Consultation response to the IT Operations Inquiry

Fredric Wallsten

CEO, Safespring

This text is automatically translated for your convenience. You can read the text in:

English Swedish (original) Give feedback

Since the inquiry was published, the geopolitical situation has changed significantly. This does not alter the substance of the inquiry, but it further highlights the importance of sovereign, secure and robust IT services.

Safespring, together with industry peers Binero and City Networks, thanks you for the opportunity to submit our views. The inquiry has carried out a very extensive and ambitious piece of work, and we share several of the conclusions and recommendations you have reached. Since the inquiry was published, the geopolitical situation has changed significantly. This does not change anything in substance for the inquiry but further highlights the importance of sovereign, secure and robust IT services.

There are IT systems that the state is indeed best suited to operate. Our response does not primarily address these special-purpose systems, but rather the agencies’ need for innovative, standardized IT systems and services to continue digitizing and developing their operations. Our overarching views can be summarized as follows:

LACK OF MARKET LOGIC in the funding solution proposed by the inquiry. Even if four agencies are designated as “service providers,” there is an overarching risk that their mandate as those responsible for IT operations will be conflated with their other missions. Under pressure, the core mission will likely be prioritized over the role of acting as a service provider.
CHOICE OF OPEN INFRASTRUCTURES and open standards to counter lock-in effects has already been examined (SOU 2007:47). It is not clear from the inquiry whether you have made use of that information.
IT OPERATIONS AT AGENCIES ARE JUST AS MUCH INDUSTRIAL POLICY as agency policy. We call for sustainable solutions that support the market.
WE CALL FOR VERTICAL SEGMENTATION OF THE MARKET that allows commercial actors to handle the “core business” at each market level, combined with clear directives to agencies such as Kammarkollegiet, Upphandlingsmyndigheten and Konkurrensverket to counter lock-in at every stage of the market.
THE COORDINATING AGENCY should serve as a central hub for advice on information classification, information mapping, data protection clauses, incident reporting templates, and the like. At present, above all, the regulatory framework around actual data has been dispersed across many levels (national, European, personal, governmental, civil, defense, and so on). We elaborate on these ideas below.

To begin with, we illustrate our overall understanding of the inquiry’s proposal. This is followed by a section on the market logic we operate within as providers of operations services for IT systems. Finally, we provide a number of international examples of cybersecurity coordination (the United Kingdom and the Netherlands) that we believe can support the government’s continued work in this area.

Consultation response to the IT operations inquiry

Source: The illustration above is our interpretation of images from the inquiry’s figures 5.1 and 11.1.

The market model

As we understand the inquiry’s proposal, four centrally placed agencies, Skatteverket, Trafikverket, Försäkringskassan and Lantmäteriet, are to become IT operations providers for other agencies. These four agencies should be able to charge other agencies for IT operations and are expected, with the help of DIGG, to coordinate with and implement advice from a number of surrounding agencies that have responsibility for information and quality review (marked 1–5 in the image).

DIGG should then also coordinate with third parties who can build services on top of the infrastructure of the four IT-operations agencies and target each of the customer agencies. In addition, it should coordinate advice and guidance from the large number of agencies that today have supervisory responsibility for various aspects of information and quality-regulatory frameworks.

Issues and risks

Based on our experience of IT operations, this is an unambitious proposal that risks giving customer agencies insufficient or substandard opportunities both for efficient IT operations and for specialized third-party services. One of the reasons many agencies in recent years have wanted to invest in cloud services is that a clear separation of the operations assignment is what creates the best conditions for reliable, stable and secure systems. The fact that some of the solutions explored to achieve these benefits have had other drawbacks—such as interoperability problems, lock-in effects and uncertainty around legal factors—should not be taken as a reason to dismiss private service providers, but as an indication that the service providers agencies have primarily turned to in the past are not delivering the services agencies need.

Distributing the responsibility for centralized IT operations across four agencies can be challenging: four different IT operations systems must be embedded in four different administrative agency cultures and, every year, require attention in four separate agency mandates issued by (possibly) four different ministries. We also miss an examination of the practical prerequisites for “coordination”: DIGG will not be able to direct the missions and operations of the supervisory authorities, so how is DIGG to create the right conditions for coordination and cohesion?

Learn from the past

We believe it is important that the government dares to show leadership in its ambitions for Swedish IT infrastructure. In this case, that could mean the government should deviate from strong interests at centrally placed agencies that are defending their own IT operations turf. In the 1990s, Sweden became a leading IT nation as a result of a number of strategic decisions concerning infrastructure. The government made it easy for employees to have computers at home, and created incentives for investments in networks. Combined with European regulations liberalizing the telecom market, Sweden rapidly built a broad base of competence in network technology, IT security and web hosting—something we, as a private cloud provider, still benefit from today.

Many of the initiatives undertaken in the 1980s and 1990s created room for private service providers to take a place in new markets, and because end users were also connected, those markets could grow quickly. The digitization of the former Televerket’s switches, for example, helped Ericsson become one of the dominant mobile network suppliers—a position it still holds today. Today, Sweden’s cloud industry has similar opportunities, but companies generally do not grow strong unless they have a strong home market. We firmly believe that if the Swedish government is going to reform current forms of IT operations among government agencies, it should take such industrial-policy aspects into account. In doing so, the government should open up to private competition specifically in base infrastructure operations, thereby gaining service providers without goal conflicts.

Nor did the state expect, in the early days of computerization (see e.g. SOU 1973:6), to build and operate all IT systems itself. Rather, the government understood that public administrations would be dependent on private service providers and created a set of new rules for these circumstances (SOU 1972:47, among others). When planning infrastructure, the government should also take human capital into account: to be at the forefront of expertise in operational reliability and IT systems, an average IT worker often needs to gain varied experience over a career. Private employment arrangements are better suited to that than agency jobs. An examination in the inquiry of current purchasing of consultancy services at agencies could have given the government better insight into how knowledge transfer between the public and private sectors takes place today.

Points to consider

We propose that the inquiry take the following points into account:

We want to see a continued focus on open standards (SOU 2007:47), as well as open APIs, updated for new technology. Private service providers are not a problem in themselves; problems arise only when lock-in effects occur, putting agencies in a bind.
By vertical segmentation of the market for IT services for agencies we essentially mean a view of the market structure that corresponds to the white boxes labeled “Potential IT operations services” in the image on p. 3. Each of the white boxes should be regarded as its own service market (which also implies natural horizontal segmentations). In these markets, agencies can procure services from a private provider or from the agency itself. What matters is how to guarantee interoperability between the different markets and providers, and to create competition within each box.
There is no collaboration forum with the private sector.
We support assigning Kammarkollegiet the task of procuring framework agreements. It is important that the coordination takes account of the vertical segmentation mentioned above. The framework agreement(s) could be seen as a service catalog or marketplace

In the longer term, however, the government may need to consider whether to make broader changes to how data-based business models are used at agencies (cf. the discussion on open government data, SOU 2020:55) and whether changes to these business models could also contribute to safer and more efficient IT operations.

Coordination of oversight

We see greater potential in coordinating supervisory bodies for information legislation from the perspective of the customer agencies than in coordinating service catalogs from provider agencies with supervisory authorities. Because Swedish security protection legislation is written so that each organization must itself assess whether it has socially critical or security-sensitive information, and thus also assess which IT interfaces may be appropriate given its own assessment, it will be difficult to coordinate more than the general guidelines produced by existing supervisory bodies.

This may include guidelines for incident reports, guidance for control systems, information security routines, and the like, which often come from several agencies simultaneously and from different perspectives. Such coordination could also provide third-party providers who want to deliver specialized services to customer agencies with a natural portal for reconciling the various requirements set out in Swedish and European legislation. Internationally: Cybersecurity center Today, responsibility for Swedish cybersecurity is spread across several agencies. The coordination mechanisms previously used to create consensus among these institutions have not led to clearly positive results. We believe that, instead of further coordination in the abstract, the government should set concrete goals.

DIGG can be tasked with collecting existing guidelines. But a Swedish national cybersecurity center modeled on the UK could also help agencies and the private sector get a better grip on security issues.

United Kingdom

The NCSC is the public arm of GCHQ (the UK equivalent of the FRA) and brings together government agencies, private companies, and the intelligence and security services in a single state organization. The NCSC has its own “DG” and its own funding (about SEK 5 billion/year according to a presentation at Cyber Defense Day 2020.

In the UK, the NCSC literally leads the country’s proactive cyber defense through successful and well-funded initiatives. Furthermore, inspiration should be drawn from the NCSC’s successful collaboration with academia and research, where CyBOK deserves particular attention. The NCSC also works closely with both private industry and universities, with the aim of safeguarding current and future jobs in the United Kingdom.

The Netherlands

In the Netherlands, the foundations for the national cybersecurity council were laid as early as 2011. First, clear goals were set at government level for what the cybersecurity work should lead to:

“Work involving both private and public actors”,
“Conducting risk and vulnerability analyses”,
“Better resilience against operational disruptions”,
“Improved response capacity during operational disruptions”,
“Better follow-up of IT crime”,
“Stimulation of research and education”,

Second, the former GOVCERT was given a clear mandate to participate in the development of implementing measures. The result is that the cybersecurity council is now a meeting place for different actors who both respect each other and respect the forum in which they cooperate. The political level has succeeded in creating a platform where actors meet instead of compete.

Source: The National Cyber Security Strategy (NCSS)

Signed

For Safespring, Binero and City Networks

Fredric Wallsten , CEO, Safespring
Charlotte Darth , CEO, Binero
Johan Cristiansen , City Networks

Advisor: Amelia Andersdotter