It is more serious now

Everything has to work

A modern infrastructure requires a solid and secure foundation, where vulnerability is reduced to a minimum. The premise of the digital foundation in 2023 is that everything has to work, all the time. Succeeding in this will be a decisive factor for how well we succeed in simplifying, improving and renewing our own operations and supporting the digitalisation of society.

The changed security situation affects the choices we make. Over the past 10-12 years, Telenor has built a holistic security organisation in Telenor Norway to safeguard and protect ourselves and our customers, and to help fulfil our social responsibilities. We work systematically in three areas: security, robustness and emergency preparedness to build, operate and develop as robust and secure a digital infrastructure as possible. We have increased vigilance in both the digital and physical domains, a lower threshold for reporting incidents, and even closer cooperation with the authorities, such as the National Security Authority (NSM) and the Norwegian Communications Authority (Nkom).

Meeting the technological and geostrategic shift

Over the past year, we have received a number of important reports that form the impetus for strengthened work on security and emergency preparedness. The Defence Commission (Forsvarskommisjonen) has made several recommendations to strengthen the capacity for cross-sectoral situational awareness and crisis management: that a national security strategy (NSS) be developed, that the Office of the Prime Minister (SMK) be given more staff power, and that the role of the crisis council (Kriserådet) be expanded.

The Total Preparedness Commission (Totalberedskapskommisjonen) has proposed a more robust emergency preparedness system, adapted to the challenges of our time. The report describes an improved emergency preparedness system with resilience to all forms of danger, across the crisis spectrum, and for as long as the situation lasts. The Commission summarises its main recommendations in ten points. A number of them concern Telenor's operations, in particular: closer integration of the business sector into the national emergency preparedness structure, expanded Nordic emergency preparedness cooperation, and intensified work on infrastructure and cyber security. These are all of strategic importance for our business.

For private companies such as Telenor, it has been important to emphasise that governance and cooperation must be formalised in order to achieve a more effective total defence in these areas, where private enterprises and companies are more systematically involved. Private enterprises in oil and gas, power, food, and electronic communications are important elements for maintaining societal security and state security because they own critical infrastructure. They have a natural role in total defence to provide insight and expertise about the functions they maintain and the dependencies they have to others. The fact that the Security Act is not fully implemented in all sectors is an obstacle to this.

New opportunities with the entire Nordic region in NATO

We have a long tradition of working closely together in the Nordic region. With Sweden and Finland in NATO, everything is in place for strengthening and furthering Nordic cooperation in the digital domain. Such cooperation is important to ensure robust and secure infrastructure in times of crisis and war. The experiences from Ukraine, where the international community and industry partners have participated, shows the importance of international cooperation to sustain digital services and infrastructure. It is incumbent on private companies in the Nordic region to develop this cooperation to its potential.

It is a positive sign that the Norwegian Ministry of Justice and Public Security has announced that «The government will map strategically important infrastructure in order to identify which allies and close partners we are most dependent on in order to secure national control, and will establish a close, binding and predictable collaboration with them»²⁷. At the same time, there is a need for a greater degree of cooperation across national borders. The security situation we face today is different and requires new strategies and choices. Closer Nordic cooperation could contribute to a more rapid effect if Nordic industrial partners can mobilise innovative power within frameworks based on strategic cooperation agreements.

We have taken note of the initiative for more binding cooperation and integration between the Nordic countries in the defence sector, and consider it natural that this should be seen in connection with similar processes on the civilian side. In our opinion, it is now very important that the electronic communications industry be given the latitude to share technical solutions and infrastructure across the Nordic region, within the framework of proper security, for increased resilience and robustness.

Telenor has particularly noted that the Total Preparedness Commission recommends that "Norwegian authorities, in connection with the Finnish and Swedish NATO membership, take the initiative for cooperation on cyber security and increased preparedness in the Nordic region". In Telenor's view, a Nordic initiative is needed to make better use of technical solutions and infrastructure such as fibre and data centres across Nordic countries and to make better use of the limited human resources with expertise in this domain. This will strengthen national security of supply with more resources close to Norway and the Nordic region as a whole, and stimulate the multinational technology suppliers to establish centres of expertise in the Nordic region.

Such cooperation will require changes and harmonisation of national regulations. This work should be initiated immediately.

Closer integration of business and industry

It is positive to see increasing recognition of the business sector as an emergency preparedness actor and emergency preparedness resource. From a preparedness perspective, this is crucial, as the Total Preparedness Commission has emphasised that "the business sector is more closely linked to the emergency preparedness and crisis management systems from the central level to the regional and local levels".

Telenor is a recognised Total Defence actor. It is not in ministries or directorates that National Critical Funtions (GNFs) will be affected, it will be in public and private, civil and military enterprises. Such actors with a critical function must therefore be better integrated into Total Defence in order to provide the insight and expertise needed to be better prepared to work together in conflict, crisis and war. This will require formalisation and considerable further work to have an effect.

Based on the commissions' reports, the Government and the Parliament (Storting) have an exceptionally good basis for clarifying frameworks, roles and expectations for critical enterprises in the private sector. Such a strengthening of emergency preparedness capacity should be driven by a need for innovation, transformation and sustainable value creation. A more strategic approach to the development and protection of competence and technology in critical communications should be given priority.

Strengthen the ability to handle digital incidents

Telenor takes note of the government's ambition for Norway to stage a coordinated response to national incident management. In Telenor's view, there is a need for strengthened cross-sectoral cooperation that brings together all domains, and where both public and private actors participate. In our view, the sector principle and associated fragmented coordination fall short in this regard.

Telenor took note of the Office of the Auditor General's investigation of the authorities' coordination of work on cyber security in the civil sector; Document 3:7 (2022-2023). The Office of the Auditor General confirms that "weak coordination of roles, responsibilities and requirements makes the work on cyber security demanding for the agencies", that cross-sectoral incident management has not been "adequately facilitated", and that there is "a need for more training in cross-sectoral handling of incidents at the national level". Telenor shares these assessments.

Training and exercise

Telenor has previously advocated for exercises across sectors where we test collaboration, interaction, leadership and coordination that may be relevant to handling actual incidents. In this context, the importance of practicing real-world scenarios must be emphasised.

In Telenor's view, increased use of exercises could contribute to strengthened cross-sectoral cooperation and leadership at strategic, operational and tactical levels. Good shared situational awareness, not just information sharing, will also put everyone with emergency preparedness responsibility in a better position to understand events in context and to capture the totality of hybrid operations. Exercises are also a good arena for building knowledge of each other's capabilities and working methods, as well as developing networks and relationships between key personnel at critical emergency preparedness actors.

Information sharing and platform for collaboration

Strengthened cooperation between the Norwegian security authorities, the Armed Forces, the police and other natural partners in the civilian sector is crucial for achieving more robust and safe emergency preparedness cooperation in Norway. Cooperation today lacks certain basic input factors and is too fragmented. In some areas, it is still more voluntary than binding.

Among other things, businesses do not have sufficient access to up-to-date threat and security information. In addition, many enterprises, as highlighted in NSM's advisory report A Resilient Norway (Sikkerhetsfaglig råd 2023), lack solutions for classified interaction. This is particularly serious when it comes to businesses that are part of Total Defence.

A particular challenge is that there are currently no commercial data centres or public cloud platforms adapted for enterprises subject to the Security Act. An increasing number of enterprises will have a need for cloud platforms and data centres for designated systems processing information worthy of protection (skjermingsverdig informasjon). It is therefore important that the authorities in various relevant processes, such as choice of concept for a national cloud solution (Nasjonal sky) or regulation of data centres, contribute to this goal being realised.

Harmonised security legislation

Telenor noted that the Norwegian Government has submitted a proposal for a law on cyber security, and that key objectives of this are to hold businesses accountable, ensure implemen- tation of national advice and recommendations, and facilitate the introduction of the EU's Network and Information Security or NIS Directive. Telenor's position is that the more providers of socially important services in key areas are obliged to implement security measures and warn of serious digital incidents, the more resilient our open and digital society becomes. This can contribute to a better coordinated response across sectors.

Competence and industry cooperation

Telenor is experiencing an increasing challenge with access to expertise in the technology and security field. There is a large deficit of such specialist expertise in Norway today. Not least, we experience challenges in the availability of personnel with the right security clearance. We believe that closer Nordic cooperation on this issue is necessary. Closer coordination will make it possible for more efficient utilisation of the competence base in public and private enterprises across Nordic countries.

In addition to national measures such as increased educational capacity in relevant disciplines, Telenor believes there is a need to strengthen the overall work of facilitating better technology utilisation and industrial cooperation. It provides an opportunity to draw on the technological knowledge that Norwegian, Nordic and international industry and business have to offer.

Telecom is an international industry with multinational suppliers, and from the supplier side, priority will generally be given to markets of a certain size. Nordic cooperation, with a more harmonised approach to security legislation and clearance processes, could contribute to growing to the necessary scale. Doing so might entice multinational technology suppliers to establish centres of expertise in the Nordic region. In addition to contributing to the region's digital resilience, this could also strengthen Nordic competitiveness.

A security policy foundation

Close technical cooperation between companies and organisations across national borders requires a security policy foundation. This entails harmonisation of security legislation and cooperation between national regulators at a completely different level than what we see today. With increasing pressure on talent and expertise, and concentration of the supplier market with ever longer supply chains, the individual Nordic countries are by themselves too small. Closer security cooperation across the Nordic region will enable us to realise completely different conditions for effective, secure and robust total defence.

There is a need for closer Nordic cooperation on security, resilience and emergency preparedness. A more harmonised legislation allowing the sharing of technical solutions and infra- structure across the Nordic region is necessary. Security is best built together.