‘Don’t open this e-mail from “McDonald’s”.’ The word ‘Warnings’ white against the green background, screams at me from the top of the mobile phone display. Below it, Vi er kede, Danish for ‘We are sorry’ is accompanied by a yellow letter M. It looks as familiar as can be and automatically makes you think of greasy burgers and fries, a guilty pleasure on late office workdays.
The notification is an alert about a fraudulent e-mail disguised as a message from McDonald’s. The warning was sent by the Danish app Mit digitale selvforsvar (‘My digital self-protection’). According to the head of the project, Ulla Malling, the application has already been downloaded 250,000 times since its launch in April 2017 and has an average of 80,000 active users per month.
The app provides information about digital scams, threats from viruses and malware, live updates from banks and law enforcement authorities, and even gives concrete advice if a breach has occurred. The initiative is a result of a collaboration between The Danish Consumer Council, a non-profit entity TrygFonden, the financial sector and The Danish Crime Prevention Council.
More importantly, however, the app is the epitome of the Danish approach to cyber and information security, with its near-perfect synergy of different institutions and focus on the everyday safety of citizens and businesses.
Denmark: First amongst equals
Until recently, Denmark, a country with a population of just over 5.8 million people, was clearly overshadowed in the public eye by cybersecurity big league players like the United States, Israel and the United Kingdom. But now, it seems to have finally gained enough momentum to step into the spotlight.
This year, the Danish Ministry of Foreign Affairs announced that the country ranked first among the world’s most cybersecure countries with an average overall score of 3.56, according to the British security research firm Comparitech. How did Denmark achieve such an important accomplishment? And did it have to do with the country mobilizing its information security efforts after a major security breach in 2015-2016 that Copenhagen linked to ‘the intelligence services or central elements in the Russian government’?
‘A very critical situation’
In April 2017, the Copenhagen newspaper Berlingske published some of the conclusions from the report by the Danish Defense Intelligence Service’s Center for Cyber Security (CFCS). It revealed that the same hacking group behind a 2016 cyberattack on the US Democratic Party servers had gained access to ‘the e-mail accounts of select members of the Danish Defense.’ Even though the leaked data was described as non-classified, it could still be used ‘to blackmail staff into becoming agents,’ CFCS said.
Denmark’s then defense minister, Claus Hjort Frederiksen, rated the breach as a ‘very critical situation.’ According to several intelligence agencies, the group behind the attack was most likely APT28, also known as Fancy Bear, which is widely associated with Russian military intelligence.
Now, only four years after the attack came to light, Denmark tops Comparitech’s ranking as the world’s most ‘cyber safe’ nation. According to Rebecca Moody, the lead researcher, Denmark was placed in the top three ten times out of a possible 15. It had zero users attacked by mobile ransomware trojans and mobile banking trojans. It also scored particularly well in categories such as percentage of users attacked by ransomware trojans (0.02 per cent) and percentage of attacks by cryptominers (0.11 per cent).
Although the study, based on Kaspersky Lab’s Q3 2020 data, is largely malware-centric and does not offer deeper insights into legal and strategic issues (in the Global Cybersecurity Index 2018, which does, Denmark ranks 12th in Europe with a score of 0.85), it does give an indication of what the Danes are particularly good at individual digital hygiene and financial services security.
The latter is at least partly due to the widespread implementation of two-factor authentication. It successfully helps block certain attack vectors, considering that personal digital signatures are used as a login for all governmental online services and in the financial sector. Another game changer is well-developed banking apps.
The Danes are among the most digital-ready
The image of a country where pre-school kids entertain themselves by poking around on mobile phone and tablets is pretty much the reality in Denmark. Even before the pandemic, its population was one of the most digital-ready in the world. Employees were used to spending the odd day out of the office and taking tasks home to work on. In 2017, 97 per cent of Danish households had internet access.
When asked about the factors that have contributed to the Danes’ digital savvy, Kare Lovgren, an IT technical spokesperson for the Danish Society of Engineers, nails it: ‘It is a country with flat hierarchies, a high level of education and a general openness to the rest of the world.’ But with the government’s commitment to going ‘digital by default,’ protecting users has become one of the biggest challenges.
A wake-up call for many actors
Over the next few years, Denmark plans to invest at least 1.5 billion (€202 million) DKK (Danish kroner) into its cyber and information security. According to the government’s strategy for 2018-2021, its policy is based on a triad: increasing technological resilience, improving citizens’ knowledge and strengthening coordination between different actors. The country is now actively working on defining its critical infrastructure. This will help the government adopt emergency preparedness guidelines and breach prevention strategies.
So, do these efforts mean that Denmark has done its homework well after the major security incidents of 2015-2016? While Comparitech’s study editor Paul Bischoff says: ‘It sounds like it could be, definitely,’ Rebecca Moody takes a more cautious stance: ‘Probably. I think any time someone suffers a successful cyberattack, they’re inclined to upgrade both their operational security and their cybersecurity.’
Lars Bajlum Holmgaard Christensen, the executive director at the Danish Hub for Cybersecurity, recalls how security breaches were perceived by businesses when information about them first became public. ‘I think it was a wake-up call for many companies. Awareness of the threats has increased after these attacks,’ he says.
A 24/7 Situation Centre has been established at the CFCS to help maintain a national cyber situational awareness map. Also, 25 specific initiatives have been outlined to consolidate defences against cyberattacks, information technology criminals and external threats.
Since the data leak came as a serious warning, it is not too far-fetched to assume that the Danish intelligence services’ response to it must have been much more systematic and thorough than a simple ‘let’s patch it up’ approach.
Denmark’s example as a NATO country has certainly shown how fragile the technical balance has become in a world where Big Data, multiplied by AI capabilities, offer a new understanding of digital vulnerabilities amid increasing attacks by malicious cyber actors.
Moscow’s ambiguous stance
Even as Russian hackers continue to be perceived as les enfants terribles by the Western digital world, Moscow’s stance on such groups remains ambiguous. On the one hand, the Kremlin categorically denies that official Russian structures are involved in such attacks. On the other hand, there is a certain pride among the authorities, backed by official propaganda, in what Russian IT geeks are supposedly capable of.
Nevertheless, according to Alexander Isavnin, a Russian Internet expert and lecturer at Free Moscow University, ‘we can’t really speak of a particular aversion of “Russian hackers” to Denmark.’ Rather, their modus operandi is to attack a series of vulnerabilities one after the other (often in different countries) in order to break through several ‘security doors’ in succession. The most widely used version of the internet protocol, IPv4 (as opposed to its next-generation successor IPv6), allows almost the entire internet to be scanned for vulnerabilities within minutes, thanks to a limited number of IP addresses and current network speeds.
Also, the actors behind such attacks can be very diverse, he admits, be they scientific military units, outsourcers through various tech platforms, operators of hired malware, schoolkids or modern IT equivalents of Soviet ‘sharashkas’ – research labs in the Gulag system. Their operational goal in most cases is, if not fishing for classified and hard-to-access information, then causing chaos. The lack of globally agreed procedures for dealing with cyber actors currently makes these forays possible.
Another aspect that adds to the complexity is that even in the case of state-backed APT groups, their attribution to specific countries cannot be done 100 per cent through technical means due to the highly fragmented internet landscape, even with current tool advances. “It is possible by their targets” or by relevant non-virtual factors, but not by the technical arsenal alone, said Isavnin.
What’s next? Cyberdesign
With all these developments, however, one important factor should not be forgotten, as it certainly contributes to Denmark’s top position in Comparitech’s world ranking. Unlike the US, Denmark is not currently perceived as a high-profile cyber target.
Although, as the June 2021 CFCS assessment shows, the threat level in terms of cyber espionage and cybercrime is very high, the threat of destructive cyberattacks on Danish authorities and private companies remains low. This means that in the eyes of the Danish intelligence services, it is very unlikely that something similar to the targeted ransomware attack on the US Colonial Pipeline will happen in the country anytime soon.
As long as this status quo persists, Denmark will certainly continue to engage in cybersecurity, including in ways that look quite innovative to the rest of the world. As part of its international efforts, it will further promote its cyber diplomacy. In 2017, the world’s first ‘techplomat’ was appointed to strengthen the country’s interests in Silicon Valley. The position is currently held by tech ambassador Anne Marie Engtoft Larsen, who replaced ‘pioneer’ Casper Klynge.
Another field with emerging potential is the coupling of various cybersecurity solutions with Danish innovative design, offering them as part of the package already at the product sketch stage. As the discourse around this new market thinking gains strength, the national business community seems increasingly inclined to see cybersecurity as their new growth adventure.