Recently, we have had the opportunity to learn a little about what Russian intelligence officers spend their days doing in Norway. Will the expulsions lead them to try to cover their needs through cyberattacks?
In October 2022, at the University of Tromsø, an "illegal" is imprisoned. The man himself claims to be a Brazilian citizen, while the Norwegian Police Security Service believes he is a Russian spy and charges him with violating section 121 of the penal code, which deals with espionage against state secrets.
In November 2022, an employee at the Norwegian Veritas is convicted of severe corruption for selling information to a Russian intelligence officer.
And last week, Norwegian authorities announced that 15 Russian diplomats were being expelled from Norway for "engaging in activities incompatible with their diplomatic status."
The day after the expulsion, it was also made public that a Norwegian businessperson had been stopped by the Police Security Service, which believed that the person was about to do something that could harm Norwegian interests. Over the weekend, it became known that there is suspicion that the spy tried to obtain information about Norwegian underwater technology, with a potential goal of sabotage in the North Sea.
This is "business as usual": the use of human sources in intelligence work occurs in all countries, and we are talking about the world's second oldest profession. However, the trick in such operations is, of course, that they take place covertly. The purpose may be different than it appears. It can happen openly or secretly, but in any case, the aim is to create dependencies that can be exploited later. Intelligence officers usually have long-term perspectives and plans in mind.
What will this mean for intelligence gathering?
Given all the cases mentioned above, and it is reasonable to assume that there are more cases not known through public media, one may ask: What does it mean now that 15 Russian diplomats are expelled from Norway? Will this type of activity end?
My claim is "no, it will not end." Although there are changes in the number of Russian diplomats in Norway, Russia's information needs will not be reduced. They still have an interest in various types of advanced technology, or knowledge about these, research, critical infrastructure, and weapons production, among other things.
The consequence, however, may manifest in the cyber domain. When the "boots on the ground" become unavailable, the information vacuum must be filled with other methods, means, or vectors to achieve what previously happened through the Russian intelligence officers.
Many are unprepared
It is now simply time to take off the glasses of naivety we are known for wearing and start considering how to defend our values against foreign intelligence agencies.
Defendable's experience is that many Norwegian businesses appear unprepared for the threat landscape they are forced to navigate. They lack an overview of their own values, and basic security measures are either absent or "few and far between." Few, if any, have good and realistic plans for how to handle intelligence activity directed against their values, and they are not practiced and trained in it.
Several businesses are aware of the intelligence threat, but are they well enough prepared for the intelligence officer to come through the network cable, rather than sharing a pizza at a restaurant?
Although scholars disagree on whether Sun Zi actually lived, we will refer to his military strategy - most commonly known as "The Art of War." Allegedly, around 500 BC, Sun Zi wrote:
"He who knows the enemy as he knows himself will fight a hundred battles without defeat."
The core of the quote is essential! You must not only know yourself but also those who want to harm you.
Regarding cybersecurity and the threat of foreign intelligence activity, we recommend five steps:
- Identify and assess your values - what is important for your business, and are there unauthorized parties interested in these?
- Identify vulnerabilities - in what ways can vulnerabilities in your values be exploited?
- Get to know your opponent - who is the most likely or relevant threat to your values, and how do they operate?
- Implement basic cybersecurity measures - find a framework suitable for your business and designed to protect your values
- Train and educate your employees and other key personnel - practice makes perfect, and awareness must be systematized
We recognize that intelligence threats, values, risk, and security are challenging concepts for many to deal with - but we still believe that doing something to make oneself defendable is better than doing nothing.