Nordic countries’ cybersecurity skills are improving, but what happens when an attacking country is identified? On 30 June, the Nordic Council will debate proposed joint Nordic sanctions in the case of cyberattacks. The proposal already has support among Norwegian researchers.
“Cyberattacks represent a serious threat not only towards the Nordics but also globally. They target our most important values – our democracy and open societies. That is why it is absolutely crucial to highlight this issue at the Nordic Council and to consider what we can do together in the face of this threat. Both cyber threats and the pandemic represent challenges that must be met with Nordic and international cooperation in order to find solutions,” says Bertel Haarder, President of the Nordic Council during 2021.
He gets support from Maria Bartnes, Research Director at SINTEF Digital in Trondheim.
“Our society is in the middle of a rush of digitalisation. All kinds of systems are going online. They are linked together and we introduce software and IT into all sectors,” she says and mentions the oil industry, health care, water supply and other critical functions.
Bartnes is head of system development and security at SINTEF and is also an Adjunct Associate Professor at the Norwegian University of Science and Technology NTNU in Trondheim.
“A more digitalised society gives increased functionality. We can better survey and fix faults without having to go out into the field. We get better control and reduce the number of faults through the use of technology. But we also become more vulnerable. Different kinds of infrastructure are also becoming more interdependent. All social functions have become dependent on electricity and ICT. At the same time, electricity and ICT are dependent on each other,” she says.
“One fault in a system can have major consequences in a different system far away. Systems you might not immediately consider. It then becomes challenging to analyse risk and to understand how to prevent attacks,” says Bartnes.
“Each trade used to have their own systems and retained full control over them. You knew where to access and exit the systems and how a hacker might get in. It is harder to know the kind of danger hackers represent these days, and it will become harder still,” she says.
How much more vulnerable are we in the Nordics compared to 10 years ago?
“Interdependence between systems has increased. That means society is now far more vulnerable. But at the same time, we have become more aware of this, and security technology has improved. Security has not been idle while the technological development has marched on,” she says and adds that online consumer technology is growing at a rapid rate, especially in Norway.
“Security at hospitals is critical, where many people are using different types of online medical equipment. Equipment that improves patients’ lives is also online. This brings advantages and more potential vulnerability.”
China, Russia, Iran and Pakistan are listed as interfering actors by the Norwegian secret service.
“Foreign states have become more powerful. If someone really wants to attack us there is little we can do. They have vast resources and can spend years preparing an attack. This says something about motivation and the available resources.
“We can become better at developing more secure technology. Functionality drives technological development. Afterwards, people think about the need for security when the technology has already come into use. We need to integrate security into the development of technology at an earlier stage. Security should be a competitive advantage,” she says.
It turns out not everything can be prevented.
“Something can hit us and we need to be able to limit the consequences. We seem to hear about new attacks every week in the media,” she says and mentions what happened on the east coast of the USA when Colonial Pipelines’ IT systems were hacked.
When Colonial Pipeline's computer network was hacked it became big news across the USA. These are screenshots from various news flashes.
The company transports petrol diesel, aircraft fuel and paraffin from refineries. The pipeline network that was hit stretches from Texas to New Jersey.
“The pipeline was incapacitated for about a week. Fuel prices shot up and people panicked. Panic is an efficient tool for those who want to damage a society. In Norway, the parliament and a health provider has been attacked. It is scary yet interesting though to find out what makes hackers attack MPs. They can learn a lot about procedures and relations and therefore get the information needed to influence political processes. It is difficult to discover this as a society,” she says and underlines that political espionage is perhaps among the worst examples.
“When is a political decision influenced from the outside, and when is it real? Unwanted influence over time could start to control our society. This is challenging, and that is why it might be a positive thing if the Nordics cooperate on imposing sanctions,” argues the Research Director.
“We can make it easier to discover, disclose and protect ourselves. We have a lot in common. We share the same ideas around privacy and how to operate in the digital sphere. This means that cooperation will benefit us all. There are no national borders online, so it is a bit strange that a country should only protect what exists within its own borders,” says Bartnes.
Maria Bartnes want common IT security demands in the EU.
She believes data security skills will improve in the years to come. Company boards and leaders must demand solutions with higher levels of security. ICT providers do not implement security if security is not stipulated in the product order. If security is integrated, it gets better and it pays. Security has entered the boardrooms, and that happened more than ten years ago.
“Anyone can make and sell an IT solution, apps or gadgets without certification. Without a minimum security standard. Certification could make it easier to compare products. It would make it easier to choose a product according to how secure the equipment is. This is consumer-oriented, but also very interesting for places like hospitals,” she argues.
“The EU has introduced privacy legislation with GDPR. Perhaps we could have something similar on IT security?” she wonders, adding that a joint rulebook could stipulate some minimum demands.
Threat actors can be categorised according to a threat pyramid, says Nils Kalstad. He is Head of Department at the Department of Information Security and Communication at NTNU.
“Some hackers can be compared to activists who demonstrate in the streets carrying banners and shouting slogans. They only want to test the technology. Next in the pyramid is small-time and organised crime. Then you have actors supported by foreign states and at the top, you find foreign states.
“Information forms the basis for espionage, which is something all countries have been doing for a long time. This is just a new arena. It becomes easier to run disruption operations, or deep face news as it is now called, on an international level. False or adapted information posing as legitimate information over time is being spread in order to manipulate public opinion or part of the population’s sense of reality. The internet really has made the world a smaller place.”
The opportunity to study digital security at NTNU has improved over the past seven years.
“The capacity has tripled. The courses are attractive and popular. Digital security is also being included in basic education in new curricula. Companies also put more resources into further education with support from the Research Council of Norway.
“There are, however, not enough Norwegian candidates on special PhD courses in information technology across our universities,” he says and adds that many Norwegian master degree students often go into attractive jobs rather than pursuing a PhD.