Olivier Le Moal - stock.adobe.co
In an attempt to counter ever-increasing threats, such as DDoS attacks, Finland’s government has increased funding for the Finnish Armed Forces (FAF) and Suojelupoliisi (Supo), the country’s security intelligence service.
These two organisations guard Finland’s frontline in the battle against attacks from cyber space.
The regular flow of national security updates between Supo and the government have served to reinforce the message that more must be invested in Finland’s competence in security IT.
Moreover, future capital investments are required to enable state security agencies to run cyber warfare-style offensive operations, domestic and cross-border, against hostile actors in the cyber domain.
“Cyber crime, and especially, espionage poses a serious threat to Finnish information capital. If product development data is stolen to another country, it is possible that the company loses its whole future,” said Antti Pelttari, director general at Supo.
The full scope of the technical and practical challenges facing Finland outlined in a government commissioned national cyber security report produced by the country’s leading cyber security experts.
Delivered to the Prime Minister’s Office (PMO), the Cyber Security Management In Finland (CSMIF) report will be used to inform the next stage of the government’s National Cyber Security Strategy (NCSS). The first stage of the NCSS was adopted and launched in 2013.
The Finnish government’s next-stage NCSS will seek to address one of the more visible shortcomings uncovered in the report, the lack of a centralised Finnish cyber defence command organisation.
The existing national security strategy provides no clear strategic direction in respect of which agency is responsible to coordinate and lead a defensive response in the wake of a significant cyber attack.
This defect in the NCSS is routinely identified by Supo as a major potential weakness in defending the country against malicious cyber attacks targeting critical infrastructure.
Of real concern to Supo and Finland’s national security community, are coordinated attacks from cyber space that have the explicit purpose of crippling Finnish IT-systems controlling key infrastructure, including power grids, banks, hospitals, government departments, police and the military.
“If Finland was struck by a serious cyber attack today, then responsibility would probably fall to the authority or ministry whose accountability is closest. Unfortunately, unpleasant situations may arise where there is no certainty as regards who is responsible, or who has the authority and how the process should go forward.
“The issue of delegation and responsibility is important, especially if there are serious disruptions and exceptional circumstances,” said Jarno Limnéll, a professor of cyber security at the Helsinki-based Aalto University, and one of the senior authors of the CSMIF report.
Centralised command organisation
The new report supports the creation of a centralised command organisation with direct oversight and overall decision-making responsibility to manage cyber domain threats.
Such an organisation, consolidated from existing military and civilian agencies, would be empowered with the strategic responsibility to coordinate Finland’s national security defences against both minor threats and large-scale cyber attacks targeting critical infrastructure and vulnerable digital-based operating systems.
To enhance protection, the Finnish government has already expressed a willingness to designate strategic responsibility for cyber defence threats in the same way as conventional threats requiring a rapid response from the country’s Air, Naval and Land forces. All conventional threats are managed at a centralised command level.
The national cyber-defence centralisation strategy advanced in the CSMIF would require an unprecedented level of collaboration between Finland’s state and private sector cyber-security experts and communities. Finland’s cyber-security sector is one of the fastest growing specialised segments within the country’s ICT-industry.
The future re-shaping of Finland’s National Defence Strategy and the NCSS will likely lead to the establishment of a centralised cyber-defence organisation solution that both comprises a command leadership structure and incorporates close collaboration with the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE).
The Hybrid CoE opened a unit in Helsinki in October 2017. It is anticipated that a future centralised organisation would also liaise with the Hybrid Threat Ambassador’s Office (HTAO), which was established in April.
Countering cyber threats
Operating under the Ministry of Foreign Affairs (MFA), the HTAO’s mission covers the development of cyber-threat-countering strategies to protect IT-networks. The HTAO is also tasked with advising the MFA and the Finnish government on policies relating to hybrid threats.
“The Ambassador will strengthen the foreign ministry’s role in the area of hybrid threats. It is also intended to raise Finland’s profile in this area at an international level. In this regard, we will also cooperate closely with agencies and officials working within the cyber security field in Finland,” said Mikko Kinnunen, Finland’s new Hybrid Threat Ambassador.
A stronger private sector role will be pivotal in the development of a future centralised cyber-security organisation. This is becoming more apparent as state-run cyber agencies lose more of their specialist personnel to private companies offering the kind of salary and employment terms that neither the FAF nor Supo can match.
Defence and security organisations are experiencing similar problems retaining their ICT-staff, who are also being lured by higher salaries and improved promotion prospects on offer from private ICT firms.
“The situation is not critical, but we may see a shortage of key personnel at a level that could directly affect defence operations and significantly impact national security,” said Mikko Heiskanen, the director of the FAF’s C5 Agency. With around 400 staff, the unit is tasked with delivering CIS, specialised IT and data network protection cyber technology services to the whole of the FAF organisation.
The C5 unit will need to recruit an additional 200 full-time cyber-security specialists by 2024. Under Finnish law, such sensitive positions can only be offered to Finnish nationals. The C5 will, based on current budgeting restraints, continue to struggle to compete with the private sector to lure the country’s top cyber-security professionals, said Heiskanen.
“Within the parameters of our existing budget, there is no real way we can match the salary demands of the best cyber experts in Finland. They are looking to earn multiples of what our resources allow. This means that we may not necessarily attract the expertise that we would like to attract, and we may have to be satisfied with the people we do get,” said Heiskanen.
Read more about cyber security in Finland
- Finnish research and development, as well as critical infrastructure, are being targeted by state-backed cyber espionage attacks, says report.
- Security concerns have re-emerged to further frustrate the Finnish government’s plans to launch a national e-voting system.
- The volume of cyber attacks last year has increased boardroom focus on security in the Nordic region.
The government could employ a deeper framework of collaboration between the state and private sector in the national cyber-security domain to help alleviate, or completely resolve, issues relating to the recruitment of specialists. Such an initiative could run parallel to continuing capability-building within the FAF’s and Supo’s cyber units.
The FAF has recently shown a willingness to develop innovative relationships with the private sector in niche areas. In April, the FAF’s Logistics Command contracted IT company Digia Finland to provide system life cycle services.
The agreement covers maintenance services for the FAF’s command and control systems, training systems and information security systems, including solutions and services for communications encryption.