FUTURE_SECURITY_ARCHITECTURE.md

May 31, 2026 ยท View on GitHub

Hack23 Logo

๐Ÿš€ Riksdagsmonitor โ€” Future Security Architecture

๐Ÿ›ก๏ธ Evolution Roadmap: From Static Website to Advanced Intelligence Platform
๐ŸŽฏ Post-Quantum Ready ยท AI-Augmented Security ยท Zero-Trust Architecture

Owner Version Effective Date Review Cycle OpenSSF Best Practices


Document Version: 2.1
Last Updated: 2026-05-31
Classification: Public
Owner: Hack23 AB (Org.nr 5595347807)
Review Cycle: Quarterly


๐ŸŽฏ Executive Summary

This document outlines the future security architecture for Riksdagsmonitor over the next 3-11 years (2026-2037). The roadmap focuses on proactive security evolution rather than reactive patches, ensuring the web platform with interactive Chart.js/D3.js dashboards remains secure against emerging threats including post-quantum cryptography, AI-powered attacks, and advanced persistent threats.

Strategic Goals:

  • ๐Ÿ” Post-Quantum Readiness - Cryptographic agility before quantum computers threaten current algorithms
  • ๐Ÿค– AI-Augmented Security - Machine learning for threat detection and anomaly analysis
  • ๐Ÿ›ก๏ธ Zero-Trust Architecture - Never trust, always verify, assume breach mentality
  • ๐Ÿ“Š Privacy-Preserving Analytics - Intelligence without surveillance
  • ๐ŸŒ Decentralized Resilience - Distributed architecture for high availability

๐Ÿ“‹ Table of Contents

  1. Current State Baseline
  2. Threat Landscape Evolution
  3. Future Security Domains
  4. Implementation Roadmap
  5. Technology Evolution
  6. Compliance Evolution
  7. Risk Management
  8. Success Metrics
  9. Security Investment & Budget Planning
  10. Conclusion
  11. References

๐Ÿ“š Architecture Documentation Map

The following table shows all 15 architecture documents maintained for Riksdagsmonitor. This document is highlighted.

DocumentFocusDescription
ARCHITECTURE.mdCurrentC4 system architecture model
DATA_MODEL.mdCurrentData structures and entities
FLOWCHART.mdCurrentBusiness process flows
STATEDIAGRAM.mdCurrentSystem state transitions
MINDMAP.mdCurrentSystem conceptual map
SWOT.mdCurrentStrategic analysis
SECURITY_ARCHITECTURE.mdSecurityCurrent security controls
THREAT_MODEL.mdSecuritySTRIDE threat analysis
FUTURE_SECURITY_ARCHITECTURE.mdSecurityFuture security roadmap (this document)
FUTURE_ARCHITECTURE.mdFutureArchitecture evolution roadmap
FUTURE_DATA_MODEL.mdFutureEnhanced data architecture
FUTURE_FLOWCHART.mdFutureImproved process workflows
FUTURE_STATEDIAGRAM.mdFutureAdvanced state management
FUTURE_MINDMAP.mdFutureCapability expansion map
FUTURE_SWOT.mdFutureFuture strategic opportunities

๐Ÿ” ISMS Policy Alignment

Policy Framework Integration

This document aligns with the following Hack23 ISMS policies from Hack23/ISMS-PUBLIC:

PolicyRelevanceKey Requirements
Information Security PolicyPrimarySecurity objectives, management commitment, risk appetite
Secure Development PolicyHighSecure coding standards, SAST/DAST, supply chain security
Access Control PolicyHighLeast privilege, MFA, zero-trust principles
Risk Management PolicyHighRisk register, treatment plans, residual risk targets
Incident Response PolicyMediumMTTR targets, escalation procedures, post-incident reviews
Cryptography PolicyHighAlgorithm standards, key management, PQC migration
Supplier Security PolicyMediumThird-party risk (Chart.js, D3.js, GitHub, AWS)
Business Continuity PolicyMediumDual deployment, RTO/RPO targets

Security Control Implementation Status

Control DomainCurrent (2026)Target (2028)Target (2030)Framework
Access Control๐ŸŸก Partial๐ŸŸข Full๐ŸŸข FullISO 27001 A.9
Cryptography๐ŸŸก Classical TLS 1.3๐ŸŸก Hybrid PQC๐ŸŸข Full PQCISO 27001 A.10
Physical Security๐ŸŸข GitHub/AWS managed๐ŸŸข Full๐ŸŸข FullISO 27001 A.11
Operations Security๐ŸŸก Partial๐ŸŸข Full๐ŸŸข FullISO 27001 A.12
Network Security๐ŸŸก TLS/CDN only๐ŸŸก WAF added๐ŸŸข Full ZTAISO 27001 A.13
Supplier Relations๐ŸŸก SRI/SBOM๐ŸŸข Full SBOM๐ŸŸข FullISO 27001 A.15
Incident Management๐ŸŸก Documented๐ŸŸก Automated๐ŸŸข AI-assistedISO 27001 A.16
Compliance๐ŸŸก Managed๐ŸŸก Certified๐ŸŸข ISO 27001 CertISO 27001 A.18

Alignment with NIST CSF 2.0 Functions

FunctionCurrent Maturity2028 Target2030 Target
GV โ€” Govern๐ŸŸก Level 2๐ŸŸข Level 3๐ŸŸข Level 4
ID โ€” Identify๐ŸŸก Level 2๐ŸŸข Level 3๐ŸŸข Level 4
PR โ€” Protect๐ŸŸก Level 2๐ŸŸข Level 3๐ŸŸข Level 4
DE โ€” Detect๐Ÿ”ด Level 1๐ŸŸก Level 2๐ŸŸข Level 3
RS โ€” Respond๐ŸŸก Level 2๐ŸŸข Level 3๐ŸŸข Level 4
RC โ€” Recover๐ŸŸก Level 2๐ŸŸข Level 3๐ŸŸข Level 4

1. ๏ฟฝ๏ฟฝ Current State Baseline

1.1 Current Security Posture (2026 Q1)

graph TB
    subgraph "2026 Q1 Security Stack (Current)"
        L1[๐ŸŒ Network: TLS 1.3, HTTPS-only, AWS CloudFront + GitHub CDN]
        L2[๐Ÿ›ก๏ธ Application: HTML/CSS/JavaScript, Chart.js/D3.js dashboards]
        L3[๐Ÿ”‘ Access: GitHub MFA, SSH keys, GPG signing, AWS OIDC]
        L4[๐Ÿ“‹ Integrity: Git history, Branch protection, SRI hashes]
        L5[๐Ÿ” Monitoring: Dependabot, CodeQL, Secret scanning]
        L6[๐Ÿšจ Response: Documented procedures, Rollback capability, Dual deployment]
    end
    
    L1 --> L2
    L2 --> L3
    L3 --> L4
    L4 --> L5
    L5 --> L6
    
    style L1 fill:#4caf50,color:#000000
    style L2 fill:#4caf50,color:#000000
    style L3 fill:#ff9800,color:#000000
    style L4 fill:#ff9800,color:#000000
    style L5 fill:#2196f3,color:#ffffff
    style L6 fill:#f44336,color:#ffffff

Strengths:

  • โœ… LOW residual risk (7.21/10.0)
  • โœ… Zero high-priority vulnerabilities
  • โœ… Dual deployment with automatic failover (AWS + GitHub Pages)
  • โœ… Interactive dashboards with SRI hash validation
  • โœ… Comprehensive ISMS documentation
  • โœ… AWS OIDC authentication (no long-lived credentials)
  • โœ… NEW (2026-02-18): SLSA Level 2+ Build Provenance attestations
  • โœ… NEW (2026-02-18): SBOM generation in SPDX format
  • โœ… NEW (2026-02-18): Documentation as code (API, coverage, E2E reports)

Limitations:

  • โš ๏ธ CSP 'unsafe-inline' required for Chart.js/D3.js (future: nonce-based CSP)
  • โš ๏ธ Client-side JavaScript increases attack surface (XSS risks)
  • โš ๏ธ CDN dependency for Chart.js/D3.js (supply chain risk)
  • โš ๏ธ No real-time threat intelligence integration
  • โš ๏ธ Limited observability (no APM for client-side performance)

2. โš ๏ธ Threat Landscape Evolution

2.1 Emerging Threats (2026-2030)

graph TB
    subgraph "2026-2027: Near-Term Threats"
        T1[๐Ÿค– AI-Powered Phishing<br/>Deepfake social engineering]
        T2[๐Ÿ” Cryptographic Weakening<br/>Quantum computing advances]
        T3[โšก Supply Chain Attacks<br/>Compromised CI/CD]
    end
    
    subgraph "2028-2029: Mid-Term Threats"
        T4[๐Ÿง  AI-Generated Exploits<br/>Automated vulnerability discovery]
        T5[๐ŸŒ DNS Hijacking 2.0<br/>Advanced BGP attacks]
        T6[๐Ÿ“ฑ IoT Botnets<br/>Distributed attacks]
    end
    
    subgraph "2030+: Long-Term Threats"
        T7[๐Ÿ’ป Quantum Decryption<br/>TLS 1.3 broken]
        T8[๐Ÿค– AGI Security Attacks<br/>Autonomous threat actors]
        T9[๐ŸŒ Nation-State APTs<br/>Advanced persistent threats]
    end
    
    T1 --> T4
    T2 --> T7
    T3 --> T6
    T4 --> T8
    T5 --> T9
    
    style T1 fill:#ff9800,color:#000000
    style T2 fill:#ff9800,color:#000000
    style T3 fill:#ff9800,color:#000000
    style T7 fill:#f44336,color:#ffffff
    style T8 fill:#f44336,color:#ffffff
    style T9 fill:#f44336,color:#ffffff

2.2 Regulatory Evolution

FrameworkCurrent (2026)Future (2028-2030)Impact on Riksdagsmonitor
NIS2 DirectiveApplicableStricter controlsIncident reporting <24h
EU Cyber Resilience ActProposedMandatory SBOMSoftware supply chain transparency
AI ActDraftEnforcedAI system categorization if ML added
Post-Quantum CryptographyNIST standardsMandatoryAlgorithm migration required
GDPREnforcedEnhancedPrivacy by design for any user data

3. ๐Ÿ—๏ธ Future Security Domains

3.1 Post-Quantum Cryptography (PQC)

Timeline: 2027 Q1 - Q4
Priority: ๐Ÿ”ด HIGH

graph LR
    Current[Current: TLS 1.3<br/>RSA 2048, ECDSA P-256] --> Hybrid[2027 Q2: Hybrid Mode<br/>Classical + PQC]
    Hybrid --> Full[2028 Q1: Full PQC<br/>CRYSTALS-Kyber, CRYSTALS-Dilithium]
    
    style Current fill:#90caf9,color:#000000
    style Hybrid fill:#ff9800,color:#000000
    style Full fill:#4caf50,color:#000000

Implementation Plan:

Phase 1: Assessment (2027 Q1)

  • Inventory all cryptographic dependencies
  • GitHub Pages TLS capabilities assessment
  • Browser compatibility matrix (PQC support)
  • Performance impact analysis

Phase 2: Hybrid Deployment (2027 Q2-Q3)

  • Configure hybrid TLS (classical + PQC)
  • Browser fallback mechanisms
  • Performance monitoring
  • User experience validation

Phase 3: Full PQC Migration (2028 Q1)

  • Deprecate classical-only connections
  • Full PQC enforcement for AWS CloudFront
  • Certificate management automation
  • Documentation updates

NIST PQC Standards:

  • Key Encapsulation: CRYSTALS-Kyber (KEM)
  • Digital Signatures: CRYSTALS-Dilithium, FALCON
  • Fallback: Classical algorithms during transition

AWS Integration:

  • CloudFront custom SSL certificate with PQC support
  • S3 presigned URLs with post-quantum signatures
  • Route 53 DNSSEC with PQC algorithms

Control Mapping:

  • ISO 27001: A.10.1.1 (Cryptographic controls)
  • NIST CSF 2.0: PR.DS-2 (Data in transit protected)
  • CIS Controls v8.1: 3.10 (Encrypt data in transit)

3.2 AI-Augmented Security

Timeline: 2026 Q3 - 2027 Q4
Priority: ๐ŸŸก MEDIUM

graph TB
    subgraph "AI Security Layers"
        A1[๐Ÿค– Anomaly Detection<br/>Traffic pattern analysis]
        A2[๐Ÿ” Threat Intelligence<br/>Real-time feed integration]
        A3[๐Ÿ›ก๏ธ Behavioral Analysis<br/>User interaction patterns]
        A4[๐Ÿ“Š Predictive Security<br/>Vulnerability forecasting]
    end
    
    Data[Log Data] --> A1
    External[Threat Feeds] --> A2
    Analytics[User Analytics] --> A3
    SBOM[SBOM Data] --> A4
    
    A1 --> Alerts[Security Alerts]
    A2 --> Alerts
    A3 --> Alerts
    A4 --> Alerts
    
    style A1 fill:#2196f3,color:#ffffff
    style A2 fill:#2196f3,color:#ffffff
    style A3 fill:#2196f3,color:#ffffff
    style A4 fill:#2196f3,color:#ffffff

Capabilities:

1. Anomaly Detection (2026 Q4)

  • Traffic pattern analysis via AWS CloudWatch and CloudFront logs
  • Baseline establishment for normal behavior
  • Real-time alerting on deviations
  • Integration with GitHub Actions logs

2. Threat Intelligence (2027 Q1)

  • Integration with threat intelligence feeds (MISP, OTX)
  • Automated IOC matching against CloudFront access logs
  • Proactive blocking of known-bad actors via AWS WAF
  • Threat actor profiling

3. Behavioral Analysis (2027 Q2)

  • User interaction patterns (if analytics added)
  • Bot detection and mitigation via AWS WAF
  • Session anomaly detection
  • Privacy-preserving analytics (differential privacy)
  • Client-side dashboard performance monitoring

4. Predictive Security (2027 Q3)

  • Dependency vulnerability forecasting (Chart.js/D3.js)
  • Zero-day prediction models
  • Attack surface trend analysis (JavaScript attack surface)
  • Risk score predictions

Privacy Considerations:

  • โœ… No PII collection
  • โœ… Anonymized analytics only
  • โœ… GDPR-compliant by design
  • โœ… User opt-out mechanisms

Control Mapping:

  • ISO 27001: A.12.6 (Technical vulnerability management)
  • NIST CSF 2.0: DE.CM-1 (Network monitored)
  • CIS Controls v8.1: 13.1 (Security event alerting)

3.3 Zero-Trust Architecture

Timeline: 2027 Q1 - 2028 Q4
Priority: ๐ŸŸข LOW (Static website context)

Principles:

  1. Never Trust, Always Verify - Even GitHub infrastructure
  2. Assume Breach - Design for compromise scenarios
  3. Least Privilege - Minimal permissions at all layers
  4. Micro-Segmentation - Isolate components

Future Enhancements:

Contributor Access (2027 Q2)

  • Time-limited access tokens
  • Just-in-time privilege elevation
  • Continuous authentication verification
  • Behavior-based access policies

Infrastructure Verification (2027 Q4)

  • โœ… IMPLEMENTED (2026-02-18): GitHub Actions attestations (SLSA Level 2+)
  • โœ… IMPLEMENTED (2026-02-18): Build Provenance verification
  • Future Goal: SLSA Level 3 (hermetic builds, non-falsifiable provenance)
  • Binary authorization for deployments
  • Reproducible builds

Network Isolation (2028 Q2)

  • Content Security Policy Level 3 with nonces (remove 'unsafe-inline')
  • Subresource Integrity (SRI) for all external resources (Chart.js, D3.js)
  • CORS policy enforcement
  • DNS-over-HTTPS (DoH) via Route 53
  • AWS WAF integration with CloudFront

Control Mapping:

  • ISO 27001: A.13.1 (Network security management)
  • NIST CSF 2.0: PR.AC-5 (Network integrity protected)
  • CIS Controls v8.1: 13.6 (Deploy network-based IDS)

3.4 Advanced Monitoring & Observability

Timeline: 2026 Q4 - 2027 Q4
Priority: ๐ŸŸก MEDIUM

graph TB
    subgraph "Observability Stack Evolution"
        M1[Current: GitHub Actions<br/>Basic workflow monitoring]
        M2[2027 Q1: APM Integration<br/>Real-time performance tracking]
        M3[2027 Q3: SIEM Integration<br/>Security event correlation]
        M4[2028 Q1: Distributed Tracing<br/>End-to-end visibility]
    end
    
    M1 --> M2
    M2 --> M3
    M3 --> M4
    
    style M1 fill:#90caf9,color:#000000
    style M2 fill:#ff9800,color:#000000
    style M3 fill:#2196f3,color:#ffffff
    style M4 fill:#4caf50,color:#000000

Components:

1. Application Performance Monitoring (2027 Q1)

  • Real User Monitoring (RUM) for Chart.js/D3.js dashboards
  • Synthetic monitoring from global locations
  • Performance regression detection
  • Lighthouse CI integration
  • Client-side error tracking (Sentry or similar)

Metrics:

  • First Contentful Paint (FCP) < 1s
  • Time to Interactive (TTI) < 2s
  • Cumulative Layout Shift (CLS) < 0.05
  • Chart.js rendering performance < 500ms
  • Core Web Vitals monitoring

2. Security Information & Event Management (2027 Q3)

  • Centralized log aggregation (GitHub + AWS CloudFront + S3 access logs)
  • Real-time security event correlation
  • Automated incident response workflows
  • Compliance reporting automation

Integration:

  • Elastic Stack (ELK) or Splunk
  • GitHub audit log streaming
  • AWS CloudTrail and CloudWatch Logs
  • CloudFront access logs
  • Automated alerting to PagerDuty/Opsgenie

3. Distributed Tracing (2028 Q1)

  • OpenTelemetry instrumentation
  • Request flow visualization
  • Latency analysis
  • Dependency mapping

Control Mapping:

  • ISO 27001: A.12.4 (Logging and monitoring)
  • NIST CSF 2.0: DE.CM-1 (Network monitored)
  • CIS Controls v8.1: 8.2 (Collect audit logs)

3.5 ๐Ÿ›ฐ๏ธ Intelligence-Integrity & Counter-AI Controls (OSINT/INTOP, to 2037)

Fielding the Political-Intelligence Capability Catalog (C1โ€“C32) makes analytic integrity a first-class security property. The threats in FUTURE_THREAT_MODEL.md ยงPolitical-Intelligence Capability Threat Analysis (PI-T1โ€ฆPI-T7) are countered here by integrity-by-construction: nothing reaches a published judgment without an evidence anchor, a provenance check, a neutrality gate and a human sign-off. These controls realize the catalog's assurance pillar (C26โ€“C32).

3.5.1 Control set

#ControlCountersMechanism (Horizon)
II-1 Evidence-anchor gateEvery analytic record must carry a graded dok_id/primary-source ref or it is rejectedPI-T1, PI-T3CI hard-fail today (H1); runtime gate on fusion/estimative writes (H3)
II-2 Provenance & content credentialsC2PA-sign evidence; verify on cite; detect synthetic mediaPI-T3KMS-signed manifests, S3 Object Lock, deepfake detector, refuse-to-cite on failure (H3)
II-3 Prompt-injection & poisoning defenseScreen inputs to SAT/estimative agents; isolate untrusted document textPI-T1, PI-T2Bedrock Guardrails, input sanitization, retrieval allow-listing, tool-permission minimization (H3)
II-4 Party-symmetry / neutrality gateBlock asymmetric framing before publishPI-T4CI neutrality audit (H1โ†’H2); longitudinal symmetry monitoring + dual-control override (H3)
II-5 Calibration-as-release-metricForecast products gated on rolling Brier; immutable, pre-registered questionsPI-T6Append-only calibration ledger; release blocked on drift; independent resolution criteria (H2โ†’H3)
II-6 I&W integrityProtect tripwires from decoy flooding / warning suppressionPI-T5Adaptive thresholds, redundant indicators, anomaly-on-anomaly, human triage (H3)
II-7 FIMI ethics gateAggregate-only, no citizen profiling, advisory-not-accusatoryPI-T7Hard ethics gate in pipeline; attribution-confidence floors; human framing (H3)
II-8 Human-on-the-loop sign-offNo estimative/warning product auto-publishesPI-T2, PI-T4, PI-T7Mandatory analyst sign-off state (see FUTURE_STATEDIAGRAM.md ยง18)
II-9 Tradecraft auditabilityICD-203 compliance + reproducibility logged per productPI-T2, PI-T6Assumption logs, source characterization, audit trail, GDPR Art. 9 basis stamped

3.5.2 Control architecture

flowchart TD
    SRC[Public sources] --> ING[Ingest plus provenance sign<br/>II-2]
    ING --> POIS{Poisoning plus injection screen<br/>II-3}
    POIS -->|Reject| QUAR[Quarantine plus alert]
    POIS -->|Clean| EVID{Evidence-anchor gate<br/>II-1}
    EVID -->|No dok_id| DROP[Reject record]
    EVID -->|Anchored| ANAL[SAT plus forecast engine]
    ANAL --> CAL{Calibration gate<br/>II-5}
    CAL -->|Drift| HOLD[Hold for retrain]
    CAL -->|OK| NEUT{Neutrality gate<br/>II-4}
    NEUT -->|Asymmetric| REWORK[Rebalance]
    NEUT -->|Symmetric| SIGN[Human sign-off<br/>II-8 plus II-9]
    SIGN --> PUB[Publish plus audit trail]
    REWORK --> ANAL

    style POIS fill:#ff006e,color:#ffffff
    style EVID fill:#ff006e,color:#ffffff
    style CAL fill:#ff006e,color:#ffffff
    style NEUT fill:#ff006e,color:#ffffff
    style SIGN fill:#9c27b0,color:#ffffff
    style PUB fill:#4caf50,color:#000000
    style DROP fill:#f44336,color:#ffffff
    style QUAR fill:#f44336,color:#ffffff

3.5.3 Framework mapping

ControlISO 27001:2022NIST CSF 2.0OWASP LLM
II-1 Evidence anchorA.5.34 (PII), A.8.28 (secure coding)PR.DS, GV.OCLLM09 Overreliance
II-2 ProvenanceA.8.24 (crypto), A.5.33 (records)PR.DS-6 (integrity)LLM08
II-3 Injection defenseA.8.28, A.8.16 (monitoring)DE.CM, PR.PSLLM01 / LLM03
II-4 Neutrality gateA.5.1 (policies), A.8.29 (testing)GV.OC, GV.RRLLM09
II-5 CalibrationA.8.16, A.5.36 (compliance)ID.IM, DE.AELLM09
II-6 I&W integrityA.8.16 (monitoring), A.5.7 (threat intelligence)DE.CM, DE.AELLM04 / LLM10
II-7 FIMI ethicsA.5.34, A.18 (privacy)GV.OC, ID.RAโ€”
II-8 Human-on-the-loopA.5.4 (mgmt responsibilities)GV.RR-1LLM08 Excessive Agency
II-9 Tradecraft auditabilityA.5.33 (records), A.8.15 (logging)GV.RR, PR.PSLLM08 / LLM09

Governing principle. Security for a political-intelligence capability is not perimeter defense alone โ€” it is integrity of the analytic product. Controls II-1โ€ฆII-9 ensure that even a fully compromised model or a poisoned source cannot launder a manipulated, biased, or unevidenced judgment through the platform's credibility. Every gate is fail-closed; every published product is reproducible, neutral, evidence-anchored and human-accountable under the Hack23 AI Policy.


4. ๐Ÿš€ Implementation Roadmap

4.1 Timeline Overview

gantt
    title Riksdagsmonitor Security Evolution (2026-2030)
    dateFormat YYYY-MM
    section Post-Quantum
    PQC Assessment           :2027-01, 3M
    Hybrid PQC Deployment   :2027-04, 6M
    Full PQC Migration      :2028-01, 3M
    section AI Security
    Anomaly Detection       :2026-10, 3M
    Threat Intelligence     :2027-01, 3M
    Behavioral Analysis     :2027-04, 3M
    Predictive Security     :2027-07, 3M
    section Zero-Trust
    Contributor Access      :2027-04, 3M
    Infrastructure Verify   :2027-10, 3M
    Network Isolation       :2028-04, 3M
    section Monitoring
    APM Integration         :2027-01, 3M
    SIEM Integration        :2027-07, 3M
    Distributed Tracing     :2028-01, 3M

4.2 Phase-by-Phase Breakdown

2026 Q3-Q4: Foundation

  • โœ… Complete current ISMS documentation (DONE: Feb 2026)
  • โœ… AWS CloudFront + S3 deployment (DONE: Feb 2026)
  • โœ… Dual deployment with GitHub Pages DR (DONE: Feb 2026)
  • ๐Ÿ”„ Implement APM monitoring (Lighthouse CI)
  • ๐Ÿ”„ Enable GitHub Advanced Security features
  • ๐Ÿ”„ AI anomaly detection prototype
  • ๐Ÿ”„ Nonce-based CSP for Chart.js/D3.js (remove 'unsafe-inline')

2027 Q1-Q2: Early Adoption

  • ๐Ÿ” PQC assessment and hybrid deployment
  • ๐Ÿค– AI threat intelligence integration
  • ๐Ÿ›ก๏ธ Zero-trust contributor access model
  • ๐Ÿ“Š SIEM integration (ELK/Splunk)

2027 Q3-Q4: Expansion

  • ๐Ÿ” Full PQC readiness testing
  • ๐Ÿค– Behavioral analysis deployment
  • ๐Ÿ›ก๏ธ Infrastructure attestation (SLSA Level 3)
  • ๐Ÿ“Š Advanced monitoring dashboards

2028 Q1-Q2: Maturity

  • ๐Ÿ” Full PQC enforcement
  • ๐Ÿค– Predictive security models
  • ๐Ÿ›ก๏ธ Network micro-segmentation
  • ๐Ÿ“Š Distributed tracing

2028 Q3-Q4: Optimization

  • ๐Ÿ”ง Performance tuning
  • ๐Ÿ“– Documentation updates
  • ๐ŸŽฏ Compliance validation
  • ๐Ÿ† Maturity assessment

2029-2030: Continuous Improvement

  • ๐Ÿ”„ Regular security audits
  • ๐Ÿ”„ Emerging threat response
  • ๐Ÿ”„ Technology refresh cycles
  • ๐Ÿ”„ ISMS updates

5. ๐Ÿ’ป Technology Evolution

5.1 Hosting Platform Migration Considerations

Current: AWS CloudFront + S3 (Multi-region, cross-region replication)
Future Options:

PlatformProsConsTimelineRecommendation
AWS CloudFront + S399.9% SLA, DDoS protection, multi-regionCost, complexityCurrentโœ… Stay (already implemented)
GitHub PagesFree, integrated, simpleLimited customization, single providerCurrent (DR)โœ… Keep as DR
AWS WAFAdvanced protection, rate limiting, geo-blockingAdditional cost2027 Q2๐ŸŸก High priority
Multi-CDN StrategyResilience, performance optimizationComplexity, cost2028 Q4๐ŸŸข Consider for scale

Decision Criteria:

  • Cost-effectiveness for static content
  • Security feature set (WAF, DDoS, monitoring)
  • ISMS compliance capabilities
  • Migration effort vs. benefit

Recommended Path:

  • 2026-2027: Stay on AWS CloudFront + S3, maximize security features
  • 2027 Q2: AWS WAF integration for advanced application-layer protection
  • 2028 Q1: Enhanced monitoring and observability (APM, SIEM)
  • 2028 Q4: Evaluate multi-CDN strategy if traffic scales significantly

5.2 Content Delivery Network (CDN) Evolution

graph LR
    Current[AWS CloudFront + S3<br/>Multi-region deployment] --> Enhanced[AWS WAF Integration<br/>Advanced application protection]
    Enhanced --> Premium[Multi-CDN Strategy<br/>Resilience & performance]
    
    style Current fill:#4caf50,color:#000000
    style Enhanced fill:#ff9800,color:#000000
    style Premium fill:#4caf50,color:#000000

Enhancements:

AWS WAF Integration (2027 Q2)

  • Advanced Web Application Firewall (WAF) with CloudFront
  • Bot protection and rate limiting
  • Geo-blocking capabilities
  • Custom rule sets for dashboard protection
  • XSS and SQL injection prevention (defense-in-depth)

Multi-CDN Strategy (2028 Q4)

  • Primary: AWS CloudFront
  • Failover: Cloudflare or Fastly
  • Automatic failover detection via Route 53
  • Load balancing across CDNs for optimal performance

5.3 Security Tooling Roadmap

Tool CategoryCurrent (2026)Future (2027-2028)Purpose
SASTCodeQL+ Semgrep, SonarCloudEnhanced code scanning
SCADependabot, dependency-review+ npm audit, Snyk, FOSSABetter dependency insights
DASTNoneOWASP ZAP, Burp SuiteDynamic scanning of dashboards
Secret ScanningGitHub+ GitGuardianAdvanced secret detection
SBOMManualCycloneDX, SPDXAutomated generation (Chart.js, D3.js)
Container ScanningN/AN/ANot applicable (static hosting)
FuzzingNoneOSS-FuzzInput validation for CIA data
Client-Side SecurityNoneJSXray, Retire.jsJavaScript vulnerability detection

6. ๐Ÿ“‹ Compliance Evolution

6.1 Framework Maturity Progression

graph TB
    subgraph "2026: Foundation"
        C1[ISO 27001: 7 controls]
        C2[NIST CSF: 6 functions]
        C3[CIS Controls: 6 controls]
    end
    
    subgraph "2027-2028: Expansion"
        C4[ISO 27001: 15 controls]
        C5[NIST CSF 2.0: Full framework]
        C6[CIS Controls: 18 controls IG2]
        C7[SOC 2 Type II readiness]
    end
    
    subgraph "2029-2030: Maturity"
        C8[ISO 27001: Certification]
        C9[ISO 27701: Privacy extension]
        C10[CIS Controls: IG3 compliance]
        C11[SOC 2 Type II audit]
    end
    
    C1 --> C4
    C2 --> C5
    C3 --> C6
    C4 --> C8
    C5 --> C9
    C6 --> C10
    C7 --> C11
    
    style C1 fill:#90caf9,color:#000000
    style C4 fill:#ff9800,color:#000000
    style C8 fill:#4caf50,color:#000000

6.2 New Compliance Requirements

NIS2 Directive (2027 Q4)

  • Incident reporting within 24 hours
  • Supply chain security requirements
  • Board-level security responsibility
  • Regular penetration testing

EU Cyber Resilience Act (2028 Q2)

  • Software Bill of Materials (SBOM)
  • Vulnerability disclosure program
  • Security updates for product lifetime
  • CE marking for digital products

AI Act (2028-2030)

  • AI system risk categorization
  • Documentation requirements for high-risk AI
  • Human oversight mechanisms
  • Transparency obligations

6.3 Per-Control Maturity Progression

ControlFrameworkCurrent Level2027 Target2030 TargetTimelineMilestone
Cryptographic ControlsISO 27001 A.10.1Level 2 (Classical TLS)Level 3 (Hybrid PQC)Level 4 (Full PQC)2027 Q2 โ€“ 2028 Q1PQC migration complete
Access ControlISO 27001 A.9.1Level 2 (MFA, SSH)Level 3 (Zero-Trust)Level 4 (JIT, ABAC)2027 Q2 โ€“ 2028 Q4Zero-trust contributor model
Network SecurityISO 27001 A.13.1Level 2 (TLS/CDN)Level 3 (WAF added)Level 4 (Full ZTA)2027 Q2 โ€“ 2028 Q4AWS WAF + CSP nonces
Logging & MonitoringISO 27001 A.12.4Level 1 (GitHub Actions)Level 3 (APM+SIEM)Level 4 (AI-SIEM)2027 Q1 โ€“ 2028 Q1Full SIEM integration
Vulnerability ManagementISO 27001 A.12.6Level 2 (Dependabot)Level 3 (DAST added)Level 4 (Predictive)2026 Q4 โ€“ 2027 Q3DAST integration
Incident ManagementISO 27001 A.16.1Level 2 (Documented)Level 3 (Automated)Level 4 (AI-assisted)2027 Q1 โ€“ 2028 Q1Automated playbooks
Supply Chain SecurityISO 27001 A.15.2Level 2 (SBOM+SRI)Level 3 (SLSA L3)Level 4 (Full provenance)2027 Q3 โ€“ 2028 Q1SLSA Level 3
Identity ManagementISO 27001 A.9.4Level 2 (MFA+SSH)Level 3 (Zero-Trust)Level 4 (ABAC+JIT)2027 Q2 โ€“ 2028 Q4Just-in-time access
Network MonitoringNIST DE.CM-1Level 1 (None)Level 2 (CloudFront logs)Level 3 (Behavioral AI)2026 Q4 โ€“ 2027 Q3Behavioral analysis
Threat IntelligenceNIST ID.RA-2Level 1 (Dependabot)Level 2 (MISP/OTX feeds)Level 3 (Predictive)2027 Q1 โ€“ 2027 Q3Threat feed integration
Secure Dev LifecycleCIS 16Level 2 (CodeQL+Dependabot)Level 3 (+DAST+Fuzz)Level 4 (Full SDL)2026 Q4 โ€“ 2027 Q4Full SSDLC implemented
Data ProtectionCIS 3Level 2 (SRI+CSP)Level 3 (nonce-based)Level 4 (Full isolation)2027 Q1 โ€“ 2028 Q1CSP nonces for Chart.js

6.4 CIS Controls v8.1 Implementation Roadmap

CIS ControlDescriptionCurrent (IG1)2027 (IG2)2030 (IG3)
CIS 1Inventory & Control of Enterprise Assets๐ŸŸข Complete๐ŸŸข Full๐ŸŸข Full
CIS 2Inventory & Control of Software Assets๐ŸŸก Partial (SBOM)๐ŸŸข Full๐ŸŸข Full
CIS 3Data Protection๐ŸŸก Partial (SRI, CSP)๐ŸŸข Full (nonces)๐ŸŸข Full
CIS 4Secure Config of Enterprise Assets๐ŸŸข Complete (GitHub/AWS)๐ŸŸข Full๐ŸŸข Full
CIS 6Access Control Management๐ŸŸก Partial (MFA, SSH)๐ŸŸข Full (Zero-Trust)๐ŸŸข Full
CIS 7Continuous Vulnerability Management๐ŸŸก Partial (Dependabot)๐ŸŸข Full (+DAST)๐ŸŸข Full
CIS 8Audit Log Management๐Ÿ”ด Minimal๐ŸŸก Partial (APM)๐ŸŸข Full (SIEM)
CIS 12Network Infrastructure Management๐ŸŸก Partial (CDN)๐ŸŸข Full (WAF)๐ŸŸข Full
CIS 13Network Monitoring & Defense๐Ÿ”ด Minimal๐ŸŸก Partial๐ŸŸข Full (AI)
CIS 16Application Software Security๐ŸŸก Partial (SAST)๐ŸŸข Full (+DAST)๐ŸŸข Full
CIS 17Incident Response Management๐ŸŸก Documented๐ŸŸข Automated๐ŸŸข AI-assisted
CIS 18Penetration Testing๐Ÿ”ด None๐ŸŸก Annual๐ŸŸข Continuous

7. โš ๏ธ Risk Management

7.1 Future Risk Register

Risk IDFuture ThreatLikelihood (2030)ImpactMitigationTimeline
FR-01Quantum decryption of TLSHIGHCRITICALPQC migration2027-2028
FR-02AI-powered supply chain attack (Chart.js/D3.js)MEDIUMHIGHโœ… SLSA Level 2+ (2026), SBOM, SRI2027 Q4 (Level 3)
FR-03AWS infrastructure compromiseLOWHIGHMulti-CDN strategy, AWS security best practices2028
FR-04DNS hijacking via Route 53MEDIUMMEDIUMDNSSEC, DoH, IAM least privilege2027
FR-05Deepfake social engineeringMEDIUMMEDIUMMFA, training2026
FR-06IoT botnet DDoSMEDIUMLOWAWS WAF, rate limiting, AWS Shield2027
FR-07Zero-day in GitHub ActionsLOWMEDIUMSHA-pinning, attestationsOngoing
FR-08Regulatory non-complianceMEDIUMHIGHISMS evolutionOngoing
FR-09XSS in Chart.js/D3.js dashboardsMEDIUMMEDIUMCSP nonces, SRI, regular updates2027
FR-10Client-side data exfiltrationLOWMEDIUMCSP, browser security, monitoring2027

7.2 Residual Risk Evolution

graph LR
    Current[2026: 7.21/10.0<br/>LOW Risk] --> Enhanced[2027: 4.5/10.0<br/>VERY LOW Risk]
    Enhanced --> Optimized[2030: 2.0/10.0<br/>MINIMAL Risk]
    
    style Current fill:#4caf50,color:#000000
    style Enhanced fill:#4caf50,color:#000000
    style Optimized fill:#4caf50,color:#000000

Target Risk Reduction:

  • Current: 99.5% risk reduction (web platform with dashboards)
  • 2027: 99.75% risk reduction (PQC + AI security + nonce-based CSP)
  • 2030: 99.9% risk reduction (Full zero-trust + AWS WAF)

8. ๐Ÿ“Š Success Metrics

8.1 Key Performance Indicators (KPIs)

MetricCurrent (2026)Target (2027)Target (2030)
Residual Risk Score7.21/10.04.5/10.02.0/10.0
MTTR (Incidents)<17 min<10 min<5 min
Vulnerability Window<7 days<24 hours<4 hours
Compliance Score85%95%99%
Security Automation60%80%95%
Threat Detection RateN/A95%99%
False Positive RateN/A<5%<2%
Dashboard XSS ProtectionBasic (CSP)Enhanced (nonce-based)Advanced (isolation)

8.2 Maturity Assessment

Current State: Maturity Level 2 (Managed)

  • Documented processes
  • Basic automation
  • Reactive security posture

Target 2027: Maturity Level 3 (Defined)

  • Organization-wide standards
  • Advanced automation
  • Proactive threat hunting

Target 2030: Maturity Level 4 (Quantitatively Managed)

  • Data-driven decisions
  • Predictive security
  • Continuous optimization

9. ๐Ÿ’ฐ Security Investment & Budget Planning

Per-Phase Investment Estimates

PhasePeriodEstimated InvestmentKey InvestmentsPriority
Foundation2026 Q3-Q4โ‚ฌ5,000 โ€“ โ‚ฌ10,000Lighthouse CI, GitHub Advanced Security, SIEM baseline๐Ÿ”ด High
Early Adoption2027 Q1-Q2โ‚ฌ15,000 โ€“ โ‚ฌ25,000AWS WAF, PQC assessment, AI anomaly detection, SIEM๐Ÿ”ด High
Expansion2027 Q3-Q4โ‚ฌ20,000 โ€“ โ‚ฌ35,000Full AI security stack, behavioral analysis, SIEM integration๐ŸŸก Medium
Maturity2028 Q1-Q2โ‚ฌ25,000 โ€“ โ‚ฌ40,000Full PQC migration, AWS WAF, distributed tracing๐ŸŸก Medium
Optimization2028 Q3-Q4โ‚ฌ10,000 โ€“ โ‚ฌ20,000Audits, compliance validation, ISO 27001 certification๐ŸŸข Low
Continuous2029-2030โ‚ฌ10,000 โ€“ โ‚ฌ15,000/yrMaintenance, audits, ISMS updates, training๐ŸŸข Low

Total Estimated Investment (2026-2030): โ‚ฌ85,000 โ€“ โ‚ฌ145,000

Resource Requirements

ResourceCurrent202720282030
Security Architect (FTE equivalent)0.20.40.60.5
DevSecOps Engineer (FTE equivalent)0.10.30.40.3
External Security AuditorAnnualAnnualISO 27001 pre-auditCertification
PQC Specialist (Contractor)โ€”Q1 2027Q1 2028โ€”
SIEM Administratorโ€”Q3 2027FullFull

Return on Investment (ROI)

InvestmentCostRisk Reduction ValueROI Estimate
AWS WAF + Rate Limiting~โ‚ฌ5,000/yrPrevents DDoS, reduces XSS exposure10x โ€“ 20x
AI Anomaly Detection~โ‚ฌ8,000/yrEarly threat detection, reduces MTTR by 70%5x โ€“ 15x
PQC Migration~โ‚ฌ20,000 one-timeFuture-proofs encryption against quantum threatsLong-term strategic
SIEM Integration~โ‚ฌ12,000/yrCompliance automation, faster incident response3x โ€“ 8x
ISO 27001 Certification~โ‚ฌ15,000Customer trust, regulatory compliance, contracts5x โ€“ 10x
GitHub Advanced Security~โ‚ฌ3,000/yrAutomated vulnerability detection in CI/CD8x โ€“ 15x

Cost Optimization Strategies

  • โœ… Open-Source First: Prefer OSS tools (ELK, Semgrep) over commercial solutions
  • โœ… GitHub-Native: Leverage GitHub Advanced Security features (included in GitHub Enterprise)
  • โœ… AWS Reserved Instances: Reserved capacity for CloudFront/WAF for cost predictability
  • โœ… Automation: Reduce manual security effort through GitHub Actions automation
  • โœ… Phased Investment: Align spending with roadmap milestones to manage cash flow

10. ๐Ÿค Conclusion

This Future Security Architecture demonstrates Hack23 AB's commitment to proactive security evolution rather than reactive patching. By implementing post-quantum cryptography before it's necessary, AI-augmented security before attacks become fully autonomous, and zero-trust principles before breaches occur, Riksdagsmonitor will maintain its security leadership while delivering interactive Chart.js/D3.js dashboards.

Key Takeaways:

  • ๐Ÿ” Post-Quantum Ready by 2028 - Ahead of predicted quantum threat timeline
  • ๐Ÿค– AI-Augmented Security by 2027 - Machine learning for threat detection
  • ๐Ÿ›ก๏ธ Zero-Trust Architecture by 2028 - Comprehensive trust verification
  • ๐Ÿ“Š 99.9% Risk Reduction by 2030 - Industry-leading security posture
  • ๐Ÿ† ISO 27001 Certification Track - Formal compliance validation
  • ๐ŸŽจ Nonce-Based CSP by 2027 - Eliminate 'unsafe-inline' for Chart.js/D3.js
  • โ˜๏ธ AWS WAF Integration by 2027 - Advanced application-layer protection

Alignment with Business Goals:

  • ๐Ÿ’ผ Competitive advantage through security leadership
  • ๐Ÿค Customer trust through transparency
  • ๐Ÿ’ฐ Cost efficiency through automation
  • ๐Ÿš€ Innovation enablement through secure foundation
  • ๐Ÿ“‹ Compliance posture supporting expansion

๐Ÿค– AI/LLM Security Evolution (2026-2037)

AI Model Security Trajectory

Current State (2026): Anthropic Claude Opus 4.8 via Amazon Bedrock with safe-outputs validation

Security Implications of AI Evolution:

PeriodAI Model LevelSecurity ChallengesMitigations
2026-2027Opus 4.8-5.x (minor updates ~2.3mo)Prompt injection, model hallucination, biasSafe-outputs validation, human review, bias testing
2028-2029Opus 6.x-7.x (annual major upgrades)Autonomous agent risks, multi-modal attack vectorsAgent sandboxing, output filtering, behavioral monitoring
2030-2032Opus 8.x-10.x / Pre-AGIAI-powered adversarial attacks, deepfake political contentAI-augmented SIEM, deepfake detection, content provenance
2033-2035Near-AGI systemsAutonomous threat actors, AI arms raceZero-trust AI, formal verification, cryptographic AI attestation
2036-2037AGI / Post-AGI eraSuperhuman threat actors, unknown attack vectorsQuantum-resistant crypto, AI alignment verification, democratic safeguards

AI Security Controls Roadmap

Phase 1 (2026-2027): Foundation

  • โœ… Amazon Bedrock guardrails and content filtering
  • โœ… Safe-outputs validation for all agent actions
  • โœ… Model output auditing and logging
  • ๐Ÿ”„ Prompt injection detection and prevention
  • ๐Ÿ”„ AI model version pinning with rollback capability

Phase 2 (2028-2030): Advanced Protection

  • ๐Ÿ”ด AI-powered threat detection (behavioral analytics)
  • ๐Ÿ”ด Multi-modal content provenance (C2PA standard)
  • ๐Ÿ”ด Autonomous agent containment and monitoring
  • ๐Ÿ”ด AI model supply chain security (model signing, attestation)

Phase 3 (2031-2033): Pre-AGI Security

  • ๐Ÿ”ด Formal verification of AI agent behavior
  • ๐Ÿ”ด Cryptographic attestation of AI-generated content
  • ๐Ÿ”ด AI alignment monitoring and enforcement
  • ๐Ÿ”ด Decentralized AI security governance

Phase 4 (2034-2037): AGI-Era Security

  • ๐Ÿ”ด Post-quantum cryptography fully deployed
  • ๐Ÿ”ด AI-to-AI security protocols
  • ๐Ÿ”ด Democratic oversight mechanisms for AGI systems
  • ๐Ÿ”ด Global threat intelligence federation
  • ๐Ÿ”ด Autonomous security response with human override

LLM Competitor Security Considerations

Multi-Model Security Strategy:

  • Evaluate security posture of each model provider (Anthropic, OpenAI, Google, Meta) at every major release
  • Maintain model-agnostic security controls that work across all providers via Amazon Bedrock
  • Monitor for model-specific vulnerabilities disclosed by security researchers
  • Continuous benchmarking of AI safety features every ~2.3 months aligned with minor model updates
  • Prepare for potential paradigm shifts (quantum AI, neuromorphic computing) requiring new security frameworks

๐Ÿ“– References

ISMS Documentation

External Standards

Riksdagsmonitor Architecture Portfolio

DocumentFocus
๐Ÿ›๏ธ ArchitectureC4 models
๐Ÿ“Š Data ModelData entities
๐Ÿ”„ FlowchartProcess flows
๐Ÿ“ˆ State DiagramState transitions
๐Ÿง  MindmapConceptual relationships
๐Ÿ’ผ SWOTStrategic analysis
๐Ÿ›ก๏ธ Security ArchitectureCurrent security controls
๐ŸŽฏ Threat ModelSTRIDE/MITRE ATT&CK
๐Ÿ”ฎ Future Threat ModelFuture threat analysis
๐Ÿ”ฎ Future Security ArchitecturePlanned security (this document)

Document Control
Repository: https://github.com/Hack23/riksdagsmonitor
Path: /FUTURE_SECURITY_ARCHITECTURE.md | Classification: Public | Next Review: 2026-08-31
Change Management: Requires Security Architect approval for major revisions

ISO 27001 NIST CSF 2.0 CIS Controls v8.1 NIS2 GDPR


๐ŸŒ Evolving the Current IMF Security Boundary toward the Future Zero-Trust State

Baseline: the already-implemented IMF trust boundary, egress allow-list, and STRIDE coverage are documented in SECURITY_ARCHITECTURE.md ยงIMF and THREAT_MODEL.md ยงIMF. The diagram below shows how those existing controls evolve when the runtime moves to AWS Lambda + Aurora.

Authoritative hub: analysis/imf/README.md ยท analysis/imf/agentic-integration.md ยท analysis/imf/indicators-inventory.json ยท analysis/imf/data-dictionary.md ยท .github/aw/ECONOMIC_DATA_CONTRACT.md

Trust boundary (target zero-trust state)

flowchart LR
    subgraph Trusted["Trust Boundary โ€” Riksdagsmonitor (AWS GovCloud-like posture)"]
        Lambda[Lambda Workers ยท IMF context]
        Cache[(Aurora ยท imf_cache ยท SHA-256 + vintage pin)]
        Audit[CloudTrail + GuardDuty]
    end
    subgraph Public["Public-Internet ยท IMF Open APIs (Datamapper unauth ยท SDMX subscription-key)"]
        Datamapper[www.imf.org/external/datamapper/api/v1]
        SDMX[api.imf.org]
    end
    Lambda -- HTTPS ยท TLS 1.3 ยท pinned SHA-256 --> Datamapper
    Lambda -- HTTPS ยท TLS 1.3 ยท pinned SHA-256 --> SDMX
    Datamapper -. JSON payload .-> Lambda
    SDMX -. SDMX-JSON payload .-> Lambda
    Lambda --> Cache
    Lambda --> Audit

IMF-specific controls (mapped to target frameworks)

ControlImplementationISO 27001NIST CSF 2.0CIS v8.1
Egress allow-listSquid + iptables limit egress to www.imf.org, api.imf.org onlyA.13.1PR.AC-513.4
Payload integritySHA-256 pin per (dataflow, indicator, country, vintage); supersedes-chainA.8.2PR.DS-63.11
Vintage disciplineReject payload >6 mo old without staleness annotationA.8.10PR.DS-13.5
Rate-limit guardโ‰ค30 req/min self-imposed; exponential back-off; emits metricA.13.1PR.AC-44.7
Provenance auditEvery article-claim row in article_economic_provenanceA.5.28DE.AE-38.2
No auth, no PIIIMF data is anonymous public macro statistics; GDPR DPIA short-circuitA.5.34GV.OV14.2

Future BIA addition

AssetConfidentialityIntegrityAvailabilityRTORPO
IMF cache (Aurora)PUBLICHIGHSTANDARD24hN/A
IMF API egress pathPUBLICHIGHSTANDARD24h (fallback to last cached vintage)N/A

Egress hosts (allow-list): www.imf.org (Datamapper REST ยท WEO/FM, unauthenticated), api.imf.org (SDMX 3.0 REST ยท IFS/BOP/DOTS/GFS/PCPS/ER/MFS_IR/MFS_PR, subscription-key authenticated via the Azure APIM Ocp-Apim-Subscription-Key header / IMF_SDMX_SUBSCRIPTION_KEY secret). Both HTTPS-only; payloads are public macro statistics with no PII.

Canonical rule. Every economic claim in a Riksdagsmonitor article cites an IMF dataflow first; World Bank citations are reserved for governance, environment and social residue (the classes IMF does not publish). SCB is the Swedish-specific ground truth layer. See ECONOMIC_DATA_CONTRACT.md v2.1 for the banned-phrase list and vintage discipline (>6 mo โ†’ annotation).


๐Ÿ”— Hack23 Ecosystem

๐ŸŒ Platforms ๐Ÿ“ฆ Open-Source Projects ๐Ÿ›ก๏ธ Governance & Standards
๐Ÿ—ณ๏ธ Riksdagsmonitor โ€” Swedish Parliament intelligence
๐Ÿ‡ช๐Ÿ‡บ EU Parliament Monitor โ€” European coverage
๐Ÿ•ต๏ธ Citizen Intelligence Agency โ€” political-data engine
๐ŸŒ Hack23 AB โ€” corporate site
๐Ÿ“ฐ Hack23 Blog โ€” engineering & policy
๐Ÿ’ผ Hack23 on LinkedIn
๐Ÿ—ณ๏ธ Hack23/riksdagsmonitor
๐Ÿ•ต๏ธ Hack23/cia
๐Ÿ‡ช๐Ÿ‡บ Hack23/euparliamentmonitor
๐Ÿ”Œ Hack23/european-parliament-mcp
โœ… Hack23/cia-compliance-manager
๐Ÿฅ‹ Hack23/black-trigram
๐Ÿ  Hack23/homepage
๐Ÿ›ก๏ธ Hack23 ISMS-PUBLIC โ€” public ISMS
๐Ÿ”’ Information Security Policy
๐Ÿค– AI Policy
๐Ÿงช Secure Development Policy
๐ŸŽฏ Threat Modeling Policy
โš ๏ธ Vulnerability Management
๐Ÿท๏ธ Classification Framework

OpenSSF Best Practices OpenSSF Scorecard ISO 27001:2022 NIST CSF 2.0 CIS Controls v8.1 Apache 2.0

๐Ÿ—ณ๏ธ Empower citizens ยท ๐Ÿ” Strengthen democratic accountability ยท ๐Ÿ•ต๏ธ Illuminate the political process

ยฉ 2008โ€“2026 Hack23 AB (Org.nr 559534-7807) ยท Maintainer: James Pether Sรถrling, CISSP CISM