Netnod responds to the Ministry of Infrastructure interim report on secure and cost-effective IT operations

Netnod has responded to the interim report of the investigation on secure and cost-effective IT operations (SOU 2021:1).

The final report is due to be presented by 15 October 2021. The interim report is in Swedish with a summary in English. Netnod’s full response (available here) is in Swedish.

We see four main issues:

First, we do not agree with the interim report’s definition of the term “revealed” (röjd). Information cannot be considered revealed simply because it is managed by another party. Instead, information must be considered revealed when it cannot be considered sufficiently protected, regardless of whether it is known that anyone has actually managed to read the information.

We also do not agree with the interim report’s conclusion that a similar assessment should be made when information is transferred regardless of whether such methods as encryption are used or not. Instead, Netnod believes that encryption is a good way to protect information. In addition, encryption should be used regardless of whether the information is handled by a subcontractor or not. Routines and processes can and must be adapted to the protection value of the information. This should be regardless of whether it is the organisation itself or subcontractors who are handling this information.

Further, we believe that an overall problem with the interim report is that it uses existing legislation as a strict baseline, when what is really needed is new legislation based on today’s technical environments. An example is the proposed changes to the Public Access to Information and Secrecy Act, which we believe are based on reasoning around the problem instead of setting clear requirements and rules.

Finally, Netnod notes that the interim report does not consider the case of services that fall under the Electronic Communications Act (2003:389) as outsourcing. We observe that services that are currently recommended for authorities (such as RAKEL and SGSI) do not fall under this law. Netnod believes that the report should take into account the proposed changes in the legislation contained in SOU 2021:25 (Struktur för ökad motståndskraft).

Netnod’s full response is available here