About the Danish Cyber and Information Security Strategy 2018-2021

Strategic benchmarks: Everyday Safety for Cititzens and Business; Better Competencies; Joint Efforts.

The Danish government has presented a new national strategy for cyber and information security. With its 25 concrete initiatives, the strategy will strengthen government security, improve the competencies of the population, and ensure far more coordinated efforts and initiatives across authorities.

A digital society demands high information security

Denmark is at the forefront in the use of digital solutions. This is crucial for further development of the welfare society. At the same time, the cyber threats against citizens, businesses, and public authorities have become more frequent and ever more advanced over a short period of time. This puts new demands on digital security and database protection for the authorities, businesses and citizens.

It is vital that work on cyber and information security is made more professional and constantly developed and updated. A new Danish Cyber and Information Security Strategy 2018-2021 will raise the national level of digital security in society. The strategy will enhance the technological resilience of digital infrastructure, improve citizens’, businesses’, and authorities’ knowledge and skills, and it will strengthen national coordination and co-operation on information security.

The government is launching 25 initiatives in the strategy. Six targeted sub-strategies have also been launched to improve cyber and information security in critical sectors, i.e. the telecommunications, financial, energy, healthcare, transport and maritime sectors.

Strategic benchmarks

The strategy sets out three benchmarks for work over the years to come.

1. Everyday safety for citizens and businesses

Central government, together with the critical sectors, is enhancing its technological preparedness to be able to protect critical IT systems and data. Among other things, all authorities will have to adhere to the principles in the international information security standard, ISO27001. Furthermore, monitoring of critical government IT systems will be established.

The authorities must also be much better at managing and coordinating work, so that everyone is geared to the current threat scenario. Furthermore, they must be better at working together; both with regard to prevention, and in the event of an actual attack. A national cyber situation centre will be set up to maintain an overview of both current and potential threats against Denmark.

2. Better competencies

Digital competencies in Denmark must be improved. Citizens, businesses, and public employees at authorities must be able to deal with the increasing threats against cyber and information security.

Digital competencies and knowledge about security will be incorporated throughout the educational system, from municipal primary and lower secondary school to research at universities. This will ensure that children and young people develop digital judgment. Research in the area must ensure that more employees acquire the specialist cyber and information security awareness demanded by Danish businesses and authorities.

It should also be easier for the individual citizen to obtain information about secure online behaviour and about what to do if things go wrong. Therefore, one common information portal will be set up for citizens, businesses, and authorities, with information about current threats, as well as tips on how to protect data.

Finally, government managers and employees must have more cyber and information security awareness. There will be focus on promoting ICT security and responsible data processing by businesses.

3. Joint effort

There is a need for better protection of ICT systems and data in the critical sectors, i.e. the telecommunications, financial, energy, healthcare, transport and maritime sectors. An attack in these sectors could paralyse large parts of society or have major consequences for humanity. For example, if the ICT system at a power station or hospital collapses.

Therefore, the strategy places greater demands on work by the six critical sectors to prevent serious cyberattack. Before the end of 2018, each sector will have drawn up a sector-specific cyber and information security strategy and have established a dedicated cyber and information security unit. These units will help prepare sector-specific threat assessments, establish monitoring of critical systems, and conduct emergency preparedness exercises and drills.

Moreover, national coordination will be enhanced to improve coherence between operational initiatives and the overall strategic approach to cyber and information security.