Efforts to strengthen information and cyber security are inefficient

The Swedish National Audit Office (Swedish NAO) has audited the Government’s efforts to strengthen Sweden’s national information and cyber security. The overall conclusion is that efforts have been inefficient.

Above all, there has been a lack of cohesive governance based on strategic considerations and priorities in terms of Sweden’s collected needs. Coordination has not functioned as intended and relevant stakeholders, such as the business sector, have not been involved to any great extent.

The shortcomings are largely due to the fact that the Government Offices’ working methods, organisation and use of resources have not enabled efficient work on information and cyber security issues.

The Government Offices have formed inter-ministerial working groups and have tasked a number of government agencies with setting up a national cyber security centre. However, the assessment of the Swedish NAO is that this has not led to an increased capacity for giving priority to measures, nor to long-term strategic, holistic and cohesive governance. The governance of the agencies concerned has been based on the objectives and priorities of each individual ministry rather than on strategic considerations of what is best for Sweden, which has limited the efficiency of the efforts.

“The Government Offices and agencies each operate with a starting point in their respective responsibilities and remit, without valuing or ranking the implemented measures based on what benefits Sweden as a whole,” says Marcus Pettersson, Project Leader for the audit.

In addition, the Government’s national cyber security strategy is not of sufficient quality. For example, it lacks a clear vision, objectives that can be followed up, designated parties responsible and allocated resources. It is unclear which actors and sectors should be affected and how. The strategy does not specify how objectives and activities affect society, the economy, or the citizens, nor does it contain any actual analysis of the strategic challenges. It is the Swedish NAO’s assessment that such a strategy will only have a minor – if any – steering effect.

There are deficiencies in the information exchange between the actors. Exchanging information is an important component for the ability to coordinate efforts, so that everyone works towards the same goals and has a common picture of the situation, needs, goals and measures. At present, the government agencies produce several different situational reports, providing a fragmented picture that is difficult to consult when measures have to be weighed against each other.

“Work on information and cyber security needs to be more efficient. This requires clearly designated responsibilities and resources as well as more cohesive and strategic governance,” says Auditor General Helena Lindberg.