Sweden (SE)

Current status: National Cyber Security Strategy

Sweden is developing its NCSS. A high-level Strategy for Information Security 2010-2015 comprises an executive summary and a set of recommendations in English for the proposed strategy (the Swedish version is more detailed), with a strong focus on central government and the procurement of IT services.

The main drivers behind the high-level strategy are improving the quality of central government functions and ensuring that the necessary legislation is implemented by the Government and Parliament, while protecting the fundamental values of Swedish society. Its guiding principles are: personal privacy and freedom; the functionality, efficiency, effectiveness and quality of central government administration; law enforcement; the ability of central government to prevent and deal with serious disruptions and crises; and business sector growth, with clearly defined requirements set by central government.

The six strategic objectives are:

Obj. 1 - Strengthening governance and oversight of cyber security in central government. The strategy foresees the establishment of a national governance model for cyber security in society. The Government will set up a government agency council for cyber security comprising representatives of the relevant government agencies. Cyber security oversight of the central government sector will be coordinated and strengthened. The Swedish Civil Contingencies Agency will be given a general oversight mandate for government agencies’ cyber security. Sectoral oversight will be reviewed. Cyber security auditing will be developed. Management responsibility at government agencies for maintaining security in their information management shall be enhanced through a reporting requirement, regulated by statute.

Obj. 2 - Clearly stating security requirements for the procurement of IT products and services, and of services involving the handling of information, at the level of central government. Central government procurement will include references to standards and certification requirements in line with central government security levels. The Swedish Civil Contingencies Agency is mandated to establish minimum security requirements for IT products commonly used by government agencies. Each government agency will be required to report which contractor it has chosen for its IT solution agreements. The Defence and Security Procurement Act may be applied where ordinary procurement does not provide for sufficient security requirements. A stronger dialogue between private and public organisations and educational and research institutions will take place to ensure that requirements are understood and met.

Obj. 3 - Communicating securely across government agencies. All government agencies listed in the annex to the Emergency Management and Heightened Alert Ordinance will be connected to the Swedish Government Secure Intranet (SGSI). During the expansion of SGSI, appropriate measures will be taken to develop sensor technology. All agencies are to use the same synchronised time scale in their IT systems. The Government will instruct the Swedish Civil Contingencies Agency, the National Defence Radio Establishment, the Defence Materiel Administration and the Swedish Armed Forces to develop the process for securing cryptographic functions.

Obj. 4 - Increasing information sharing and improving knowledge on cyber incidents by requiring timely status reports from all government agencies. Cyber incident reporting will be mandatory for all government agencies with measures taken for compliance with the EU Directive on Network and Information Security (NIS Directive).

Obj. 5 - Strengthening the prevention of and fight against cybercrime. A review of current laws may lead to a new regulation on information exchanged between law enforcement agencies and any other agencies involved within the area of cyber security.

Obj. 6 - Making Sweden a strong international partner by taking consistent action in all relevant international and regional forums.

Appropriate definition of critical infrastructure? Yes. The Swedish Civil Contingencies Agency (MSB) provides an appropriate definition for “critical infrastructure protection”.

National Cyber Security Strategy

Status: Currently pending.
Updates and revisions: N/A
Implementation and monitoring

Central government will play a key role in defining and implementing the NCSS with cross-agency responsibilities for IT procurement and providing timely status reports to increase information sharing.

Legal conditions

There are no laws in Sweden that specifically deal with cyber security. However, the Swedish Civil Contingencies Agency (MSB), the national authority in charge of information security, has helped Sweden establish a good reputation on cyber security. MSB is the centralised information security entity and has a prominent public presence.

Current legislation/policy in place:

  • Legislation/policy requiring the establishment of a written information security plan: the Swedish Civil Contingencies Agency’s Regulations on Government Agencies’ Information Security compel each government agency to establish an information security policy sufficient for ensuring that agency’s information security.
  • Legislation/policy requiring an inventory of “systems” and the classification of data: the Armed Forces Regulation on Security 2003:7 outlines a four-tiered classification system. Under the system, data deemed to be in need of classification are assigned a classification level according to the level of risk involved in disclosing the information.
  • Legislation/policy requiring security practices to be mapped to risk levels: the Public Access to Information and Secrecy Act 2009 sets out security practices for information mapped to the classification level assigned to it. The classification levels are those set out in the Armed Forces Regulation on Security 2003:7, assigned according to the level of risk involved in disclosing the information.
  • Legislation/policy requiring that each agency should have a Chief Information Officer (CIO) or Chief Security Officer (CSO): Regulation 2006:942 requires each government agency to appoint one or more persons to direct and coordinate measures related to information security.
  • Legislation/policy requiring public and private procurement of cyber-security solutions based on international accreditation or certification schemes without additional local requirements. Although some local security guidelines have been developed, they do not require additional local certification or accreditation.

Current gaps in legislation/policy:

  • No requirement for an annual audit.
  • No requirement for a public report on cyber-security capacity for government.
  • No requirement for mandatory reporting of cyber-security incidents.
Operational entities

CERT-SE is the national/governmental CSIRT, established in 2003, and is responsible for coordinating incident response measures for both government institutions and private entities across all Swedish networks. It also operates the incident reporting platform for collecting cyber security incident data.

National competent authority for network and information security (NIS): responsibility of the MSB.

National incident management structure (NIMS): partial coverage. The Swedish Civil Contingencies Agency's Regulations on Government Agencies' Information Security 2009 (pursuant to Regulation 2006:942) require each agency to develop its own information security management system, based on standards supported by the Swedish Standards Institute.

Sweden conducted the National Cyber Security Exercise “NISÖ” in 2012. Sweden also participated in the multi-national International Watch and Warning Network Exercise 2013 organised by the United States.

Public Private Partnerships

Current practices: partial coverage

The National Telecommunications Coordination Group (NTSG) is a voluntary co-operation platform based on a public private partnership, but it does not have a specific remit on cyber security. Telekomforetagen (in Swedish) is a member organisation for Swedish companies in the IT and telecom sector that engages in cyber security.

Ericsson is a partner in several projects funded under the 5G PPP phase 1, including one on 5G security enablers and related standardisation, with co-signed contributions/specifications.

Current gaps:

  • No plans for future public private partnership at the national level.

Sector specific cyber-security plans

Current gaps:

  • No sector specific security priorities defined, though there are several private CSIRTs.

Risk management plan

Current gaps:

  • No sector specific risk assessments released.

Progress Measures

Potential gaps:

  • No current indication that progress measures will be defined in the forthcoming NCSS.

Date of last WISER analysis July 2016


Current status: NIS Directive and national CERTs/CSIRTs

Computer security incident response teams

CERT-SE supports, among others, governmental authorities, regional authorities, municipalities, enterprises and companies in their efforts to prevent and deal with IT incidents. Operations are conducted at the Swedish Civil Contingencies Agency (MSB). It also acts as Sweden's contact point for equivalent services in other countries, for development co-operation and for information sharing.

CERT-SE also serves as the Governmental CERT of Sweden, with additional responsibilities within the governmental body.

Sweden has several private CSIRTs, most of which also cover other countries.

Swedbank Security Incident Response Team (Swedbank SIRT) - financial sector, covering Sweden, Estonia, Latvia and Lithuania.
Host organisation: Swedbank AB - handles IT security related and computer fraud incidents impacting the bank and its customers, while also taking part in IT development quality assurance activities by performing penetration testing on IT systems, and actively raising awareness to improve IT security awareness across the bank.

Handelsbanken Security Incident Response Team (Handelsbanken SIRT) - financial sector, covering Austria, China, Denmark, Estonia, Finland, France, Germany, Hong Kong, India, Latvia, Lithuania, Luxembourg, Malaysia, Netherlands, Norway, Poland, Russian Federation, Singapore, Spain, Sweden, Switzerland, United Kingdom, United States.
Host organisation: Svenska Handelsbanken AB

TeliaSoneraCERT CC (TS-CERT) - industrial sector; serves national and international ISP customers of TeliaSonera and TeliaSonera AB internally, covering Denmark, Estonia, Finland, Latvia, Lithuania, Norway, Sweden.
Host organisation: TeliaSonera AB

Basefarm Group's Security Incident Response Team (Basefarm SIRT/BF-SIRT) - industrial sector; serves the ISP customer base of Basefarm AS (Norway), Basefarm AB (Sweden) and Basefarm BV (Netherlands), acting as the primary contact point for the Group.
Host organisation: Basefarm AS (Norway), Basefarm AB (Sweden), Basefarm BV (Netherlands)

2Secure CSIRT (2S-CSIRT) - service provider customer base of 2Secure AB, including 2Secure Inspect IT AB, 2Secure Sverige AB and 2Secure Screening AB.
Host organisation: 2Secure AB

Report an incident

CERT-SE, cert@cert.se, 08-678 57 99

Overall assessment & best practices

Sweden has a good reputation for cyber security. Its focus on certification and standardisation is a very positive move, also in the light of EC ICT standardisation priorities and the planned development of a Catalogue of Standards (DG Growth).

However, Sweden has a number of policy gaps and also seems to lack a strong culture of security through public private partnerships. Private CSIRTs could be a good source of insightful information in several market verticals.

Languages Swedish (Some information available in English).
Date of last WISER analysis July 2016
