Time to operationalise National Digital Security
Supporting Norwegian Total Defense through enhanced public-private partnership and cost-effective mission sharing


Bottom line up front (BLUF)
The aim of this blog post is to share information and provide input to the cyber dimension of the Norwegian Total Defence discourse. It discusses how the private sector, specialising in digital security, can prepare for, address, and eventually deliver on three of the main recommendations from the Norwegian Total Preparedness Report, namely:
- Cross-Sector Collaboration: Enhancing integration between civilian and military resources to address complex threats more effectively.
- Role of the Private Sector: Clearly defining the responsibilities of businesses in emergency preparedness efforts.
- Digital Security: Strengthening the protection of critical infrastructure against digital threats and cyberattacks.
The latest IT security surveys in Norway, “Mørketallsundersøkelsen” (2020 and 2022), conducted by the Norwegian Business and Industry Security Council (NSR), concluded that there were shortfalls in the ability of Norwegian private and public businesses to both prevent and detect cyber security breaches. We believe that the results from the 2024 “Mørketallsundersøkelse” will display similar shortfalls.
Introduction
As the geopolitical situation grows more volatile and unpredictable, with hostile states and their proxies taking more risks and further engaging in a hybrid war against Western civilization, democratic nations and institutions are under serious pressure. In that regard, Jens Stoltenberg, the former Secretary General of NATO, summarised the hybrid nature of what we are up against during a visit to Canada in June 2024:
“We are threatened by something that is not a full-scale military attack, which are these hybrid threats ... ranging from interference in our political processes, (undermining of) trust in our political institutions, disinformation, cyberattacks (...) and acts of sabotage against critical infrastructure.”
In October 2024, former Finnish president Sauli Niinistö delivered the report “Safer Together – Strengthening Europe’s Civilian and Military Preparedness and Readiness”, as a special advisor to the European Commission. The report assesses the complex challenges the EU and its Member States face in a volatile geopolitical landscape, and presents recommendations to enhance the preparedness and readiness of the EU. Illustrated by the paragraph below, the report challenges us, as citizens of democratic nations, to increase preparedness by adopting a new mindset in order to build trust amongst ourselves:
Lenin instructed the Bolsheviks during the Russian civil war to ‘probe with bayonets: If you find mush you continue. If you find steel you stop’. A hundred years on, today’s opportunistic actors use the same method. They target us by looking for weaknesses in our protection, take advantage of our political divisions, any lack of social cohesion and harmful economic dependencies, trying to weaponize anything they can against us. In being well prepared, a fundamental requirement is not to be an easy target. A change in mindset is needed to build the trust that allows us to do this as the whole of society.
Lenin’s instructions from the Russian civil war appear to be very much present in the Russian leadership today. Ine Eriksen Søreide, former Minister of both Defence and Foreign Affairs in Norway, recently stated in “Ukrainapodden”, a podcast covering the Ukraine conflict, on 13 November 2024, that unless Russian leaders face immediate opposition to their claims, they will not stop.
The EU report further states that “evolving threats, such as the sabotage of critical infrastructure and cyberattacks, continue to bring private and public actors’ security interests ever closer. The systematic sharing of information and experiences is crucial for further deepening trust between different actors to prepare for and address these threats together”.
The need for cross-sector collaboration
The Norwegian government, via the Ministry of Justice and Public Security, has recently presented its plan to facilitate and lead the way in such a joint effort – the Total Preparedness Report (Totalberedskapsmeldingen). It is our assumption that the Norwegian Total Preparedness Report is closely coordinated with the EU report mentioned above, and that the respective EU and Norwegian recommendations have similarities. In particular, the phrase “systematic sharing of information and experiences” warrants further investigation.
The sector principle in Norway, dating from the 1970s, dictates that each sector within government, e.g., the Ministry of Defence, the Ministry of Justice and Public Security etc., has authority over and is responsible for innovation and public services within its respective domain. This, by default, hampers interdepartmental cooperation and fragments the responsibility for cross-sector challenges, such as security, including the cyber domain. Moreover, the current Norwegian public budget model, granting each sector its own separate budget, does not provide incentives for collective innovation and, ultimately, the delivery of comprehensive services. Finally, the sector principle inherently grants each sector the right to set its own goals and make its own priorities for execution, more or less regardless of the need for joint efforts against complex and sector-overarching national challenges. Despite good intentions of working across sectors, and in conjunction with the private sector, we still have a way to go in order to systematically share information and experiences, and thus be better ‘Prepared’.
Given this backdrop, how can we, the private sector, be incentivised and contribute to an enhanced integration with both civilian and military information, experiences and resources, in order to address complex and cross-sector hybrid and cyber threats more effectively?
We could lead by example, and show the way! There could be some value in adopting the AI company Anthropic's approach with a "race to the top" strategy, where they "are trying to pull the ecosystem in a direction where everyone can be the good guy," demonstrating good practice which is copied and further developed by others, and thereby scaling up. Given the number and complexity of the evolving threats we face, we can rest assured that there will be enough work for the private sector to go around.
But how can we begin this ‘Race to the top’ in practical terms, showing the way for a more robust National Digital Security (NDS), protecting both critical infrastructure and fundamental national functions in Norway, that also incentivises the private sector?
Driving cultural and operational shifts
Firstly, we need to tell the right story. The call for a new mindset on public/private cooperation, moving from a traditional customer/supplier relationship to more of a mission- and burden-sharing approach and partnership, requires cultural change. We can, for the sake of the argument, think of ‘culture’ as “how we do things at our place”. In order to pull the cyber security ecosystem in the right direction, making everyone “the good guy”, cultural change has to take place in both the public and the private sector. The story we tell will have to convince relevant private and public parties to overcome bureaucratic restraints and conservatism, to think “out of the box” and to develop new policies that reward pragmatism and operational effect. Such a story would require us to “translate” the political and strategic formulations in the EU report, the Norwegian national digitalisation strategy and the Total Preparedness Report into simpler and actionable language, thus leading the way.
Secondly, we need to identify a small number of competent and open-minded people in mature private companies, with access to relevant data, and key stakeholders, think tanks, and responsible parties in public sectors, who see the big picture. Put them together, engage them, and let them collaborate on “how to” operationalise cross-sector public/private sharing, integration and data-driven analysis, bearing in mind that innovation, technological development and the cutting-edge expertise are based in the private sector.
If such a group of people already exists, for instance in the realm of the Norwegian Business and Industry Security Council, engage them in the “how to” posed above.
Key questions for these people, a cross-sector NDS public/private “working” group, to answer could be:
- What should a national cyber situational picture look like, and what data points are needed in order to produce and maintain it?
- What data, information, services and products are needed to provide digital situational awareness and support informed decision making, cross-sector wise?
- Is there a need for a centralised information requirement and collection management, and if so, how should it be organised?
- What data is already available in different sectors, and what needs to be further collected, by whom?
- Is there a need for a secure, but unclassified national digital information library, providing validated and quality assured information, analysis and threat intelligence, accessible to authorized public and private stakeholders?
- How can we exchange and share data and information on different classification levels in a timely and confidential manner?
- What are the best formats to use for collecting and exchanging data and information?
- Is there a need for standardisation of data formats and resolution levels?
- And overall, how can the private sector contribute to NDS in a coherent and predictable manner that creates win-wins, supporting private companies’ business cases and having a positive effect on national digital security?
We can visualise this as depicted in the figure below. A cross-sector public/private NDS “working” group, with an operational and technical approach, that could lead the way and provide actual guidance for real mission sharing, in a way that resonates well with the people performing the day-to-day tasks.

Thirdly, we need to build ready-to-use private capabilities, supporting NDS. The new Norwegian national digitalisation strategy aims to further digitalise all aspects of our society, thus making us even more exposed and vulnerable to cyber threats. This drive for increased digitalisation, combined with the ambitions and recommendations in the mentioned EU report and the Norwegian Total Preparedness Report, will most likely deepen the already prominent gap between demand and supply of operational and technical digital security competence and capabilities. This is a gap that may realistically only be filled by private digital security companies, as the public sector by default faces limitations in personnel, skillsets and capacity. Thus, the private sector will need to step up its game and be prepared to innovate on, demonstrate the value of and scale up its capabilities in order to meet current and future cross-sector cybersecurity needs.
We suggest that this cross-sector NDS public/private “working” group, with technical and operational cyber expertise, will be
- involved in the process of developing the cyber dimension of the upcoming national security strategy (to be presented by the summer of 2025), and
- challenged to provide input to the future Long-Term Plan for Civilian Preparedness and Readiness (to start work in 2025).
*Find more information in section 15 & 16 here
We strongly endorse that responsible governmental agencies, without further delay, utilise the opportunity to enter into long-term agreements with capable and trusted private companies, ensuring predictable access to cyber competence, resources and off-the-shelf capabilities.