New warning over tech suppliers in thrall to hostile governments

Europe’s inability to turn fundamental technical research into thriving businesses leaves it prey to Chinese and Russian suppliers under the thumb of their intelligence services and a more benign but still self-interested US, Nokia’s former chairman has warned.

Risto Siilasmaa, chairman of Nokia from May 2012 to 2020, and co-founder of Finnish cyber security firm F-Secure (now WithSecure), told The Sphere 2022 conference in Helsinki that there was no shortage of tech expertise in Europe – including in cyber.

“Our challenge is that the European innovations, the smart founders, engineers, companies, tend to be acquired,” he said. “And they become mostly American companies.”

The result, said Siilasmaa, was that “we have become quite dependent on imported cyber security technologies without fully realising what the consequences will be in the long term.”

Most of the technology in question comes from the US, he said. “But a surprisingly large part comes from China, not necessarily primarily cyber security technology, but communication technology. And a portion of it comes from Russia.

“So, let’s think about this for a moment. When we rely on Chinese or Russian technology in areas that are relevant to cyber security, we should not be thinking about how reliable the vendor is. That is completely irrelevant.”

Rather, said Siilasmaa, “we should be looking at what is the national legislation in the country of origin for that vendor, and we should be looking at what is the behaviour of the security agencies and intelligence agencies in that country”.

Turning to China, he said, legislation is highly favourable towards the local security agencies. “It makes it mandatory for any Chinese company to support those intelligence and security agencies. It even protects any Chinese citizen from the repercussions of assisting these authorities, maybe getting fired. They get financial support from the government, if that happens.”

Regarding Russia, he said: “Let’s think about the behaviour of these agencies, regardless of the legislation. So we can think about Litvinenko and polonium. We can think about Navalny and Novichok. We can think about Crimea... And we can think about the DNC email server, and Donald Trump.”

Siilasmaa said it was hard to imagine that “these people” would not lean on local tech providers if they wanted something. “And this is how we need to think about the vendors, and not actually the vendors, but the nations they come from. What is the legislation? And what is the behaviour?”

The natural alternative was the US, he said. “After all, it ends up controlling most EU cyber security tech one way or another anyway. But while the US is our friend and ally, we all know that they are constantly running cyber operations on our soil. How do we know that? Because they have been caught red-handed a number of times.”

Also, the US has explicitly targeted data controlled by cloud providers, initially on US soil, and now, through the Cloud Act, in US providers’ datacentres outside the US, said Siilasmaa. “It’s very challenging to judge what kind of risk, if any, this is because the US is our friend and ally. But we need to think about it, because these are data points. These are facts.”

He said Finns “are widely known to be so unimaginative that we couldn’t even think about misusing our access to data”, while the Finnish government had no ambitions to be a superpower – and Siilasmaa should know, given that he is chairman of the Finnish government’s Technology Advisory Board.

“So I have always felt that it is an advantage to be European, and to be a Finnish company,” he said. “And that is how I personally want to keep things because I think it’s good for the company. It’s good for our shareholders. It’s good for our customers. It’s good for our country, and region, and the world.”

Siilasmaa’s comments were echoed by other speakers at the conference. WithSecure CEO Juhani Hintikka warned that following Russia’s invasion of Ukraine, and Finland and Sweden’s consequent application to join Nato, the two countries were likely to become higher-profile targets for “hacking groups with Russian ties” and as well as full-blooded cyber espionage attacks. He said the EU needed to take a stronger stance on cyber security, adding: “Geopolitically speaking, technology is not neutral. Europe must stand its ground.”

But another speaker at the conference, former senior British intelligence officer Philip Ingram, told Computer Weekly that the commercial power of the US and its cyber security industry would always give it an advantage over the more fragmented EU.

“The US companies will always win out in that environment because the US works as a collective,” he said. “That has an impact on how the EU can progress from a security perspective.

“However, I don’t think that overall affects wider European security, because that is provided by Nato, and of course, the US is part of Nato.”

Ingram said the Trump era “highlighted the fact that the US can become very isolationist very quickly – and therefore you cannot rely on permissions to use US technologies”.

The issue of permissions and exports of dual-use technology had been highlighted by the response to Russia’s invasion of Ukraine, he said. Some EU countries that wanted to supply weapons systems or technology to Ukraine were hamstrung when fellow EU states that had contributed to those systems were unwilling to give permission for technology transfers.

The result could be that those countries with the ability to develop and build military and security technology entirely within their borders will become more isolationist, said Ingram, “because they have to”.

At the same time, he predicted, there could be a shakeup to international agreements to make it easier for countries to supply partners – such as Ukraine – over the objections of other countries that might have contributed components of those systems.

“I think Trump scared us from a US perspective,” he said. “But actually, there are more European countries that are scaring the EU, and I think potentially providing fracture points in the EU, for example Germany and Hungary.”

The UK was in a “favourable position”, Ingram added, still being closely linked to the EU, as well as Nato, and with the wider Five Eyes community with the US, Canada, Australia and New Zealand.