The Swedish IT Blunder: Are Private Contractors Capable of Guarding State Data? Should they be?
The Swedish summer has been interrupted by perhaps the country’s most serious mishandling of state information in decades. The Financial Times reported that the Swedish transport authority, Transportstyrelsen, had exposed critical data. Sweden’s Prime Minister, Stefan Löfven, described the breach as “…a disaster. Extremely serious. It has exposed both Sweden and Swedish citizens to risks.”
In April 2015, IBM won a $98.6 million contract to handle IT services for the Swedish transport authority. IBM openly admitted to using foreign national staff across Europe to deliver those services. Despite protests from employees within the transport authority, as well as a formal investigation and recommendations from Säpo, the Swedish Security Service, Director General Mira Agren proceeded to ignore certain security requirements. She was fired in January and was recently fined over $8,000.
Confidential data, including individual police databases, possibly the private information of military personnel, and the details of Swedish citizens with protected identities, was accessed by several subcontractors in eastern European countries who were not cleared for sensitive information, as the data was handed over to IBM for cloud storage. This scandal comes as Stockholm’s Mayor recently released an ambitious plan to build the city into the most “smart and connected” in the world. At the same time, Säpo released a report warning that security levels are unable to keep up with rapid digitalization.
A political blame game has ensued, and Swedish politics has become quite animated, with emergency meetings, votes of no confidence against select ministers called by the opposition, and massive media coverage. The revelation that this breach was, in fact, noticed in 2015 has left PM Löfven seriously exposed: “I wish I had been informed earlier,” he remarked when the scandal broke. With general elections on the horizon for next year, such scandals provide a perfect scenario for disinformation, digital theft, and other elements of hybrid war. The scandal could not have come at a worse time.
Cyber security has been a leading growing pain for a country with such progressive branding and companies. Though never officially confirmed, activist groups reported that in late 2015 Sweden sent distress signals to NATO, claiming its infrastructure was under advanced persistent threat from sophisticated cyber-attacks, likely from state-sponsored sources. Last month, in a tell-tale irony underlining the importance of cyber security for the private sector, the CEO of Securitas, Sweden’s largest global company, had his identity stolen and was ‘declared bankrupt’ without his knowledge. Last month also marked the official release of Sweden’s first national cyber security policy.
As the media tries to hunt for the fault lines of responsibility within a massive public sector, the government issued an official inquiry asking all Swedish institutions to formally declare whether they have subcontracted IT services to external providers. The response was an overwhelming yes. The Swedish newspaper Svenska Dagbladet has published a list of all state institutions that outsource IT and data services. The results are drawn from a survey conducted last year by another institution, the Swedish Government Services Center, which itself also outsources IT services. General Manager Thomas Pålsson has said the scandal has affected the procurement of quality services because of a lack of qualified bidders: “I have been forced to cancel the entire procurement process for a state-of-the-art e-mail service because none of the companies fulfilled the requested security requirements,” he noted.
IT outsourcing by the Swedish state, a high public spender, currently amounts to some $37 billion per year. Whichever private implementers are involved, responsibility is currently undefined, which raises the question: “Who, if anyone, is responsible for protecting information, and are they even capable?” The new Director General of the Transport Authority says that only after this autumn can it be guaranteed that non-cleared personnel will no longer be able to access the very data that started the scandal.
Rick Falkvinge, founder of the Swedish Pirate Party, in addition to laying out the more elaborate risks posed by the data, stated openly in a prominent internet privacy blog: “Let’s be clear: if a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison. But not when done by the government themselves. Half a month’s pay was the harshest conceivable sentence.”