1 Synopsis
Danish cyber threat levels is the focus of this article. It analyzes how Denmark’s cyber threat landscape has evolved based on Danish Center for Cyber Security‘s (CFCS) methodology and reports. This is not a new assessment, but an analysis on the how, the when and the what of the reports.
Current threat levels (ratings can be none, low, medium, high, very high):
VERY HIGH
Cyber Espionage
HIGH
Cyber Crime
HIGH
Cyber Activism
MEDIUM
Destructive Cyber Attacks
NONE
Cyber Terror
1.1 Key Conclusions
- The release date of the annual, ordinary threat report has progressively moved later each year, however the mean time between reports has drastically decreased due to the use of extraordinary reports
- Certain threat categories have remained stable over time, but the Ukrainian war and Russian threats have notably impacted others, showing significant changes.
- The cumulative threat level is at its highest point in the reporting timeline, indicating an elevated overall risk environment.
Disclaimer: This article is based solely on publicly available CFCS data and analysis there of. It does not offer intelligence-based assessments or guidance and is not intended to replace official CFCS reports or assessments. It is intended to provide an overview of threat level trends, not a detailed security assessment. This post is based on the overall, more generic, reports and not the wonderful sector specific reports. For precise and updated threat information, please refer to CFCS’s official publications.
2 Introduction to Danish Cyber Threat Levels
In today’s digital world, cyber threats are a growing concern for nations worldwide, and Denmark is no exception. To address these risks, the Danish Center for Cyber Security (CFCS) plays a crucial role in protecting the country’s digital infrastructure. Part of the Defence Intelligence Agency, CFCS is responsible for assessing and reporting on the Danish cyber threat levels and cyber threat landscape in Denmark, with a particular focus on threats that could impact national security and critical infrastructure.
CFCS assesses threats in five distinct categories, which together provide a comprehensive picture of the current cyber risk environment. By continuously monitoring and updating these threats, CFCS provides both public and private sectors with the information they need to safeguard systems contributing to the country’s overall resilience in an increasingly complex cyber landscape.
If you want to know more about the cyber threat categories or the levels, go to section 6: “Understanding Denmark’s Cyber Threat Assessment Categories and Levels”.
3 Historical Changes in Danish Cyber Threat Levels
Below, you will find a breakdown of each threat category with a graph depicting recent trends. For a description of the current state, we refer to CFCS’s latest threat report for 2024. This table provides an overview of the changes in Denmark’s cyber threat environment over time.
Category, Level and Changes
Analysis
Cyber espionage has remained consistently at a very high level since 2016, reflecting sustained interest from state-sponsored groups in targeting Danish government and industry. The high level suggests a persistent risk of surveillance and data theft impacting national security and strategic sectors. For a specific case, I will refer to the Operation Pellegrino where a major Danish telco was hit by cyber espionage.
The threat level for cyber crime has been very high throughout the entire period, indicating a stable and serious risk. This sustained very high level reflects consistent, widespread activities such as phishing, ransomware, and financial fraud targeting both businesses and individuals within Denmark. The lack of change suggests an entrenched cyber crime threat that remains a significant concern. Looking at other reports and sources, the PWC cyber survey state that 45% of the participating Danish business have been hit by a cyber attack – and similarly the report from TDC states the number as 50%.
Cyber activism began at a medium level and has experienced considerable fluctuation in recent years. It dropped to low in June of 2020, likely due to reduced activist campaigns or effective countermeasures, however the drop was not explained. In May 2022, it rose again and reached medium due to activist cyber attacks carried out in connection with the war in Ukraine. It spiked in early 2023. The increase was a result of the high level of activity of pro-Russian activist hacker groups as well as the willingness and capacity to attack Danish targets. The level reflects heightened political and social tensions, linked to international events, leading to the surge in ideologically motivated attacks on public and private sector targets.
Destructive cyber attacks started at none in 2016 but gradually increased to low in 2020 and eventually medium in mid 2024. This escalation suggests a growing concern for Denmark’s critical infrastructure, with the threat of attacks designed to damage or disable essential services. The rise to medium was based on that Russia probably had become more risk-averse in relation to the use of hybrid means with destructive effects in European NATO countries. CFCS considered this willingness to also includes destructive cyber attacks.
As a part of this analysis, I would like to note that for the ordinary reports in 2016 and 2018, it was not a separate category, so in these two years, the number has been set to 0.
Cyber terror has remained consistently low in the first area of the reporting period with a drop to none in early 2019. The stable none level suggests that there is no immediate risk targeting public safety at this time. This could be due to limited interest from terror groups in cyber as a primary tool or effective mitigation strategies by CFCS and other security agencies.
4 Three Insights from the Report Release Dates
Since 2016, CFCS has published a series of ordinary, annual reports titled “Cyber Threat Against Denmark YYYY,” which document and analyze the cyber threats facing Denmark. These reports provide insight into how the threat landscape has evolved, the timeliness of response from the CFCS, and the increasing necessity for extraordinary reporting.
Date
Type
Name and link
2024-06-04
Extraordinary report
4.1 Reporting Insight 1: Frequency of Reports
The annual, ordinary reports’ release dates have shown a significant shift over the years. While the initial report in 2016 was published in as soon as January, subsequent reports have gradually been delivered later. By 2024, the publication date had moved to 263 days into the year, highlighting how the expanding scope and complexity of cyber threats demand more in-depth analysis and extended preparation time.
The gradual increase in publication correlates with the need to analyze a rapidly changing cyber landscape. With each passing year, new technologies emerge, and the global digital landscape shifts, requiring a deeper examination of cyber threats. These developments include the proliferation of advanced computing power, increased technology distribution, and the rise of more sophisticated cyberattack methods, all contributing to the more complex and extensive reporting process.
4.2 Reporting Insight 2: Emergence of Extraordinary Reports
A notable development occurred in 2022 when CFCS began issuing extraordinary reports, marking a new approach in their communication strategy. Prior to this, only ordinary reports were released, providing a general overview of the cyber threat landscape for that year. However, starting in May 2022, CFCS released extraordinary reports in response to specific events, such as the Russian invasion of Ukraine. This geopolitical event significantly impacted the cyber landscape, leading to increased cyber activism and necessitating additional analysis and timely updates beyond the annual reporting cycle.
The introduction of extraordinary reports demonstrates CFCS’s adaptability and responsiveness to high-stakes events. This agility allows CFCS to address immediate threats, provide relevant information to stakeholders, and take preventative action when global events pose an elevated risk. By integrating extraordinary reports, CFCS reinforces the importance of continual vigilance and adaptability in the face of unprecedented cyber threats.
4.3 Reporting Insight 3: Increased Reporting Frequency
Not only have publication delivery increased of the annual, ordinary reports, but CFCS has also increased the frequency of its communications with the extraordinary reports. In the initial years, reports were issued annually. However, CFCS has moved towards a shorter interval between updates, looking at 1.5 months towards the end of the reporting period. This increase in frequency indicates a heightened sense of urgency and a proactive stance on cyber threat awareness. The rapid reporting serves as a response to evolving global cyber threats and a way to keep the Danish public and stakeholders informed.
5 The Overall Danish Cyber Threat Level is at Its Highest
Based on the threat assessments and levels, an overall cyber threat level can be estimated. Each of the categories Cyber Espionage, Cyber Crime, Cyber Activism, Destructive Cyber Attacks, and Cyber Terror is assigned a level from None to Very High, which is then translated into a numerical score. Here’s how the scoring system works for Danish cyber threat levels:
5.1 Threat Level Scoring
VERY HIGH
Score: 4
HIGH
Score: 3
MEDIUM
Score: 2
LOW
Score: 1
NONE
Score: 0
Each category’s threat level is converted into a numerical score based on this scale. The scores for all five categories are then added together, producing a single Overall Threat Level. This total score provides a quick overview of Denmark’s cyber security landscape, helping organizations and the public understand the aggregated risk across multiple threat types. This is not exact science, nor does it represent a full threat assessment, but it indicates a movement.
5.2 The Overall Threat Level Graph
The graph above displays the changes in Denmark’s Overall Threat Level from January 2016 to January 2024.
There overall tendency is an increase roughly at the same time, the threat level of destructive cyber attacks increased while the threat level for cyber activism decreased – to later increase again.
5.3 Additive Insight: The Overall Threat Level Has Reached an All-Time High
The total Danish cyber threat levels and score has gradually increased over the years, reaching its peak in the most recent assessment. This indicates that cyber risks in Denmark are more substantial now than at any point in the past, with all five threat categories contributing to an elevated level of risk.
You could argue that not all the categories are equally important – and while that might be right – defies the point of the discussion.
The increased level emphasizes the importance of proactive cyber defense and being on the forefront of threats. We know that 70 – 80% of enterprises have tools, e.g. SIEMs, but do not use them properly, so at the same time roughly 27% of alerts are ignored. Simply not assessed. Which in essence mean that to be hacker you do not need a masters degree You just need simple tools and the ability to count to 4, because at some time, you will reach a defender that have ignored the alert created by you, the hacker.
6 Understanding Denmark’s Cyber Threat Assessment Categories and Levels
Each of these five distinct threat categories represent a different kind of cyber threat. CFCS assigns a threat level – ranging from none to very high – to each category, reflecting the current risk posed by these activities. Here’s an overview of these five assessment categories:
Cyber Espionage
Cyber espionage refers to activities carried out by state-sponsored or highly sophisticated groups seeking to gather sensitive information from government, business, or critical infrastructure sectors.
Cyber Crime
Cyber crime encompasses activities like financial fraud, data theft, and ransomware attacks, generally carried out by criminal organizations or individual hackers seeking monetary gain.
Cyber Activism
Often driven by ideological motives, cyber activism (or “hacktivism”) involves groups or individuals conducting cyber attacks to promote political or social causes.
Destructive Cyber Attacks
These attacks are aimed at causing physical or digital damage to infrastructure, such as power grids, transportation networks, or healthcare systems.
Cyber Terror
This represents the threat posed by groups or individuals who aim to inject fear or harm public safety through cyber attacks.
For each of these categories, CFCS assigns a threat level to reflect the current risk based on capacity and intent:
None
One or more actors have the capacity and intention for attack/malicious activity. However, there are no indications of specific planning for attack/malicious activity.
Low
One or more actors have the capacity and intention for attack/malicious activity. However, there are no indications of specific planning for attack/malicious activity.
Medium
One or more actors have the capacity and intention for attack/malicious activity. However, there are no indications of specific planning for attack/malicious activity.
High
One or more actors have the capacity and are specifically planning attack/malicious activity, or have already conducted or attempted attack/malicious activity.
Very High
There is either information that one or more actors are initiating attack/malicious activity, including information on timing and targets, or one or more actors are continuously initiating attack/malicious activity.
By making these assessments, CFCS provides a comprehensive overview of Denmark’s cyber threat landscape.
7 Conclusion: The Evolving Landscape of Cyber Threats in Denmark
This article provided a meta-analysis of how Denmark’s cyber threat levels evolved. Both the threat level for cyber espionage and cyber crime has remained very high in the reporting period indicating that there is a large persistent threat for Danish businesses and society. The high level of cyber attacks supports this. Vice versa for the cyber terror threat level which has decreased to none.
Similarly, threat levels for cyber activism and destructive cyber attacks have fluctuated but increased predominantly due to Ukrainian war and Russian threats have notably impacted others, showing significant changes.
The shift in CFCS’s reporting methods, from annual, ordinary reports to more frequent extraordinary updates, is a reflection of the rapidly changing cyber threat landscape. As the cyber domain becomes more complex, the need for timely and comprehensive reporting grows more critical. The CFCS has responded with dedication, shortening report intervals and issuing extraordinary reports to ensure Danish society remains informed and prepared.
The cumulative threat level has never been higher! Staying well-informed is more crucial than ever as cyber threats continue to grow in sophistication. Denmark’s resilience depends not only on government action but also on public awareness and preparedness. Special thanks to all the people working at CFCS for their outstanding efforts in safeguarding the nation’s digital infrastructure.