The Storting chairmanship stopped the IT security review at the Storting in 2017. – Obviously, this may be one of the reasons why we haven’t gotten this far in improving security, says Michael Tetzschner (H).
In February of this year, the parliamentary representative was the target of a comprehensive and targeted cyber attack. Tetzschner had at least 4,000 emails stolen. The attack was one of three successful attacks against the Storting in less than a year.
It has now emerged that the Storting leadership halted an investigation into security in parliament in 2017, including cybersecurity. The investigation was an audit that the Office of the Auditor General had initiated on its own.
According to Auditor General Per-Kristian Foss, this happened after weaknesses were found in the area of security in connection with a previous audit.
Tetzschner responds that the then presidency stopped the investigations of the General Auditor. He believes the scrutiny could have strengthened IT security at the Storting.
– Obviously, this may be one of the reasons why not so much progress has been made in improving security, he says.
Exposed to various attacks
The security investigation stopped in 2017. In August 2020, the Storting was hit by a comprehensive hacking attack. The government believes that Russia was behind this, something that the Russian authorities have rejected.
Following the attack, the Storting launched an external security assessment. The order went to the consulting firm KPMG. The work is still in progress.
At least 4,000 emails were stolen from the Storting. The suspicion is directed at Chinese hackers.
In February and March 2021, the Storting was attacked again, this time by groups based in China, according to Norwegian authorities. Michael Tetzschner’s emails were stolen. China denies the accusations.
Denies that security was compromised
Storting President Tone W. Trøen (H) believes that it is not a fact that security at the Storting has been weakened by the interruption of work by the Auditor General’s Office. The findings of the Auditor General’s Office were communicated to management at the Storting, he tells Aftenposten.
– This is how I have perceived it, a good dialogue with the Office of the Auditor General about the findings so far in the investigation, says Trøen.
It says that the Storting management initiated an external evaluation in 2019, carried out by the consultancy BDO. The findings led to many actions, including the fact that the Storting established a new security staff and hired a new security director.
– This has been worked very thoroughly, says the president.
Trøen does not want to respond to Tetzschner’s criticism, but says that “he has taken care to thoroughly review security at the Storting.”
– You can’t afford bad security
Michael Tetzschner has a long career as a parliamentary representative behind him, but he ran out of elections just over a week ago. For the past four years he was a member of the Foreign Affairs and Defense Committee.
He emphasizes that he does not believe that the Storting could have prevented the cyber attack against him. The Tetzschner attack exploited a hitherto unknown vulnerability in Microsoft’s software and is said to have been difficult to detect.
However, the Storting representative believes that the Storting leadership must take security more seriously.
– We cannot afford to stick to computer security that is worse than the best that can be achieved, he says.
Two cyber attacks in three weeks in the Storting: contact networks, Norwegian positions and internal conflicts have intelligence value, says the electronic service
– Take security more seriously
The computer attacks on the Storting come after several warnings, including from the Intelligence Service. The e-service has previously told Aftenposten that it is not surprising that the Storting is a target.
– Last year shows that the threat to the Storting is so great that you probably have to take it even more seriously than you have done so far, says Lars Gjesvik.
Gjesvik is writing a PhD in computer security at NUPI in Oslo. He believes that it is obvious that the Storting is exposed to such attacks. The threat has grown greater in a short time, he believes.
– It’s one thing that the threat landscape has gotten worse. Digital attacks are a more important part of the states toolbox. The past year has also shown quite clearly that the Storting is an attractive target for intelligence.