The National Strategy for Cyber and Information Security (NCIS) 2022-2024 focuses on ensuring secure ICT operations in government and critical infrastructure, as well as equipping citizens and businesses with the tools and skills to navigate the digital sphere safely. Domestic and international cyber threats demand a joint effort if we are to protect Denmark from malicious cybercrime and cyber espionage.
The strategy has four strategic objectives which set the framework for the development of a stronger and more secure digital Denmark.
1. Robust protection of vital societal functions
Maturity in working with cyber and information security is generally increasing in Denmark, including in government authorities. However, several key challenges remain, including achieving a sufficient understanding of cyber threats and dealing with complex ICT systems that make the work difficult.
Vital societal functions, such as energy supply, rail transport, and research, increasingly rely on digital systems and technology, making it necessary to focus on the critical ICT infrastructure that supports those functions.
There is a need for a better overview of the critical ICT infrastructure and dependencies between the ICT systems that support vital societal functions. Therefore, the ministries responsible for vital societal functions must have a clear plan for cyber security work and be part of operational cooperation.
Since 2016, Danish government agencies have been required to follow the international security standard ISO/IEC 27001, which sets best practices for information security management. Over a third of the agencies have yet to complete the implementation of the standard.
Additionally, many agencies lack basic technical security measures. Likewise, the level of security for a large part of the central government's ICT systems that are critical for society is currently inadequate.
2. Increased level of skills and management commitment
People in Denmark are becoming increasingly aware of cyber and information security. However, translating this awareness into knowledge, skills, and action to boost cyber and information security is a significant challenge. This applies both in people’s private and professional lives.
In government authorities and businesses, cyber security requires top management commitment to make security a more integral part of the management function, and this requires the right skills. However, small and medium-sized enterprises, in particular, lack the skills and resources to implement appropriate security measures. Moreover, there is a cross-cutting challenge in recruiting and retaining employees with relevant cyber and information security skills. Thus, there is a need to increase the supply of professional skills if security is to be raised across the board.
Additionally, there is a need for initiatives to promote better skills within the Danish population generally.
3. Strengthening cooperation between the public and private sectors
The ability to share knowledge and experience on cyber and information security incidents is essential to achieve a high security level. For this reason, there is a need to strengthen collaboration across sectors to become even better at sharing knowledge and learning from each other. Government agencies also need to be better at using data from reports to disseminate knowledge about threats and vulnerabilities.
There is a high demand for centralised consultancy, and there is a need to strengthen capacity and the overall advisory support of government agencies to meet this demand.
People and businesses may currently find it difficult to know where to turn and what advice they need if they are exposed to phishing attempts and hacking. Residents can get advice from the identity theft hotline, which was established in 2021. However, there is a need for broader help and consultancy for both people and businesses.
In the business sector, stronger and closer cooperation is needed. In general, initiatives targeted at SMEs remain fragmented and often take the form of awareness-raising activities and guidance initiatives only. If cyber and information security is to be boosted in the entire business sector, it is crucial that the overall business effort for cyber and information security is coordinated and coherent. Concrete tools are needed to keep Danish companies competitive.
4. Active participation in the international fight against the cyber threat
International cooperation in the EU, UN, and NATO and with like-minded countries must be strengthened. Conducting cyber-attacks against Denmark has to be difficult and have consequences.
The digital domain is an integral part of international politics in the twenty-first century, and it has become one of the front lines in the defence of the law-based international order.
Denmark is continuously under attack from other states. Malicious actors want to steal valuable information and high-tech knowledge, or deploy malware that can later be used in tense situations. Although Denmark can do much on its own, there is also a need for strengthening international cooperation with the organisations that can develop norms and define standards for cyberspace if the underlying causes of cyber-attacks are to be fought.
In short, there are a number of challenges but also opportunities on the international cyber and information security scene. The National Strategy for Cyber and Information Security initiates a number of efforts to strengthen Denmark’s international profile, build stronger bridges to the international tech and cyber security industry, and ensure that it remains costly to conduct cyber-attacks and espionage against Denmark and our allies.