Current status: National Cyber Security Strategy
The Danish Government published its NCSS in February 2015 after a formal presentation in December 2014. The NCSS sets out 27 government initiatives for 2015-2016 as part of a coordinated and long-term strategy.
Overriding objectives for a strong and cohesive security strategy:
Obj. 1 - Maintain trust of citizens and businesses in cyber and information security measures of government institutions and providers of IT systems and infrastructure upon which society relies for providing important functions. Provide measures to strengthen cyber and information security that permit user-friendly and effective use of new technologies.
Obj. 2 - Strengthen the protection of important functions in society and national security against cyber-attacks.
The NCSS establishes 6 strategic focus areas with specific initiatives to raise cyber and information security levels in Denmark.
Strategic Focus Area 1 - Professionalised and reinforced ICT oversight: Ministries must manage information security systematically and professionally and initiate strong ICT oversight of subordinate authorities.
Strategic Focus Area 2 - Clear guidelines for suppliers: Government institutions must set clear requirements regarding cyber and information security for providers of IT services and infrastructure, perform regular risk assessments and follow up regularly on providers’ ICT security measures.
Strategic Focus Area 3 - Strengthened cyber security and more knowledge: Public sector cyber security levels must be raised and government institutions and business must have access to threat assessments and to advanced knowledge about how to reduce vulnerabilities.
Strategic Focus Area 4 - Robust infrastructure in the energy and telecommunications sectors: There must be a high level of cyber and information security within the energy and telecommunications sectors.
Strategic Focus Area 5 - Denmark as a strong international partner: Danish authorities must work with international partners to strengthen cyber and information security through active participation in relevant forums.
Strategic Focus Area 6 - Strong investigation and high level of information: Cyber-crime investigations must be strong and competent, and citizens and businesses must be given a better basis for adequately assuming responsibility for security in relation to their own equipment and online conduct.
Appropriate definition of critical infrastructure protection (CIP)? Yes, the Danish Security and Intelligence Service (PET) provides an appropriate definition. The NCSS gives priority to the energy and telecommunications sectors where the aim is to increase security levels underpinned by several new legal measures in 2016: (Danish: https://www.pet.dk/default.aspx; English: https://www.pet.dk/English.aspx)
Denmark has also published official guidelines stating that compliance with international security standards will be required for government procurement relating to critical infrastructure and other ICT services: Cloud computing and the legal framework (offering guidance on legislative requirements and the contractual environment related to cloud computing), published by the Agency for Digitisation in August 2012, at a time when government and local government agencies were early adopters of cloud services: English: http://digitaliser.dk/resource/2368677
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
Year of adoption
February 2015: The Danish Cyber and Information Security Strategy (English version: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/nc...).
Updates and revisions
This is the first cybersecurity strategy for Denmark.
Operational capacity building
Denmark has two national response teams and three known privately held teams. Government-run CERTs:
Both operate under the national Centre for Cyber Security.
Commercial/ISP customer based CERTs:
Denmark is also part of the Nordic co-operation on research and education in cyber and information security: Funet CERT (Finland); NORDUnet CERT (Norden); RHNet CERT (Iceland); Sunet CERT (Sweden); UNINETT CERT (Norway).
Coverage based on the BSA CyberSecurity Dashboard:
Other relevant coverage:
Coverage since the publication of the CyberSecurity Dashboard:
Other updates since the BSA Dashboard include:
Business and Public Private partnership
The strategy calls for:
Industry organised (i.e. business or industry cybersecurity councils):
Cross-country co-operation of cyber security clusters
BrainsBusiness is a platform for ICT innovation in North Denmark through the interaction of industry and university and the link to public authorities. Its activities include ICT trust, cyber security & network security, Open data & sharing of public sector information, Warehousing & support activities for transportation: www.brainsbusiness.dk/.
Finance and IT cluster in Denmark
Fintech and ICT-intensive financial services is an important sector in Denmark. The Danish vision is to form a strong finance IT cluster and develop financial IT infrastructure that will drive innovation and growth. Combining this dense finance ICT cluster with the advanced levels of education in financing and banking, Copenhagen is a hot spot for development and implementation of modern finance IT. Source: Copenhagen Fintech Innovation and Research (www.cfir.dk/en-gb/aboutcfir/pages/financeitindenmark.aspx)
The Danish NCSS places emphasis on building business capacity not only around cyber security but also risk management, including rules for the providers of government services.
Implementation & Monitoring
The Centre for Cyber Security is part of the Defence Intelligence Service (FE), an agency under the Ministry of Defence, and is responsible for detecting, analysing and helping to address advanced cyber attacks against authorities and companies providing important IT functions, such as the finance sector, government, telecommunications network, water supply. The Centre serves as Denmark’s National IT security authority, informing and advising Danish authorities and companies on IT security and is also the national centre of competence in cyber security. It is also the national authority for information security and preparedness in telecommunications, advising on emergency response telecommunications resources.
The 27 initiatives for 2015-2016 apply to each of the 6 strategic focus areas.
Professionalised and reinforced ICT oversight (6 initiatives)
Clear guidelines for suppliers (2 initiatives)
Strengthened cyber security and more knowledge (7 initiatives)
Robust infrastructure in the energy and telecommunications sectors (2 initiatives)
Denmark as a strong international partner (3 initiatives)
Strong investigation and high level of information (7 initiatives)
The Centre for Cyber Security has already implemented several initiatives, e.g. a Self-Service for companies to assess their cyber security (detect, analyse and help address security incidents) and published a Guide on DDoS attacks. In July 2016 it launched a new notification system for companies and authorities for undisclosed incident reporting to overcome barriers to reporting (fe-ddis.dk/cfcs/nyheder/arkiv/2016/Pages/Nyunderretningsordningforvirksomhederogmyndighederitilfældeafcyberangreb.aspx)
Other initiatives include vulnerability testing and awareness campaigns, as well as a set of legal measures described below.
Overall assessment/best practices
In 2017, the Centre for Cyber Security released a report that addresses the threat from cyber activities against Danish authorities and private companies: fe-ddis.dk/cfcs/CFCSDocuments/The%20cyber%20threat%20against%20Denmark%202017.pdf
Among the reported recommendations, public authorities and private companies should make targeted efforts to improve processes, technology and behaviour. Processes include preparing regular risk analyses and identifying which data requires protection and what the consequences of a potential breach would be. Technology could involve improving knowledge of in-house IT infrastructure and processes and regular identification and patching of system vulnerabilities. Behaviour involves initiatives aimed at raising user awareness of the cyber threat and establishing staff training programmes that teach employees safe cyberspace behaviour. In addition, companies and public authorities should implement cyber attack contingency plans.
Latest WISER update: October 2017
GDPR and NIS Directive: Compliance and Notification
National Computer Security Information Response Team (CSIRT)
Computer Emergency Response Team (CERT)
Notification obligations in the event of a data breach
Center for Cyber Security
Languages: Danish. Only the NCSS is in English. @Danish_GovCERT