The post was written by Christian Top Marchant and Thorstein Theilgaard and was originally published as a column on Finans.dk.

The government's new national cyber and information security strategy landed amid impeachment, shutdown and Christmas fun - and it deserves attention because it paints a worrying picture of the urgent need for security tightening to protect our increasingly digital infrastructure. Experience shows that objectives from the previous strategy have not yet been achieved.

The long-awaited strategy on cyber and information security has finally been presented by the government. The strategy demonstrates - if anyone has any doubts - that we live in a world full of digital threats from both criminals and state actors.

Denmark is one of the world's most digitised countries, and therefore it is difficult not to be concerned when the strategy points out, among other things, that the security situation is inadequate in almost half of the state's socially critical IT systems.

Earlier this year, it was read that we are only number 32 on the list of countries in terms of IT security. It seems both disturbing and paradoxical when Denmark is at the same time one of the world's most digitized societies. This leaves us in a potentially very vulnerable situation if the wrong forces pounce on Denmark.

The brave new world of possibilities in technology also has a more unpleasant flip side. The digitisation of more and more parts of society makes Denmark vulnerable to espionage and cybercrime if we do not have control over security. And as the strategy clearly shows, Denmark's cyber and IT security is hopelessly lagging behind our status as a digital pioneer.

This applies to private companies, the public sector and citizens. Therefore, we can of course also welcome the fact that the total DKK 770 million that the strategy and recent defence settlements have prioritised, more than anything else, shows that digitalisation, communication technologies, IT systems, etc. have become part of national security policy of the very heavy calibre.

One thing is strategy - another is implementation

But, as you know, the devil lies in the detail and, in this context, more precisely in the implementation of the new national strategy. The strategy shows that 46 per cent of the state's socially critical systems are in what is called inadequate condition. According to the Danish Agency for Digitisation, it is estimated that 590 out of the state's 3,433 IT systems are of a socially critical nature. With a little quick main bill, this means that 270 (46 percent) socially critical IT systems in the Danish state are potentially vulnerable to attack.

It may be surprising. Since 2016, state authorities have been obliged to implement the ISO27001 safety standard. Already in the previous national strategy of 2018, it was pointed out that there was room for improvement in this account for state enterprises - to say the least. Therefore, the new strategy is also alarming reading, as it finds that only 57 per cent of state authorities today live up to ISO27001.

Five years is an infinitely long time

When it comes to technological developments - and not least the more aggressive and sophisticated methods of cybercriminals - five years is not an elusive period - if it is finally, it should rather be measured in dog years. Whether it will make a difference in this context that the National Audit Office is now investigating it security in the public sector must be tested.

Now, the strategy does not indicate which parts of the state IT systems are not secured well enough, but try to think the following thought in the current corona situation: that the IT systems that ensure the logistics behind the entire corona effort will be paralyzed by either cybercriminals or a hostile foreign state. This would mean that Denmark's fight against corona would collapse in a short time, with enormous health, economic and political consequences.

In the IT security industry, it has long been said that it is not about if you are attacked, but when it happens. It is therefore positive that the strategy is now in place - so let us hope that its implementation will proceed faster than last time.

‍

Photo by: Kasper Rasmussen