The Norwegian National Security Authority (NSM) has warned the country’s information technology firms to prioritize national security over cutting costs when outsourcing their operations abroad. The warning follows what has come to be known as the “Broadnet affair”, which, according to the Norwegian government, highlighted the dangers of extreme cost-cutting measures by Norway’s heavily privatized IT industry. The incident is named after Broadnet, Norway’s leading supplier of fiber-optic communications to the country’s industry and state sectors. Among Broadnet’s customers is Nødnett, an extensive digital network used by agencies and organizations that engage in rescue and emergency operations, including police and fire departments, as well as medical response agencies. Although 60% of the Nødnett network is owned by the Norwegian government, Broadnet is a member of the Nødnett consortium, and is thus supervised by Norway’s Ministry of Transport and Communications.
In September of 2015, Broadnet fired 120 of its Norway-based employees and outsourced their jobs to India, in search of cost-cutting measures. The company signed a multimillion dollar contract with Tech Mahindra, an outsourcing firm based in Mumbai. But an audit by the Norwegian government soon discovered several instances of security breaches by Tech Mahindra staff. The latter were reportedly able to access Nødnett without authorization through Broadnet’s core IT network, which was supposed to be off-limits to outsourced staff without Norwegian security clearances. Soon after the breaches were discovered, Broadnet began to bring its outsourced operations back to Norway. By the end of 2017, all security-related IT tasks had been returned to Norway. In the meantime, however, Broadnet had come under heavy criticism from the Norwegian government, opposition politicians, and the NSM —the government agency responsible for protecting Norway’s IT infrastructure from cyber threats, including espionage and sabotage.
The NSM warning —published earlier this month in the form of a 20-page report— makes extensive mention of the Broadnet affair. It recognizes the right of Norwegian IT firms to outsource some or all of their operational tasks as a cost-cutting measure. But it also stresses that the country’s IT firms are required by law to abide to national security protocols when outsourcing part of their IT portfolios to foreign companies. There have been numerous instances in recent years, where “risk management obligations relative to outsourcing decisions by Norwegian [IT] companies have fallen short”, the NSM report states. It adds that IT firms must abide to strict protocols of risk management when making outsourcing decisions. It also states that the firms’ Norway-based senior managers must regain complete overview of outsourced projects at every step of the way.