The day Swish and BankID — Sweden’s payment and e-ID services — go down for three hours, we feel how thin it all is.
The till in the grocery store stops. The petrol station can’t take payment. The parent who needs to identify themselves at the preschool stands helpless. Home care staff can’t log into the scheduling system. And somewhere a communications officer is trying to phrase how long it will last, without knowing the answer.
Three hours. That’s roughly what it takes for us to start grasping how deeply the digital runs through an ordinary day.
And that’s where this piece begins.
Total defence is broader than we talk about
When total defence is discussed in the media, it’s usually about the armed forces. Tanks, submarines, conscription, fighter jets. That matters. But it’s only half the picture.
The other half is civil. Water in the tap. Power in the socket. Healthcare that works. Salaries that get paid. Transport that keeps running. The municipality that answers the phone. The grocery store with goods on the shelf.
Everything that has to work for a society to hold together when conditions turn harsh.
And almost all of it is digital today.
That means civil cyber resilience isn’t an IT project off to the side. It’s part of Sweden’s defence capability. As plainly as ammunition and combat units.
The gap is almost never in the technology
I’ve worked with this from the inside for many years. As IT and digitalisation manager in municipal government. With NIS responsibility. As an on-call duty officer. Before that, as group CIO for a corporation operating in eight countries.
And something I’ve noticed again and again is that the gap rarely lies in the technology.
The technology exists. The tools exist. The consultants exist. You can buy SIEM, EDR, vulnerability scanning and firewalls the same day. You can bring in penetration testers and security architects.
What’s missing is something else.
It’s governance.
Whether someone actually owns the question. Measures it. Funds it. Practises it. Knows what to prioritise when not everything can be done. Or whether it falls between the cracks until something happens.
When I talk to colleagues in municipalities and regions, it isn’t technical questions that dominate. It’s questions of mandate, budget, accountability and follow-up. Who owns the information security work? Where does it sit in the organisation? Who reports to whom? Have we practised losing systems, or only protecting them?
That’s where the work is.
Six questions every leadership team should be able to answer
If I had to choose six questions that every municipal leadership team, regional leadership team and provider of essential services should be able to answer without hesitating, these are the ones:
1. Do we know which systems actually have to work?
Not what’s nice to have. Not what’s important according to the budget. But which systems the organisation can’t manage without for three days, a week, a month. If the answer is “we have a list somewhere”, that isn’t enough.
2. Do we know who owns the risk when they fail?
Risk without an owner isn’t a risk. It’s wishful thinking. If the answer is “the IT department”, it’s almost always wrong. IT operates. The business owns.
3. Have we practised losing them, for real?
Not in a binder. Not in a workshop. But with the power off, the systems down, the phones silent. What does home care do then? What does social services do? What does the fire and rescue service do? What does the municipal chief executive do?
4. Can the organisation manage three days without the cloud? Two weeks?
Most organisations today have critical functions in cloud services that sit outside Swedish jurisdiction. That isn’t wrong in itself. But if such a service disappears, how long does the organisation function before it becomes a crisis?
5. Who do we call at 2am on a Sunday when things are on fire?
That question isn’t theoretical. It’s operational. And if the answer is “our supplier”, the follow-up question is: with what response time, under what contract, and who on our side receives their report?
6. What happens if a supplier in another country pulls the plug?
It could be for political reasons. It could be sanctions. It could be a bankruptcy or an acquisition. How quickly can you switch? What needs to be migrated? Who owns that plan?
These aren’t theoretical questions. They’re everyday reality for anyone who actually carries responsibility for continuity.
The Cybersecurity Act and NIS2 aren’t red tape
In the discussions about NIS2 and the new Cybersecurity Act, the word “burden” comes up often. That it means more documentation. More control. More administration.
I understand the frustration. Requirements that aren’t anchored in the business always become a burden.
But I see the regulations differently.
They’re an attempt to set a baseline that can withstand reality. To make sure the organisations responsible for society’s functioning actually have a systematic way to handle risk, incidents and suppliers. Not because someone in Brussels finds it fun. But because reality has grown harder.
Ukraine has taught us things you can’t read off a threat assessment from five years ago. Iran has shown us others. Cyber attacks against municipalities and regions in Sweden have shown that this isn’t hypothetical. It happens. It has already happened. It will happen again.
Against that backdrop, NIS2 isn’t an overreaction. It’s a baseline.
Security of supply and digital sovereignty are connected
There’s one more thing that needs saying, even though it’s uncomfortable.
You can’t outsource your total defence to a platform you don’t control.
That doesn’t mean all cloud services are wrong. It doesn’t mean international suppliers should go. It means we need to be aware of where the dependencies lie, which ones are acceptable, and which ones need alternatives.
That question isn’t technical. It’s political and strategic. And it needs to be raised at every board level, from municipal councils to the boards of critical infrastructure companies.
Security of supply used to be about fuel, food and spare parts. Today it’s also about data centres, certificates, identity federation and update services.
It’s the same question. Just new dependencies.
What this means in practice
For you who lead an organisation with an essential function, here is my advice.
Don’t start with technology. Start with governance.
Clarify who owns information security in your organisation. Not on paper. For real. With a mandate, a budget and reporting to top management. If that person doesn’t exist, or if the role is split between three functions that never talk to each other, that’s where the work begins.
Take stock of which services the organisation genuinely can’t manage without. Classify them. Understand the dependencies back through the supply chain. Identify where the concentration risk is highest.
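One way to turn that inventory into something a management team can read is a small dependency map that follows each essential service back through its suppliers and asks who, if they vanished, would take the most down. The script below is an added example written for this article, not a tool from the author or any referenced organisation; the services, suppliers, jurisdictions and tolerable-outage figures are invented placeholders, and the logic (a hard dependency is one with no tested alternative, losses propagate transitively, a service is in crisis once an outage reaches its maximum tolerable outage) is one reasonable reading of questions 1, 4 and 6 above, not a standard.

```python
from collections import defaultdict

# Constructed sample inventory for illustration only; all names and figures are invented.
# Each node lists what it depends on as (dependency, tested_alternative_exists).
# Suppliers can depend on other suppliers, which is where hidden concentration usually sits.
DEPENDS_ON = {
    "home-care scheduling": [("cloud-A", False), ("id-federation", False)],
    "payroll":              [("cloud-A", True),  ("id-federation", False)],
    "water-plant SCADA":    [("local-dc", False)],
    "citizen portal":       [("cloud-B", False), ("id-federation", False)],
    "id-federation":        [("cert-authority", False)],
    "cloud-A":              [("cert-authority", False)],
    "local-dc":             [("update-service", True)],
    "cloud-B": [], "cert-authority": [], "update-service": [],
}
# Maximum tolerable outage in hours, as set by the business owner of each service (assumed values).
MTO_HOURS = {"home-care scheduling": 24, "payroll": 72,
             "water-plant SCADA": 4, "citizen portal": 168}
# Jurisdiction each supplier operates under (assumed values).
JURISDICTION = {"cloud-A": "US", "cloud-B": "US", "cert-authority": "US",
                "update-service": "US", "id-federation": "SE", "local-dc": "SE"}
HOME = "SE"


def hard_dependants(depends_on=DEPENDS_ON):
    """Invert the graph, keeping only dependencies that have no tested alternative."""
    out = defaultdict(list)
    for node, deps in depends_on.items():
        for dep, has_alternative in deps:
            if not has_alternative:
                out[dep].append(node)
    return out


def blast_radius(lost, depends_on=DEPENDS_ON):
    """Every node that stops working when `lost` disappears, followed transitively
    back through the supply chain (a supplier's supplier counts too)."""
    dependants = hard_dependants(depends_on)
    down, stack = set(), list(dependants[lost])
    while stack:
        node = stack.pop()
        if node not in down:
            down.add(node)
            stack.extend(dependants[node])
    return down


def suppliers(depends_on=DEPENDS_ON, mto=MTO_HOURS):
    """Nodes that are not services the organisation itself delivers."""
    return sorted(n for n in depends_on if n not in mto)


def concentration(horizon_hours, depends_on=DEPENDS_ON, mto=MTO_HOURS):
    """Rank suppliers by how many services become a crisis if the supplier is gone
    for `horizon_hours`, i.e. the outage reaches the service's tolerable limit."""
    ranking = []
    for s in suppliers(depends_on, mto):
        hit = sorted(svc for svc in blast_radius(s, depends_on)
                     if svc in mto and mto[svc] <= horizon_hours)
        ranking.append((s, hit))
    return sorted(ranking, key=lambda r: (-len(r[1]), r[0]))


def foreign_single_points_of_failure(home=HOME, depends_on=DEPENDS_ON,
                                     mto=MTO_HOURS, jurisdiction=JURISDICTION):
    """For each service, the suppliers outside `home` whose loss alone takes it down."""
    result = {}
    for svc in mto:
        result[svc] = sorted(s for s in suppliers(depends_on, mto)
                             if svc in blast_radius(s, depends_on)
                             and jurisdiction.get(s) != home)
    return result


if __name__ == "__main__":
    for horizon in (72, 336):  # three days, two weeks
        print(f"Supplier concentration at {horizon} h outage:")
        for s, hit in concentration(horizon):
            print(f"  {s:15} {len(hit)} service(s) in crisis: {hit}")
    print("Foreign single points of failure per service:")
    for svc, spofs in foreign_single_points_of_failure().items():
        print(f"  {svc:22} {spofs}")
```

In the sample data the supplier with the largest blast radius is the certificate authority, which no service lists directly; it only appears once the identity federation and cloud-A are followed one step upstream. That is the pattern the inventory exercise is meant to surface: the dependency that nobody budgets for because it is two contracts away.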
Build a systematic way of working. Not a project. A way of working. NIS2 and the Cybersecurity Act offer a good structure for that. Use them as tools, not as obstacles.
Practise losing. Not just protecting. Those are two different things. Protection builds the capacity to resist. Practice builds the capacity to function when protection isn’t enough.
And dare to ask the uncomfortable questions in the management team. About budget. About prioritisation. About what happens if we do nothing.
Deterrence on the civil side
Modern deterrence isn’t built on claiming everything is under control. Everyone knows it isn’t.
Deterrence is showing the ability to learn, adapt and improve faster than the threat develops.
That’s where Sweden has a real opportunity right now. We’re building up. The legislation is in place. Engagement in municipalities, regions and the private sector is growing. Cybercampus Sweden is taking shape. The investments are heading in the right direction.
The only question is whether we use it well.
Whether we start with the method, or buy tools and hope for the best.
This isn’t a project with an end date. It’s never finished. It only gets better, or worse, depending on what we do today.
If you want to discuss how your organisation can strengthen its civil cyber resilience, or how to move in practice from regulation to a way of working, get in touch.