Sweden (SE)

Sweden adopted its National Cybersecurity strategy in 2010 with a high level Strategy for Information Security 2010-2015. A new strategy is expected in late 2017/early 2018 based on a Fact Sheet published in July 2017: A National Cyber Security Strategy

The document outlines objectives in six priority areas aimed at helping to create the long-term conditions for all stakeholders in society to work effectively on cyber security, and raise the level of awareness and knowledge throughout society.

Obj. 1 - Securing a systematic and comprehensive approach in cyber security efforts: enhance collaboration and cyber security information sharing and improve the conditions for pursuing systematic cyber security efforts in a more integrated and coordinated manner.

Obj. 2 - Enhancing network, product and system security: Access to secure data encryption systems for IT and communications solutions must also meet society’s needs, and this requires enhanced security in industrial information and control systems that control and monitor the distribution of critical supplies (e.g. electricity and water).

Obj. 3 - Enhancing capability to prevent, detect and manage cyberattacks and other IT incidents: an advanced cyber defence must be in place that includes enhanced military capability to respond to and handle an attack by an advanced opponent in cyberspace.

Obj. 4 - Increasing the possibility of preventing and combating cybercrime: The ability to prevent and combat these crimes must be strengthened through adapted legislation, well-developed expertise and organisational structures, and enhanced international cooperation. More stakeholders, beyond law enforcement authorities, need to actively take part in preventive efforts.

Obj. 5 - Increasing knowledge and promoting expertise: Greater knowledge and a broader understanding of cyber security in society are necessary to focus on the most urgent security needs. Higher education, research and development, and regular training activities are also crucial in this area.

Obj. 6 - Enhancing international co-operation: enhanced international cooperation, based on international law and the objective of a global, accessible, open and robust internet characterised by freedom and respect for human rights.

Next steps include alignment across government departments while ensuring as much flexibility as possible so the strategy can evolve with the threat landscape.

NATIONAL CYBERSECURITY STRATEGY - NIS Capacities

Year of Adoption

2010 (2010-2015); a new strategy expected in late 2017/early 2018 based on a Fact Sheet published in July 2017 by the Swedish Ministry of Justice: A National Cyber Security Strategy (www.government.se/49edf4/contentassets/b5f956be6c50412188fb4e1d72a5e501/...).

Updates and revisions

The 2010 strategy, high level Strategy for Information Security 2010-2015, placed emphasis on the role of central government and the procurement of IT services.

In February 2017, an in-depth article was published on legal and regulatory aspects of cybersecurity in Sweden (https://gettingthedealthrough.com/area/72/jurisdiction/38/cybersecurity-...).

In January 2017, the Prime Minister made a statement with regard to national security. While the statement focuses on military threats, cybercrime and terrorism, it highlights the importance of protecting critical infrastructures, primarily energy, transportation and telecommunications (http://www.government.se/opinion-pieces/2017/01/swedens-security-must-be-seen-in-a-broader-perspective/).

Implementation and monitoring

The Government will prioritise the implementation of the new strategy and closely monitor developments in the area.

National competent authority for network and information security (NIS) is the responsibility of the MSB (Swedish Civil Contingencies Agency).

Operational capacity building

CERT-SE (Swedish: www.cert.se/) is the national/governmental Computer Emergency Response Team. Established in 2003, it is responsible for coordinating incident response measures for both government institutions and private entities across all Swedish networks. It is also responsible for providing an Incident Reporting Platform for collecting cybersecurity incident data.

SUNET-CERT is the Swedish University Network Computer Emergency Response Team, supporting universities, colleges and other organisations connected to the SUNET network, including the coordination of incidents, IT security competences and co-operation with other national and international CERTs (Swedish: https://www.cert.sunet.se/; English: https://www.cert.sunet.se/english/index-eng.htm).

Linköping University has its own Incident Response Team: Li.U (https://old.liu.se/insidan/it/irt?l=en), handling issues and incidents within the institution.

Other CERTs/CSIRTs are listed on the Forum of Incident Response and Security Teams (FIRST) but do not have websites.

National incident management structure (NIMS): partial coverage. The Swedish Civil Contingencies Agency's Regulations on Government Agencies' Information Security 2009 (pursuant to Regulation 2006:942) require each agency to develop its own information security management system, based on standards supported by the Swedish Standards Institute.

Sweden conducted the National Cyber Security Exercise “NISÖ” in 2012. Sweden also participated in the multi-national International Watch and Warning Network Exercise 2013 organised by the United States.

Legal conditions

There are no current laws in Sweden that specifically deal with cybersecurity though an in-depth article on legal and regulatory aspects of cybersecurity in Sweden was published in February 2017.

Current status: The Swedish Civil Contingencies Agency (MSB) is the national authority in charge of information security and has helped Sweden establish a good reputation on cybersecurity. MSB is the centralised information security entity and has a prominent public presence.

Current legislation/policy in place:

  • Legislation/policy requiring the establishment of a written information security plan: the Swedish Civil Contingencies Agency’s Regulations on Government Agencies’ Information Security compel each government agency to establish an information security policy sufficient for ensuring that agency’s information security.
  • Legislation/policy requiring an inventory of “systems” and the classification of data: The Armed Forces Regulation on Security 2203:77 outlines a four-tiered classification system. Under the system, data deemed to be in need of classification are assigned a classification level according to the level of risk involved in disclosing the information.
  • Legislation/policy requiring security practices to be mapped to risk levels: The Public Access to Information and Secrecy Act 2009 sets out security practices for information mapped to the classification level assigned to it. The classification levels are set out in the Armed Forces Regulation on Security 2203:77 and are assigned according to the level of risk involved in disclosing the information.
  • Legislation/policy requiring that each agency should have a Chief Information Officer (CIO) or Chief Security Officer (CSO): Regulation 2006:942 requires each government agency to appoint one or more persons to direct and coordinate measures related to information security.
  • Legislation/policy requiring public and private procurement of cyber-security solutions based on international accreditation or certification schemes without additional local requirements. Although some local security guidelines have been developed, they do not require additional local certification or accreditation.

Current gaps in legislation/policy:

  • No requirement for an annual audit.
  • No requirement for a public report on cyber-security capacity for government.
  • No requirement for mandatory reporting of cyber-security incidents.

Business and Public Private Partnerships

There are no official national incentives for improving the cybersecurity of businesses in Sweden. However, several initiatives have been set up to boost public-private co-operation.

The National Telecommunications Coordination Group (NTSG) is a voluntary co-operation platform based on a public-private partnership but does not have a specific remit on cyber security. Telekomforetagen (in Swedish) is a member organisation for Swedish companies in the IT and telecom sector that engages in cyber security.

The SCCA has created an information security council with representatives from government and the private sector. The council shall assist the SCCA on information on trends regarding information security, provide opinions on the priority and conduct of the SCCA’s work, perform quality certification of the SCCA’s work and publicise the SCCA’s work.

The PTA hosts an integrity forum for the PTA and representatives from the industry. The forum is held a couple of times each year to discuss issues on integrity in electronic communication. The PTA and DIB also cooperate in matters of information security to exchange information and coordinate their work. The PTA takes part in the international cooperation on integrity issues. The PTA is part of the Contact Network of Spam Authorities and also cooperates with other member states within the European Union on questions concerning data retention and cookies.

PCI DSS applies to all entities processing payment data relating to credit or debit cards, from distributors to payment transferors and issuers.

Ericsson organises annual Security Days for its employees and is a partner in several projects funded under the 5G PPP phase 1 projects, including one on 5G security enablers and related standardisation, including co-signed contributions to security standardisation.

Other capacity-building measures: research and education

Sweden is increasing national investments in research and innovation with the launch of Cyber Security 2017. The Swedish Foundation for Strategic Research has announced SEK 300 million in a national Call for problem-, challenge- or application-driven research projects that meet the highest international scientific standards. The aim of the first Call is to stimulate collaborative interdisciplinary research within the area of cyber security and Information Security, of relevance to present or future Swedish-based industry and to society.

Overall assessment

Sweden has a good reputation for cybersecurity. Its focus on certifications and standardisation is a very positive move, also in the light of EC ICT standardisation priorities with the development of a Catalogue of Standards planned (DG Growth).

The new strategy seeks to fill existing gaps in policy and create a cybersecurity culture. A new assessment will therefore be needed to gauge measures and expected outcomes.

Operational capacities also need to be enhanced, making it easier to report a cyber incident.

Making more information available in English will be important to increase collaboration and information sharing across borders.

Latest update August 2017

Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CERT/CSIRT

CERT-SE: www.cert.se/

Authorities are obliged to report an incident whereas other organisations may choose to report voluntarily. However, it is important to be aware of new obligations under the EU NIS Directive and GDPR applicable from 25 May 2018. 

Guidelines on reporting an incident: https://www.cert.se/it-incidentrapportering/om-it-incidentrapportering/.

Telephone: 010-240 40 40 | 08-678 57 99.

Email: cert@cert.se

The website of SUNET-CERT is currently being updated and does not include information about reporting a cyber incident (Swedish: https://www.cert.sunet.se/; English: https://www.cert.sunet.se/english/index-eng.htm).

Handelsbanken Security Incident Response Team (Handelsbanken SIRT)

Constituency: Finance Sector
Country coverage: most EU countries, UK and USA

Telephone: (+46) 8 701 8370
Telephone (emergency number): (+46) 8 701 8370
Email: sirt@handelsbanken.se
Please refer to https://www.first.org/members/teams/handelsbanken_sirt for information about cryptography.

Guidance and Updates

CERT-SE (www.cert.se/) provides updates in Swedish on cybersecurity news and alerts.

CERT.SE also provides a map of infected computers in Sweden, which is updated on a daily basis: https://www.cert.se/megamap/ and a guide on the terminology used, as well as a list of keywords for vulnerabilities detected and other matters related to cybersecurity: https://www.cert.se/nyckelord/.

Languages: Swedish; some information is also available in English.
Latest update July 2017
