Cyberwatch Finland magazine 4/2021


Special media of strategic cyber security

#STRATEGY22 – SECURE DIGITAL DATA, SECURE BUSINESS

NEW SKILLS AND LEARNING IN THE DIGITAL AGE

FLOWS, DATA – AND LEGOS

A Forecast Of The Cyber World

MAGAZINE 2021/4


CONTENT 2021/4

A Forecast Of The Cyber World

Pandemic era trends in energy sector cyber attacks

Amazon AWS as the platform of Suomi.fi web service reflects the role of tech giants

Bioindustry is faced with increasingly complex cyber attacks

Strategic situation

Ransomware attacks mirror the cybercrime ecosystem’s development

The European Union’s data economy is expected to create powerful change in the market

Flows, data – and Legos

New skills and learning in the digital age

#STRATEGY22 – Secure digital data, secure business

An insider risk may be even greater than an outside threat in information operations

Overview of the Russian navy and air force's electronic warfare units and their main equipment

Strategic cyber security year 2021 in Finland

The “cyber ambassador” would build a whole new secure internet

Quarterly review

Cyberwatch Magazine: Special media of strategic cyber security

PUBLISHER: Cyberwatch Finland, Meritullinkatu 33, 00170 HELSINKI, Finland, www.cyberwatchfinland.fi

PRODUCER AND COMMERCIAL COOPERATION: Executive Producer Kirsi Toppari, kirsi@cyberwatchfinland.fi

LAYOUT: Atte Kalke, Vitale, atte@vitale.fi

ILLUSTRATIONS: Shutterstock

ISSN 2490-0753 (print), ISSN 2490-0761 (web)

PRINT HOUSE: Scanseri, Finland


WHAT CAN “THEY” FIND OUT ABOUT YOUR BUSINESS THAT YOU DON’T EVEN KNOW?

DARKSOC as a Service

DARKSOC service creates strategic intelligence for your cyber security ecosystem.

DARKSOC www.cyberwatchfinland.fi

aapo@cyberwatchfinland.fi

pertti@cyberwatchfinland.fi

CYBERWATCH FINLAND


Editorial

A FORECAST OF THE CYBER WORLD // Aapo Cederberg

CHANGES IN THE CYBER WORLD are quick and unpredictable. We must be sufficiently prepared for future threats and challenges. Even though we feel comfortable with our situational awareness and think our understanding of the threats lurking within cyber world phenomena is sufficient, we can never be sure that we are fully safe. Daily news bulletins highlight increasingly severe issues. Threats of conventional war are discussed in Europe and elsewhere, and military force can also be used to create new contradictions and problems. Currently the main concern of our everyday life is learning to live with the Covid virus. However, the outlook for the future is unclear and not very stable. Digital and cyber security capacity requires long-term planning and development measures. A critical key to success is for the cyber security industry to stay a step ahead of the threats. Anticipating future developments and trying to predict the so-called black swan events that may occur are vital tasks. The future of the cyber world is of course hard to predict, but not impossible. Digitization and futures research methods can be combined to create the necessary visions and scenarios of the future. While the digital world brings us new challenges, it also provides new and more efficient responses. Cyber security's many successes mean we have great opportunities to combat the real and growing cyber security threat. With competency and sufficient forward planning, the cyber security industry will be at the forefront of the battle against incoming threats, and it is already playing a decisive and winning role. In addition, drawing up future road maps and paths to success is key for the industry to stay ahead. Whoever has access to the best data, the best storage for that data and the best analysis tools will find the correct information and development methods to achieve early warning and identify undiscovered threats.

We have a great opportunity and many success factors on our hands.



Cyberwatch Finland has taken on this challenge and, in cooperation with Futures Platform, has described the 20 most critical strategic cyber phenomena. The aim is to combine Cyberwatch’s expertise and Futures Platform's talent to create excellent possibilities for all organizations and businesses. This will allow a future vision of the digital and cyber world to be integrated into their ongoing strategy. We have also joined forces with Cyber Intelligence House in developing a cyber intelligence capability. The deep web provides insight into cyber crime and cyber world developments. Cyber Intelligence House has one of the world's best deep networking schemes, developed from various extraction systems. We at Cyberwatch have brought our strategic analysis tools, expertise and research capability and combined them with those of our trusted partners. Even after a short trial period, we have noticed that these methods have produced significant early warning signs of threats. This in turn has allowed us to develop various cyber security solutions and prevent many cyber-attacks. Encouraged by our success, we aim to develop a D & D-SOC service, which will be on the market at the beginning of 2022. Excellent innovations and development work will be the game changer for this industry. Digital and cyber security is being turned into a great opportunity for creating new business and improving our competitiveness.

We wish all of our valuable customers and industry partners Season's Greetings and Happiness for the New Year! May 2022 Be An Extraordinary One.

AAPO CEDERBERG Managing Director and Founder of Cyberwatch Finland



The race of quantum computers forces digital security to adapt // Cyberwatch Finland

Finland’s first functioning five-qubit quantum computer was built in Otaniemi, Espoo. The computer was built by VTT together with the quantum startup company IQM. The project has been granted additional funding of 20.7 million euros. The funding is to be used to build a 50-qubit quantum computer by the year 2024. Currently, the largest quantum computer developers are the United States and China, but many other nations are building their own quantum computers as well. At the moment, the largest known unit is IBM’s 127-qubit quantum computer. The potential of quantum computing is huge, but it also creates new threats, such as the breaking of current encryption algorithms. In short, a powerful quantum computer can destroy the public key infrastructure and create a need to renew the whole cyber security ecosystem. There is an ongoing battle for control of the digital space, at least on an imaginary level. Utilising quantum computers on a practical level, for example for breaking encryption algorithms, is not yet very realistic. However, the motivation of superpowers to break military and government encryption is a significant push for development. When realised, it creates a substantive global threat. New quantum-proof encryption algorithms already exist and more are being developed, but the real challenge is updating the security of the whole digital ecosystem. In practice, this means that in the future a significant proportion of the digital ecosystem, such as the services and devices used by citizens, will be vulnerable to government-level quantum hacking. This creates new developmental directions for the digital world that are difficult to predict.

The race of quantum computers forces digital security to change // Cyberwatch Finland

Finland's first working five-qubit quantum computer was completed in Otaniemi, Espoo. VTT built the computer together with the quantum startup IQM. The project has been granted additional funding of 20.7 million euros, with which a 50-qubit quantum computer is to be built by 2024. The world's largest developers of quantum computers are currently the United States and China, but many other states are also racing to develop their own quantum computers. At the moment, the largest unit is reportedly IBM's 127-qubit quantum computer. The potential for utilising quantum computing is enormous, but it also poses threats, such as the breaking of present-day encryption algorithms. In short, a sufficiently powerful quantum computer can bring down the public key infrastructure and create a need to renew the entire cyber security ecosystem. A battle for dominance of the digital space is therefore under way, at least at the level of perceptions. Utilising quantum computers at a practical level, for example for breaking encryption algorithms, will probably still take time, but the motivation of the great powers to break military technology and government encryption is a significant driver of development and, if realised, poses a real global threat. New encryption algorithms that withstand quantum computing already exist and more are being developed, but the challenge is updating the entire digital ecosystem to be secure. In practice, this probably means that in the future a significant part of the digital ecosystem, such as the devices and services used by citizens, will be vulnerable to state-level quantum hacking. This in turn creates new kinds of hard-to-predict directions for the development of the digital world.

https://www.is.fi/digitoday/art-2000008445161.html
https://www.vttresearch.com/fi/uutiset-ja-tarinat/suomen-ensimmainen-kvanttitietokone-valmis-kayttoon
https://www.theguardian.com/technology/2021/nov/21/next-giant-leap-boris-johnson-go-big-on-quantum-computing
https://www.ssl.com/fi/blogs/quantum-computing-and-cryptography/



FLOWS, DATA – AND LEGOS // Valtteri Vuorisalo



Our societies are built on the foundation of transactions, on various interactions and exchanges between people. As the number and intensity of transactions increase, they form flows of people, goods, energy, and even pandemics. These flows are facilitated by various functional nodes of air, maritime, and rail routes, for example. In addition to these age-old functions, data and information nodes and flows are increasing in importance for our way of life.

As we begin to view the world through this ‘lens of flows’, we are, in fact, evolving our geopolitical thinking from map- or topography-based analysis to increasingly focusing on the way in which our societies’ critical, constituent enablers are interrelated and arranged. This type of analysis is topology-based (in contrast to topography), where the capabilities of functional nodes and the connectors which link them form the focus of analysis. It follows that when analyzing the security capability of a state, it makes more sense to examine the number, shape, and form of its functional nodes and their connectors rather than its map-based geographies. This is not to say that geographies are not important. Rather, the point is that it is not sufficient to look only at geography when evaluating what impacts our way of life.

These nodes have their own logics and attributes which can be used to analyze the impact of a given flow on a state, and the types of dependencies that are constituted. Mika Aaltola (2019) has exhaustively examined the various characteristics of flows, which include, for example, the symmetry, intensity, trustworthiness, and loyalty-requisites of flows. It should be noted that as we increasingly use and depend on data and information flows to develop our way of life, these same flows introduce new types of complexity, irregularity, and disruption into our system as well. While the ‘new normal’ of our security architecture is host to multiple disturbances in maritime, air, and energy flows, for example, data and information flows constantly create new means of power projection for various actors, including the state.


Somewhat worryingly, from a small-state perspective, the solutions and standards with which these flows are enabled, governed, and further developed are not in the hands of small states. Decisions about the technological solutions and mechanisms which enable data hubs and connecting flows are made elsewhere. Increasingly, the decision-makers are US- and Chinese-based organizations. From a relative power positioning perspective, the EU should take note of this development.

While the structure of this topological reality contains new kinds of direct and nuanced power struggles, the characteristics of the contents of the flow itself deserve closer analysis from researchers and practitioners. The ingredient of these flows is data, which is traditionally presented as the building block for information, knowledge, and wisdom. Yet, despite its importance, we often make the mistake of assuming that the data flow is as robust, as standardized, as governed and regulated, and as established a practice as the other flows (for example maritime commerce).

From a ‘building-block’ perspective, we can entertain the analogy that data is much like Legos: data is a building block for information which encapsulates infinite designs of the imagination. Similarly, a piece of Lego is a building block for the imagination, an embodiment of its design. If we pursue this analogy further, we can identify how our understanding of the characteristics of data, the key enabler of our way of life, is nowhere near as mature as it is with Legos. Legos are wonderful for this author since they can be used in so many ways: one can follow designs that come with a specific product, or one can ‘freestyle’ with a heap of Legos and follow the guidance of one’s own imagination. However, this is only possible because Lego blocks are uniform and standardized: all Lego blocks fit together.

Data, much less the information it forms, is not standardized. Not all data are potential building blocks for the fulfillment of a vision. Some ‘data-blocks’ simply do not fit together. Even if we constantly have more data, more than we can comprehend, we can still be in a situation where we simply do not have the building blocks we need. At times, rather worryingly, we are not aware that two types of data, for example, do not ‘fit’ together and are not mutually constitutive. Moreover, the utilization of Legos is intuitive: everyone can figure out how Legos work without training. The idea is so simple and powerful that even small children can understand it. Can we honestly say we understand the form and function of data in a similar way?

Finally, we should recall that the popularity and utility of Legos was established when the design and manufacturing was done and owned by one single authority, the Lego company. So far, this is not the case for data. Yet, is this the fate of data as well? We already witness how global data is increasingly rotating to US and Chinese hubs of data, putting these superpowers in a league of their own when it comes to establishing the rules and realities of the topological flow-structure, and the ability to control the essence of the flow: data. It might be frightening and provocative, but we should ponder whether we are on a path leading to the emergence of a single authority for data. If we are, what are the trade-offs in a scenario like this? One thing is certain: data continues to impact our way of life and societal transactions in ways which have no precedent in human history. It is prudent to develop credible means with which we can understand and navigate these new complex realities.

DR VALTTERI VUORISALO
Professor of Practice, Faculty of Management and Business, Tampere University. Valtteri is also a visiting Senior Research Fellow in the Department of War Studies at King's College London.

About me: The international security environment is changing rapidly due to intensifying geopolitical power struggles and constantly accelerating technological change. My research interest is to examine how new technologies enable new strategic possibilities, dependencies and vulnerabilities.

Fields of expertise: The dynamics of the changing international security architecture and its impacts on national contexts, especially from a technology perspective. Valtteri also has more than 20 years of experience in security issues in both the private and public sectors.

FURTHER READING
• Aaltola, Mika. Poutasään jälkeen. Jyväskylä: Docendo, 2019. Print.
• Valtteri Vuorisalo, Mika Aaltola. Towards a data-centric great game: new challenges for small states in contemporary power politics. Helsinki: Finnish Institute of International Affairs Briefing Paper, November 2021. [https://www.fiia.fi/en/publication/towards-a-data-centric-great-game]
• Department of Defense, ‘DoD Data Strategy’, 2020, https://media.defense.gov/2020/Oct/08/2002514180/-1/-1/0/DOD-DATA-STRATEGY.PDF.
• Valtteri Vuorisalo, ‘Algorithmic Life & Power Flows in the Digital World’, in M. Lehto, P. Neittaanmaki (eds.), Cyber Security: Cyber power and technology (Berlin: Springer, 2018).
• Wikipedia. DIKW pyramid. [https://en.wikipedia.org/wiki/DIKW_pyramid]


BIOINDUSTRY IS FACED WITH INCREASINGLY COMPLEX CYBER ATTACKS // Cyberwatch Finland



Bio and pharmaceutical industry operators are the most popular targets of cyber criminals and government agents because the information is valuable to multiple different operators for many years to come. The latest cyber attacks have utilised shape-shifting Tardigrade malware, which appears to be built with the bioindustry in mind. The malware is difficult to detect and even more difficult to get rid of. Researchers have not officially connected the attacks to any specific party, but the traces point to Russian operators. Medical and health care organisations have been the targets of multiple cyber attacks during the pandemic. The attacks have targeted the World Health Organization, the European Medicines Agency and numerous hospital systems and companies related to coronavirus vaccinations.

DNA Diagnostics Center (DDC), a DNA testing company in Ohio, recently became the victim of a data breach, which led to the information of 2.1 million users ending up in the attackers’ hands. DNA information was not exposed in the leak. Instead, the leaked information involved older backups from 2004-2012. It is worth questioning why old databases were stored in an environment that is vulnerable to security breaches. If older information was stored carelessly, has something else also been left unnoticed or unreported for fear of a negative reputation? Many expectations and much unredeemed potential are linked to DNA testing. Genetics research is constantly developing, but the associated cyber risks are potentially left unnoticed. Therefore, it is safe to assume that attacks on DNA testing companies and genome databases will increase in the near future.

Bioindustry is faced with increasingly complex cyber attacks

Operators in the bio and pharmaceutical industry are favourite targets of cyber criminals and state actors, because the information has value to many different parties even years later. The shape-shifting Tardigrade malware used in the latest cyber attacks appears to have been built for the bioindustry. The malware is difficult to detect and very hard to get rid of. Researchers have not officially attributed the attacks to any party, but the traces point to Russian actors. Medical and health care organisations have been targeted by cyber attacks many times during the pandemic. Attacks have been carried out against, among others, the World Health Organization, the European Medicines Agency and numerous hospital systems and companies related to coronavirus vaccines. DNA Diagnostics Center (DDC), a DNA testing company operating in Ohio, recently suffered a data breach, as a result of which the data of 2.1 million users ended up in the attackers' hands. Reportedly no DNA data was exposed in the leak; the data is said to have come mainly from older backups from 2004–2012. The question does arise why old databases are kept in an environment exposed to data breaches. If old data has been stored carelessly, has something else essential also been overlooked or left unreported for fear of reputational risk? DNA testing carries many expectations and much unredeemed potential. Genetic research is developing constantly, but the cyber risks associated with it are not necessarily taken into account. It can therefore be assumed that attacks on DNA testing companies and genome databases will increase in the coming years.

https://www.tivi.fi/uutiset/bioteollisuus-ennennakemattomien-iskujen-kohteena-hakkerien-jaljet-johtavat-venajalle/76966fca-6cd2-430f-8862-7c60b8b20bb9
https://threatpost.com/shape-shifting-tardigrade-malware-hits-vaccine-makers/176601/
https://www.bleepingcomputer.com/news/security/dna-testing-firm-discloses-data-breach-affecting-21-million-people/



NEW SKILLS AND LEARNING IN THE DIGITAL AGE // Leena Nyman, Mikko Vieltojärvi

The Confederation of Finnish Industries EK set up a Covid Digital Game Changers Task Force working group in late spring 2020. The aim was to bring together globally operating Finnish digitalisation pioneers to reflect on how the Covid pandemic is changing business, ways of working and customer expectations. It was clear from the start that the upheaval is also an opportunity to support and renew the skills and competitiveness of Finnish business. As the work progressed, it became apparent that the need for change was also focused on skills and new ways of learning. Changing ways of working and multi-locationality, the move towards a carbon-neutral industry and society, and digital leaps require companies to innovate and evolve.


Digitalisation is both creating a whole new set of skills needs and reinforcing existing ones even more. One example of a skill need that is becoming increasingly critical is cybersecurity skills and their management. Cybersecurity must be regularly on the management agenda, and it is important to strengthen the cybersecurity skills of all staff. There was a clear need to describe the skills needs of enterprises and the evolution of skills and competences development in today’s working life. That is why EK made a publication in which eight different business examples illustrate how to manage competence, how to develop the skills of staff and managers in different sectors through e-learning and digital platforms, and how what is involved in learning new skills and competences is changing. It is also worth considering cybersecurity and information security in a new way, as part of normal business and a guarantee of business continuity.

Data security ensures business continuity. It is a question of quality, not only of threats and minimising the possibility of cyber-attacks. Business continuity is the ability of a company to keep its commitments to the customer as agreed and within the agreed timeframe. Security expertise and a security-conscious approach contribute to this. Information security should be seen as a quality question. Information security opens up possibilities and should be considered in both small- and large-scale projects. The most cost-effective way of increasing information security is to educate people about it.

In many cases the biggest security threat is the actions of one individual. And in order to change the actions and behaviour of individuals, we need training. Big companies in many cases have the resources to employ information security professionals, but with SMEs the case might be different. SMEs might face information security challenges because they do not have resources as extensive as those of bigger companies. Luckily, there are services that can be bought to make it easier to cover information security. Also, customers are starting to have demands concerning information security. Therefore, companies should also see information security as an enabler and a competitive edge.



Digitalisation offers great opportunities for business, but only hand in hand with cybersecurity. Therefore, cybersecurity management must be part of normal business operations. You need to identify the risks and know how cybersecurity can improve your own competitiveness. Situational awareness is the key to managing cybersecurity. Management needs to know what is going on in order to react in time to emerging issues. Situational awareness also helps to identify risks. Risk assessment is a great tool for companies to learn where to make improvements and which threats need the focus. Focusing on cybersecurity should be seen as improving the company's competitiveness. If a company does not think about cybersecurity, the risks can be enormous: in the worst case it might cause the company to go bankrupt.

Outsourcing know-how is one way to gain skilled staff for the company, and it smooths out the need for staff caused by labour market fluctuations. It requires thorough analysis and discussion, and often the outsourcing strategy proceeds in a phased approach. Outsourcing is also a great tool for getting cybersecurity know-how into a company that lacks these skills on its own.

LEENA NYMAN, ADVISER, DIGITALIZATION, CONFEDERATION OF FINNISH INDUSTRIES EK
Leena Nyman works with promoting digitalization at the Confederation of Finnish Industries EK. She is also the product owner of Covid Digital Game Changers Task Force that was founded for forerunners to find new solutions on how to tackle challenges caused by the Covid pandemic and the fast digitalization. Leena is currently a Board member of the Foundation for Aalto University Science and Technology. She has previously also worked at the Economic Policy department at EK as an Adviser. Before her EK career Leena worked with Customer Insight at Kärkimedia and Yle.

MIKKO VIELTOJÄRVI, ADVISER, EDUCATION POLICY, CONFEDERATION OF FINNISH INDUSTRIES EK
Mikko Vieltojärvi works with everything related to skills, competencies, and education at the Confederation of Finnish Industries EK. He was the editor of the publication New skills and competencies for digital age, made with Digital Game Changers companies. Mikko is a member of various working groups set up by the Ministry of Education to develop Finnish education. Mikko has worked with education policy for more than ten years in different positions.


For more information on developing new skills and learning in the digital age, see EK’s publication


#STRATEGY22 – SECURE DIGITAL DATA, SECURE BUSINESS

The project is halfway through – progress report of obtained results // Digipool: Antti Nyqvist, Pertti Immonen and Tero Oittinen; Cyberwatch Finland: Aapo Cederberg, Pertti Kuokkanen, Kirsi Toppari and Jukka Viitasaari



Companies without some kind of strategy are rare. Companies that operate without any digital tools, outside the internet or without technical interface are also rare. Many company strategies take digitalisation into account, but only a few acknowledge the flip side of the coin: digital security.

This progress report is based on the project’s background research, an online survey, interviews and the results of the first organised company event, which was held on October 27, 2021. This report describes the present situation of companies and development targets that arise from the situation.

The Strategy22 project has received significant visibility: the project’s current video communication has reached over 1500 viewers and over 11 500 downloads on LinkedIn and Twitter. The next company event will be organised on January 11, 2022. The theme is “Managing a company with a digitally secure strategy.” The report’s italicised sections are excerpts from a story to lead the project along.

DIGITALISED BUSINESS OPERATION BINDS COMPANIES TOGETHER

Digitalisation has made companies and organisations increasingly reliant on each other. Operating a business in a network society requires strong trust, as protecting business secrets and personal information is crucial. The challenge concerns all businesses regardless of their size or field. The rate of change of the digital world is so fast that societal regulations can hardly keep up.

The global price tag for cybercrime continues to grow fast. Paradoxically, the costs of cyber attacks are decreasing, but the costs of defence measures against attacks are increasing. This applies to both the public sector and the private sector. The pandemic’s effects on working methods have increased the number of digital appliances and their use in society, which has grown the potential surface of cyber attacks. The realisation of cyber risks may threaten the existence of companies and the safety of people (e.g., attacks targeting infrastructure and health care). All operations are more digital and complex than before, which is why they are more often exposed to cyber attacks. (1)

The aim of the Strategy22 project is to produce practical development and improvement suggestions to support company managers and management groups in leading cyber security. The strategic management of cyber security can be defined as recognising and setting aims derived from securing a digital operational environment, reconciliation of actions and precautions as well as managing large-scale disturbances (2).

The importance of the private sector and its challenges must be seen as a part of cyber security and its national strategic management. Specific attention must be paid to the risks of subcontracting chains. A central challenge is to convince companies that information and cyber security are a real competitive factor in a digital world and that the availability of secure products and services must be promoted globally. The involvement of companies must be improved to increase the security of products and services for the end user. (3)

Because the strategic level specifically interests company owners and the stock market, cyber security must also be considered on this level. Ensuring and maintaining cyber security is a continuous process, which adjusts to match the needs of each individual company through development work and practice. A company should continuously develop its cyber security strategy as well as related operations and technology (4). Due to modern service chains, an attack on one cell of the network or one industry sector could cause repeating problems in the whole network or in other industry sectors.


A SMART COMPANY EXCEEDS MINIMUM OPERATION REQUIREMENTS

Strategic work turns a threat into a possibility. That is why smart companies, and especially their decision-makers, are always one step ahead. The safety of digitalisation is included in business strategy, not only as a safety net, but as an enabler of business growth. An aware business manager and a committee expert see it as a competitive advantage, which allows the company to set itself apart from others by minimising disturbances and securing safety. Digital security is a part of a company’s responsibility, and consumers and employees are aware of this fact.

Cyber security should be the top priority of senior management because in the end, senior management is responsible for everything that happens in the company. Cyber security should also be managed in a centralised and consistent manner in all sectors of the organisation. Cyber security challenges faced by companies are typically related to the theft of trade secrets and information assets through cyber attacks. That is why applying cyber security governance to prevent cyber attacks is necessary. Cyber security has become a necessary requirement in business operation. To create a truly effective cyber security strategy, cyber threats must be acknowledged in all operation processes and companies must specify their strategic goals. Recognising the cyber security needs and performance indicators of an organisation is the prerequisite for an effective cyber security strategy (5). They also enable appropriate reporting to management.

STRATEGIC GOALS IN A COMPANY

Based on reports conducted as part of the project, efficiency goals have often been set for company production and service activities. Digital security goals have also often been set for products and services. A company’s strategy (or an equivalent less formal plan) sets central goals for safety components, but similar goals for cyber security are often lacking. Despite this, more attention should be paid to developing the following aspects:
• Possibilities and success factors of company digitalisation
• Financial goals set for digital security and
• Efficiency requirements for cyber security (expense - efficiency).

Typically, a company writes down its strategic goals in its business strategy or cyber strategy roughly like this: “Production reliability is developed utilising a cyber secure method” or “A safe service experience is guaranteed”. Another way to write down goals is to include them in a continuity management plan. Company committees often have shortcomings in their cyber security. This is also affected by the field’s regulation, in which case the skill requirements are regulated in the field’s set of rules. At the start of operation, company responsibilities are often vague. However, knowledge of and interest in cyber security have clearly grown. Progressive companies already have a chief digital officer in their committee to bring valuable skills to management.

Most companies use a risk-based operation model, which ensures that management’s decision making is based on overall risk evaluation. Decisions are made in accordance with business operations, and they focus on critical factors. The effectiveness of safety measures is ensured with operative training if needed. Future development areas are drawn up based on the results of internal and external auditing. Cyber threats are monitored using multiple channels. Some companies may have threat intelligence as part of their organisation. Field-specific cooperation, networking and cooperation with the National Cyber Security Centre commonly produce most of the information and the situation picture. Reporting to management often occurs on a weekly or monthly basis depending on the situation, but once a month is most common.

Cyber security is already a competitive advantage. Its significance as an advantage has been demonstrated in competitive conditions when a certificate is required for a quote or other operation description. If products are monopoly products, cyber security is required for delivery reliability and corporate social responsibility. A positive customer experience is also a part of this advantage. It can be stated that cyber security is the change in the scheme of things in a company’s operation (not just technology), and cyber threats must be treated as a business risk. Cyber security is also a management method. Implementing strategic goals is seen as an important value. Digital and cyber security is difficult to realise, and purchasing expertise is expensive, but many companies buy such services regardless. Different partnership programmes are seen as an important part of a company’s operation, especially if they are organised by authorities (credibility).

SECURING COMPANY STRATEGY REALISATION

Most companies have a regular and functioning strategy process or an operation model for drawing up company strategy (or equivalent guidance). Companies have management-approved risk management policies, responsibilities and processes. Drawing up a company’s strategy (or similar) is usually the responsibility of a chief executive officer or managing committee. The tasks and responsibilities of companies are also clearly defined in exceptional situations and emergencies. Companies have a viable contingency and continuity management plan as well as a related disturbance and crisis communication plan. Company management is committed to developing digital security. The implementation utilises a management-approved information security policy or an equivalent information security implementation document. Companies also have access control policies and a process for managing access. Strategic work has defined communication policies and transparency principles in case of crisis. Companies communicate about digital security risk situations and other new risks effectively.

Despite the existence of a good basis for digital and cyber security, the areas of further development include the following:
• a standardised method should be used in strategic planning
• a single company does not have the ability to estimate adequate resources and budget for digital and cyber security
• audits regarding information security and information systems are not conducted regularly

Companies utilise risk management methods in their operation. These methods estimate the risk, its effect in euros and its effect on operation. Cyber security must also be incorporated in the method to evaluate business risks. The results must be reported at least once a month. The most important goals of a company are often communicated by higher management, but the process should still be developed further. Things get done in communication and mundane operations and repeating them is seen as important. Safety culture is seen as a positive thing in most companies. In certain companies, traditions are far-reaching, and the danger level of work is high, which has led to the topic of safety being present daily. Based on multiple answers, cyber and information security should also be included in occupational safety. To limit risks, companies utilise information security procedures and internal inspections derived from them. Service management and contract management are significant factors in digitalisation and supplier selection. Nowadays, operation relies heavily on contract management, trust management and discussion. Regular external auditing is a significant factor for those companies that use a standard. Cyber security must be considered in operation processes. The owner of a company is in a key position as cyber security is still seen as an auxiliary activity. Based on the information received, it can be concluded that companies value mutual and authority cooperation, open source threat modelling as well as a common threat situational picture.
Continuity planning, a recovery plan and training are central elements in cyber security strategy implementation.



DIGITAL SECURITY TO BECOME A COMPANY SUCCESS FACTOR

The Strategy22 project determined what kind of strategic work starting points companies have, how strategies are formed and what kind of cyber security operations the strategy creates in companies. The project offers companies the possibility to turn digital security into a strategic advantage instead of a vulnerability. When companies operate as a unified front, the future of digitalisation will become a competitive advantage for Finland.

STRATEGIC WORK STARTING POINTS IN COMPANIES

Based on the answers, company values often include digital security. Despite this, small and medium-sized companies in particular have room for improvement. Efficiency requirements are often set for production and service operations, but their digital security goals require further development. Digitalisation possibilities of small companies should be improved in general. Companies of all sizes should develop financial digital security goals. Risk management, by contrast, receives especially good attention. More attention should be paid to standardising strategic work in companies of all sizes. Standards and similar procedures in particular are clearly unfamiliar. By contrast, the evaluation of required resources for digital and cyber security is effective: resources and the skills of employees are seen as adequate in general. The critical factors of business operations have mainly been identified.

STRATEGIC WORK IN A COMPANY

Based on the companies’ answers, every company currently has a strategy-based operation model. Planning the strategy is typically the chief executive officer’s responsibility, but consolidated corporations are an exception to this rule as the strategy may be planned by a strategy manager. In smaller companies, the chairperson of the board can also have a role in strategy work. In general, company managers are seen as committed to developing digital security. Digitalisation is connected to all business operations. Strategic work sets goals for operation, but significant shortcomings were identified in digitalisation level and continuity requirements as digital success factors are only partly defined in companies.

IMPLEMENTING COMPANY STRATEGY AND MEASURING RESULTS

Companies tend to utilise a management model for developing digital security. However, there are a few companies of all sizes whose situation is not as good. Information security and access control policies (operation models) are only documents that guide implementation in most companies. When it comes to monitoring the operational environment, small and medium-sized companies have the most to improve, including digital security in supply chains. More attention should be paid to details in company management reporting and risk communication. Auditing in small and medium-sized companies has much to improve. Guidelines regarding operation continuity, recovery and communication are mainly in order, but regular training is rare or non-existent.



THE PROJECT’S NEXT STEPS

The Strategy22 project continues to develop and plan operation recommendations especially regarding the following themes:

1. Digital and cyber security goals and success factors to be implemented into products and services.
2. Financial and efficiency goals and requirements of digital security.
3. Standardising strategic work from large companies to smaller ones, as well as using standards or similar definitions.
4. Monitoring operational environment: the contents and quality of the cyber situation picture in small and medium-sized companies.
5. Risk management and continuity development, increasing resilience, digital security indicators.
6. Developing digital future cooperation in service chains.
7. Developing communications and training in emergencies.

The project’s results as well as practical development and implementation suggestions regarding cyber security management in companies will be published in the beginning of March (March 9, 2022) as part of the fourth organised Cyber Security Nordic 2022 (CSN2022) event.

*The project and all related materials are produced in Finnish

SOURCES:
(1) The CEO’s Guide to Cybersecurity, September 2021. https://media-publications.bcg.com/BCG-Executive-Perspectives-CEO-Guide-to-Cybersecurity.pdf
(2) (3) Martti Lehto, Jarno Limnéll, Tuomas Kokkomäki, Jouni Pöyhönen, Mirva Salminen, Kyberturvallisuuden strateginen johtaminen Suomessa, Maaliskuu 2018, Valtioneuvoston selvitys ja tutkimustoiminnan julkaisusarja 28/2018.
(4) Kim, J. (2017). Cyber-security in government: reducing the risk. Computer Fraud & Security, 2017(7), 8–11.
(5) Alashi S. A., Badi D. H. (2020) The Role of Governance in Achieving Sustainable Cybersecurity for Business Corporations, Department of Information Science, King Abdulaziz University, Jeddah, Saudi Arabia.



PANDEMIC ERA TRENDS IN ENERGY SECTOR CYBER ATTACKS // Julia Vainio

A global pandemic has kept security staff busy on all fronts the past few years. This has included the energy sector and its information security personnel, as COVID-19 has brought a big spike in cyber attacks worldwide. Some of the reasons behind the recent growth in attacks have included criminals deploying new services in their portfolio – Ransomware as a Service is considered a lucrative business model in 2021, and the more critical the targets, the bigger the possibilities there are for profit, as industrial control systems (ICS), or hospitals, are unable to withstand long delays in their day-to-day operations.

Another trend in the cyber world seems to be the emergence of safe harbours for criminals. In a global network, the location of the offender is irrelevant. Countries that have a lax stance against cyber criminal activity, or insufficient democratic institutions to combat such activity, are favoured by various criminal groups, like DarkSide, Lazarus Group, or Hafnium. The US and its Western allies have explicitly named countries such as Russia, North Korea and China as hiding and enabling cyber criminal activity over the years (1). When identifying the recent trends in cyber attacks, it is vital to remember that most breaches go unreported. According to an executive assistant director at the US Cybersecurity and Infrastructure Security Agency (CISA), only around a quarter of ransomware intrusions are reported (2). Having insufficient visibility on the threat landscape, CISA as well as its global and domestic partners have difficulty in measuring and mitigating not only ransomware threats, but other types of malicious activity in the information security space. It is estimated that the US has the most instances of ransomware affecting industrial control systems (ICS) in the world, followed by India, Taiwan and Spain (3). Even with inadequate data, there is a clear trend of increased attacks against the energy sector in the past two years of the pandemic, as well as a few identifiable trends emerging within. Energy sector companies do not operate in a vacuum from other organisations, and thus large, cross-organisational, and global attacks influence the energy sector operators.

“STREAMLINE EVERYTHING AT THE LEAST TOTAL COST” – SUPPLY CHAIN VULNERABILITIES

With global attacks such as Pulse Secure VPN or SolarWinds, the limelight has shifted towards supply chain vulnerabilities. In the SolarWinds case, the attackers compromised a piece of software used by more than 18 000 of the world’s largest infrastructure sites (for a more detailed look at SolarWinds, see Cyberwatch Finland’s bulletin brief “Bad News Concerning SolarWinds Supply Chain Attack Will Continue to Unfold for Quite Some Time More” 12/20 (4)). According to the CEO of Dragos, Robert Lee, these types of supply chain attacks are just the beginning. In a briefing Lee gave to the US Department of Energy (DOE) in early 2021, he noted how converging and homogenous infrastructure as well as open standards and frameworks all enable criminals to start scaling up their criminal activity (5). As with most ICS operators, companies in the energy sector are heavily dependent on original equipment manufacturers (OEM) that bundle different OEM parts, such as processors or software, into solutions they sell. By compromising OEMs, hackers were in some cases able to conduct “second stage” attacks where they were able to have direct access to energy sector software, such as turbine controls (6).

Different attack trends overlap in many ways. Saudi Aramco, for example, was subject to a 50-million-dollar ransom in cryptocurrency Monero in the summer of 2021, when an unknown criminal claimed to have stolen 1 terabyte of the company’s data, including information on the location of oil refineries, payroll files and confidential client and employee data. According to Saudi Aramco, the data had leaked from one of its contractors (7). The overlap between a supply chain vulnerability from a trusted and vetted partner, and financial opportunism in the form of ransomware, showcases the different types of risks at play.

“A DIGITAL PANDEMIC” - FINANCIAL OPPORTUNISM (RANSOMWARE AND CRYPTOMINING)

Perhaps one of the most headline-grabbing incidents in the pandemic era regarding energy sector ICS and ransomware was the Colonial Pipeline attack in May 2021. The privately held liquid petroleum fuel pipeline operator was forced to close its operations and freeze its IT systems, which it said it had done proactively in order to contain the threat (8). The company ended up paying the criminals’ requested 5-million-dollar equivalent in bitcoins. However, the Department of Justice managed to recover 64 of the paid 75 bitcoins (9). The attack was attributed to DarkSide group, a rather new Eastern European criminal gang quickly gaining reputation. DarkSide is known to adhere to double-extortion campaigns, where they first lock the victim companies out of their systems, and then steal the information for blackmailing later. However, they have tried to brand themselves as a ransomware-as-a-service group with an apparent moral consciousness of targeting “only big companies and [who] forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.” (10)

Big Game Hunting and the ransomware-as-a-service model have seen a rising trend during the pandemic time, with other attacks such as a breach in a Brazilian electrical company Light S.A. by Sodinokibi (also known as REvil) operators reported in July 2020. The criminal group demanded a 14-million-dollar ransom be paid in Monero cryptocurrency (11). According to a Trend Micro report, Sodinokibi, Ryuk, Nefilim, and LockBit accounted for over half of the attacks against ICS. Ryuk ransomware alone accounted for one in five ransomware attacks against ICS in 2020 (12).

Even when remote network attacks are becoming more prominent, a report released by Honeywell in 2020 noted that USB-borne malware continues to be a major risk for industrial operators and specifically for operational technology (OT) systems. The report shows that 1 in 5 of all threats was designed specifically to leverage USB removable media as an attack vector. Of these, more than half the threats were designed to open backdoors, establish persistent remote access or download additional malicious payloads. These findings are indicative of more coordinated attacks, likely attempting to target air-gapped systems used in most industrial control environments and critical infrastructure (13).

“I SPY WITH MY LITTLE EYE...” SPYING AND STRATEGIC INFLUENCING

As with most of the trends observed during the pandemic era, spying is probably the oldest method in the books. With its more hybrid means of execution in today’s international playing field, ICS and specifically critical energy systems continue to be subjected to high foreign state interest. With what Matt Devost called the “strategic penetration for future exploitation” back in his 2012 article “State sponsored cyber threats – the long view”, he referred to an attack strategy that “hedges long-term bets on two potential future worldviews, namely prosperity and conflict that allows for the pursuit of prosperity while seeking out strategic advantage in the event of conflict”. Instead of short-term gains such as intellectual property theft or disruption, this type of strategic approach on critical infrastructure would offer generational and fixated long-term opportunities (14). This is a very useful strategy when involved in an unexpected border battle, where a country such as China might wish to deter the opposing nation from further escalation. This is somewhat what was suggested to have happened in Mumbai in October 2020, when an electricity outage caused by a coordinated targeting of Indian load dispatch centres shut off power to the city of 20 million people (15). China’s cyber focus seems to have started to shift from the short-term information theft attacks towards the “strategic penetration for future exploitation” - using malware placed in systems as a deterrent from further aspirations from the adversary’s side. It is a tactic used both by Russia on Ukraine in 2015 and by the US on Russia in 2019 (16).

India has also been in the middle of another recent state-led cyber attack on energy infrastructure, when in July 2021 its power sector was targeted by a Pakistani-based hacker group. In another fragmented international relations conundrum, the supposed criminals installed a Remote Access Trojan in critical infrastructure that enabled covert surveillance and unauthorised access to victims’ computers (17).

“CALL OUT” - HOW NON-ATTRIBUTABLE LOST ITS NEGATION

An interesting diplomatic shift that has coincided with the pandemic era and its increased amount of cyber attacks has been an apparent increase in political will to publicly attribute cyber attacks. Researchers Florian Egloff and Max Smeets identify a few reasons behind the increased trend of calling both state actors as well as criminal gangs out. First, states simply seem to have become better at attributing cyber operations. Even if there is a degree of copycats and intentional masquerading as someone else, victim states and private sector operators have become better at recognizing attacker profiles and styles. Second, by applying attribution, Egloff and Smeets believe governments fulfil their political goals of shaping the political and normative environment of cyber operations towards a more stable cyber space (18). However, the researchers note how decision-makers need to carefully balance any intelligence gains or losses following a public disclosure of malicious cyber activity. Relevant things to consider are if public attribution reveals too much of one’s sources and methods, or if it might hinder other allied agencies’ information collection efforts (19).



In July 2021, the Biden administration ruffled its feathers as the President stated the country was willing to escalate a major cyber attack on its soil into a “real shooting war” if necessary. The statement was specifically targeted towards Russia and China, whom the US sees as increased threats in the cyber sphere (20). This type of public condemnation and a threat of a counterattack could be interpreted as a deterrence factor for any malicious actor – “try again, and we’ll shoot”. Public attribution could thus reveal to the international audience what a government finds strategically important – like critical energy supply chains – and create a focal point for malicious activity (21). President Biden’s speech could also be understood as a community building measure among the allied network. Sharing sensitive information with other states and then acting together publicly is a political signal of shared threat perception, as Egloff and Smeets note (22). The narrative of “a real shooting war” could also be Biden’s way of enhancing the US’ domestic and/or international credibility (23). After the former incumbent’s apparent mistrust in the country’s intelligence services, coming out strong against foreign attackers can shed a positive light on the role of intelligence and security organizations and their knowledge gathering capabilities.

OLD MITIGATION MEASURES FOR THE NEW NORMAL

For the short-term view, there seems to be no stopping the cyber sphere criminals from their activity. International safe harbours, evolvement of cyber crimes into a service sector with packaged products and unified leagues, and the low-attribution nature of attacks will continue to attract both low-level perpetrators as well as nation-state actors. In order to mitigate cyber attacks and as part of a larger shift in the market economy, there seems to be a push for acceptance of more regulation on critical sectors such as energy. Especially in the US, a history of industry opposition towards regulation from the government has lent itself to the cyber sphere as well. During the Obama administration, efforts towards setting standards for security in critical industries did not pass due to heavy lobbying from trade groups and the U.S. Chamber of Commerce (24). The Trump administration began a slow turning of tides, when in May 2020 President Trump signed an Executive Order on “Securing the United States Bulk-Power System”. The Executive Order’s motive was clear: instead of relying on the lowest-cost bids from suspect foreign countries, the bulk-power system, which all other modern-day functions are dependent on, should establish a pre-qualified vendor list for procurements. The sector should identify, monitor and replace any now-prohibited equipment already in use; and develop energy infrastructure procurement policies with clear integration of national security considerations as well as government energy security and cyber security policymaking. In essence, less global streamlining for the least total cost and fewer probing eyes to go with it (25).

The Biden administration has continued the same path and is preparing to both assist ICS industries such as electric network operators with financial incentives as well as impose new regulation mandating said companies to disclose and receive help from CISA and other relevant organisations if they find themselves under attack. One concrete example of this is the administration’s 100-day plan to address cyber security risks to the US electric system. Together with the DOE, CISA, and the electricity industry, the initiative aims at modernizing electric utilities’ cyber security defences and, inter alia, encouraging the enhancement of detection, mitigation, and forensic capabilities as well as adding and deploying real time situational awareness and response capabilities (26). For interesting insights into the 100-day plan, see (27). In addition, the DOE has been working on a “software bill of materials” approach that would target securing vendor supply chains and OEMs. This type of bill would focus on showing the digital ingredients of what critical ICSs hold inside. To add to the complexity, after the Colonial Pipeline incident, the Department of Homeland Security (DHS) has issued new reporting requirements for energy pipeline companies regarding actual or suspected cyber attacks. Before, pipelines had been subject to voluntary guidelines in the US (28).

Recent years have witnessed expanding EU legal and policy instruments on the critical digital energy sector. These instruments include, but are not limited to, Cybersecurity Act, Security of Electricity Supply Regulations, Cybersecurity of 5G networks, FDI regulation and Cybersecurity in the energy sector in 2019, as well as Europe’s digital future, Industrial Strategy and Secure 5G deployment in 2020. Academic research has shown how there is a clear shift from sectoral regulation of digitalized security in the energy sector to a distinctly cross-sectoral approach. It appears that in the EU framework, there is no room for sectoral silos of security, as data-driven technologies and their interconnectedness mean similar threats and vulnerabilities pervade all sectors (29).


There seem to be some similarities between US and EU regulatory frameworks. One example of such is the legal instrument FDI regulation, which follows along the lines of the Trump administration’s Executive Order on bulk-power system. In the FDI regulation, member states established a framework for screening of foreign direct investment on grounds of security or public order. This specifically allows state intervention in order to limit investments in digital energy infrastructures (30). The European Union is also currently in the final stages of negotiating the second Network Information Security directive (NIS 2) set to replace the 2018 NIS-directive. An identified defect in the current NIS-directive is the lack of a clear integrated crisis management system for responding to a cyberattack affecting multiple European countries at once (31).

What the ICS operators can expect from the future will no doubt include an escalating number of cyber threats from various levels of hostile perpetrators, ever-growing pressure in assigning proper budgets and personnel for securing their operating environments, increased push for sharing information among their networks and states, as well as further regulation to increase the transparency of supply security and operability.

JULIA FOMÍN

Julia Fomín (née Vainio) works in the public sector as an Information Security Officer. Previously, she was seconded as the first Finnish Subject Matter Expert on energy security at NATO Energy Security Centre of Excellence, where she was responsible for strategic analysis on electricity and gas networks. Her alma mater is University of Turku, from where she graduated as Master of Social Sciences.

SOURCES:
(1) https://arstechnica.com/tech-policy/2021/07/us-warns-china-over-state-sponsored-hacking-citing-mass-attacks-on-exchange/, https://www.bbc.com/news/world-us-canada-57786302
(2) https://www.washingtonpost.com/technology/2021/07/27/fbi-congress-ransomware-laws/
(3) https://www.zdnet.com/article/ransomware-gangs-are-taking-aim-at-soft-target-industrial-control-systems/
(4) https://www.cyberwatchfinland.fi/wp-content/uploads/2020/12/Cyberwatch-Finland_Special_Bulletin.pdf
(5) https://www.utilitydive.com/news/solarwinds-fallout-could-last-for-years-as-power-industry-secures-vulnerab/594598/
(6) https://www.utilitydive.com/news/solarwinds-fallout-could-last-for-years-as-power-industry-secures-vulnerab/594598/
(7) https://arstechnica.com/information-technology/2021/07/saudi-aramco-confirms-data-leak-after-50-million-cyber-ransom-demand/, https://www.bbc.com/news/business-57924355
(8) https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
(9) https://www.vox.com/recode/22428774/ransomeware-pipeline-colonial-darkside-gas-prices
(10) https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
(11) https://securityaffairs.co/wordpress/105477/cyber-crime/sodinokibi-ransomware-light-s-a.html
(12) https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/2020-report-ics-endpoints-as-starting-points-for-threats
(13) https://www.honeywell.com/us/en/press/2020/07/honeywell-cybersecurity-research-reveals-the-risk-of-usb-threats-to-industrials-has-doubled-over-12months
(14) https://www.oodaloop.com/technology/2012/09/27/statecyber/
(15) https://www.businesstoday.in/latest/economy-politics/story/cyber-attack-from-china-behind-mumbai-power-outage-in-2020-289648-2021-03-01
(16) https://www.nytimes.com/2021/02/28/us/politics/china-india-hacking-electricity.html, https://www.bbc.com/news/technology-48675203
(17) https://www.indiatoday.in/india/story/pakistan-hackers-power-sector-government-organisation-india-1827527-2021-07-13
(18) https://www.tandfonline.com/doi/full/10.1080/01402390.2021.1895117
(19) https://www.tandfonline.com/doi/full/10.1080/01402390.2021.1895117
(20) https://www.reuters.com/world/biden-warns-cyber-attacks-could-lead-a-real-shooting-war-2021-07-27/
(21) https://www.reuters.com/world/biden-warns-cyber-attacks-could-lead-a-real-shooting-war-2021-07-27/
(22) https://www.tandfonline.com/doi/full/10.1080/01402390.2021.1895117
(23) https://www.tandfonline.com/doi/full/10.1080/01402390.2021.1895117
(24) https://www.tandfonline.com/doi/full/10.1080/01402390.2021.1895117
(25) https://www.washingtonpost.com/technology/2021/07/27/fbi-congress-ransomware-laws/
(26) https://www.energy.gov/articles/president-trump-signs-executive-order-securing-united-states-bulk-power-system
(27) https://www.energy.gov/articles/biden-administration-takes-bold-action-protect-electricity-operations-increasing-cyber-0
(28) https://www.securityweek.com/new-initiative-protect-us-electrical-grid-cyberattacks-feedback-friday
(29) https://www.wsj.com/articles/european-energy-sector-prepares-for-new-cybersecurity-rules-11623144602
(30) https://academic.oup.com/jwelb/article/13/4/353/5983698
(31) https://academic.oup.com/jwelb/article/13/4/353/5983698, https://www.wsj.com/articles/european-energy-sector-prepares-for-new-cybersecurity-rules-11623144602


STRATEGIC SITUATION

THE UNITED STATES AND CANADA ANNOUNCED THAT THEY TAKE THE OFFENSIVE AGAINST CYBERCRIME AND FOREIGN HACKERS.

Superpowers taking measures to openly utilise their cyber attack potential opens up a new type of progression. The fact that government agents respond to cyber attacks may act as a deterrent against regular cybercriminals, but it also enables a new type of game for government agents and a potential means to evaluate the skills of the opposing side. The active participation of government agents also increases the probability of attack escalation and poorly targeted counterattacks. Behind this progression there could certainly be an alliance between government agents and criminals, which attempts to hide the actual offenders and ulterior motives.

THE GOVERNMENT’S GRIP ON TECHNOLOGY COMPANIES AND SOFTWARE PROVIDERS IS TIGHTENING IN CHINA AND RUSSIA. China’s network surveillance organisation announced new propositions regarding information management regulation, which suggests that foreign companies, such as Google, Meta and Twitter, would have to follow the new regulations even if they had no operations in China. In Russia, the state-controlled Gazprom has taken control of the country’s largest social media service, VKontakte. The European Union’s Digital Markets Act is also progressing. It aims to restrict the power and influence of global tech giants in the European market.

POLICE OF FINLAND ASKS FOR MORE RIGHTS IN CRIMINAL INTELLIGENCE. At the request of the National Police Board, the Ministry of the Interior has decided to begin a preliminary study on whether the powers of the police should be increased in matters of criminal intelligence. The police want to look into the possibility of utilising the secret data acquisition means regulated in the Police Act before there is a concrete criminal suspicion. This sort of criminal intelligence is not a part of the pre-trial investigation, but a preceding phase. The request can be seen as a continuation of the civilian and military intelligence acts.

FINLAND’S FIRST QUANTUM COMPUTER IS FULLY FUNCTIONAL.

Finland’s first fully functioning five-qubit quantum computer was built in Otaniemi, Espoo. The computer was built by VTT together with the quantum startup company IQM. The project has been granted additional funding of 20.7 million euros. The funding is to be used to build a 50-qubit quantum computer by the year 2024. Currently, the largest quantum computer developers are the United States and China, but many other nations are building their own quantum computers as well. At the moment, the largest known unit is IBM’s 127-qubit quantum computer. The development of quantum computers is regarded as one of the “game changers” in the cyber world, for better and for worse. It is therefore important to follow their development.

DIGITAL AND POPULATION DATA SERVICES AGENCY PUBLISHED A GUIDE IN SUOMI.FI WEB SERVICE FOR ORGANISATIONS AND COMPANIES THAT HAVE FALLEN VICTIM TO A SECURITY BREACH. The guide provides information for companies, communities and other organisations on how to act if they suspect a security breach or if confidential information has been leaked to the public. The guide is an addition to a similar guide published for citizens in spring 2021. Utilising the Suomi.fi web service to publish guides is a great way to share information and instructions with citizens.

NATIONAL EMERGENCY SUPPLY AGENCY IS LAUNCHING A PROJECT TO ESTABLISH AN INFORMATION SECURITY SKILLS CENTRE. The centre’s purpose is to focus on identifying and preventing information operations. A preliminary report on preventing information operations has been published in Finnish. The report will function as a starting point for building the new information security skills centre function.



NATIONAL CYBER SECURITY CENTRE HAS ISSUED A RED WARNING ON LOG4J COMPONENT VULNERABILITY AND A YELLOW WARNING ON FLUBOT PHONE MALWARE. The Log4j component vulnerability affects a major part of the services on the internet and it is being actively exploited, also in Finnish organisations. System administrators must install the updates immediately. Individual users cannot fix the vulnerability. This is one of the most significant vulnerabilities ever discovered.

The spam-sending FluBot malware campaign has once again been activated and it is being spread through text messages. Based on telecommunication operators’ estimates, millions of spam messages are currently in circulation. The National Bureau of Investigation has initiated a pre-trial investigation. Those who received the message or installed the malware are advised to follow the instructions of the cyber security centre of the Finnish Transport and Communications Agency Traficom.

https://www.kyberturvallisuuskeskus.fi/en/varoitus_5/2021
https://www.kyberturvallisuuskeskus.fi/en/be-aware-malware-spread-sms

FINNISH TRANSPORT AND COMMUNICATIONS AGENCY TRAFICOM IS LOOKING FOR WAYS TO PREVENT INTERNATIONAL SCAM CALLS. Traficom is working together with Finnish telecommunication operators to prepare ways to prevent the forging of the caller’s number, which has become common in scam calls. The aim is to hinder and prevent the operation of international criminals. The forging of the caller’s number only involves calls coming to Finland from abroad.

https://www.epressi.com/tiedotteet/telekommunikaatio/traficom-etsii-keinoja-kansainvalisten-huijaussoittojen-estamiseksi.html

A NEW LAW CAME INTO EFFECT IN BRITAIN, WHICH FORBIDS DEFAULT PASSWORDS ON INTERNET-CONNECTED DEVICES UNDER THREAT OF A FINE. This is a positive development, because default accounts and passwords hard-coded into devices are one of the factors enabling wide cyberattacks and botnets. For example, some broadband and cable modems offered by Finnish teleoperators still use easy username and password combinations, such as admin and 1234. Users should always change the password immediately after the first login or after resetting the device.

https://www.bbc.com/news/technology-59400762

HUNDREDS OF SUSPICIOUS RELAYS WERE REMOVED FROM THE TOR NETWORK.

The servers, which were most likely used for spying and for breaking the network's anonymity, were removed by the Tor Project organisation. The large number of servers and the fact that they were unregistered servers operating in every role of the network suggest a governmental operator. Uncovering the users of the Tor network is in the interests of intelligence units, authorities and researchers.
https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays/

The Tor network offers stronger anonymity than the public internet and a means to circumvent censorship. However, even Tor cannot offer full anonymity. It is possible to uncover a user’s identity by operating relays and tracking their traffic. The Tor Project organisation, which develops the network’s operation and the security of Tor Browser, cooperates with research communities on both cracking the network's security and improving anonymity.

Cyberwatch Finland


STRATEGIC SITUATION

THE UNITED STATES AND CANADA ANNOUNCED THAT THEY WILL LAUNCH ATTACKS AGAINST CYBERCRIMINALS AND FOREIGN HACKERS. Major powers beginning to openly use their cyber attack capabilities opens up a new kind of development. State actors responding to cyber attacks will probably act as a deterrent to ordinary cybercriminals, but for state actors it enables a new kind of game and a potential means of evaluating the level of the opposing side's capabilities. The active participation of state actors also increases the probability of attacks escalating and of wrongly targeted counterstrikes. Behind this development there is certainly also cooperation between state actors and criminals, which obscures the true perpetrators and underlying motives.

THE STATE'S GRIP ON TECHNOLOGY COMPANIES AND SOFTWARE PROVIDERS IS TIGHTENING IN CHINA AND RUSSIA. China's cyber surveillance organisation published new proposals for data management regulations, which suggests that foreign companies such as Google, Meta and Twitter would have to comply with the new rules even if they had no operations in China. In Russia, the state-led Gazprom has taken control of the country's largest social media service, VKontakte. The EU's Digital Markets Act is also progressing. It seeks to limit the power and influence of global technology giants in the European market.

IN FINLAND, THE POLICE WANT MORE POWERS FOR CRIMINAL INTELLIGENCE. On the initiative of the National Police Board, the Ministry of the Interior has decided to launch a preliminary study on whether the powers of the police in criminal intelligence should be extended. The police want to examine the possibility of using the so-called secret data acquisition means laid down in the Police Act before there is a concrete suspicion of a crime. This so-called criminal intelligence is not part of the pre-trial investigation but specifically the phase preceding it. The initiative can be seen as a continuation of the civilian and military intelligence acts.

FINLAND'S FIRST QUANTUM COMPUTER WAS COMPLETED.

Finland's first working five-qubit quantum computer was completed in Otaniemi, Espoo. VTT built the computer together with the quantum startup company IQM. The project has been granted additional funding of 20.7 million euros. Under it, a 50-qubit quantum computer is to be built by 2024. The world's largest developers of quantum computers are currently the United States and China, but many other countries are also racing to develop their own quantum computers. At the moment the largest unit is reportedly IBM's 127-qubit quantum computer. The development of quantum computers is regarded as one of the “game changers” of the cyber world, for better and for worse. It is therefore important to follow their development.

THE DIGITAL AND POPULATION DATA SERVICES AGENCY (DVV) PUBLISHED A GUIDE IN THE SUOMI.FI WEB SERVICE FOR ORGANISATIONS AND COMPANIES THAT HAVE FALLEN VICTIM TO A DATA BREACH. The guide tells companies, communities and other organisations how to act if they suspect that their organisation has fallen victim to a data breach or if confidential information held by the organisation has leaked to the public. The guide follows a corresponding guide published for citizens earlier, in spring 2021. Using the Suomi.fi service to publish guides is a good way to share information and instructions with citizens in a centralised manner.

THE NATIONAL EMERGENCY SUPPLY AGENCY IS LAUNCHING A PROJECT TO ESTABLISH AN INFORMATION SECURITY SKILLS CENTRE. The centre's purpose is to focus on identifying and countering information operations. A preliminary report on countering information operations (Informaatiovaikuttamisen torjunta) has been published for the project, and the new information security skills centre function will be built on its basis.



THE NATIONAL CYBER SECURITY CENTRE ISSUED A RED WARNING ABOUT THE SERIOUS LOG4J VULNERABILITY AND A YELLOW WARNING ABOUT THE FLUBOT MALWARE AFFECTING MOBILE PHONES.

The serious vulnerability in the Log4j component affects a large share of the services on the internet and it is being actively exploited, including in Finnish organisations. Service administrators must install the fixing updates immediately. An ordinary user cannot take any action to fix the vulnerability. This is one of the most significant vulnerabilities ever discovered.

The FluBot malware campaign, which sends scam messages, has become active again and is being spread by text message. According to telecommunication operators' estimates, millions of scam text messages are in circulation. The National Bureau of Investigation has started a pre-trial investigation. Those who have received the message or installed the malware are advised to follow the instructions given by the cyber security centre of the Finnish Transport and Communications Agency Traficom.

https://www.kyberturvallisuuskeskus.fi/fi/varoitus_5/2021
https://www.kyberturvallisuuskeskus.fi/fi/varo-tekstiviestitse-levitettavaa-haittaohjelmaa

THE FINNISH TRANSPORT AND COMMUNICATIONS AGENCY TRAFICOM IS LOOKING FOR WAYS TO PREVENT INTERNATIONAL SCAM CALLS. Together with the telecommunication operators operating in Finland, Traficom is preparing ways to prevent the forging of the caller's number, which has become common in scam calls. The aim is to hinder and prevent the operation of international criminals. The forging of the caller's number invariably concerns calls made to Finland from abroad.

https://www.epressi.com/tiedotteet/telekommunikaatio/traficom-etsii-keinoja-kansainvalisten-huijaussoittojen-estamiseksi.html

A NEW LAW ENTERED INTO FORCE IN BRITAIN THAT BANS DEFAULT PASSWORDS ON INTERNET-CONNECTED DEVICES UNDER THREAT OF FINES. The direction is a good one, because default usernames and passwords hard-coded into devices are one of the enablers of wide cyberattacks and botnets. In Finland, for example, some broadband and cable modems offered by teleoperators still use very easy username and password combinations, such as admin and 1234. Users should always change the password immediately when taking the device into use or resetting it.

https://www.bbc.com/news/technology-59400762

HUNDREDS OF SUSPICIOUS RELAYS WERE REMOVED FROM THE TOR NETWORK.

The servers, which were probably intended for spying and for breaking the network's anonymity, were removed by the Tor Project organisation. The large number of servers, and the fact that they were unregistered servers operating in every role of the network, points to a state actor. Identifying the users of the Tor network is of interest to intelligence units, authorities and researchers alike.
https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays/

The Tor network offers better anonymity than the public internet and, for example, a way to circumvent online censorship. Even the Tor network does not give full anonymity. By maintaining one's own relays and monitoring their traffic, it is possible to find out the identity of users. The Tor Project organisation, which develops the operation of the network and the secure Tor Browser, therefore cooperates with research communities to advance both the breaking of the network's protections and its better encryption.

Cyberwatch Finland


THE EUROPEAN UNION’S DATA ECONOMY IS EXPECTED TO CREATE POWERFUL CHANGE IN THE MARKET // Cyberwatch Finland

New joint principles for utilising health data are being developed in the Joint Action Towards the European Health Data Space project funded by the European Union. The aim is an internal market for European health data. 25 countries are participating in the project. Sitra and Finland were selected as the coordinators for the project because Finland was the first ever country to implement an act that allowed secondary use of health data. It regulates how existing health data can be used in research and innovation activities. Within a year, the European Commission has proposed four large pieces of data-related legislation. They are the proposals on data governance, the Digital Services Act, the Digital Markets Act and the Artificial Intelligence Act. The expectations for the data economy are high. According to President of Sitra Jyrki Katainen, the data economy will be one of the largest dynamics of the market and societies.

The regulation of the data economy and the use of data for innovation activities is a two-way street. Regulation restricts and regulates what is allowed to be done and how. Secondary use of data enables the use of sensitive data for research purposes. This is great for research, innovation development and Finland’s ability to utilise its own expertise. On the other hand, research and innovation activities are also susceptible to data leaks and cyber espionage. Maximum utilisation of the data economy and data innovation is a great objective, but it runs the risk of neglecting the negative aspects of the data economy.

The fast pace of digitalisation and innovation creates a continuous legislative challenge: how should legislative processes be developed to improve their response time to the changes brought on by the information age? In Europe, lots of work has been done to improve legislation, but the process is slow, and it appears to mainly focus on restricting the power of US tech giants. The European Union could release more resources from the battle against tech giants and redirect them toward developing safe services with strong privacy protection. Presently, many significant projects and resolutions that affect the digitalisation of the European Union are advancing, such as the Digital Markets Act and the Digital Services Act. If these acts come into effect, they will significantly restrict and change the operation of tech giants in Europe. The acts are meant to come into effect during the year 2022.

Another significant long-term project, the European Digital Identity (eID), also appears to be advancing. A common identity for the European Union and strong electronic identification lay a foundation for new digital services, even if it does not replace member states’ own digital identification methods in the near future. Instead, eID will change the sign-in process of services like Microsoft and Google or other such services that require strong identification.

THE EU'S DATA ECONOMY IS PREDICTED TO BRING A HUGE FORCE FOR CHANGE TO THE MARKET // Cyberwatch Finland

The TEHDAS joint action project (Joint Action Towards the European Health Data Space), funded by the European Union, is developing common operating principles for the use of health data. The goal is a European internal market for health data. 25 countries are taking part in the work. Sitra and Finland were chosen as the coordinator of the project because Finland was the first country in the world to draw up a law permitting the secondary use of health data. It regulates how existing health data can be used in research and innovation activities. Within a year, the European Commission has presented four major data-related legislative proposals. They are the proposals on a data governance model, the Digital Services Act, the Digital Markets Act and the Artificial Intelligence Act. Expectations for the data economy are high. According to the President of Sitra, Jyrki Katainen, the data economy will be one of the greatest forces for change in markets and societies.

However, regulating the data economy while enabling the use of data in innovation activities means pursuing two aims at once. Regulation limits and governs what may be done and how. Secondary use of data enables the use of sensitive data for research purposes. From the perspective of research, the development of innovations and Finland's opportunity to make use of its own expertise, this is a very good thing. But research and innovation activities are also unfortunately susceptible to various data leaks and cyber espionage. The data economy and the maximum utilisation of data innovations are good objectives, but the risk is that the negative aspects of the data economy receive less attention.

The pace of digitalisation and innovation creates a continuous legislative challenge. How can legislative processes be made more agile so that they respond faster to the changes brought by the digital age? Much work has been done in Europe to improve legislation, but the process is slow and it appears to focus primarily on limiting the power of US technology giants. The EU could free up more resources from the fight against the digital giants for developing its own services that are secure and based on strong privacy protection. At present, however, significant projects and decisions affecting the EU's digitalisation are advancing, such as the Digital Markets Act and the Digital Services Act, which on entering into force would significantly restrict and change the operation of technology giants in Europe. The acts are intended to enter into force during 2022.

Another significant project that has lasted for years, the European Digital Identity (eID), also appears to be advancing. A common EU identity and the strong identification based on it lay the groundwork for new digital services, even if it does not replace the member states' own digital identification solutions, at least not in the next few years. Instead, eID will probably change the way in which people sign in to, for example, Microsoft's and Google's services or services requiring strong identification, using their own digital eID identifier.

https://www.tivi.fi/uutiset/datataloudesta-tulee-valtava-muutosvoima-markkinoille-jyrki-katainen-vertaa-sahkon-keksimiseen/13eef468-19ca-4434-9d58-af37d06c6c03



OVERVIEW OF THE RUSSIAN NAVY AND AIR FORCE'S ELECTRONIC WARFARE UNITS AND THEIR MAIN EQUIPMENT // Juha Wihersaari

Introduction

The Georgian War of 2008 was the starting point for the development of electronic warfare in Russia. We started to see an increase in the number of electronic warfare forces and their reorganization in efforts to integrate the electronic warfare system from the bottom up, i.e. as a part of tactical and strategic level systems, as well as the development of more high-performance systems and the modernisation of the electronic warfare tools. The 2018 statement by the Commander of the Russian Electronic Warfare Force illustrates these developments well: "In the near future, electronic warfare forces will determine the fate of all military operations".

As far as the development of the force is concerned, the enhancement of electronic warfare systems is still ongoing. The most significant development has been seen in the Army, where the number of electronic warfare troops has been significantly increased across the board, in addition to qualitative upgrades. Protecting the northern sea route as well as the development in other branches of defence has been mainly qualitative, rather than increasing the number of troops. In accordance with the Russian military dialogue, the armed forces seek superiority in the information dimension of the battlefield by means of electronic warfare. Western experts estimate that the Russian armed forces would already be able to block all civilian, military and satellite connections and positioning systems in active battle areas in the next few years. Russia's strong investment in electronic warfare, which enables information superiority on the battlefield, is likely to continue.

This review examines the current situation of electronic warfare in the Russian Navy and Air Force on the basis of publicly available sources. Information from public sources is often contradictory, due to the author's background and possible ulterior agenda. It should therefore be stressed that this is an estimate based on information that is necessary. The situation regarding electronic warfare by the Russian Army will be examined in the next review. It would be futile to carry out a review of the nuclear-related electronic warfare force, as there is much less public information on them. The Russian Technical Surveillance Forces (i.e. the forces that monitor stray electromagnetic radiation from Russia's own electronic systems) and their equipment, Russian SIGINT, and shipborne/airborne ECM/EW equipment are not analysed in this review.


The Navy’s land-based electronic warfare force

The land-based part of the Russian Navy's electronic warfare section includes a total of nine centres of electronic warfare, mainly formed since 2009 on the basis of naval electronic warfare regiments.

Table 1: Fleet electronic warfare centres

| Regiment | Higher echelon | Location | N.B. |
|---|---|---|---|
| 186. IEWC | Northern Fleet | Severomorsk | News Observation 2014 |
| NN. IEWC | Northern Fleet | Novaya Zemlja | News Observation 2019 |
| NN. IEWC | Northern Fleet | Severnaja Zemlja | News Observation 2019 |
| NN. IEWC | Northern Fleet | Ljahovi Islands | News Observation 2019 |
| NN. IEWC | Northern Fleet | Tshukotka Peninsula | News Observation 2019 |
| 471. IEWC | Pacific Fleet | Petropavlovsk-Kamtshatka | News Observation 2017 |
| 474. IEWC | Pacific Fleet | Shtykovo | News Observation 2017 |
| 475. IEWC | Black Sea Fleet | Sevastopol | News Observation 2016 |
| 841. IEWC | Baltic Fleet | Jantarnii | News Observation 2012 |

IEWC = Independent Electronic Warfare Center

Both the Baltic and Black Sea fleets have independent electronic warfare centres in their organization, the Pacific Fleet has two centers, and the Northern Fleet, which has the status of a military district, has a total of five electronic warfare centres. The additional electronic warfare centers of both ocean fleets will cover the electronic defence of the northern sea route. The number of electronic warfare centres in the Northern Fleet explains the fact that, like other military districts, it does not have an electronic warfare brigade. The Caspian Sea Flotilla does not have any electronic warfare troops. In addition to land-based troops, ships of course have their own electronic warfare systems.

With the exception of the Northern Fleet, the fleets have not, according to OSINT information, made any changes to the grouping of electronic warfare, and the news published about the fleets' electronic warfare centres has primarily been related to new equipment that Russia has wanted to report on or about which information has otherwise become public.


Each separate electronic warfare centre typically includes two electronic warfare battalions and possibly a separate electronic warfare company. One battalion is responsible for strategic tasks and the other for tactical matters. The assessed tasks match the main EW equipment of the battalions. This leads to the conclusion that the electronic warfare centres responsible for the electronic defence of the Northern Sea Route are battalion-size troops.

The most significant equipment in the separate electronic warfare centres of the fleets consists of the Murmansk-BN, Krasukha-2 and Krasukha-4 systems. The latter have been replaced by Divnomorye systems. The Murmansk-BN and Samarkand systems can only be found in electronic warfare centers located in the main base of each fleet. However, a second battalion is likely to form as an offshoot. At the moment, the Kamtshatka center, a part of the Pacific Fleet, and the centres along the Russian northern sea route utilize only the Krasukha systems. Another type of naval electronic warfare battalion is being built around the Krasukha and Divnomorye systems.

The aforementioned Krasukha system reported by the Russians at each of the navy's smaller electronic warfare centers suggests that their main equipment consists of an electronic warfare package traded abroad by the Russian military industry, consisting not only of the Krasukha-2 and -4 jamming systems, but also of the Moskva-1 signal intelligence system. Krasukha jamming systems were originally developed to protect tactical missile systems such as the 9K720 Iskander (SS-26 Stone). Based on public information, the armed forces would have been delivered a total of 18 Krasukha systems from 2015 onwards. According to Russian sources, the Krasukha-2 and -4 pair is a strategic-level combination, which will be deployed in the most important directions and will not be found in the armies of the land forces. In addition to tactical missiles, the main naval bases and the northern sea route are clearly a priority.

The Krasukha-2 (1L269EH) is a mobile high-powered radar jamming system. The Krasukha-2 system operates in the S-band (2.86 to 3.54 GHz) and is intended to jam AWACS air surveillance and combat command aircraft, as well as airborne surveillance radars installed in aeroplanes, helicopters, UAVs and aerostats, as well as those in surveillance towers up to 250 km away. Russian sources report a more advanced version of the Krasukha-2 system, the Krasukha-2O jamming system, with a jamming radius of up to 400 km. According to the manufacturer, the Krasukha-2 system has the ability to hide a target from radar detection in a range of 50-80 km. In addition to jamming, the Krasukha-2 system is capable of creating fake targets. According to the Russians, the system can also damage the enemy's electronic warfare, command and navigation systems and, according to a spokesman for the system manufacturer, destroy electronic components of the AWACS radar system. According to Russian data, the Krasukha-2 jamming system aims to prevent the enemy from detecting command posts, troop groupings, air defense systems and important industrial and civilian targets, to jam radar systems in enemy aircraft and to prevent the enemy from using precision guided weapons. In summary, the Krasukha-2 jamming system is responsible for defending significant targets from enemy air and space reconnaissance. The system is mobile and can be installed in a heavy off-road truck or three transport tanks.

Krasukha-4 (1RL257EH) is a mobile high-powered radar jamming system operating in the X-band (2-3 GHz). It was developed to jam SAR satellites and UAVs, as well as air-to-ground and air-to-air missiles, preventing them from detecting targets on the ground or in the air. In addition to jamming, the Krasukha-4 system is capable of creating fake targets. According to the Russians, the Krasukha-4 jamming system is capable of blocking one SAR satellite, an E-8 JSTARS surveillance aircraft or 11 tactical aircraft at the same time. The system is capable of protecting an object within an area of 15-25 km. According to US intelligence in Syria, the system is also capable of jamming GPS communications, which was found to be the reason for the diversion of 36 Tomahawk cruise missiles in the US operation in Syria. In summary, the Krasukha-4 jamming system is responsible for protecting significant targets from attacks by enemy precision guided weapons. The system is mobile and can be installed in a heavy off-road truck or two transport tanks.

Moskva-1 (1L265EH) is an automatic signal intelligence and command system used to detect targets for the Krasukha-2 and Krasukha-4 jamming systems from up to 400 km away and to control jamming. One Moskva-1 system can run a total of nine jamming systems.

According to Russian sources, Divnomorye is a fully automated mobile electronic warfare system designed to replace the combination of the Krasukha-2, Krasukha-4 and Moskva-1 systems. It is intended to protect important targets and is capable of working against targets operating in the air, in space and on land. According to a Russian military expert, Divnomorye is a "universal system", suggesting that it will become a general system that will be put in place throughout the armed forces and thus be integrated into the wider entity of military systems.
The system is described as independently choosing and analyzing the target and then devising the best way to jam it. In other words, Divnomorye is a system based on artificial intelligence and it is an integral part of the Russian armed forces' efforts to achieve superiority through artificial intelligence. As a result of the new technology, Divnomorye is smaller and can be placed in one off-road truck. According to data published this year, the first two systems have been deployed to the Baltic Fleet's Electronic Warfare Centre in Kaliningrad. In Russian style, the deployment of the Divnomorye system does not mean removing the older Krasukha-2 and Krasukha-4 systems, which are still to be modernized alongside the new system.

Murmansk-BN is a highly powerful, portable, mobile, strategic HF signal intelligence and jamming system created for the purpose of jamming the US Global Communications System (USGCS); its main targets are vessels and aircraft operating in oceans. The system is reported to have a power of 400 kW and, according to the Russians, has a range of 5000-8000 km; according to Western estimates, however, the true range is closer to 3000 km. The Murmansk-BN jamming system consists of seven heavy off-road trucks with which the equipment and the antenna field can be moved. It will take at least three days to reach operational readiness in a new deployment area.

Samarkand is the most modern Russian jamming system; however, very little is known of its capabilities. Western military experts assess its targets as command, communication, reconnaissance and surveillance systems (C4ISR), as well as jamming the GPS navigation system and producing false positionings. Russian sources stress Samarkand's ability to make enemy command systems "blind and deaf" as well as to "strike" to paralyze radars, reconnaissance planes and satellites within a "dome" 700 km in diameter and 80 km in height. However, in the opinion of a Ukrainian expert, the diameter of the dome is only approximately 200 km. According to the Russians, when Samarkand creates the electronic dome, the enemy's electronic, targeting and navigation systems inside the dome lose their ability to function. The Russians use similar wording when describing the Murmansk-BN system, which suggests that this is a similarly advanced and powerful jamming system. As Samarkand’s technology is more modern than Divnomorye’s, it can well be assumed that the Samarkand system will also utilize artificial intelligence. The Samarkand system is a logical pair for the Murmansk-BN system in the HF band.
Both systems are developed to paralyze and damage enemy's command and control systems and together they cover the whole necessary radio spectrum. By the end of 2018, at least 16 Samarkand systems had been deployed into 13 different troops in the Kaliningrad, Arkhangelsk, Murmansk, Moscow, Krasnodar, Primorde regions, in Belarus as well in Naval bases. This new system for is aimed at defending, at least at this phase, the most critical targets. Based on the deployment, the Samarkand systems are deployed to defend missile sites in addition to naval bases.


Table 2: Russian Navy's main electronic warfare systems

| System | Description | Range | Frequency | Organization |
| --- | --- | --- | --- | --- |
| Murmansk-BN | Disabling the command systems of ships and aircraft operating in the seas. Main target is the USGCS. Very powerful jamming system. | 3000 – 8000 km | HF band | EWC 1 |
| Samarkand | Disabling C4ISR systems and GPS positioning of objects inside the dome. Automatic system using artificial intelligence. | 700x80 km dome | | EWC 1 |
| Divnomorye | Protect targets from air and space radar reconnaissance and precision guided weapons strikes. Automatic system using artificial intelligence. | Hundreds of km | X-band, S-band | EWC 1 |
| Moscow-1 | Signal intelligence and C2 for Krasukha systems | | | EWC 2 |
| Krasukha-2 | Protect objects from air and space radar reconnaissance | 250 km (400 km) | S-band | EWC 2 |
| Krasukha-4 | Protect targets from precision guided weapons strikes | 300 km | X-band | EWC 2 |

EWC 1 = Electronic Warfare Centre in connection with the main naval base
EWC 2 = Electronic Warfare Centre outside the Navy's main base

The electronic warfare systems used by the Navy can roughly be divided into two parts: more offensive electronic warfare systems, which target command systems, and more defensive systems, which target radar and positioning systems. The most significant threat for the Navy to tackle is clearly precision guided weapons, especially their navigation and targeting systems. The adoption of artificial intelligence in the systems is reflected even in OSINT material, although conclusions cannot be drawn solely on this basis.



Air Force Ground Electronic Warfare Force

Each air and air defence army has an independent electronic warfare battalion, the activities of which are integrated with the Air Defence Division. An air and air defence army is deployed in the area of responsibility of each Military District, and on this basis there are four electronic warfare battalions in total supporting the air force.

Table 3: Independent electronic warfare battalions of the air and air defence armies

| Unit | Higher echelon | Military District | Location | Note |
| --- | --- | --- | --- | --- |
| 2226. IEWB | 14. AADA | Central | Engels | Data from 2018 |
| 328. IEWB | 6. AADA | Western | Pesotshnyi | Data from 2018 |
| 541. IEWB | 11. AADA | Eastern | Artem | Data from 2017 |

IEWB = Independent Electronic Warfare Battalion
AADA = air and air defence army

According to OSINT, the 45th air and air defence army, which is deployed to the area of responsibility of the Northern Fleet, does not have an independent electronic warfare battalion. The battalion may be organized under the command of the Fleet’s independent electronic warfare center, or the center may have been complemented with the capabilities needed to support the 45th air and air defence army.

Engels is also the main airbase of Russia’s long-range aviation, and the missions of the 2226. Independent Electronic Warfare Battalion may also include supporting long-range aviation. Thus, it may have a different composition than the independent electronic warfare battalions of the other air and air defence armies. In addition to land-based troops, aircraft have their own electronic warfare systems.

As far as the air force is concerned, the same assumption applies as for the Navy. According to OSINT, there were no changes in the deployment of electronic warfare capabilities. Moreover, news of new systems in the electronic warfare battalions of the air and air defence armies has come to light; this information is likely to have been specifically released by the Russian armed forces or leaked through unofficial sources. The Air Force's electronic warfare equipment has most likely been the last to be updated, and therefore its modernisation was the last to be announced.



Based on the available information, the main equipment of the Air Force's independent electronic warfare battalions consists of Krasukha-S4, Sinitsa, SPN-2, SPN-4 and Zhitel jamming systems. In addition to these, the battalion has unidentified signal reconnaissance systems operating on the HF and VHF frequency ranges.

R-330Zh Zhitel is an analogue mobile radio frequency signal intelligence and jamming station whose efficiency has been improved by connecting it to an automatic R-330KMA command post. This combination is called the R-330M1P Diabazol jamming system, and it is capable of effectively blocking the use of GSM connections, INMARSAT and IRIDIUM satellite communications, as well as GPS navigation systems, by ground targets operating within a 25 km radius and by airborne objects 50 km away. If necessary, the Zhitel system can also act as a standalone station. The Zhitel system is installed in one heavy off-road truck and the command post in another, so the entire Diabazol system consists of two vehicles.

The SPN-2 is a powerful mobile radar signal jamming station designed to defend relatively small ground-based objects from air radar reconnaissance and to jam aircraft altitude measurement and targeting radars. The SPN-2 jamming station is installed in a single heavy off-road truck.

The SPN-4 is a powerful mobile radar signal jamming station designed to protect targets on the ground from airborne SLAR, aimed bombings or rocket attacks, to disable navigation and altitude measurement radars, to prevent air-to-ground and air-to-air missile radar targeting, and to disable ground surveillance radars and air combat control and targeting radars. The SPN-4 system detects radars at a distance of up to 150 km and is capable of simultaneously disabling up to six radars at a distance of 60 km. The SPN-4 jamming station consists of three heavy off-road trucks.

The R-934U Sinitsa is a mobile, automatic jamming system operating on the VHF airband. It is designed to disable the positioning systems of attacking combat aircraft and to prevent reconnaissance aircraft from sending target data to ground stations. The jamming range of the system is 250 km. Sinitsa can function as a standalone unit, together with another Sinitsa system, or as a part of a larger Diabazol system. Since the Sinitsa system is by default an automatic system, in the latter case the Sinitsa and Zhitel systems have most likely been assembled to work together. When two Sinitsa systems work together, their maximum distance from each other is 10 km.

Krasukha-S4 is an automatic jamming system that, according to the manufacturer's representative, has the ability to interfere using a wide range of jamming methods. He was not willing to discuss the technical characteristics of the system further. It is estimated that, in addition to the advancements in the jamming methods, its range may also have increased, as has happened with Krasukha-2O. The Krasukha-S4 system is a good example of Krasukha systems being further developed alongside Divnomorye systems.



Table 4: The Air Force's main electronic warfare systems

| System | Task | Range | Frequency | Organization |
| --- | --- | --- | --- | --- |
| Krasukha-S4 | Protect targets from precision guided weapons strikes | 300+ km | X-band | IEWB |
| Sinitsa | Prevent air strikes with conventional weapons. Prevent operation of SIGINT aircraft. | 250 km | Airband (100-400 GHz) | IEWB |
| SPN-2 | Protect small objects from airborne radar reconnaissance. Disrupt air strikes with conventional weapons. | | 13,333 – 17,744 GHz | IEWB |
| SPN-4 | Protect objects from airborne radar reconnaissance. Protect targets from air strikes with conventional weapons. Jam air-to-air missile strikes. | Detection: 150 km; Jamming: 60 km | | IEWB |
| Zhitel | Block mobile and satellite communications. Block GPS navigation systems. | 20 km to ground; 50 km to air | 100-2000 MHz | IEWB |

IEWB = Independent Electronic Warfare Battalion of Air and Air Defence Army

Even with regard to the Air Force's electronic warfare systems, it is clear that air reconnaissance, air raids, traditional bombings as well as new missiles pose the most significant threats to the Russian military. Zhitel jamming systems are also used in the Land Forces; for the Air Force, the jamming of the GPS navigation system plays a more important role.

JUHA WIHERSAARI

The author of this special bulletin, Colonel (ret.) Juha Wihersaari, is a Doctoral Researcher and Member of the Russia Research Group at the Finnish National Defence University. He has a General Staff Officer’s Degree from 1993 and served in the Finnish Defence Forces until 2015. Wihersaari’s military experience includes positions mainly in Military Intelligence, where he served 26 years. During his career Wihersaari served twice as Defence Attaché: the first time in Eastern Europe (incl. Ukraine) and the second time in the Middle East. He also served five years as the Director of the Finnish Signal Intelligence. Since 2016 Wihersaari has been the owner and Director of JITINT, a small intelligence and security company. His doctoral research is focused on Hybrid Warfare in the Russian Art of War: “Hybridisodankäynti venäläisessä sotataidossa”.


Summary

The Northern Sea Route is a very important target to be defended, in addition to the fight against precision guided weapons. The development of electronic warfare organisations and systems is clearly a strategic objective that will most likely be adequately resourced in the future as well.

Electronic warfare systems combine two things. Firstly, they are an asymmetrical way of gaining superiority in a war or armed conflict. Secondly, they are an excellent way to fund the development of artificial intelligence.




THE “CYBER AMBASSADOR” WOULD BUILD A WHOLE NEW SECURE INTERNET // Marko Mannila, Freelance Journalist, specialized in Middle East



In 2000, during the famous Y2K, the Israeli Army Brigadier General Rami Efrati, who had joined the army reserve, investigated possible cyber threats. "That's when I realized that cyber threats are real, that they occur not only in movies," he says.

Twenty years later, 71-year-old Efrati calls himself a "cyber ambassador." He has also become a respected expert outside of Israel. He makes several trips to Europe and Asia to give speeches and presentations each year. After the interview, Efrati was scheduled to travel to Switzerland and Germany. "Before COVID-19, I was traveling every other week."

Efrati works as a partner at the Swiss company MSF, which develops new technologies to improve corporate cybersecurity. He is also well known in Finland and often appears as a commentator for Cyberwatch Finland.

According to the Brigadier General, new technology such as artificial intelligence and machine learning makes life easier and more accessible by enabling new automated systems. The downside of this development is that foreign powers and criminals are constantly looking for vulnerabilities in these systems to exploit them. “New cars, primarily electric and autonomous cars, have a lot of computers (some with up to 50 units) and each of them is a potential target. There are also targets inside the vehicle, namely the driver and the passengers.”

CYBERATTACKS RARELY BECOME PUBLIC

Information about cybercrimes is rarely shared with the public. Companies usually report a cyberattack only if required by the country's law. The attacker might also go public with the attack to demand more ransom. Efrati neither supports the idea of the law forcing companies to report attacks, nor does he advise them to pay the ransom demanded. “Companies should invest their money before anything happens. That saves money and also safeguards the company's reputation more effectively.” As an example, he cites the Israeli insurance company Shirbit, whose databases were accessed by hackers at the end of last year. News of the hack spread and the company's reputation suffered.

According to Efrati, it is essential to distinguish between Operational Technology (OT) and IT. OT stands for devices and programs that monitor and control physical processes, devices, and infrastructure. The central part of OT is industrial control systems (ICS). IT, on the other hand, processes data. "It is worth choosing a cybersecurity partner that understands the business and industrial processes of the particular industry. For example, we need to focus on different issues in the pharmaceutical industry than the automotive industry,” Efrati says.

THE NECESSITY OF CYBER STRATEGY FOR COMPANIES

In addition to the state’s cyber strategy, companies also need their own strategy. According to Efrati, the strategy should involve figuring out what to do "in normal times" and how to act if there is a cyberattack. "When it happens, you can't just go to the sauna and wonder about what to do then," he smiles. The company's cyber strategy must involve all employees.

Israel has invested in the prevention of cybercrime. The country has an emergency number, 119, in place 24 hours a day, which anyone can call if they suspect that they have been the target of a cyberattack. The Israeli cybersecurity team CERT is informed of the attack through the emergency number and can prepare for it. The emergency number has received hundreds of calls per day at its peak. "This is how information about attacks spreads quickly. Preventing cybercrime saves money."

Efrati has often visited Finland. According to him, Finland and Israel are among the top five countries where cyber security is concerned. “Finland understood the need to prepare in advance, as Russia is a neighboring country. I believe Finland is an important target for the Russians." Finland is interesting because cryptanalysis and mathematics are very advanced in the country.

Cybercrime can be roughly classified into two categories according to its purposes. In ransomware attacks, access to critical databases is blocked and money is demanded. Another goal for attackers may be, for example, to harm the industry. Governments can also spread ransomware for money. “North Korea reportedly distributes malware for profit purposes.”

According to a press release issued by the Finnish Security Intelligence Service, Supo, at the end of September, Finland is particularly interested in China and Russia. With its leading 5G technologies, Nokia is a fascinating target for foreign spies and competitors. "We need to remember that 5G technology networks involve billions of components." According to Efrati, Nokia's cybersecurity is highly advanced. He also mentions Nixu as another example of a high security company in Finland.

More and more devices will be connected via the internet in the future, and the importance of security will be emphasized. "The internet was not originally built to be safe. If it were up to me, the internet would have to be completely rebuilt. In addition to security, privacy features should also be improved."

A LONG CAREER IN INTELLIGENCE

Efrati served for more than 28 years in the Israeli Defense Forces, for the most part in the intelligence unit 8200. He remained in the reserve as a brigadier general in the late '90s and began to ponder cyber affairs. At the same time, Shin Bet, Israel's internal security service, identified cybercrime as a major threat. Israel established the National Information Security Authority (NISA) in 2003.

"It was unprecedented for state intelligence to be responsible for the cybersecurity of critical infrastructure, which is a civil matter. The security services, therefore, acted as an industry regulator. This cannot happen in other countries. Things are different for us in Israel. I don't mind monitoring Shin Bet's security services. I'm happy to collaborate with them."

At the beginning of 2012, Efrati was the founder of the Israeli state cyber agency INCB and worked as the head of civil affairs. The office was responsible for 99% of the country's cyber affairs. The office later changed its name to the Israeli State Cyber Directorate INCD. After a few years, the brigadier general switched to the business world.

There was a significant change in Israel in the summer of 2021 when long-time Prime Minister Benjamin Netanyahu was forced to step down and was replaced by Naftali Bennett. Despite the change of government, the matter remains on the agenda. “Israeli politicians understand how important cybersecurity is."

Over the years, Efrati has come to one conclusion: Cyber security is part of the business. Without cybersecurity, a business will cease.

RAMI EFRATI
Managing Partner

Brig. Gen. (Res.) Efrati has served in the Israel Defense Forces for more than twenty-eight years and held numerous prestigious operational and technological positions in Military Intelligence. Mr. Rami Efrati is an expert in Cyber Strategic Methods and has many years of experience in anti-terrorism and intelligence technology. Mr. Efrati is one of the founding members and former Head of the Civilian Division of the Israel National Cyber Bureau in the Prime Minister’s Office. Mr. Efrati is currently involved in international-level strategic projects for cyber-security and innovation. Mr. Efrati has over 20 years of civilian experience and has been involved in entrepreneurial activities with both start-up and established companies in the Cyber-Security, High Tech and Bio-Technology sectors.



Amazon AWS as the platform of Suomi.fi web service reflects the role of tech giants // Cyberwatch Finland

Electronic Frontier Finland (Effi), an organization which promotes digital rights, has appealed to the Helsinki Administrative Court over DVV’s decision not to disclose how the data of Finnish users is protected on Amazon’s service. Amazon Web Services (AWS) is the world’s largest cloud service. Its server centres are located around the world, including in the European Union.

From the cyber security point of view, the implementation of the Suomi.fi web service is a prime example of a sound operating model. It utilises an excellent cloud platform in which important information is encrypted with a separate layer of encryption. In principle, all cloud services provided by external service providers should be treated as unsafe, and additional encryption of information should always be ensured. The AWS platform obtained through the central government’s ICT service provider Valtori can be assumed to adhere to the Criteria for Assessing the Information Security of Cloud Services (PiTuKri). It should therefore be adequate for the use of the central government.

Restricting the publication of operating models and the related security practices is part of sound security policy, but Effi’s concern over the security and implementation of the encryption practices is also valid. The technical implementation of encryption and encryption key management are important when a high level of security is required from the service. Another matter entirely is whether moving the Suomi.fi service out of AWS would improve protection against governmental intelligence operations.

The Suomi.fi service also has an important symbolic significance. The fact that the Finnish government’s central information service is reliant on an American cloud service emphasises the critical role and reality of tech giants in the present time. Could a Finnish data center or cloud platform be used instead? Could authorities serve as a responsible example in utilising Finnish or at least European services?

Amazon AWS as the platform of the Suomi.fi web service reflects the role of the tech giants // Cyberwatch Finland

Electronic Frontier Finland (Effi ry), which advocates for people's rights in the digital world, has appealed to the Helsinki Administrative Court against the decision of the Digital and Population Data Services Agency (DVV) not to disclose how Finns' data is protected in Amazon's service. Amazon Web Services (AWS) is a US-based cloud service platform, the largest in the world. It has data centres around the world, including within the EU.

From a cyber security perspective, the implementation of the Suomi.fi web service, which uses a cloud platform with excellent availability while encrypting important data itself with separate encryption, is a recommended operating model that should be used more widely. As a starting point, all cloud services from an external service provider should be treated as insecure, and the separate encryption of data should therefore be handled by the user itself. The AWS platform procured through Valtori, the central government's ICT service provider, can be assumed to comply with PiTuKri, the criteria for assessing the security of cloud services, and thus to be adequate for central government use as well.

Restricting the publication of operating models and the related protection practices is part of good and justified security practice, but Effi's concern about the security and implementation of the encryption practices is also valid. The technical implementation of encryption and the encryption key management process matter when a high level of security is required of a service. An entirely separate question is whether moving the Suomi.fi service away from a US service would improve protection against state intelligence.

The Suomi.fi service also has great symbolic significance. The fact that a central information service of the Finnish state runs on a US cloud service reflects the critical role and reality of the technology giants at this time. This raises the question of whether the Suomi.fi web service, which is intended purely for national use, could not be run on a domestic, secure data centre and cloud platform designed from the outset for use by Finnish authorities. Could the authorities set an example as users of domestic, or at least European, services?


RANSOMWARE ATTACKS MIRROR THE CYBERCRIME ECOSYSTEM’S DEVELOPMENT // Cyberwatch Finland

The development of ransomware and of the groups operating it indicates that cybercrime is developing into a wide and diverse business. The groups have developed different negotiation and pricing strategies to maximise the attacks’ profits. There are indicators that some groups have hired experts to estimate the target business’ finances and solvency or its cyber insurance in order to score the largest possible ransom. If an insurance company reimburses the ransom, it is possible to obtain larger sums of money through blackmail.

Even though it is not yet clear whether artificial intelligence has been used in attacks, its future use in such cases is probably only a matter of time. Ransomware and related products and services can already be diverse automated packages. For now, the worst kind of destruction is achieved through carefully targeted and partially automated attacks in which the attack is still steered by a human. The automation of attacks and the ability of ransomware to adjust automatically to the target’s environment or to destroy backups are steps toward artificial intelligence development. One potential development is that attackers will plan assaults and ransom demands according to the target company’s share price.

The difference between investments in cyber security and in cyber attacks is growing because of attackers’ potentially huge developmental resources. The role of insurance companies and cyber insurance will be emphasised. Companies must encrypt their most important information and secure offline backups. The United States’ announcement on using military cyber forces for counterattacks may reduce ransomware attacks, at least momentarily.

Ransomware attacks reflect the development of the cybercrime ecosystem // Cyberwatch Finland

The development of ransomware and of the groups operating it reflects cybercrime's evolution into a broad and diverse business. The groups have developed various negotiation and pricing strategies to maximise the proceeds of their attacks. There are signs that some groups have hired experts to assess the target company's finances and ability to pay, or its possible cyber insurance, in order to estimate the maximum ransom. If an attacker knows that the insurance company will cover the ransom, it can extort larger sums than it otherwise would.

Although it is not yet known that actual artificial intelligence solutions have been used in attacks, their use as part of an attack is probably only a matter of time. Attack programs, products and services can already be versatile automated packages. For now, the greatest destructive effect is achieved with precisely targeted and partly automated attacks in which a human still steers the attack. The automation of attacks and the ability of malware to adapt automatically to the target's environment, or to destroy backups, are steps towards artificial intelligence development. One potential direction of development is that attackers will target their strikes and ransom demands on the basis of the target company's share price development and the related disclosures.

It is apparent that the gap between investments in cyber protection and in cyber attacks is growing, as the attackers' development resources are potentially enormous. The role of insurance companies and cyber insurance will be emphasised. Companies must take care to encrypt their most important data and to secure offline backups. The United States' announcement that it will use military cyber forces for counterattacks may reduce ransomware attacks, at least momentarily.

Image: https://blog-assets.f-secure.com/wp-content/uploads/2021/03/30120359/attack-landscape-update-h1-2021.pdf
https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside-the-ransomware-negotiation-economics/


An insider risk may be even greater than an outside threat in information operations // Cyberwatch Finland

American Robert Willis has revealed that he is “Hacker X”, a previously anonymous person who was described by former White House Chief Information Officer Theresa Payton in her book Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth. Willis revealed how he had participated in building a huge fake news machine, which had advanced Donald Trump’s candidacy, political propaganda and false medical information regarding the Covid-19 pandemic and vaccinations. Willis also states that the news has given too much credit to Russia for the election’s information operations, when in fact the whole system for manipulating human conceptions and psychology was designed and carried out inside the United States. An outside threat is an easy scapegoat and a strong lever for achieving one’s own political aims. The fact that the people behind the system’s manipulation are the country’s own citizens puts the United States in an awkward position. The case highlights that in information operations an insider risk may be a bigger threat than one from outside. The emergence of Willis brings up the media’s vulnerability to intentional manipulation and it also highlights how effective and dangerous information operations can be. The case also forces us to re-evaluate the reliability of news and public sources in forming a general understanding about a situation. By following mainstream media, one can easily come to wrong conclusions. In Finland, the National Emergency Supply Agency is launching a project focused on recognising and preventing information operations. A preliminary report on preventing information operations has been published in Finnish. The report will function as a starting point for building the new information security skills centre function.

SORRY FOLKS, ONLY IN FINNISH! #STRATEGIA22
11.1.2022, 13:00–16:00: Leading a digitally secure company through strategy.


In information operations, the insider risk may be even greater than the external threat // Cyberwatch Finland

American Robert Willis revealed that he is “Hacker X”, a previously anonymous person whom the former White House head of information security Theresa Payton described in her book Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth. Willis revealed how he had been involved in building a huge fake news machine which had, among other things, advanced Donald Trump’s candidacy, political propaganda and false medical information relating to the Covid-19 pandemic and vaccines. Willis also states that the news has given Russia too much credit for the information operations around the elections, when the whole system for manipulating people’s perceptions and psychology was designed and implemented inside the USA. An external threat is an easy scapegoat and a strong lever for achieving one’s own political ends. The fact that the people behind the manipulation of the system turn out to be the country’s own citizens puts the United States in an embarrassing light. The case underlines that in information operations the significance of insider risk may be even greater than that of an external threat. Willis’s coming forward highlights the vulnerability of the media field to purposeful manipulation and how effective and dangerous information operations are. The case also forces a re-evaluation of the reliability of news and public sources in forming a situational picture. By following one-sided media, one easily arrives at wrong conclusions. In Finland, the National Emergency Supply Agency is launching a project focused on identifying and countering information operations. A preliminary study on the project, Informaatiovaikuttamisen torjunta (Countering information operations), has been published, and the new information security competence centre function will be built on its basis.

https://en.wikipedia.org/wiki/Robert_Willis_(hacker)
https://books.google.fi/books/about/Manipulated.html?id=2D7QDwAAQBAJ&redir_esc=y
https://arstechnica.com/information-technology/2021/10/hacker-x-the-american-who-built-a-pro-trump-fake-news-empire-unmasks-himself/

SORRY FOLKS, ONLY IN FINNISH! #STRATEGIA22
9.3.2022, 13:00–16:00: Security as a strategic competitive advantage for a responsible company.


STRATEGIC CYBER SECURITY YEAR 2021 IN FINLAND // Cyberwatch Finland

The year of uncertainty, vaccinations and hybrid work is soon turning to a third new year affected by the coronavirus. This unusual time has forced companies and organisations to re-evaluate their processes, operations, leadership style and continuity plan, in which cyber security plays a significant part. A good example is the Covid Digital Game Changers Task Force project established by the Confederation of Finnish Industries. The project identified six essential themes that will change business and working methods, one of them being the Digital Way of Working and Cyber Security. The Digital and Population Data Services Agency continued its persistent work on advancing digital and cyber security in Finland. The TAISTO exercise was awarded the Year’s Best Information Security Service title by the Finnish Information Processing Association, TIVIA. Another service that should be recognised is the Suomi.fi guides for victims of a data leak, produced by the Digital and Population Data Services Agency.


The unusual time has also seen exceptionally good reports and studies. A preparatory study by Digipooli and KPMG on the state of cyber security in Finland in different fields from management’s point of view was initiated in the winter of 2019-2020 and was finally published in October 2020. The most central observation was that companies where management guides cyber strategy as part of the company’s overall strategy and risk management are better prepared for cyber attacks and are more likely to survive them. In autumn 2021, Digipooli’s #STRATEGIA22 project sought answers regarding the significance of digital and cyber security elements in business strategy. The study found shortcomings in forming situational pictures and communicating them, as well as in implementing strategies. On a positive note, digital and cyber security has been identified as a competitive advantage, especially when the requirement is a certified and safe supply chain. This project continues next year, and its final report will be published in March at the Cyber Security Nordic event. There is still a lot of work to be done. Implementing digital and cyber security in a business environment as a strategic element requires comprehensive observation of the scheme of things, changing digital and cyber security culture as well as business risks. As the rate of change keeps increasing, the importance of anticipation is emphasised. Another interesting and important project is the National Emergency Supply Agency’s project on developing the recognition and prevention of information operations. A preliminary report on the project has been published in Finnish. The report is used as a basis for building the new information security skills centre function. Preparing for information operations is essential in digital security.

Finland’s strategic cyber security year 2021 // Cyberwatch Finland

The year 2021, a year of uncertainty, vaccinations and hybrid work, is soon turning towards a third year coloured by the coronavirus. The exceptional time has forced companies and organisations to re-evaluate their processes, operating models, management practices and business continuity management, in which cyber security plays a significant role. The Covid Digital Game Changers Task Force project, established by the Confederation of Finnish Industries, showed the way well. It identified six important themes that change business and ways of working, one of the central ones being the Digital Way of Working and Cyber Security. The Digital and Population Data Services Agency (DVV) continued its persistent work to advance digital and cyber security in Finland. The TAISTO exercises were recognised with the Information Security Service of the Year award from Tietoturva ry. The guides that DVV has produced for the Suomi.fi web service for citizens and organisations that have fallen victim to a data breach would also deserve recognition of their own. The exceptional time has also brought exceptionally good reports and studies. The background study on the state of cyber security in Finland in different sectors from the management’s point of view, commissioned by Digipooli from KPMG and begun in the winter of 2019-2020, was published in October 2020. The key finding of that review was that companies whose management commits to and steers cyber strategy as part of the company’s overall strategy and risk management are better prepared for cyber attacks and survive them. In autumn 2021, Digipooli’s #STRATEGIA22 project sought answers on the significance of digital and cyber security elements in business strategy. The study found shortcomings in forming a situational picture and communicating it, as well as in implementing strategy. On the positive side, however, digital and cyber security has been recognised as a competitive advantage, especially when a certified secure supply chain is required. The project continues next year, and its final report will be published in March in connection with the Cyber Security Nordic event. There is still much work to do, because digital and cyber security brought into the business environment as a strategic element requires a change in mindset and in digital and cyber culture, as well as comprehensive consideration of business risks. As the pace of change continues to accelerate, the importance of anticipation is emphasised further.


Cyberwatch Finland

A PASSION FOR A SAFE CYBER WORLD

We provide a situational picture and analysis of the ever-changing operating environment as a foundation for the development of cyber security of critical services and infrastructure.

We conduct a cyber risk analysis and use modern methods to support your organisation’s comprehensive risk management, including the implications of cyber security. You will also receive tailored and cost-effective solutions, for instance, for staff training and the implementation of the most effective practices and new technology. Through our international network of experts, we bring forth the best specialists and technologies in the industry to support your cyber strategy. Working together, we can create a cyber culture that minimises risks and strengthens your organisation’s resilience to crises. Cyberwatch Finland strengthens the resilience of your organisation and helps prevent costly cyber disasters


BENEFITS AND COMPETITIVE ADVANTAGES:

Improved situational awareness is the basis for better decision-making. Our clients can establish a holistic cyber security strategy, build situational awareness across the organisation, and take the necessary measures to build cyber resilience. We provide a comprehensive roadmap for a realistic cyber culture and cyber hygiene for your entire organisation. Our experts have the ability to interpret and present complex cyber world phenomena and developments in an easy-to-understand format, utilising the latest technology, easily adaptable methods, and various media formats. Our mission is to secure the functions of critical infrastructure as well as protect your organisation’s most valuable assets. We guide you to a solid cyber security culture that strengthens your organisation’s resilience to crises and reduces business risks. We provide a holistic understanding of the interdependence of people, practices and technology, and their development opportunities. We rely on the model of continuous improvement and boldly look for new business models.

COMPANY

Cyberwatch Finland’s strategic-level international expertise is based on experience and an extensive network of experts. Our mission is to be our clients’ most trusted partner. Therefore we are constantly looking for the best ways to create steady strategic cyber security roadmaps to ensure your cyber security at the highest possible level.

Cyberwatch Finland Oy • Meritullinkatu 33, 00170 HELSINKI FINLAND www.cyberwatchfinland.fi


Cyberwatch Finland

FORMULATING A DEPENDABLE CYBER SECURITY WITH A COMPREHENSIVE APPROACH

Strategic cyber expertise requires a holistic view and understanding of the interdependencies of people, practices and technology, and the opportunities for development that they offer. Skilful cyber management in a digital operating environment requires reliable strategic cyber situational awareness and a cyber risk analysis tailored for your needs.

With the use of roadmaps, designed to create a safer corporate culture, we train executive teams and governments to develop their as a part of comprehensive crisis management, overall security and to ensure future competitiveness. Cyberwatch Finland strengthens the resilience of your organisation and helps prevent costly cyber disasters.


OUR SERVICES

Cyber security strategies, risk analysis and roadmaps

We develop cyber security strategies, risk analyses and roadmaps for cities and municipalities, states, companies and organisations aimed at a safer corporate culture, based on extensive strategic expertise and experiences.

The end result of well-executed strategy planning, and implementation is resilience: an organisation’s stronger crisis resilience and defence against cyber attacks.

Strategic situational awareness to support management and decision-making

A cyber security risk assessment is done to help determine your organisation’s capabilities and limitations in detecting, preventing and responding to the evolving cyber threats.

Our expert reviews offer compact analyses of the most significant incidents in cyberspace, providing an extensive view of the background, cause and effect of each incident.

Modern education with e-learning and hybrid-learning methodologies

As a conceptual service, we produce monthly reviews, tailored seminars, webinars, games, workshops, podcasts and learning development solutions by utilising the latest technology and an international network of experts.

Cyberwatch forensic-services

Risk analysis is a key tool in facilitating your cyber security planning. Together, we begin by identifying risks, threats in your operating environment and vulnerabilities in your own organisation in order to be able to define the value and likelihood of the risk.

Cyberwatch Forensic assists companies and other organisations in preventing, detecting, and responding to fraud, compliance violations, and other misconduct. We offer you independent expertise, a clear operating model, and the level of support you want. With our long and extensive experience, we can help you reduce fraud and corruption risks and support you in investigating internal or external misconduct. We also offer you a full-service whistleblowing channel.

Strategic analysis and reports of the cyber world On the basis of a comprehensive strategy, a concrete roadmap and capacity building plan will be created. It defines how cyber security should be managed and how people should be trained, what technologies and best practices are needed, as well as all the other necessary practical actions and resourcing.

AI-powered analysis and information services based on our expertise

Innovative and unique cyber security technologies

We support our customers in building resilient critical infrastructure through services and technical solutions that meet the cybersecurity requirements at the highest level in the fast-changing world.


Cyberwatch Finland

QUARTERLY REVIEW

Q3 2021


CONTENT

1. Country-analysis – Turkey
2. Maritime cybersecurity
3. China’s cyber diplomacy
4. International rules of cyber influence

The third quarterly review of the year will be initiated by an analysis of the cybersecurity situation in Turkey. The management and organisation of cybersecurity is clearly organised in Turkey. The Ministry of Transport is responsible for the management of cybersecurity, alongside which civilian intelligence and the Turkish army's cyber forces are developing their own activities in close cooperation. However, Turkey's IT infrastructure is vulnerable, and it is constantly suffering from various cyberattacks. The new cybersecurity development program aims to improve the situation through new technologies and personnel training. As a NATO country, Turkey has the support of western powers behind it, even though its Islamist-led hacker groups have disrupted, for example, the last US presidential elections.

According to various estimates, the number of cyber-attacks on maritime transport has quadrupled in the past year. One influential factor is the reduction in air traffic caused by the pandemic and the emphasis on maritime transport in logistics chains. Maritime vulnerability against cyberattacks is the result of long-term digitalisation and increased inter-system automation. International maritime umbrella organisations have announced new cybersecurity requirements and set this year as a deadline for improving cybersecurity. Cybersecurity should be closely involved in overall security, from system design to lifecycle management.

China's cybersecurity market is growing strongly, which supports its superpower aspirations from an economic point of view. China is already using cybersecurity to support its superpower development as one of the tools of national security. China emphasises the sovereignty of information systems and transport, i.e., their national management rather than international, transparent management. China is seeking to establish international coalitions with countries that think the same way. The unpopularity of Chinese online technology in western powers has hampered international cooperation in cybersecurity.

Cyber-influencing between nations is a daily activity. All states use cyber influence in one way or another, and no international rules of the game have been established for its permitted and unauthorised use. Cyber-influencing is even seen as one form of warfare for which no common policies have been established in the same way as conventional warfare. States sometimes try to agree on the rules of the game of cyber influence, as they did in the summer at the meeting between Presidents Biden and Putin, but with poor results. Last July, UN-appointed working groups published the first proposal on the principles of cyber-influencing. The recommendations of the GGE working group have good potential to become the ethical rules of international cyber policy that have long been needed in the current cyberspace.


1. COUNTRY-ANALYSIS – TURKEY

1. The management and organisation of cyber security in Turkey is organised, at least in theory, effectively. However, society and business have not kept pace with digitalisation and successful cyber-attacks against public administration and business are ongoing.
2. NATO membership supports Turkey's efforts to improve the level of cyber security. However, the actions of Turkish cybercriminals against Western powers place Turkey in a contradictory situation from the perspective of Western powers.
3. There are several nationalist and Islamist-led cybercrime groups in Turkey. These are suspected of having links to the current state administration, which will enable the development of operating conditions also in the future. Foreign Islamist organisations have also recently led their cyber operations from Turkish soil.
4. Turkey's political goal is to become a regional superpower, which also requires the development of defence and offensive cyber capabilities as part of the armed forces development program.

Cybersecurity management and organisation in Turkey is, at least in theory, organised almost according to the textbook. The first national cybersecurity strategy was published in 2013 and has been steadily updated every three years. Data breaches and other cybercrime were criminalised for the first time already at the beginning of the millennium and the current data protection legislation entered into force in 2016.

The implementation of cybersecurity in Turkey is led by the Ministry of Transport and Infrastructure. It has the highest responsibility for coordinating cybersecurity, although civilian intelligence and the Turkish army's cyber forces operate more independently than other government organisations. Turkish cybersecurity software production and other business activities also work in close cooperation with the Ministry of Transport.

Despite the clarity of leadership and organisation, Turkey is constantly suffering the damage caused by various levels of cyber-attacks. Building cyber defence has not kept pace with the fierce digitalisation process. In 2020, ransomware attacks in Turkey increased by more than 80% compared to the previous year, and the number of cyberattacks is also growing rapidly. Last March, the personal information of more than a million city dwellers with their personal IDs was stolen from the information systems of the city of Konya. During the same month, the customer database of a Turkish food chain was published on the dark web.

To improve the situation, a three-year cybersecurity development programme was launched in Turkey last year. The programme focuses on improving cybersecurity in three areas. The first objective, the safeguarding of critical infrastructure and the management of incidents on a 24/7 basis, requires the operation of a monitoring and management centre in constant readiness. A National Cybersecurity Intervention Center with 150 experts has already been set up in Turkey. The second objective is to develop and deploy new technology solutions to enhance cyber defence. Artificial intelligence, big data and robotics are areas that are hoped to help make cyber defence more efficient.
Turkey's active software industry produces solutions for cyber defence needs, and the country also strives for self-sufficiency in more traditional network surveillance and cybersecurity. Improving the competence and cyber awareness of personnel is the third objective of the development programme. The aim is to improve competence through degree-leading training programmes and targeted training. Today, two larger cybersecurity conferences are being held in Turkey by the state administration, and efforts are being made to increase the number of them. Efforts will also be made to increase cyber defence exercises involving both public administration and private sector organisations. As a NATO country, Turkey has been well placed to develop its cyber defences in line with international requirements and objectives. Cyber has been elevated in the Turkish army to its own defence branch, as one of the five domains of warfare, in accordance with modern doctrines. Cyber warfare is led by the Turkish Army's Cyber Defence Command (CDC), which is manned by experts from all service branches. The CDC also cooperates actively with the Turkish Ministry of Transport and cyber organisations from other NATO countries. NATO-led cyber defence and its good links with civilian cyber organisations have not been able to reduce cybercrime in Turkey. Several Islamist-led factions, including Ayyıldız Tim and Anka Neferler, have carried out several cyberattacks on both Turkish and international targets. Last year, Anka Neferler attacked the servers of the Greek government in retaliation for the anti-Turkish statements made by Greece. Turkish factions are also cooperating with Iranian cybercriminals, such as the APT35 group. Turkey received questionable attention in connection with the US presidential elections as the only NATO country to try to influence the outcome of the elections through cyber activities. 
Turkish cyber proxy RootAyyıldız broke into the website of then-presidential candidate Joe Biden. Biden's website was filled with images and writings praising Turkish President Erdogan, and the texts called for the United States to stop influencing Turkey's domestic politics. The United States has openly funded right-wing and Kurdish parties operating in Turkey. According to some sources, the RootAyyıldız group is linked to the administration of President Erdogan, who openly supported Trump's re-election as president of the United States at the time of the election.

Turkey's multicultural background has also enabled foreign extremist organisations to operate on Turkish soil. At the end of last year, there was widespread news that the Palestinian organisation Hamas had quietly established its own cyber warfare command centre in Turkey. When the project was revealed to Western intelligence, the Turkish regime said Hamas acted without its knowledge. The Istanbul-based command centre has not participated in the actual operations but has been tasked with coordinating Hamas' cyber warfare resources and leading strategic planning. The Hamas case is a good example of how extremist organisations have the opportunity to create a playing field on the soil of a state government that is at least partially favourable to them.

Turkey is well placed to improve the level of its cyber defences. The action is clearly organised and, as a NATO country, receives support from the United States and other Western countries. However, nationalist and Islamic-oriented cybercrime groups will strain Turkey's efforts to become a model country for cybersecurity. Criminal groups operating partly under state protection, as well as foreign extremist organisations, can develop their opportunities for action from Turkish soil. Rapid digitalisation also poses its own challenges for the cybersecurity of society and business in the future.

SOURCES:
https://www.dni.gov/index.php/newsroom/reports-publications/reports-publications-2021/item/2192-intelligence-community-assessment-on-foreign-threats-to-the2020-u-s-federal-elections
https://nordicmonitor.com/2021/03/us-intelligence-community-marked-turkish-cyber-attack-on-bidens-campaign-site-as-a-bid-to-influence-us-elections/
https://www.bloomberg.com/news/articles/2020-12-23/europe-s-human-rights-court-hit-by-cyberattack-after-turkey-case
https://www.aa.com.tr/en/science-technology/turkey-malware-attacks-up-81-in-2020/2105600
https://www.dailysabah.com/turkey/investigations/cyberattack-steals-info-of-one-million-in-turkeys-konya
CCDCOE, National Cybersecurity Organisation: Turkey, 2021.

2. MARITIME CYBERSECURITY

1. According to various estimates, the number of cyber-attacks on maritime transport has quadrupled in the past year. The world's leading shipping companies and ports have suffered significant financial losses as a result of cyberattacks.
2. The vulnerability of shipping against cyberattacks is the result of long-term digitalisation. The situation is broadly similar to the IT/OT environment of industrial automation, where special maritime systems and the modern IT environment have been merged and made accessible to public networks.
3. The UN maritime agencies have strongly recommended that cybersecurity be integrated into the safety management system. According to the recommendation, maritime parties should audit their level of cyber security annually from the beginning of this year.
4. There is still confusion and shortcomings in the international guidance of cybersecurity, which create a risk that implementing cybersecurity will be a one-off effort.

The importance of maritime transport in global logistics operations has increased as a result of the pandemic and the decrease in air traffic. Shipping is part of critical infrastructure, the disruption of which significantly hampers other functions of society. The interruption of maritime traffic in the Baltic Sea has been identified in Finland's national risk assessment as one of the worst threat scenarios. At the same time, according to various estimates, the number of cyber-attacks on maritime transport has quadrupled. Shipping companies’ security chiefs have named maritime disruption due to a cyberattack as the second most significant maritime risk after natural disasters.

Maritime transport and its support functions, such as ports, shipping companies and shipyards, are increasingly dependent on information systems and their undisturbed operation. The information networks of the maritime parties and the various sensors connected to them communicate with each other automatically, so that the complex whole comes to resemble an industrial automation system, with its cybersecurity challenges.

The shipping industry has suffered extensive damage in recent years as a result of cyberattacks. In the Indian Ocean in particular, pirates have misled ship navigation systems (GPS spoofing), which has allowed vessels to deviate from their routes to an area where the vessel has subsequently been invaded. All four leading container shipping companies in the world, Moeller-Maersk from Denmark, MSC from Switzerland, CMA-CGM from France and COSCO from China, have been subjected to cyber-attacks and ransomware in less than two years. The reported cost of NotPetya ransomware was about $300 million for Moeller-Maersk. Last July, cybercriminals crashed the information systems of several South African ports, after which the ports were forced for several days to transfer operations to much slower manual controls.

The vulnerability of shipping against cyberattacks is the result of long-term digitalisation. Information systems have been developed in accordance with specific maritime requirements, resulting in some degree of divergence in the sector's system development from information systems in other sectors. Development work has begun in an era when cybersecurity was not as big a problem as it is today. For example, there were originally no plans for encrypting communications systems (e.g., navigation).

The situation is very similar to the problem area of industrial automation, where digitalisation has put us in a previously unknown situation. Automation systems (OT) and office IT systems (IT) have merged and networked with each other, and previously closed networks are also connected to the Internet. Building security solutions afterwards has been laborious and time consuming, although the solutions themselves have been simple. For example, the 2019 U.S. Coast Guard recommendation to improve cybersecurity included five points: 1) segment computer networks, 2) use only personal user accounts, 3) do not use unknown USB flash drives, 4) install antivirus software, and 5) install security updates. These are basic issues that have not come to the fore in cybersecurity audits for years.

Another factor that increases vulnerability is the low cybersecurity expertise and awareness of the personnel.
According to an international survey conducted in 2019, a third of all successful cyberattacks on maritime traffic were the result of staff's inability to detect and combat cyberattacks. Most of the successful attacks were malware and phishing attacks carried out using either emails or fake websites, which allowed cybercriminals to gain access to users' passwords. In other words, the end user has very often fallen into the usual trap of clicking a link in a dubious email or on a dubious website. Cybersecurity has only recently found its way into staff security training, which is expected to improve the state of cybersecurity in this regard.

The International Maritime Organization (IMO), a UN-led international maritime organisation focusing on technical maritime issues, began publishing its first recommendations on cyber risk management in the late 2010s. According to these recommendations, maritime parties should consider cyber safety as part of the safety management system and audit the level of cyber safety in annual safety audits from 2021 onwards.


The framework for the audit of cybersecurity has not been precisely defined, but the IMO names as options, for example, ISO 27001 and the Guidelines on Cyber Security Onboard Ships, prepared by eleven maritime organisations. The latter document is a guide tailored to the shipping industry, presenting a variety of options for implementing cybersecurity. The document takes better account of the IT/OT environment than the ISO standard, for example, but is instructive in nature rather than a list of requirements like the ISO standard. If a shipping company already has an ISO quality system in place, security management processes exist and cybersecurity considerations are easier to incorporate. In any case, a major task lies ahead if cybersecurity practices and the necessary security controls have not been implemented in the past. Cybersecurity and quality control certification bodies have developed their own service packages to assess and improve the level of cybersecurity.

Shipping is a good example of an industry that combines the criticality of uninterrupted operations with cybersecurity challenges that have developed over a long period of time. It is precisely these kinds of environments that are of interest both to cybercriminals seeking easy money and to government entities planning hybrid influence. Although more effort is now being made in cybersecurity, the industry's cybersecurity frameworks and auditing mechanisms are mainly recommendations and guidance. In central government and the financial sector, for example, the requirements are considerably more unambiguous, and they are also easier to implement because they leave no room for differences of interpretation. Due to the deadlines set for 2021, there is a risk that cybersecurity will be seen as a one-off effort and will not achieve a permanent position in the annual calendars of security management.
Cybersecurity should be integrated into maritime information systems through so-called security by design thinking, which considers the implementation of security mechanisms on a risk basis already at the planning stage and requires regular assessment of the systems' level of security at all stages of their life cycle. Future visions of self-driving ships require a permanent increase in the level of cybersecurity.

SOURCES:
https://safety4sea.com/category/smart-parent/cyber-security/
https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf
https://www.traficom.fi/fi/ajankohtaista/tilaisuudet/merenkulun-kyberturvallisuustilaisuus-1192020
http://www.emsa.europa.eu/
https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf
Androjna, A. et al. (2020). An Overview of Maritime Cyber Security Challenges. Conference paper. https://www.researchgate.net/publication/344461659

3. CHINA’S CYBER DIPLOMACY

1. China has a determined ambition to become the world's leading superpower in all areas. China's digitalisation has happened faster than in most Western countries. Indeed, China sees digitalisation, and cybersecurity as part of it, as an important channel for achieving its economic and technological goals.
2. China's national security legislation allows the widespread use of cybersecurity methods in both domestic and foreign policy. In domestic politics, the Communist Party uses cybersecurity to keep the political climate conducive to the current regime. Cyber stability and attacks are part of a range of foreign policy tools if they can support national security objectives.
3. China is strongly advocating state-centred sovereignty over the management of information networks, which is already reflected in restrictions on internet use. China is seeking to create a coalition of like-minded states to strengthen its cybersecurity policies.
4. China supports the development and internationalisation of private cyber and ICT companies to boost the country's economic growth and strengthen its technological position. However, Chinese technology has not been approved for ICT infrastructure in several Western powers due to cybersecurity issues. The confrontation has led to Chinese foreign policy reactions, making it difficult to promote East-West relations in other areas, as well as possible cooperation in cybersecurity.

China's rapid internationalisation and the significant rise of its science and technology have brought significant geopolitical and economic consequences. China's development in network and cyber technology is also reflected in the global cybersecurity landscape. Digitalisation has been soaring, and China currently has the highest number of Internet users in the world. In addition, the fast-growing digital economy is generating Chinese tech giants such as Huawei, Alibaba, and Baidu, which are increasingly capable of competing in the global technology market.

China's cybersecurity market is currently worth about $25 billion a year, representing an estimated 10% share of the world market. However, the Chinese market is projected to grow relatively faster each year than the rest of the world over the next five years, so that China would already represent almost 40% of the global cybersecurity market in 2026. Chinese cybersecurity companies such as Qi An Xin, Qihoo and ThreatBook are still quite unknown around the world compared to their Western competitors. The companies produce both traditional and more advanced cybersecurity solutions, for the domestic market of course, but also for a wide area of the Far East. Many companies have offices in countries such as Singapore and Malaysia, and the trend is also towards Europe and the United States. Chinese cybersecurity companies are constantly catching up with the West, both economically and technologically, thus supporting China's efforts to achieve superpower status.

In China, as in any one-party system, the line between the private sector, political life and the state is blurred. The Chinese Communist Party, intertwined with state organisations and bodies, uses cybersecurity to support the party's ideals and to silence opposing threats. For example, social stability and public order, safeguarding Chinese culture, and eliminating phenomena that threaten these are objectives of Chinese national security law.
To secure these, the Communist Party can use all the resources of the state, including cybersecurity experts and methods. The state's grip on private companies is firm, making private sector resources indirectly available to these objectives as well.

China is well known for its capabilities in cyber espionage. Espionage capabilities are exploited against both external and internal targets. External targets, i.e., the administrations and private sectors of other countries, are spied on in the name of national security. National security is understood broadly in China and includes the economic and technological capability to achieve the country's development goals. In China's internal activities, the main target of espionage is dissidents, whose movements are anticipated in order to prevent the emergence of anti-regime factions.

China has a strong ambition to maintain and further strengthen its sovereignty over the management of information networks. While the United States, Europe and other Western states emphasise the openness of the Internet, individual participation, and freedom of expression, China defends a greater role for sovereign states in internet management. China justifies its view that the influence of sovereign states should be increased by pointing to the increasing dissemination and promotion of anti-state material. China is not alone in its thoughts. The closest of the major countries to this idea is Russia, which has long had the construction and deployment of a national Internet under way. Despite the same starting points, China's and Russia's objectives regarding open networks and cybersecurity are different. While China harnesses cybersecurity to guarantee national security and build its superpower status, Russia uses the cyber element more straightforwardly, for example in hybrid influencing and, in the context of international conflicts, as a tool for warfare. China is seeking closer international cooperation with countries that are prepared to use Chinese network technology and which do not criticise China's foreign policy. Such countries can be found on almost all continents, especially Africa and South America.

Relations between China and the Western powers have always been more or less tense. Right now, we're living in highly tense times. The United States has been in a trade war with China for a long time, and over the past year the EU has again expressed its concern about China's climate and human rights issues. In addition, the EU wants to have stricter control over China's efforts to invest in European critical infrastructure such as ports and telecommunications. China has been soured by the rejection of 5G investments and Huawei by most European countries.
Its economic development on the world market rests partly on giant companies such as Huawei, and the weakening of commercial opportunities slows down China's superpower aspirations. Huawei has sought to dispel suspicions, for example through testing laboratories set up in Europe and available to its customers.

China is well placed to become the world's leading superpower in many areas, including cybersecurity. China's vast resources are capable of delivering world-leading technology solutions. However, China's social order and culture differ in many respects from those of Western countries, and it is challenging to find consensus on human rights, for example. Both sides are commercially and technologically promoting the dissemination of their own ideology to the world, making cooperation in areas such as cybersecurity more difficult. This is a pity, because closer cooperation would make it possible to fight international terrorism even more strongly, for example.

SOURCES:
Broeders et al. A coalition of the unwilling? Chinese and Russian Perspective on Cyberspace. The Hague Program for Cyber Norms Policy Brief. 2019.
Bozhkov, N. China’s Cyber Diplomacy: A Primer. EU Cyber Direct. 2020.
Segal, A. China’s Alternative Cyber Governance Regime. Council on Foreign Relations. 2020.
https://www.politico.eu/article/european-commission-ursula-von-der-leyen-state-union-2021-china-xi-jinping/

4. INTERNATIONAL RULES OF CYBER INFLUENCE

1. Transnational cyber influence takes place on a daily basis. It may be motivated, for example, by espionage, disruption of critical infrastructure or modification of the political climate. States often use surrogates, or proxies, to conceal the origin of an activity.
2. Attempts have been made to establish rules for cyber-influencing through discussions between countries, with poor results. The principles agreed between the two countries are not public, making it difficult to form comprehensive acceptance and commitment.
3. This year, UN working groups have published the first international rules of the game for cyber-influencing between countries. The rules of the game are partly high-level principles, but clear and concrete framework conditions have also been defined quite well. These principles are a good starting point for the future framework of international cyber policy.

Interstate cyber-influencing is a daily activity. States spy on each other on information networks, influence each other's political climate through social media, and carry out cyberattacks against other states' computer networks and critical infrastructure. Finland has also recently been hit by numerous cyberattacks, some of which have also been made public. For example, at the turn of last year, a cyberattack on parliament's information systems and MPs' e-mail accounts became public, as did a case of interference with a GPS tracking system the previous year. States often use surrogates, or proxies, to attack, partly in order to conceal the origin of the attack. Despite the use of proxies, the origin of an attack can most often be determined with near certainty.

All states use cyber influence in one way or another, and no international rules of the game have been established for its permitted and unauthorised use. Cyber-influencing is even seen as one form of warfare for which no common policies have been established in the same way as for conventional warfare. Where the Geneva Conventions very precisely define the boundary conditions of conventional warfare, such conditions have been completely absent from cyber warfare.

One of the few attempts to agree on the rules of the game for cyber-influencing and warfare took place last June at a meeting between Presidents Putin and Biden. It was preceded by a ransomware attack in the United States on Colonial Pipeline, whose fuel distribution network was halted due to the attack. The United States had traced the attacker to a Russian proxy operator. Putin and Biden were supposed to agree on the rules of the game for cyber influence, but the results have been slim so far. The countries agreed to enter mutual negotiations to establish rules of the game and to work together to investigate serious cybercrimes.
Biden is said to have given Putin a list of 16 critical infrastructure activities that should be left alone from cyber-influencing.

The United Nations, or UN, has set up two working groups, the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG), to define international principles for cyber-influencing. GGE was originally established in 2004 as a security coordination group for IT and telecommunications services. The group has 25 member states, selected for three years at a time. The current composition includes the most important major powers as well as, of the Nordic countries, Norway, and other neighbours such as Estonia. Since 2019, GGE has focused on transnational cyber-influencing and defining its policies. The official name of the group during the term ending this year is 'Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security'.


OEWG is a forum established in 2019 to support GGE's activities, and it is open to all UN member states. The forum can also be attended by representatives of business and academic research, and its purpose is to serve as a broader forum for discussion, including finding concrete practical solutions for the cyber protection of IT systems, for example.

The main objective of GGE's current mandate was to define international principles of transnational cyber-influencing and to publish them at the UN General Assembly in the summer of 2021. The working group accordingly published its final report and the principles contained therein at the UN General Assembly on 14 July 2021. The report states that societies are increasingly dependent on information technology and transport, and that both interstate cyber-influencing and cybercrime threaten people's well-being and social stability. The fairly up-to-date report describes various threats to the cyber environment and their specific characteristics, such as the so-called attribution problem of a cyberattack, i.e., the difficulty of identifying the origin of a cyberattack. The report also emphasises the possibility of conducting cyberattacks from anywhere in the world, the factor that most clearly distinguishes cyber warfare from traditional warfare.

The report contains 11 policy principles ("norms"). While the Geneva Conventions mainly focus on the principles of intergovernmental military action, the standards defined by the GGE also emphasise transnational cooperation to combat non-state actors such as terrorists and cybercriminals. The principles encourage the exchange of information between states in order to prevent and investigate cybercrime and to provide key assistance for the construction of cyber defence. The personal cybersecurity of citizens has been mentioned separately, and it has been stated that human rights and the protection of privacy must be respected as part of cyber influence.

The GGE principles address the use of proxy groups and prohibit states from supporting or cooperating with cybercriminal groups. Critical infrastructure and logistics chains have been specifically mentioned as prohibited targets of cyber-attacks. Citizens must be able to rely on society and its vital functions without disruptive cyber-influences. Critical infrastructure is understood in slightly different ways in different countries and, for the sake of clarity, the GGE report lists separately, for example, health, energy production and transmission, water and waste management, education, and the parliamentary electoral system. The GGE principles also oblige States to protect their critical infrastructure by the necessary methods to counter cyberattacks and ensure the smooth operation of the infrastructure. In addition to critical infrastructure, GGE's principles place national cybersecurity centres and their CERT functions off-limits to cyber influence. At the same time, the use of CERT functions in cyber-influencing against another country is also prohibited.

The principles of GGE's cyber-influencing have received surprisingly little attention. They are partly high-level general objectives, but the work has also succeeded in developing quite detailed definitions of the rules of the game for cyber-influencing. Of particular note is the threat posed by non-state actors to critical infrastructure identified by the GGE and the call for transnational cooperation to minimize such threats. The principles of the GGE have good potential to become the ethical rules of international cyber policy that have been needed for a long time in the current cyber environment. However, they are in no way legally binding; they are recommendations that can be followed or not followed. What is significant, however, is that a political consensus has been reached on such far-reaching recommendations.
SOURCES:
https://dig.watch/processes/un-gge
United Nations – General Assembly. Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security. 14.7.2021.
United Nations – General Assembly. Open-ended working group on developments in the field of information and telecommunications in the context of international security – Final Substantive Report. 10.3.2021.
https://fi.wikipedia.org/wiki/Geneven_sopimukset
https://www.reuters.com/world/wide-disagreements-low-expectations-biden-putin-meet-2021-06-15/


QUARTERLY REVIEW Q2/2021

CONTENTS
1. Country analysis – Turkey
2. Maritime cybersecurity
3. China's cyber diplomacy
4. International rules of cyber influence

The third quarterly review of the year opens with an analysis of Turkey's cybersecurity situation. The management and organisation of cybersecurity is clearly arranged in Turkey. Lead responsibility for cybersecurity lies with the Ministry of Transport, alongside which civilian intelligence and the Turkish army's cyber forces develop their own activities in close cooperation. However, Turkey's IT infrastructure is vulnerable and constantly suffers from various cyberattacks. The new cybersecurity development programme aims to improve the situation through new technologies and staff training. As a NATO country, Turkey has the backing of the Western powers, even though its Islamist-led hacker groups have disrupted, for example, the most recent United States presidential election.

According to various estimates, the number of cyberattacks on maritime transport has quadrupled within the last year. One contributing factor is the reduction in air traffic caused by the pandemic and the growing role of shipping in logistics chains. The vulnerability of shipping to cyberattacks is the result of long-term digitalisation and the growth of automation between systems. The international umbrella organisations of shipping have published new cybersecurity requirements and set the current year as the deadline for improving cybersecurity. Cybersecurity should be made an integral part of overall security, extending from the design of systems to the management of their life cycle.

China's cybersecurity market is growing strongly, which supports its superpower ambitions from an economic perspective. China also otherwise uses cybersecurity to support its development as a superpower, as one tool of national security. China emphasises the sovereignty of information systems and data traffic, that is, their national governance instead of international, open governance. China seeks to create international coalitions with like-minded states. The unpopularity of Chinese network technology in the Western powers has made international cooperation in the field of cybersecurity more difficult.

Cyber influence between states is an everyday activity. All states use cyber influence in one way or another, and no international rules of the game have emerged for its permitted and non-permitted use. Cyber influence is even seen as one form of warfare for which no common operating principles have been established in the way they have for conventional warfare. States occasionally try to agree on rules of the game for cyber influence among themselves, as at the meeting of Presidents Biden and Putin in the summer, though with weak results. Last July, working groups set up by the UN published the first proposal for principles of cyber influence. The recommendations of the GGE working group have good potential to become the ethical rules of international cyber policy that have long been needed in the current cyber operating environment.


1. COUNTRY ANALYSIS – TURKEY

1. The management and organisation of cybersecurity is arranged effectively in Turkey, at least in theory. However, society and business have not kept pace with digitalisation, and successful cyberattacks against public administration and business occur constantly.
2. NATO membership supports Turkey's efforts to raise its level of cybersecurity. However, the activities of Turkish cybercriminals against the Western powers place Turkey in a contradictory position from the Western powers' perspective.
3. Several nationalist and Islamist-led cybercriminal groups operate in Turkey. They are suspected of having links to the current state administration, which makes it possible to develop their operating conditions in the future as well. Foreign Islamist organisations have also recently directed their cyber operations from Turkish soil.
4. Turkey's political goal is to rise to become a regional great power; this also requires developing defensive and offensive cyber capabilities as part of the armed forces' development programme.

The management and organisation of cybersecurity in Turkey is, at least in theory, arranged almost by the textbook. The first national cybersecurity strategy was published in 2013, and the strategy has been updated steadily at three-year intervals. Data breaches and other cybercrime were first criminalised as early as the beginning of the millennium, and the current data protection legislation entered into force in 2016. The implementation of cybersecurity in Turkey is led by the Ministry of Transport (Transport and Infrastructure Ministry). It holds the highest coordinating responsibility for cybersecurity, although civilian intelligence and the Turkish army's cyber forces operate more independently than other state organisations. Turkish cybersecurity software production and other business also work in close cooperation with the Ministry of Transport.

Despite the clarity of management and organisation, Turkey constantly suffers damage from cyberattacks of various levels. The building of cyber defence has not kept up with the intense pace of digitalisation. In 2020, ransomware attacks in Turkey increased by more than 80% compared with the previous year, and the number of network attacks is also growing rapidly. Last March, the personal data of more than a million residents, including their personal identity numbers, was stolen from the information systems of the city of Konya. During the same month, the customer database of a Turkish food chain was published on the dark web.

To improve the situation, a three-year cybersecurity development programme was launched in Turkey last year. The programme focuses on improving cybersecurity in three areas. The first objective, securing critical infrastructure and managing incidents on a 24/7 basis, requires a monitoring and command centre that is in continuous readiness. One has already been established in Turkey: the National Cybersecurity Intervention Center, staffed by 150 experts.

The second objective is to develop and deploy new technology solutions that can make cyber defence more effective. Artificial intelligence, big data and robotics are areas from which help is hoped for in making cyber defence more effective. Turkey's active software industry produces solutions for the needs of cyber defence, and the country is aiming for self-sufficiency also in the more traditional areas of network monitoring and cybersecurity.

Improving staff skills and cyber awareness is the third objective of the development programme. The aim is to improve skills through degree programmes and targeted training. At present, two larger cybersecurity conferences are organised by the state administration in Turkey, and the aim is to increase their number. The aim is also to increase the number of cyber defence exercises in which both public administration and private sector organisations take part.


As a NATO country, Turkey has had a good starting point for developing its cyber defence in line with international requirements and objectives. In line with current doctrines, cyber has been raised in the Turkish army to a branch of defence in its own right, as one of the five domains of warfare. Cyber warfare is led by the Turkish army's Cyber Defence Command (CDC), which is staffed with experts from all arms of service. The CDC also cooperates actively with the Turkish Ministry of Transport and with the cyber organisations of other NATO countries.

NATO-led cyber defence and its good connections to the cyber organisations of the civilian administration have not been able to reduce cybercrime in Turkey. Several Islamist-led groups such as Ayyıldız Tim and Anka Neferler have carried out numerous cyberattacks on both Turkish and international targets. Last year Anka Neferler attacked servers of the Greek state administration in retaliation for anti-Turkish statements made by Greece. Turkish groups also cooperate with Iranian cybercriminals such as the APT35 group.

Turkey attracted questionable attention in connection with the United States presidential election as the only NATO country from which an attempt was made to influence the outcome of the election by cyber means. The Turkish cyber proxy RootAyyıldız broke into the website of then presidential candidate Joe Biden. Biden's website was filled with images and writings praising Turkish President Erdogan, and the texts demanded that the United States stop influencing Turkey's domestic politics. The United States has openly funded right-wing and Kurdish parties operating in Turkey. According to some sources, the RootAyyıldız group has a connection to the administration of President Erdogan, which openly supported Trump's re-election as President of the United States at the time of the election.

Turkey's multicultural background has also made it possible for foreign extremist organisations to operate on Turkish soil. Late last year it was widely reported that the Palestinian organisation Hamas had quietly set up its own cyber warfare command centre in Turkey. When the project was exposed to Western intelligence, the Turkish administration said Hamas had acted without its knowledge. The command centre located in Istanbul has not taken part in actual operations; its task has been to coordinate Hamas's cyber warfare resources and to lead strategic planning. The Hamas case is a good example of how extremist organisations are able to create operating conditions on the soil of a state administration that is at least partly favourable to them.

Turkey has good opportunities to improve the level of its cyber defence. Activities are clearly organised, and as a NATO country it receives support from the United States and other Western countries. However, nationalist and Islamist-leaning cybercriminal groups will burden Turkey's efforts to rise to become a model country for cybersecurity. Criminal groups operating partly under state protection, as well as foreign extremist organisations, are able to develop their capacity to operate from Turkish soil. Rapid digitalisation will also pose its own challenges to the cybersecurity of society and business in the future.
SOURCES:
https://www.dni.gov/index.php/newsroom/reports-publications/reports-publications-2021/item/2192-intelligence-community-assessment-on-foreign-threats-tothe-2020-u-s-federal-elections
https://nordicmonitor.com/2021/03/us-intelligence-community-marked-turkish-cyber-attack-on-bidens-campaign-site-as-a-bid-to-influence-us-elections/
https://www.bloomberg.com/news/articles/2020-12-23/europe-s-human-rights-court-hit-by-cyberattack-after-turkey-case
https://www.aa.com.tr/en/science-technology/turkey-malware-attacks-up-81-in-2020/2105600
https://www.dailysabah.com/turkey/investigations/cyberattack-steals-info-of-one-million-in-turkeys-konya
CCDCOE, National Cybersecurity Organisation: Turkey, 2021.


2. MERENKULUN KYBERTURVALLISUUS 1. Meriliikenteeseen kohdistuvien kyberhyökkäysten määrä on eri arvioiden mukaan nelinkertaistunut viimeisen vuoden sisällä. Maailman johtavat varustamot ja satamat ovat kärsineet tuntuvia taloudellisia tappioita kyberhyökkäysten vuoksi. 2. Merenkulun haavoittuvuus kyberhyökkäyksiä vastaan on seurausta pitkän aikavälin digitalisaatiokehityksestä. Tilanne muistuttaa pitkälti teollisuusautomaation IT/OT-ympäristöä, jossa merenkulun erikoisjärjestelmät ja nykyaikainen IT-ympäristö on sulautettu yhteen ja viety julkisten verkkojen ulottuville. 3. YK:n alaiset merenkulkujärjestöt ovat antaneet vahvan suosituksen liittää kyberturvallisuus kiinteäksi osaksi turvallisuuden johtamisjärjestelmää. Suosituksen mukaan merenkulun osapuolten tulisi auditoida kyberturvallisuutensa taso vuosittain kuluvan vuoden alusta lähtien. 4. Kyberturvallisuuden kansainvälisessä ohjauksessa on edelleen sekavuutta ja puutteita, joiden vuoksi riskinä on kyberturvallisuuden toteutuksen jääminen kertaluonteiseksi ponnistukseksi.

The importance of maritime traffic in global logistics has grown with the pandemic and the reduction in air traffic. Shipping is part of critical infrastructure, and its disruption significantly harms other functions of society. The interruption of maritime traffic in the Baltic Sea is named in Finland's national risk assessment as one of the worst threat scenarios. At the same time, according to various estimates, the number of cyber attacks against maritime traffic has quadrupled. Shipping companies' security managers have named the interruption of maritime traffic by a cyber attack as the second most significant maritime risk after natural disasters.

Maritime traffic and its support functions, such as ports, shipping companies and shipyards, are increasingly dependent on information systems and their undisturbed operation. The data networks of maritime stakeholders and the various sensors connected to them communicate with each other automatically, so the complex whole approaches an industrial automation system, with the cyber security challenges that entails.

The maritime sector has suffered extensive damage from cyber attacks in recent years. In the Indian Ocean in particular, pirates have deceived ships' navigation systems (GPS spoofing), causing vessels to deviate from their routes into an area where they were later boarded. All four of the world's leading container shipping companies, the Danish Moeller-Maersk, the Swiss MSC, the French CMA-CGM and the Chinese COSCO, have been targeted by network attacks and ransomware within just under two years. The reported cost of the NotPetya ransomware to Moeller-Maersk was about 300 million dollars. Last July, cybercriminals brought down the information systems of several South African ports, forcing the ports to switch operations to many times slower manual control for several days.
The maritime sector's vulnerability to cyber attacks is the result of long-term digitalisation. Information systems have been developed according to the special requirements of shipping, and as a result the sector's system development has to some extent diverged from the information systems of other sectors. The development work began in an era when cyber security was not as big a problem as it is today. For example, encryption was originally not designed into communication systems at all (navigation, among others). The situation closely resembles the problems of industrial automation, which digitalisation has brought into a previously unknown situation. Automation systems (OT) and office information technology systems (IT) have merged and become networked with each other, and in addition, previously closed networks are now connected to the Internet.

Building security solutions after the fact has been laborious and time-consuming, even though the solutions themselves have been simple. For example, the recommendation for improving cyber security issued by the United States Coast Guard in 2019 contained five points: 1) segment your networks, 2) use only personal user accounts, 3) do not use unknown USB memory sticks, 4) install antivirus software and 5) install security updates. These are basics that have not come up in, for example, cyber security audits for years.

Another factor that increases vulnerability is the staff's low level of cyber security skills and awareness. According to an international study conducted in 2019, a third of all successful cyber attacks against maritime traffic were the result of staff being unable to detect and repel cyber attacks. Most of the successful attacks were malware and phishing attacks carried out through e-mail or fake websites, with which cybercriminals obtained users' passwords. The end user has thus very often fallen into an ordinary trap, that is, clicked a link in a dubious e-mail or on a dubious website. Cyber security has only recently found its way into staff safety training, which is expected to improve the state of cyber security in this respect.

The International Maritime Organization (IMO), the UN agency focused on the technical questions of shipping, began publishing its first recommendations on cyber risk management in the late 2010s. According to these recommendations, maritime stakeholders must take cyber security into account as part of the safety management system and audit the level of cyber security in the annual safety audits from 2021 onwards. The framework for the cyber security audit has not been precisely defined, but IMO names as options, for example, the ISO27001 standard and The Guidelines on Cyber Security Onboard Ships, a handbook drawn up by eleven maritime organisations. The latter document is a guide tailored to the maritime sector that presents various options for implementing cyber security.
The document takes the IT/OT environment, for example, into account better than the ISO standard, but it is by nature more of a guide than a list of requirements like the ISO standard. If shipping companies have an ISO quality system in use, the safety management processes already exist and taking cyber security into account more comprehensively becomes easier. In any case, a major undertaking lies ahead if cyber security practices and the necessary security controls have not been implemented before. Certification bodies for cyber security and quality control have developed their own service packages for assessing and improving the level of cyber security.

Shipping is a good example of a sector that combines the criticality of uninterrupted operation with cyber security challenges that have developed over a long period. Precisely these kinds of environments interest both cybercriminals seeking easy money and state actors planning hybrid influence operations. Although more is now being invested in cyber security than before, the sector's cyber security frameworks and audit mechanisms are mainly recommendations and indicative guidelines. In government administration and the financial sector, for example, considerably more unambiguous requirements are in use, which are also easier to implement because there are no disagreements over interpretation. Because of the deadlines set for 2021, there is a risk that cyber security is seen as a one-off effort and does not achieve a permanent place in the annual calendars of security management.
In maritime information systems, cyber security should be made part of so-called security by design thinking, which takes the implementation of security mechanisms into account on a risk basis already at the design stage and forces regular assessment of the systems' security level at all stages of their life cycle. Future visions of autonomous ships require raising the level of cyber security permanently to a new level.

SOURCES:
https://safety4sea.com/category/smart-parent/cyber-security/
https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf
https://www.traficom.fi/fi/ajankohtaista/tilaisuudet/merenkulun-kyberturvallisuustilaisuus-1192020
http://www.emsa.europa.eu/
https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf
Androjna, A. et al. (2020). An Overview of Maritime Cyber Security Challenges. Conference paper. https://www.researchgate.net/publication/344461659

3. CHINA'S CYBER DIPLOMACY

1. China is determined to become the world's leading great power in every field. China's digitalisation has taken place faster than in most Western states. China therefore sees digitalisation, and cyber security as one part of it, as a significant channel for achieving its goals in the economy and technology.
2. China's national security legislation allows the broad use of cyber security methods in both domestic and foreign policy. In domestic policy, the Communist Party uses cyber security means to keep the political climate favourable to the current administration. Cyber espionage and cyber attacks are part of the foreign policy toolkit if they can be used to support national security objectives.
3. China strongly promotes state-centred sovereignty in the governance of data networks, which is already visible in restrictions on Internet use. China seeks to create a coalition of like-minded states to reinforce its cyber security policies.
4. China supports the development and internationalisation of private cyber and ICT companies in order to accelerate the country's economic growth and strengthen its technological position. However, Chinese technology has not been accepted into the ICT infrastructure of several Western powers because of cyber security problems. The confrontation has led to Chinese counter-reactions in foreign policy, which hampers the advancement of East-West relations in other areas as well as possible cooperation in the field of cyber security.

China's rapid internationalisation and the remarkable rise of its science and technology have brought significant geopolitical and economic consequences. China's development in network and cyber technology is also reflected in the global cyber security operating environment. Digitalisation in particular has been dramatic, and China currently has the most Internet users in the world. In addition, the fast-growing digital economy is giving rise to Chinese technology giants such as Huawei, Alibaba and Baidu, which are able to compete ever more strongly in global technology markets.

China's cyber security market is currently about 25 billion dollars a year, representing a share of just over 10% of the world market. However, the Chinese market is forecast to grow each year at twice the relative rate of the rest of the world over the next five years, in which case China would represent almost 40% of the global cyber security market by 2026. Chinese cyber security companies such as Qi An Xin, Qihoo and ThreatBook are so far still fairly unknown internationally compared with their Western competitors. The companies produce both traditional and more advanced cyber security solutions, naturally for the domestic market but also for a wide area of the Far East. Several companies have offices in, for example, Singapore and Malaysia, and they are also heading towards Europe and the United States. Chinese cyber security companies are continually closing the gap with the West both economically and technologically, and in this way support China's efforts to attain great-power status.

In China, as in any state based on a one-party system, the line between the private sector, political life and the state is blurred. The Chinese Communist Party, intertwined with the organisation and organs of the state, uses cyber security means to support the party's ideology and also to silence opposing ideologies. For example, social stability and public order, the safeguarding of Chinese culture and the suppression of phenomena that threaten these are objectives included in Chinese national security legislation. To secure them, the Communist Party can use all the resources of the state, including cyber security experts and methods. The state's grip on private companies is tight, so the resources of the private sector are also indirectly available for these objectives.

China is well known for its capabilities in cyber espionage. This espionage capability is used against both external and internal targets. External targets, that is, the governments and private sectors of other states, are spied on in the name of national security. National security is understood broadly in China and also includes developing economic and technological capability in order to achieve its goals. In China's internal activity the most important target of espionage is dissidents, whose movements the state tries to anticipate and thereby prevent the emergence of anti-government groups.

China strives hard to maintain and further strengthen its sovereignty in the governance of data networks. Whereas the United States, Europe and other Western states emphasise the openness of the Internet, individual participation and freedom of expression, China defends a greater role for sovereign states in Internet governance. China justifies its view by arguing that increasing the influence of sovereign states makes it easier to intervene in the distribution of anti-state material and the promotion of anti-state activity.

China is not alone in its thinking. Of the great powers, Russia is closest to this way of thinking; it has for some time been building and rolling out a national Internet. Despite the same starting points, the goals of China and Russia regarding open networks and cyber security differ. Whereas China harnesses cyber security to guarantee national security and to build its great-power status, Russia uses the cyber element more directly, for example in hybrid influence operations and as a tool of warfare in international conflicts.
China seeks closer international cooperation with countries that are willing to use Chinese network technology and that do not criticise China's foreign policy. Such countries can be found on almost every continent, especially in Africa and South America.

Relations between China and the Western powers have always been more or less tense. We are currently living through a period of heightened tension. The United States has been waging a trade war with China for a long time, and over the past year the EU has again expressed its concern over China's climate and human rights issues. In addition, the EU wants tighter control over China's efforts to invest in European critical infrastructure such as ports and telecommunications. The rejection of 5G investments and Huawei by most European countries in particular has irritated China. Its economic development on world markets rests partly on giant companies like Huawei, and weakening commercial opportunities slow down China's great-power ambitions. Huawei has tried to dispel suspicions with, for example, testing laboratories established in Europe that are available to its customers.

China has good prospects of becoming the world's leading great power in many fields, of which cyber security is one. China's vast resources are capable of producing world-leading technology solutions. However, China's social order and culture differ in many respects from those of the West, and it is challenging to find common understanding on, for example, human rights. Both sides use commercial and technological means to promote the spread of their own ideology around the world, which hampers cooperation in, for example, the field of cyber security. The situation is unfortunate, because closer cooperation would make it possible to fight more strongly against, for example, international terrorism.

SOURCES:
Broeders et al. A coalition of the unwilling? Chinese and Russian Perspective on Cyberspace. The Hague Program for Cyber Norms Policy Brief. 2019.
Bozhkov, N. China’s Cyber Diplomacy: A Primer. EU Cyber Direct. 2020.
Segal, A. China’s Alternative Cyber Governance Regime. Council on Foreign Relations. 2020.
https://www.politico.eu/article/european-commission-ursula-von-der-leyen-state-union-2021-china-xi-jinping/

4. INTERNATIONAL RULES FOR CYBER INFLUENCE OPERATIONS

1. Cyber influence operations between states take place daily. The motive may be, for example, espionage, disruption of critical infrastructure or shaping the political climate. In these operations states often use surrogate actors, or proxies, to conceal the origin of the activity.
2. Attempts have been made to draw up rules for cyber influence operations through discussions between countries, with poor results. Principles agreed between two countries are not public, which has made it difficult to build broad acceptance and commitment.
3. This year UN working groups have published the first international rules for cyber influence operations between countries. The rules are partly high-level principles, but clear and concrete boundary conditions have also been defined quite well. These principles are a good starting point for a framework of international cyber policy in the future.

Cyber influence operations between states are an everyday activity. States spy on each other in data networks, influence each other's political climate through social media and also carry out cyber attacks against other states' data networks and critical infrastructure. Finland, too, has recently been the target of numerous cyber attacks, some of which also become public. For example, around the turn of last year a cyber attack on the Parliament's information systems and members' e-mail accounts became public, as did a case of GPS positioning system jamming the year before. States often use surrogate actors, or proxies, for their attacks, partly to conceal the origin of the attack. Despite the use of proxies, the origin of an attack can in most cases be established with near certainty.

All states use cyber influence operations in one way or another, and no international rules have emerged for their permitted and non-permitted use. Cyber influence operations are even seen as a form of warfare for which no common principles have been established in the way they have for conventional warfare. Whereas the Geneva Conventions define the boundary conditions of conventional warfare very precisely, such conditions have been missing entirely for cyber warfare.

One of the few attempts to agree on rules for cyber influence operations and cyber warfare took place last June at the meeting of Presidents Putin and Biden. It was preceded by the ransomware attack in the United States on the Colonial Pipeline company, whose fuel distribution network was halted by the attack. The United States had traced the attacker to a Russian proxy actor. Putin and Biden were meant to agree on rules for cyber influence operations, but the results have so far been meagre. The countries agreed to start bilateral negotiations on creating rules and to begin cooperation on investigating serious cybercrime. Biden is said to have given Putin a list of 16 critical infrastructure functions that should be left untouched by cyber influence operations.

The United Nations (UN) has set up two working groups, the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG), to define international principles for cyber influence operations. The GGE was originally established in 2004 as a coordination group for the security of IT and telecommunications services. The group has 25 member countries, which are selected for three years at a time. The current composition includes the most important great powers as well as Norway from the Nordic countries and, from among other near neighbours, Estonia for example. Since 2019 the GGE has focused on cyber influence operations between states and on defining principles for them. The group's official name during the term ending this year is “Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security”. The OEWG, established in 2019, is a forum that supports the work of the GGE and is open to all UN member states. Representatives of business and academic research can also take part in the forum, and its purpose is both to serve as a broader discussion forum and to find concrete practical solutions, for example for the cyber protection of IT systems.

The most important goal of the GGE's current term was to define the international principles for cyber influence operations between states and to publish them at the UN General Assembly in summer 2021. The working group did publish its final report and the principles it contains at the UN General Assembly on 14 July 2021. The report states that societies are increasingly dependent on information technology and telecommunications, and that both cyber influence operations between states and cybercrime threaten people's well-being and the stability of society. The report, which is quite up to date, describes various threat factors in the cyber environment and their special characteristics, for example the so-called attribution problem of cyber attacks, that is, the difficulty of identifying the origin of a cyber attack. It also emphasises that cyber attacks can be carried out from anywhere in the world, the factor that most clearly distinguishes cyber warfare from traditional warfare.

The report contains eleven principles (“norms”). Whereas the Geneva Conventions mainly address the principles of military action between states, the norms defined by the GGE also emphasise cooperation between states to counter the actions of non-state actors such as terrorists and cybercriminals. The principles encourage the exchange of information between states to prevent and investigate cybercrime and mutual assistance in building cyber defence. Citizens' personal cyber security is mentioned separately, and the report states that human rights and the protection of privacy must be respected as part of cyber influence operations.

The GGE principles address the use of proxies and prohibit states from supporting cybercriminal groups or cooperating with them. Critical infrastructure and logistics chains are mentioned separately as prohibited targets of cyber strikes. Citizens must be able to trust society and its vital functions without cyber influence operations disrupting them.
Critical infrastructure is understood slightly differently in different countries, and for clarity the GGE report separately lists, for example, health care, energy production and transmission, water and waste management, education and the parliamentary electoral system. The GGE principles also oblige states to protect their critical infrastructure with the necessary methods in order to repel cyber attacks and ensure the undisturbed operation of the infrastructure.

In addition to critical infrastructure, the GGE principles place national cyber security centres and their CERT functions off-limits to cyber influence operations. In the same context, the use of CERT functions in cyber influence operations directed against another state is also prohibited.

The GGE's principles for cyber influence operations have received surprisingly little attention. They are partly high-level general objectives, but the work has also succeeded in producing quite detailed definitions to serve as rules for cyber influence operations. Particularly noteworthy are the threat to critical infrastructure posed by non-state actors, as identified by the GGE, and the call for cooperation between states to minimise such threats.

The GGE principles have good potential to become the ethical rules of international cyber policy that have long been needed in today's cyber operating environment. However, they are in no way legally binding; they are recommendations that may or may not be followed. It is nevertheless significant that political consensus has been found on recommendations that go this far.

SOURCES:
https://dig.watch/processes/un-gge
United Nations – General Assembly. Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security. 14.7.2021.
United Nations – General Assembly. Open-ended working group on developments in the field of information and telecommunications in the context of international security – Final Substantive Report. 10.3.2021.
https://fi.wikipedia.org/wiki/Geneven_sopimukset
https://www.reuters.com/world/wide-disagreements-low-expectations-biden-putin-meet-2021-06-15/



CYBER SECURITY NORDIC

8–9 MARCH 2022

Messukeskus Helsinki Finland

INTERNATIONAL CYBER SECURITY NORDIC EVENT WILL BE HELD AT MESSUKESKUS HELSINKI 8–9 MARCH 2022. Once again, the event will delve into the politics, economy, reality and future of cybersecurity. The themes are presented from the business economy as well as the public administration perspectives. cybersecuritynordic.com


