
Norway’s National Security Agency warns IT industry about security obligations

IT service providers serving organisations in Norway have received a timely reminder about their security obligations.

A report from Norway’s National Security Agency (NSM/Nasjonal Sikkerhetsmyndighet) has warned IT suppliers of their security obligations following the controversy surrounding the outsourcing of IT services to India by Broadnet AS.

The NSM published and circulated a 20-page report reminding the IT industry of its national security obligations when outsourcing IT tasks to foreign subcontractors. The report aims to encourage the ICT industry to more effectively implement supervisory controls, checks and balances, particularly in relation to the level of IT network access allowed to foreign contractors and their employees.

The NSM, which is responsible for protecting the integrity of Norway’s state and private IT infrastructure against conventional and serious cyberspace threats, has stopped short of advancing the need for new legislation to tighten rules and limit the scope of IT subcontract work awarded by IT enterprises in Norway to foreign IT service companies.

In fact, the NSM report recognises the growing reality that more organisations are looking to outsource all or part of their IT portfolio to keep costs down.

The primary focus of the NSM report is on IT subcontracting agreements that may have direct implications for Norway’s national security. “In recent years, we have seen instances where risk management relating to outsourcing decisions by companies in Norway has fallen short,” said Kjetil Nilsen, NSM’s director general.

The NSM report has three overarching principles under which IT companies are advised to manage IT subcontracting contracts with foreign-located enterprises. The first of these principles refers to the need for IT companies to have a full overview of the service life cycle of IT projects.

Additionally, companies are advised to adopt and apply a high standard of risk management to support the decision-making ahead of the awarding of subcontracts. The third involves senior management engagement in all decision-making leading to the awarding of ICT subcontracts to foreign companies.

Lessons learned

The three specific overarching principles mentioned in the NSM report are directly connected to the “lessons learned” from the so-called Broadnet affair. Broadnet is Norway’s leading provider of fibre-based data communication to businesses, operators and the public sector. The company is a key supplier of infrastructure to Nødnett, the country’s emergency communications directorate. Broadnet’s nationwide fibre network connects 90 towns and cities in Norway, and covers 15,000 miles (24,000 km).

Influenced by a cost savings programme, Broadnet signed a subcontracting agreement with the IT service provider Tech Mahindra, headquartered in India, in September 2015. The transfer of tasks to India resulted in the lay-off of some 120 employees at the Norwegian unit that had previously handled this work at Broadnet.

Over time, the outsource contract resulted in a number of security breaches. These involved deviations where Tech Mahindra staff had unauthorised access to Broadnet’s core IT network and by extension the national emergency network.

Broadnet responded to the breaches by strengthening oversight and network monitoring procedures to better regulate access. In one connected action, staff who had been outsourced to Tech Mahindra as part of the outsourcing subcontract were taken back in-house on “security grounds”.

The operational responsibility for the Nødnett national emergency network is tasked to Motorola, with Broadnet functioning as a key subcontractor. The Nødnett network operates under the supervision of the Ministry of Transport and Communications (MTC). It was Motorola that first noticed what it suspected were breaches in IT network security in December 2016.

The company reported possible deviations from defined operating procedures by Tech Mahindra. These deviations were mainly connected with debugging activities. The discrepancy, which was confirmed in meetings with Broadnet and Tech Mahindra, was reported to the MTC, Nkom and national security agencies.

The Norwegian state owns a 60% interest in the Nødnett national emergency network. Around 10% of all lines in the Nødnett-operated network are leased from Broadnet.


Broadnet’s own internal security unit observed unauthorised IT network breaches by a Tech Mahindra employee without security clearance in February 2017. Breaches were reported to Nkom, Norway’s telecommunications authority, and state security agencies under statutory obligation reporting procedures.

Nkom was informed that Tech Mahindra had more extensive access to the Norwegian emergency network than was provided for under its contract with Broadnet. The serial security breaches resulted in a decision by Broadnet’s management board, prompted by Nkom, to move the entire operations of the emergency network and infrastructure maintenance activities back to Norway. All operations had been restored in-house to Broadnet by mid-September 2017.

The security shortcomings in the Tech Mahindra outsourcing contract triggered an investigation, commissioned by Nkom and conducted by the Norwegian Police Security Service (PST/Politiets Sikkerhetstjeneste), in November 2017. The regulator initially ordered Nkom to take immediate remedial action to upgrade its security protocols. Nkom followed up this censure by imposing a NOK14m fine, under the Electronic Communications Act, on Broadnet for failing to operate effective risk management and IT network security measures and controls.

The PST’s investigative report concluded that for the 14-month duration of the IT service outsourcing agreement, employees at Tech Mahindra had close to full access to parts of the national emergency network, but without the necessary permits or security clearances to permit official access.

“The most important thing is that we have closed the security deviation and resolved irregularities,” said Torbjørn Krøvel, Broadnet’s operations director. “The essential conclusion from this is that anyone who works with the emergency network must have a security clearance.”

Broadnet has insisted none of the breaches detected posed a serious risk to its IT network security, or the security of the Nødnett-managed national emergency network.

Reviewing network security protocols

From the perspective of Norway’s ICT sector, the NSM report delivers a timely cue to companies to review network security protocols and all aspects that deal with system access when negotiating the outsourcing of service contracts.

The central message for IT companies is the need to map which laws, requirements and regulations apply both nationally and internationally to their IT service outsourcing contracts. In particular, such contracts must comply with laws regulated under the Security Act and the Personal Information Act.

For the ICT sector, the national security implications and lessons linked to Broadnet’s relationship with Tech Mahindra are many and obvious. The Indian subcontractor was allowed unauthorised and unintended access, through Broadnet, to the Nødnett-operated national emergency communications system.

This is Norway’s most important national emergency network, comprising 255 emergency call centres for police, fire departments and medical response services. Around 60% of Nødnett’s sites are linked by microwave, with leased fibre accounting for the remaining 40%.
