Norway’s corporates want government to support ‘herd immunity’ to cyber attack

Norway’s IT and telecoms industry chiefs are demanding decisive action by prime minister Erna Solberg’s Conservative-led government to eliminate shortcomings and enhance network security in the country’s national cyber defence systems and infrastructure.

Telenor ASA, the Oslo-based telecoms group that is 54% owned by the Norwegian state, has become increasingly vocal about the need to improve the country’s preparedness against the escalating threat emanating from the cyber domain. The company has called for a closer partnership between state and private companies to develop a “digital herd immunity” capability with the aim of countering cyber threats more effectively. 

“If companies could build a base within digital security, and if all companies can do this simultaneously, then we can raise the bar and make it more difficult for both criminal and other bad actors in the cyber domain to attack,” said Tangen Nilsen, Telenor’s chief security officer. “This is what we are looking for in herd immunity.”

Telenor wants the government to implement new measures to improve the country’s national digital and cyber security infrastructure.

The ongoing controversy over Huawei has sharpened the debate around personal data and privacy laws in Norway. In July, the Department of Regional Development and Digitisation indicated its support for new measures to improve consumer knowledge and information concerning the content and origin of digital equipment and services sold and used in Norway.

A survey conducted by market research organisation Kantar TNS in August revealed that just 31% of respondents were able to name the country of origin for the equipment and digital services they used. Some 43% of respondents expressed the fear that some digital equipment producers may be linked to personal data theft, identity manipulation and cyber espionage.

The growth in industry-wide support for a strategic “digital herd immunity” approach to cyber defence building is contained in Telenor’s Security report 2020. The report called for government action to build effective defences against more regular, sophisticated and increasingly malicious attacks from cyber space on critical digital IT systems and infrastructure operated by public and private organisations in Norway.

Telenor’s report proposes the establishment of an autonomous cross-sectoral government agency tasked with conducting threat concept development and risk impact assessment at a national level. The proposed agency would formulate solutions and responses to meet the widest range of cyber threats.

“There is a strong level of cooperation at the operational level between the private sector and state security centres that share information,” said Tangen. “Alongside this, we need a cross-sectoral national and strategic level organisation with the capacity to recognise links between different types of events to determine whether such an event is a coordinated hybrid attack or just coincidence.”

Telenor has set about improving cyber defence capabilities through a broad cooperation with large Norwegian companies such as Equinor, DNB, Norsk Hydro, Storebrand, Aker and Orkla. Industry chiefs are mindful that the impending arrival of 5G, and the rapid adoption of new technologies such as the internet of things (IoT) and machine learning, also creates new vulnerabilities and security risks for corporate IT networks and data systems. 

Nordic companies are hoping for strengthened government-led cross-border relationships in the cyber defence domain, as well as enhanced collaboration between national cyber crime centres.

Telenor, which launched a Nordic Hub project to stimulate growth in 5G and IoT technologies across its Nordic markets in the second quarter of 2020, has joined the ranks of an increasing number of large, regionally headquartered corporations that are providing cyber defence expertise and solutions for their customers, especially clients in the small to medium-sized enterprise (SME) category across Nordic markets. 

The urgency for a government-led preparedness plan to bolster cyber defences and protection for digital networks and critical data infrastructure was highlighted in April following the discovery of a major data breach at the headquarters of state-controlled private equity company Norfund.

The advanced data breach not only penetrated Norfund’s multi-tiered security defences, but also manipulated the organisation’s IT system to transfer a $10m loan intended for a Cambodian microfinance organisation into an offshore bank account controlled by the hackers.

The level of ingenuity used in this hack meant that the fraudulent transaction went undetected at Norfund for weeks, said Tellef Thorleifsson, Norfund’s CEO.

“The fraud exposed our vulnerability to actively using digital channels to conduct our business as an international investor and development fund,” he said. “As an organisation, we are taking swift action to ensure this can not happen again. Through collaboration, we also need to do more as a country to defend against cyber attacks of this kind.”

Norfund, which currently has about $2.8bn worth of investments committed to 163 projects in developing countries, launched a forensic investigation into how hackers breached the organisation. This revealed that the hackers manipulated and falsified information exchanges with individual loan department personnel over a period of months, while taking over the identity of the microfinance borrower in Cambodia.

The investigation resulted in Norfund hiring PwC to conduct a root-and-branch analysis to evaluate weaknesses in its IT security set-up. Norfund is also working with Norway’s cyber-crime law enforcement agencies and its bank, DNB, to track down and identify the criminals behind the fraud.

DNB has seen a dramatic increase in cyber attacks similar to that used to defraud Norfund, said Terje Aleksander Fjeldvær, head of the bank’s financial cyber crime centre.

“The attack on Norfund was serious, advanced and sophisticated,” said Fjeldvær. “It is the type of cyber crime that is unfortunately becoming an all too common experience for financial groups and companies generally. In Norfund’s case, the hackers gained access to email communications between two parties. They became familiar with how the parties communicated. The illegal transfers initiated deviated very little from Norfund’s standard payments routine. It was not easy to detect and prevent.”

The cyber attack on Norfund has prompted other big financial institutions in Norway, including central bank Norges Bank and financial supervisory authority Finanstilsynet, to run combined cyber resilience and contingency testing programmes. The objective is for Norges Bank and Finanstilsynet to jointly devise a framework to test the cyber resilience of Norway’s banking and payments system.