A report from Norway’s National Security Agency (NSM/Nasjonal Sikkerhetsmyndighet) has warned IT suppliers of their security obligations following the controversy surrounding the outsourcing of IT services to India by Broadnet AS.

The NSM published and circulated a 20-page report reminding the IT industry of its national security obligations when outsourcing IT-tasks to foreign subcontractors. The report aims to encourage the ICT industry to more effectively implement supervisory controls, checks and balances, particularly in relation to the level of IT network access allowed to foreign contractors and their employees.

The NSM, which is responsible for protecting the integrity of Norway’s state and private IT-infrastructure against conventional and serious cyber space threats, has stopped short of advancing the need for new legislation to tighten rules and limit the scope of IT subcontract work awarded by IT enterprises in Norway to foreign IT service companies.

In fact, the NSM report recognises the growing reality that more organisations are looking to outsource all or part of their IT portfolio to keep costs down.

The primary focus of the NSM report is on IT subcontracting agreements that may have direct implications for Norway’s national security. “In recent years, we have seen instances where risk management relating to outsourcing decisions by companies in Norway has fallen short,” said Kjetil Nilsen, NSM’s director general.

The NSM report has three overarching principles under which IT companies are advised to manage IT subcontracting contracts with foreign-located enterprises. The first of these principles refers to the need for IT companies to have a full overview of the service life cycle of IT projects.

Additionally, companies are advised to adopt and apply a high standard of risk management to support the decision-making ahead of the awarding of subcontracts. The third involves senior management engagement in all decision-making leading to the awarding of ICT subcontracts to foreign companies.

Lessons learned The three specific overarching principles mentioned in the NSM report are directly connected to the “lessons learned” from the so-called Broadnet affair. Broadnet is Norway’s leading provider of fiber-based data communication to businesses, operators and the public sector. The company is a key supplier of infrastructure to Nodnett, the country’s emergency communications directorate. Broadnet’s nationwide fibre network connects 90 towns and cities in Norway, and covers 15,000 miles (24,000 km). Influenced by a cost savings programme, Broadnet signed a subcontracting agreement with the IT service provider Tech Mahindra, headquartered in India, in September 2015. The transfer of tasks to India resulted in the lay-off of some 120 employees at the Norwegian unit that had previously handled this work at Broadnet. Over time, the outsource contract resulted in a number of security breaches. These involved deviations where Tech Mahindra staff had unauthorised access to Broadnet’s core IT network and by extension the national emergency network. Broadnet responded to breaches by strengthening oversight and network monitoring procedures to better regulate access. In one connected action, staff that had been outsourced to Tech Mahindra as part of the outsourcing subcontract were taken back in-house on “security grounds”. The operational responsibility for the Nødnett national emergency network is tasked to Motorola, with Broadnet functioning as a key subcontractor. The Nødnett network operates under the supervision of the Ministry of Transport and Communications (MTC). It was Motorola that first noticed what it suspected were breaches in IT network security in December 2016. The company reported possible deviations from defined operating procedures by Tech Mahindra. These deviations were mainly connected with debugging activities. The discrepancy, which was confirmed in meetings with Broadnet and Tech Mahindra, was reported to the MTC, Nkom and national security agencies. The Norwegian state owns a 60% interest in the Nødnett national emergency network. Around 10% of all lines in the Nødnett-operated network are leased from Broadnet. Read more about retaining security when outsourcing The Swedish government is tightening its public procurement regulations in an effort to increase cyber security. It estimates that this will affect hundreds of outsourcing projects a year.

Sweden’s Transport Agency outsourced its databases to IBM in the Czech Republic, but it has now been revealed that the required security clearance checks were not carried out.

IT services firm Atos is investigating a potential security breach in response to reports that employee credentials were found in malware used to target the Winter Olympics. Broadnet’s own internal security unit observed unauthorised IT network breaches by a Tech Mahindra employee without security clearance in February 2017. Breaches were reported to Nkom, Norway’s telecommunications authority, and state security agencies under statutory obligation reporting procedures. Nkom was informed that TechMahindra had more extensive access to the Norwegian emergency network than was provided for under its contract with Broadnet. The serial security breaches resulted in a decision by Broadnet’s management board, prompted by Nkom, to move the entire operations of the emergency network and infrastructure maintenance activities back to Norway. All operations had been restored in-house to Broadnet by mid September 2017. The security shortcomings in the Tech Mahindra outsourcing contract triggered an investigation, commissioned by Nkom and conducted by the Norwegian Police Security Service (PST/ Politiets Sikkerhetstjeneste), in November 2017. The Regulator initially ordered Nkom to take immediate remedial action to upgrade its security protocols. Nkom followed up this censure by imposing a NOK14m fine, under the Electronic Communications Act, on Broadnet for failing to operate effective risk management and IT network security measures and controls. The PST’s investigative report concluded that for the 14-month duration of the IT service outsourcing agreement, employees at TechMahindra had close to full access to parts of the national emergency network, but without the necessary permits or security clearances to permit official access. “The most important thing is that we have closed the security deviation and resolved irregularities,” said Torbjørn Krøvel, Broadnet’s operations director. “The essential conclusion from this is that anyone who works with the emergency network must have a security clearance.” Broadnet has insisted none of the breaches detected posed a serious risk to its IT network security, or the security of the Nodnett-managed national emergency network.