Norway’s public and private enterprises must do more to protect their IT systems and infrastructure against increasing external threats from the cyber domain.
This stark warning was given in a report by NSM (Nasjonal Sikkerhetsmyndighet), the Norwegian security authority tasked with protecting critical IT infrastructure.
The NSM’s report A safe digital Norway – ICT risk picture 2018 takes a forensic look at the most pressing vulnerabilities threatening the country’s IT systems and infrastructure.
For organisations and their leaders, the report is as a timely reminder for unremitting vigilance. The clear message to organisations is that the scale of threats posed by “hostile foreign actors” against their IT systems and critical national infrastructure is growing.
Norway has adopted a collaborative approach to strengthening its defences against malevolent external cyber threats. Government officials, national security agency chiefs and industry leaders are currently engaged in roundtable discussions to deepen their cooperation.
This private-public sector alliance could create better channels for information-sharing on emerging risks, and joint expert panels can evaluate the risks and develop effective solutions.
The range of threats, both random and anticipated, against IT systems continues to grow year after year. The NSR (Næringslivets Sikkerhetsråd), a security council for Norwegian business and industry, has estimated that almost 40% of companies in Norway were exposed to information security fraud in 2017.
Online economic crime is growing because of the digitisation of payment systems. and is being driven by the evolution of more sophisticated digital tools to commit financial crimes online.
“The most common and highest-risk threats remain malicious actors operating in the foreign intelligence domain, along with malicious data-capturing criminality,” said Bente Hoff, NSM’s deputy director of cyber security. “Right now, these constitute the biggest digital threats to business and industry in Norway. The primary and most vulnerable targets are government administration, defence, finance and high-tech companies.”
Worryingly for IT network security, the NSM report identified an emerging threat to unnerve business and industry leaders. The organisation’s updated intelligence revealed that an increasing number of foreign malicious actors are criminal organisations bent on not only taking control of IT systems, but using hijacked IT systems and networks to establish “command hubs” to conduct criminal activities.
The NSM report is an alarm call for Norway’s government and industry chiefs. In its examination of poor IT system defences and network vulnerabilities, the NSM has identified a range of digital threats posed by both foreign intelligence agencies and criminal organisations. Often motivated by industrial espionage, these actors set out to target inadequately defended and unsecured servers and internet of things (IoT) devices to gain control over IT systems and digital equipment.
“These illegally appropriated IT systems are subsequently incorporated into the global infrastructure of the threat actors,” the report said. “The compromised systems do not constitute targets in themselves, but act as intermediaries for traffic between the real target and the threat actor. They become bridgeheads in further operations against other targets.”
While the increased threat posed by foreign criminal organisations is a new worry for private and public sector organisations, the NSM report also observed that “everyday threats” to IT system security continue to flow from the “usual suspects”, such as distributed denial of service (DDoS) attacks, phishing and cyber-distributed computer viruses.
“We are seeing both predictable and fresh threats,” said Hoff. “The incidence of attempts to gain control of servers and use them for criminal purposes is new. We are also seeing more evidence of so-called recognition and mapping, where there is continuous scanning activity to identify weak points in a system’s defences.”
A valuable insight into the scale and range of the perceived threat to critical IT infrastructure emerged in September when the PST, Norway’s national security agency, arrested and charged a Russian government official on suspicion of espionage and compromising the Stortinget’s (national parliament) computer systems.
Bugs and listening devices detected
The PST and the NSM conducted a joint technical sweep of the parliament building, which detected the presence of data capture software, voice-activated surveillance bugs and electronic listening devices in computer and digital printing equipment. Norway’s defence ministry offices and computer system was a focal point for the technical inspection.
The Russian official, identified as MA Bochkaryov, was detained at Oslo Airport as he prepared to fly back to Moscow. The official had attended an international seminar on digitisation in the Storting’s conference hall.
“Gaining access to the Storting’s core IT systems and databases would provide a gateway to a treasure trove of valuable knowledge about political and strategic decisions taken by the government and parliament,” said Jack Fischer Eriksen, the NSM’s administrative director.
Security sensitivities around the digitisation conference were sharpened by a parallel series of meetings in the Stortinget building involving advanced planning of Nato-related military exercises in northern Norway during the final quarter of 2018.
The NSM’s Hoff said effective enhanced security to protect IT systems, networks and critical infrastructure will only be possible if company managers and security officers are prepared to take a committed leadership role and long-term view of risks and threats from the cyber domain.
“All businesses need to have a greater awareness of the prevailing risks,” he said. “Company leaders should ensure that the measures they take to secure their IT systems specifically address the risk picture.
“Measures introduced must track trends and changes in the economy as society becomes increasingly digitised. It is crucial that competence in IT security be prioritised in all businesses.”