1. Introduction

Danish governments have over the last decade taken significant steps to implement and facilitate societal cyber resilience through the development of institutions, strategies, legal measures, and public-private partnerships (PPP).1 Denmark is not alone in taking this approach: in fact, all the Nordic countries have applied some version of the Sector Responsibility Principle (SRP) [1]. In 2014, Denmark launched its first national strategy for achieving cyber resilience of critical infrastructure (CI). The ‘National Cyber and Information Security Strategy’ [2] and its two subsequent successors from 2018 [3] and 2021 [4] follow SRP. According to the principle, the state distributes the task of achieving and maintaining societal resilience to individual sectors, for example, health, energy supply, or finance, while maintaining central oversight and responsibility for implementation. However, Danish governments have gone less far than, for example, Finland’s to ensure the efficacy of the implemented strategies. According to the North Atlantic Treaty Organization’s (NATO) 2020 evaluation, weaknesses in the governance of resilience measures are still left to be addressed [5, p. 5]. This raises the question: why has Denmark not gone as far as Finland?

The literature on societal resilience strategies explains the sound principles behind SRP. This article seeks to add nuance to this body of literature by looking at the Danish case with an eye to identifying incentives that work against implementing SRP with efficacy, rather than formal compliance, as the main goal at both macro and micro levels.

After a literature review, the article outlines the principles behind SRP and demonstrates why it is a good strategic approach for states to achieve cyber resilience in modern, digitalised, and diverse economies. Methodologically, the article uses mainly Danish examples to demonstrate why implementation of SRP in practice is not only legally, organisationally, and technically very difficult but also politically ‘unpleasant’. Denmark is a relevant case for studying potential weaknesses in cyber resilience strategies, as it is a highly digitalised society that has consistently scored high in international evaluations of national cybersecurity, although its position has fallen since ITU’s initial evaluation in 2015 [6, 7]. The article takes as its starting point the, so far, three Danish national information and cybersecurity strategies as well as the accompanying European Union (EU) NIS and NIS 2 directives. This presents methodological challenges: there are no formal definitions of a strategy, but according to, for instance, Yarger and Bartholomees [8], strategies should include political ends and explicit theories of success regarding assumed causalities between allocated means and appropriate ways. This allows observers to identify, assess, and discuss risks, for example, from potentially inadequate means or questionable ways, and to evaluate the theory of success’ internal causality or compare it with the results of other strategies in similar empirical contexts. Held to Yarger and Bartholomees’ standards, the Danish strategies are lacking in content. Particularly the 2021 strategy [4] is mainly a list of aspirational ends, while ways and particularly allocated means are not specified in detail. This constitutes an analytical weakness, as the lack of explicit ways and means leaves a large amount to the external observer’s interpretation. Even so, the approach gives indications as to where weaknesses may lie in the presented strategies, illustrated anecdotally with empirical observations from resilience-related events as they appear in reputable news sources or other reporting.

To governments as well as their citizens and enterprises, resilience is desirable but also a tedious chore that takes resources away from core services. An inherent risk with the SRP, at both the strategic, political level and the level of the individual private or public entity, is an incentive to strive for legal compliance rather than operational efficacy and to act more according to a ‘sector responsibility avoidance principle’. Having discussed this in principle, the article will outline how the SRP has been implemented in Denmark so far, along with examples of both what drives the effort and the challenges to successful SRP implementation.

2. Cyber resilience strategy – a new academic field

The article’s headline includes the three concepts of ‘strategy’, ‘cyber resilience’, and ‘sector responsibility principle’, which the present literature goes some way to define. As mentioned above, Yarger and Bartholomees provide an operational definition of strategy as a formulated theory of success on how ends are achieved by applying sufficient means in particular ways. Furthermore, Yarger and Bartholomees provide a framework for describing the level at which strategies are developed and implemented. In the present case, the investigated Danish strategies are at what Yarger and Bartholomees define as the ‘National Security Strategy’ level, as the means deployed include all aspects of the national instruments of power [8, pp. 48–49]. National cyber resilience strategies can encompass a number of relevant topics: building a cyber workforce, promoting public cyber literacy, etc. This article focuses on the state’s task of protecting critical infrastructure, particularly its role in developing and implementing strategy in the shape of institutions and regulations, and how PPP is enforced, encouraged, and facilitated. Here, Tiirma-Klaar provides an overview of the areas that states may include in cyber resilience strategies [9]. Cyber resilience as such, particularly at the tactical level as the concept applies to individual entities and organisations, is described from many perspectives; for instance, Sepúlveda Estay et al. provide an overview of the relevant literature [10]. A search for ‘sector responsibility principle’ on Google Scholar, however, returns only Jensen [11] in spite of the principle’s widespread use in Scandinavia [1].

Identifying the state’s objective to be ‘resilience’ rather than ‘security’ is an acknowledgement of a governing principle, where the state is more a gardener guiding and facilitating a complex society’s ability to withstand, overcome, and emerge stronger from external blows, than an engineer trying to keep external blows from affecting the societal machine or assisting in repairing it afterwards. The emergence and history of this approach are well described by, for instance, Walker and Cooper [12]. This principle and the state’s role therein are brilliantly described by Dunn-Cavelty and Suter in their article ‘Public-private partnerships are no silver bullet: An expanded governance model for critical infrastructure protection’ [13]. In this key piece, they describe how the strategic context for national resilience strategies has changed, particularly since the end of the Cold War. Modern economies used to be complicated, but some factors made it possible for the state to manage crises through collection and analysis of information and central allocation of resources through commands, economic incentives, or patriotic encouragement [14, p. 2]. Critical infrastructure (CI) within, for example, production or communications was state-owned or run by domestic industries and based on standard communications systems like telephone, mail, order books, etc. This allowed a state to conduct ‘business continuity management’ (BCM) at a national level for extended periods. The world wars provided excellent examples of such state-run economies with ‘PPP’ based on central control [12, p. 3; 15]. But during the 1990s, many Western economies changed: state-run critical infrastructure was sold to private entities, and these, along with other domestic industries, often became international, either due to ownership or based on outsourcing from national or foreign subcontractors, always prone to change. At the same time, digitisation meant that command and control within critical infrastructure became based on innumerable and ever-changing systems [13, p. 180]. These and other changes transformed the basic structure of modern economies from complicated to complex, and made the hitherto successful central control approach to crisis management impractical [16, p. 46]. In the modern context, the state’s role is not to manage through direct intervention. The state’s principal challenge is to create a framework that ensures – and facilitates – the individual sectors’ resilience within critical infrastructure [13, pp. 183–186]. Only the individual sectors have the necessary insights to identify, implement, and maintain resilience and overcome external blows [17]. Hence, the state must delegate the tasks involved in achieving resilience [18, p. 36; 19, p. 481]. Christensen and Lund-Petersen elaborate on the cyber aspects of PPP and resilience in ‘Public-private partnerships on cyber security: A practice of loyalty’ [20].

Dunn-Cavelty and Suter’s analysis of meta-governance of self-organising networks identifies the state’s tasks thus: (1) defining and communicating goals and priorities, (2) identifying the status quo and needs for action, (3) choosing instruments, and (4) verifying efficiency – and then returning to step 2 [13, p. 185]. In practice, this means that to conduct meta-governance, a state should identify, designate, and keep track of CI, divided into sectors according to tasks, to facilitate the emergence of networks. Also, it should set strategic objectives, for instance through contracts, that sectors or individual suppliers must fulfil. Furthermore, it should set and enforce minimum standards, for example ISO 27001 compliance, for cyber resilience in CI. And finally, it is important to facilitate PPP, for instance by providing threat intelligence, promoting best practices, or improving access to reporting and prosecution of cybercrime.

It is important to note that delegating the tasks does not mean delegating the responsibility: comprehensive security, including BCM of the nation’s critical infrastructure, remains the state’s responsibility towards its citizens even if the actual infrastructure involved has been sold to a private contractor [18, p. 37]. Furthermore, it is important to note that, except for the financial sector, market forces are often insufficient to incentivise individual entities in CI, whether public or private, to achieve the levels of resilience that would be sufficient from a societal perspective [11, p. 5; 21, p. 266]. And, again, it must be reiterated that the task of developing and implementing the necessary strategies is simple in principle but very difficult in practice, and hampered by strong incentives that can lead to sub-optimisation at both strategic and individual levels. Dr. Kerttunen, who took part in developing Finland’s comprehensive cyber resilience strategy, has expressed it thus:

What is the best strategy? It is relevant, optimized, updated, and implemented! There are three categories of states when it comes to cyber strategies: those without strategies, those with utopian strategies that cannot be implemented, and those with realistic strategies that are poorly implemented [1, p. 275; 22].

In Denmark, SRP is the guiding principle for resilience, including cyber resilience. This is stated by law and entails that the authority or institution, for instance a ministry, that has the day-to-day responsibility for a task also has the responsibility for planning for, and resolving, this task in a crisis [23, 24]. The fact that Denmark is now implementing its third cyber resilience strategy and has achieved some results with its two predecessors places Denmark in the third category of Dr. Kerttunen’s conceptual framework. The next section elaborates on the strengths and weaknesses of the Danish approach.

3. Denmark’s cyber resilience strategies

Since 2001, Denmark has had national strategies for the public sector’s, citizens’, and corporations’ use of the cyber domain [25]. In 2014, the first national strategy for cyber and information security was introduced. It set basic objectives, for instance requiring ISO 27001 to be implemented in government entities, as well as some other concrete measures in identified CI in the telecommunications and energy sectors. Furthermore, it provided guidance to the newly established national Computer Emergency Response Team (CERT), the Centre for Cyber Security (CFCS) under the Danish Defence Intelligence Service, and the National Cyber Crime Centre (NC3) under the police, and initiated a programme of information collection to establish the status quo and identify major weaknesses [2]. The first strategy thus followed the model for meta-governance quite closely. The plan was to build on the results of this strategy with the introduction of a more extensive strategy in 2017. Developments were also driven forward by the introduction of the EU’s Directive 2016/1148 concerning measures for a high common level of security of network and information systems – in everyday terms, the NIS directive, which Denmark as an EU member was obliged to implement [26].

However, the initial plan did not hold. In 2016, the Ministry of Defence was tasked with developing a new strategy, and relevant ministries were ordered to participate in the process. However, after repeated delays, the government transferred the task to the Ministry of Finance. The lack of progress was likely due to the fact that efforts to develop individual ministries’ contributions to the strategy had to compete with the ministries’ core functions and were not given priority. In Denmark, the Ministry of Defence has no means to influence the quality and scale of other ministries’ efforts. Also, while the Ministry of Defence was responsible for the cross-ministerial coordination, it was not provided with extra funding with which to facilitate its progress. The Ministry of Finance has significantly more influence on other ministries through the power of the purse, and a new strategy was eventually presented in 2018 by an entity established under the ministry for the purpose, Digitaliseringsstyrelsen (‘the Board for Digitization’) [3; 11, p. 10]. While Denmark has no official definition of what constitutes CI, the commission for the strategy included designated sectors within which entities could be designated as CI, namely energy, health, transport, telecommunications, finance, and maritime transport. This was supplemented by the criteria for CI designation of the EU’s NIS directive [3, pp. 38–40; 20, p. 3; 26, 27]. The 2018 strategy included concrete initiatives to increase CI resilience as well as initiatives to facilitate PPP. Part of the strategy was that each of the designated sectors should develop individual resilience strategies, a process that was completed by the end of 2018 [28]. Furthermore, the strategy introduced a central entity (a ‘styregruppe’ or ‘steering group’) and an accompanying reporting framework with the task of staying informed on how the implementation progressed in individual sectors and facilitating the sharing of, for instance, best practice between sectors [3, pp. 43–45]. Like its predecessor, the 2018 strategy follows the recommendations of meta-governance by building on the information collected after the first strategy was implemented and focusing on concrete initiatives with stated deadlines to establish and facilitate the individual sectors’ ability to improve resilience, including PPP.

In December 2021, Digitaliseringsstyrelsen presented Denmark’s current strategy [4]. Compared with its two predecessors, it is less concrete: it describes intents and ambitions more than it states objectives and sets deadlines [21, p. 261]. The 2021 strategy outlines a continuation and expansion of the previous strategies, for example, by the establishment of decentralised cyber and information security entities (DCIS). It also expands the state’s practical facilitation of individual citizens’ and enterprises’ cyber resilience, for example, by establishing a new hotline for identity theft, strengthening the police’s capability to prosecute cybercrime, and creating a special entity dealing with the cyber security challenges of small- and medium-sized enterprises (SMEs), which make up a significant part of the Danish economy [4, pp. 11, 14]. As such, the strategy continues to follow the principles of meta-governance, but its less concrete form and more aspirational formulations make it less immediately applicable. There is an underlying and accompanying set of documents that much more explicitly outlines the implementation of the strategy for the individual sectors; however, while formally unclassified, these are not accessible to the public.

According to the strategy’s preamble, the plan is to follow up with a new strategy in 2024. In this regard, it is interesting to observe what role Digitaliseringsstyrelsen, which has been leading the process since 2017, plays. In December 2022, Digitaliseringsstyrelsen was removed from the Ministry of Finance’s portfolio and formally made an independent ministry. However, the new ministry is responsible for two quite different areas: digital governance and equal gender rights [29]. Recalling the Ministry of Defence’s difficulties in moving the development of the second strategy forward in 2017, the new Ministry of Digital Governance and Gender Rights may experience similar challenges regarding a 2024 strategy.

4. Challenges to Denmark’s implementation of SRP and cyber resilience

Recalling Dr. Kerttunen’s quip about national cyber resilience strategies, at this point it is relevant to review what the principal challenges are to Denmark’s implementation of its cyber resilience strategies through the SRP doctrine, and to consider how they manifest themselves.

Initially, it must be fully acknowledged that developing, implementing, and maintaining national cyber resilience strategies is always going to be an extremely difficult task legally, economically, technically, organisationally, etc. Hence, the following sections are in no way intended as condescending vis-à-vis the attempts that are made. Furthermore, realising that the tasks involved are truly daunting, the analysis does not address these difficulties, but instead addresses the challenges presented by incentives for complacency at both the political-strategic and the individual level.

The nature of these challenges is perhaps best illustrated with an example from the United States: In May 2021, Colonial Pipeline, a private enterprise that delivers fuel to most of the US east coast, was paralysed as a result of a ransomware attack conducted by Russian cybercriminals. As a result, fuel supplies immediately dropped by 45%. Seventeen states had to declare a state of emergency that in some areas lasted for weeks as transportation of persons and goods came to a halt. Forensics later assessed that the ransomware attack had been possible because Colonial Pipeline lacked basic cyber security measures [30–32]. What went wrong? Was the enterprise not designated as CI? Was there no resilience strategy in place? Was Colonial Pipeline not in compliance with regulations? It turned out that a strategy was in place, and the enterprise was designated as CI and complied with its rules and regulations. However, those rules were basically that Colonial Pipeline should read the government’s – here the TSA’s – recommendations, and then follow them if it felt inclined to. Colonial had read the recommendations, and was thus in compliance. But it was not inclined to follow them, hence they had no effect. The rules have now been changed [31, 33].

How could such an approach to cyber resilience, obviously inefficient in hindsight, be developed and implemented? There are four good reasons at play: (1) designating CI is politically unpleasant; (2) requiring and upholding demands for CI is politically unpleasant; (3) having updated and detailed insight into CI’s cyber resilience or lack thereof is politically unpleasant; and (4) paying for cyber resilience is generally unpleasant (for an extensive elaboration of these arguments, see Jensen [11, 34]). To go through these four drivers that incentivise neglect of resilience measures, cyber or otherwise, let us review them individually.

Designating CI is unpleasant: When the state designates a private or public entity as CI, it either implicitly or explicitly imposes some demands regarding resilience measures that non-CI entities are not subjected to. This imposes extra costs on the CI-designated entity that have to be covered either by adding to the price of the provided services or by compensation in some manner. Hence, there is an economic incentive against designating infrastructure as CI that may counterbalance operational considerations.

In the Danish case, it may be difficult to demonstrate this challenge with regard to cyber resilience, but a look at Denmark’s interpretation of EU directive No. 2008/114/EF may illustrate how relevant decision makers may be reluctant to designate infrastructure as CI. The EU directive defines ‘European critical infrastructure’ or ‘ECI’ as ‘critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States’ [35, p. L345/77]. In Denmark’s case, one could expect, for example, bridges across the straits, transnational power and internet cables, or Copenhagen Airport (CPH), the largest in Scandinavia, to be designated as ECI. However, as of 2022, no Danish infrastructure was ECI. Why? Because there are substitutes in principle, if less so in reality: for instance, if the bridge to Sweden breaks down, there is a ferry. From an operational perspective, this may make little sense and probably goes against the spirit of the EU directive. However, this is how the ministries for transport and energy interpret the letter of the directive when they biannually report ‘no ECI in Denmark’ to Brussels. Thus, Denmark is in compliance with the directive, but it has no effect if the EU’s intent is to strengthen ECI’s resilience [21, p. 263]. That said, compliance with the EU’s NIS directive and the recently updated version, NIS 2, has been and will continue to be a very important driver of the implementation of cyber resilience measures in Denmark [26, 36]. In February 2024, the Danish Ministry of Defence stated that the implementation of NIS 2 in Denmark was delayed, but it is still expected to be in place in 2024 [37].

Requiring and upholding standards for CI is unpleasant: Not only do these demands add costs to the provided service as described above, but the demanding entity, here the government, also has to allocate resources to enforce and keep track of their implementation, a further draw on resources.

In this regard, the nature of the sector also plays a role. Within the governance sector, implementing resilience requirements should in principle be a question of issuing commands and expecting the entities to follow orders. However, in 2014, as part of Denmark’s initial strategy, government agencies were ordered to implement the ISO 27001 standard by the end of 2016. Even so, by December 2022 only two-thirds had done so, in spite of ‘a high degree of attention from leaders on the task’ [4, pp. 19–20; 38]. Hence, implementation of even relatively simple resilience requirements is not unproblematic even within the government, and likely also not in other public sectors, for instance health. In the financial sector, market forces drive cyber resilience and security in advance of governmental requirements. In the telecommunications and energy sectors, the involved enterprises are private but highly concentrated in a few large entities that are very capable technically regarding cyber security and resilience, which enables sparring on relevant requirements and their implementation between these entities and the government. The transport sector, on the other hand, is similarly composed of private enterprises, but many are SMEs that often have little or no cyber skills, and their IT systems and potential vulnerabilities are very diverse.

Insight into the status of resilience is unpleasant: Knowing that cyber resilience in CI is sub-par entails a political responsibility to react. Not knowing provides ‘credible deniability’, and the SRP can become ‘a sector responsibility avoidance principle’ if, in case of incidents due to lack of resilience, political leadership can get away with the excuse that according to SRP, it is the sector’s and even the individual entity’s task to ensure sufficient resilience.

As mentioned, the Danish 2018 strategy put a framework in place for CI sectors to report to a central entity on progress on the implementation of resilience measures and to share best practices [3, p. 45]. However, the framework does not set specific formats or timelines for reporting. Occasional interviews with entities involved in the process suggest that while such reporting takes place, it is at uneven intervals and in different formats across different CI sectors. The lack of central oversight and the accompanying lack of enforcement of resilience measures in Denmark, in even very critical CI, were recently demonstrated in a highly critical report from ‘Rigsrevisionen’, the Danish Parliament’s special investigations board. It states the following:

The cyber security resilience of the 13 critical IT systems selected for this study is not satisfactory. The resilience of one of the authorities, where Rigsrevisionen examined several IT systems, is particularly unsatisfactory. The consequence of inadequate cyber security resilience is that critical services provided by the public sector risk being either seriously disrupted or impossible to deliver. It should be noted that the level of cyber security resilience varies between the authorities in the study [39, p. 3].

This suggests that the Danish strategies do not go as far as they could to gain insight into the status of cyber resilience. For comparison, in Finland, the government has gone considerably further: it identified the problems presented by uneven reporting in 2015, and since 2017, Finnish CI sectors have reported monthly to the government’s national security committee in a fixed format involving a 22-point matrix. This committee, established in 2013, conducts monthly meetings and submits an annual report to the president [40, 41].

Exacerbating the lack of central awareness, there is no overall authority tasked with coordinating the individual sectors’ planning and preparation between incidents [20, p. 1435]. Denmark’s designated crisis management organisation only comes together in extraordinary situations and only temporarily has the authority to deal with the effects of a crisis [23]. The task of coordinating individual sectors’ planning and preparation is delegated according to the SRP. But, as the example with the implementation of ISO 27001 demonstrates, even under SRP, giving an order to implement resilience measures does not mean it is carried out – even within the public sector. From SRP’s decentralised responsibility for the implementation of the upcoming cyber strategy, it follows that individual ministries must interpret what their responsibility entails [34]. At the same time, the ministries evaluate themselves when assessing whether their respective sectors live up to their interpretation of their responsibility. This introduces a significant risk that the sectors do not have a shared understanding of their tasks and that they do not give them the same priority – a fact also noted above by Rigsrevisionen. Biannual national exercises since 2006 have consistently highlighted this in their ‘Conclusions’ [42, p. 5; 43, p. 6].

Paying for resilience is unpleasant: Under most circumstances, cyber resilience is not the core business of either public or private entities. Hence, resilience measures take human and capital resources away from whatever that core business is. In public service sectors, for example health, the societally optimal level of resilience is in no way influenced by market forces, and is hence arbitrarily set by political leadership. In private sectors, market forces have some influence, but the economically optimal dedication of resources to resilience may be far less from an individual enterprise’s perspective than from that of society in general, if the failure of that enterprise results in significant costs as second-order effects of its failure ripple through the economy. Consider, for example, a small de-icing company that is critical for the functioning of a major airport in winter. Its revenue, and hence its market incentive to ensure BCM, comes nowhere near the cost to society if aircraft cannot take off on a winter day due to a cyberattack. Historically, only in the Danish financial sector have market forces been sufficient to drive cyber resilience to a very high level [44]. In the case of the public sector, the political level can decide how many resources are taken from other tasks and dedicated to resilience, but who should cover the difference between society’s and the small airport enterprise’s incentive to invest in resilience, and how?

Recent research indicates that cyber security and resilience are often not a high priority in Denmark’s many SMEs. In some cases, this is because implementation appears economically and/or technically challenging. In other cases, the task is too far from the experience and expertise of SMEs’ leadership to rise to a sufficient level of attention to result in action [45, 46]. Since the introduction of the first national Danish strategy in 2014, Danish governments have primarily placed funding for implementation on the defence budget [47, p. 13; 48, p. 11]. In light of the magnitude of the task, this is likely insufficient to cover the actual costs in all sectors. For instance, the Confederation of Danish Industry (Dansk Industri, DI), which promotes the interests of the SME sector, assessed it as unlikely that the allocated DKK 270 million was sufficient to cover the 34 initiatives presented in the 2021 strategy [4, p. 5; 49].

5. The SRP is the right principle for Danish cyber resilience, but demonstrated political priority does not fully match stated ambitions

As the examples in this article have demonstrated, the state’s role in establishing and maintaining comprehensive cyber resilience in CI is both highly complex and fraught with political and economic incentives to give the task less priority than a purely operational perspective might recommend. The Russian full-scale invasion of Ukraine in February 2022 has accentuated the need for resilience and the state’s role in that regard. Denmark’s national CERT has, along with other Western intelligence services, warned about an increased risk of Russian ‘hacktivism’, and Danish banks, airports, ministries, and other CI have been the target of Russian distributed denial-of-service (DDoS) attacks [50–55].

The Danish strategies have, since 2014, along with the EU’s NIS directives, established a framework for solving the task. The strategies have, as in the rest of Scandinavia, been built on SRP and contain the elements necessary to replace the state’s role as ‘the societal engineer’ of the past with ‘the societal gardener’ of today and tomorrow. Governments from both sides of parliament have built on their predecessors’ strategies to establish institutions and frameworks to, for instance, identify and designate CI, assess the level of resilience, provide threat warnings, and facilitate PPP. Also, the latest strategy’s focus on SMEs has opened a new and important area for implementing measures for cyber resilience.

However, as demonstrated by the examples, the implemented policies have still been insufficient to overcome incentives to give the task less than the necessary priority, even within the public sector, as demonstrated by the limited progress of ISO 27001 implementation and the serious deficiencies in CI systems identified by Rigsrevisionen. SRP is the proper tool for the task, but the inherent threat of implementing it as the ‘sector responsibility avoidance principle’ has yet to be overcome – a challenge that Denmark shares with all Nordic countries that apply SRP [1, p. 274]. Ambitious headlines in the current and coming strategies do not decide the outcome. Only the government’s will and tenacity will actually implement resilience measures through oversight, control, facilitation, guidance, and resource allocation.