There is no clear cybersecurity policy
This is a translated English version of the original, which is in Swedish at DI Debatt.
Sweden needs a cyber deterrence strategy and, together with national and international partners, conduct offensive cyber operations against threat actors
A clear Swedish cybersecurity policy is important for deterring cyber threats and showing that attacks have consequences. Examples of a well-designed deterrence strategy can be found in the US, the EU and Australia. In light of the recent ransomware attack that affected more than 120 authorities and businesses, this should also be considered for Sweden.
The ransomware attacks against Coop, Kalix municipality, the Church of Sweden and TietoEvry highlight the urgent need to deter cyber threats. The attacks have had a significant impact on Swedes’ daily lives, economic interests and, by extension, Swedish security. The situation emphasises the importance of Swedish policies that increase the costs and risks for threat actors and make it clear that it does not pay to attack Swedish interests.
Bill 2020/21:30 discusses the need to strengthen cyber defence capabilities, both defensively and offensively. The focus on deterring cyber threats is limited. The Defence Committee’s report “Kraftsamling” deals with deterrence for security in the Euro-Atlantic area, including Sweden’s role in NATO, but not Sweden’s own cyber deterrence.
What can be done? To deal with cyber threats, such as ransomware attacks, we should understand that Swedish interests are under continuous attack over time, and Sweden is constantly dealing with threats in cyberspace. This emphasises the importance of cyber deterrence, as illustrated by the 2014 Sony hack and the Colonial Pipeline attack.
The cyber attack on Sony Pictures, triggered by the film ‘The Interview’ and its fictional plot against the North Korean leader, led to international controversy and questions about US cyber deterrence. Admiral Michael S. Rogers of the US Cyber Command emphasised the global impact of the attack. In response, the US government under President Obama developed a new cyber security policy and sanctions against individuals involved in cyber attacks, which was an important step in addressing cyber threats.
The Colonial Pipeline case, a major ransomware attack, led to fuel shortages, price increases and panic buying in the US. The US launched a comprehensive government effort to restore operations and mitigate the impact on the energy sector and the public. General Paul Nakasone of the US Cyber Command emphasised the strategic importance of the attack and the coordinated response of the Cyber National Mission Force and other government agencies and international partners to combat such threats.
International cooperation is essential to tackle cyber threats. Many countries face the challenge of identifying and acting against threat actors, but cooperation has proven effective in imposing sanctions. For example, negotiations between the US and Russia led to the arrest of an individual behind the Colonial Pipeline attack after months of dialogue.
The EU has imposed sanctions on those responsible for cyber attacks such as ‘WannaCry’ and ‘NotPetya’, including travel bans and asset freezes. ENISA, the EU’s cybersecurity agency, and Europol’s EC3, which fights cybercrime, play an important role in helping member states improve their ability to deal with cyber threats, contributing to a stronger common front against cyber attacks.
Australia has imposed sanctions on a Russian following an international investigation involving the FBI, NSA and GCHQ for a cyber attack on “Medibank Private”. General Nakasone emphasises “integrated deterrence” as a strategy, meaning coordination of offensive cyber operations and collaboration across different arenas and partners, which is important in a world of continuous geopolitical competition.
Based on the above, the following lessons emerge:
Cyber deterrence requires a society-wide cyber strategy and responsibility from decision-makers, where offensive cyber operations can also be undertaken with the support of extended legal authority and international jurisdiction. With this support, the Swedish Armed Forces, in collaboration with the FRA, key companies and partners, can conduct offensive cyber operations against identified threat actors. These could include disabling infrastructure, securing Bitcoin or changing email passwords. Effective intelligence is essential to uncover the identities of the attackers.
The strategy should clearly state that ransomware attacks are a strategic threat to Sweden: all attacks will be responded to decisively, in cooperation with international partners.
Ransomware attacks threaten the Swedish economy and security and must be managed seamlessly during all phases of peace, crisis and war.
Gazmend Huskaj is Head of Cyber Security at the Geneva Centre for Security Policy (GCSP), previously a doctoral student in offensive cyberspace operations at the Swedish Defence University and Director of Intelligence in cyber-related issues in the Swedish Armed Forces.