Denmark (DK)

Current status: National Cyber Security Strategy

The Danish Government published its NCSS in February 2015 after a formal presentation in December 2014. The NCSS sets out 27 government initiatives for 2015-2016 as part of a coordinated and long-term strategy.

Overriding objectives for a strong and cohesive security strategy:

Obj. 1 - Maintain trust of citizens and businesses in cyber and information security measures of government institutions and providers of IT systems and infrastructure upon which society relies for providing important functions. Provide measures to strengthen cyber and information security that permit user-friendly and effective use of new technologies.

Obj. 2 - Strengthen the protection of important functions in society and national security against cyber-attacks.

The NCSS establishes 6 strategic focus areas with specific initiatives to raise cyber and information security levels in Denmark.

Strategic Focus Area 1 - Professionalised and reinforced ICT oversight: Ministries must manage information security systematically and professionally and initiate strong ICT oversight of subordinate authorities.

Strategic Focus Area 2 - Clear guidelines for suppliers: Government institutions must set clear requirements regarding cyber and information security for providers of IT services and infrastructure, perform regular risk assessments and follow up regularly on providers’ ICT security measures.

Strategic Focus Area 3 - Strengthened cyber security and more knowledge: Public sector cyber security levels must be raised and government institutions and business must have access to threat assessments and to advanced knowledge about how to reduce vulnerabilities.

Strategic Focus Area 4 - Robust infrastructure in the energy and telecommunications sectors: There must be a high level of cyber and information security within the energy and telecommunications sectors.

Strategic Focus Area 5 - Denmark as a strong international partner: Danish authorities must work with international partners to strengthen cyber and information security through active participation in relevant forums.

Strategic Focus Area 6 - Strong investigation and high level of information: Cyber-crime investigations must be strong and competent, and citizens and businesses must be given a better basis for adequately assuming responsibility for security in relation to their own equipment and online conduct.

Appropriate definition of critical infrastructure protection (CIP)? Yes, the Danish Security and Intelligence Service (PET) provides an appropriate definition. The NCSS gives priority to the energy and telecommunications sectors where the aim is to increase security levels underpinned by several new legal measures in 2016.

Denmark has also published official guidelines stating that compliance with international security standards will be required for government procurement relating to critical infrastructure and other ICT services: Cloud computing and the legal framework (Guidance on legislative requirement and the contractual environment related to cloud computing), published by the Agency for Digitisation in August 2012, at a time when government and local government agencies were early adopters of cloud services.

National Cyber Security Strategy

Year of adoption

February 2015: The Danish Cyber and Information Security Strategy. 27 government initiatives are established for the period 2015-2016.

Updates and revisions

This is the first NCSS for Denmark. Publications on threat landscape and annual reports are available for 2014 and 2015 (in Danish).

Implementation and monitoring

The Government's Centre for Cyber Security, part of the Defence Intelligence Service (FE), an agency under the Ministry of Defence, is responsible for detecting, analysing and helping to address advanced cyber attacks against authorities and companies providing important IT functions, such as the finance sector, government, the telecommunications network and water supply. The Centre serves as Denmark’s national IT security authority, informing and advising Danish authorities and companies on IT security, and is also the national centre of competence in cyber security. It is also the national authority for information security and preparedness in telecommunications, advising on emergency response telecommunications resources.

The 27 initiatives for 2015-2016 apply to each of the 6 strategic focus areas.

Professionalised and reinforced ICT oversight (6 initiatives)

  1. Increased information security effort in government institutions.
  2. Mandatory security risk assessment of public IT projects.
  3. Increased coordination of information security efforts between national and local authorities.
  4. Co-operation between education and research institutions regarding cyber and information security.
  5. Intensified dialogue between private and public employers and education and research institutions regarding competence needs.
  6. Sufficient capacity in the Agency for Governmental IT Services to handle cyber attacks.

Clear guidelines for suppliers (2 initiatives)

  1. Introduction of security requirements in IT tenders and contracts.
  2. Continuous security oversight of suppliers.

Strengthened cyber security and more knowledge (7 initiatives)

  1. Mandatory inclusion of cyber threats in government institutions’ risk management.
  2. Formation of a cyberthreat assessment unit.
  3. Study regarding the possible concentration of government Internet connections.
  4. Study regarding the development of secure communication among state institutions.
  5. Formation of a unit to investigate major cyber security incidents.
  6. Formation of a SCADA knowledge centre.
  7. Setting up a business advisory board on ICT security.

Robust infrastructure in the energy and telecommunications sectors (2 initiatives)

  1. Strengthening of network and information security in telecommunications.
  2. Stronger requirements regarding cyber and information security in the energy sector.

Denmark as a strong international partner (3 initiatives)

  1. Strengthening of Danish cyber diplomacy.
  2. Promotion of Denmark’s stance in international cyber and information security cooperation forums.
  3. Nordic co-operation on research and education in cyber and information security.

Strong investigation and high level of information (7 initiatives)

  1. Raised security awareness among citizens and businesses.
  2. Security self-check service for businesses.
  3. Expansion of the National Cyber Crime Center (NC3).
  4. Increased capacity of the police regarding information security guidance.
  5. Strengthening the cyber capacity and capability of the Danish Security and Intelligence Service (PET).
  6. Establishment of an online platform for reporting cyber crime.
  7. Study regarding a service providing information on stolen identity documents.

The Centre for Cyber Security has already implemented several initiatives, e.g. a Self-Service for companies to assess their cyber security (detect, analyse and help address security incidents) and published a Guide on DDoS attacks. In July 2016 it launched a new notification system for companies and authorities for undisclosed incident reporting to overcome barriers to reporting. Other initiatives include vulnerability testing and awareness campaigns, as well as a set of legal measures described below.

Legal capacity

Coverage with respect to the BSA CyberSecurity Dashboard:

  • Law on the Center for Cyber Security: Act no. 713 of 25 June 2014 on the Center for Cyber Security.
  • Guidelines on the treatment of data: DoD guidelines of 30 June 2014 concerning the processing of data in and from the Center for Cyber Security network security service.
  • Law on electronic communications networks and services (Telecommunications Act): Order no. 128 of 7 February 2014 of the Law on electronic communications networks and services.

Other relevant coverage:

  • Legislation/policy requiring an inventory of “systems” and the classification of data.

Coverage since the publication of the CyberSecurity Dashboard:

  • Order on connection to network security service: Order no. 1546 of 11 December 2015 on connecting to the Center for Cyber Security network security service.
  • Act on network and information security: Act no. 1567 of 15.12.2015 on network and information security.
  • Order on information security and emergency networks and services: Order no. 567 of 1 June 2016 on information security and emergency networks and services.
  • Order on information and notification duties relating to network and information security: Order no. 566 of 1 June 2016 on information and notification duties relating to network and information security.
  • Order on security of employees on network and information security, which enters into force on 1 January 2017: Order no. 565 of 1 June 2016 on the security clearance of employees on network and information security.
  • Order on emergency operators' access to electronic communications in emergency situations, etc.: Order no. 564 of 1 June 2016 on emergency operators' access to electronic communications in emergency situations, etc.

Other updates since the BSA Dashboard include:

  • Legislation/policy requiring the establishment of a written information security plan: now guided by a single plan.
  • Legislation/policy requiring security practices to be mapped to risk levels: risk management for IT providers of public services and continuous monitoring under strategic focus area 2.
  • Legislation/policy requiring (at least) an annual cyber security audit.
  • Legislation/policy requiring a public report on cyber security capacity for the government.
  • Legislation/policy requiring mandatory reporting of cyber security incidents.

No coverage:

  • There is no requirement for each agency to have a chief information officer (CIO) or chief security officer.

Operational entities
Operational Capacity

Denmark has two national response teams and three known privately held teams. Government-run CERTs:

  • The national Centre for Cyber Security under which DKCERT (est. 2009) and the Danish GovCERT operate. Since July 2016, a new notification system has been in place for companies and authorities reporting cyber incidents. @Danish_GovCERT
  • DKCERT - research and educational institutions.

Commercial/ISP customer based CERTs:

  • TDC Security Operations Centre
  • CSIRT.DK
  • CSIS.DK

Denmark is also part of the Nordic co-operation on research and education in cyber and information security: Funet CERT (Finland); NORDUnet CERT (Norden); RHNet CERT (Iceland); Sunet CERT (Sweden); UNINETT CERT (Norway).

Public-private partnership

Under focus area 1, the NCSS calls for:

  • Intensified dialogue between private and public employers and education and research institutions regarding competence needs. However, there is no indication if government funding will support such a dialogue.

Industry organised (i.e. business or industry cybersecurity councils):

  • The Council for Digital Security is a security and privacy advocacy group comprised of 20 private sector and academic organisations.
  • Dansk IT is a representative body for information technology professionals in Denmark, cyber security being one of the areas covered.

Cross-country co-operation of cyber security clusters

  • Denmark is among the countries that joined the Dutch security cluster, The Hague Security Delta, in June 2016 as part of an effort to encourage co-operation with other European regions bringing together public and private parties, academia and R&D organisations to stimulate innovation and economic growth. In Denmark, Karup and CenSec are the participating clusters joining others from the Netherlands, France, Finland, and Germany.

Sector specific cyber-security plans

Finance and IT cluster in Denmark

Fintech and ICT-intensive financial services are an important sector in Denmark. The Danish vision is to form a strong finance IT cluster and develop financial IT infrastructure that will drive innovation and growth. Combining this dense finance ICT cluster with the advanced levels of education in financing and banking, Copenhagen is a hot spot for development and implementation of modern finance IT. Source: Copenhagen Fintech Innovation and Research

The Danish NCSS places emphasis on building business capacity not only around cyber security but also risk management, including rules for the providers of government services.

Risk management plan

Mandatory security risk assessment of public IT projects under strategic focus area 1.

Progress Measures

Date of last WISER analysis: July 2016

Current status: NIS Directive and national CERTs/CSIRTs

National computer security incident response teams

Danish GovCERT (national/government CERT) now operates under the Centre for Cyber Security (FE). Under the new notification system for public and private sector organisations, information about cyber attacks provided to the CFC is not publicly accessible. The scheme, which is legally binding under Act no. 1567 of 15 December 2015 (Network and Information Security Act), was established to reduce risks for private companies, which had previously been reluctant to report on incidents.

The centre also publishes a “picture” of the current cybersecurity situation from the Danish perspective, which includes comparisons of national and international cybersecurity incident statistics.

DKCERT - authorised CERT for NREN (research and education network) responsible for monitoring the security of the network of affiliated institutions DeIC.

Private-sector organisations:

TDC Security Operations Center (TDC SOC), ISP customer base, established in June 2015, accredited since January 2016. ISP Customer base covering Denmark, Norway and Sweden with a mission to coordinate, inform and assist with IT-security related issues.

CSIS.DK - private company providing actionable intelligence, prevention, incident response and 24/7 managed security services.

CSIRT.DK (Danish Computer Security Incident Response Team) - ISP customer base for customers of TDC A/S (Danish telecommunications company).

Report an incident

Center for Cyber Security - Citadel 30-2100 Copenhagen Ø - Phone: +45 3332 5580 - E-mail: cfcs@cfcs.dk

Overall assessment & best practices

The Danish NCSS has a comprehensive set of initiatives for capacity building, business support and educational awareness campaigns. New legislation has been implemented to build legal capacity. The co-operation with other Nordic countries is also praiseworthy. Having a website in English would enable Denmark to showcase its model to other countries more effectively.

Languages

Danish. Only the NCSS is in English.

Date of last WISER analysis: August 2016
