The Swedish government is tightening its public procurement regulations in an effort to increase cyber security. It estimates that this will affect hundreds of outsourcing projects a year.
The new rules, which come into force in April, require all government agencies with security-sensitive outsourcing projects to have them scrutinised by either the Swedish Security Service (Säpo) or the Armed Forces.
The new requirements will apply when a supplier can access or store sensitive data outside government agency premises. In such cases, consultation with the security authorities must take place before procurement starts, and those authorities are authorised to stop any outsourcing they deem to have insufficient security measures in place.
The changes to the procurement rules were first proposed in October 2017 in the aftermath of the Swedish Transport Agency’s IT security scandal. The roots of the scandal lay in the agency outsourcing its IT maintenance to IBM in the Czech Republic back in 2015.
In July 2017, it was discovered that proper security clearance checks had not been carried out, exposing driving licence data and information about all vehicles in Sweden – including police and military vehicles – to foreign IT workers without the required security clearance.
It was also revealed that the Transport Agency had outsourced firewall and network maintenance to a company in Serbia, potentially further exposing the data.
Sweden’s minister of justice and home affairs, Morgan Johansson, referenced the Transport Agency incident in a speech in January calling for a change of approach in outsourcing IT systems to private contractors. He said there was too much emphasis on outsourcing, and that sensitive data required greater protection. This is where the new rules come in.
Peter Hansen, operations and information security consultant at Capgemini Sweden, believes the regulation is a step in the right direction, particularly where IT outsourcing affects sensitive data on a national scale.
“This is quality control of the requirements which must be met by providers and should, if anything, make it clearer and easier to define the solutions suggested by the vendors, from a technical as well as a non-technical aspect,” he told Computer Weekly. “As long as the Swedish Security Police and Swedish Army get the additional resources they request, this shouldn’t affect the total [IT outsourcing] timeline significantly.”