In a recent Svenska Dagbladet article, Fredrik Olsson from NTT Security highlights the pressing need for Sweden to speak up about cyber attacks. The article dives into the high cost of cybercrime for Swedish businesses and suggests simple yet crucial steps to improve transparency and teamwork in tackling this issue. By adopting lessons from the software industry and taking strategic actions, Sweden can step up its game in cybersecurity. Let’s break the silence and face the challenge together.
This is the translated version of the article published in Svenska Dagbladed 2023-11-27: ”Inför sekretess vid cyberbrottsanmälan” | SvD)
“Introduce Confidentiality in Cybercrime Reporting”
Sweden needs to break the culture of silence surrounding cyber attacks and establish effective collaboration against this criminal activity. The solutions are closer than we think, writes Fredrik Olsson, NTT Security.
The cost of cybercrime for Swedish companies is almost 9 billion SEK – three times higher than last year, according to a new report from the Swedish Confederation of Enterprise (Svenskt Näringsliv). Ransomware attacks, where hackers demand a ransom to unlock critical data currently pose the biggest cyber threat to Swedish companies in terms of occurrence, rapid increase, and the significant damage and costs these attacks cause. Despite this, only 5 percent of ransomware attacks are reported to the police, according to the police’s National Operations Department, Noa. We can validate the insights Noa shares. The explanations often revolve around the fear of exposing vulnerabilities, shame, concern for a lost reputation, and a lack of faith that the crimes will be solved.
But this doesn’t have to be a culture that we accept. The software industry is a role model to be inspired by, where individuals are compensated for finding vulnerabilities in applications before the criminals do. This leads to quick fixes and updates in the form of so-called patches. Openness within the software industry has become a necessity for security work that the industry cannot do without.
The huge number of unreported cases benefits cyber criminals because it significantly complicates efforts to prevent more cyber attacks. The ability of cybersecurity actors to detect and stop cyber threats is largely based on the amount of intelligence data available to analyze and see patterns of cybercrime trends. This applies regardless of whether it is a matter of analyzing global data traffic with the help of AI or local crime statistics in Sweden.
Reports of cybercrime should, for these reasons, be able to be made with confidentiality, where the affected company can be anonymized in the material made public. This is necessary if we are to increase the volumes of reports.
Another obvious measure is to follow the example of countries like Denmark, where digital reporting of cybercrime can be done much faster and more smoothly than in Sweden. It would be a good addition even if it does not address the main reason companies refrain from reporting.
To be able to take advantage of the valuable data from the reports, competence, the latest technology and, not least, collaboration are required. Cybersecurity companies can certainly attract the most sought-after skills and use the latest AI technology, but they lack a very important capability. Because of their competitive position, private companies find it difficult to cooperate with each other without an independent body to coordinate the work. In Sweden, the Swedish National Defence Radio Establishment (FRA), has recently been given the responsibility to coordinate cyber security work and thus has the opportunity to take on this role. This is not a wheel that needs to be reinvented; there is already a well-functioning model in the United States that collaboration can be shaped after.
As a member of the Joint Cyber Defense Collaborative (JCDC), established by the U.S. Cybersecurity Agency, we can testify that national collaboration is both possible and effective. The insight of U.S. authorities that, with all their power, they cannot stop cybercrime without help from the private sector has become a great strength.
Sweden has the basic conditions for effective cybercrime prevention in place, but due to knowledge being isolated in silos, we cannot leverage our collective strengths. Increased transparency and effective collaboration can make us leaders in cybersecurity.
Regional Director, Nordics