Swedish signals intelligence agency to take over national cybersecurity center

After failing to achieve “expected results,” Sweden’s National Cyber Security Center (NCSC) is facing a range of reforms, including being brought under the control of the country’s cyber and signals intelligence agency.

The failures were assessed as part of a government review, rather than in response to a single incident, but come amid a changing geopolitical situation for Sweden, which formally joined NATO this March in the wake of the Russian invasion of Ukraine.

The restructuring will see Sweden move toward a model for its cybersecurity center similar to that of the United Kingdom, Norway and Denmark, where those bodies are parts of GCHQ, the Norwegian National Security Authority and the Danish Defence Intelligence Service, respectively.

The reforms have been recommended in an interim report, commissioned by the Swedish government into the cybersecurity center’s  shortcomings. The interim report particularly praised the British NCSC for its “outward profile” and its premises at Nova South in London, which had previously been criticized by MPs.

Sweden’s NCSC was established in December 2020, not as an authority in itself but more as a voluntary collaboration center between a handful of authorities, including sigint agency the Defence Radio Establishment (FRA) and the Swedish armed forces.

These authorities were tasked to use the NCSC to “coordinate the work to prevent, detect and deal with antagonistic cyber threats and other IT incidents,” as well as “convey advice and support regarding threats, vulnerabilities and risks” and “constitute a national platform for collaboration and information exchange with private and public actors in the cybersecurity field.”

To some degree, these were activities that were already being carried out by different agencies, but the initial structure meant the Swedish NCSC had no budget of its own, with funds instead coming from the participating authorities.

Alongside the legal challenges that limited the contributions of the participating authorities to their legally prescribed tasks, the funding limitations contributed to the NCSC failing to live up to the government’s expectations.

The government’s inquiry found that the NCSC lacked “clear goals, missions, and division of responsibilities,” and particularly took aim at narrow definitions of the center’s tasks limiting it to addressing “major” instead of “significant” incidents, and “cyberattacks” instead of “cyberthreats.”

Its recommendations, some of which will require legislation to be put into effect, are intended to help the NCSC achieve its overall goal of strengthening “Sweden's collective ability to prevent, detect and manage cyber threats and significant IT incidents.”

The recommendations focus on the NCSC adopting the responsibilities for different cybersecurity tasks currently spread across several Swedish authorities, and that the NCSC becomes a body wholly owned by the FRA, Sweden’s cyber and signals intelligence agency, although the other six authorities will continue to participate in it.

CERT-SE, Sweden’s national CSIRT (Computer Security Incident Response Team) is currently operated by the country’s civil contingencies agency rather than a cybersecurity authority. The inquiry recommends that these activities “should be transferred to the [FRA] and NCSC as soon as possible.”

Other changes are expected to be recommended in later reports from the inquiry.

The Swedish reforms come as many European countries are attempting to strike a balance within their cybersecurity apparatus between the intelligence services and aspects of government that are more used to engaging with the public and with industry.

While this is expected to be challenging for the FRA, the model in Britain, Norway and Denmark — which the government report praises — suggests it can be done effectively.