
Swedish Government Scrambles to Contain Damage from Data Breach - dwgirvan
https://www.nytimes.com/2017/07/25/world/europe/ibm-sweden-data-outsourcing.html
======
depressedpanda
Here's a summary of what foreign powers got access to:

\- identities of undercover operatives

\- personal identity data of everyone with a driver's licence

\- people with protected identities

\- location of all army vehicles

\- money transport vehicles

\- classified infrastructure information

Even worse: when they realized they'd leaked photos, home addresses and SSNs
of protected identities, they sent a clear text email asking the contractor to
clear them from the database manually.

<emotional rant> My country is a joke.

SÄPO knew about this in 2015, and recommended against it, but the Transport
Agency still went through with the deal. How they could even be allowed to do
that is beyond me.

The director general of the Transport Agency, and the person ultimately
responsible for the leak, was fined a mere $8500 (which is half of what she
allegedly would earn in a _month_) for leaking highly classified information
to foreign powers - an act that would be punished as high treason in any sane
country. Either she knew exactly what she was doing, meaning the Russians paid
a meagre $8500 for full access to a database containing top secret
information, or (more likely) she was just that stupid, meaning possibly
hostile powers got this information for free.

But hey, that's Sweden, where incompetent people become director generals of
big government agencies, and any screw up they get caught with is excused by
saying that you didn't know better.

Here, Swedes believe that Trump is such a catastrophe, and wonder why
Americans could vote for him. We should instead look at our own pathetic
"feminist" government, and ask ourselves how and why we got here.

But hey, luckily for everyone we don't have nukes. We'd probably accidentally
give the launch codes to Saudi Arabia/Palestine, and respond by giving the
person responsible for the leak a small fine while the rest of the world
burned in the war that erupted after Israel got nuked. </rant>

~~~
rhblake
Well, she was also fired (finally) and her career is finished. I agree it was
monumentally stupid. But "punished as high treason"? Treason requires intent.
She most certainly did not _intend_ to be criminally disloyal to the country.
Merely being ignorant and incompetent is not treason.

This is a major fuckup but let's be real. Our country is a "joke"? I know
complaining is a national sport in Sweden, much like in many other countries,
and I can rage about plenty of idiotic things going on. But _on the whole_,
things are _in general_ pretty good, relative to most other countries in the
world. Move elsewhere and you'll just find a different set of things to be mad
about (perhaps more, perhaps less; and there's always a bunch of Swedish
expats who complain that things don't work like in Sweden).

~~~
staticelf
Wait what? She knew that was a possibility and that it is highly illegal and
still she went through with it.

I would say that is having intent if anything. I love my country but I think
she should be punished a lot harder. Arkebusering på slottsgården. But since
that will never happen, 12 years in jail is probably enough.

~~~
duncan_bayne
Is that word from the same root as arquebus?

~~~
depressedpanda
Yes, correct:
[https://sv.wikipedia.org/wiki/Arkebusering#Etymologi](https://sv.wikipedia.org/wiki/Arkebusering#Etymologi)

Ultimately, both words come from low German "hakebusse".

------
FrenchyJiby
Reading the article, I am reminded of the story of the famous Swedish ship,
the Vasa [0], which sank in the XVII century because, ultimately, no one
wanted to say no to the king: when the engineers saw there was a massive
problem ahead ("your boat don't float"), the management didn't dare tell the
King, leading to catastrophe[1].

It's a good lesson, I hope we learn it someday.

[0] :
[https://en.wikipedia.org/wiki/Vasa_(ship)](https://en.wikipedia.org/wiki/Vasa_\(ship\))

[1] : I'll admit it is a fantastic chance for historians and tourists alike:
The wreck, pulled from the waters perfectly preserved, is a must-see in
Stockholm

~~~
kevin_nisbet
For some reason, I think parts of this writeup were debunked, but it's still
one of my favorite reads:

[http://faculty.up.edu/lulay/failure/vasacasestudy.pdf](http://faculty.up.edu/lulay/failure/vasacasestudy.pdf)
[pdf]

Thank you for reminding me about the Vasa!

------
staticelf
The biggest problem with this story is not that it happened, it is that it
could happen again. IT issues are heavily underestimated in government agencies
and corporations [1], viewed like it's nothing important. The same goes for
politicians, they don't give so much attention to IT at all.

The problem is of course lack of knowledge. They don't understand how
important it is and that it is one of society's most critical infrastructure
today.

Hopefully this incident will be a lesson to politicians and government
agencies to care more about security and IT in general.

[1]: [http://www.sakerhetspolisen.se/publikationer/fallstudier-och...](http://www.sakerhetspolisen.se/publikationer/fallstudier-och-artiklar-fran-arsbocker/sakerhetsskydd/-bristande-it--och-informationssakerhet-hos-myndigheter-och-foretag.html)

~~~
belorn
There is a lot of resistance, universally it seems, to the concept that
outsourcing is different to in-house development/administration. It doesn't
even seem like it's a knowledge issue, but rather willful ignorance. Cost,
convenience, and less likelihood to be blamed for faults are more important than
security and control.

To take one example, the only government entity that I know that doesn't outsource
email would be the military, and even there I doubt the in-house use is 100%.

~~~
sgt101
It's darwinian; if you don't deliver the savings you are out. One solution
would be rigorous research that demonstrated that insourced onshore operations
were more effective and cheaper in the long run. But no such research exists,
is that because it's hard to do or is it because the result is that offshoring
and outsourcing is cheaper and as good?

~~~
walshemj
No, it's because vested interests want to prove that outsourcing is all rainbows
and unicorns.

~~~
rjtavares
Ronald Coase won a Nobel Prize for his work on transaction costs, and how
those (usually hidden) costs should be considered when companies externalize
business functions.

Coase’s writings and teachings lead directly to the idea of accounting for all
costs in any business or outsourcing endeavor, or “Total Cost of Ownership.”

That's just an example of "vested interests" proving that outsourcing is not
all rainbows and unicorns.

~~~
sgt101
One thing I've noted is the budget and effort that outsourcers put into
killing corporate IT. Not only in the frank effort (as in one outsourcer
ringing my CEO and telling him that I was "a problem"; luckily my CEO thought
this was hugely funny) but also with more subtlety - sponsoring research
that is aimed at undermining incumbent IT. For example, cost metrics derived
from peer studies that show that everyone is spending too much - there's money
on the table to be had. This generates a cycle of cutting, internal and then
when the money is not delivered in full consultants are brought in to "help
access the value".

In house has no budget for this, we rely on the public space and academia for
validation and fair insight. It's telling that Coase was active from the 30's
to the 70's as was J.K. Galbraith who wrote about the technostructure.
Managerial capitalism has been slaughtered, bits of it are flopping around
weakly. It seems to me that the neo-liberal replacement has helped billions
out of poverty in China, India, Indonesia and so on, but this is an unstable
situation. It's not clear that the greater good can continue to be served if
the economies of the west cannot be reconstructed to provide far larger
numbers of stable, interesting and reasonably well paying jobs. Neo-liberalism
has failed in that sense and seems not to have anything to say about it apart
from "tough, you lot had it too good for too long and now you have to be as
rich or poor as people in India and China." Which implies dictatorship.

------
Vagantem
The top ministers in charge of this scandal are impeached by the opposition.
Our prime minister Stefan Löfven is having a press conference tomorrow at 10am
(+1gmt) and possibly the entire party will resign to hand over power to the
Moderates (right wing) because of this.

~~~
johansch
I guess the most likely scenario is that the current PM tomorrow at 10am will
announce that the current government has resigned and that it's then upon the
Speaker of the Riksdag/Parliament to try to form a new government that will
meet the acceptance of the parliament.

One note: the "right-wing" alliance of four parties who were behind this
impeachment notice (I should use more quotes, they really are centrist as a
group) earlier today announced that they would _not_ seek to form an
independent government with the help of Sverigedemokraterna, the
anti-immigration and rightwing-ish party currently polling at around 20-25%.

Instead they would seek to form a new government together with the social
democratic party they just claimed was not trustworthy.

Yes, it's odd.

(On the whole though I'm happy that we can have a political crisis like this
without the country falling apart. Everyone is behaving perfectly orderly.)

~~~
Yetanfou
It is more than odd and it will only serve to steer more voters to the Sweden
Democrats (SD).

For those not totally in tune with Swedish politics, the current government (S
- social democrats - and MP - Miljöpartiet, 'environmental party') more or
less stumbled right out of the starting blocks as the opposition voted down
their budget. This would normally have ended with a resignation followed by a
new formation attempt or new elections but this did not happen, the reason
being the 'threat' of SD getting in a position of power. At that moment SD had
the support of around 13% of those Swedish voters who actually turned up to
vote. The opposition - which had just voted down the budget - now supported S
and MP staying in power, enacting the budget proposed by the opposition. This
became known as the 'decemberöverenskommelse' (December agreement).

Of course the ruling parties - S and MP, both left-wing - did not try to
implement the budget as the opposition intended, they more or less went their
own way. Already marred by a few scandals - e.g. the forced resignation of the
minister for housing (MP) when his rather tight connections to the Erdogan-
regime in Turkey, his mingling with the 'Grey Wolves' [1] (a Turkish ultra-
nationalist organisation) and his connections to the Muslim Brotherhood became
clear even to those who tried their best not to notice - the government
stumbled along without any clear plan or direction. While they produce a lot
of hollow rhetoric about their 'ethic values' (the Swedish concept of
"värdegrund", [2]) and boast about being the "first feminist government" they
have not acted decisively on real issues cropping up in the country, often
going so far as to deny the issues. This has led to comparisons with the
infamous Iraqi minister for Information, Muhammad Saeed al-Sahhaf [3] who was
known for stating things as he wanted them to be instead of the way they were,
even when confronted with irrefutable evidence.

All this served to push more and more people towards SD, the social stigma of
being associated with this party notwithstanding. If the "opposition" -
quotes around the word as it is no longer clear whether the parties of the
"alliance" can be considered to oppose the current government as they did
support its rule under the December agreement - does go along with S and
possibly MP (which by now has lost enough support to end up under the 4%
threshold) they will lose even more voters to SD. In the latest poll by Sentio
the combined support for the current government parties was 26.2% while SD got
26.8%, in other words there is more support for SD in Sweden than for the
coalition of S and MP. The trend has been for support for SD to roughly double
every four years (the election period in Sweden), from 3% to 6% to 13% to now
26%. It is unlikely for this trend to hold but it is certainly possible for
them to end up with about a third of the votes in the country.
Disenfranchising these voters will have a disastrous effect on the trust in
politics and politicians in Sweden, a trust which is already at bottom level.

[1]
[https://en.wikipedia.org/wiki/Grey_Wolves_(organization)](https://en.wikipedia.org/wiki/Grey_Wolves_\(organization\))

[2]
[https://en.wikipedia.org/wiki/V%C3%A4rdegrund](https://en.wikipedia.org/wiki/V%C3%A4rdegrund)

[3] [https://en.wikipedia.org/wiki/Muhammad_Saeed_al-Sahhaf](https://en.wikipedia.org/wiki/Muhammad_Saeed_al-Sahhaf)

~~~
JumpCrisscross
> _Sweden Democrats (SD)_

For those not following the rich drama that is Swedish politics:

"Sweden Democrats or Swedish Democrats (Swedish: Sverigedemokraterna, SD) is a
nationalist political party in Sweden that was founded in 1988. The party
describes itself as social conservative with a nationalist foundation, however
the party has been described as far-right, right-wing populist, national-
conservative, and anti-immigration. The party had its roots in Swedish fascism
and was a part of the white supremacy movement in the late-1980s; initially,
it was characterized by right-wing extremism and activism. Among the founding
party officials were several people that had formerly expressed strong support
for the ideology of Nazism. SD's logo from the 1990s was a version of the
torch used by the UK National Front, until it was changed to an Anemone
hepatica flower in 2006 (Swedish: blåsippa)."

[https://en.wikipedia.org/wiki/Sweden_Democrats](https://en.wikipedia.org/wiki/Sweden_Democrats)

~~~
Yetanfou
Sweden as a country has a history with extremism, 'Nordic' nationalism and
national-socialism, this includes nearly all parties from all sides. The
social democrats (S) were in cahoots with the nazi-regime in Germany in the
second world war and agreed with parts of their ideology. That this started
long before the war is clear when looking at e.g. the founding date of
the Swedish State Institute for Racial Biology by a social democrat and a
farmers union leader in 1922 [1]. It was on a proposal from Sweden and
Switzerland that nazi-Germany started stamping passports with a red "J" to
indicate that the carrier was considered to be Jewish, the stated reason being
that this made it easier to refuse those people access to those countries.

These nationalist and extremist tendencies did not die with the end of Nazism
either. The social democrats also have a murky past when it comes to relations
with e.g. the DDR (German Democratic Republic, i.e. eastern-Germany) and other
communist regimes. With the rise of Olof Palme and his followers the social
democrats, and with that Sweden turned away from Nordic nationalism and
instead went the diametrically opposite direction - another example of the
Swedish tendency to go for extremes. Palme was impressed by what he considered
to be the "success" of the DDR and spoke in praise of their "successes"
without any mention of the way they treated those who did not follow the party
line. He also admired Fidel Castro's Cuba and other similar countries.

This fascination with political extremes continues to this day, an example of
which is the left-wing "Researchgruppen" (research group). This is a left-wing
NGO intelligence service which proudly considers itself to be "the Swedish
Stasi" [2]. Like the original Stasi (Ministerium für Staatssicherheit, the
east-German intelligence service which kept records on millions of people and
had informants spread throughout the population) they keep a database of
people with 'dissenting' political views, most of the contents of which comes
from burglary. This "research group" works together with the left-wing
magazine "Expo" which had and has several prominent social democrats in their
leadership.

In the second world war Sweden used the motto "en svensk tiger" (which means
both "a Swedish tiger" and "a Swede keeps silent") to remind the populace to
secrecy. This term can equally well be applied to the attitude within the
social democratic party and for that matter the communist/'left' party which
has a history of its own worth revealing. Swedish social democrats like to see
themselves as shining beacons of solidarity and openness. They'd do well to do
some research into their past to try to avoid past mistakes.

[1]
[https://en.wikipedia.org/wiki/Statens_institut_f%C3%B6r_rasb...](https://en.wikipedia.org/wiki/Statens_institut_f%C3%B6r_rasbiologi)

[2]
[https://www.dagenssamhalle.se/sites/default/files/archiveima...](https://www.dagenssamhalle.se/sites/default/files/archiveimages/tweet.jpg)

[*] [https://www.dagenssamhalle.se/nyhet/granskare-som-inte-tal-e...](https://www.dagenssamhalle.se/nyhet/granskare-som-inte-tal-en-granskning-14461)

[3]
[https://en.wikipedia.org/wiki/En_svensk_tiger](https://en.wikipedia.org/wiki/En_svensk_tiger)

------
hutch120
Another IBM stuff up... anyone remember the Australian Census screw up?
[http://www.abc.net.au/news/2016-11-25/ibm-to-pay-over-$30m-i...](http://www.abc.net.au/news/2016-11-25/ibm-to-pay-over-$30m-in-compensation-for-census-fail/8057240)

~~~
rhblake
I don't know how much blame you can put on IBM here.

\- The Transport Agency decided to outsource operations, and IBM won the
contract (April 2015)

\- The following month, the head of the agency _decided to ignore_ certain
laws about privacy, secrecy, etc., as well as the agency's own requirements
about information security

\- The Swedish Security Service, Säpo (basically our FBI), immediately got
wind of this and started investigating, ultimately recommending - in November
2015 - to put an immediate halt to the outsourcing

\- The Transport Agency decided to ignore the advice of Säpo and handed over
operations to IBM in December 2015

Here's a good timeline: [http://www.dn.se/nyheter/sverige/detta-vet-vi-om-transportst...](http://www.dn.se/nyheter/sverige/detta-vet-vi-om-transportstyrelsens-it-skandal/)

~~~
bjelkeman-again
IBM really should be able to see that this is a very questionable contract and
not take the contract.

~~~
justinclift
At this point (and historically for many years), it seems like there is no
circumstance upon which an IBM salesperson or any of their management (right
to the top) would ever say No to receiving more money.

------
tofflos
Hopefully we can have a public discussion about ethics and vendor
responsibility once the dust settles. If the government was so negligent that
we may get a new one, then perhaps the vendor should have been aware of it?
Perhaps they shouldn't have suggested such a solution in the first place?
Perhaps they should have outright refused? Perhaps they should have demanded
that the government change the law before proceeding? In what country do you
get a free pass from the law just because the customer says so?

These vendors are being paid big money, and unlike our elected government
officials, they are expected to be knowledgeable - experts in their field.

~~~
cerved
How would the vendor know the client has sensitive information that they
shouldn't share. Sounds like a client responsibility.

IT sales people are rarely experts.

~~~
tofflos
I agree that would be the case if the vendor was providing infrastructure or
platform as a service. But I don't think that's the case here.

------
tscolari
"no one was ever fired for buying ibm" not so true anymore =p

------
JBiserkov
I guess the old saying "Nobody got fired for buying [from] IBM." isn't true
any longer?

~~~
johansch
Well, one person was already fired for buying this kind of IBM, but that was
just the director general of the authority that leaked the data. The thing
most Swedes have an issue with is that the government tried to silence the
leak for like two years (people really dislike being actively lied to). If
they had owned it, I don't think it would have been such a big deal.

~~~
adrianratnapala
It is an old truism that it is the cover-up that gets you. I.e. when we look
at scandals, the thing that people generally get in trouble for was part of
the cover up rather than the original scandal.

Given that this is common knowledge, why do cover-ups keep happening? Theory
(A): the failed cover-ups we hear about are only a tiny fraction of the
successful ones, so on average it is rational to try and cover things up. (B)
cover-ups are not rational on average, but some bias in human psychology makes
people do it anyway.

I am inclined to believe both, even though they contradict each other. I am
also working on a (C) involving multiple parties drawing each other into the
cover up in such a way that the person who takes the fall is not the principal
who started the trouble.

~~~
daemin
People cover up things because at the time when the cover up starts the
damage/cost of exposing the problem and taking the blame far outweighs the
cost of doing a cover up. As time progresses (the simple view is) one of two
things can happen, either the incident blows over and so the cover up was
worth it, or the person needs to keep maintaining and increasing the cover up,
thus increasing the damage/cost of the cover up.

In this way we end up with cover ups that cause more damage and are more
costly than the original incidents, even though at the onset just owning up to
the error would be less costly in the long term.

------
_Codemonkeyism
This is different because it concerns a government, but as long as the CEO
doesn't go to jail for IT breaches (Sony,...) and grossly negligent IT
decisions (British Airways), nothing will change with data security.

The second the law changes, CEOs will make it a personal matter that sound
decisions are made.

------
holografix
Frankly I pin this down on IBM Sweden who knowingly cut corners in order to
land a juicy government contract and satisfy its margin targets. Clearly not
caring about the customer's best interest.

~~~
pkaye
The biggest crime is that they decided to use IBM in the first place.

------
azinman2
"It said that the project manager for the outsourcing agreement admitted
during questioning that “he had no knowledge whatsoever of how to ensure
security.”"

You'd think someone would come in and consult on this, however, and set up basic
protocols. A PM isn't expected to be a security expert -- that's what security
experts are for.

~~~
TrickyRick
That's what you get when the government pays 3/4 of private companies in
salary. When you pay peanuts you get monkeys as the saying goes.

Also any type of consultancy work would probably have to go through "offentlig
upphandling" which means the government puts out a proposal of what they want
done and companies bid with the contract going to the lowest bidder. However
someone has to formulate the requirements and that ends up going back on the
original PM. Oh, and since the contract goes to the lowest bidder, what did
you get when you paid peanuts?

------
xlocicicig
This is rather hilarious, as most of Sweden's IT sector learned over a decade
ago that outsourcing is worthless

------
unknown_apostle
\- identities of undercover operatives...

This is terrible. When will people learn to NOT use computers at all for some
things. Use typewriters and spend a little bit more on administrative workers.
You trade in processing efficiency for making these catastrophic breaches
rarer.

~~~
daemin
I think for actual security you need to practice physical security. No matter
if the data is stored on paper or electronically, you will still need to air
gap it, and have security and clearance protecting that data.

To put it into perspective Manning only got the data out because they were lax
about securing the CD-burner in the computer he was using.

~~~
unknown_apostle
Absolutely. But computers and centralized data make physical security easier.
Old fashioned typewriters, paper files, and manual indexes for searches are
safer (for very specific things), because you simply just can't haul all of it
out. For a decent set of paperwork you'd spend months or years xeroxing
everything. Leaks may happen but may be smaller. Processed and redacted data
may still be put on computers for searching. It's a tradeoff with obvious
serious disadvantages, but one that can save the operations and even lives of
the good guys.

------
Radim
The article doesn't mention many specifics, but I'd say when it comes to
national security, Sweden has bigger (and more apparent) long-term issues than
a handful of known IT professionals from Eastern Europe having access to
private DBs.

~~~
azm1
It blows my mind that a rich country like Sweden outsources super important info
to IBM but on the other side accepts 'refugees' heavily.

~~~
rconti
I don't understand the connection between the two. Do you mean the financial
considerations?

~~~
azm1
> I don't understand the connection between the two. Do you mean the financial
> considerations?

Yep. They try to save money on the most crucial part of every country and yet
they spent vast amounts on so called refugees. It does not make any sense to
me..

~~~
maaaats
Why do you say "refugees" in quotes and "so called refugees"?

~~~
staticelf
Most likely because they are coming through Denmark and are not really fleeing
from war anymore.

~~~
maaaats
That just moves the goalpost though. Denmark could say the same to Germany,
and they to southern countries. Should the beach-cities of Italy carry all the
responsibility? Should we in Norway not help humanity, because there are some
other borders between us and the problems?

(Not aiming this at you)

~~~
beagle3
No, it doesn't just move the goal posts - international law does make the
first peaceful ground different by being the place a refugee needs to settle
their status first.

The refugee infrastructure in Italy (and Turkey, and Greece, and Jordan) is
stretched thin and breaking, as this law was not written for the current
situation. And as a result, Italy asked for help, did not receive it, and is
now threatening to use a loophole to grant every refugee seeker some EU status
that would make them effectively pan-european refugees -- but that has not
happened yet.

Assuming you are Norwegian -- didn't Norway recently threaten closing the
Swedish border if Sweden doesn't rein in their refugee situation and stop
them from crossing to Norway?[0] Not sure if this speisa is reliable, remember
reading it in a reputable source but can't find one right now on Google.

[0]
[http://speisa.com/modules/articles/index.php/item.1917/migra...](http://speisa.com/modules/articles/index.php/item.1917/migrant-chaos-norway-is-considering-closing-the-border-with-sweden.html)

~~~
maaaats
> _Assuming you are Norwegian -- didn't Norway recently threaten closing the
> Swedish border if Sweden doesn't rein in their refugee situation and stop
> them from crossing to Norway?_

Yes, as has happened elsewhere in the world, we have elected a government
based on fear, FUD, protectionism and anti-immigration.

I don't support us sitting on a throne of riches, leaving the rest of the
world to deal with the problems, though. This is of course my personal belief,
but I also think not doing it this way is shortsighted and will leave
everyone, including us, worse off in the long run.

~~~
rimliu
Overstretching infrastructure won't make it any better for anyone. Imagine the
lifeboat which accepts everyone and sinks because it cannot support the
weight.

------
rconti
The further the data gets from the original designers of the system, the less
likely it's being protected properly.

I've seen this time and again not just in outsourcing but also in regime
change at companies where employees and management turn over.

Pretty soon you've got a whole host of legal contracts with customers and
regulatory promises saying you provide X, Y, Z encryption, data redundancy,
offsite backups, support contracts, and so on -- but you're doing none of it.

I wonder to what extent outsourcing ends up being cheaper precisely because
they're not following the framework that the in-house crew implemented and
hopefully stuck with.

------
raverbashing
"With friends like these, who needs enemies"

And in this case people did get fired for buying IBM

------
throwawaymanbot
This is a very very curious incident. Advice from SAPO was not taken. And
almost literally everything has been exposed because someone in the transport
authority wanted to proceed? Incredible. Kompromat was it?

------
Bromskloss
How sure can you be anyway that vetted and authorised people won't do evil
with the data they are entrusted? That's what this has me wondering.

------
kaybe
I just hope the other governments watch, learn, and maybe maybe listen to us
once in a while.

------
josmar
Watching "Kingsmen" last night feels very timely.

~~~
johansch
All-right, I have to ask; what is the correlation you see between that movie
and these events?

~~~
sexydefinesher
Kingsmen's ending takes place in Sweden and features both a Swedish prime
minister and a Swedish princess of which the protagonist has anal sex with.

------
1337biz
I don't know why they are making such a big deal out of it?!

I always thought Sweden is such a transparent society with open insights into
how much everybody is earning and so on.

What do they have to hide? /s

