Current status: National Cyber Security Strategy
Sweden is developing its NCSS. A high-level Strategy for Information Security 2010-2015 comprises an executive summary and a set of recommendations for the proposed strategy in English (the Swedish version is more detailed), with a strong focus on central government and the procurement of IT services.
The main drivers behind the high-level strategy are improving the quality of central government functions and ensuring that the necessary legislation is implemented by the Government and Parliament, while protecting the fundamental values of Swedish society. The guiding principles are: personal privacy and freedom; the functionality, efficiency, effectiveness and quality of central government administration; law enforcement; the ability of central government to prevent and deal with serious disruptions and crises; and business sector growth, with clearly defined requirements set by central government.
The six strategic objectives are:
Obj. 1 - Strengthening governance and oversight of cyber security in central government. The strategy foresees the establishment of a national governance model for cyber security in society. The Government will set up a government agency council for cyber security comprising representatives of the relevant government agencies. Cyber security oversight of the central government sector will be coordinated and strengthened. The Swedish Civil Contingencies Agency will be given a general oversight mandate for government agencies’ cyber security. Sectoral oversight will be reviewed. Cyber security auditing will be developed. Management responsibility at government agencies for maintaining security in their information management shall be enhanced through a reporting requirement, regulated by statute.
Obj. 2 - Clearly stating security requirements for the procurement of IT products and services, and of services involving the handling of information, at the level of central government. Central government procurement will include references to standards and certification requirements in line with central government security levels. The Swedish Civil Contingencies Agency is mandated to establish minimum security requirements for IT products commonly used by government agencies. Each government agency will be required to report which contractor it has chosen for its IT solution agreements. The Defence and Security Procurement Act may be applicable where a procurement does not provide for sufficient security requirements. A stronger dialogue between private and public organisations and educational and research institutions will take place to ensure that requirements are understood and met.
Obj. 3 - Communicating securely across government agencies. All government agencies listed in the annex to the Emergency Management and Heightened Alert Ordinance will be connected to the Swedish Government Secure Intranet (SGSI). During the expansion of SGSI, appropriate measures will be taken to develop sensor technology. All agencies are to use the same synchronised time scale in their IT systems. The Government will instruct the Swedish Civil Contingencies Agency, the National Defence Radio Establishment, the Defence Materiel Administration and the Swedish Armed Forces to develop the process for securing cryptographic functions.
Obj. 4 - Increasing information sharing and improving knowledge of cyber incidents by requiring timely status reports from all government agencies. Cyber incident reporting will be mandatory for all government agencies, with measures taken to comply with the EU Directive on Security of Network and Information Systems (NIS Directive).
Obj. 5 - Strengthening the prevention of and fight against cybercrime. A review of current laws may lead to a new regulation on information exchange between law enforcement agencies and any other agencies involved in the area of cyber security.
Obj. 6 - Making Sweden a strong international partner by taking consistent action in all relevant international and regional forums.
Appropriate definition of critical infrastructure? Yes. The Swedish Civil Contingencies Agency (MSB) provides an appropriate definition for “critical infrastructure protection”.
National Cyber Security Strategy
Updates and revisions: N/A
Implementation and monitoring:
Central government will play a key role in defining and implementing the NCSS, with cross-agency responsibilities for IT procurement and for providing timely status reports to increase information sharing.
There are no laws in Sweden that specifically deal with cyber security. However, the Swedish Civil Contingencies Agency (MSB), the national authority in charge of information security, has helped Sweden establish a good reputation on cyber security. MSB is the centralised information security entity and has a prominent public presence.
Current legislation/policy in place:
Current gaps in legislation/policy:
CERT-SE is the national/governmental CSIRT, established in 2003, and is responsible for coordinating incident response measures for both government institutions and private entities across all Swedish networks. It is also responsible for the incident reporting platform used to collect cyber security incident data.
National competent authority for network and information security (NIS): responsibility of the MSB.
National incident management structure (NIMS): partial coverage. The Swedish Civil Contingencies Agency's Regulations on Government Agencies' Information Security 2009 (pursuant to Regulation 2006:942) require each agency to develop its own information security management system, based on standards supported by the Swedish Standards Institute.
Sweden conducted the National Cyber Security Exercise “NISÖ” in 2012. Sweden also participated in the multi-national International Watch and Warning Network Exercise 2013 organised by the United States.
Public Private Partnerships:
Current practices: partial coverage
The National Telecommunications Coordination Group (NTSG) is a voluntary cooperation platform based on a public-private partnership, but it does not have a specific remit on cyber security. Telekomforetagen (in Swedish) is a member organisation for Swedish companies in the IT and telecom sector that engages in cyber security.
Ericsson is a partner in several projects funded under 5G PPP phase 1, including one on 5G security enablers and related standardisation work (co-signed contributions and specifications).
Sector specific cyber-security plans:
Risk management plan:
Date of last WISER analysis: July 2016
Current status: NIS Directive and national CERTs/CSIRTs
Computer security incident response teams:
CERT-SE supports, among others, governmental authorities, regional authorities, municipalities, enterprises and companies in their efforts to prevent and deal with IT incidents. Operations are conducted at the Swedish Civil Contingencies Agency (MSB). CERT-SE also acts as Sweden's contact point for equivalent services in other countries, for development cooperation and for information sharing.
CERT-SE also serves as the Governmental CERT of Sweden, with additional responsibilities within central government.
Sweden has several private CSIRTs, most of which also cover other countries.
Swedbank Security Incident Response Team (Swedbank SIRT) - financial sector, covering Sweden, Estonia, Latvia and Lithuania.
Host organisation: Svenska Handelsbanken AB
TeliaSoneraCERT CC (TS-CERT) - industrial - national and international ISP customers of TeliaSonera, and TeliaSonera AB internally, covering Denmark, Estonia, Finland, Latvia, Lithuania, Norway and Sweden.
2Secure CSIRT (2S-CSIRT) - service provider customer base - 2Secure AB, including 2Secure Inspect IT AB, 2Secure Sverige AB and 2Secure Screening AB.
Report an incident:
Overall assessment & best practices:
Sweden has a good reputation for cyber security. Its focus on certification and standardisation is a very positive move, also in the light of the EC's ICT standardisation priorities and the planned development of a Catalogue of Standards (DG Growth).
However, Sweden has a number of policy gaps and also seems to lack a strong culture of security through public-private partnerships. Private CSIRTs could be a good source of insightful information in several market verticals.
Languages: Swedish (some information available in English).
Date of last WISER analysis: July 2016