Key societal institutions once again criticized for lacking IT security
The State Auditors once again direct sharp criticism towards four governmental institutions for not addressing significant deficiencies in their IT security, despite warnings six years ago. The institutions in question – Banedanmark (The Danish Transport Authority), Beredskabsstyrelsen (The Danish Emergency Management Agency), Sundhedsdatastyrelsen (The Danish Health Data Authority), and Udenrigsministeriet (The Danish Ministry of Foreign Affairs) – continue to have major gaps in their cyber defenses. Since 2018, the institutions’ cybersecurity has been reviewed multiple times, most recently in 2021, but no significant improvements have been made. The State Auditors strongly urge the implementation of necessary protection measures to withstand ransomware attacks.
The issues have been highlighted by both the National Audit Office and several experts, who criticize the institutions’ lack of action. According to a report from the National Audit Office, neither The Danish Ministry of Foreign Affairs, Banedanmark, nor The Danish Emergency Management Agency have implemented measures that can ensure normal operations following a potential cyberattack. Jan Lemnitzer, a cybersecurity lecturer at CBS (Copenhagen Business School), believes that IT security is not prioritized adequately by the leadership of these four institutions. He emphasizes that the threat of cyberattacks is increasing, but security measures are still lagging behind.
Lemnitzer stated to the online media Version2 that there have been several attacks from “Russian state actors” targeting NATO and foreign ministries of various countries in the past. A central part of the criticism is that The Danish Health Data Authority and Banedanmark have not conducted comprehensive risk assessments. Without these assessments, the institutions cannot properly determine where and how to improve their security infrastructure. Lemnitzer points out that without satisfactory risk assessments, the cyber defense does not meet standard requirements.
The State Auditors have now requested a statement from Minister for Digitization Marie Bjerre (V) regarding the situation.