Report: Swedish information security ‘not good enough’

IT security in some of Sweden's most important state-controlled agencies is so inadequate that it requires government intervention, according to a national auditor.

Report: Swedish information security 'not good enough'
Information security in government agencies has been criticised. Photo: Janerik Henriksson/TT

The Swedish National Audit office (Riksrevisionen) examined how nine government agencies conduct their work in relation to information security.

Among the bodies specifically scrutinized were the employment agency (Arbetsförmedlingen), National Grid (Svenska Kraftnät) Migration Agency (Migrationsverket) and maritime authority Sjöfartsverket.

“Our review shows that work on information security is not a sufficiently high priority among the agencies in relation to the risks that exist,” said auditor general Margareta Åberg in a press release.

The report warned that those deficiencies can lead to significant consequences, like when air traffic control operator Luftfartsverket closed airspace over Stockholm last week due to a network issue. And it will take some time for information security at the agencies to reach an acceptable level, it added.

“The paradox is that everyone agrees that good information security is a necessary condition for digitizing civil services and that more needs to be done. Yet so little as happened,” wrote Åberg and her colleagues Per Dackenberg and Marcus Pettersson of the National Auditor in an article in Dagens Nyheter.

In the review the National Audit office recommended stronger guidance from the Swedish government, with clear demands on what should be achieved and when it will occur.

It has also urged the state to allow the Civil Contingencies Agency (MSB) to develop a model on improving information security.