Swedish cyber security politics and tactics…

There has been some debate and discussion lately on the current state of nation-wide cyber security efforts here in Sweden. Recently published reports have highlighted Sweden's inability to resist attacks such as those targeting Estonia earlier this year. The reports led to an interpellation and a debate in the parliament earlier this week, where concrete suggestions and answers were along the lines of: there is currently “work in progress in defining the responsibilities and requirements on government agencies, and once these are ready they will become mandatory”. First of all, why reinvent the wheel? Why not just require government agencies to meet an already mature, well-defined and frequently “used” standard such as ISO 27001? Too easy...

Related to that, a year ago (2006) the Swedish government arm KBM published a report that highlighted the current state of Swedish cyber security efforts. From the report (“freely” translated):

It can be established that Sweden today lacks a national system for discovering, alerting, terminating and, in a coordinated way, responding to [incidents].

Hopefully, the “requirements” mentioned in the debate will attempt to address this. Efforts such as giving SITIC - the national incident response organisation - additional funding and more responsibilities are excellent steps in the right direction. Other countries are also moving in this direction, such as the US, for instance, which is currently planning to reduce the number of internet connections to be able to monitor them more efficiently. I’d like to see Sweden following similar tactics.