Another Expensive Crash Landing of Public IT Spending?

Martin Beyer
ESST Graduate 2017

Digital defence and IT security have been major concerns of public and private sectors for a while now, and with the amount of information produced today, these issues are more pressing than ever. Now, the public sector also aims to digitize their services. With more services going online, authorities worry that we may become an easy target. The debate concerning a digital border defence has resurfaced.

Digital information constantly flows across our borders through old-fashioned landlines. Norwegian security authorities claim they need access to all the information sent through these landlines to collect relevant and incriminating information regarding terrorism and other serious crimes. Others, however, question whether the authorities can actually find anything relevant to use from this surveillance, or if it is merely an excuse for mass surveillance. Will this digital border defence open a backdoor to your internet activity and give birth to other security issues?

Ninety-nine percent of all internet traffic crosses the border through landlines, even communication between Norwegian devices. The Norwegian Intelligence Service (NIS) (E-tjenesten, editor’s note.) wants to access this traffic in order to identify and gather evidence exclusively from foreign actors. It is not within their mandate to prosecute domestic parties. However, as the Internet is international, the difference between foreign and domestic actors is not at all clear. When you message a Norwegian friend through Facebook Messenger, the traffic is routed through Facebook’s servers that are located in Sweden and the US. It most certainly is not the scope of the NIS to deal with domestic issues, but the Internet blurs the lines between national and international. To collect communication between foreign actors, they will also need to collect domestic data, as long as the internet is global. What will happen with this data is difficult to say.

According to former Minister of Defence, Ine Eriksen Søreide, the NIS does not have exclusive access today and the nation’s systems are not built to uncover advanced cyber attacks or communication regarding terrorism or other sinister crime. Critical systems can be under attack for a long time before we even realize they are being targeted. Søreide argues that a digital border defence is a necessary step to make us capable of protecting our assets, our elections and our digital integrity. But at what cost?

The Data Protection Authority (Datatilsynet, editor’s note.) opposes the idea of a digital border defence and says that it violates both the constitution and human rights. Their main concern is that a digital border defence, as outlined by the government, will store metadata that is personified and untargeted. They worry we are close to a slippery slope where normal criminal investigation could access the same information – even though NIS is reassuring us this will never happen.

SINTEF fears the effect it could have on the public – many people might avoid important legal services due to increased surveillance. This effect is called the ‘chilling effect’ and makes a digital border defence into a matter of security versus democracy.

This, however, is not just a debate on whether a digital border defence is a good idea. It is also a question of whether or not it will work. Hollywood gives us the impression that intelligence services have access to cutting-edge technology – often not yet available to the public – and can do whatever they need to do, given the right authorization. But the truth is rather the opposite. Lise Lyngnes Randeberg, president of Tekna, has stated that Norway does not even have the technological capabilities to operate a system like this. In addition, SINTEF argues that people with the right resources and competence will be able to circumvent the surveillance system by using encryptions that cannot be cracked.

Remembering the debate concerning the Data Retention Directive (Datalagringsdirektivet, editor’s note.), we learned that there was no evidence that a defence system like this has actually ever helped solve crime. The system was too slow and easy to avoid, and the authorities usually had the ability to find targeted individuals without the directive. It is difficult to see how the Digital Border Defense will make a significant difference.

There might be a recurring problem for the public sector when dealing with technology. It seems that they either do not properly understand the technology or they are not cutting-edge enough to deal with problems as they arise. The latter might be because of overall slow progress in the public sector. From concept to implementation, the process might take years – through public inquiries, procurements and bureaucratic procedures – and by the time of launch, the technology would already be outdated. Just imagine a municipality signing a four-year contract with Nokia one month before the first iPhone was released. Without going into a lengthy debate, we can point to plenty of examples of how the public sector and its suppliers of IT security are not up to scratch. A recent relevant example is when 30GB of sensitive data on the new fighter jets Norway procured was hacked from an Australian defence contractor in 2016, or the massive vulnerability at South-Eastern Norway Regional Health Authority (Helse Sør-Øst editor’s note.) in 2017 where sensitive patient data became openly available to international subcontractors – even after the authorities had been warned.

This does not seem to inspire confidence in the industry or the sector, and one can only wonder how long it will take before a similar thing happens with the data collected by a Digital Border Defense, and all your communication, passwords, bank accounts and health information becomes available to anyone. And if it is not even likely to work, the massive investment might be better spent elsewhere.

© Lasha Kilasonia/Adobe Stock