Director General, Nasjonal Sikkerhetsmyndighet
(NSM - Norway's National Security Authority)
Cyber Security: Trust and Cooperation in a Complex Threat Environment
April 11, 2014—The CyberWire interviewed Mr. Kjetil Nilsen, Director General of Norway's National Security Authority (NSM), who delivered the final keynote at SINET ITSEF 2014. Mr. Nilsen's agency is responsible for information assurance, cyber security, cryptography and other national protective security services. NSM also leads NorCERT and a public-private partnership that includes Norway's national sensor network. Mr. Nilsen shared his perspective on the role of trust and cooperation in coping with an increasingly complex threat environment.
The CyberWire: Thanks for speaking with us, Director General. What can you tell us about the distinctive cyber security challenges Norway faces?
Nilsen: A vital part of this picture is the risk environment that is increasing and becoming more and more complex. The number of registered serious cases of cyber espionage is increasing, and this development worries me. Last year alone, we handled a large number of such cases in Norway and this is probably just the tip of the iceberg.
These attacks are targeted towards both public and private businesses. The attackers seek information regarding technology, production methods, organizational matters and business strategy etc.
Security measures are strengthened on a national level, but we still have to reduce the vulnerabilities. The primary problem is not that we lack security measures and solutions that make us secure; the problem is aligning the demand for security with the actual need for security.
The CyberWire: Norway has a fairly well-developed cyber innovation ecosystem. What lessons do you think the Norwegian experience holds for other countries?
Nilsen: Norway and Norwegians are fast adapters to new technology. With a small population, a high standard of living, and well-developed infrastructure, Norway has been in a position to establish and maintain a good system for cyber innovation.
As I will point out in my speech at ITSEF, we rely on knowledge and innovation to find the right security solutions; solutions that we as citizens, businesses and government institutions will apply.
I think we have to increase the knowledge and priority on cyber security on the executive level in the public sector and in the private sector. For instance, last month we gathered over 100 of Norway's top executives, chairmen, and government officials to discuss the challenges related to cyber security and what the next steps should be. I think the only path to success is through leadership and good corporate governance. It is necessary to have a strong cooperation on an operational level and I believe that we have been reasonably successful in doing so.
The CyberWire: How has cyber cooperation, and particularly cyber threat information sharing, fared within NATO, from your point of view?
Nilsen: I think we can all agree that there is a need for information sharing. You need to get the right people to sit down and discuss what needs to be shared, what the common interests of information sharing are, and how it should be done. I think NATO will continue to play the role as a facilitator and enabler for further cooperation and information sharing between its members. We see this both in exercises and in the handling of real-time incidents. The existing cooperation on cyber incident response between the NATO CERTs is both effective and well-functioning. Instead of building new structures, we should focus on the structures we already have in place, to make them even more efficient.
The CyberWire: If information sharing is as important to cyber security as consensus seems to regard it, can you describe some of the obstacles to that sharing?
Nilsen: Sharing of information is built on trust. First, we have to build trust, between the Government and businesses, between competing businesses, and across societal sectors. To build trust, you will often need to clarify roles and responsibilities that will establish good relationships. It takes hard work to build those relationships across sectors and businesses.
Another challenge is the secrecy in the information security community. Information is being shared with those we trust, which is often a small number of people. The answer to your question is yes: information sharing is probably the most important factor in increasing cyber security. There has to be some benefit for all, so we should remind everybody that the information you share will help others, but when they share, it will help you.
The CyberWire: You have a background in law enforcement. From that background, and from the perspective of your current post at the NSM, what trends are you seeing in cybercrime these days?
Nilsen: Cybercrime continues to be a growing global concern, and is increasing on all different levels, from so-called script kiddies, hacktivists, organized crime, and different types of state-sponsored attacks. The main trends that we see are the increasingly complex environments that open up new methods for attacks, combined with more movement of data across borders, which increases the need for a global approach to cybercrime. The trend in Norway is the huge increase in targeted attacks.
The CyberWire: How could those obstacles be overcome?
Nilsen: Building trust between governments, businesses and sectors is essential. Networking is crucial. Frequently exercising different scenarios is crucial to building trust and handling difficult situations together. This should make the common ground needed to ensure a good cooperation between different entities. When you have a problem, you call someone you know and trust. The added value is to understand that we cannot solve our cyber challenges alone and when you help others, others help you back.
The CyberWire: You also have a background in arms control. Control of cyber tools would seem to present a particularly thorny problem—they are easy to proliferate, and many of them may have legitimate uses. Are there any lessons we should take from the history of arms control as we grapple with cyber proliferation?
Nilsen: First, I do not completely agree with those who compare cyber tools with traditional arms. In my view, we are talking about different worlds. As you say, many tools have a legitimate use, and many of the tools can be used to both secure and attack. I do not think the most effective way of attacking the problem is to try to reduce the spread of the tools themselves, but to ensure that the tools' capabilities are known, so countermeasures can be established.
The CyberWire: Some fairly senior and experienced people have recently said that the threat of cyber terrorism is overblown and vanishingly small, and that the real cyber threat lies in espionage. How do you see the matter?
Nilsen: For the time being, I agree, but that could change. There has been research on the topic at the Norwegian Defence Research Establishment, which came to the same conclusions. At the same time, we see an increasing knowledge about vulnerabilities in, for instance, SCADA systems for critical infrastructure. In many systems, it might be too easy to gain control over, for instance, production processes or critical functions. Even though players at the time seem not to exploit vulnerabilities in the systems, we cannot completely exclude the opportunity. As a nation, we have to prepare for other scenarios than espionage. The same applies for owners of critical infrastructure.
The CyberWire: ITSEF, of course, is a forum where entrepreneurs meet industry leaders and policy makers. What are you most interested in seeing at ITSEF 2014?
Nilsen: As a representative from the Norwegian public sector, I think the most interesting thing about ITSEF is the ecosystem the forum represents. The idea of bringing together entrepreneurs, academia and public sector to seek common ground and discuss ways to handle the cyber threats is the most interesting as I see it.
The CyberWire: Thank you, Mr. Nilsen.