Committee of Digital Vulnerabilities in Society

Industrialized countries are in the midst of a transition. Analogous tools and infrastructures that where totally dominant a handful of decades ago, are rapidly - and to some extent unplanned and uncoordinated - being replaced with digital solutions. The fast development of ICT technology also leads to rapid change and renewal of existing digital solutions (movement of functionality from local installations into cloud-installations is a current example of this).

The change from an analog to a digital world present new challenges to developed countries. These challenges range from new types of crimes and new arenas for terrorism, to new classes of accidents with new sets of consequences. The constant flux of the digital world means that the classes of crime, terrorism, accidents and consequences also are a subject to constant change.

On the basis of this development, there is a need for an assessment of the society's digital vulnerabilities so that we can further improve and coordinate our emergency preparedness on a sound professional basis. The committee shall deliver its assessment in the form of an Official Norwegian Report (NOU) to the Ministry of Justice and Public Security by the end of September 2015.

Members of the committee:

  • Professor and head of committee Olav Lysne, Norway
  • Researcher Janne Hagen, Norway
  • Professor Fredrik Manne, Norway
  • Senior strategic advisor Åke Holmgren, Sweden
  • Lawyer Eva Jarbekk, Norway
  • Head of section Einar Lunde, Norway
  • Professor Kristian Gjøsteen, Norway
  • Vice President Sofie Nystrøm, Norway
  • Government Affairs Manager Kristine Beitland, Norway

In addition the secretariat is represented with members from Ministry of Justice and Public Security, National Police Directorate, Norwegian National Security Authority, and Directorate for Civil Protection.

Mandate

The Internet and new ways of using technology have radically changed our everyday lives in the last 15-20 years.  Information and Communications Technology (ICT) is in everything - in your telephone, your car, your panel heaters, your mail box and your household appliances. This technology is in every home, in almost every workplace, in the operating room in the hospital, in power stations and in police cars. Devices, machines and users are coupled together in more and more new ways, and the use of the Internet as infrastructure continues to grow. The most critical infrastructures and important functions in our society are now digitised. Our dependence on ICT in social, economic and private contexts is large and increasing.

This introduces new vulnerabilities in the society. With increasing interdependence among critical components, and many important functions in our society can be damaged or paralysed in unintentional events, such as an accident or extreme weather.  At the same time, cyberspace makes possible new intentional and serious threats from both governmental and non-governmental parties. Over time crime, international crises and conflicts between nations have elements of digital aspects incorporated. Cyberspace and the digital services are interconnected across sectors and international borders. Different entities may own, monitor and operate the various infrastructures, and the lines of responsibility between them are not always equally clear.

This entails a number of challenges, e.g. related to protection of privacy, due process protection, civil protection and crime-fighting. This development is also of great importance for the authorities' information gathering, processing and their preventative activities.

On the basis of this development, there is a need for an assessment of the society's digital vulnerabilities so that we can further improve and coordinate our emergency preparedness on a sound professional basis. This assessment shall provide a basis for evaluating measures that support comprehensive goals such as safeguarding life and health, economic growth and social development, rights and property, and ensuring the preservation of law and order, national security interests, principles governing the rule of law, protection of privacy and democratic forms of government.

The work of the committee shall be based on existing knowledge about present and future challenges. The committee may request special evaluations from experts and/or groups of experts in certain areas. The committee shall not evaluate the national rules for data storage passed in Act no. 11 of 11 April 2011 or the consequences for Norwegian law of the Court of Justice for the European Union's decision in the case relating to the data storage directive.

The committee shall examine the following: 

  1. The committee shall describe the digital vulnerabilities that Norway faces at present and in the near future. In particular, vulnerabilities in critical functions in society and critical infrastructure, e.g. electronic communication, power supply, and banking and financial services and the mutual interdependencies among them, shall be analysed in greater detail. The committee shall assess the consequences this vulnerability may have for individuals, business and industry and civil protection. In connection with this, the committee shall also examine civil-military cooperation and cooperation between public and private-sector entities.
      
  2. The committee shall describe relevant issues related to the safeguarding of information, including the possible insufficient control of suppliers in an entity's own activities. The committee shall discuss measures that ought to be implemented in order to prevent information from being processed unlawfully or compromised in some other way.
      
  3. The committee shall describe the key frameworks under international law for transnational information gathering. In addition, the committee shall identify the international arenas where international legal issues concerning cyberspace are discussed and that are of particular relevance for Norway and Norwegian interests.
      
  4. The committee shall assess the challenges to digital security from ICT crime, espionage, sabotage and terrorism. The committee shall describe the need for being able to detect, handle and investigate digital attacks. The committee shall describe the dilemmas that must be taken into consideration in this context, especially those that are related to economic development, democratic participation and the relationship between protection of privacy and information gathering.
     
  5. The committee shall make a principled assessment of the ways in which the society ought to deal with the handling of digital vulnerability. The committee shall assess the effects against the costs and disadvantages of risk-reducing measures (proportionality), the balance between preventative measures and the capability of reducing the damage in the event of actual events, as well as the extent of vulnerability with which the society ought to be prepared to live. 
      
  6. The committee shall describe the ways in which relevant allies and other comparable countries are working to reduce this vulnerability, with a special focus on policy instruments that are relevant to Norwegian conditions.  
      
  7. On this basis, the committee shall propose measures that may help reduce vulnerability. The recommended measures can be of a regulatory, structural, organisational or technological nature or require special skills. 
     
  8. The committee shall study the administrative, economic and other significant consequences of their recommendations. At least one proposal shall be based on an unaltered use of resources. 
      
  9. If there is a need to make minor changes in the mandate, the committee shall discuss this with the Ministry of Justice and Public Security, which can make these decisions.
     
  10. The committee shall deliver its assessment in the form of an Official Norwegian Report (NOU) to the Ministry of Justice and Public Security by the end of September 2015. This report shall be drafted in a form that is appropriate to being circulated for public comments. The parts of the committee's work that will include classified information will have to be handled by a restricted number of the committee's members. These persons must have the necessary security clearance. Materials that are classified will be drafted in a separate appendix.