Current status: National Cyber Security Strategy
The Danish Government published its NCSS in February 2015 after a formal presentation in December 2014. The NCSS sets out 27 government initiatives for 2015-2016 as part of a coordinated and long-term strategy.
Overriding objectives for a strong and cohesive security strategy:
Obj. 1 - Maintain trust of citizens and businesses in cyber and information security measures of government institutions and providers of IT systems and infrastructure upon which society relies for providing important functions. Provide measures to strengthen cyber and information security that permit user-friendly and effective use of new technologies.
Obj. 2 - Strengthen the protection of important functions in society and national security against cyber-attacks.
The NCSS establishes 6 strategic focus areas with specific initiatives to raise cyber and information security levels in Denmark.
Strategic Focus Area 1 - Professionalised and reinforced ICT oversight: Ministries must manage information security systematically and professionally and initiate strong ICT oversight of subordinate authorities.
Strategic Focus Area 2 - Clear guidelines for suppliers: Government institutions must set clear requirements regarding cyber and information security for providers of IT services and infrastructure, perform regular risk assessments and follow up regularly on providers’ ICT security measures.
Strategic Focus Area 3 - Strengthened cyber security and more knowledge: Public sector cyber security levels must be raised, and government institutions and businesses must have access to threat assessments and to advanced knowledge about how to reduce vulnerabilities.
Strategic Focus Area 4 - Robust infrastructure in the energy and telecommunications sectors: There must be a high level of cyber and information security within the energy and telecommunications sectors.
Strategic Focus Area 5 - Denmark as a strong international partner: Danish authorities must work with international partners to strengthen cyber and information security through active participation in relevant forums.
Strategic Focus Area 6 - Strong investigation and high level of information: Cyber-crime investigations must be strong and competent, and citizens and businesses must be given a better basis for adequately assuming responsibility for security in relation to their own equipment and online conduct.
Appropriate definition of critical infrastructure protection (CIP)? Yes, the Danish Security and Intelligence Service (PET) provides an appropriate definition. The NCSS gives priority to the energy and telecommunications sectors where the aim is to increase security levels underpinned by several new legal measures in 2016.
Denmark has also published official guidelines stating that compliance with international security standards will be required for government procurement relating to critical infrastructure and other ICT services: Cloud computing and the legal framework (Guidance on legislative requirement and the contractual environment related to cloud computing), published by the Agency for Digitisation in August 2012, at a time when government and local government agencies were early adopters of cloud services.
National Cyber Security Strategy
|Year of adoption||February 2015: The Danish Cyber and Information Security Strategy. 27 government initiatives are established for the period 2015-2016.|
|Updates and revisions||This is the first NCSS for Denmark. Publications on threat landscape and annual reports are available for 2014 and 2015 (in Danish).|
|Implementation and monitoring||
The Government's Centre for Cyber Security, part of the Defence Intelligence Service (FE), which is an agency under the Ministry of Defence, is responsible for detecting, analysing and helping to address advanced cyber attacks against authorities and companies providing important IT functions, such as the finance sector, government, the telecommunications network and water supply. The Centre serves as Denmark’s national IT security authority, informing and advising Danish authorities and companies on IT security, and is also the national centre of competence in cyber security. It is also the national authority for information security and preparedness in telecommunications, advising on emergency response telecommunications resources.
The 27 initiatives for 2015-2016 apply to each of the 6 strategic focus areas.
Professionalised and reinforced ICT oversight (6 initiatives)
Clear guidelines for suppliers (2 initiatives)
Strengthened cyber security and more knowledge (7 initiatives)
Robust infrastructure in the energy and telecommunications sectors (2 initiatives)
Denmark as a strong international partner (3 initiatives)
Strong investigation and high level of information (7 initiatives)
The Centre for Cyber Security has already implemented several initiatives, e.g. a Self-Service for companies to assess their cyber security (detect, analyse and help address security incidents) and published a Guide on DDoS attacks. In July 2016 it launched a new notification system for companies and authorities for undisclosed incident reporting to overcome barriers to reporting. Other initiatives include vulnerability testing and awareness campaigns, as well as a set of legal measures described below.
Coverage with respect to the BSA CyberSecurity Dashboard:
Other relevant coverage:
Coverage since the publication of the CyberSecurity Dashboard:
Other updates since the BSA Dashboard include:
Denmark has two national response teams and three known privately held teams. Government-run CERTs:
Commercial/ISP customer based CERTs:
Denmark is also part of the Nordic co-operation on research and education in cyber and information security: Funet CERT (Finland); NORDUnet CERT (Norden); RHNet CERT (Iceland); Sunet CERT (Sweden); UNINETT CERT (Norway).
Under focus area 1, the NCSS calls for:
Industry organised (i.e. business or industry cybersecurity councils):
Cross-country co-operation of cyber security clusters
|Sector specific cyber-security plans||
Finance and IT cluster in Denmark
Fintech and ICT-intensive financial services are an important sector in Denmark. The Danish vision is to form a strong finance IT cluster and develop financial IT infrastructure that will drive innovation and growth. Combining this dense finance ICT cluster with the advanced levels of education in financing and banking, Copenhagen is a hot spot for development and implementation of modern finance IT. Source: Copenhagen Fintech Innovation and Research
The Danish NCSS places emphasis on building business capacity not only around cyber security but also risk management, including rules for the providers of government services.
|Risk management plan||Mandatory security risk assessment of public IT projects under strategic focus area 1.|
|Date of last WISER analysis||July 2016|
Current status: NIS Directive and national CERTs/CSIRTs
|National computer security incident response teams||
Danish GovCERT (national/government CERT) now operates under the Centre for Cyber Security (FE). Under the new notification system for public and private sector organisations, information about cyber attacks provided to the CFC is not publicly accessible. The scheme, which is legally binding under Act no. 1567 of 15 December 2015 (Network and Information Security Act), was established to reduce risks for private companies, which had previously been reluctant to report on incidents.
The centre also publishes a “picture” of the current cybersecurity situation from the Danish perspective, which includes comparisons of national and international cybersecurity incident statistics.
DKCERT - authorised CERT for NREN (research and education network) responsible for monitoring the security of the network of affiliated institutions DeIC.
TDC Security Operations Center (TDC SOC), ISP customer base, established in June 2015, accredited since January 2016. ISP Customer base covering Denmark, Norway and Sweden with a mission to coordinate, inform and assist with IT-security related issues.
CSIS.DK - private company providing actionable intelligence, prevention, incident response and 24/7 managed security services.
CSIRT.DK (Danish Computer Security Incident Response Team) - ISP customer base for customers of TDC A/S (Danish telecommunications company).
|Report an incident||Center for Cyber Security - Citadel 30-2100 Copenhagen Ø - Phone: +45 3332 5580 - E-mail: email@example.com|
|Overall assessment & best practices||The Danish NCSS has a comprehensive set of initiatives for capacity building, business support and educational awareness campaigns. New legislation has been implemented to build legal capacity. The co-operation with other Nordic countries is also praiseworthy. Having a website in English would enable Denmark to showcase its model to other countries more effectively.|
|Languages||Danish. Only the NCSS is in English.|
|Date of last WISER analysis||August 2016|