Framework for an appropriate level of security for the Armed Forces’ use of ICT – application to a tactical communication network

FFI-Report 2025
This publication is only available in Norwegian
Federico Mancini, Monica Endregard

The Armed Forces are an organization critical to national security and therefore subject to the Norwegian Security Act. As a result, the Armed Forces are required to establish and maintain an adequate level of security for the assets that enable them to fulfill their function effectively. The Armed Forces’ information and communication technology (ICT) is one such asset. According to the Security Act, an appropriate level of security should be based on a functional approach and be risk-driven, but implementing this in practice has proven to be challenging. The Norwegian Defence Research Establishment (FFI) has been working on developing a framework to address this issue by offering a structured and verifiable methodology for risk assessments related to the Armed Forces’ use of ICT.

This report provides an overview of the framework’s components developed so far and introduces a fictional, but concrete, example of a tactical communication network to demonstrate its application. The results presented here, bar the fictional example, have been published previously in peer-reviewed articles but are compiled here for the first time in a more comprehensive and consistent manner.

The framework consists of two main parts. The first is an approach to break down and model the Armed Forces’ functions and the ICT systems and infrastructures that support these functions in a way that highlights their interconnections. The second is a method that uses this functional model to carry out the necessary risk assessments in a traceable, holistic, and verifiable manner. The aim is to provide a better basis for evaluating potential security measures while considering both regulatory and functional requirements related to risk assessments and making it possible to determine what an adequate level of security should be.

The example addresses the assessment of a network infrastructure intended to connect several different tactical networks and enable seamless information flow in combat-related situations. The purpose is to demonstrate how the framework can be used to derive a better risk-based decision-making foundation for security-related evaluations—not to propose specific technological solutions for an actual tactical communication network.

Our conclusion is that the framework is approaching a maturity where it can be applied in practice, and it does indeed provide more structured and traceable assessments in line with the intention in the Security Act. However, the lack of a more granular functional breakdown of the Armed Forces’ tasks and of well-defined operational scenarios prevents us from conducting more comprehensive assessments. Additionally, some digital tools are needed to manage the large and complex models required to use the framework.
