Norway officially adopted its national strategy in 2012. In June 2017, the Norwegian Ministry of Justice and Public Security published its first white paper ("Stortingsmelding") on ICT/cyber security, with the title "ICT security. A shared responsibility" (in Norwegian). The white paper makes an evaluation of the current landscape, such as electronic communications, energy supply, oil & gas, financial services, water supply, and several others. The thrust of the paper is the growing number vulnerabilities as the result of digitalisation. These vulnerability challenges cross boundaries between countries, sectors and enterprises and as such erase the traditional distinction between war and peace, while challenging the division of responsibility between civilian and military sectors.
The Government will therefore seek to:
- Strengthen co-operation between private and public organisations, civilian and military organisations, and across borders.
- Appoint a committee to consider the legal regulation of ICT security.
- Establish a national framework for digital incident response.
Furthermore, by establishing a national strategy for ICT security competence, the Government will facilitate long-term development of such competences. The Government considers the following areas to be particularly important:
- Preventive ICT security – the individual organisation's ability to manage security.
- Attack detection and response.
- ICT security competences.
- Critical ICT infrastructure.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
|Year of adoption||
Norway National Cyber Security Strategy 2012; White Paper on new plans June 2017.
|Updates and revisions||
The Action Plan (Norwegian) describes in detail specific aspects of the national strategy, was published by the Norwegian Government in 2012.
The national strategy is built on 4 main objectives: Obj. 1 - Better coordination and common situational understanding; Obj. 2 - Robust and secure ICT infrastructure for everyone; Obj. 3 - Good ability to handle adverse ICT events; Obj. 4 - High level of competence and security awareness. This will be achieved by 1. ensuring a more comprehensive and systematic approach to information security; improving ICT infrastructure; ensuring a common approach to information security in public administration; safeguarding society’s ability to detect, alert and handle serious ICT incidents; safeguarding society’s ability to prevent, detect and investigate cyber crime; making continuous efforts to raise awareness and competence and delivering high quality national research and development in the field of information security.
The June 2017 white paper provides insights into the evolution of the national strategy.
|Implementation and monitoring||
The national strategy was jointly developed by the Ministry of Government Administration, Reform and Church Affairs, the Ministry of Defence, the Ministry of Justice and Public Security and the Ministry of Transport and Communications.
The Ministry of Justice and Public Security is primarily responsible for following up the strategy.
|Operational capacity building||
Norway has serval computer emergency response teams as part of the country's capacity-building strategy.
NorCERT (Norwegian and English) is the national computer emergency response team, operating under the National Cyber Security Centre (NSM); (Norwegian: https://nsm.stat.no/; English: nsm.stat.no/english/). Its tasks include dealing with counter threats to the independence and security of Norway and other vital national security interests, primarily espionage, sabotage or acts of terrorism.
UNINETT (English; www.uninett.no/en) develops and operates the Norwegian national research and education network, interconnecting about 200 Norwegian educational and research institutions and more than 300,000 users, as well as giving them access to international research networks. It is a neutral party, and is run non-profit. UNINET CERT (English) is its computer emergency response team.
UiO-CERT (English; www.uio.no/english/services/it/security/cert/) is the computer security incident response team (CSIRT) for the University of Oslo, handling IT-related security incidents, such as virus, break-ins and vulnerabilities for the constituency.
FinansCERT is a dedicated industry computer security incident response team (CSIRT) for the Norwegian financial sector, which is represented by Finance Norway – FNO. It serves banks, life insurance and pension companies that are members of Finance Norway (Norwegian: http://www.finanscert.no/index.html; English: http://www.finanscert.no/engelsk.html).
Basefarm Group's Security Incident Response Team Basefarm SIRT/BF-SIRT). Its constituency is industrial, ISP Customer Base, Basefarm AS (Norway), Basefarm AB (Sweden), Basefarm BV (Netherlands), acting as the primary contact point for the Group.
The white paper published in June 2017, highlights the importance of the legal aspects of ICT security with the establishment of a committee to investigate these aspects and future evolutions of the legal framework in Norway.
Other capacity-building measures: research and education
Norway is a good practice in terms of education and research on topics related to cyber security.
The Norwegian Center for Cyber and Information Security (CCIS) is a partnership of key national cyber security stakeholders, giving access to a variety of resources, both funding and man-power. The institution operates in close co-operation with the Norwegian University of Technology (Norges teknisknaturvitenskapelige universitet; NTNU). One of its primary tasks is to ensure that education in the field of cyber security is available at all levels from elementary schools to post graduate university studies.
The COINS Research School of Computer and Information Security is led by CCIS/NISlab. Participants in the research school include NTNU, University of Oslo, University of Bergen, University of Agder, University of Stavanger, and University of Tromsø. COINS integrates Norwegian research groups in Information Security to a larger entity by building stronger relationships between doctoral students in the network, establishing more incentives to excel and increasing student mobility through access to a larger network, including the hosting of internationally recognised researchers.
Other examples include:
Master of Science in Information Security: cryptography and security mechanisms.
PhDs in Computer Science and Information Security.
Research programmes span a variety of topics, such as cyber defence, critical infrastructure, information security management.
|Other measures||To assess the current status during follow-up of the strategy’s priority areas, the Government will regularly request a status update for sectoral implementations of action plan initiatives, in order to monitor developments in information security. The Ministry of Justice and Public Security is responsible for this work. An inter-ministerial group will be appointed to monitor the strategy continuously over the long-term. The group’s work will include following developments in security challenges and trends, and assessing whether those developments will trigger a need to revise all or part of the national strategy on an ongoing basis.|
Compliance with the GDPR and NIS Directive: Report a cyber incident
|Report a cyber incident to national CERT/CSIRT||
Basefarm Group's Security Incident Response Team Basefarm SIRT/BF-SIRT)
Constituency: industrial, ISP Customer Base, Basefarm AS (Norway), Basefarm AB (Sweden), Basefarm BV (Netherlands), acting as the primary contact point for the Group.
|Guidance and Updates||
cert.no, https://nsm.stat.no/ provides updates on new cyber threats, related news and events. All information is provided in Norwegian as the English version does not feature these updates.
Twitter (Norwegian): @NorCERT provides information in both Norwegian and English.
|Date of last WISER analysis||July 2017|