Mikkel Storm Jensen

In 2014, Denmark launched its first national strategy for cyber resilience of critical infrastructure (CI). The ‘National Cyber and Information Security Strategy’ and its two subsequent successors from 2018 and 2022 follow the Sector Responsibility Principle (SRP). According to the principle, the state distributes the task of achieving and maintaining societal resilience to individual sectors, for example, health, energy supply, or finance, while maintaining central oversight and responsibility for implementation. Denmark is not alone in taking this approach: in fact, all the Nordic countries have applied some version of SRP. Danish governments have over the last decade taken significant steps to implement and facilitate societal cyber resilience through development of institutions, strategies, legal measures, and public-private partnerships (PPP). That said, Danish governments have gone less far than, for example, Finland’s to take measures to achieve efficacy, and significant weaknesses are still left to be addressed. The article outlines the principles behind SRP and, using mainly Danish examples, demonstrates why implementation of SRP is both legally, organisationally, and echnically difficult but also politically ‘unpleasant’. Resilience is desirable but also a tedious chore. An inherent risk with SRP at both strategic, political level and individual private or public entity level are incentives to strive for legal compliance, rather than operational efficacy and act more according to a ‘sector responsibility avoidance principle’. In that light, the article outlines how the SRP has been implemented in Denmark so far, along with examples of both what drives the effort and challenges to successful SRP implementation.

For decades, few NATO members, predominantly the US, had the

capabilities to conduct offensive cyberspace operations (OCO).

Today more than half of NATO’s members have, or are acquiring,

offensive cyberspace operations capabilities (OCOC). Historically,

NATO’s planning and coordination is based on shared knowledge

of the members’ military capabilities, to a degree even their nuclear

capabilities. In the cyber domain, the principle has evolved to

include allies’ emerging defensive cyber capabilities. NATO’s

approach to OCOC, however, deviates radically: NATO’s doctrine

merely integrates OCO’s effects, that is, allow members to contribute

with OCOs in operations without sharing information with

allies on what OCOCs are available or how the OCOs deliver the

effects. OCOC’s technical and tactical characteristics incentivize

NATO’s members to keep OCOCs secret, also from allies. This results

in a dilemma: Either the allies providing OCOC’s effects risk sharing

sensitive information on the means, or the allies, who depend on

the provided effects, act without sufficient knowledge of the

deployed OCOCs to assess their efficacy, legality, or impact on

own offensive or defensive cyber operations. NATO’s limited

approach to OCOC is a pragmatic mitigation of the dilemma that

allows NATO to train and develop doctrine in the field further.

After a long and – from an analytical and philosophical perspective – relatively dormant existence as an analytical tool taught and used by Danish officers since the early 1960s, the Capability Cycle (the literal translation from Danish, “the Cycle, of Warfare” is somewhat misleading) has been thoroughly analyzed over the last couple of years. Theoreticians as well as practical users of the model have all demonstrated a number of ways in which the model is philosophically and methodically lacking as a proper scientific model. This article reflects the author’s thoughts on the criticism of the model as well as the suggestions to alter and expand it based on his own experiences with practical use of the model as a tool for real-world intelligence analysis through more than a decade. The critics are right to argue that the model is not a proper theory in the social science sense. However, this article finds that the model should remain unmodified with an inner circle representing the examined entity and an outer circle reflecting the society in which the entity originates. In its current format, the model is a simple, but effective tool for organizing the analyst’s available information. Furthermore, it is a means to help him or her focus the search for further information and to generate hypotheses that can then be tested with scientific methods.

Denne artikel handler om, hvordan cybervåben giver småstater en række nye strategiske muligheder.Den forklarer først, hvorfor der ikke er megen hjælp at hente i den eksisterende forskningslitteratur. Artiklen gennemgår derefter en række generelle karakteristika for cybervåben ét ad gangen og beskrive hvad de betyder for småstater generelt og Danmark specifikt. Det konkluderes, at cybervåben delvist ændrer balancen mellem småstater og stormagter i småstaternes favør. Men der er grænser for de muligheder, våbnene åbner. Særligt for småstater, der somDanmark knytter deres sikkerhedspolitik snævert til medlemskab af en militær alliance som NATO. Cybervåben er vanskeligere at anvende i NATO end konventionelle våben både på det strategiske og operative niveau – og især hvis vi ikke er i krig. Det er derfor måske ikke overraskende, at det stadig ikkeer helt klart, hvordan Danmark vil anvende disse våben – særligt i fredstid.

Siden 2003 har regeringerne i Norge, Danmark, Sverige, Finland og Island arbejdet med at udvikle og implementere nationale strategier for cyber- og informationssikkerhed. Strategierne omfatter mange forskellige områder; f.eks. institutionel kapacitetsopbygning, uddannelses- og forsvarspolitik, internationalt samarbejde etc. Denne artikel skitserer landenes forskellige strategier per august 20181 for statens rolle i samfundets cyberresiliens, dvs. de kritiske samfundsfunktioners evne til at modstå og overkomme negative effekter af hændelser med udspring i cyberdomænet. Endvidere skitserer artiklen de udfordringer, som regeringerne har konstateret, at opgavefordeling og ansvarsplacering har givet, samt hvordan implementeringerne af strategierne reflekterer disse erkendelser. Her har den finske regering vist sig mest konsekvent ved at placere ansvaret for implementeringen af cyberresiliens centralt i en magtfuld organisation og udstyre den med konkrete styringsredskaber og en stor, velintegreret kontaktflade til den private del af Finlands kritiske infrastruktur.

Danmark er et af de mest gennemdigitaliserede lande i verden. Staten, virksomhederne og borgerne udnytter i stort omfang internettets muligheder for at effektivisere og optimere. Bagsiden af de mange gevinster er nye, alvorlige sårbarheder over for angreb eller ulykker. Stater har de farligste cybervåben, men betydelige incitamenter til ikke at bruge dem.Kriminelle har færre ressourcer til at udvikle cybervåben, men ingen hæmninger i forhold til at bruge dem. Terrorister og aktivister har hidtil ikke vist sig i stand til at gennemføre alvorlige cyberangreb. Uheld og menneskelige fejl vil altid være en mulighed.

Over the last two decades the state’s traditional duty to defend its citizens against threats has been extended to a new man-made domain: the cyber domain. As part of this defence states have created systems for establishing a level of preparedness in order to ensure societies’ resilience. ‘Resilience’ in this regard describes societal robustness – not only to deflect outside pressure, but also to absorb its effects and constantly adapt to changing conditions by collecting knowledge of negative events, learning from it and implementing the experience. Denmark’s cyber resilience plays an increasing role, as digitisation has meant that threats in the cyber domain have changed from peripheral nuisances to questions of national security.Hence, the Danish government has initiated the development of a new strategy for cyber and information security. Also, Denmark has committed to implementing the EU NIS Directive concerning measures for a high common level of security of network and information.This report focusses on those governmental aspects of the strategy that play a role in Denmark’s resilience against cyber threats. The report suggests that the new cyber strategy, along with the implementation of the EU NIS Directive, is an occasion to adjust the current interpretation of the sector responsibility principle. The report finds that the sector responsibility principle must remain the basic principle for governance of societal resilience in Denmark, but that adding some central authority and clarifying the division of responsibilities may overcome identified weaknesses in the current implementation of the principle.