Efforts to strengthen information and cyber security are inefficient
The Government’s efforts to strengthen information and cyber security in Sweden are inefficient. This is due in part to shortcomings in the national cyber security strategy, and in part because the Government’s control is weak and fragmented.
The Swedish National Audit Office (Swedish NAO) has audited the Government’s efforts to strengthen Sweden’s national information and cyber security. The overall conclusion is that efforts have been inefficient.
Above all, there has been a lack of cohesive governance based on strategic considerations and priorities in terms of Sweden’s collected needs. Coordination has not functioned as intended and relevant stakeholders, such as the business sector, have not been involved to any great extent.
The shortcomings are largely due to the fact that the Government Offices’ working methods, organisation and use of resources have not enabled efficient work on information and cyber security issues.
The Government Offices have formed inter-ministerial working groups and have tasked a number of government agencies with setting up a national cyber security centre. However, the assessment of the Swedish NAO is that this has not led to an increased capacity for giving priority to measures, nor to long-term strategic, holistic and cohesive governance. The governance of the agencies concerned has been based on the objectives and priorities of each individual ministry rather than on strategic considerations of what is best for Sweden, which has limited the efficiency of the efforts.
“The Government Offices and agencies each operate with a starting point in their respective responsibilities and remit, without valuing or ranking the implemented measures based on what benefits Sweden as a whole,” says Marcus Pettersson, Project Leader for the audit.
In addition, the Government’s national cyber security strategy is not of sufficient quality. For example, it lacks a clear vision, objectives that can be followed up, designated parties responsible and allocated resources. It is unclear which actors and sectors should be affected and how. The strategy does not specify how objectives and activities affect society, the economy, or the citizens, nor does it contain any actual analysis of the strategic challenges. It is the Swedish NAO’s assessment that such a strategy will only have a minor – if any – steering effect.
There are deficiencies in the information exchange between the actors. Exchanging information is an important component for the ability to coordinate efforts, so that everyone works towards the same goals and has a common picture of the situation, needs, goals and measures. At present, the government agencies produce several different situational reports, providing a fragmented picture that is difficult to consult when measures have to be weighed against each other.
“Work on information and cyber security needs to be more efficient. This requires clearly designated responsibilities and resources as well as more cohesive and strategic governance,” says Auditor General Helena Lindberg.
Recommendations in brief
The Swedish National Audit Office recommends that the Government:
- establish a strategic, holistic, and long-term focus for work on information and cyber security
- ensure concerted governance with clear lines of responsibility, sufficient competence and effective forms of coordination concerning information and cyber security issues at the Government Offices
- identify obstacles for information exchange and ensure that structures are in place that allow necessary information sharing
- review the remit, mandate, and organisational designation of the cyber security centre.
See the report for the recommendations in full.
Press contact: Olle Castelius, phone: +46 8-5171 40 04.
Presskontakt: Olle Castelius , telefon: 08-5171 42 06.
Share in social media and by e-mail
Send your questions or comments via the form below and we will make sure that they reach the right member of staff. Please state if your question concerns the information on this particular page.