State information technology is vulnerable: audit
There are serious deficiencies in the way state authorities handle IT security, and the government has no control over the matter – this harsh criticism came on Thursday from the National Audit Office which launched a broadside on government agencies and how they handle sensitive data.
"It can have serious consequences if the information is lost, stolen, manipulated or spread without proper authorisation. If the security around information is lacking, there is a risk that government agencies and state-run companies cannot meet their obligations, such as paying out compensation, managing train traffic or providing society with electricity. Both the functioning of the individual and society as a whole can suffer," the National Audit office wrote in a press release.
The authority watchdog added that the government lacks a comprehensive picture of the present status of information security in state-run authorities, and thus lacks the ability to govern effectively. It said the Swedish Civil Contingencies Agency, (MSB), the Swedish Defence Radio Establishment, (FRA), and the Security Service Säpo lack an effective overview of IT security.
"It's really serious that there is a large lack of knowledge regarding the state of information security in the state authorities. The government should set clearer requirements on authorities and follow up to see if they are living up to the requirements," said auditor Claes Norgren.
The assessment by the National Audit Office (Riksrevisionen) shows that there are deficiencies in several areas, such as skills, procurement, supervision, monitoring, and control and coordination. Thirty-eight percent of authorities believe that such expertise, mandate or resources are insufficient.
It recommends that the government expand its oversight and investigate how the responsibility for this can be gathered and coordinated in a better way.
In response, the government's home affairs minister, Anders Ygeman, told news agency TT that the lack of oversight had existed for some time and was unacceptable.
"The National Audit Office came out with the same criticism in 2007 and since then almost nothing has happened and this is serious."