Europe must adapt to ‘permanent’ cyber and hybrid threats, Sweden warns

MUNICH, Germany — Cyber and hybrid threats are now a permanent feature of Europe’s security environment, a senior Swedish defense official said Thursday, warning that societies must be built to function under sustained pressure rather than assuming disruptions will be rare.

Lisa Gustafsson, director of foreign intelligence and cyber at the Swedish Ministry of Defence, made the remarks at the Munich Cyber Security Conference, citing Russia’s full-scale invasion of Ukraine as a turning point that has normalized the combined use of military force, economic pressure, information operations and cyber activity.

“We are now living through a long-term confrontation in which military power, economic pressure, information operations, and cyber activities are used in combination, persistently, and deliberately,” Gustafsson said. 

“The most dangerous assumption is that disruptions will be rare or limited,” she added. “Our task is to build societies that can withstand severe pressure and still function.”

She said conflict is increasingly being waged below the threshold of open war, with cyber operations and information campaigns often aimed at undermining public trust and creating a sense of insecurity rather than causing immediate physical damage.

Gustafsson explained how, in response, Sweden is carrying out its largest rearmament since the Cold War while rebuilding its civil defense and strengthening national cybersecurity under its “total defense” concept, which treats security as a whole-of-society responsibility.

Critical services such as health care, energy, transport, communications and food and water supply are increasingly digital and therefore more vulnerable to cyber disruption, she said, adding that the armed forces depend on those civilian systems to operate.

“Deterrence must once again be made credible,” Gustafsson said, not only through military strength but through resilience and a society able to function under pressure.

Under Sweden’s model, civilian authorities are responsible for protecting essential public services, the military handles cyber defense of defense-related systems, and the National Cyber Security Centre (NCSC) coordinates the overall effort alongside the national computer emergency response team.

Moves to bring the NCSC under the control of Sweden’s cyber and signals intelligence agency — the Defence Radio Establishment — formally began in 2024, after a government inquiry established it was failing to achieve “expected results” under its existing structure.

The failures were assessed as part of a government review, rather than in response to a single incident, and came amid a changing geopolitical situation for Sweden, which formally joined NATO in the wake of the Russian invasion of Ukraine.

The model, similar to that of the United Kingdom’s NCSC, will see the agency collaborate with the private sector, which operates much of the country’s critical infrastructure and is expected to play a central role through information sharing and joint preparedness planning.

“Large parts of our critical infrastructure, including energy, telecommunication transports, and digital services are owned or operated by private sectors,” said Gustafsson. “Effective cybersecurity depends on deep, public, private corporation, structured information sharing, and not the least joint preparedness planning.”