The Danes must prepare, but the state does not have control of the preparedness itself: ‘Deeply worrying’ (Does the USA?)

Posted on June 21, 2024


Over a year and a half after the National Audit Office pointed out serious shortcomings in the state’s IT preparedness, things are not under control, say the state auditors.

By Allan Nisgaard and Henrik Moltke

Today at 07:47

We all have to shop so that we can manage without electricity and water for three days.

This is what the government's new recommendations say, against the backdrop of growing threats of cyber attacks, from Russia in particular.

But at the same time as the Danes are hoarding water and batteries, the state has for years issued warnings about gaps in the security and preparedness of society-critical IT systems. And this is despite persistent attempts to sound the alarm, say the State Auditors.

– I am concerned and frustrated that the state is not doing enough to ensure that the collapses that the Danes are now being asked to guard against do not occur, says Mette Abildgaard (K), chairman of the State Auditors.

Denmark has around 90 IT systems critical to society. The National Audit Office, which is tasked with controlling the state, has investigated 25 of them in recent years.

The first 13 were investigated back in November 2022. Here, very serious errors and deficiencies were found in all systems, among other things due to a lack of preparedness for how to restore the systems after a crash.

Among the 12 other society-critical IT systems, serious deficiencies were pointed out in seven.

Some of the problems have since been resolved, but the cases have not yet been concluded. And the ministries and IT systems where the security requirements are still not met are kept secret for security reasons.

– Only seven of the 25 systems have satisfactory contingency plans. And although it has been several years since it was first concluded, it has not yet been rectified, says Mette Abildgaard.

What are critical IT systems?

Since 2018, the state has divided its IT systems into three categories: critical to society, critical to business and other (non-critical) systems. Those critical to society are the most sensitive and vulnerable, as prolonged breakdowns or cyber attacks can have serious consequences for the whole of Denmark.

“Critical IT systems are IT systems where major operational disruptions result in significant challenges for society as a whole, e.g. in the form of financial losses for the state, companies or citizens, prolonged breakdowns of critical infrastructure or real threats to national security”.

It is not public which systems are defined as socially critical.

Sources: The Norwegian IT Council – Status report 2023

May affect the security of the Danes

When the IT systems are critical to society, this means that they can pose a threat to national security if they break down or are hit by destructive cyber attacks.

– It can have a huge impact on Danes’ safety and everyday life. We cannot go out and say which systems these are. I can’t even say which ministries are responsible. Because that would pose too great a security risk, says Mette Abildgaard and continues:

– We have asked the responsible ministries to let us know as soon as we can publish which ministries are involved – that is, when it has been put in order. We haven’t been able to get permission to do that yet, and that says something about the fact that we haven’t succeeded in getting these systems fixed. It is deeply worrying.

As the ministries are secret, DR has not been able to put the criticism from the state auditors to them.

But DR has received a written response from Defense Minister Troels Lund Poulsen (V). He does not want to appear for an interview and does not address the specific points of criticism from the state auditors, but writes instead:

– I take the threats in the cyber area very seriously. It is important for our entire society that all government authorities, including the Ministry of Defence, have a solid protection of IT infrastructure and a satisfactory preparedness. Our efforts in this area must therefore also be continuously strengthened as the threats against Denmark increase.

The IT systems are outdated

According to Jacob Herbst, who is technical manager at the IT security company Dubex, the critical deficiencies are probably rooted in the fact that several of the state’s IT systems are old:

– There are some old IT systems in many places in the public sector. And they are difficult to handle. So my guess is that it is some of them that you have problems being able to restore if something were to happen.

– It is no secret that, for example, Tax has many old IT systems standing. If you imagine that some destructive cyber-attacks are made against Tax and that they find it difficult to correct the system, then we as a society have a huge problem, continues Jacob Herbst.

He supports Mette Abildgaard’s criticism and believes that the state has been too slow to do anything about the problem.

– It is probably an expression that this has not been given super high priority. And when you are suddenly met with this kind of criticism, it is difficult to resolve it overnight, says Jacob Herbst.

The state auditors consist of six politicians who keep control of government and administration. They are appointed by the Danish Parliament.

The state auditors check whether the state and companies use taxpayers’ money in an efficient and productive, frugal and legal way.

It is the National Audit Office that carries out the majority of the audit work, while the State Auditors review it.

Correspondent: ‘Dangerous to keep it a secret’

DR’s tech correspondent and host of the podcast Prompt, Henrik Moltke, joins the criticism. At the same time, he believes that secrecy is problematic.

– I think it is not only about security, but also about covering up the fact that you have run a kind of calculated risk by letting some outdated systems continue to run long after the last sell-by date.

Henrik Moltke assesses that information about which systems are vulnerable will probably not have a major impact on the risk of cyber attacks if it becomes more or less public:

– It is not the case that state hackers find vulnerabilities. They scan and poke loose, and then suddenly there is a rock or some mortar in the digital defense that has been loosened. They take advantage of that. If you think they don’t discover the vulnerabilities because we don’t talk about them, you only make it easier for them.

The National Audit Office informs DR that it expects to launch a new follow-up on the case with the first 13 investigated IT systems in August/September 2024.

https://www.dr.dk/nyheder/viden/teknologi/danskerne-skal-preppe-men-staten-har-ikke-selv-styr-paa-beredskabet-dybt
