The Inconvenient Truth About the State of Swedish Cyber Security

The luxurious conference room was packed to capacity when IVA released it latest report on the topic of cybersecurity today. Panelists came and went during two full hours; heads of the biggest telecoms, energy companies, security consultancies, even two representatives of the notoriously secretive military intelligence agency MUST.

The shared feeling among all speakers: apprahension.

Sweden regularly comes out on top when nations are ranked in terms of digital maturity. While that might be flattering, it also means that we’re highly vulnerable to ever more aggressive cyber threats.

This is an uncomfortable realisation that now seem to collectively dawn; apart from the IVA report, the think tank Fores recently released a report on the topic, as did the Royal Swedish Academy of War Science, as did RI.SE too. Everyone seem to agree: the nation is pretty much constantly under attack and we’re ill prepared to fight back. There’s very little reason to sleep well at night.

So what can be done?

Pontus Johnson from KTH expands on what most speakers keep coming back to: we need to design security into our products from the ground up. He describes how Microsoft – to mention just one top tier player in this game – discover one hundred new product vulnerabilities every month. There’s no way to keep up, even with the best human resources that money can buy. To quote one of the other speakers: you can’t build a skyscraper out of popsicle sticks, not even if each stick follows rigorous security standards to a T…

Another topic that everyone keeps coming back to, is how new structures for research and innovation around cyber security must be developed. The cross disciplinary scientific centre Scilife lab is mentioned as an inspiring model for what people here talk about in terms of Cyber campus Sweden (in planning phase, but it already has a web page).

As always with IT, there are a lot of neologisms flying around. One which was new to me: “the trust stack”. At the bottom of which academic research happens, fuelling product development which in its turn serves operational security in key industries.

Speaking of nomenclature, some people seem to think it’s unfortunate that we’re stuck with the prefix cyber, since in order to address vulnerabilities you can’t just focus on the tech, but often have to take a holistic view of the entire organisation, or even of society as a whole. As one speaker put it: “we can’t even make matrix organisations work locally, we need to admit that reality is not shaped in the form of silos, instead it’s one big lasagna.”

As the event unfolded, a new government was being formed a few blocks away. When news reached us that Pål Jonson (M) had been elected defence minister, an expectant gasp went through the crowd. This is the man who – apart from being exceedingly well schooled (BA from Georgetown, PhD from King’s College) recently published a debate article where he pledged to spend 50 million kronor on above mentioned Cyber campus Sweden, so looks like that will happen!

I left this event with mixed impressions. On the one hand there had been much pessimism expressed at how Sweden is far behind countries like Israel and USA in the cyber security race. On the other hand though, the event itself was one of the most well organised I’ve ever attended, it seemed like everyone who entered the stage knew exactly why they were there and beyond a doubt they also knew exactly what they were talking about. The whole thing felt, I don’t know, smart!

All in all I’m hopeful, and I do agree with Annika Avén from SOFF who said something which really hit home with me. She said that when it comes to innovating around cyber security we need to break out of the sandbox and zoom out, we need to start thinking big. I think that’s very true.