Important Lessons for Sweden from the Cyber War in Ukraine

In 2022, 330 IT incidents were reported to MSB. This is fewer than in 2021, when 343 incidents were reported. The number of incident reports from authorities decreased from 261 in 2021 to 231 in 2022, while reports from other critical societal functions increased from 82 in 2021 to 99 in 2022.

– The fact that fewer incidents are reported likely does not mean that fewer incidents occur; there is a dark figure that may be due to, for example, incomplete routines, fear that the trust in the operation may be questioned, lack of time, or a desire to avoid police reports. MSB wants to see more reports in 2023 and urges all organisations obliged to report to take their responsibility. The more information MSB receives about IT incidents, the better we can support preventive work, says Mathias Antonsson, senior officer in the department for cyber security and secure communications at MSB.

Many IT incidents can be avoided

Of the IT incidents reported to MSB in 2022, 41 percent were due to system errors, 26 percent to mistakes, and 12 percent to some form of attack. MSB's assessment is that many of the incidents could be avoided with better routines and staff competence development.

– The fundamental systematic information and cyber security work must be prioritised higher and allocated more resources by organisations within critical societal functions. Reviewing all conceivable risks and making plans for continued operations if something happens makes a big difference in the impact of an incident. If critical services do not function, it can lead to serious consequences for citizens, says Charlotte Petri Gornitzka, Director General at MSB.

Theme on cyber warfare against Ukraine

The report includes a theme on Ukraine's defence against Russia's cyber warfare, a cyber war that has highlighted the importance of a resilient cyber defence in Sweden as well.

– The cyber attacks against Ukraine have largely been countered, and important societal functions have been maintained or quickly restored, something largely explained by good preparations where cooperation with other states and companies has been crucial. Sweden has much to learn there; we need to cooperate to make the digital infrastructure more robust and able to withstand serious cyber incidents, says Johan Turell, head of the department for cyber security and secure communications at MSB.

Measures for a strengthened cyber defence in Sweden

By mapping supply chains, avoiding dependencies on individual services, strengthening relevant collaborations, and planning for all kinds of risks, organisations can limit the effects of IT incidents. MSB presents several recommendations in the report to strengthen information and cyber security in Sweden. It mainly concerns three areas:

• MSB needs to be able to demand more information from critical societal functions and be given an expanded mandate to act on risks and vulnerabilities.
• Several investigations need to be conducted to clarify the missions and powers of central authorities related to cyber defence.
• MSB suggests, for example, that all critical societal functions should be subject to comprehensive information security requirements, which could be achieved by expanding the scope of the upcoming NIS2 regulation.

– Despite relatively few reported cyber attacks in Sweden, the risks should not be underestimated, especially in connection with the serious international situation. Being able to withstand serious cyber attacks is an important part of total defence since cyber attacks pose a constant threat to all parts of society. If information and cyber security work is prioritised and resourced, Sweden has the opportunity to be much better prepared in a short time than today, says Åke Holmgren, head of the department for cyber security and secure communications at MSB.