The growing undercurrent of risk linked to the increase in cyber terrorism threats is changing both the character and direction of Sweden’s national security policy and associated defence apparatus.
In particular, Sweden’s government and national security leaders are pursuing a more aggressive, capital-intensive programme to scale up spending and strengthen the Nordic country’s long-term capacity to defend itself against potentially damaging attacks from cyber terrorists and cyber crime organisations.
This integrated approach to national security was outlined in the delivery of the government-appointed Swedish Defence Commission’s (SDC) report to the Swedish cabinet in late December 2017.
The report – entitled Resilience, the total defence concept and the development of civil defence in 2021-2025 – is based on detailed security-specific analysis compiled by the Swedish Armed Forces (AFC) and national security intelligence agencies.
Its findings are supplemented with strategic evaluations by inter-departmental expert groups operating within key ministries such as finance, infrastructure and justice.
The report provides a forward-looking blueprint to shape future national security policy, enabling the drafting of fit-for-purpose legislation to deal with contemporary and future cyber domain threats. The bedrock of Sweden’s evolving national security policy will be deeper collaboration between core branches of government, the armed forces and civil defence.
Working towards total defence
“Sweden’s long-term approach is to develop a ‘total defence’ capability against external threats to the country’s national security that also protects our economy and critical infrastructure,” said SDC chairman Björn von Sydow.
“Our next major task will be to deliver a comprehensive assessment of the regional and global security situation. This will include an appraisal of cyber threats facing Sweden and what action should be taken,” he added.
The report concluded that cyber attacks posed a very real and immediate threat for Sweden’s economy and society.
“Systems for electronic communications are not designed to operate in war-like conditions. Public services that the government previously operated are now under private ownership. These changes are important preconditions for total defence planning. Cyber attacks may have similar consequences for the operation of society and critical infrastructure. A conventional kinetic attack, and in some circumstances a cyber attack, can be considered to be an armed attack,” the report noted.
The protection of national critical infrastructure, such as public transport systems, telecommunications networks and power plants, will constitute a fundamental focal point in the Swedish government’s all-inclusive mission to deliver a more effective overall defence against future cyber terrorism threats.
Boosting cyber defence funds
The seriousness with which Sweden is taking new and future threats in the cyber domain is plainly visible in the government’s budgeting plans. Sweden plans to increase expenditure on its signals intelligence and cyber domain defence capabilities by 10% to SEK5bn (€510m) in 2018.
Pivotal to Sweden’s national security, both the FRA and MUST are tasked with developing effective early warning systems to deal with increasingly sophisticated cyber threats and attacks against critical national IT infrastructure in both state and privately operated enterprises and sectors of the national economy.
Under the 2018 defence spending programme, the FRA and MUST will see their annual operating budgets grow by SEK83.5m (€8m) in 2018.
The lion’s share of the added funding will be used to expand FRA’s and MUST’s increasingly expansive counter-terrorism, information and cyber security projects and programmes. These include the reinforcement of present and active cyber war threat response capabilities.
New projects cover the development of advanced offensive smart technologies and tools that have the capacity to weaponise counter-strike actions against the perpetrators of hostile cyber attacks against Sweden and the country’s critical infrastructure.
IT weaknesses heighten fear
Sweden’s elevated sense of fear is based on the higher frequency of malicious cyber crime strikes against IT infrastructure, especially in the form of distributed denial of service (DDoS) type attacks targeting state department and banking IT/computer platforms.
Recent inter-departmental threat assessments, combined with intelligence gathered by the FRA and MUST, have identified basic weaknesses in some IT systems and networks linked to the operation of power plants, defence infrastructure, fire services, wind turbines and waste water treatment plants.
The full scale of inherent weaknesses isn’t known just yet. This may be revealed to a greater extent once a comprehensive risk assessment on critical IT infrastructure is completed in 2019. This review will involve input by the FRA, MUST, all state departments and Sweden’s regional civil defence authorities.
What is known is that IT and computer operating systems employed to run some of the country’s older power plant units and other utilities do not use a password-based access protection shield to guard against cyber attacks. Based on this loose degree of system protection and vulnerability, it would be technically possible for hackers to gain remote access and “take over” unsecured internet-connected devices such as water treatment pumps, ventilation equipment and alarm systems protecting private and state-operated facilities.
Sweden’s vulnerability to malicious attacks in the cyber domain became openly visible in October 2017 after IT systems used by public transport authorities to monitor rail traffic were targeted.
The DDoS cyber strike caused significant delays to train schedules. The cyber attack also forced the Swedish Transport Agency’s (Transportstyrelsen/STA) website to temporarily crash. The website was forced offline after its servers became overloaded in the wake of a sustained bombardment of communication requests in the aggressive DDoS strike.
The incident exposed vulnerabilities in the STA’s IT infrastructure and capacity to repel a large-scale and sustained DDoS attack. It also displayed the incapacity of the agency’s website and servers to deal with the multiple and large-scale communication requests that are the hallmark of DDoS attacks.
Victims of the DDoS attack included the regional public transport operator Västtrafik and its services in western Sweden. The attack overloaded servers supporting the company’s ticket-booking app and online travel planner, causing related core IT systems to crash.
“It is sometimes difficult to know who the perpetrators are, and who is behind attacks like this. It could be just high jinks. Alternatively, it could be other parties trying to investigate what kind of protection Trafikverket employs to safeguard its IT and computer systems against cyber attacks,” said Patrik Gylesjö, the vice-CEO of Stockholm-headquartered internet provider DGC.
Cyber threats have global reach
The global reach of cyber threats facing Sweden was also highlighted in May 2017 when the country’s 290 municipalities began to overhaul their IT security platforms and defences following the notorious WannaCry ransomware attack, which infected more than 300,000 computers across 150 countries. In Sweden, Timrå council fell victim to the attack. Around 70 of the local authority’s computers were infected.
The WannaCry ransomware cryptoworm targeted PCs running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin crypto-currency. The cyber attack was halted days after its discovery when Microsoft released emergency patches.