Cyber security became a real game changer in politics during the past year. It is well known that the U.S. Presidential election was heavily affected by cyber espionage and PSYOPS, and those waves have not calmed down yet. Now the Swedish government has got into trouble, and two ministers were forced to resign, because of a poorly thought-out contract made by a not so weighty governmental office.
In 2015, the Swedish Transport Agency decided to outsource its IT operations to IBM. As it turned out, this low-profile governmental office manages a great deal of classified information, such as data on military vehicles, protected identities and Sweden’s register of drivers’ licenses. Although the Swedish Security Service, the responsible authority, warned the Transport Agency in advance, the agency started the cooperation with IBM and let this data be accessed by foreign personnel at IBM without the necessary security clearance.
What we have to highlight in this case is how an ordinary IT contract reached the highest political level. Hundreds of billions of dollars’ worth of IT outsourcing deals have been made in the past and will be made in the future. All of those contracts contain (or should contain) some language about security. We have reached an era in which these sections must be more detailed and precise than ever, since badly defined requirements can cause a political scandal or even the resignation of a political leader.
There are at least two other aspects of this incident that we should mention as lessons for future reference. First, the new General Data Protection Regulation (GDPR), effective from May 2018 in the European Union, requires a high level of cyber security from those who manage the personal data of European citizens. In the worst case, if European personal data leaks from such a large database, the data controller faces a fine of up to 20,000,000 EUR or up to 4% of worldwide turnover. Therefore, organizations concluding outsourcing contracts should pay special attention to security, as the Regulation states: “The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures.”
Second, Sweden is in a special geopolitical situation: it is not a member of NATO, but it is bordered by Russia and continuously struggles with Russia’s intelligence activities in both civil and military areas. In such a tense situation, military secrets should be protected as much as possible, and the types and numbers of military vehicles are among the secrets that should be kept. There is no sign that Russia had access to this database, but as Russia has high-quality cyber intelligence capabilities, the Transport Agency exposed this valuable information more than was advisable. The lesson for all organizations is that classified information should be kept in a classified environment, even when its handling is outsourced to third parties.
We at Balabit are aware of the necessity of outsourcing and third-party operators. In our latest white paper, we detail the reasons to monitor the access of third-party system administrators. We believe in the power of contracts and Service Level Agreements. However, we propose using additional control and monitoring solutions to help enforce the SLA. Balabit Privileged Access Management provides a central entry point for third parties to reach the organization’s internal servers. Balabit Privileged Session Management solves the shared account problem and enables continuous tracking of privileged activities, both in real time and historically, even years after an incident. Balabit Privileged Account Analytics identifies unusual activities of privileged users and helps recognize stolen accounts.