Cyberwatch Finland magazine 2/2021


Cyberwatch Magazine

Special media of strategic cyber security

2021/2

DIPLOMACY AND DIGITAL TECHNOLOGY

STRATEGIC CYBER SECURITY

CYBERWATCH ANALYSIS, THE COUNTRY OUTLOOK

THE CHANGING WORLD NEEDS NEW AND AGILE METHODS TO IMPROVE CYBER SECURITY


CONTENT 2021/2

3 Strategic Cyber Security
8 Diplomacy and Digital Technology
10 Russia’s Background in Cyber Warfare
14 Next step: development of cyber security competence
17 Cyberwatch analysis, the Country outlook – Who are the Cyber superpowers?
31 Cyber Security challenges in Aviation and Maritime
34 The changing world needs new and agile methods to improve cyber security – it is easy to boost information security in companies!
35 Your power hangs by a bit
39 The importance of operational technology in the built environment you operate in – Managing operational risks through silos
44 Telecoms new normal
46
48 Cyberwatch Quarterly review / Cyberwatch kvartaalikatsaus
66 Cyber Security Nordic returns live in October / Cyber Security Nordic palaa lokakuussa livenä

Cyberwatch Magazine

Special media of strategic cyber security

PUBLISHER Cyberwatch Finland, Huopalahdentie 24, 00350 Helsinki, Finland, www.cyberwatchfinland.fi
PRODUCER AND COMMERCIAL COOPERATION Cyberwatch Finland team, office@cyberwatchfinland.fi
LAYOUT Atte Kalke, Vitale, atte@vitale.fi
ILLUSTRATIONS Shutterstock
ISSN 2490-0753 (print), ISSN 2490-0761 (web)
PRINT HOUSE Scanseri, Finland


Editorial

Strategic Cyber Security // Aapo Cederberg

The events in the cyber world mirror global politics. The outlook is bleak, crises are escalating, and tensions are rising. Cyber operations have become an alternative to military action as a means of achieving political goals, and it is conceivable that they also make more aggressive policies possible. Cyber sabotage must be seen as a new threat model, whose importance is highlighted as part of hybrid operations and the information operations that accompany them. The aim seems to be to create a deterrent effect and to plant uncertainty in people’s daily lives. It is becoming increasingly difficult to distinguish the practices of state actors from those of cybercriminals: we can detect the phenomena, but we cannot be sure of their origin or purpose. The old wisdom of warfare, that concealment and deception are success factors, has been adopted in cyber operations as well.

Developments in the cyber world are rapid and often happen without warning, reflecting crises in global politics. For Finland it is especially important to assess the growth of Russia's cyber capacity and the evolution of its operating methods. From Russia’s point of view, cyber capability is essential as the spearhead of hybrid operations. Developing cyber capability is significantly cheaper than building traditional military capabilities, and Russia's economy is no longer sufficient to sustain its position in a conventional arms race. Cyber capability is therefore vital for Russia to maintain its political power on a global scale and, if necessary, to act unexpectedly in regional conflicts. Hybrid operations create the conditions for pre-emptive action and political surprise attacks. Europe is lagging behind in the global cyber arms race, and its total capacity depends on national cyber capabilities.

Cyber operations and the technologies used in them are constantly evolving, and the importance of cyber security as a component of national security is growing. Targets are chosen carefully, based on an evaluation of the possible physical and informational effects of an attack. The goal of hybrid operations is to advance political aims by creating destruction, chaos and political uncertainty. The repercussions of a cyber attack are always much harder to combat than the operation itself. The importance of cyber espionage will grow, as it is used to create the optimal conditions for hybrid and cyber operations. The distinction between criminals and state actors is blurred, and it is increasingly difficult to determine who the perpetrator is and what the real motives are.

In recent years, cyber intelligence has established itself in the field of intelligence, and intelligence between states has become a day-to-day activity. Views on authorised and unauthorised methods, based on the legislation of different countries, have developed over the past decades. With cyber intelligence the line between the two is easily crossed, because the perpetrator never comes into physical contact with the target data, and the source of an operation is often difficult to determine. Leaked data eventually ends up in the data collection systems and targeting operations of the great powers’ intelligence organisations.

Alongside cyber operations and intelligence, there is widespread discussion of cyber warfare. The term is ambiguous because the definitions of war and peace in cyberspace are not as clear as in physical warfare. Cyber operations and reconnaissance could be interpreted as cyber warfare if they cause tangible harm to the other party’s systems or, for example, manipulate the results of state elections. Setting a rule requires international cooperation to define the characteristics of cyber warfare and the boundary of acceptable action. The role of social media and the power and regulation of the technology giants will be an increasingly difficult political issue, and international law cannot keep up with the rapid changes in the cyber world. Security issues will also come to the fore in many technology choices; the debate around 5G technology is a good example.

Transnational cyber operations have increased over the past year and are being used ever more ruthlessly. Hacking, cyber espionage and information operations through social media are increasingly brazen, and their origins are often public knowledge. The advanced cyber-influencing capabilities of states must be taken seriously. Critical processes should be subject to regular risk assessments and long-term cyber security development. Contingency plans for intrusions and for availability (denial-of-service) attacks play a vital role in maintaining operational capability. The situational picture of hybrid operations should be monitored continuously so that influencing attempts can be identified and countered. Cyber security plays a central role in combating hybrid interference, and the quality and quantity of the related expert resources must be safeguarded.

Because offensive capabilities and defensive practices are built on the same systems, it is often very difficult to maintain and build credible cyber capabilities: an attacker who has access to the same systems makes an effective defence harder to establish. As a result, many countries have implemented stand-alone systems designed to minimise the threat posed by supply chain attacks.

Cyber attacks will continue to be carried out mainly through, or with the help of, individuals and employees. This emphasises the importance of competence, and the insider risk must be taken into account in the cyber risk analysis, especially with regard to employees. The cyber culture of every organisation must be developed as an integral part of its security culture. Better classification of information and data, together with new security methods, can also significantly raise the level of cyber security, and a comprehensive cyber risk analysis provides a good basis for contingency and security planning. Each employee is responsible for their own actions, because those actions matter for the cyber security of the whole operating environment. Security instructions given to end users should be followed strictly. Organisations should ensure that employees have secure work equipment and secure connections to ICT services, and employees should know how to act in an emergency and how to deal with cyber security threats at an individual level.

The aftermath of the Covid-19 crisis will be visible in many situations over the next couple of years. Teleworking will remain a permanent practice, and information leaked during the crisis will be used to plan new cyber and hybrid operations. The planning cycle of a cyber operation is six months to two years, so the likelihood of new, elaborate cyber operations will remain high. Critical societal infrastructure and services have emerged as the main targets of cyber attacks. ”Smart city” thinking, with digital services and technologies at its heart, is the driving force behind urban development, and the vulnerability of modern society will increase if cyber security is not built into these systems following the security-by-design principle. As the impact of cyber attacks becomes more familiar to citizens, the importance of knowledge and situational awareness also becomes more apparent; a well-educated nation will fare much better in the face of these global security challenges. The development of cyber security therefore consists of many small actions that together form a larger whole: the nation's cyber resilience, or in other words its crisis resilience. We can all be key players in the cyber security of our own lives by taking better care of our everyday cyber security and improving our skills accordingly.

CYBERCRIME IS INCREASING AND DIVERSIFYING

Cybercrime continues to grow on a global scale. According to initial estimates, in 2020 cybercrime caused one trillion euros in damages. Cybercrime in this sense is committed for economic gain, and both the selection of targets and the attack methods are becoming more precise. Critical data and information will remain the main target of cybercriminals, and ransomware attacks will increase. Criminals are developing their business logic, for example towards so-called hybrid ransomware, in which organisations and individuals are blackmailed simultaneously. This also increases the risk that information stolen in data breaches will be published. Since the General Data Protection Regulation came into force, information systems containing personal data have become a popular target of data breaches: the regulation imposes substantial sanctions on personal data processors for cyber security negligence, so a victim can be expected to be willing to pay a high ransom to avoid a data leak. Reputational damage is a further significant threat that companies want to avoid by all possible means. When criminals acquire sensitive personal information, the privacy of the data subjects is affected as well, so the possibility of blackmailing both companies and individuals with the same information increases.

In the worst case, a cybercriminal can gain access to and exploit the online payment tools used by the end user. To prevent this, strong identification methods such as mobile user authentication have been introduced in banking. New user authentication methods are effective in preventing the misuse of payment tools, but there are many services on the Internet where the user is authenticated with a mere username and password. Such accounts are easy to compromise and offer ample opportunities for misuse.

A third form of cybercrime on the rise is extortion malware, or ransomware, which paralyses the target’s computing environment and destroys its data unless a ransom is paid. Focusing on the largest and most profitable targets, so-called big game hunting, is a current trend in the use of ransomware: time and effort are invested in examining the target and developing a suitable attack method, and the entire process is carefully planned. Attack methods are diversifying and are often fully tailored to the target’s IT environment and situation, in some cases with the help of artificial intelligence. At the same time, easy-to-use ransomware tools are sold on the darknet, giving cybercriminals with no technical knowledge access to simple attack tools.

In addition to criminal activity, the possibility of using cybercrime as a tool of state-level hybrid operations must be considered. Increasing cybercrime can lower public confidence in information systems and breed suspicion of public authorities, thereby undermining society's ability to respond to hybrid operations. The line between state actors and cybercriminals is ambiguous, and a growing number of states use third parties to carry out cyber attacks. As cybercrime becomes increasingly driven by state-level actors, we will see numerous new non-technical ways of influencing a target organisation and taking advantage of inadequate safeguards and staff incompetence, so the scope of security must be assessed more comprehensively. One example is the “tiger kidnapping” of high-profile individuals, in which questionable or sanctioned material is planted on devices belonging to the influential person or those close to them. A threat created in this way, combined with, for example, insider risk, can be a very effective course of action.

The effectiveness of phishing attacks rests on the weakness of password authentication. A username and password combination can be uncovered with a fake login window, stolen from insecurely stored databases, captured from users by spyware, or reused wherever the same password serves many different services. Passwords are a 60-year-old invention and no longer meet today’s demands for security and usability. A long password spiced with special characters is bothersome to use and does not prevent phishing, and storing passwords in browser memory and on various servers makes them an attractive target for criminals. Genuine password-less authentication requires the individual to have a device, such as a mobile phone or a separate FIDO security key (USB or wireless), with which the organisation’s applications and workstations are accessed; biometric unlocking, such as a phone’s face recognition or fingerprint reader, is one example.
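The origin binding that makes FIDO authentication phishing-resistant, as an added example that is not part of the original editorial. The script below is a deliberately simplified model of a WebAuthn-style login written for this page: an HMAC over a per-site secret stands in for the authenticator's asymmetric signature, and the origins bank.example and bank-login.example, the user alice and her password are all constructed. It shows that a fake login page can relay a typed password straight to the real service, whereas a challenge signed by the security key is bound to the origin the browser is actually on, so the relayed FIDO response is rejected even when the user happens to hold a credential registered for the look-alike site.

```python
"""Why a phishing page defeats a password but not an origin-bound FIDO credential.

Simplified model, constructed for this example (not real WebAuthn code): the
authenticator holds one secret per relying-party ID (rp_id), created at
registration, and "signs" the server's challenge together with the rp_id that
the browser reports for the page the user is on. Real FIDO2/WebAuthn
authenticators use an asymmetric key pair per credential; an HMAC stands in for
that signature here so the script runs with the standard library only.
"""
import hashlib
import hmac
import secrets


class Authenticator:
    """The user's device (phone or security key) holding per-site credentials."""

    def __init__(self):
        self._credentials = {}  # rp_id -> device-held secret

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._credentials[rp_id] = key
        return key  # handed to the relying party once, at registration

    def sign(self, rp_id, challenge):
        # rp_id comes from the browser's view of the current origin, not from
        # the user and not from the page, so a phishing page cannot spoof it.
        key = self._credentials.get(rp_id)
        if key is None:
            return None  # no credential scoped to this origin: nothing to sign
        return hmac.new(key, rp_id.encode() + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The genuine service, e.g. a bank, identified by its rp_id."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.passwords = {}  # user -> password (the phishable secret)
        self.keys = {}       # user -> registered credential secret

    def new_challenge(self):
        return secrets.token_bytes(32)

    def login_with_password(self, user, password):
        return self.passwords.get(user) == password

    def login_with_fido(self, user, challenge, signature):
        key = self.keys.get(user)
        if key is None or signature is None:
            return False
        # The bank verifies against ITS OWN rp_id; a signature made for any
        # other origin will not match, whichever credential produced it.
        expected = hmac.new(key, self.rp_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def phished_password_login(bank, user, typed_password):
    """Fake login page: the attacker relays whatever the victim typed."""
    return bank.login_with_password(user, typed_password)


def phished_fido_login(bank, device, user, phishing_origin):
    """Fake login page that relays the bank's real challenge in real time.
    The browser still hands the authenticator the phishing origin's rp_id."""
    challenge = bank.new_challenge()  # fetched from the bank by the attacker
    signature = device.sign(phishing_origin, challenge)
    return bank.login_with_fido(user, challenge, signature)


def legitimate_fido_login(bank, device, user):
    challenge = bank.new_challenge()
    signature = device.sign(bank.rp_id, challenge)
    return bank.login_with_fido(user, challenge, signature)


def demo():
    """Run the four scenarios; returns a dict of scenario -> login succeeded."""
    bank = RelyingParty("bank.example")        # constructed origin
    phish = "bank-login.example"               # constructed look-alike origin
    device = Authenticator()
    bank.passwords["alice"] = "Tr0ub4dor&3"    # constructed user and password
    bank.keys["alice"] = device.register(bank.rp_id)
    results = {
        "password_relayed_by_phisher": phished_password_login(bank, "alice", "Tr0ub4dor&3"),
        "fido_relayed_by_phisher": phished_fido_login(bank, device, "alice", phish),
        "fido_legitimate": legitimate_fido_login(bank, device, "alice"),
    }
    # Even if the victim had earlier registered a credential with the fake site,
    # the signature covers the wrong rp_id and the bank still rejects it.
    device.register(phish)
    results["fido_relayed_even_with_phish_credential"] = phished_fido_login(bank, device, "alice", phish)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'login succeeded' if ok else 'login rejected'}")
```

Run it as a script to see the four outcomes. The point to take away is that the phishing resistance comes from the browser supplying the rp_id, which neither the user nor the page can override, not from the credential secret being any harder to guess than a password.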
Password-less technology has been reported to eliminate 99.8% of attacks on identity authentication, and it is already in use in numerous organisations around the world. Legitimate password-less authentication is the most important trend of the 2020s for improving the cyber resilience of organisations against the various scams and phishing attacks.

A GREAT CYBER SECURITY CULTURE IS THE KEY TO SUCCESS

The management’s commitment to the development and maintenance of cyber security is the foundation of an effective cyber culture. At its best, management perceives cyber security as a resource that ensures the high-quality performance of core functions in all circumstances. Cyber culture is an important element for every organisation that handles information in its various forms and whose confidentiality, integrity and availability must be ensured. The information to be protected can be, for example, customer data, product development information or an up-to-date situational picture, but in every case securing it is a basic precondition for the organisation’s operations. Cyber culture is equally vital for an organisation whose function depends on seamless information systems and telecommunications.

Once the importance of cyber culture to the organisation’s operations has been identified, the next step is to develop a cyber strategy that supports that culture. The strategy defines the organisation’s cyber security objectives, which should support its overall strategic objectives and align with the risks connected to its critical infrastructure. It ought to establish priorities so that the often limited resources can be allocated to the most important objectives. The overall governance model for cyber security is part of the cyber strategy: the model defines the organisation involved in implementing cyber security as well as the main practical measures required to apply and develop it. The cyber strategy must take into account all the main legal and industry requirements that apply to the organisation's operations. Finally, a process must be established to maintain the cyber strategy, to keep it up to date and to detect changes in the operating environment and the threat profile.

A cyber strategy is the starting point for building a cyber culture in an organisation. It is important to recognise, however, that a culture is only a guideline for employees’ actions; whether the culture is enacted depends on the employees’ underlying attitudes. Behind every culture is people’s desire to act in a way that fits in with commonly accepted values and virtues. The organisation’s management defines these values by leading by example, and the members of the organisation adopt them. Clear values attract like-minded individuals, while those who hold different values distance themselves from the organisation. In the long run, the organisation forms a cohesive group that lives by its values, which ensures beneficial teamwork. Defining values and actively maintaining them is the most important starting point for any kind of cultural development.

AAPO CEDERBERG, Managing Director and Founder of Cyberwatch Finland, Chairman of the Cyber Security Committee of the World UAV Federation (WUAVF)



Diplomacy and Digital Technology // Janne Taalas

Digital technology has become increasingly important in diplomacy. To understand the emergence of cyber diplomacy, it is useful to look at what drives this transformation. The traditional view of foreign policy and technology treats technology as one of the parameters of a state’s international power, like the size of its population or economy: technology brings economic power and military advantage, as the development of iron, gunpowder and nuclear weapons did. This perspective is still relevant in the digital era, but three new developments are pushing issues related to digital technology higher on the international agenda.

First, the growth of digital infrastructure has provided unprecedented opportunities to interfere in another state’s affairs without military force. Cyber espionage, hybrid action through social media platforms and outright digital sabotage have become real possibilities for states over the last ten years or so. Such a degree of interference without the use of military force has not been seen before in human history. Furthermore, these means can be, and increasingly are, deployed in peacetime, not only during armed conflict. Some states have made ample use of the new possibilities: the recent SolarWinds supply chain attack is one of the largest cyber espionage operations ever uncovered, and the meddling in the US elections and the Brexit vote has been well documented. Cyber sabotage has been less prevalent, but there are notable cases in the context of Iran's nuclear programme and the war in Ukraine. North Korea deserves a special mention, as UN reports depict it as a modern-day pirate state that raids Bitcoin exchanges to bolster its ailing finances.

The second development that has pushed digital technology onto the international agenda is the intensification of superpower competition. China has challenged American leadership and is using technological means to contest US military dominance while increasing its global heft. Digital technology is both a means of increasing China’s capability and a field in which to challenge the USA. This has brought about an intensifying struggle over the ability to define and manage the international digital infrastructure and its use (e.g. location and standards). The polarisation spills over into trade relations, financing and science policy, and international actors, states and companies alike, must increasingly take superpower competition into account in their actions on digital technology.

The third development is the spread of ever more intrusive technologies and the growing importance of fundamental and human rights in the foreign policy of several countries, Finland among them. As digital technologies are increasingly applied in some states to restrict human rights, above all in large-scale digital surveillance and data collection, a fundamental gap has emerged between those who promote digital technologies to empower individuals and those who would use the new technologies to build an authoritarian control state. Cyber diplomacy hence increasingly straddles a very real clash of values.

As none of the three drivers seems to be abating, it is safe to predict that cyber diplomacy will become an ever more important aspect of state-to-state interaction in the years to come. For Finland this means that we have to bolster our resilience as well as our capabilities to detect and respond to malicious cyber activities by states. Work within the European Union and global cooperation with like-minded states are of crucial importance in this respect. The EU’s drive to increase its digital sovereignty within a transatlantic framework is a major attempt to answer these three interlocking developments that are pushing cyber issues ever higher on international agendas.

Ambassador Janne Taalas has been appointed CEO of CMI Martti Ahtisaari Peace Foundation. The Cyberwatch Finland team warmly congratulates Janne on his appointment.

JANNE TAALAS Ambassador Janne Taalas has worked in cyber diplomacy since 2019 and has served at the Ministry for Foreign Affairs of Finland for some twenty-five years. During his career he has acted as the Special Envoy to the 2020 Afghanistan Conference, Ambassador of Finland to Italy, Malta and San Marino (2015 to 2019), Deputy Permanent Representative in the Finnish Mission to the United Nations in New York (2010 to 2015) and Director of Policy Planning in the Finnish Ministry for Foreign Affairs (2008 to 2010). Ambassador Taalas holds a Doctor of Philosophy in Politics from the University of Oxford (St Antony’s College) and degrees in Politics and Economics from the University of Jyväskylä.



Russia’s Background in Cyber Warfare // Juha Wihersaari



1. Background Information

Cyber attacks cannot go unnoticed by anyone who follows the news. Some attacks are conducted by criminals aiming to extort money from their targets, others by state actors promoting their interests in one way or another. In some cases the two overlap, because states often have criminal hackers in their ranks. In addition to criminals, Western countries are targeted by hacker groups linked to Russia, China, Iran and North Korea. Why is Russia so persistently carrying out cyber attacks in the West? Is it preparing for war, or for something else?

In 2013, the Russian military scientists Tchekinov and Bogdanov published a study in which they defined modern warfare and the difference between war and peace from a Russian perspective. According to them, the difference between war and political conflict is that in war, non-military means are used alongside military means in a large-scale military operation, whereas the arsenal of political conflict includes only non-military means. Tchekinov and Bogdanov called the former “new generation warfare” and the latter hybrid warfare; despite its name, in their view only the former is warfare. New generation warfare is an international armed conflict in which non-military means must also be used in a comprehensive and integrated manner, in particular information operations and psychological operations, but also ideological, diplomatic and economic activities. Notably, also in 2013, the chief of Russia’s General Staff, Army General Valery Gerasimov, presented the same ideas in detail when describing the future of warfare, and the then president of the Russian Academy of Military Sciences, Army General Mahmut Gareyev, expressed his support for Tchekinov and Bogdanov’s definitions of warfare.

Tchekinov and Bogdanov defined hybrid warfare as an interstate operation in which national interests are pursued indirectly and military force is used only as a deterrent. In 2019, Gerasimov went further, arguing that primarily non-military methods are used and military measures are taken only if they fail. Aleksander Bartosh, currently the leading Russian expert on hybrid warfare, wrote in a 2018 issue of the Russian General Staff’s journal that the biggest change in the transition from the Cold War to hybrid war is the shift from ideological differences to differences between civilisations. In Russia's view, therefore, it is fighting for the survival of its ideology and culture. The winner of such a war will not only gain control of the losing state and its resources but will also have the right to decide that state’s future. From Russia's point of view, then, this is a struggle between Western civilisation and Russia, and Russia’s efforts to test and separate its Internet, Runet, from the rest of the world should be seen in this light. According to Bartosh, Russia's hybrid warfare strategy today increasingly seeks a deterrent effect asymmetrically through cyber weapons, whereas in earlier stages of warfare this was achieved with conventional armed forces. The effect of modern cyber weapons on the armed forces, industry, transport and the lives of citizens is already estimated to approach that of a nuclear weapon. Similarly, in the United States the significance of nuclear deterrence in the cyber era is being pondered, and even the need to respond to cyber attacks with nuclear weapons is being considered; there is growing concern in Western countries that their nuclear strike capability could be paralysed by a cyber attack. The long-term nature of Russia's efforts is illustrated by the fact that as early as 2013, students were being recruited into the cyber sector to develop a “new nuclear weapon” for Russia.

In the current global political climate, there is no sign that the cyber operations of Russia or other states will decrease. Cyber operations are ideal for hybrid warfare, because almost all critical systems are connected to the Internet and are therefore reachable. In addition, as the hacking of the Finnish Parliament demonstrated, an attack cannot be linked with certainty to a specific government organisation, only to the country of origin.

In Russian literature, cyber warfare is a Western concept that specifically targets computers and computer networks, and information warfare is separate from it. In the Russian definition, information warfare (информационная война) covers both and is divided into psychological and technical warfare, and it links the two sub-elements closely. Psychological warfare, on the other hand, can be waged entirely without electronic systems. According to the Russian definition, psychological warfare is waged continuously, even in peacetime, while technical warfare is associated with wars and armed conflicts. From this it can be concluded that hybrid warfare also takes place in the cyber dimension. For the sake of clarity, however, the terms information warfare and cyber warfare are used hereafter with the Russian meanings and definitions described above.

2. The Intelligence Community

Russia's cyber forces are part of the country's intelligence community, so it is useful to know the components of that community, the division of labour between them and the main tasks of the various organisations. The Russian intelligence community comprises four intelligence organisations, two of which focus primarily on foreign intelligence and two on counter-intelligence and security. In practice the situation is more complex, because the responsibilities of the organisations overlap. Although the Russian intelligence organisations are well funded, they compete with each other for the best results and for additional resources, which has led them to expand their expertise into each other’s areas.

Figure: Russian Intelligence Community

The FSB is the largest and most powerful of the intelligence organisations, and its main task is counter-intelligence. Thanks to President Putin’s background, the FSB also has the best access to the top leadership and an excellent position when competing for resources. Under the guise of crises, the FSB seeks to expand into foreign intelligence in the countries of the former Soviet Union. This expansion has created tension between the FSB and both the GRU and the SVR, whose main task is foreign intelligence; the tensions increased significantly in connection with the events in Ukraine in 2014.

The SVR and the GRU are primarily responsible for foreign intelligence, and both have agent networks and intelligence personnel in foreign embassies. The SVR specialises in long-term intelligence operations, while the GRU is a more aggressive and risk-taking player. According to a GRU officer, this stems from the spetsnaz culture, which includes not only reconnaissance missions and intelligence gathering but also sabotage missions. Owing to its background, the GRU has signals and satellite intelligence capabilities, equipment for reconnaissance missions and Spetsnaz troops. As part of the General Staff of the Armed Forces of the Russian Federation, the GRU also has the right to present its case directly to the President.

The war in Georgia in 2008 was a failure for the GRU. After the war, the responsibilities of 1,000 GRU officers were reduced, plans were made to transfer the Spetsnaz units to the regular military, and downgrading the GRU from a main directorate to an ordinary directorate was discussed. The changes of leadership in 2009 and 2011 altered the situation: the GRU resumed active measures, including assassinations, the use of surrogate forces and political pressure. The transfer of the Spetsnaz troops was cancelled in 2013, and the events in Ukraine in 2014 were already a great success for the GRU. In addition to traditional means, the GRU has for more than ten years invested heavily in cyber warfare and created a signature style of spectacular “spetsnaz-type” cyber operations. Despite a few failures, the GRU’s position as the “Kremlin’s cyber fist” is currently stable.

The Federal Protective Service, FSO, is responsible for protecting members of the government and government facilities, and it also includes the Presidential Security Service, SBP. The FSO, too, has sought to expand into new areas and aims to become the security service responsible for the entire intelligence community.

Figure: The tasks and responsibilities of the Russian intelligence organisations

3. Tasks and Resources

In January 2017, a Russian expert stated that the most significant tasks of the cyber forces of the Russian Armed Forces are 1) to monitor suspicious networks and the activity of potential adversaries and to search for every possible vulnerability; 2) to work systematically on creating backdoors in the adversary's networks for future cyber operations and to develop new methods and tools for penetrating those networks; and 3) to support other operations with cyber operations. This is a long process: when the target is out of the ordinary, preparations begin with developing purpose-built software. The tasks listed above say nothing about data security and protection, probably because of the high level of secrecy surrounding them. According to a well-known Russian security company, all cyber warfare efforts aim to disrupt the information systems of the enemy's economic and financial institutions and state organisations, as well as the daily life of the entire state. In the latter case the primary aim is to disrupt the functions that are vital for population centres and for the functioning of society, such as drinking water and sewage systems, electricity distribution, and communications and transport connections. While this describes the threats that Russia sees itself facing, it can equally characterise the way Russia itself operates.

In January 2017, the security company Zecurion Analytics estimated that Russia’s cyber forces are the fifth strongest in the world, with about 1,000 people and an annual budget of about $300 million; the United States, China, Britain and South Korea were ranked ahead of Russia. The United States was estimated to have a cyber force of 9,000 people with an annual budget of $7 billion, and China the largest cyber force, 20,000 people, but with an annual budget of only $1.5 billion. Zecurion Analytics’ estimate may have covered only military cyber intelligence personnel, because in the spring of 2016 the German intelligence service BND had estimated the strength of Russia’s cyber forces at 4,000 people, based on the total cyber personnel of the military intelligence service GRU, the security service FSB and the foreign intelligence service SVR. The difference between the estimates may also be explained by Russia’s information security forces, which may have been included in the German assessment. In the US National Cyber Power Index 2020, Russia ranks fourth in the world, behind the United States, China and the United Kingdom. Although that is a very different kind of study, it too indicates the magnitude of Russia's cyber attack capacity.

4. Cyber Forces

A. HISTORY

The first links to the activities of hackers in Russia appeared in the world's consciousness during the Kosovo war in 1999, but they did not become more widely known until 2007, in connection with the Bronze Soldier statue dispute in Tallinn. The very next year, during the war in Georgia, the Armed Forces tested the combination of cyber operations with armed aggression. Russia has only been actively developing its cyber performance for less than ten years. In addition to military intelligence, it is believed that there are hackers in the ranks of the security service FSB and the foreign intelligence service SVR. The first denial-of-service attack on the Chechen rebel website Kavkaz.org, in August 1999, is considered an FSB operation, so its cyber operations began in the same year as the above-mentioned Kosovo war cyber operations. It is estimated that the FSB's hacking activities began in 2010, which is also in line with the cyber activities of military intelligence. Foreign intelligence services have not reached a consensus regarding the existence of an SVR cyber division. However, the division of labour in intelligence and the information on the operations strongly suggest that the SVR, which specialises in intelligence, is also involved in cyber intelligence.

The Russian Armed Forces began to consider cyber forces in 2012, and the matter was made public by Deputy Prime Minister Dmitry Rogozin, who announced that the Russian authorities had considered establishing a cyber leadership roadmap to ensure information security in the Armed Forces and state administration. A year later, Rogozin stated that cyber weapons were a priority and that their impact on the communication systems of troops was more effective than artillery preparation. This strategy later materialised in eastern Ukraine. In the spring of 2013, the Minister of Defence Sergei Shoigu stated that scientific units were being formed within the Armed Forces, in which skilled university students would take part in research. There are currently 19 scientific units, eight of which explore new innovative technologies. In the summer of 2013, the Ministry of Defence said that a new division would be established in the Armed Forces to take care of information security; it would be in charge of monitoring and processing information coming from abroad and combating cyber threats. In January 2014, it was revealed that a roadmap had been established in Russia, and in May 2014 the Ministry of Defence declared that an information warfare force had been established.

The Snowden scandal, unveiled in the United States in June 2013, gave further impetus to the establishment of cyber forces within the Russian Armed Forces, and in the same year Russian Minister of Defence Shoigu also launched a recruitment campaign for cyber experts called the “Great Hunt” for coders. The goal was to recruit the most capable coders possible as quickly as possible. In addition to top graduates, self-taught hackers were also recruited based on their skills, even from criminal backgrounds. Simultaneously, the cyber sector was recruiting signal processing experts capable of dismantling cyber defences and telecommunications protocols. Although it was declared in the media that the Information Warfare Force of the Russian Armed Forces had been ready to operate since 2014, the Armed Forces remained silent on the matter. Officially, the cyber force did not exist until the Russian Minister of Defence unexpectedly acknowledged its existence in February 2017. The announcement may have been influenced by the fact that in January 2017 an international security company had released a report on the strengths and funding of cyber forces in various countries. Even though the Russian media gleefully boasted about Russia’s performance in relation to the rest of the world, the Russian Armed Forces did not take any immediate stance on the matter.

In addition to recruiting cyber personnel, the Russian Ministry of Defence began to hasten the development of high technology. In the spring of 2014, the Main High Technology Directorate was established under the Deputy Minister of Defence, General Pavel Popov, to oversee the leading institutions in information and telecommunications technology, in innovative technologies and in the research and development of robotics. Alongside robotics, there is no doubt that artificial intelligence is also being developed, the importance of which President Putin has proclaimed for several years. In his view, whoever triumphs in artificial intelligence will rule the world.

B. CYBER ATTACK CAPABILITY

Russia's well-known hacker groups are linked to the Federal Security Service (FSB), the Main Intelligence Directorate (GRU) and the Foreign Intelligence Service (SVR). The Federal Security Service is not known to have links to hacker groups. APT28 is considered to be the most prominent hacker group in many evaluations. It has operated since the mid-2000s and is highly experienced and knowledgeable. The group has highly sophisticated custom software at its disposal, which is an indication of state-level experience. APT28 often targets governments, military actors, security organisations and defence companies. Based on these targets, APT28 is justifiably linked to the GRU. The group’s best-known aliases are Fancy Bear and Tsar Team.

Operating since 2010, APT29 is considered one of the most advanced and experienced hacker groups. The group is thought to be working with both the FSB and the SVR. Western European governments and diplomatic organisations have been the main targets of APT29; however, the group has also targeted military, energy and telecommunications companies around the world. The APT29 software has been developed by a state-level operator. APT29 is also known as Cozy Bear and The Dukes.

The Sandworm Team is a hacker group that has specialised in cyber espionage since 2009. They often go for the same targets as APT28, but using commercial products. Typical targets have been companies associated with the Ukrainian government, the energy sector, media and telecommunications, academic institutions and industrial control systems. The Sandworm Team is associated with the GRU's operations, and the group is also known as Voodoo Bear and Black Energy.

Turla is a cyber espionage group that has been in operation since at least 2008. It has targeted government organisations and embassies in more than 100 countries. NASA and CENTCOM are known targets. Turla has repeatedly used psychological manipulation as a method of attack prior to phishing operations. The group is linked to the FSB and is also known as Venomous Bear and Snake.

In addition to the “official” hacker groups mentioned above, there are criminal hacker groups in Russia that do not have direct links to intelligence organisations, but whose activities serve Russia’s interests. These include various hacker groups targeting banks and financial institutions all around the world, which do not have to worry about government intervention. Such groups include Carbanak, FIN7 and the Cobalt Group.

Of the new scientific units, the 9th Scientific Unit is related to electronic warfare. This unit seeks to develop electronic warfare to enable attacks on the control mechanisms of gas pipelines, electricity grids and military communication networks close to the borders. This suggests that the GRU is increasingly using such electronic warfare systems abroad as well.

The most significant hacker groups in Russia

C. CYBER DEFENCE CAPABILITY

According to a credible assessment, the 8th Directorate of the Russian General Staff has been transformed into an Information Security Command, to which military unit No. 31659 is subordinated. It is estimated that it has under its control at least the scientific units of the military branches (navy, air force, ground forces, intelligence) whose research focuses on information security related issues. In addition to the research organisation, Russia is resolutely building its ability to defend itself against cyber-attacks. Information security organisations can be found at every level, and these organisations are trained, practised and tested through various exercises.

5. Conclusions

Russia believes that it is fighting the West for its livelihood, and information warfare and cyber warfare play a very important role in this. This affects Russia’s decision-making in foreign and security policy. Due to the situation, Russia is systematically investing in the development of new technology and constantly improving the attack and defence capabilities of information and cyber warfare. This is best seen in a variety of different cyber-attacks, some of which are not even recognised as such. There is no visible change in sight, at least under the current Russian leadership.

JUHA WIHERSAARI Colonel (ret.), Juha Wihersaari is a Doctoral Researcher and Member of the Russia Research Group at the Finnish National Defence University. He has a General Staff Officer’s Degree from 1993 and served in the Finnish Defence Forces until 2015. Wihersaari’s military experience includes positions mainly in Military Intelligence, where he served 26 years. During his career Wihersaari served twice as Defence Attaché: the first time in Eastern Europe (incl. Ukraine) and the second time in the Middle East (incl. Turkey). He also served five years as the Director of Finnish Signal Intelligence. Since 2016 Wihersaari has been the owner and Director of JITINT, a small intelligence and security company. His doctoral research is focused on Hybrid Warfare in the Russian Art of War: “Hybridisodankäynti venäläisessä sotataidossa”.

6. Bibliography

Bommakanti, Kartik: The Impact of cyber warfare on nuclear deterrence: A conceptual and empirical overview, Observer Research Foundation, 2018, https://www.orfonline.org/research/the-impact-of-cyber-warfare-on-nuclear-deterrence-a-conceptual-and-empiricaloverview-45305/

Cunningham, Conor: A Russian Federation Information Warfare Primer, Research report, The Henry M. Jackson School of International Studies, University of Washington, 12.11.2020, https://jsis.washington.edu/news/a-russian-federation-information-warfare-primer/

Galeotti, Mark: Putin’s hydra: Inside Russia’s intelligence services, Policy brief, European Council on Foreign Relations, 11.5.2016, https://ecfr.eu/publication/putins_hydra_inside_russias_intelligence_services/

Giles, Keir: Handbook of Russian Information Warfare, NATO Defence College, 2016, https://krypt3ia.files.wordpress.com/2016/12/fm_9.pdf

Lysenko, Volodymyr & Brooks, Catherine: Russian information troops, disinformation, and democracy, First Monday, Volume 23, Number 5, 7 May 2018, https://firstmonday.org/ojs/index.php/fm/article/download/8176/7201

Lilly, Biljana & Cheravitch, Joe: The Past, Present, and Future of Russia’s Cyber Strategy and Forces, 12th International Conference on Cyber Conflict, NATO CCDCOE Publications, Tallinn, 2020, https://ccdcoe.org/uploads/2020/05/CyCon_2020_8_Lilly_Cheravitch.pdf

Russian Cyber Units, Congressional Research Service, January 4, 2021, https://crsreports.congress.gov/product/pdf/IF/IF11718

Russian Military Intelligence: Background and Issues for Congress, Congressional Research Service, November 24, 2020, https://fas.org/sgp/crs/intel/R46616.pdf

Russia’s Most Dangerous Cyber Threat Groups, IntSights, http://wow.intsights.com/rs/071-ZWD-900/images/RussianAPTs.pdf

Stoutland, O & Pitts-Kiefer, Samantha: Nuclear weapons in the new cyber age, NTI, September 2018, https://media.nti.org/documents/Cyber_report_finalsmall.pdf

Voo, Julia & Hemani, Irfan & Jones, Simon & DeSombre, Winnona & Cassidy, Daniel & Schwarzenbach: National Cyber Power Index 2020, Belfer Center, Harvard Kennedy School, September 2020, https://www.belfercenter.org/sites/default/files/2020-09/NCPI_2020.pdf



Cyberwatch analysis, the Country outlook

Who are the Cyber superpowers?



US CYBER POLICY AND ITS PRIORITIES

Mirroring its foreign policy, the United States' view of the cyber sphere is driven by the goal of maintaining its position as a global leader and the only superpower. However, under the direction of President Biden this goal needs to be seen in the context of the domestic renewal of the United States, including strengthening the middle class and bolstering democratic processes. After the elections, cyber policy has not yet fully formed: there are some new elements and significant continuation. The direction of change can be seen in Alejandro Mayorkas’ proposed five core principles: championing a free and secure cyberspace; a focus on cyber resilience as well as defense; a risk-based approach, based on data; shared responsibility; and integrating diversity, equity and inclusion.

Biden took the oath of office as President of the United States on January 20, 2021, and immediately began dismantling a multitude of orders made by President Trump. His efforts to revitalise co-operation and to strengthen the role of the United States in international politics can be seen as a show of confidence in U.S. allies. Biden maintained this position at the Munich Security Conference in February 2021, where he emphasised the United States’ commitment to transatlantic relations and the importance of European security: “I’m sending a clear message to the world: America is back, and the Transatlantic relationship is back”. Notwithstanding Biden’s commitment to renewing democracy, the U.S. will remain a cyber security superpower and invest in the development of offensive cyber capabilities.

Despite the United States' commitment to being a key player in the cybersphere, there is still a lack of a consolidated strategy. In February 2021, Biden announced an “urgent initiative” to improve the nation's cybersecurity. This has been seen, for example, in software vendors being required to disclose breaches to their United States government users. The United States is still developing a cyber strategy that fits in line with its changing foreign policy. This will likely culminate when the new cyber director of CISA is appointed. The Biden administration has largely followed in Trump’s footsteps regarding the question of 5G. Continuing sanctions caused Huawei’s growth to slow down, largely in overseas sales; despite this, growth remained steady in China. This unenthusiastic stance towards Huawei is likely to remain, and with the adoption of 5G, alliances with different providers will prove an important choice for governments, with large political ramifications.

When developing their cyber strategy, the new administration of the United States has been forced to react to current challenges in the cybersphere. As director of the NSA, Paul Nakasone has reflected on the increasing capabilities of foreign nations to conduct cyber operations. As seen in the case of SolarWinds, supply chain attacks pose a widespread threat to many facets of the United States. In addition to the traditional harms of cyber-attacks such as data loss and influencing, supply chain attacks are often developed through the target nation's own infrastructure. These threats are not escalated to armed conflict, and thus they are able to exploit areas of hazy jurisdiction in the United States. The Biden administration's response to these threats has been a push for a more intensive cyber defense, creating larger costs for the attacker in the form of offensive capabilities. However, fears of attacks coming from within the United States still remain. The second challenge the United States government must account for is the apparent shortage of microchips. In order to maintain its status, the United States may be forced to repatriate supply.

THE FOUR KEY POINTS OF CYBER STRATEGY

The current US cyber strategy was drawn up in 2018 and includes four pillars, i.e. the main themes:

1. Defending the United States by protecting networks, systems, operations and data;

2. Supporting American well-being through digitalisation and innovation;

3. Maintaining a state of peace by developing an American cyber deterrent and, if necessary, punishing hostile actors; and

4. Protecting America from influence operations and promoting an open and secure Internet.

The practical measures of the program can be divided into four different areas. The first component is the electoral infrastructure, i.e. the election information systems and the communication between them, the databases of those entitled to vote, and the polling stations with their IT equipment and software. National and local authorities, as well as IT service providers, were supported in implementing the technical security of the electoral infrastructure. Secondly, CISA assisted candidates in securing their information systems by assessing risks and vulnerabilities and providing guidance on remediating them. In addition to the United States, several other countries have seen hacking incidents against party information systems in the run-up to elections, as well as the publication of negative information about specific candidates; there was a desire to prevent such influence. The third component is US citizens, who want to be protected from groundless media influence. Citizens were provided with information campaigns to help them identify information influencing and were warned about perceived disinformation campaigns. The fourth component is the Threat Intelligence and Operation Center, maintained by the authorities and the private sector, which attempted to identify hacking and influencing attempts in advance and to alert all parties involved in the election to the identified threats. Good preparation, close co-operation between the authorities and the private sector, and experience of hacking and influencing attempts in previous elections provided a good basis for ensuring the cyber security of the elections.

The first pillar of the strategy was tested last year as a result of the presidential election. Russia’s attempts to influence had already been identified early on and were predicted to increase as the election approached. Elections are the cornerstone of democracy; securing them is vital in every Western country. The Cybersecurity and Infrastructure Security Agency (CISA) considered the US presidential election of November 2020 to be the biggest cyber security challenge of 2020. Efforts were made to avoid any ambiguity as seen in previous elections, and CISA released a special Protect 2020 program at the beginning of the year. Under the Biden administration, it is unlikely that we will see a complete upheaval of the 2018 cyber security strategy. However, changes in line with Biden's aim of “renewing democracy” are likely; these will include revising the current cyber strategy from a more global perspective highlighting the role of allies. These changes will most probably occur after the appointment of the new head of CISA.
THE MAIN CONCERN IS THE VULNERABILITIES IN CYBER SECURITY AT THE PRIVATE SECTOR.

In the current state of cyber affairs, the main concern for the United States is not the armed forces or state administration, but rather the level of cyber security in the private sector. DHS (Department of Homeland Security) Secretary Alejandro Mayorkas stressed the need for the public and private sectors to work closely together to defend against, and respond to, rising cyber-attacks. Supply-side attacks have become more common, and the threat of “insider risk” is at an all-time high. In addition, with Biden’s $2 trillion pledge to improve infrastructure, cybersecurity will play a pivotal role: the United States has already fallen behind the EU and China in ensuring widespread cybersecurity.

The landscape of large companies in the United States proves to be the perfect arena for supply-side attacks. As seen in the SolarWinds case, the threat posed by entering through a subcontractor is much larger due to lower costs and a larger area of impact. Moreover, these attacks also have spillover effects on the government, which has had users compromised. There is a large negative externality that the companies must be made to internalise. Large companies in the United States also face the problem of a growing “insider threat”. The United States has, however, taken an active six-step approach in an attempt to limit accidental and witting leaks of information. In terms of cyber security, civilian technologies such as satellites are not on the same level as technology purely designed for the military, and they allow hostile cyber operations against the United States. In addition to the armed forces, critical infrastructure, and in particular the energy and financial sectors, is estimated to be most at risk due to its low level of cyber security. These areas will face an even larger threat of cyber-attacks if Biden's $2 trillion injection into infrastructure is not coupled with strict cybersecurity initiatives. On the whole, the United States is lagging behind in integrating cybersecurity into everyday life: the development of smart cities, the IoT and 5G, even as these technologies are growing as cyber intelligence tools.
The operational capacity of cyber counterintelligence will be improved in three areas. To develop cyber counterintelligence, a new intelligence unit will be established with the best technical expertise in cyber-threat intelligence in the United States. New tools and software are being developed to enhance cyber threat intelligence and improve situational awareness. In addition, co-operation and exchange of information between different security authorities and the private security sector will be intensified.

SOURCES:

https://www.governing.com/security/Underdefended-Americas-Vulnerable-Energy-Infrastructure.html

https://www.cisa.gov/sites/default/files/publications/ESI%20Strategic%20Plan_FINAL%202.7.20%20508.pdf

https://www.reuters.com/article/us-usa-biden-cyber-exclusive/exclusive-software-vendors-would-have-to-disclose-breaches-to-u-s-government-users-undernew-order-draft-idUSKBN2BH37I

https://www.cnet.com/news/huawei-ban-full-timeline-us-sanctions-china-5g-revenue-growth-china/

https://www.infosecurity-magazine.com/news/dhs-secretary-biden-admin/

https://www.cnn.com/2021/03/31/politics/infrastructure-proposal-biden-explainer/index.html

https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat


CHINA IS INVESTING HEAVILY IN THEIR CYBER CAPABILITIES

1. The Chinese cyber army is the largest in the world. The capabilities of the Chinese cyber army will be developed in the future primarily through new technologies such as artificial intelligence and quantum technology.

2. Offensive operations focus primarily on cyber espionage and hacking. Actual cyberattacks play a smaller role.

3. China’s cyber infrastructure is vulnerable. Hence, cyber defense plays an important role in the cyber strategy.

4. The United States is the main target of Chinese cyber warfare. Other targets include smaller states and ethnic groups that criticise Chinese policy, which are targeted by cyber influence as part of other means of hybrid influencing.

China's cyber warfare is managed by a unit of the PLA (People's Liberation Army) called the Strategic Support Force. The unit was established as part of the Chinese military reform in 2015 and is currently estimated to have a strength of 145,000 soldiers. Electronic and psychological warfare, as well as space warfare, also operate under the Strategic Support Force, so the number of actual cyber soldiers is only a fraction of the total strength. The United States, whose cyber army is built around U.S. Cyber Command, can be taken as a point of reference. At its core is Army Cyber Command, which directs information and cyber warfare as well as psychological warfare operations. In addition to Army Cyber Command’s 16,500 soldiers, the strength of the cyber forces includes cyber soldiers from other defense branches. In light of the data, it can be estimated that the actual strength of the cyber warfare forces of both countries is between 50 and 100 thousand soldiers. In addition, much like Russia, China is known to use hacker groups independent of the actual cyber army as middlemen in state-led cyber operations.

In cyber warfare, the number of soldiers is not as significant a factor as in many other areas of warfare. In assessing cyber warfare capabilities, other factors must be taken into account in addition to the actual cyber army. These include the ensemble consisting of research and development; the ICT industry; telecommunications infrastructure; the use of the Internet as a channel for diplomacy and ideology; and having a comprehensive cyber strategy. Taking all these aspects into account, China is not on a par with the United States. However, clear improvements have been seen in recent years in all areas, and especially in the area of technological development. China aims to take the lead from the U.S. in cyber capabilities by investing in research into artificial intelligence and quantum technology, as well as the development of new-era solutions in semiconductor technology and telecommunications.

The core focus of Chinese cyber operations is cyber espionage and hacking. Cyber espionage targets not only military targets but also private sector actors. Technology companies, the financial sector and the pharmaceutical industry are especially targeted. Current examples of the latter have been discovered, as Chinese hackers have been found to have hacked the systems of companies developing coronavirus vaccines. China's position as the world's leading manufacturer of ICT components creates a good foundation for spying on information systems and traffic, alongside more traditional means. Backdoors built into components and embedded systems make it easier to break into information systems than through traditional methods, leaving fewer clear traces of data breaches. The interest in industrial espionage in the technology sector is related to the ongoing race between the United States and China to be the world’s leading country economically and technologically. President Xi has set a goal of making China the world’s leading nation in science and technology by 2049. The United States still has a clear lead in technological development, and therefore the timetable for reaching China’s target is moderate. Cyber forces have been strongly harnessed to achieve this goal, and industrial espionage in this area is one of the key priorities for China’s cyber operations.

The position as leader in technology is a part of China’s broader goals, which are pursued not only through cyber espionage but also through traditional means of espionage. In addition to actual industrial espionage, China and the hacker groups it supports have committed data breaches that have targeted extensive customer databases. The three best-known targets are the hotel chain Marriott, the life insurance company Anthem and the finance company Equifax. Through hacking, China has gained extensive customer databases, especially of U.S. citizens. Motives for the personal data breaches have been speculated upon. The most likely reason is the desire of the Chinese intelligence service to identify potential sources of information and their personal weaknesses through health, financial and travel information. Such information is not normally available from open sources, and the combination of different sources of personal data can provide a comprehensive picture of an individual's personal situation and behaviour.

China’s ability to engage in offensive cyber operations is excellent, although it is not quite at the U.S. level. According to statistics, China is one of the most active sources of denial of service (DDoS) attacks, but these have primarily focused on the private sector rather than on national critical infrastructure or governments themselves, where cyber espionage plays the key role. The main underlying factor in China’s desire to develop its cyber influence capabilities is its own vulnerability to cyber operations. Notwithstanding the fact that China is one of the most active countries in the implementation of cyber espionage and attacks, it also ranks high in statistics on the countries targeted by cyber-attacks and malware, as well as in vulnerabilities in its information systems. Weaknesses in cyber defense and resilience were identified about ten years ago, and since then, investment in cyber capabilities has been systematic and rapid. Snowden’s revelations in 2013 about America’s plans to leverage Western IT technology against China gave further impetus for reform.

At the end of 2016, the Cyberspace Administration of China (CAC) published its first cyber strategy, the key objectives of which included ensuring national security through cyber means, protecting critical infrastructure and national cyber sovereignty. The latter objective means developing the self-sufficiency of ICT systems through proprietary operating systems, telecommunications technology and software. For example, China has lacked a vibrant cyber technology industry, which is now being mobilised as part of the development of national cyber security. China wants to create more global companies of the same magnitude and rank as Huawei.

China's main enemy in cyber and other activities is the United States. China is in a constant trade war with the United States, and in information and cyber warfare the countries are each other’s number one opponent. Recently, China has also been active in exposing US-sponsored cyber-attack and espionage cases. Last winter, the Chinese cyber security company Qihoo brought up a case which was also widely published in Western media. According to the news, the hacker group APT-39, supported by the U.S., had been spying on and disrupting Chinese airlines and air traffic control systems for more than a decade, as well as collecting passenger lists from flights operating at Chinese airports. The second most important opponents of China’s cyber warfare are states that prominently criticise Chinese policy. This group includes, for example, Hong Kong, Taiwan, South Korea, Indonesia and India. In addition, cyber-influencing is targeted at anti-Chinese ethnic groups such as Tibetans and especially Uighur activists.

China's most important cyber partner is Russia. In recent years, China and Russia have converged, especially in the use and development of ICT technology. Prominent examples of co-operation within the past year include Russia's decision to widely adopt Huawei technology, and the China-Russia co-operation agreement on the control of illegal online content.

SOURCES:
https://www.cfr.org/backgrounder/chinas-modernizing-military
https://www.cybercom.mil/Components/
https://carnegieendowment.org/2019/04/01/what-are-china-s-cyber-capabilities-and-intentions-pub-78734
https://asianmilitaryreview.com/2020/01/china-broadens-cyber-options/
https://technode.com/2020/04/30/china-to-impose-new-cybersecurity-rules-for-networks/
Roundtable – The Future of Cybersecurity across the Asia-Pacific. Asia Policy, vol. 15, no. 2 (4/2020), 57–114.
https://www.cpomagazine.com/cyber-security/chinese-hackers-off-to-a-busy-start-in-2020-with-massive-1q-cyber-espionage-campaign/
https://www.politico.com/story/2019/05/09/chinese-hackers-anthem-data-breach-1421341
https://blog.360totalsecurity.com/en/the-cia-hacking-group-apt-c-39-conducts-cyber-espionage-operation-on-chinas-critical-industries-for-11-years/
https://www.reuters.com/article/us-russia-china-internet-idUSKBN1WN1E7



INDIA

1. India’s cyber capabilities are currently limited in relation to the great powers, but their performance is evolving rapidly through important partnerships.

2. India is in a constant cyber war with China, North Korea and Pakistan. China’s effective cyber espionage poses a serious threat to European companies outsourcing IT services from India. Through the subcontracting chains of cyber security, India has a global impact on the development of digital and cyber security.

3. Numerous projects are underway in India to improve the level of cyber security. India’s importance and influence in the field of cyber security will grow rapidly in the coming years.

India wants to develop into a global superpower and expand its national cyber capabilities with this in mind. The ICT business is an important source of income for India, currently generating a turnover of around 200 billion USD. The figure is predicted to grow to 350 billion USD by 2025, by which time the ICT business would represent 38% of total business in India. Nevertheless, India’s cyber capabilities are still limited compared to the other great powers. For example, while the United States, China and Russia have had cyber warfare units for years, India was only able to organise its cyber warfare operations under one organisation last year. The first tasks of General Mohit Gupta, Commander of the Defense Cyber Agency established in autumn 2019, have been to create a doctrine of cyber warfare and to combine the separate cyber functions of the land, naval and air forces towards a common goal. The defense branches of the Indian Armed Forces have traditionally had an independent status and little co-operation, so joining the cyber forces presents challenges. The Defense Cyber Agency has also struggled with budgetary challenges, and General Gupta opened a political debate on the subject earlier this year by proposing that a 10% share of the state’s IT budget be used to fund cyber operations.

In regard to national security, cyber security is the responsibility of the Ministry of the Interior. Established in 2015, the Cybercrime Coordination Centre has focused on developing the cyber capability of the police authority. Since its establishment, the function has been expanded from the police authority to a separate division within the administration of the Ministry of the Interior. The Cyber and IT Security Division currently includes, for example, the CERT function, and it also creates national cyber security practices to be implemented in the Indian business community.

India relies on partners to develop its cyber capabilities. Within the last year, four important cooperation agreements have been announced. In addition to fintech and digitalisation, cyber security has been raised as a top priority for the traditionally strong partnership between the UK and India. At the end of last year, India and France signed a co-operation agreement concerning shared cyber intelligence, combating cyber threats related to 5G technology, security certification of software products, and research into artificial intelligence and quantum technology. In June, India signed a similar agreement with Australia, and one with Israel in July. Last year, the Indian CERT Center also signed a letter of intent with Traficom for the exchange of cyber security information. Alongside these cooperation projects, India is likely to significantly improve its cyber performance in the next 2-3 years.

India’s main cyber opponents are Pakistan, North Korea and China. Pakistan’s cyber capabilities are, at most, at India’s level, and its role as India’s cyber enemy is mainly limited to occasional hacking of government websites and harassment of authorities through social media. North Korea and China are much more serious opponents. According to the Indian CERT Center, in the spring and summer both countries carried out DDoS and phishing attacks causing extensive damage, especially to the IT infrastructure of the Indian government. In addition, in line with its strategy, China has been active in cyber espionage. China has been found to have broken into a number of public administration services as well as the information systems of multinational companies based in India. China knows that many large global companies have outsourced their IT services to India. This opens up the possibility of spying on large global companies as well, as the level of cyber security in this sector has been weak. This is also reflected in the interest and activities of cybercriminals in India.
For several years now, India has ranked among the most vulnerable countries in regard to cyber security. Investment in cyber security has not increased, even though over the past year more than half of large Indian companies had, according to their own estimates, suffered serious damage as a result of cyber-attacks and espionage. Although India is regarded as a superpower of IT services, not enough has been invested in the implementation of cyber security. Data centres located in India provide services to several Western companies and organisations. Deficiencies in cyber security, and in particular China’s activity in cyber espionage against India, therefore also pose a serious threat to Finnish and European companies. Cybercriminals and spies prefer to attack the information systems where hacking is easiest, which increases the likelihood of a so-called third-party risk scenario.

India is one of the fastest digitising countries in the world by almost every available metric. The share of people using the internet is growing rapidly, the number of terminals is growing intensively, and investment in telecommunications infrastructure is constantly increasing. The ICT sector has more than a million employees. India has recognised the importance of cyber security as part of digitalisation as a whole, and several government-sponsored projects have been launched over the past year to support cyber security development and education. The Ministries of the Interior, Defense and Transport are involved in cyber security projects. In addition, numerous cyber security coordination groups have been set up in the country as a collaboration between the private sector and academia. There is thus enough activity, but there are challenges in clarifying the management model. In particular, training is currently being strongly increased on a number of different fronts, and with the expansion of cyber awareness a clear change in work culture is expected. In Finland, it is often noted that cyber security issues are not addressed enough at steering group level in corporate organisations. In India, there has been positive development: surveys at the beginning of this year showed that about 70% of large Indian companies had a cyber security director sitting on the company’s management team or board.
The outlook for cyber security in India has recently changed in a positive direction. Developments are still fragmented and management models unclear, but the direction is right. Given the country’s vast resources and knowledge capital in the IT area, India has the full potential to become one of the great powers in cyber security in the coming years.

SOURCES:
https://www.indiatoday.in/india/story/china-north-korea-pakistan-cyber-attacks-warfare-india-websites-1693123-2020-06-26
https://www.ey.com/en_in/consulting/ey-global-information-security-survey-2020
https://eucyberdirect.eu/content_research/cyber-resilience-and-diplomacy-in-india/
https://www.dsci.in/sites/default/files/DSCI-Annual-Report-2019-20.pdf
https://www.ibef.org/industry/information-technology-india.aspx
Cyber Resilience and Diplomacy in India, EU Cyber Direct, 2019.



AFRICA

1. China and Russia have a geopolitical interest in Africa, and both trade with various African countries and invest in the area. Commercial activity also provides a good opportunity for both countries to influence decisions regarding technology, which can contribute to their goals in cyber operations.

2. The cyber warfare capabilities of African countries are still subpar. Nigeria is emerging as Africa’s leading country in cyber warfare.

3. Africa is susceptible to cybercrime and espionage. At a societal level, not enough has been invested in cyber security and only a few countries have cyber strategies or legislation. Citizens’ cyber skills and companies' investment in cyber security are inadequate and no rapid improvement is expected.

From a cyber security perspective, Africa, a continent comprising 54 countries, is very different from other continents. The telecommunications and technology infrastructure is underdeveloped, and technical know-how is very much in the hands of non-African companies and states. The same is true for other critical infrastructure. IT systems and equipment come almost entirely from outside the continent; there is no in-house production. The current situation could be regarded as typical of former colonies. Knowledge was in the hands of the former colonial power and was not transferred to the local population. Several former Asian colonies, most notably India, have been able to reverse the situation and are currently the world’s leading producers of ICT technology and services. African countries have not been able to develop technology and knowledge capital as effectively and are still highly dependent on external actors for cyber security.

The technology and knowledge gap has increased foreign investment in Africa in recent years. Of the former colonial powers, the United Kingdom, France and the Netherlands, as well as the United States, are generally at the forefront of foreign investment. More recently, however, China has also become one of the most active investors. In addition to investment, China is an active trading partner of several countries and has been actively involved in high-tech projects in Africa. Chinese network technology has been used to build telecommunications infrastructure, and several positioning systems built in Africa are based on the Chinese BeiDou navigation service. Russia is also an active trading partner, especially with countries in northern Africa. Russia exports arms to several African countries and has participated in the training of local armed forces. In addition, Russia, like China, has shown interest in high-tech exports. Foreign states are interested in Africa mainly for its natural resources, such as oil, agricultural raw materials and mining. Africa is currently experiencing a technological void in many areas, making it fertile ground for high-tech trade. Where the United States and much of Europe reject Chinese network technology, for example, Africa welcomes it with open arms. Indeed, Africa provides China and Russia with an excellent platform for their own cyber-influencing goals, which Western powers should keep in mind when operating in Africa.

The cyber capabilities of African armed forces have developed in recent years but are still at a very early stage. In the mid-2010s, various Ministries of Defense realised the need to develop cyber defense capabilities, and in recent years a few countries have established their first cyber warfare units. In this field, Nigeria is one of the most developed countries in Africa. The Nigerian military has announced that it will now also train in cyber warfare in its annual war exercise, Exercise Crocodile Smile. The exercise will be held in late 2020 and is reportedly the first cyber warfare exercise organised by the armed forces of an African country. The pressure to develop a cyber defence has arisen from two different factors. Other states, as well as international cybercriminals, have taken advantage of Africa’s undeveloped cyber defence capabilities by channeling cyber-attacks through Africa. African countries want to prevent the use of their telecommunications infrastructure as a platform for state actors and cybercrime operations. The other factor is the growing use of cyberspace by local criminal and terrorist groups. In Nigeria, for example, the Boko Haram terrorist organisation makes effective use of cyberspace to recruit members and spread its ideology. The State Security Service wants to address the situation through cyber operations. The armed forces of various countries are continually improving their cyber capabilities, but progress has been slow so far.
The number of Internet users in Africa is rising faster than citizens’ cyber skills are developing. At the beginning of 2020, there were approximately 570 million Internet users in Africa, representing just over 40% of the total population. The number of Internet users is predicted to exceed one billion by the end of the 2020s. Inadequate national cyber capability is a widely recognised problem. Every day, thousands of Africans connect a recycled IT device to the Internet for the first time in their lives, without guidance or knowledge of the basics of cyber security. The situation is not much better in the business sector. There is a limited number of employees with practical cyber security experience. The international organisation ISACA, which certifies security professionals, estimates that less than five percent of all security certificate holders in the world live in Africa. Africa leads the world in pirated software, and in Libya and Zimbabwe, for example, it is estimated that up to 90% of operating systems are unlicensed copies. An unlicensed operating system does not receive vital security updates, so the device is quickly infected with viruses and malware. In addition to weak protection, cybercriminals are also attracted by the lack of cyber law in Africa. Only about half of African countries have cyber legislation in place or under construction. Cybercriminals have been found to change the area in which they operate according to developments in legislation: once a state has enacted cyber security legislation including sanctions, criminals have moved to a country with weaker laws. Admittedly, the resources for cybercrime investigation are also more limited in Africa than in the rest of the world, so legislation per se is not a very strong deterrent. Cybercrime is growing rapidly in Africa, and unfortunately a sudden turn for the better cannot be predicted. Cyber security training opportunities are slowly increasing. Improving know-how will bring much-needed cyber security manpower but will also enable the skills to be used for criminal activity. Developments in cyber security legislation and other societal activism are important factors in changing attitudes to ensure that the next generation of cyber experts develops in the right direction.
About a year ago, the African Union Cybersecurity Expert Group (AUCSEG) was set up by the African Union to improve cooperation between countries. Their work is still at an early stage and their resources are limited, so the positive effects are likely to be seen only in the longer term. 

SOURCES:
https://www.tandfonline.com/doi/full/10.1080/1097198X.2019.1603527
https://army.mil.ng/?p=3659
https://www.defenceweb.co.za/cyber-defence/armscor-cybersecurity-unit-up-and-operational/
https://www.serianu.com/downloads/KenyaCyberSecurityReport2018.pdf



Cyberwatch Finland

A PASSION FOR A SAFE CYBER WORLD

We provide a situational picture and analysis of the ever-changing operating environment as a foundation for the development of cyber security of critical services and infrastructure.

We conduct a cyber risk analysis and use modern methods to support your organisation’s comprehensive risk management, including the implications of cyber security. You will also receive tailored and cost-effective solutions, for instance for staff training and the implementation of the most effective practices and new technology. Through our international network of experts, we bring forth the best specialists and technologies in the industry to support your cyber strategy. Working together, we can create a cyber culture that minimises risks and strengthens your organisation’s resilience to crises. Cyberwatch Finland strengthens the resilience of your organisation and helps prevent costly cyber disasters.


BENEFITS AND COMPETITIVE ADVANTAGES:

Improved situational awareness is the basis for better decision-making. Our clients can establish a holistic cyber security strategy, build situational awareness across the organisation, and take the necessary measures to build cyber resilience. We provide a comprehensive roadmap for a realistic cyber culture and cyber hygiene for your entire organisation. Our experts have the ability to interpret and present complex cyber world phenomena and developments in an easy-to-understand format, utilising the latest technology, easily adaptable methods, and various media formats. Our mission is to secure the functions of critical infrastructure as well as protect your organisation’s most valuable assets. We guide you to a solid cyber security culture that strengthens your organisation’s resilience to crises and reduces business risks. We provide a holistic understanding of the interdependence of people, practices and technology, and their development opportunities. We rely on the model of continuous improvement and boldly look for new business models.

COMPANY

Cyberwatch Finland’s strategic-level international expertise is based on experience and an extensive network of experts. Our mission is to be our clients’ most trusted partner. Therefore we are constantly looking for the best ways to create steady strategic cyber security roadmaps that raise your cyber security to the highest possible level.

Cyberwatch Finland Cyberwatch Finland Oy • Huopalahdentie 24, 00350 HELSINKI FINLAND www.cyberwatchfinland.fi


Cyberwatch Finland

FORMULATING A DEPENDABLE CYBER SECURITY WITH A COMPREHENSIVE APPROACH

Strategic cyber expertise requires a holistic view and understanding of the interdependencies of people, practices and technology, and the opportunities for development that they offer. Skilful cyber management in a digital operating environment requires reliable strategic cyber situational awareness and a cyber risk analysis tailored for your needs.

With the use of roadmaps designed to create a safer corporate culture, we train executive teams and governments to develop their cyber security as part of comprehensive crisis management and overall security, and to ensure future competitiveness. Cyberwatch Finland strengthens the resilience of your organisation and helps prevent costly cyber disasters.


OUR SERVICES

Cyber security strategies, risk analysis and roadmaps
We develop cyber security strategies, risk analyses and roadmaps for cities and municipalities, states, companies and organisations aimed at a safer corporate culture, based on extensive strategic expertise and experience. The end result of well-executed strategy planning and implementation is resilience: an organisation’s stronger crisis resilience and defence against cyber attacks.

Strategic situational awareness to support management and decision-making
A cyber security risk assessment is done to help determine your organisation’s capabilities and limitations in detecting, preventing and responding to evolving cyber threats.

Our expert reviews offer compact analyses of the most significant incidents in cyberspace, providing an extensive view of the background, cause and effect of each incident.

Modern education with e-learning and hybrid-learning methodologies

Risk analysis is a key tool in facilitating your cyber security planning. Together, we begin by identifying risks and threats in your operating environment and vulnerabilities in your own organisation in order to define the value and likelihood of each risk.

Strategic analysis and reports of the cyber world
On the basis of a comprehensive strategy, a concrete roadmap and capacity building plan will be created. It defines how cyber security should be managed and how people should be trained, what technologies and best practices are needed, as well as all the other necessary practical actions and resourcing.

AI-powered analysis and information services based on our expertise

As a conceptual service, we produce monthly reviews, tailored seminars, webinars, games, workshops, podcasts and learning development solutions by utilising the latest technology and an international network of experts.

Innovative and unique cyber security technologies

We support our customers in building resilient critical infrastructure through services and technical solutions that meet cybersecurity requirements at the highest level in a fast-changing world.


We think cyber. We talk business. We provide security.

MSFPartners.com

Gain transparency on your IT and OT/ICS security

Assessment approach
The Cybersecurity Maturity Assessment makes cybersecurity measurable – not only for today (static), but over time (dynamic).

Red Team Attack • What is it? Practical security test from an attacker’s point of view: Real-life test of how far an attacker would get in the current cybersecurity environment. • What does it test? Effectiveness and responsiveness of security measures (technology, processes and staff).

Security Maturity Assessment • What is it? Interview-based and holistic assessment of the security posture, usually based on a cybersecurity framework. • What does it test? Governance, risk management, organisation, roles & responsibilities, processes, technical cybersecurity measures and tools.

Holistic Security Assessment

Vulnerability Scan • What is it? Automated scan of the computer environment for known weaknesses (i.e. security holes). • What does it test? Infrastructure, network and applications. The scan is done from inside the company.

Breach Assessment • What is it? Real-life detection of successful hacking activities. Verify whether attackers have already got a foothold in the company. • What does it test? Scan for both traces of previous attacks and current suspicious network traffic with the help of software sensors.

© MSFPartners 2020

Our well-structured and tailored security maturity assessment for IT and OT/ICS will not only reveal the cybersecurity gaps to be addressed, but also deliver detailed recommendations on how to sustainably improve the security controls.

Work package: Risk- & Threat Analysis
Actions:
• Analyse crown jewels from a business point of view
• Analyse threat actors & potential impact on the enterprise
Deliverables:
• Report
• Workshop with Senior Management

Work package: Assessment
Actions:
• Review of existing policies, controls and processes
• Interviews with key staff
Deliverables:
• Report
• Workshop with Senior Management

Work package: Definition & prioritisation of measures
Actions:
• Analysis of all findings
• Compile prioritized action list (recommendations)
Deliverables:
• Report
• Workshop with Senior Management

Work package: Remediation program
Actions:
• Work out actionable remediation program with company’s key resources
Deliverables:
• Program and project plans
• Required resources (financials & staff)

www.msfpartners.com


Cyber Security challenges in Aviation and Maritime // Dr. Martti Lehto

MARTTI LEHTO
Dr. Martti Lehto (Military Sciences), Col (GS) (ret.), works as a Cyber Security Professor at the University of Jyväskylä in the Faculty of Information Technology. He has over 30 years’ experience as a developer and leader of C4ISR systems in the Finnish Defence Forces. He is now a cyber security and cyber defence researcher and teacher, and the pedagogical director of the Cyber Security MSc programme. He is also Adjunct Professor in Air and Cyber Warfare at the National Defence University. He has over 100 publications, research reports and articles in the areas of C4ISR systems, cyber security and defence, information warfare, air power and defence policy. Since 2001 he has been the Editor-in-Chief of the Military Magazine.

“The development of strategic cyber situational awareness requires the ability to produce analyzed information about the events in cyberspace and thus create the required situational awareness.”



INTRODUCTION

The transportation system is part of the critical national infrastructure. Transportation systems support the movement of people and goods at national and international levels and include the combination of vehicles, infrastructure and operations. Disruption of the transport network has significant impacts on the everyday life of citizens, national defence and security, and the vital functions of the state. This critical infrastructure is managed and maintained by a complex set of actors, each of whom tackles cyber security differently. The cyber security risk landscape in transport is currently evolving to the point where risks that were once considered unlikely have begun to occur with regularity. This ongoing trend can be attributed to the higher maturity of attack tools and methods, increased exposure, and the increased motivation of attackers. In the past, most attacks were conventional and the attackers were individuals or small groups. Nowadays, we see a new breed of attacks, targeted and sophisticated, where the attackers use advanced cyber weapons developed by intelligence, military or terror organizations. These attacks are called Advanced Persistent Threats (APTs), a term that usually refers to a group, such as a foreign government, with both the capability and the intent to target a specific entity persistently and effectively.

AVIATION

Aviation is a cornerstone of national and international commerce, trade, and tourism, which means even an isolated incident could spark a crisis of confidence in the entire sector. The potential impacts on stock market value, stability, and national gross domestic product make securing and protecting the connected aviation world a critical element of national security.


Cyber threats to the aviation sector are rapidly becoming a major issue for airlines, aircraft manufacturers and authorities. Cyber risk is significant and growing in the aviation sector, with 85% of airline CEOs expressing concern about cyber risk. For example, the civil aircraft manufacturer Airbus Group is hit by up to 12 cyberattacks per year, mostly in the form of ransomware and hostile actions carried out by state-sponsored attackers. According to a study by the European Aviation Security Agency (EASA), there is an average of 1,000 airport cyber-attacks per month. Cybersecurity is a growing concern for civil aviation, as organizations increasingly rely on electronic systems for critical parts of their operations, including safety-critical functions. A case study in the USA illustrates the situation. A team of experts from US Homeland Security remotely hacked a Boeing 757 parked at the airport in Atlantic City. The team received the airplane on September 19, 2016, and two days later an expert succeeded in accomplishing a remote, non-cooperative penetration. The civil aviation system consists of a patchwork of interconnected components, systems and networks, any of which could have vulnerabilities. The potential for cyber incidents that could jeopardize communications and information exchanges between the various aviation stakeholders, impact safety and security, and damage aviation business continuity has increased over the years. Cyber security management should be built into the aviation system at all levels and continuously, to manage current and future cyber threats and vulnerabilities. The levels are the international, national and business entity levels. The different fields in aviation include, for example, the manufacturers, airlines, maintenance, repair and overhaul organizations (MROs), airports, air navigation service providers and security service providers.

Cybersecurity encompasses the protection of electronic systems from malicious electronic attack (unlawful interference) and the means of dealing with the consequences of such attacks. An example of a cyber-attack against aviation: in 2015 an attack on the IT network of the Polish airline LOT caused at least 10 flights to be grounded. It was one of the first reported cases of hackers causing cancellations. LOT encountered an IT attack that affected its ground operation systems. As a result, LOT was not able to create flight plans, and outbound flights from Warsaw were not able to depart.


MARITIME

The maritime sector is a vital part of the global economy, whether it is carrying cargo, passengers or vehicles. Maritime digital transformation is part of the ongoing transition in traffic systems. With around 50,000 ships at sea or in port at any one time, the maritime transport industry is highly exposed to cyber-attacks. Vessels do not need to be attacked directly. An attack can arrive via a company’s shore-based Information Technology (IT) systems and very easily penetrate a ship’s critical onboard Operational Technology (OT) systems. These systems are used for a variety of purposes, including access control, navigation, traffic monitoring and information transmission. Although interconnectivity and the use of cyber systems facilitate transport, they can also present opportunities for exploitation, contributing to the risk to maritime systems. Several key issues make cybersecurity for the maritime industry particularly complex, challenging and confusing. There are many different classes of ships, tugs and boats, all of which operate in very different environments. These vessels tend to have different computer systems built into them. Many of those systems are designed to last no more than three decades. Put differently, many ships operate outdated and unsupported operating systems, which are the ones most prone to cyberattacks. Ships are increasingly using systems that rely on digitization, digitalization, integration and automation, which call for cyber risk management on board. As technology continues to develop, information technology and operational technology onboard ships are being networked together, and more frequently connected to the internet. The maritime technical environment consists of an interconnected system of systems of vessels, fairways and harbours. In this environment the cyber security of the connections will need to be ensured.
Securing the cyber aspects of an interconnected system hosted by multiple stakeholders requires a system-of-systems view of cyber security. ENISA has published an EU report on cyber security challenges in the maritime sector. This principal analysis highlights essential key insights, as well as existing initiatives, as a baseline for cyber security. High-level recommendations are given for addressing these risks; cyber threats are a growing menace, spreading to all industry sectors that rely on ICT systems. One key finding of the report is that maritime cyber security awareness is currently low to non-existent. A holistic, risk-based approach is needed, with an assessment of maritime-specific cyber risks as well as identification of all critical assets within this sector. One example of a cyber-attack against the maritime sector is the cyber breach affecting Cosco’s operations in the US Port of Long Beach on 24 July 2018, which affected the giant’s daily operations. The company’s network broke down, and some electronic communications were not available as a result.

CONCLUSION

Technical and economic development has led to networking and increasing interdependencies between production, services, transport and society as a whole. In recent years attacks against critical infrastructures, critical information infrastructures and internet-connected vehicles have become ever more frequent and complex because perpetrators have become more professional. There are several reasons for conducting cyber-attacks against the transportation sector. Due to the reliance of trade on the transport sector, an attack could be used to affect trade in general, or even to target a specific commodity and its availability. Airports can be targeted to affect tourism, material transportation or business travel. The greatest fear faced by transportation agencies is the potential for accidents, mass chaos, and even injuries or loss of life due to disruptions to critical infrastructure. Cyber security, as an essential part of critical infrastructure, will need to be ensured. Securing the cyber aspects of an interconnected transport system hosted by multiple stakeholders requires a system-of-systems view of cyber security. That means a holistic approach to cyber security that is considered at all decision levels of all stakeholders. The speed of innovation, technological advancement, and adversary capability is potentially outstripping policy and regulatory development in many areas of the transport ecosystem. This cyber security challenge will not be an easy one for the industry or for international and national policy leaders, but collaboratively tackling it is critical for getting ahead of adversaries as well as for understanding and subsequently mitigating the risks. Making transport systems resilient against cyber adversaries stretches from concept through design, assurance, supply, build, delivery, and operations.
With a shifting and evolving threat landscape that is growing as fast as the potential attack surface, managing risk and looking far enough ahead is a complex, multi-stakeholder challenge.

CYBERWATCH

FINLAND

|

33


The changing world needs new and agile methods to improve cyber security – it is easy to boost information security in companies!

Information security now! It is important that companies identify the material that they need to protect so that it can be protected efficiently. Complex isolated networks are not always as well isolated as you would think. The feasibility study (Toteutettavuustutkimus) conducted by the National Cyber Security Centre Finland successfully tested and developed new, agile and scalable methods for improving these areas.

What is TONTTU?

The words “cybersecurity” and “easy” are rarely found in the same sentence. This is one of the key issues that the feasibility study nicknamed TONTTU, run by the National Cyber Security Centre Finland of the Finnish Transport and Communications Agency Traficom, aimed to change. The ease of doing things is at centre stage when the aim is to improve the overall security of society on a larger scale. The overwhelming majority of Finnish companies are small or medium-sized. Hundreds or even thousands of them participate in implementing the critical functions of our society. The security solutions aimed at large companies rarely work for smaller companies that do not have special expertise or separate resources for cybersecurity. On the other hand, the schedules of the information security personnel of large companies are full of ongoing projects, which affects the availability of the existing resources. Regardless of the size of the company, it is likely that the resources are low. People are interested in easy ways to develop cybersecurity. Do such ways exist? This is what the TONTTU project studied together with 11 organisations critical to emergency supply – and the results did not disappoint. The project showed that the cybersecurity of society’s critical services can be improved with methods that are easy to implement. The organisations themselves felt that the pilot brought them direct and immediate benefits.

Key findings

The findings of the feasibility study included the following:
- Leaks in isolated information networks were found in nine organisations.
- Potential vulnerabilities were found in seven organisations’ own or their suppliers’ services.
- In two cases, suspicions of exploitation were also related to the vulnerabilities, one of which was confirmed for the working group. The suspected data breaches were not related to the operative networks.
- Data leaks in internet services becoming more common also affected the participants of the project.
- Seven organisations identified victims of data leaks among their personnel. Some of the participants had already identified the victims of a data leak earlier and started to train their personnel regularly to protect themselves and their working environment from the harmful effects of the leaks.

EDITOR’S NOTE: The original article was published on the National Cyber Security Centre Finland website https://www.kyberturvallisuuskeskus.fi/en/ajankohtaista/toteutettavuustutkimus


The TONTTU project once again shows the strength of Finnish co-operation and how a small country and its efficient ecosystem work as a great sandbox for almost any topic.


Your power hangs by a bit // Julia Vainio

For modern societies, a steady flow of electricity is essential. The infrastructure that upholds the entire electricity supply chain from production to distribution is considered critical infrastructure, and it is regulated closely. As the technology used to maintain the system develops, it provides more surface for both kinetic and non-kinetic attacks. Disrupting this supply chain would have cascading effects across society. In the past, security discussions around electricity systems have mainly focused on physical incidents in electricity networks and cyber incidents in information technology (IT) systems. Today’s electricity systems consist of integrated energy and communication networks, thus requiring an integrated view of physical and cyber requirements. The entire supply chain for electricity includes a variety of companies that organise the production, trading, marketing, transmission, and supply of electricity. Increased cross-border integration of markets, the digitalisation of operations, legacy systems and the real-time nature of the system, with its minimum-disturbance requirements, will place a significant burden on securing the sector from cyber threats. Cyber threats against individual power plants and electricity grids are well-known and documented. There are several regulatory contexts in the EU and the US in which cyber security risk mitigation frameworks and compliance measures are introduced and addressed. Of these, the EU’s Network and Information Systems Directive (NIS Directive) from 2016 is one of the most prominent sets of rules. The NIS Directive is currently undergoing a revision, with a proposed directive hopefully being implemented in the coming months. Even though electricity grids and networks have been established as critical infrastructure and as vulnerable to cyber attacks, the market aspect of the formula is often left unaccounted for. Risk analyses and cyber threat reports draw our attention to cyber risks related to Supervisory Control and Data Acquisition (SCADA) systems of individual power plants, or DDoS attacks on the physical grid and utilities. The institutions and establishments that deal with the business side of balancing the supply and demand of electricity often remain outside the scope of interest. It is somewhat as if a risk analyst described in great detail the cyber risks related to individual public companies and their supply chains but failed to mention the possible repercussions of Nasdaq being hit by a debilitating cyber attack.

HOW IS POWER TRADED?

A power exchange is essentially a trading platform that aims to satisfy the supply and demand for electricity in a market-efficient manner. In the European Union’s internal energy market, Nominated Electricity Market Operators (NEMOs) act as market operators in national or regional markets.



According to EU Regulation 2015/1222 of 24 July 2015 (the CACM Regulation), NEMOs work closely with Transmission System Operators (TSOs) to ensure security of energy supply, increased competitiveness, affordable prices, and the proper functioning of coupled markets. Power is most often exchanged through Day-ahead and Intraday markets. To read more about Day-ahead and Intraday trading, see the attached info box. Essentially, Day-ahead markets have so far been the more common ones: potential buyers and sellers place their bids before the day’s market, hence the name Day-ahead. With the rise of intermittent sources of electricity and the digitalisation of the electricity system, the Intraday market is gaining in popularity. Within the Intraday market, bidding and selling is done nonstop, thus making the market more responsive. For the future, the EU has set a goal of a fully integrated internal energy market, which would facilitate cross-border energy trading with non-discriminatory market access. Opening the market to various aggregators, prosumers, and distributed renewable generation requires greater use of ICT, such as various flexibility platforms, and a switch from Day-ahead markets towards more real-time exchange of data on Intraday markets. Another key development is the rapid pace of digitalisation of the European energy infrastructure and market. New technologies such as distributed renewable generation, smart metering, virtual power plants, and Internet of Things systems, topped with prosumers and the decentralisation of energy systems, will bring forth greater flexibility and efficiency. From a cyber security perspective, however, these improvements would require fast and continuous security analyses and decision-making processes for system operators, as well as secure data exchange routes close to real-time transactions. In addition, these developments require market operators and market exchanges themselves to pay more attention to cyber security risk mitigation strategies and data privacy issues.

WHY SHOULD WE BE WORRIED?

Switching from Day-ahead market logic towards more Intraday trading can significantly improve the effectiveness of power generation, transmission network management and market-related tasks. Response times become shorter and technical advancements make quick responses to outages possible. However, digitalisation of the energy sector translates to increased exposure to cyber incidents and attacks. Widespread connectivity and data collection require increased data security for customers, systems, and assets. Because power exchanges and electricity grid operations are thoroughly interlinked, a sudden loss of visibility into either part of the power exchange – Day-ahead or Intraday – would have very severe consequences for the entire supply chain. Both TSOs and distribution system operators (DSOs) would have limited information on where to deliver electricity to, and how much. Cross-border trade would suffer and there might be a risk of unbalancing the entire electricity system.

WHAT THREATS ARE THERE?

Power exchanges are a lucrative target for several different malign actors. Disrupting the exchange and thus corrupting the information TSOs and DSOs depend on for deliveries would benefit Advanced Persistent Threat (APT) actors as well as hacktivists or criminals targeting the exchange for ransom. Infiltrating the system and manipulating the existing exchange data could yield significant monetary returns for criminal groups or individuals. NEMOs operating power exchanges are subject to similar cyber threats as any other critical infrastructure provider. These include social engineering efforts, like the general office ICT-system hacks in Ukraine in 2015, through which the attackers gained access privileges to the SCADA and field systems; or exploitation of vulnerabilities in the outsourcing chain, as the recent massive SolarWinds hack and the Windows Exchange vulnerability have demonstrated. In the Microsoft Exchange zero-day attacks, adversaries have been able to access email accounts, steal data and drop malware on target machines for long-term remote access. According to various researchers, electricity companies are found among the affected parties. Recent events show how operators close to power exchange operators have already been hit. In May 2020, ELEXON, a company that facilitates payments on the UK electricity market, fell victim to a cyber attack when attackers using the REvil ransomware managed to access the company’s internal IT systems. The company had been running an outdated version of Pulse Secure, which was the backdoor the attackers exploited to gain access to the system. To the company’s good fortune, its Balancing and Settlement Code (BSC) Central Systems – essentially the systems that capture data on actual supply and demand volumes so that ELEXON can correctly bill the parties involved in either Day-ahead or Intraday trading – are hosted and operated by a third-party service provider. In this case, there was no communications link or data traffic between the BSC Central Systems and the internal ELEXON network which was compromised. The attackers later published confidential files and data, such as files containing staff passports, analysis data and enterprise renewal applications. Had the attackers gained access to the transaction data, they would have been able to disrupt one of the core functions of energy supply markets.

There are types of attack vectors that could be particularly harmful if targeted at power exchange operators. These are called False Data Injection (FDI) attacks, which can carry two types of motivation for the attacker: general damage and monetary gain. The cyber security of electrical networks has become increasingly challenging for TSOs because of the increased integration of communication devices into smart grid systems. Smart grid measurement devices in the field send data to the closest data collector device (an IP-based router) using radio frequency signals. This collected data is transferred to the central energy management system by a SCADA system. SCADA systems use firewalls to secure their communication networks. There are many possibilities for cyber attacks during this data exchange, from disrupting radio frequency devices to manipulating the firewall systems. If an attacker were able to gain knowledge of all system configuration information, such as grid topology information, system parameters, and details of the state estimation algorithm and bad data detection, they would have the ability to manipulate all meter measurements and launch a successful false data injection campaign. However, in real life this is rarely the case, and the attacker has less-than-perfect system information and faces constraints. An attacker who then participates in a virtual bidding process on either the Day-ahead or the Intraday market would inject the false data into the electricity grid’s measurement devices. The idea would be to buy virtual power at lower-priced nodes and sell it back at higher-priced nodes. To avoid detection by the TSO, the attacker would need to take into consideration the actual physical constraints in the given power system, such as load balance and power flow constraints. The aim of the attacker would be to inject false data into the measurement system to maximize its profit by trading in the Day-ahead and Intraday markets. Figure 1 illustrates the interrelation of false data injections and the attacker’s profit as a virtual bidder.

Figure 1 AHMADIAN et al. 2019 Modelling Cyber Attacks on Electricity Market Using Mathematical Programming with Equilibrium Constraints

WHAT CAN WE DO?

An adequate level of cyber security should be a non-negotiable part of any modern power exchange’s security strategy. Power exchanges are a critical factor in the constant availability and affordability of electricity. As European cyber security strategies and the NIS directives show, there is a strong need for normative instruments from both European and national authorities. These can include rules, regulations and directives, obligations for audits, or mandatory cyber security schemes. Economic instruments, such as clear financial incentives for reaching set goals, could be an attractive lever for market actors. Power exchange companies themselves must implement a ‘security first’ approach in design, and demand this from their subcontractors and new market entrants, such as smart meters which integrate energy and communication systems in their design. Power exchange ICT personnel need regular training on cyber security matters. In addition, there needs to be increased cross-border exchange of information between NEMOs on cyber security frameworks and best practices, as well as clearly defined contact persons for any affected customers or shareholders in case of an incident.

JULIA VAINIO Julia Vainio works in the public sector as an Information Security Officer. Previously, she was seconded as the first Finnish Subject Matter Expert on energy security at the NATO Energy Security Centre of Excellence, where she was responsible for strategic analysis on electricity and gas networks. Her alma mater is the University of Turku, from where she graduated as Master of Social Sciences.

Wholesale electricity markets

In the Day-ahead market, a closed blind auction is conducted once a day, all year round, with the aim of trading all hours of the following day during that auction. Following the auction, the NEMO produces aggregated curves based on the willingness of participants to sell or buy electricity at their determined volumes and prices. Then a single price for each hour is set where the sell-price and buy-price curves meet, considering network constraints. Members of the power exchange trade most of their electricity through Day-ahead markets. The most common members include utilities, municipal and regional suppliers, banks and financial service providers, electricity trading companies, energy-intensive industries, transmission and distribution system operators, and aggregators with either power plant pools or virtual power plants. The Intraday market is a continuous trading venue, where market participants trade 24 hours a day with same-day deliveries. This method allows for a high level of flexibility, as electricity can be traded up to 5 minutes before delivery and through hourly, half-hourly or quarter-hourly contracts. Intraday markets have become more popular as the energy transition has evolved. With increased production from intermittent sources of electricity, such as wind or solar, intraday trading balances the Day-ahead market. A well-functioning Intraday market will also reduce the need for additional cost reserves, as electricity is able to flow within its allocated capacities around the entire market. Currently, there are tens of different market zones in Europe, and a total of 16 NEMOs that are responsible for these market operations. A NEMO can also operate in member states other than its original designation, thus offering its trading services as a “passporting NEMO”. As an example, Nord Pool – owned by Nordic TSOs – enables participants to trade Day-ahead in 15 countries and across 21 bidding zones, and its overall trade volumes are around 500 TWh annually.


The importance of operational technology in the built environment you operate in // Hanna Pikkusaari

MANAGING OPERATIONAL RISKS THROUGH SILOS

In an average 50,000 m² office building there may be tens of thousands of sensors and other IoT devices and maybe dozens of different management and control systems in a smart or not-so-smart building environment. The fire alarm system alone may have dependencies on several networks or network segments. And still the procurement process is usually not as meticulous and target-oriented as in IT sourcing.



Operational Technology (OT) has evolved in the shadows. When it comes to the built environment alone, it is an extremely complicated environment running the heart and soul of a building and providing opportunities for wider cooperation - the smart cities. But before we can get there and be a part of the ecosystem, we have to become aware that OT is actually an enabler for IT and for the whole business - any business. The unseen problem in the built environment is that in a construction project the life cycle management is often forgotten in the purchase process and the dependencies are not understood - not even considered. The future is not taken into consideration when the investors only purchase for a construction project - even though they would consider and follow the carbon neutrality ambitions. And what does this cause? It causes trouble for the project and for the life cycle management. When you don’t have an array of specialists looking after the huge number of dependencies and requirements, you can’t succeed without a huge bucket of luck when ramping up and starting to use all the important OT (operational technology) and services almost at the same time. And after the project, when you didn’t have someone setting the requirements for the life cycle management before purchasing the complicated systems and the network environments, you get only repair debt on day one. And when you don’t have the information and cybersecurity (ICS) specialist on board, you get a swaying house of cards. I don’t think there is such a thing as a smart building. Not yet. Even the Smart Readiness Indicator for Buildings (SRI) doesn’t direct to actual measures. You get what you measure, but you don’t get a smart building by following those guidelines. It’s important to notice that the concept of SRI is about readiness. But when introducing enterprise architecture (EA) and committing the construction project and the life cycle management to follow an EA framework spiced up with SRI, that’s when you are close to the goal.

HANNA PIKKUSAARI Smart Technology Advisor, Speaker and Educator, Osaango Ltd. Hanna has more than fifteen years of experience in information and operational technology related business process and service development. Hanna’s most recent responsibilities include operational and property technology (OT and PropTech) and IoT related change program leadership, information and cyber security, continuity, and enterprise architecture in one of Finland’s biggest retail companies and a significant property owner and user, K Group. Before leaping from IT service development to OT and PropTech Hanna oversaw implementation projects from machine learning and serverless big data environments to marketing automation, RFID, and many things in between. Hanna has a Diploma in Leadership, BBA in IT and university studies from University of Helsinki in theoretical and applied physics and mathematics. Osaango Ltd. has been listed as one of the key players in the global API management market forecast 2020-2025 by Market Data Forecast.



In an IT environment an ICS audit process can be challenging but doable. The focus is usually clear and it delivers understandable documentation of the as-is situation and a task list to proceed by. But in the OT (operational technology) environment, if you perform an ICS audit just before the launch to find and fix last-minute defects, it’s way too late. I would like to pose a question to everyone near or inside the construction and lifecycle management of the built environment: how do you take on this challenge? I have learned that we have to understand the dependencies and the consequences of the processes, and we have to understand the customers’ needs and encourage them to take ownership of the topic. And I have also learned that it’s not about single decision makers but about the whole industry changing its perspective, ambitions and goals. We have to find square one and build the future with stronger know-how and unified targets.

So, to sum up the above, leading and managing operational technology is all about risk management. It’s about the power, ability and courage to make cross-functional decisions impacting all the strongly built silos. And it changes the starting position of a complex project. It requires a totally new perspective and new know-how in an industry where IT and OT are going to follow the same path and learn from each other. OT (operational technology) is the enabler for any business, and that’s why the goals should be set and the risks should be managed by the business. The architecture is complex and the dependencies are strong, and some of them are critical. That’s why visible and understandable OT is better than hidden and secret.



When Excel isn’t enough anymore!

4Ks ERM - software for comprehensive and centralized risk management.

4Ks toimisto@4ks.fi

www.4ks.fi


Hellenberg International has a 25-year record in assisting public and private clients in critical infrastructure protection and crisis management related projects. Our senior team has been contracted by the European Commission (DG Home Affairs, DG Enterprise, DG ECHO etc.), the United Nations, the Ministry of Defence of Finland and NATO.

We have been serving major international corporations such as AVSECO, SAAB, MTR, Airbus, Finnair and Siemens. We have been interacting with the US State Department, the US Ministry of Energy, Rosatom, the Singapore Civil Defence Force and many others.

www.hellenberg.org

Your employees can stop 99% of all online attacks. Make them your strongest link. https://hygiene.badrap.io/watch/


Telecoms new normal // Mika Lauhde

On August 5th 2020 the US started a systematic process to splinter the global internet. The US government released a policy that leveraged US information service providers to force the rest of the digital economy to exclude Chinese businesses. This was not happening in one single cut, but in several steps. The first major step was the US “Clean Path” program, launched in April 2020, which was designed to pressure European operators to avoid purchasing 5G equipment from Huawei and ZTE and in this way establish China-free connectivity between the US and its embassies around the world. But this has now had a wider, and perhaps different, impact than the US government originally intended. One of the reasons is Covid-19, which made clear to all countries that 5G, and future telecom generations, can be equally essential tools in fighting a pandemic and a shrinking economy, in the same way as the national competence to develop a vaccine. Countries around the world, those that consider themselves to have fair competences to take an active role in future telecommunication development, started gearing up different approaches to meet their national goals, both technical and commercial: from national supply chain creation all the way to national IPR (intellectual property) ownership regulations. The tool for making this next telecom miracle happen on national soil is called OpenRAN or Open Radio Access Network (O-RAN). The concept is based on interoperability and standardization of RAN elements, including a unified interconnection standard for white-box hardware and open source software elements from different vendors. In other words, creating a telecom solution which is not controlled or developed by any single vendor but is a joint global effort, including both software and hardware. And there are now several “OpenRAN” industry organizations competing over who will create the winning OpenRAN solution, from the US Department of Defense to current operators and SME companies. According to the US “National Strategy for Critical and Emerging Technologies”, published in October 2020, there is a clear view that telecommunication leadership should be moved into US hands and that there will be no room for equal partnerships. And the US has a clear software development competence advantage coming from the huge footprint of operating systems (both PC and mobile devices) and the ecosystems supporting those. And the US has reserved 750 million USD to make this happen. But creating an OpenRAN free of Chinese and European manufacturers will not happen without a counter-reaction. India has also taken a bold move to ensure its national telecommunications. As the Indian Ministry of Telecommunications stated in January 2021, the Indian telecom core should be Indian. The subsidies that Indian companies are now receiving are far beyond what Chinese or European vendors are getting from their governments. But the Indian government is also thinking in a similar way to the US: that vendors need to move their R&D, manufacturing, intellectual property, etc. to Indian soil to be able to carry on selling their products now, and in this way gradually support the building of Indian national competence. And already now, some Indian companies are making statements about having OpenRAN technology available for Indian operators. The Japanese government published a similar report, from Japan’s slightly longer-term target setting to lead 6G worldwide, and is therefore investing almost 500 million USD this year and a considerable amount of money in coming years in local telecom development. According to the plan, the Japanese core should be ready in the year 2025, only four years from now. This should happen through Japanese private companies, academia and the National Institute of Information and Communications Technology, which works under the telecom ministry. And the US–Fujitsu 5G radio is already incorporating technology for OpenRAN macro sites and greenfield networks. The European Commission is thinking about OpenRAN as well.
The EU has just made a decision to boost the creation of digital sovereignty, which will happen through financial controls, ecosystem creation, technology development and protection of European companies and their IPRs from hostile takeovers. Naturally Ericsson and Nokia could gain from this, but the intention is to have European SME industry join as well, and to avoid the financing leaking outside the EU as has been happening so far. The EU Commission might consider giving support for this area through the Horizon programme, together with the wish that Nokia and Ericsson would be part of that and contribute to this work, but nothing concrete is on the table. And the list goes on. Germany has reserved 2 billion € of economic stimulus money for OpenRAN, the UK’s network diversity strategy has 250 million £ to support OpenRAN, and South Korea, China and others all claim similar intentions. Whether these intentions are commercially or technically feasible is another issue, but just now they serve the agenda of how governments respond to the lack of vaccines for hospitals or of bandwidth and national control for telecom networks. Conventional telecom equipment vendors like Huawei, Nokia, Ericsson and Cisco have not been eager to claim that technologies like OpenRAN would be able to change the world yet. After all, the areas where OpenRAN is not very good are security, interoperability, scalability, increased operational complexity, total cost of operation, etc. And somebody should solve those issues. OpenRAN will not go away. It will live in parallel with the current technology ecosystem, and will therefore generate fragmentation in the current technology field. Even if OpenRAN would never be as cost-efficient, high-performance, advanced, etc. as solutions made with dedicated hardware, the number of countries developing it, availability, political reasons and national ownership might overrule those facts.

AND THE END GAME WITH OPENRAN?

The end game of OpenRAN could naturally play out in many different ways, but there are similarities to one previous historical event, the "Star Wars" strategic initiative declared by President Reagan in 1983. It made a technically almost impossible promise and led to heavy economic spending, mainly on the US and Russian sides, without generating any real added value for anyone. This time the economic impact might hit entirely different countries (those now investing heavily in national OpenRAN). If these countries do not join their fragmented national OpenRAN projects into one globally standardised and certified solution (for example under 3GPP), the final winner might, against all odds, be an OpenRAN based on OPS-5G (led by DARPA under the US Department of Defense), even though its impact on the industry is currently considered the smallest, and a new division of global telecommunication suppliers might follow, especially in western countries. In that case Europe would be in exactly the same situation with telecom as it is with chipset technology: there is no such technology in Europe anymore.

MIKA LAUHDE Global Vice-President, Cybersecurity & Privacy, Huawei

CYBERWATCH

FINLAND

|

45


Next step: development of cyber security competence // Pertti Kuokkanen

ONE CHALLENGE FOR OUR CYBER ENVIRONMENT

The continuously developing ICT platform currently consists of a triad: the fifth generation of mobile telephony (5G), the Internet of Things (IoT) and artificial intelligence (AI). With every new day the IoT is increasingly present in daily life, comprising a network of sensors, devices, machines and robots. The capabilities of AI grow every day, and 5G is more and more present in our environment. The IoT-AI-5G triad is the foundation for a change of the current human life paradigm to a new one, a 'smart human society' based on innovation. This challenge needs understanding, and understanding needs education, which produces competencies.

AIMING FOR EXCELLENCE AT DIFFERENT LEVELS OF SOCIETY

Strong national cyber security requires the necessary skills and broad participation at all levels of society. Producers of digital solutions and services need to be able to make secure devices and services. Citizens, in turn, need to be able to use the services of the digital information society safely and to identify the risks associated with the use of different devices, products and services. The content and learning pathways of the education system should be designed so that it produces more mature experts for the needs of business and society, and so that there are enough opportunities for updating skills and cyber security competence in specific areas.

DEVELOPMENT OF CYBER SECURITY EDUCATION AND TRAINING

The planning of cybersecurity education considers the cybersecurity competence needs of both the business community and public administration. Firstly, early childhood education lays the foundations for children to understand how to use the products and services of the digital society safely. Secondly, basic education ensures that young people have adequate skills to operate in a digital environment and that they understand and protect themselves from cyber security threats. Thirdly, high school education expands and deepens these skills and lays the foundation for industry-specific expertise in higher education. Professional training should, where appropriate, include cyber security issues as part of the basic professional skills of the field: safe operation in the digital environment and the related skills must be integrated into studies in a way that suits the profession, regardless of the student and the profession. Lastly, to develop professional and complementary cyber security expertise, competence paths are planned that utilise existing content and create new content where necessary. International activities cannot be forgotten; joint cyber security training should be considered centrally, regardless of industry. It is good to utilise virtual implementations and other cost-effective solutions when organising training.

STRENGTHENING COOPERATION ON CYBER SECURITY EXERCISES

Close co-operation between authorities, industry and organisations in cyber security exercises improves the value chains that are critical to the functioning of society. Common cyber training environments are utilised in cyber security training activities, and at the same time the continuity of training activities and cross-administrative guidance are ensured.

CURRENT EDUCATIONAL ASPECTS IN PRACTICE

Cyber competence can be built through education provided that the structure and content of teacher preparation reflect current trends in ICT in education, that the content and forms of training are selected according to the types of information activity involved, and that educational and cognitive activities are focused on professional practice. Since teachers are insufficiently prepared to introduce cyber courses into the educational process, it is necessary to add tasks that build the cyber literacy of teachers, as part of their professional development, and of students. The modern world is in quarantine due to the COVID-19 virus, so MOOCs (Massive Open Online Courses), Claned and other education platforms are of interest not only to students but also to teachers. After all, online courses today are an impulse for teachers to learn distance learning technologies that will let them prepare future professionals to a high standard. As most of them have no experience in developing their own distance learning courses, the procedure for creating and conducting a MOOC or similar course proved to be a difficult but interesting process. Using MOOCs to improve the skills of teachers in professional pre-higher education is possible with modern facilities and software, provided that pedagogical, academic and research staff are ready to master media technology competencies and that the motivational basis for the professional competence of future professionals is in place. Thus it was found that MOOCs within in-service education for teachers of professional pre-higher education improve not only professional competencies but also cyber and media education.

AS A RESULT, THE RESILIENCE OF SOCIETY IS SIGNIFICANTLY IMPROVED.

To ensure the best effectiveness, the degree studies produced by the cybersecurity education system must be planned in co-operation with various actors, and the content of the studies must be regularly updated to meet the needs of these actors, also taking into account the needs of ordinary citizens to update their skills.

PERTTI KUOKKANEN Senior adviser, project manager. Pertti Kuokkanen, Colonel (ret.), PhD (Politics), is a DOM- and LEAN-certified international expert on cyber issues. He has over 25 years of experience in change management and training projects in different organisations and a track record of successful leadership in complex ICT projects and training. He has served as a member of the organising committee of the ECCWS and ICCSM and has worked as a senior advisor at Cyberwatch since 2018.

References:
https://link.springer.com/chapter/10.1007/978-981-15-8206-6_13 “Safety and Security in Knowledge Landscapes”
Ehdotus valtioneuvoston periaatepäätökseksi kyberturvallisuuden kehittämisohjelmasta 13.1.2021 (Proposal for a Government resolution on the cyber security development programme, 13 January 2021)
https://apcz.umk.pl/czasopisma/index.php/PPS/article/view/PPS.2021.07.01.004 “Use of massive open online courses to develop media educational competence of teachers of professional pre-higher education institutions.”


Cyberwatch Finland

QUARTERLY REVIEW

Q1 2021


CONTENT

1. Country Analysis: The United Kingdom

2. User Authentication Methods that are More Secure than Passwords

3. The Cyber Security of Industrial Automation Systems

4. Cybercrime Progress Report

The first quarterly review of 2021 begins, as usual, with a country analysis; this time the UK is the subject. The UK has been a driving force in cyber security in the EU. The impact of Brexit on the overall cyber security of Europe varies from industry to industry, but generally the negative effects are smaller than expected. Over the past year, the UK has set up a National Cyber Force to unite the cyber capabilities of the military, police and intelligence services to protect the country from terrorists, cybercriminals and foreign cyber influence. The unit is a consequence of the so-called 'Fusion Doctrine' thinking, in which industry-specific expertise is concentrated into a single organisation under a single management model. Could this be a solution to improve Finland's disorderly cyber defence?

Weak passwords are traditionally the biggest threat to cyber security. Studies show that a third of ransomware attacks and more than half of intrusions into information systems are carried out using exposed or hacked passwords. Multi-factor identification, so-called strong identification, has found its way into many information systems and online services and has significantly improved their security. Completely password-less identification is a possible option for eliminating password vulnerabilities.

The potential threat to industrial automation systems has increased. State-led cyber actors test the defences of systems and their ability to return to normal operation. Automation systems are targeted by cyber attacks as a means of hybrid operations and to undermine public confidence in the vital functions of society. Automation systems, of increasing interest to cybercriminals, will be exposed to more targeted, complex and better equipped attacks in the future.

Cybercrime is on the rise while traditional crime is on a moderate decline. The popularity of cybercrime is due to its cost-effective implementation, the lower risk of getting caught and the lesser consequences. The intelligence services of the great powers use proxies, so-called APT groups, for hacking and other illegal cyber operations. Cybercrime has traditionally required good IT skills, but it can now also be ordered as a service, making its methods available to other criminals. In the fight against cybercriminals, the emphasis is on up-to-date cyber awareness and threat intelligence, which can be used to prevent previously identified threats.



1. COUNTRY ANALYSIS: THE UNITED KINGDOM

1. The UK is gathering its offensive cyber forces into the new National Cyber Force (NCF). Organising on the basis of shared skills and resources is part of a new doctrine that authorities in other countries should take note of.

2. The National Cyber Security Centre (NCSC) takes on a key role as the guarantor and developer of cyber security in society. The NCSC, together with its European sister organisations, must ensure that the maintenance of cyber security situational awareness and the management of anomalies continue despite Brexit.

3. Brexit has had less of an impact on overall cyber security in Europe than expected. Trade co-operation and labour mobility are decreasing, but the exchange of information between countries, which is important for cyber security, continues as before.

Last November, Boris Johnson, the Prime Minister of the United Kingdom, announced the establishment of a new unit capable of offensive cyber operations. The new unit is called the National Cyber Force (NCF) and is staffed by cyber professionals brought in from four different organisations: the Government Communications Headquarters (GCHQ), the foreign intelligence service MI6, and the Ministry of Defence and its Defence Science and Technology Laboratory (DSTL). Until now, each organisation has had its own offensive cyber security unit. Offensive cyber activity aims to proactively eliminate or weaken the capabilities of those who pose a threat to cyber security; offensive measures thus prevent cyber threats from materialising and reduce the pressure on defence. For example, terrorist communication can be disrupted and recruitment websites closed; electoral interference can be prevented by closing troll accounts, and hostile services can be subjected to denial-of-service attacks. There has been cooperation between the organisations in the past: in particular, the Ministry of Defence and GCHQ have worked closely together to carry out targeted attacks as well as long-term interference against terrorist organisations' information operations and communications. The NCF brings offensive cyber expertise and technology together in one unit, making it easier to manage and further develop their operations. At the moment the unit employs a few hundred people, but the goal is to increase the number of staff tenfold during this decade.



Organising on the basis of skills and resources is still rare among public authorities, both in the UK and internationally. Joint working groups have been set up between authorities, but their management has been kept strictly within operational silos. The police, army and intelligence cyber forces have operated separately, but this time the intention is to bring similar expertise and technology together under one organisation. The core tasks of the NCF are all cyber operations in support of national security, from disrupting terrorist communications and combating cybercrime to countering cyber attacks by other states and carrying out offensive operations. The NCF represents the 'Fusion Doctrine' thinking that originated in the British government's 2018 policy. It states that activities based on the same expertise and resources should be merged into the same unit in every area of public administration where it is deemed necessary, but especially in security-related activities. This new doctrine has been seen as necessary to counter more complex attacks, especially as hybrid operations and warfare become more prevalent. Internationally, the doctrine is also seen as a clear step forward compared to previous operating models. In the United States, for example, cyber expertise and resources are scattered among the NSA, CIA, FBI and military. The doctrine's potential for implementing cyber security should be openly assessed in other countries, Finland included.

In terms of defensive cyber security, the key player in the UK is the National Cyber Security Centre (NCSC). The NCSC has a role similar to our Cyber Security Centre in maintaining societal cyber security: it manages the UK's national cyber security situational awareness and incident management and acts as an important advisor to the business sector on the practical implementation of cyber security. The NCSC disseminates cyber security awareness, provides training materials and monitors the quality of education from elementary school to university. Private training companies can also have their training packages certified by the NCSC. Like our Cyber Security Centre, the NCSC tests cyber security products and assigns them security ratings. In the future, the role of the NCSC, together with its European sister organisations, will be to ensure that cyber security situational awareness and the management of anomalies continue at a high level despite Brexit.

The impact of Brexit on the overall picture of cyber security in Europe varies by industry but remains insignificant overall. The EU General Data Protection Regulation and the NIS Directive on network security had already been transposed into UK law before Brexit, so security in these areas remains at the same level as in the EU. Militarily, cooperation with the EU will continue as before through NATO, and defence technology collaboration will continue without significant changes. With regard to border control and the police, the United Kingdom was at risk of being excluded from Europol's intelligence systems and the Schengen border control systems, both of which play a key role in monitoring the movement of terrorists and criminals in Europe. According to recent discussions, a cooperation mechanism is in the works to allow information to be exchanged as before. Independently of the EU, intelligence collaboration continues under intelligence cooperation agreements: the so-called "5/9/14 Eyes" agreements, the latter two of which also involve EU countries, guarantee the exchange of information despite Brexit. In addition, the UK has bilateral agreements with various countries that allow cyber security threat information to be transferred between them.

The UK, like many other countries, suffers from a shortage of cyber professionals. Leaving the EU will inevitably affect labour mobility and slow the growth in the number of cyber professionals. The impact on the cyber security software and service market is similar: despite the special arrangements, additional bureaucracy around cross-border trade has slowed cooperation.

SOURCES:
https://globalriskinsights.com/2021/01/uk-government-announces-new-national-cyber-force/
https://www.gchq.gov.uk/news/national-cyber-force
https://www.army-technology.com/features/national-cyber-force-defending-the-cyber-domain/
https://rusi.org/commentary/fusion-doctrine-one-year
https://www.ncsc.gov.uk/
https://www.kcl.ac.uk/cyber-security-brexit-and-beyond



2. USER AUTHENTICATION METHODS THAT ARE MORE SECURE THAN PASSWORDS

1. Traditionally, weak passwords have been the biggest threat to cyber security. Studies show that a third of ransomware attacks and more than half of intrusions into information systems are carried out using weak passwords.

2. Several solutions have been developed to replace passwords, but implementation has been hampered by slow standardisation and the additional technological costs. In recent years, regulations in various fields have begun to require strong, i.e., multi-factor, user identification, which has accelerated the introduction of common solutions.

3. The mobile phone has become a widespread basic component of strong authentication and has been used as a replacement for passwords.

4. There are numerous strong identification back-end systems on the market. Taking into account the user experience in the implementation of new identification methods is important so that it can be widely adopted.

Username and password identification has been used since the beginning of information systems. Even today it is the most common method of user authentication in information systems and applications. The username identifies the person using the system, and the purpose of the password is to ensure that they are the real owner of the username. Within an organisation, a username is often public information, since it is used to find other users in the organisation with whom one needs to communicate. The password, on the other hand, is confidential information that should be in the possession of the user only. Passwords are therefore a critical component of cyber security: if a third party finds out a user's password, they gain access to information systems, information and IT resources they could not otherwise reach. Password security depends on keeping the password private and on using a password that is not easy to guess or to determine technically. The password should therefore be sufficiently long, preferably random, and not a real word.



Hacking passwords is one of the most popular ways for cybercriminals to gain access to a targeted information system. According to research, about half of the intrusions into information systems have been made by finding out a user's password; in these cases the first entry into the system took place using an existing user's account. About a third of the rapidly increasing ransomware infections have been spread by exploiting passwords. The inadequacy of passwords has been common knowledge from the beginning, and various ways have been developed to improve their quality. Password quality requirements can be configured in most operating systems, forcing users to set passwords that are long and complex enough and to change them regularly. In addition, user training plays an important role in teaching users the requirements of a secure password, thus reducing the risk posed by weak ones.

Other identification methods can also be used in information systems. The three basic factors for identifying a user are a personal feature (biometrics), a device in the user's possession that generates an access code, and information the user knows, i.e. a password or a PIN code. Identification based on a personal feature, i.e. biometrics, is often difficult to implement: fingerprint or face recognition systems have hitherto required expensive devices as well as a multimodal biometric management system. Recently such systems have been implemented without additional equipment, for example Microsoft's Windows Hello, which uses the camera built into the computer. The device in the possession of the user can be, for example, an identification device connected to the USB port, a so-called token, or a smart card, the use of which is also protected by a PIN. In this case so-called strong identification is used: an object in the possession of the user (the smart card) combined with information in the possession of the user (the PIN).

Over the last couple of decades, tokens have been adopted as an authentication method to replace passwords. Large-scale deployment has been difficult due to the slow development of standardisation and the reluctance of device manufacturers to integrate token readers into, for example, laptops. Other similar methods have not succeeded either, mainly because the additional hardware and identity management systems would be used only for user authentication and are therefore an additional cost compared to passwords. The mobile phone, on the other hand, is owned by the majority of citizens and is increasingly used as a means of user identification. Like a smart card, a mobile phone combines the two basic components of user identification: a device held by the user and secret information only in their possession. Mobile phone authentication therefore meets the requirements for strong user authentication, and since information system users already own a mobile phone, there is no additional hardware cost for user identification. In recent years the PSD2 standard, which regulates the security of digital banking services, domestic banks and the payment card companies Visa and MasterCard have also taught Finnish consumers to use mobile phones for strong user authentication. Mobile authentication seems to have produced positive user experiences, as few people long for one-time password lists; mobile phone use is perceived as a safe and easy way to authenticate in online services. Numerous mobile phone identification systems are available on the market, and technically none of them is superior to the others. The lack of system-level standardisation means that each organisation has to make its own decision on whether to implement strong user authentication. However, the end-user experience is largely the same regardless of the system: the network service sends an authentication request to the registered phone, and the user confirms it with a PIN or a biometric feature. Additional security can be implemented with an authenticator application installed on the phone, in which case the application generates a one-time password to confirm the authentication request. The end-user experience therefore plays a key role in improving the security of user authentication: if end users do not adopt the new method or find it too cumbersome, the method falls out of use no matter how technically secure it may be.

SOURCES:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/950063/Cyber_Security_Breaches_Survey_2019_-_Main_Report_-_revised_V2.pdf
https://www.precisesecurity.com/articles/weak-passwords-caused-30-of-ransomware-infections-in-2019/
UK's National Cyber Security Centre, Cyber Security Breaches Survey 2019
https://www.securitymagazine.com/articles/91572-weak-passwords-caused-30-of-ransomware-infections-in-2019
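The mobile confirmation flow just described, as an added example that is not part of the original review: an RFC 6238 time-based one-time password (TOTP) with both sides of the exchange, the service that issues the request and verifies the code, and the phone app that computes it. The Service and PhoneApp classes, the 120-second request lifetime and the one-step clock-drift window are this example's own assumptions; the secret and timestamps used in run_flow are the RFC test-vector values.

```python
# Added example (not the review's own code): RFC 6238 TOTP for the mobile
# authentication flow described above; Service/PhoneApp are constructed stand-ins.
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

STEP_SECONDS = 30       # RFC 6238 default time step
DIGITS = 6
DRIFT_STEPS = 1         # accept one step either side to absorb phone clock skew (assumption)
REQUEST_LIFETIME = 120  # seconds a pending request stays confirmable (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


@dataclass
class AuthRequest:
    """The request the network service pushes to the user's registered phone."""
    username: str
    request_id: str
    issued_at: int


@dataclass
class Service:
    """Network-service side: holds enrolled secrets, issues requests, verifies codes."""
    enrolled: dict = field(default_factory=dict)        # username -> shared secret
    pending: dict = field(default_factory=dict)         # request_id -> AuthRequest
    last_step_used: dict = field(default_factory=dict)  # username -> last accepted time step

    def enroll(self, username: str, secret: bytes = b"") -> bytes:
        # The secret is provisioned to the phone once at enrolment (e.g. as a QR code).
        self.enrolled[username] = secret or secrets.token_bytes(20)
        return self.enrolled[username]

    def request_authentication(self, username: str, now: int) -> AuthRequest:
        req = AuthRequest(username, secrets.token_hex(8), now)
        self.pending[req.request_id] = req
        return req

    def confirm(self, request_id: str, code: str, now: int) -> bool:
        req = self.pending.get(request_id)
        if req is None or now - req.issued_at > REQUEST_LIFETIME:
            return False                  # unknown, already consumed, or stale request
        secret = self.enrolled[req.username]
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self.last_step_used.get(req.username, -1):
                continue                  # replay protection: a time step is accepted only once
            if hmac.compare_digest(hotp(secret, step), code):  # constant-time comparison
                self.last_step_used[req.username] = step
                del self.pending[request_id]                   # each request confirms once
                return True
        return False


@dataclass
class PhoneApp:
    """Phone side: the authenticator app computes the code from its copy of the secret."""
    secret: bytes
    clock_skew: int = 0   # seconds the phone clock runs ahead (+) or behind (-) the service

    def respond(self, now: int) -> str:
        return totp(self.secret, now + self.clock_skew)


def run_flow(now: int = 1_111_111_109) -> dict:
    """One valid confirmation, then the cases a service must reject or tolerate.
    The default 'now' and the secret are RFC 6238 test-vector values, so codes are reproducible."""
    service = Service()
    phone = PhoneApp(service.enroll("alice", b"12345678901234567890"))
    outcome = {}
    req = service.request_authentication("alice", now)
    code = phone.respond(now)
    outcome["valid_code_accepted"] = service.confirm(req.request_id, code, now)
    outcome["same_request_replayed"] = service.confirm(req.request_id, code, now)
    req = service.request_authentication("alice", now)                # new request, same step
    outcome["code_reused_in_same_step"] = service.confirm(req.request_id, code, now)
    req = service.request_authentication("alice", now + 2)            # next 30-second step
    outcome["next_step_code_accepted"] = service.confirm(req.request_id, phone.respond(now + 2), now + 2)
    req = service.request_authentication("alice", now + 40)
    good = phone.respond(now + 40)
    tampered = good[:-1] + str((int(good[-1]) + 1) % 10)             # one digit altered in transit
    outcome["tampered_code_rejected"] = not service.confirm(req.request_id, tampered, now + 40)
    slow_phone = PhoneApp(service.enrolled["alice"], clock_skew=-25)  # phone clock 25 s behind
    req = service.request_authentication("alice", now + 100)
    outcome["skewed_clock_tolerated"] = service.confirm(req.request_id, slow_phone.respond(now + 100), now + 100)
    req = service.request_authentication("alice", now + 150)
    outcome["stale_request_rejected"] = not service.confirm(req.request_id, phone.respond(now + 300), now + 300)
    return outcome
```

run_flow() reports which cases the service accepted: a consumed request, a code reused within its time step and a stale request are rejected, while a phone clock a few seconds behind is still tolerated by the drift window.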



3. THE CYBER SECURITY OF INDUSTRIAL AUTOMATION SYSTEMS

1. Automation systems are often used to operate and monitor critical infrastructure. Older automation systems suffer from a number of cyber security issues that are laborious to fix.

2. Automation systems are being connected to the Internet, exposing them to the same cyber threats as other IT systems. Automation systems are attractive targets for cyber attacks due to their poor protection and substantial repercussions.

3. Industrial automation systems are also the target of hybrid operations. State actors are testing the operation of the systems and their ability to return to normal.

4. In the future, automation systems will be exposed to more targeted, complex and better developed attacks. Automation systems are of increasing interest to cybercriminals.

Industrial automation systems are a key component of critical infrastructure: they are used to monitor and control, for example, the distribution of electricity and water. Automation systems based on different standards have been implemented for decades, long before the global networking that began in the 1990s. One of the oldest standards for automation systems is SCADA (Supervisory Control and Data Acquisition), which is still in use. SCADA systems have traditionally been physically separated from other networks because control and monitoring took place from the system's control room and there was no need for remote connections. Physical isolation has been an effective security control, but it has also had negative effects on the security of the systems: old automation systems have not been updated at the same pace as other IT systems, and obsolete versions of software and operating systems are widely used. Versions of Windows XP and 7, for which security updates have been unavailable for years, are still widely used as part of older automation systems. In addition, over the years the systems have been hard-coded with default passwords, and operations management has not been designed with possible denial-of-service attacks in mind. Automation systems are now being connected to the public network and to traditional IT systems. In this context the term IT/OT often occurs, which refers to the combination of traditional IT systems and industrial automation



(OT = Operational Technology). The reason for connecting systems to the Internet is the need to use them remotely, as well as the need for real-time operation in which controlled and monitored devices communicate directly with each other. When a closed system is connected to the Internet or other IT infrastructure, it is exposed to the same security risks as other IT systems. In newer automation systems security has been taken into account, but the security of older systems as such is not at a level where connecting them to the Internet would be risk-free.

There have been surprisingly few successful attacks on automation systems given their poor security and the considerable impact an attacker can achieve. Perhaps the most famous attack on automation systems dates back ten years, when the Stuxnet worm was spread to an Iranian uranium enrichment plant via a USB memory stick and was eventually able to damage the centrifuges used for enrichment. Since then the world has experienced numerous serious attacks on automation systems, such as the NotPetya malware in 2017. Ukraine was the main target of the Russian NotPetya malware, but it also spread effectively to the rest of the world, halting the Danish shipping company Maersk and causing more than 1 billion euros in financial damage globally. One of the more recent serious attacks is the paralysis of the electricity distribution network in Mumbai, India, by a group of Chinese hackers. According to ICS-CERT, the U.S. organisation for the cyber security of automation systems, there are a few hundred serious cyber attacks on automation systems each year, and the number is growing. In Finland only one successful cyber attack on automation systems has been recorded: in 2015 the heating system of an apartment building in Lappeenranta collapsed as a result of a denial-of-service attack. It was a distributed denial-of-service (DDoS) attack whose target was outside Finland; the condominium's equipment was used as part of the attack, it could not withstand the drastically increased network load, and the heating system stopped working.

Critical infrastructure attacks are often part of other states' hybrid operations, and also an experiment on the infrastructure: how a target responds to an attack and how quickly it can restore vital functions. Much of the critical infrastructure, such as energy production and transport, is based on industrial automation systems. The role of automation systems in maintaining national defence capabilities is significant, so protecting them even in the event of a military conflict is important. Critical infrastructure is also of increasing interest to cybercriminals, who aim to profit financially in the form of ransoms demanded in a ransomware attack. Attributing attacks on critical infrastructure is increasingly difficult: the objective may be a state's hybrid operation, criminals' financial gain, or industrial espionage by competitors, and in most cases the party seeking the profit does not carry out the cyber attack itself but uses a third party.

The security of automation systems is being actively improved. According to an American study, critical infrastructure operators invest most in improving user management, logging, and encryption of telecommunications connections. Isolation of automation networks from the public network by means of new-generation firewalls, as well as physical isolation, are also popular methods. New systems are built with security features that do not need to be fixed later, and backup methods have been further developed: the distribution of electricity or water is not entirely dependent on information systems, as operations can also be controlled manually.

Despite improved security, automation systems remain on the list of the most attractive targets for cyber attacks. The trend leans towards more precise and diverse attacks: increasingly, cyber attacks target specific critical infrastructure players, and the attack methods are selected on the basis of vulnerabilities identified in the target. Ransomware attacks on automation systems will also increase. In addition to hybrid operations, actual cybercrime is increasingly targeting critical infrastructure and its automation systems.

SOURCES:
https://mumbaimirror.indiatimes.com/mumbai/cover-story/oct-12-blackout-was-a-sabotage/articleshow/79312959.cms
https://svenska.yle.fi/artikel/2016/11/07/smaltande-i-ishall-och-kallt-i-flera-hus-natverksattack-stallde-till-det-i
https://yle.fi/uutiset/3-9278183
https://safety4sea.com/cm-maersk-line-surviving-from-a-cyber-attack/
https://www.fortinet.com/content/dam/fortinet/assets/white-papers/WP-Independent-Study-Pinpoints-Significant-Scada-ICS-Cybersecurity-Risks.pdf
Mutsuo, N., Hirufomi, H. (2017). ”An Analysis of the Actual Status of Recent Cyberattacks on Critical Infrastructures”, NEC Technical Journal, vol 12/2017. https://www.nec.com/en/global/techrep/journal/g17/n02/170204.html
https://www.cisa.gov/sites/default/files/publications/Securing_Industrial_Control_Systems_S508C.pdf

CYBERWATCH FINLAND | 55


4. CYBERCRIME PROGRESS REPORT

1. Cybercrime is on the rise while traditional crime is in moderate decline. The reasons for the popularity of cybercrime are its cost-effective implementation, the lower risk of getting caught and the lesser consequences.

2. The superpowers use cybercriminals for illegal information collection and cyber operations. Cybercrime can also be used as a tool in hybrid operations.

3. Cybercrime has traditionally required good IT skills. It can also be ordered as a service, making cybercrime methods available to all.

4. Up-to-date cyber situational awareness and threat intelligence make it possible to prevent cybercrime: threat intelligence is the next step in the future of cyber defence.

Cybercrime's share of the overall field of crime is constantly growing. The amount of cybercrime increased by about 70% in 2014-20, while other crime is in moderate decline. In this context, cybercrime refers to illegal activities that either directly target information systems or use information technology as the main tool for committing crimes. Worldwide, the most common forms of cybercrime have been the disruption of information systems through malware or DDoS, as well as hacking. Approximately 1,300 cybercrime cases were reported in Finland in 2019, and preliminary estimates for 2020 predict that the number will increase to approximately 1,500. Finland differs from the global trend in that the majority of cybercrime is conducted through hacking, and only a small proportion of cases involve the disruption of information systems or networks. A large part of domestic data breaches target the personal e-mail or other online service account of an individual or a company employee.

The motives of cybercriminals vary, but most often they are driven by the pursuit of financial gain. Cybercrime has become integrated with organised crime, and it is often used to raise funds for criminal organisations' other activities. In addition, cybercrime is much more cost-effective, and the risk of being caught and the consequences are often lesser than in traditional crime. Besides organised crime, cybercrime is also committed by individuals. According to a study conducted in Finland, the motives of domestic individual cybercriminals were often to test their IT skills, or a dispute with the target person or organisation.

Cybercrime is increasingly becoming a state-run activity. Some states use cybercriminals as so-called proxies to conceal their own illegal activities, and because the cybercriminals have the methods and know-how to achieve the desired goals. The use of proxies in cyber operations is usually not driven solely by economic objectives; instead they are used mostly for intelligence, cyber espionage and political interference. State-funded and state-led cybercrime groups are commonly referred to as APTs (Advanced Persistent Threats).
In addition, APT is also a name used for targeted cyber attacks and malware. APT groups are not just any criminals, but usually have an ideological or political connection to the state that funds their activities. Some APT groups operate solely on behalf of the state, and other groups may conduct their own, economically driven criminal activities as well. All the great powers take advantage of APT groups, although the most prominent users are China, Russia, Iran and North Korea. Security companies that provide tools against malware give each APT group a unique identifier; in FireEye's scheme it is a number. An example is APT31, which targeted the Finnish Parliament in the autumn of 2020; China is suspected of being behind APT31. The group specialises in intrusions targeting various countries' administrations, the defence and aerospace industries, telecommunications, media and insurance companies.

When commissioned by states, APT groups typically perform cyber espionage, but they also carry out disruption operations when desired, especially against critical infrastructure, to test the infrastructure's security and recovery. They may also conduct hybrid operations, in which case the aim is to undermine the target's overall image and confidence in public services. For example, data breaches in health care undermine citizens' trust in health services, which in turn can affect the stability of society.

In recent years, cybercrime has evolved into a service business, Cybercrime-as-a-Service, or CaaS. The term can mean conducting cyber attacks on behalf of another and/or the manufacture and sale of criminal tooling. As a service, a series of denial-of-service attacks on a desired target can be bought, or the supplier can be paid to spy on the target and collect data through hacking. Other actors specialise in developing software to be used as a tool in cybercrime. In particular, target-specific, custom-developed ransomware programs are on the rise. If customised malware is too expensive, ransomware toolkits are also available to help criminals make simpler malware themselves. Cybercrime has traditionally required good IT skills, but the tools and methods of cybercrime are also available to other criminals through the cybercrime service industry.
In addition, the elements of cybercrime can be used more easily as part of other crimes. For example, in a burglary a cyber attack can disable alarm systems, making it easier to commit the main crime against the target.

It is possible to fight cybercrime, but an even better outcome can be achieved if preparation is done in advance. Preparedness is helped by identifying threats and knowing the operating methods. The various APT groups and their activities are constantly monitored around the world, and the modes of operation of these cyber attacks are analysed in depth. By knowing the attackers who specialise in your field, and their operating strategies and methods, it is possible to develop the security of your own IT infrastructure successfully. In cyber security, this kind of anticipation is known as threat intelligence, which unfortunately many domestic organisations have yet to include in their own security operations. Threat intelligence goes beyond normal SOC (Security Operations Center) operations: it not only responds to attack information generated by sensors, but also seeks to anticipate the most likely attacks, their perpetrators, motives and practices. The introduction of threat intelligence is the next significant step in building the future of cyber defence.

SOURCES:
https://www.cyber-observer.com/cyber-news-29-statistics-for-2020-cyber-observer/
https://www.statista.com/topics/780/crime/
https://poliisi.fi/blogi/-/blogs/tietoverkkorikollisuus-poliisin-silmin-2019-2020
https://www.fireeye.com/current-threats/apt-groups.html#undisclosed
Maurer, Tim. Cyber Mercenaries: The State, Hackers, and Power. Cambridge, 2018.
Pajunen, Iina. Tietojärjestelmiin kohdistuvat rikokset Suomessa. Master's thesis. University of Jyväskylä, 2020.
https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting
https://cybernews.com/security/crimeware-as-a-service-model-is-sweeping-over-the-cybercrime-world/
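The step from "knowing which groups target your sector" to something a SOC can act on is turning the published indicators and techniques into detection logic run over your own telemetry. The example below is added here to illustrate that step; it is not code from the magazine or from any vendor. The threat-intelligence feed and the log lines are constructed for the example (reserved .example/.test names, RFC 5737 documentation addresses, a hash of a made-up string, and invented group names), and the log format is a simple key=value line assumed for readability. A real feed (a STIX bundle, a MISP event, a vendor APT report) carries the same shapes of indicator, and real logs would come from DNS, proxy and EDR sources.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict

# --- Constructed threat-intelligence feed (not real indicators) ---------------------
# Each record: the indicator value, its type, and the group and technique it is
# attributed to. Reports commonly "defang" indicators ("[.]"), so refang() is needed.
SAMPLE_HASH = hashlib.sha256(b"constructed dropper sample").hexdigest()
INDICATORS = [
    {"group": "Group A (constructed)", "type": "domain", "value": "update-cdn[.]example",
     "ttp": "C2 over HTTPS to a CDN look-alike domain"},
    {"group": "Group A (constructed)", "type": "cidr", "value": "198.51.100.0/24",
     "ttp": "Leased C2 infrastructure"},
    {"group": "Group B (constructed)", "type": "sha256", "value": SAMPLE_HASH,
     "ttp": "Dropper written to the user's temp directory"},
]

# --- Constructed log sample: 'timestamp key=value key=value ...' per line ----------
LOGS = f"""\
2021-03-02T08:14:05Z host=ws-17 type=dns query=update-cdn.example answer=198.51.100.23
2021-03-02T08:14:07Z host=ws-17 type=conn dst=198.51.100.23 dport=443 proto=tcp
2021-03-02T08:20:41Z host=ws-17 type=file sha256={SAMPLE_HASH} path=C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe
2021-03-02T09:01:12Z host=srv-db type=conn dst=203.0.113.9 dport=22 proto=tcp
2021-03-02T09:05:30Z host=ws-03 type=dns query=intranet.corp.test answer=10.0.0.5
"""

HASH_RE = re.compile(r"[0-9a-f]{64}")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def refang(value: str) -> str:
    """Undo report-style defanging ("[.]", "hxxp://") so the indicator is comparable."""
    return (value.replace("[.]", ".").replace("hxxps://", "https://")
            .replace("hxxp://", "http://").lower())


def parse_line(line: str) -> dict:
    """Split one log line into {'ts': ..., key: value, ...}."""
    ts, *pairs = line.split()
    fields = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def indicator_matches(ind: dict, value: str) -> bool:
    """Type-aware comparison: subdomains match a domain indicator, any address inside
    a CIDR matches a network indicator, hashes must match exactly (case-insensitive)."""
    v = value.lower()
    iv = refang(ind["value"])
    if ind["type"] == "domain":
        return DOMAIN_RE.fullmatch(v) is not None and (v == iv or v.endswith("." + iv))
    if ind["type"] == "cidr":
        try:
            return ipaddress.ip_address(v) in ipaddress.ip_network(iv, strict=False)
        except ValueError:
            return False  # value is not an IP address at all
    if ind["type"] == "sha256":
        return HASH_RE.fullmatch(v) is not None and v == iv
    return False


def match_indicators(logs: str, indicators=INDICATORS) -> list:
    """Run every indicator over every field of every line; one hit per (line, indicator)."""
    hits = []
    for line in logs.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        for ind in indicators:
            for key, value in fields.items():
                if key != "ts" and indicator_matches(ind, value):
                    hits.append({"ts": fields["ts"], "host": fields.get("host", "?"),
                                 "field": key, "value": value,
                                 "group": ind["group"], "ttp": ind["ttp"]})
                    break
    return hits


def summarize(hits: list) -> dict:
    """Per-host view: which attributed groups' indicators were seen on that host."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["group"])
    return dict(by_host)


if __name__ == "__main__":
    found = match_indicators(LOGS)
    for h in found:
        print(f'{h["ts"]} {h["host"]}: {h["field"]}={h["value"]} -> {h["group"]} / {h["ttp"]}')
    print(summarize(found))
```

Running it shows three events on ws-17 that together match two groups' indicators (a DNS lookup, the follow-up connection into the C2 range, and a dropper hash), while the SSH connection from srv-db and the internal DNS lookup from ws-03 match nothing. The per-host summary is the piece that distinguishes threat intelligence from plain alerting: a single domain hit is noise, but a host touching a group's domain, its network and its tooling in the same morning is that group's documented intrusion chain, which is what the analyst should be reading the APT report for.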

EXAMPLES OF PROMINENT APT GROUPS (Source: FireEye)

State | Name | Typical targets
Iran | APT39 | The Middle East, telecommunications, personal registers
Iran | APT35 | USA, Western Europe, cyber espionage, VIP persons
Iran | APT33 | USA, Saudi Arabia, South Korea, energy sector, aviation industry
China | APT40 | Cyber espionage in support of China's foreign infrastructure projects ("Belt and Road")
China | APT31 | State administrations, the defence and aviation industry, cyber espionage
China | APT30 | ASEAN (Association of Southeast Asian Nations) members
North Korea | APT38 | Finance sector, cryptocurrencies, pharmaceutical industry (COVID vaccines); also known as "Lazarus"
North Korea | APT37 | South Korea, Japan, Vietnam, electronics industry, aviation industry, health care
Russia | APT29 | USA, Western Europe, cyber espionage, pharmaceutical industry (COVID vaccines)
Russia | APT28 | Eastern Europe, NATO countries, defence industry



QUARTERLY REVIEW Q1/2021

CONTENTS
1. Country analysis – United Kingdom
2. Authentication methods safer than passwords
3. Cyber security of industrial automation systems
4. Cybercrime progress report

The first quarterly review of 2021 opens, as is customary, with a country analysis. This time the turn goes to the United Kingdom, which has been one of the driving forces of cyber security in the EU.

The effects of Brexit on the overall picture of European cyber security vary by sector, but on the whole the negative effects remain smaller than anticipated. Over the past year the United Kingdom has established a National Cyber Force unit, whose purpose is to combine the cyber capabilities of the military, the police and the intelligence services to protect the country from terrorists, cyber criminals and cyber influence operations by foreign states. The unit is a consequence of so-called Fusion Doctrine thinking, in which expertise relating to a particular field is concentrated in the same organisation and under a single management model. Could this be one possible solution for sharpening Finland's fragmented cyber defence?

Weak passwords have traditionally been among the greatest threats to cyber security. According to studies, a third of ransomware attacks and more than half of intrusions into information systems are carried out with leaked or cracked passwords. Two-factor, or so-called strong, authentication has found its way into many information systems and online services and has substantially improved their security. Fully passwordless user authentication can also be a serious option when the weaknesses of passwords are to be eliminated.

The threat potential of industrial automation systems has risen. State-led cyber actors test the systems' defences and their ability to recover to normal operation. Cyber attacks are also directed at automation systems as a tool of hybrid influence, seeking to weaken citizens' trust in society's vital functions. In the future, automation systems will face more targeted, more complex and better-prepared attacks. Automation systems are also of increasing interest to cyber criminals.

Cybercrime is growing while traditional crime is in moderate decline. The popularity of cybercrime is explained by its cost-effective implementation and a lower risk of being caught and of consequences than in other crime. The intelligence services of the great powers use so-called APT groups as intermediaries, or proxies, for data breaches and other illegal cyber operations. Cybercrime has traditionally required good IT skills. Today cybercrimes can also be ordered as a service, which puts the methods of cybercrime within reach of other criminals as well. In combating cyber criminals, an up-to-date cyber situational picture and threat intelligence are emphasised; at best these make it possible to pre-empt threats that have been detected in advance.



1. COUNTRY ANALYSIS – UNITED KINGDOM

1. The United Kingdom is combining its offensive cyber forces into a new National Cyber Force (NCF) unit. Organising around shared expertise and resources is part of a new doctrine from which the authorities of other countries could also learn.

2. The role of the National Cyber Security Centre (NCSC) as the guarantor and developer of society's cyber security is central. Together with its European sister organisations, the NCSC must ensure that the maintenance of the cyber security situational picture and incident management continue at their current level despite Brexit.

3. The impact of Brexit on the overall picture of European cyber security will be smaller than assumed. Commercial cooperation and labour mobility will slow down, but the exchange of information between countries, which matters for cyber security, continues almost as before.

Last November the British Prime Minister Boris Johnson announced the establishment of a new unit capable of offensive cyber operations. The new unit is called the National Cyber Force (NCF), and its core is formed of cyber professionals transferring from four organisations: the signals intelligence agency Government Communications Headquarters (GCHQ), the foreign intelligence service MI6, the Ministry of Defence and its research laboratory, the Defence Science and Technology Laboratory (DSTL). Until now, each of these organisations has had its own offensive cyber units.

Offensive cyber activity aims proactively to eliminate or degrade the operational capability of parties that endanger cyber security. Offensive measures thus prevent a cyber threat from materialising and reduce the pressure on defence. For example, terrorists' online communications can be disrupted, or websites intended for recruitment can be taken down. Election-related opinion manipulation can be countered by shutting down trolls' social media accounts, and denial-of-service attacks can be directed at hostile services.

There has been cooperation between the organisations before. In particular, the Ministry of Defence and GCHQ have worked closely together, carrying out precision attacks and longer-term disruption against the information operations and communications of terrorist organisations. The NCF gathers the expertise and technology of offensive cyber activity into a single unit, which makes leading the function and developing it further easier. The unit's strength is for now a few hundred people, but the intention is to increase the headcount tenfold during the 2020s.

Organising around shared expertise and resources is still rare among authorities, both in the United Kingdom and internationally. Joint working groups have been set up between authorities, but the leadership of functions has nevertheless been kept strictly in functional silos. The cyber forces of the police, the military and the intelligence services have operated in their own chains of command, but this time the intention is genuinely to bring specialist expertise based on the same skills and technology into one and the same organisation. The NCF's core tasks are said to include all cyber operations that support national security, from disrupting terrorists' communications and countering cybercrime to repelling other states' cyber attacks and conducting offensive operations.

The NCF represents so-called Fusion Doctrine thinking, which originated in a 2018 policy decision by the British government. According to it, functions based on the same expertise and resources should be merged into the same unit wherever in public administration this is seen as necessary, but especially in security-related functions. The new doctrine has been seen as necessary particularly as hybrid influence and hybrid warfare become more common, and in order to counter more multifaceted attack scenarios than before. The doctrine is a clear step forward compared with earlier operating models, also internationally. In the United States, for example, cyber expertise and resources are still scattered across the NSA, the CIA, the FBI and the armed forces. The doctrine's potential for implementing cyber security should be assessed openly in other countries too, including here in Finland.

On the defensive side of cyber security, the key actor in the UK is the National Cyber Security Centre (NCSC), which has a role corresponding to that of our own National Cyber Security Centre (Kyberturvallisuuskeskus) in maintaining society's cyber security. The NCSC coordinates the UK's national cyber security situational picture and incident management, and acts as an important adviser to the business world on the practical implementation of cyber security. The NCSC looks after the spreading of cyber security awareness, provides training material and supervises the quality of education from primary school to university level. Private training companies can also obtain the NCSC Certified label for their training packages. In addition, the NCSC tests cyber security products and assigns them security classifications, much like the services of the Finnish National Cyber Security Centre. In future, the NCSC's task, together with its European sister organisations, is to ensure that the maintenance of the cyber security situational picture and incident management continue at their current level despite Brexit.



The effects of Brexit on the overall picture of European cyber security vary by sector, but on the whole they remain smaller than anticipated. The EU's General Data Protection Regulation and the NIS Directive on network and information security were transposed into UK national law already before Brexit, which allows the level of security in these areas to remain on a par with the EU. From a military point of view, cooperation with the EU continues as before through NATO. Cooperation on defence technology also continues in the same forum, without Brexit having any notable effect on the future. With regard to border control and policing, the UK's exclusion from Europol's intelligence systems and the Schengen countries' border control systems was seen as a major risk. Both systems are key to tracking the movements of terrorists and criminals in Europe. According to the latest discussions, a cooperation mechanism is being finalised for this area that will allow information to be exchanged as before. Intelligence cooperation continues regardless of the EU on the basis of intelligence cooperation agreements. The so-called "5/9/14 Eyes" agreements, the latter two of which also include EU countries, guarantee information exchange despite Brexit. In addition, the UK has bilateral agreements with various countries under which cyber security threat information can also be transferred between countries.

Like many other countries, the UK suffers from a shortage of cyber professionals. Leaving the EU inevitably affects labour mobility and slows the growth in the number of cyber professionals. The effects on the market for cyber security software and services point in the same direction. Despite special arrangements, cooperation with EU countries and with companies located in the EU will slow down as bureaucracy increases in trade across the union's borders.

SOURCES:
https://globalriskinsights.com/2021/01/uk-government-announces-new-national-cyber-force/
https://www.gchq.gov.uk/news/national-cyber-force
https://www.army-technology.com/features/national-cyber-force-defending-the-cyber-domain/
https://rusi.org/commentary/fusion-doctrine-one-year
https://www.ncsc.gov.uk/
https://www.kcl.ac.uk/cyber-security-brexit-and-beyond

2. AUTHENTICATION METHODS SAFER THAN PASSWORDS

1. Weak passwords have traditionally been among the greatest threats to cyber security. According to studies, a third of ransomware attacks and more than half of intrusions into information systems are carried out with the help of weak passwords.

2. Several solutions have been developed to replace passwords, but adoption has been hindered by slow standardisation and the additional costs brought by the technology. In recent years, regulations in various sectors have begun to require strong, i.e. two-factor, user authentication, which has accelerated the adoption of general-purpose solutions.

3. The mobile phone is rapidly becoming the basic component of strong authentication, and its use as a replacement for the password continues to spread.

4. There are numerous competing strong-authentication back-end systems on the market. The user experience of a new authentication method matters, because only a method users accept will be widely adopted.


The username and password have been used as the method of identifying users since the beginning of information systems. Even today it is the most common user authentication method implemented for information systems and applications. The username identifies the person using the system, and the purpose of the password is to ensure that the person operating the account is its rightful owner. Within an organisation the username is often public information, because it is used to find other users in the same organisation with whom there is a need to communicate, for instance by e-mail or other applications. The password, by contrast, is confidential information that should be held only by the user. The password is a critical component in the implementation of cyber security. If an outsider learns a user's password, they can appear in information systems under a false identity and gain access to data or IT resources they could not otherwise reach. Password security can be maintained by keeping the password known only to the user and by using a password that is not easily guessed or technically recoverable. The password should therefore be sufficiently long and preferably a random string of characters rather than a plain-language word.

Cracking passwords is among cyber criminals' favourite ways of getting into a targeted information system. According to studies, about half of intrusions into information systems have been carried out by obtaining a user's password, in which case the first visit to the system has taken place through a valid user account. In the rapidly growing spread of ransomware, about a third of cases have exploited passwords obtained from users. The weaknesses of passwords were understood early on, and various means have been developed to improve their quality. Password quality requirements can be configured in most operating systems, forcing the user to define sufficiently long and complex passwords and to change them often enough. In addition, user training plays an important role in teaching users the requirements of a secure password and thereby reducing the security risk caused by weak passwords.

Other methods can also be used to authenticate a user in information systems. The three basic methods of user authentication are a personal characteristic of the user, a device in the user's possession, or secret information known to the user, i.e. a password or, say, a PIN code. Authentication based on a personal characteristic, i.e. biometrics, is often difficult to implement. For example, systems that recognise a fingerprint or a face have until now required expensive readers and often a complex management system for the biometric characteristics. Recently such implementations have also appeared; for example Microsoft's Windows Hello, which uses the camera already built into the computer, so no additional devices are needed. An object in the user's possession can be, for example, an authentication device plugged into a USB port, a so-called token, or a smart card whose use is additionally protected with a PIN. In that case so-called strong authentication would be used, i.e. an object in the user's possession (the smart card) together with information held by the user (the PIN).

Over the past couple of decades the smart card has been proposed as an authentication method to replace passwords. Obstacles to large-scale adoption have been the slow development of standardisation and the reluctance of device manufacturers to integrate smart card readers into, for example, laptop computers. Other corresponding methods have not succeeded either, mainly because the additional hardware and the management system for the authentication method must be acquired solely for user authentication, which in every case is an extra cost compared with passwords.

The mobile phone has already found its way into every citizen's pocket, and it is increasingly used as a user authentication device as well. Like the smart card, the mobile phone combines the two basic components of user authentication: a device in the user's possession and information with which only the owner can use the authentication device. Mobile phone authentication thus meets the requirements of strong user authentication. Every person who uses information systems also owns a mobile phone, so user authentication incurs no additional hardware costs. The PSD2 directive regulating the security of digital banking services, the domestic banks, and the payment card companies Visa and MasterCard have in recent years taught Finnish consumers, too, to use strong user authentication with a mobile phone. The user experience has evidently been implemented well, because few people still long for one-time password lists; instead, using the mobile phone is generally experienced as a secure and easy way of confirming the user's identity in connection with online services.

There are still numerous authentication systems on the market that make use of the mobile phone. None of them is technically superior to the others, and the lack of system-level standardisation means that each organisation has to make its own choices for implementing strong user authentication. The end-user experience, however, is largely the same across the different systems. The online service sends an authentication request to the phone registered with the service, and the user confirms it with a PIN or, say, a fingerprint. Additional security can be achieved with authenticator applications installed on phones, in which case the application generates a one-time password that is valid only briefly for confirming the authentication request. The end-user experience is therefore key when the security of user authentication is to be improved. If end users do not adopt a new method, or find it too cumbersome in some way, the method withers away, however technically secure it may be.

SOURCES:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/950063/Cyber_Security_Breaches_Survey_2019_-_Main_Report_-_revised_V2.pdf
https://www.precisesecurity.com/articles/weak-passwords-caused-30-of-ransomware-infections-in-2019/
UK's National Cyber Security Centre, Cyber Security Breaches Survey 2019
https://www.securitymagazine.com/articles/91572-weak-passwords-caused-30-of-ransomware-infections-in-2019



3. CYBER SECURITY OF INDUSTRIAL AUTOMATION SYSTEMS

1. Automation systems are often used to operate and monitor critical infrastructure. Older automation systems suffer from numerous cyber security problems that are laborious to fix.

2. Automation systems are increasingly being connected to the internet, which exposes them to the same cyber threats as other IT systems. Automation systems are attractive targets for cyber attacks because of their poor protection and high impact potential.

3. Industrial automation systems are also targets of hybrid influence. State actors test the systems' operation and their ability to recover to normal operation.

4. In the future, automation systems will face more targeted, more complex and better-prepared attacks. Automation systems are also of increasing interest to cyber criminals.

Industrial automation systems are a central part of critical infrastructure. They are used to monitor and control, for example, the distribution of electricity and water. Automation systems based on various standards have been implemented for decades, long before the networking of the world that began in the 1990s. Among the oldest automation system standards, and still in use, is SCADA (Supervisory Control And Data Acquisition). SCADA systems have traditionally been physically separated from other networks, because they have been controlled and monitored from the systems' control room and there has been no need for remote connections. Physical isolation has also been an effective security control, but isolation has had negative effects on the security of the systems as well. Old automation systems have not been updated at the same pace as other IT systems, and hopelessly outdated versions of software and operating systems are widely in use. For example, Windows XP and Windows 7, for which security updates are no longer available, are still commonly in use as part of older automation systems. In addition, default passwords, for example, have been hard-coded into the systems over the years, and their performance management has not been designed with possible denial-of-service attacks in mind.

Automation systems are today connected ever more often to the public network and to traditional IT systems. In this context the term IT/OT often appears, which refers precisely to the combination of traditional IT systems and industrial automation (OT = Operational Technology). The reasons for connecting to the internet are the need to use the systems over a remote connection, and often a requirement for real-time operation in which the controlled and monitored devices communicate directly with one another. When a closed system is connected to the internet or to other IT infrastructure, it becomes exposed to the same security risks as any other IT system. In newer automation systems security has been taken into account, but the security of older systems as such is not at a level where connecting them to the internet would be risk-free.

Surprisingly few successful attacks have been made on automation systems relative to their poor level of protection and the high impact an attacker can achieve. From the attacker's point of view the potential benefit is therefore high, and an automation system is an attractive target. Perhaps the world's best-known attack on automation systems dates from ten years ago, when the Stuxnet worm was introduced into an Iranian uranium enrichment plant via a USB memory stick and eventually destroyed centrifuges used for enrichment. Since then the world has seen numerous serious attacks on automation systems, for example the NotPetya malware in 2017. NotPetya was an attack by Russia aimed mainly at Ukraine, but it also spread effectively elsewhere in the world, halting, for example, the operations of the Danish shipping company Maersk and causing global financial damage of more than a billion euros.
Yksi viimeisimpiä vakavia hyökkäyksiä on kiinalaisen hakkeriryhmän aiheuttama sähkönjakeluverkon lamauttaminen vuorokaudeksi Intian Mumbaissa. Yhdysvaltojen automaatiojärjestelmien kyberturvallisuutta valvovan ICS CERT -organisaation mukaan vakavia automaatiojärjestelmiin kohdistuvia kyberhyökkäyksiä tapahtuu vuosittain muutamia satoja ja määrä on kasvusuunnassa. Suomessa julkisuuteen on päätynyt tiettävästi vain yksi onnistunut automaatiojärjestelmiin kohdistunut kyberhyökkäys. Vuonna 2015 lappeenrantalaisen kerrostalon lämmitysjärjestelmä kaatui palvelunestohyökkäyksen seurauksena. Tässä tapauksessa kyseessä oli hajautettu palvelunestohyökkäys (DDOS), jonka kohde oli Suomen ulkopuolella ja taloyhtiön laitteita käytettiin osana


DDOS-hyökkäystä varsinaiseen kohteeseen. Lämmitysjärjestelmän laitteet eivät kuitenkaan kestäneet rajusti lisääntynyttä verkon kuormitusta ja lämmitysjärjestelmä lakkasi toimimasta. Kriittiseen infrastruktuuriin kohdistuvat hyökkäykset ovat usein osa toisen valtion harjoittamaa hybridivaikuttamista, sekä infrastruktuuriin kohdistuvaa kokeilua, miten kohde reagoi hyökkäykseen ja kuinka nopeasti se pystyy palauttamaan elintärkeät toiminnot ennalleen. Suuressa osassa kriittistä infrastruktuuria toiminta perustuu teollisten automaatiojärjestelmien käyttöön, kuten energiantuotanto ja liikenne. Automaatiojärjestelmien rooli kansallisen puolustuskyvyn ylläpidossa on merkittävä, joten niiden suojaaminen jopa sotilaallisen konfliktin varalle on tärkeää. Kriittinen infrastruktuuri kiinnostaa entistä enemmän myös kyberrikollisia, joiden tavoitteena on hyötyä taloudellisesti esimerkiksi ransomware-hyökkäyksen yhteydessä vaadittavien lunnaiden muodossa. Kriittiseen infrastruktuuriin kohdistuvat hyökkäykset ovat osa-alue, missä toimijoiden väliset rajat hämärtyvät ehkä kaikkein eniten. Taustalla voi olla valtiollisia hybridi­vaikuttamisen tavoitteita, rikollisten taloudellisia pyrkimyksiä, tai kilpailijoiden harjoittamaa teollisuusvakoilua. Useimmissa tapauksissa hyödyn tavoittelija ei suorita kyberhyökkäystä itse, vaan käyttää kolmatta osapuolta varsinaiseen hyökkäykseen.

The security of automation systems is being actively improved. According to a US study, critical infrastructure operators invest most in improving user management, logging, and the encryption of communication links. Isolating automation networks from the public network with next-generation firewalls and physical isolation is also on the list of the most popular measures. New systems are built with security features from the outset, so that they do not need to be patched on afterwards as older systems do. Fallback methods have also been developed further: electricity or water distribution is not entirely dependent on information systems, and operations can also be controlled manually. Despite the improvements in security, automation systems remain on the list of the most attractive targets for cyber attacks. The trend in this area, too, is towards more targeted and more varied attacks. Cyber attacks are increasingly directed at a specific critical infrastructure operator, and the attack methods are chosen on the basis of vulnerabilities identified in the target. Ransomware attacks against automation systems will also increase. Alongside hybrid influencing, cyber crime proper is increasingly directed at critical infrastructure and its automation systems.



4. CYBERCRIME SITUATION REVIEW

1. Cybercrime is growing while traditional crime is in moderate decline. The popularity of cybercrime is explained by its cost-effective execution and by a lower risk of getting caught and of consequences than in other crime.

2. Great powers use cyber criminals for illegal intelligence gathering and cyber operations. Cybercrime can also be used as a tool of hybrid influencing.

3. Cybercrime has traditionally required good IT skills. Cybercrimes can also be ordered as a service, which puts the methods of cybercrime within reach of other criminals as well.

4. An up-to-date cyber situational picture and threat intelligence make it possible to prevent cybercrime. Threat intelligence is the next step in building the cyber defence of the future.

The share of cybercrime in overall crime is growing continuously. The volume of cybercrime grew by about 70% in 2014-20, while other crime is globally in moderate decline. Cybercrime is understood here as illegal acts that either target information systems directly or use information technology as the main tool for committing the crime. The most common forms of cybercrime worldwide have been disruption of information systems by malware or availability attacks, and data breaches. In Finland, about 1300 cybercrime cases were recorded in 2019, and preliminary estimates for 2020 predict the number to grow to about 1500. Finland differs from global trends in that most cybercrime consists of data breaches and only a small share of cases involve disruption of information systems or networks. Most domestic data breaches have targeted the personal e-mail or other online service account of an individual or a company employee. The motives of cyber criminals can be varied, but most often the pursuit of financial gain lies behind them. Cybercrime has merged into organised crime, and cybercrimes are often used to raise funds for criminal organisations and to finance their other activities. Committing cybercrimes is also considerably more cost-effective, and the risk of getting caught and the consequences are often lower than in physical crime, which adds to the attractiveness of cybercrime. In addition to organised crime, cybercrimes are committed by individuals. According to a study conducted in Finland, the motive of domestic cyber criminals acting alone was often to test their IT skills, or a dispute with the targeted person or organisation.

Cybercrime is increasingly also state-led activity. Some states use cyber criminals as so-called proxies to conceal their own illegal activity, and when criminal organisations have the methods and know-how to achieve the desired goals. The use of proxies in cyber operations is usually not driven by financial goals alone; cyber operations carried out through proxies are most often aimed at intelligence gathering, cyber espionage and political influencing. Groups of cyber criminals financed and directed by states are commonly called APTs (Advanced Persistent Threat). In addition, APT is also a general term for targeted cyber attacks and malware. APT groups are not just any criminals; they usually have an ideological or political link to the state financing their activity. Some APT groups act solely on behalf of a state, while others may, in addition to state assignments, run their own criminal activity aimed at financial gain. All great powers make use of APT groups, although China, Russia, North Korea and Iran are the ones particularly in the public eye. Security companies that offer tools against malware usually designate APT groups with a number.
One example is APT31, whose data breach targeted the Finnish Parliament in autumn 2020. APT31 is suspected of being backed by China, and it specialises in data breaches targeting the government bodies of various countries, the defence and aviation industries, telecommunications, media and insurance institutions. Commissioned by states, APT groups typically conduct network espionage, but they also carry out the desired disruption operations, particularly against critical infrastructure, in order to test the infrastructure's protection and recovery. The goal may also be hybrid influencing, in which case the intent is to weaken the target's general image and citizens' trust in public services. For example, data breaches targeting healthcare weaken citizens' trust in health services, which in turn can affect the stability of society.

Part of cybercrime has in recent years developed into a kind of service business, Cybercrime-as-a-Service or CaaS. The term can mean both cyber attacks carried out as a service on behalf of someone else and the production and sale of crime tools to their users. As a service one can buy, for example, a series of denial-of-service attacks against a desired target, or espionage and information gathering on a target by means of a data breach. Other actors have specialised in developing the software used as a tool of cybercrime. Ransomware programs developed to order are growing particularly strongly; other criminals can obtain them tailored to exactly the desired target. If malware tailored to the target is too expensive, ransomware toolkits are also available with which it is possible to produce simpler malware oneself. Cybercrime has traditionally required good IT skills, but with service production the tools and methods of cybercrime are within reach of other criminals as well. In addition, elements of cybercrime can be used more easily than before as part of other crime. For example, in connection with a burglary of a property, a cyber attack can be used to disable the alarm systems, making it easier to commit the main crime at the target.

Cybercrime can be fought, but an even better result is achieved if crimes are prepared for in advance. Preparation is made easier by identifying threat actors and knowing their methods of operation. Different APT groups and their activities are monitored continuously around the world, and the techniques of the cyber attacks they carry out are analysed in depth. When the attackers specialising in one's own sector and their strategies and methods are known, the protection of one's own IT infrastructure can be implemented better than before. In cyber security, preparing in advance is known by the term threat intelligence, which regrettably few domestic organisations have yet added to their toolkit. Threat intelligence takes ordinary SOC (Security Operations Center) activity a step further. In threat intelligence, one does not merely react to attack information produced by sensors, but seeks to anticipate the most likely attacks, their perpetrators, motives and techniques. Adopting threat intelligence is the next significant step in building the cyber defence of the future.


A SAMPLE OF KNOWN APT GROUPS

State         Name    Typical targets
Iran          APT39   Middle East, telecommunications, personal data registers
Iran          APT35   USA, Western Europe, cyber espionage, VIP individuals
Iran          APT33   USA, Saudi Arabia, South Korea, energy sector, aviation industry
China         APT40   Supporting China's foreign infrastructure projects ("Belt and Road") through cyber espionage
China         APT31   Government bodies of states, defence and aviation industries, cyber espionage
China         APT30   ASEAN (Association of Southeast Asian Nations) member states
North Korea   APT38   Financial sector, cryptocurrencies, pharmaceutical industry (COVID vaccines), also known as "Lazarus"
North Korea   APT37   South Korea, Japan, Vietnam, electronics and aviation industries, healthcare
Russia        APT29   USA, Western Europe, cyber espionage, pharmaceutical industry (COVID vaccines)
Russia        APT28   Eastern Europe, NATO countries, defence industry

Source: FireEye



Cyber Security Nordic returns live in October // Tarja Gordienko

Photos: Messukeskus, Helsinki

Cyber Security Nordic will continue in October from where it left off in the successful kick-start event in March. The digital leap continues, and companies are increasingly required to have cyber security expertise. Like many other events, Cyber Security Nordic was trampled by the pandemic last year and took a deep breath during the gap year. A few weeks ago, a one-day kick-start online event with domestic speakers was organised, and next autumn there are plans to return to the earlier international concept and scope. The date has already been set: Cyber Security Nordic will gather industry experts and company key persons at Messukeskus Helsinki on 6-7 October as a physical event.

CYBER COMPETENCE SECURES GROWTH

Hybrid influencing, hacking attempts and other cyber threats are increasing and becoming more complex all the time. Most of the participants in the spring kick-off attended the event in order to develop their professional cyber skills, and saw as the most important thing the updating of their knowledge of cyber security best practices in an operating environment overturned by the pandemic. Cyber Security Nordic identifies and solves digital challenges for companies and administrations in the current turbulent operating environment and fosters new cyber experts in companies. The event will delve into the new normal of digital security with keynote speeches, case examples and discussions. There will be top international speakers, and the discussions will cover politics, the economy and visions for the future. “With the rapid digitalization of business and growing client demands, cyber security now needs to be high on the agenda of every business decision maker. Cyber security is not only about combating threats in the online world, but it also offers companies opportunities to grow and improve competitiveness,” concluded Mika Susi of the Finnish Information Security Cluster at the spring kick-off.

SIGNIFICANT CYBER SECURITY RECOGNITION TO BE PRESENTED

In October, after a one-year break, the Cyber Security Nordic Award will also be presented. Increasing the visibility and importance of cyber security, innovations, the promotion of cyber expertise internationally and the effectiveness of operations are decisive in selecting the winner. The award has been presented twice before: in 2019 it was given to the Women4Cyber initiative, and in 2018 to Aapo Cederberg, CEO and Founder of Cyberwatch Finland. The Cyber Security Nordic event will be held for the fourth time as a live seminar. Messukeskus’ partner in the arrangements is the Finnish Information Security Cluster, and the strategic partners of the event are Accenture Security, F-Secure, Microsoft and Trend Micro. Cyber Security Nordic’s programme will be published on the event’s website www.cybersecuritynordic.com, and the event can be followed on social media with the tag #cybersecuritynordic2021.



CYBER SECURITY NORDIC

6–7 October 2021 Messukeskus Helsinki Finland

EVENT OF THE INDUSTRY. CYBER SECURITY NORDIC is an event where decision-makers in cyber security meet, network and learn. It is the event for top executives, leading decision-makers and government officials. The event consists of top-notch presentations by leading specialists on the current issues within the field of cyber security. The program will be released soon; be ready to be amazed! cybersecuritynordic.com

