CYBERWATCH MAGAZINE
Special media of strategic cyber security
2021
SPECIAL EDITION
STRATEGIC CYBER SECURITY
Cyberwatch analysis, the Country outlook
SUBMARINE COMMUNICATION CABLES AND CYBER SECURITY THREATS
CYBERSECURITY TOPS THE LIST OF CRITICAL COMPETENCIES IN A POST-COVID WORLD
CONTENT 2021/Special Edition
3 Strategic Cyber Security
7 Cyberwatch analysis, the Country outlook
18 Submarine Communication Cables and Cyber Security Threats
22 Cybersecurity tops the list of critical competencies in a post-Covid world
28 Cyber Security in Smart Cities
30 Eye from the sky: drones and urban security
33 Cyber Security challenges in Aviation and Maritime
43 Why Skills Matter – The Future of the Cybersecurity Industry is Based on Skills, Knowledge and Education
46 “A seismic shift to digital independence is gaining momentum”
Current Security Threats Challenge the Political Leaders
The Siamese Twins of Information and Cyber: Vulnerable and Almost Inseparable
The development of quantum technology is accelerating – cyber security must keep up
Global cyberpolitics – in your living room
Can you entrust your OT/ICS Security to your SOC-as-a-Service?
Cyberwatch Magazine
Special media of strategic cyber security
PUBLISHER: Cyberwatch Finland, Huopalahdentie 24, 00350 Helsinki, Finland, www.cyberwatchfinland.fi
PRODUCER AND COMMERCIAL COOPERATION: Cyberwatch Finland team, office@cyberwatchfinland.fi
LAYOUT: Atte Kalke, Vitale, atte@vitale.fi
ILLUSTRATIONS: Shutterstock
ISSN 2490-0753 (print), ISSN 2490-0761 (web)
PRINT HOUSE: Scanseri, Finland
Editorial
Strategic Cyber Security // Aapo Cederberg

The events in the cyber world mirror global politics. The outlook is bleak, crises are escalating, and tensions are rising. Cyber operations have become an alternative to military action as a means of achieving political goals. It is also conceivable that cyber operations allow for more aggressive policies. Cyber sabotage must be seen as a new threat model, the importance of which is highlighted as part of hybrid operations and related information operations. The aim seems to be to create a deterrent effect and to plant uncertainty in people’s daily lives. It is becoming increasingly difficult to distinguish between the practices of state actors and those of cybercriminals. We can detect the phenomena, but we cannot be sure of their origin or purpose. The old wisdom of warfare about the importance of concealment and deception as a success factor has also been adopted in cyber operations.

Developments and changes in the cyber world are rapid and often happen without warning, reflecting crises in global politics. It is especially important for Finland to assess the growth of Russia's cyber capacity and the evolution of its operating methods. From Russia’s point of view, cyber performance is essential in spearheading hybrid operations. Developing cyber performance is significantly cheaper than building traditional military capabilities. Therefore, cyber performance is vital for Russia to be able to maintain its political power on a global scale and, if necessary, to act unexpectedly in regional conflicts. Russia's economic conditions are no longer sufficient to maintain its position in the arms race. Hybrid operations create the conditions for preliminary action and political surprise attacks. Europe is lagging behind in the global cyber arms race, and its total capacity depends on national cyber capabilities. Cyber operations and the technologies used in them are constantly evolving, and the importance of cyber security as a component of national security is emphasised.
Targets are chosen carefully, based on an evaluation of the possible physical and informational effects of the attacks. The goal of hybrid operations is to advance political goals by creating destruction, chaos, and political uncertainty. The repercussions of cyber attacks are always much more difficult to combat than the operations themselves. The importance of cyber espionage will be emphasised in the future, as it is used to create the optimal conditions for hybrid and cyber operations. The distinction between criminals and state actors is unclear, and it is becoming increasingly difficult to determine who the perpetrator is and what the real motives are.

In recent years, cyber intelligence has reached a well-established position in the field of intelligence. Intelligence between states has become a day-to-day activity. The views on authorised and unauthorised methods, based on the legislation of different countries, have developed over the past decades. With cyber intelligence, the line between the two is easily crossed, as the perpetrator never comes into physical contact with the target data. In addition, it is often difficult to determine the source of cyber operations. Leaked data eventually ends up in the data collection systems and targeting operations of the intelligence organisations of the great powers.

In addition to cyber operations and intelligence, there is widespread discussion of cyber warfare. The term is ambiguous because the definitions of war and peace in cyberspace are not as clear as in physical warfare. Cyber operations and reconnaissance could be interpreted as cyber warfare if tangible harm is caused to the systems of the other party or if, for example, the results of state elections are manipulated. Establishing rules requires international cooperation to define the characteristics of cyber warfare and the boundaries of acceptable action. The role of social media and the power and regulation of technology giants will be an increasingly difficult political issue.
CYBERWATCH FINLAND | 3

International law cannot keep up with the rapid changes in the cyber world. Security issues will also be highlighted in many technology solutions; the debate around 5G technology is a good example of this. Transnational cyber operations have increased over the past year and are being used more and more ruthlessly. Hacking, cyber espionage, and information operations through social media are increasingly blatant, and their origins are often public knowledge. The advanced cyber-influencing capabilities of states need to be taken seriously. Critical processes should be subject to regular risk assessments and long-term cyber security development. Contingency plans for hacking and for attacks on availability play a vital role in maintaining operational capability. The situational picture of hybrid operations should be constantly monitored in order to better identify and protect against influencing attempts. Cyber security plays a central role in combating hybrid interference, and the quality and quantity of related expert resources must be safeguarded.

As offensive operation capabilities and defensive practices are built using the same systems, it is often very difficult to maintain and build credible cyber capabilities. The fact that the attacker has access to the same systems makes establishing an effective defence harder. As a result, many countries have implemented stand-alone systems designed to minimise the threats posed by supply chain attacks. Cyber attacks will continue to be carried out mainly through, or with the help of, individuals and employees. The importance of competence is emphasised, and the company's internal risk must be taken into account in the cyber risk analysis, especially with regard to employees. The cyber culture of every organisation must be developed as an integral part of its security culture. Better classification of information and data, as well as new security methods, can also significantly improve the level of cyber security.
Comprehensive cyber risk analysis provides a good basis for contingency and security planning. Each employee must be responsible for their actions, as this is important for ensuring the cyber security of the operating environment. All safety instructions given to the end user should be strictly followed. Organisations should ensure that employees have secure work equipment and connections to ICT services. Employees should also know how to act in case of an emergency and how to deal with cyber security threats at an individual level.

The aftermath of the Covid-19 crisis will be visible in many situations over the next couple of years. Teleworking will remain a permanent practice, and information leaked during the crisis will be used to plan new cyber and hybrid operations. The planning cycle for cyber operations is half a year to two years. Therefore, the likelihood of new elaborate cyber operations will remain high. Critical societal infrastructure and services have been highlighted as the main targets of cyber attacks. “Smart-city” thinking is the driving force behind urban development, with digital services and technologies at its heart. The vulnerability of modern society will increase if cyber security is not built into these entities following the security-by-design principle.

As the impact of cyber attacks becomes more familiar to citizens, the importance of knowledge and situational awareness also becomes more apparent. A well-educated nation will be much better off in the face of these global security challenges. The development of cyber security therefore requires a lot of small actions that together create a large body: the nation's cyber resilience, or in other words, crisis resilience. We can all be key players in the cyber security of our own lives by taking better care of our everyday cyber security and improving our skills accordingly.

CYBERCRIME IS INCREASING AND DIVERSIFYING
Cybercrime continues to grow on a global scale. According to initial estimates, in 2020 cybercrime cost one thousand billion euros in damages. In this context, cybercrime is committed for economic gain. The precise selection of targets and attack methods is evolving. Critical data and information will remain the main target of cybercriminals. Ransomware attacks will also increase. Criminals seek to develop their earnings logic, for example towards so-called hybrid ransomware, in other words simultaneously blackmailing organisations and individuals. This also increases the risk of the publication of information stolen in data breaches.

Along with the General Data Protection Regulation, information systems containing personal data have become a popular target of data breaches. The regulation imposes substantial sanctions on personal data processors in cases of cyber security negligence, in which case the subject could be expected to be willing to pay a high ransom in order to avoid data leakage. In addition, reputational damage is a significant potential threat that companies want to avoid by all possible means. Criminals acquiring sensitive personal information also affects the privacy of the victims, so the possibility of blackmailing both companies and individuals with the same information increases.

In the worst case, a cybercriminal can access and exploit online payment tools used by the end user. To prevent this, strong identification methods have been introduced in banking, such as mobile user authentication. New user authentication methods are effective in preventing the misuse of payment tools, but there are a number of services on the Internet where the user is authenticated with a mere username and password. These can be easily accessed and provide ample possibilities for misuse.

A third form of cybercrime that is on the rise is the use of extortion malware, or ransomware. It paralyses the target's computing environment and destroys the data unless a ransom is paid. Focusing on the largest and most profitable targets (so-called Big Game Hunting) is a current trend in the use of ransomware. Time and effort are put into examining the target and into developing a suitable method of attack. The entire process is carefully planned out. Attack methods are diversifying and are often fully tailored to the target's IT environment and situation. This is also done using artificial intelligence. In addition, easy-to-use ransomware tools are sold on the Darknet, allowing cybercriminals with no technical knowledge to gain access to simple attack tools.

In addition to criminal activity, the possibility of using cybercrime as a tool for state-level hybrid operations must be considered. Increasing cybercrime can lower public confidence in information systems, creating suspicion among public authorities and thereby undermining society's ability to respond to hybrid operations. The line between state actors and cybercriminals is ambiguous, and an increasing number of states are also using third parties to carry out cyber attacks. As cybercrime has become increasingly driven by state-level actors, we will see numerous new non-technical ways to influence the target organisation and take advantage of inadequate safeguards and staff incompetence. The scope of security must be assessed more comprehensively. An example is the “tiger kidnapping” of high-profile members, in which questionable or sanctioned material is placed on technology belonging to the influential person or those close to them. A threat created in this way, combined with, for example, insider risk, can be a very effective course of action.

The effectiveness of phishing attacks is based on the poor security of authentication. The username and password combination can be uncovered, for example, with fake login windows; if the login information is stored insecurely, it can be stolen from databases and from users by spyware; and the same passwords are often used in many different services. Passwords are a 60-year-old invention and do not meet today’s demands for security and usability. Creating a long password spiced with special characters does not prevent phishing, and it is bothersome to use. Storing passwords, for example, in browser memory and on various servers makes them an attractive target for criminals. Genuine password-less authentication requires an individual to have a device, such as a cell phone or a separate FIDO security key (USB or wireless), that can be used to access an organisation's applications and workstations. An example of this is biometric authentication, such as a phone’s face recognition feature or fingerprint. Password-less technology has been proven to eliminate 99.8% of attacks on identity authentication. The technology is already being used globally in numerous organisations. Legitimate password-less authentication is the most important trend of the 2020s for improving the cyber resilience of organisations against various scams and phishing attacks.

A GREAT CYBER SECURITY CULTURE IS THE KEY TO SUCCESS
The management’s commitment to the development and maintenance of cyber security is the foundation of an effective cyber culture. At its best, the management perceives cyber security as a resource that can ensure the high-quality performance of core functions in all circumstances. Cyber culture is an important element for all organisations that handle information in its various forms and whose confidentiality, integrity and availability must be ensured. The information to be protected can be, for example, customer data, product development information, or up-to-date information on a situation, but in all cases securing the information is a basic precondition for the operations of the organisation. In addition, cyber culture is vital for an organisation whose function is based on seamless information systems and telecommunications.

Once the importance of cyber culture to an organisation’s operations has been identified, the next step is to develop a cyber strategy that supports that culture. It will define the cyber security objectives of the organisation, which should support the organisation’s overall strategic objectives and align with the risks connected to the critical infrastructure. The strategy ought to establish priorities in such a way that the often-limited resources can be allocated to further the most important objectives. The overall governance model for cyber security is part of the cyber strategy. The model defines the organisation involved in the implementation of cyber security as well as the main practical measures required for the application and development of cyber security. The cyber strategy must take into account all the main legal and industry requirements that apply to the organisation's operations. Finally, a process must be established to maintain the cyber strategy, which can be used to ensure that it is up to date and to detect changes in the operating environment and threat profile.

A cyber strategy is the starting point for the implementation of a cyber culture in an organisation. However, it is important to note that culture is only a guideline for employees’ actions. Enacting the culture depends on employees’ underlying opinions. Behind every culture is people’s desire to act in a certain way to fit in with universally accepted values and virtues. The management of an organisation, through leading by example, defines these values, which are adopted by the members of the organisation. Clear values attract like-minded individuals to an organisation, and those who support different values alienate themselves from it. In the long run, the organisation will form a cohesive group that implements its values, in order to ensure beneficial teamwork. Defining values and actively maintaining them is the most important starting point for any kind of cultural development.

AAPO CEDERBERG, Managing Director and Founder of Cyberwatch Finland; Chairman of the Cyber Security Committee of the World UAV Federation (WUAVF)
Cyberwatch analysis, the Country outlook
Who are the Cyber superpowers?
US CYBER STRATEGY AND ITS PRIORITIES

The political goal of the United States is to maintain its position as a global leader and the only superpower. Cyber influencing is an increasingly integral part of its military operations. Cyber capabilities have even been seen as a new line of defence. On the other hand, cyber capabilities are part of land, sea, air and space defence. In military operations, cyber-attacks are in many cases seen as an alternative option with a smaller possibility of escalation than physical attacks. At the same time, cyber-attacks target all critical U.S. operations and services. Therefore, the ability to secure the vital functions of society has been raised as a priority.

Biden took the oath of office as President of the United States on January 20, 2021, and immediately began dismantling the orders made by President Trump. His efforts to revitalise co-operation with, among others, Europe and to strengthen the role of the United States in international politics can be read as a show of confidence in U.S. allies and at the same time a warning to competitors. At the Munich Security Conference in February 2021, Biden emphasised the United States’ commitment to transatlantic relations and the importance of European security: “I’m sending a clear message to the world: America is back and the Transatlantic relationship is back”. This objective also means that the U.S. will remain a cyber security superpower and invest in the development of offensive cyber capabilities. Overall, Biden has taken a very different approach, especially towards Russia, than his predecessor. Biden has threatened Russia with sanctions over both the SolarWinds case and the arrest of Navalny. In addition, in an interview with ABC News he stated that he considers Putin a “killer”. Underlying the tense relationship between the two countries is certainly the report published by the National Intelligence Council stating that Russia was involved in the 2020 presidential election, as well as the SolarWinds attacks on critical functions of the US government, such as nuclear power plants.

In the near future, the tense political climate will be reflected in the cyber world in the form of cyber attacks and advocacy campaigns. The main goal of the U.S. cyber strategy was to secure the November 2020 presidential election from various influence attempts. The hacking of candidates’ information systems and e-mails in previous elections, as well as targeted influencing through social media, were to be prevented in the 2020 elections. The U.S. offensive cyber capabilities have been maintained at a high level and must be available for active and exceptional use as cyber-attacks within political and military operations. At the same time, the cyber security of America’s own systems was suffering from incidents. Iran is expected to direct large-scale cyber operations against the United States this year, as it did last year. In addition, global technological developments have posed growing challenges in combating foreign government intelligence and industrial espionage.

THE FOUR KEY POINTS OF CYBER STRATEGY
The current US cyber strategy was drawn up in 2018 and includes four pillars, i.e. the main themes:
1. Defending the United States by protecting networks, systems, operations and data,
2. Supporting American well-being through digitalisation and innovation,
3. Maintaining a state of peace by developing an American cyber deterrent and, if necessary, punishing hostile actors, and
4. Promoting American influence and an open and secure Internet [1].
The first pillar of the strategy was tested last year as a result of the presidential election. Russia’s attempts to influence had already been identified early on and were predicted to increase as the election approached. Elections are the cornerstone of democracy, and securing them is vital in every Western country. The Cybersecurity and Infrastructure Security Agency (CISA) considered the US presidential election of November 2020 to be the biggest cyber security challenge of 2020. Efforts were made to avoid the ambiguity seen in previous elections, and CISA released a special Protect 2020 program at the beginning of the year [2]. The practical measures of the program can be divided into four different areas [3].

The first component is the electoral infrastructure, i.e. the election information systems and the communication between them, the databases of those entitled to vote, the polling stations and their IT equipment and software. National and local authorities as well as IT service providers were supported in implementing the technical security of the electoral infrastructure. Secondly, CISA assisted candidates in securing their information systems by assessing risks and vulnerabilities, as well as providing guidance on fixing them. In addition to the United States, several other countries have seen hacking incidents against party information systems in the run-up to elections, as well as the publishing of negative information about specific candidates. There was a desire to prevent such influence. The third component is US citizens, who were to be protected from unfounded media influence. Citizens were provided with information campaigns to help identify information influencing and were warned about perceived disinformation campaigns. The fourth component is the Threat Intelligence and Operation Center, maintained by the authorities and the private sector, which attempted to identify hacking and influencing attempts in advance and alert all parties involved in the election to the identified threats. Good preparation, close co-operation between the authorities and the private sector, and experience of hacking and influencing attempts in previous elections provided a good basis for ensuring the cyber security of the elections.
THE CYBER STRATEGY IS BECOMING MORE PRECISE

The cyber strategy has been further refined by different ministries, for example by the Department of Defense (DoD), which has at the same time drawn up its own cyber strategy. Naturally, the objectives of the DoD strategy are more directly related to the development of military cyber-attack and defence capabilities than the national strategy [4]. In line with the National Cyber Strategy and its third pillar, the United States has actively used cyber deterrence against other states. The operations that came to light have been successful. The United States succeeded in repelling Russian attempts to influence the 2020 presidential election. Before the election, the United States used its cyber deterrent to warn Russian troll factories directly against interfering in the election, and on election day itself managed to take down the troll factories’ servers [5]. The U.S. offensive cyber capability and global leadership will remain at least at the same level as before.

In 2019, relations between the United States and Iran became tense due to various conflicts, in which the United States launched several cyber-attacks against Iran. For example, in June 2019 the United States crippled Iran’s missile systems with a cyber-attack [6], and in September, after Iran’s drone attack on Saudi Arabia’s oil fields, the United States momentarily paralysed Iran’s telecommunications systems and propaganda channels [7]. The deterioration of relations between the countries and Iran’s rapid technological development in offensive cyber operations have made Iran a key concern for the United States since 2020. After the United States eliminated Iranian General Soleimani, a U.S. government server was hacked and Iranian propaganda was posted on its home page [8]. Several bodies estimated that strong countermeasures were to be expected from Iran during the first half of 2020 [9]. However, Iran has not carried out, or at least has not succeeded in, any wider attacks [10]. Along with Iran, China, Russia and North Korea will remain the most significant cyber warfare opponents of the United States, but Iran’s status as an opponent is expected to grow. The United States has successfully conducted exceptional offensive cyber operations against other countries. However, a major concern for the United States is the poor level of cyber security of its own systems and thus its vulnerability to cyber intelligence and influence [11]. The tactics of the opponents have differed from those of the United States: instead of large operations, several smaller and more targeted operations have been conducted that have not triggered the U.S. threshold for counter-operations [12].

THE MAIN CONCERN IS THE VULNERABILITIES IN CYBER SECURITY IN THE PRIVATE SECTOR

Instead of the armed forces and the state administration, the main concern is the level of cyber security in the private sector. The so-called “third-party risk”, i.e. attacking the main target through vulnerable partner networks, is one of the most significant weaknesses to have emerged in recent years [13]. Another significant factor is the sharp increase in the use of civilian technology and services in the U.S. armed forces. In terms of cyber security, civilian technologies such as satellites are not on the same level as technology designed purely for the military, and they allow hostile cyber operations against the United States [14]. In addition to the armed forces, critical infrastructure, and in particular the energy and financial sectors, is estimated to be most at risk due to its low level of cyber security [15].

Global technological advances pose a growing threat to U.S. cyber security, particularly from the perspective of intelligence and industrial espionage. The new US Counter-Intelligence Strategy 2020-22 identifies foreign cyber intelligence and hybrid engagement as one of five counter-intelligence priorities [16]. Constantly evolving technology and methods of cyber espionage make it easy, quick and inexpensive to retrieve secret information from the United States and to exert hybrid influence on its society. In particular, the use of IoT, 5G, quantum computing and artificial intelligence technologies as cyber intelligence tools is growing. The operational capacity of cyber counterintelligence will be improved in three areas. To develop cyber counterintelligence, a new intelligence unit will be established with the best technical expertise in cyber-threat intelligence in the United States. New tools and software are being developed to enhance cyber threat intelligence and improve situational awareness. In addition, co-operation and exchange of information between different security authorities and the private security sector will be intensified.
RUSSIA’S CYBER CAPABILITIES In June 2019, the United States acknowledged that
since 2012, it has conducted cyber intelligence on
Russia’s power grids and prepared for cyber-attacks by installing malware on Russia’s information infrastructure. According to President Putin’s press secretary, Dmitry Peskov, vital parts of the Russian economy are a constant target of cyber-attacks and Russia is constantly fighting to prevent the damage caused by these attacks. Foreign intelligence services are trying to penetrate Russia’s information infrastructures, especially in the logistics, banking and energy sectors. According to the Russian definition, cyberspace is an operating environment consisting of the Internet and other telecommunication networks and the technological infrastructure that guarantees their operation and the human activity performed through them. Cyberspace is a clearly defined as a limited part of information domain. According to the Russian definition, an information space is an operating environment related to the shaping, creation, modification, transmission, use and
10
|
CYBERWATCH
FINLAND
storage of information which affects the information infrastructure. The Russian concept of information security includes technological and psychological information security. The information -psychological threat is directed at the human mind, its moral and spiritual world, its socio-political and psychological orientation, and its ability to make decisions. According to Russian thinking, the information technology threat, i.e. the cyber threat in Western countries, targets information technology systems, i.e. the cyber environment. In Russia’s cyber threat perception Russia is a “besieged fort” threatened and surrounded by the United States and its Western allies. The threat is increasing and diversifying, and so are the threats presented by terrorists and extremists. The transformation of the cyber environment into a military area of operation poses a strategic threat to Russia, and large-scale cyber operations are already being carried out in peacetime. In Russia’s view, Western countries are exercising their
technical dominance in a cyber-operating environment, and the development of a Western cyber weapons and preparation for a cyber war has led to a cyber arms race. Western intelligence services are thought to have infiltrated Russian information systems for the purpose of intelligence, manipulation and alteration of information, or destruction of information. Access to information is affected by denial-of-service attacks. Automated industrial control systems are the target of cyber-attacks, and the Internet of Things (IoT) is also increasing Russia’s dependence on information networks and vulnerability to cyber-attacks. The invasions of the Mongols, Napoleon and Germany in the two world wars have created a sense of vulnerability and fear of a surprise attack on the Russians, heightened by technological backwardness and a lack of easily defensible borders towards Europe. The Russian leadership describes Russia as a besieged fortress in a constant war, and warfare in its various forms is seen, according to Clausewitz, as an extension of politics. The internal opposition, which, according to the Russian narrative, is directed and funded by Western intelligence services, creates a sense of internal threat. External and internal threats, as well as a political system largely based on power ministries, have increased the importance of the armed forces and security services. The fear of a surprise attack and internal enemies, and, for example, the feeling of vulnerability caused by technological backwardness, is also reflected in the cyber threat perception of Russia. The narrative of constant warfare and the belief in the use of force as a tool for policymaking can be seen both in the cyber threat perception and in Russia’s means of responding to the cyber threat must be experienced. Russia has
sought to protect its besieged cyber fortress by preparing to isolate the Russian segment of the Internet from the global Internet, improving the protection of critical information infrastructure, and seeking to replace foreign-imported information and communication equipment and software with Russian-made equipment and software. The internal threat will be fought through enhanced computer network monitoring, the closure of websites classified as malicious, and the identification of network users. Russia will continue to develop its cyber defence with the aim of forming a defence in depth, the outer ring of which will be the monitoring of Russian cross-border communications and the ability to isolate the Russian segment from the global Internet if necessary. The inner perimeter includes the telecommunications intelligence system SORM [17] and the GosSOPKA [18] system for the protection of critical information infrastructure, as well as increasingly strict control of citizen users and censorship. Russia wants to keep the level of its own cyber capabilities secret and therefore uses proxies such as various activist groups and cybercriminals in its offensive cyber operations. The goals and manner in which these outsourced attacks operate are also likely to reflect the cyber capabilities of Russian state actors. Cyber operations are primarily seen as a means of hybrid influencing that always achieves significant information influence both domestically and in target countries. Russia’s active cyber espionage creates the conditions for cyber-influencing operations by collecting a so-called target library of potential target countries. All security and intelligence organisations in Russia have created their own active and passive cyber capabilities.
Sources: Martti J. Kari: Russian Strategic Culture in Cyberspace: Theory of Strategic Culture – a tool to Explain Russia´s Cyber Threat Perception and Response to Cyber Threats. University of Jyväskylä, Faculty of Information Technology. Dissertation, 2019. https://jyx.jyu.fi/bitstream/handle/123456789/65402/978-951-39-7837-2_vaitos_2019_10_11_jyx.pdf?sequence=4&isAllowed=y
CHINA IS INVESTING HEAVILY IN THEIR CYBER CAPABILITIES
1. The Chinese cyber army is the largest in the world. The capabilities of the Chinese cyber army will be developed in the future primarily through new technologies such as artificial intelligence and quantum technology.
2. Offensive operations focus primarily on cyber espionage and hacking. Actual cyber attacks play a smaller role.
3. China’s cyber infrastructure is vulnerable. Hence, cyber defence plays an important role in the cyber strategy.
4. The United States is the main target of Chinese cyber warfare. Other targets include smaller states and ethnic groups that criticise Chinese policy, which are targeted by cyber influence as part of other means of hybrid influencing.
China’s cyber warfare is managed by a unit of the PLA (People’s Liberation Army) called the Strategic Support Force. The unit was established as part of the Chinese military reform in 2015 and is currently estimated to have a strength of 145,000 soldiers. Electronic and psychological warfare, as well as space warfare, also operate under the Strategic Support Force, so the number of actual cyber soldiers is only a fraction of the total strength. The United States, whose cyber army is built around U.S. Cyber Command, can be taken as a point of reference. At its core is the Army Cyber Command, which directs information and cyber warfare as well as psychological warfare operations. In addition to the Army Cyber Command’s 16,500 soldiers, the strength of the cyber forces includes cyber soldiers from other defence divisions. In light of the data, it can be estimated that the actual strength of the cyber warfare forces of both countries is between 50 and 100 thousand soldiers. In addition, China in particular is known to use hacker groups independent of the actual cyber army as middlemen in state-led cyber operations.

In cyber warfare, the number of soldiers is not as significant a factor as in many other areas of warfare. In assessing cyber warfare capabilities, other factors must be taken into account in addition to the actual cyber army. These include the ensemble consisting of research and development, the ICT industry, telecommunications infrastructure, the use of the Internet as a channel for diplomacy and ideology, and having a comprehensive cyber strategy. Taking all these aspects into account, China is not on the same level as the United States. However, clear improvements have been seen in recent years in all areas, and especially in the area of technological development. China aims to take the lead from the U.S. in cyber capabilities by investing in research into artificial intelligence and quantum technology, as well as the development of new-era solutions in semiconductor technology and telecommunications.

The core focus of Chinese cyber operations is cyber espionage and hacking. Cyber espionage targets not only military targets, but also private sector actors. Technology companies, the financial sector and the pharmaceutical industry are especially targeted. Current examples of the latter have been discovered, as Chinese hackers have been found to have hacked the systems of companies developing coronavirus vaccines. China’s position as the world’s leading manufacturer of ICT components creates a good foundation for spying on information systems and traffic, alongside more traditional means.
Backdoors built into components and embedded systems make it easier to break into information systems than through traditional methods, leaving less clear traces of data breaches. The interest in industrial espionage in the technology sector is related to the ongoing race between the United States and China to be the world’s leading country economically and technologically. President Xi has set a goal of making China the world’s leading nation in science and technology by 2049. The United States still has a clear lead in technological development, and therefore the timetable for reaching China’s target is moderate. Cyber forces have been strongly harnessed to achieve this goal, and industrial espionage in this area is one of the key priorities of China’s cyber operations. The position as technology leader is part of China’s broader goals, which are pursued not only through cyber espionage but also through traditional means of espionage.

In addition to actual industrial espionage, China and the hacker groups it supports have committed data breaches targeting extensive customer databases. The three best-known targets are the hotel chain Marriott, the life insurance company Anthem and the finance company Equifax. Through hacking, China has gained extensive customer databases, especially of U.S. citizens. The motives for personal data breaches have been the subject of speculation; the most likely reason is the desire of the Chinese intelligence service to identify potential sources of information and their personal weaknesses through health, financial and travel information. Such information is not normally available from open sources, and the combination of different sources of personal data can provide a comprehensive picture of an individual’s personal situation and behaviour. China’s ability to engage in offensive cyber operations is excellent, although it is not quite at the U.S. level. According to statistics, China is one of the most active sources of denial-of-service (DDoS) attacks, but these have primarily focused on the private sector, not so much on national critical infrastructure or government itself, where cyber espionage plays a key role.
The main underlying factor in China’s desire to develop its cyber influence capabilities is its own vulnerability to cyber operations. Although China today is one of the most active countries in the implementation of cyber espionage and attacks, it also ranks high in statistics on the countries targeted by cyber attacks and malware, as well as in vulnerabilities in its information systems. Weaknesses in cyber defence and resilience were identified about ten years ago, and since then, investment in cyber capabilities has been systematic and rapid. Snowden’s revelations in 2013 about America’s plans to leverage Western IT technology against China gave further impetus for reform. At the end of 2016, the Cyberspace Administration of China (CAC) published its first cyber strategy, the key objectives of which include ensuring national security through cyber means, protecting critical infrastructure, and national cyber sovereignty. The latter objective means, in practice, developing the self-sufficiency of ICT systems through indigenous operating systems, telecommunications technology and software. China has so far lacked a vibrant cyber technology industry, which is now being mobilised as part of the development of national cyber security. China wants to create more global companies of the magnitude and rank of Huawei.

China’s main enemy in cyber and other activities is the United States. China is in a constant trade war with the United States, and in information and cyber warfare the countries are each other’s number one opponents. Recently, China has also been active in exposing US-sponsored cyber-attack and espionage cases. Last winter, the Chinese cyber security company Qihoo brought up a case that was also widely published in Western media. According to the news, the hacker group APT-39, supported by the U.S., had been spying on and disrupting Chinese airlines and air traffic control systems for more than a decade, as well as collecting passenger lists from flights operating at Chinese airports. The second most important opponents in China’s cyber warfare are states that prominently criticise Chinese policy. This group includes, for example, Hong Kong, Taiwan, South Korea, Indonesia and India. In addition, cyber-influencing is targeted at anti-Chinese ethnic groups such as Tibetans and especially Uighur activists. China’s most important cyber partner is Russia.
In recent years, China and Russia have converged, especially in the use and development of ICT technology. Prominent examples of co-operation within the past year include Russia’s decision to widely adopt Huawei technology, and the China-Russia co-operation agreement on the control of illegal online content.
Sources:
https://www.cfr.org/backgrounder/chinas-modernizing-military
https://www.cybercom.mil/Components/
https://carnegieendowment.org/2019/04/01/what-are-china-s-cyber-capabilities-and-intentions-pub-78734
https://asianmilitaryreview.com/2020/01/china-broadens-cyber-options/
https://technode.com/2020/04/30/china-to-impose-new-cybersecurity-rules-for-networks/
Roundtable – The Future of Cybersecurity across the Asia-Pacific. Asia Policy, vol. 15, no. 2 (4/2020), 57–114.
https://www.cpomagazine.com/cyber-security/chinese-hackers-off-to-a-busy-start-in-2020-with-massive-1q-cyber-espionage-campaign/
https://www.politico.com/story/2019/05/09/chinese-hackers-anthem-data-breach-1421341
https://blog.360totalsecurity.com/en/the-cia-hacking-group-apt-c-39-conducts-cyber-espionage-operation-on-chinas-critical-industries-for-11-years/
https://www.reuters.com/article/us-russia-china-internet-idUSKBN1WN1E7
INDIA
1. India’s cyber capabilities are currently limited in relation to the great powers, but their performance is evolving rapidly through important partnerships.
2. India is in a constant cyber war with China, North Korea and Pakistan. China’s effective cyber espionage poses a serious threat to European companies outsourcing IT services from India. Through the subcontracting chains of cyber security, India has a global impact on the development of digital and cyber security.
3. Numerous projects are underway in India to improve the level of cyber security. India’s importance and influence in the field of cyber security will grow rapidly in the coming years.
India wants to develop into a global superpower and to develop its national cyber capabilities with this in mind. The ICT business is an important source of welfare for India, currently generating a turnover of around 200 billion USD. The figure is predicted to grow to 350 billion USD by 2025, by which time the ICT business would represent 38% of total business in India. Nevertheless, India’s cyber capabilities are still limited compared to the other great powers. For example, while the United States, China and Russia have had cyber warfare forces for years, India was only able to organise cyber warfare operations under one organisation last year.
The first tasks of General Mohit Gupta, Commander of the Defence Cyber Agency established in autumn 2019, have been to create a doctrine of cyber warfare and to combine the separate cyber functions of the land, naval and air forces towards a common goal. The defence branches of the Indian Armed Forces have traditionally had an independent status and little co-operation, so joining the cyber forces poses challenges. The Defence Cyber Agency has also struggled with budgetary challenges, and General Gupta opened a political debate on the subject earlier this year by proposing that a 10% share of the state’s IT budget be used to fund cyber operations. With regard to national security, cyber security is the responsibility of the Ministry of the Interior. Established in 2015, the Cybercrime Coordination Centre has focused on developing the cyber capability of the police authority. Since its establishment, the function has been expanded from the police authority to a separate division in the administration of the Ministry of the Interior. The Cyber and IT Security Division currently includes, for example, the CERT function, and it also creates national cyber security practices to be implemented in the Indian business community.

India relies on partners to develop its cyber capabilities. Within the last year, four important cooperation agreements have been announced. In addition to fintech and digitalisation, cyber security has been raised as a top priority for the traditionally strong partnership between the UK and India. At the end of last year, India and France signed a co-operation agreement concerning, for example, shared cyber intelligence, combating cyber threats related to 5G technology, security certification of software products, and research into artificial intelligence and quantum technology. In June, India signed a similar agreement with Australia, and one with Israel in July. Last year, the Indian CERT Center also signed a letter of intent with Traficom for the exchange of information related to cyber security. Alongside these cyber security cooperation projects, India is likely to significantly improve its cyber performance over the next 2-3 years.

India’s main cyber opponents are Pakistan, North Korea and China. Pakistan’s cyber capabilities are, at most, at India’s level, and its position as India’s cyber enemy is mainly limited to occasional hacking of government websites and harassment of authorities through social media. North Korea and China are much more serious opponents. According to the Indian CERT Center, in the spring and summer both countries carried out DDoS and phishing attacks causing extensive damage, especially to the IT infrastructure of the Indian government. In addition, in line with its strategy, China has been active in cyber espionage. China has been found to have broken into not only a number of public administration services, but also the information systems of multinational companies based in India. China knows that many large global companies have outsourced their IT services to India. Hence, this opens up the possibility of spying on large global companies as well, as the level of cyber security in this sector has been weak. This is also reflected in the interest and activities of cybercriminals in India. For several years now, India has been at the top of the list of the most vulnerable countries with regard to cyber security. Investment in cyber security has not increased, even though over the past year more than half of large Indian companies had, according to their own estimates, suffered serious damage as a result of cyber attacks and espionage.
Although India is regarded as a superpower of IT services, not enough has been invested in the implementation of cyber security. Data centres located in India provide services to several Western companies and organisations. Deficiencies in cyber security, and in particular China’s activity in cyber espionage against India, also pose a serious threat to Finnish and European companies. Cybercriminals and spies prefer to attack the information systems where hacking is easiest, which increases the likelihood of a so-called third-party risk scenario.

India is one of the fastest digitising countries in the world by almost all available metrics. The share of people using the internet is growing rapidly, the number of terminals is growing intensively, and investment in telecommunications infrastructure is increasing constantly. The ICT sector has more than a million employees. India has recognised the importance of cyber security as part of digitalisation as a whole, and several government-sponsored projects have been launched over the past year to support cyber security development and education. At least the Ministries of the Interior, Defence and Transport are involved in cyber security projects. In addition, numerous cyber security coordination groups have been set up in the country as a collaboration between the private sector and academia. Thus, there is enough activity, but there are challenges in clarifying the management model. In particular, however, training is currently being strongly increased on a number of different fronts, and with the expansion of cyber awareness, a clear change in work culture is expected. In Finland, it is often noted that cyber security issues are not addressed enough at steering group level in corporate organisations. In India, there has been positive development, with surveys at the beginning of this year showing that about 70% of large Indian companies had a cyber security director sitting on the company’s management team or board. The outlook for cyber security in India has recently changed in a positive direction. Developments are still fragmented and management models unclear, but the direction is right.
Given the country’s vast resources and knowledge capital in the IT area, India has the full potential to become one of the great powers in cyber security in the coming years.
Sources:
https://www.indiatoday.in/india/story/china-north-korea-pakistan-cyber-attacks-warfare-india-websites-1693123-2020-06-26
https://www.ey.com/en_in/consulting/ey-global-information-security-survey-2020
https://eucyberdirect.eu/content_research/cyber-resilience-and-diplomacy-in-india/
https://www.dsci.in/sites/default/files/DSCI-Annual-Report-2019-20.pdf
https://www.ibef.org/industry/information-technology-india.aspx
Cyber Resilience and Diplomacy in India, EU Cyber Direct, 2019.
AFRICA
1. China and Russia have a geopolitical interest in Africa and both trade with various African countries and invest in the area. Commercial activity also provides a good opportunity for both countries to influence decisions regarding technology, which can contribute to their goals in cyber operations.
2. The cyber warfare capabilities of African countries are still subpar. Nigeria is emerging as Africa’s leading country in cyber warfare.
3. Africa is susceptible to cybercrime and espionage. At a societal level, not enough has been invested in cyber security and only a few countries have cyber strategies or legislation. Citizens’ cyber skills and companies’ investment in cyber security are inadequate and no rapid improvement is expected.
From a cyber security perspective, Africa, a continent comprising 54 countries, is very different from other continents. The telecommunications and technology infrastructure is underdeveloped, and technical know-how is very much in the hands of non-African companies and states. The same is true of other critical infrastructure. IT systems and equipment come almost entirely from outside the continent; there is no in-house production. The current situation could be regarded as typical of former colonies: knowledge was in the hands of the former colonial power and was not transferred to the local population. Several former Asian colonies, most notably India, have been able to reverse the situation and are currently among the world’s leading producers of ICT technology and services. African countries have not been able to develop technology and knowledge capital as effectively and are still highly dependent on external actors for cyber security. The technology and knowledge gap has increased foreign investment in Africa in recent years. Of the former colonial powers, the United Kingdom, France
and the Netherlands, as well as the United States, are generally at the forefront of foreign investment. However, more recently, China has also become one of the most active investors. In addition to investment, China is an active trading partner with several countries and has been actively involved in high-tech projects in Africa. Chinese network technology has been used to build telecommunications infrastructure, and several positioning systems built in Africa are based on the Chinese BeiDou navigation service. In addition to China, Russia is also an active trading partner, especially with countries in northern Africa. Russia exports arms to several African countries and has participated in the training of local armed forces. In addition, Russia, like China, has shown interest in high-tech exports. Foreign states are interested in Africa mainly for its natural resources, such as oil, agricultural raw materials and mining. Africa is currently experiencing a technological void in many areas, making it fertile ground for high-tech trade as well. Where the United States and much of Europe reject Chinese network technology, for example, Africa welcomes it with open arms. Indeed, Africa provides China and Russia with an excellent platform for their own cyber-influencing goals, which is important for Western powers to keep in mind when operating in Africa.

The cyber capabilities of African armed forces have developed in recent years, but are still at a very early stage. In the mid-2010s, various Ministries of Defence woke up to the need to develop cyber defence capabilities, and in recent years a few countries have established their first cyber warfare units. In this field, Nigeria is one of the most developed countries in Africa. The Nigerian military has announced that it will now also train in cyber warfare in its annual war exercise, Exercise Crocodile Smile.
The exercise will be held in late 2020 and is reportedly the first cyber warfare exercise ever organised by the armed forces of an African country. The pressure to develop a cyber defence has arisen from two different factors. Other states, as well as international cybercriminals, have taken advantage of Africa’s undeveloped cyber defence capabilities by channelling cyber attacks through Africa. African countries want to prevent the use of their telecommunications infrastructure as a platform for state actors and cybercrime operations. The other factor is the growing use of cyberspace by local criminal and terrorist groups. In Nigeria, for example, the Boko Haram terrorist organisation is making effective use of cyberspace to recruit members and spread its ideology. The State Security Service wants to address the situation through cyber operations. The armed forces of various countries are continually improving their cyber capabilities, but progress has been slow so far.

The number of Internet users in Africa is rising faster than citizens’ cyber skills are developing. At the beginning of 2020, there were approximately 570 million Internet users in Africa, representing just over 40% of the total population. The number of Internet users is predicted to exceed one billion by the end of the 2020s. The inadequacy of national cyber capability is a widely recognised problem. Every day, thousands of Africans connect a recycled IT device to the Internet for the first time in their lives, without guidance or knowledge of the basics of cyber security. The situation is not much better in the business sector either. There is a limited number of employees with practical cyber security experience. The international organisation ISACA, which certifies security professionals, estimates that less than five percent of all security certificate holders in the world live in Africa. Africa is at the forefront of pirated software use in the world, and in Libya and Zimbabwe, for example, it is estimated that up to 90% of operating systems are unlicensed copies. If your operating system is not licensed, you will not receive vital security updates, and your IT device will quickly be infected with viruses and malware.

In addition to the weak protection, cybercriminals are also attracted by the lack of cyber law in Africa. Only about half of African countries have cyber legislation in place or under construction. Cybercriminals have been found to move the area in which they operate according to developments in legislation: once a state has enacted cyber security legislation including sanctions, criminals have moved to a country with weaker laws. Admittedly, the resources for cybercrime investigation are also more limited in Africa than in the rest of the world, so legislation per se is not a very strong deterrent. Cybercrime is growing rapidly in Africa and, unfortunately, a sudden turn for the better cannot be predicted. Cyber security training opportunities are slowly increasing. Improving know-how will bring much-needed cyber security manpower, but will also enable skills to be used for criminal activity. Developments in cyber security legislation and other societal activism are important factors in changing attitudes to ensure that the next generation of cyber experts develops in the right direction. About a year ago, the African Union Cybersecurity Expert Group (AUCSEG) was set up by the African Union to improve cooperation between countries. Its work is still at an early stage and its resources are limited, so the positive effects are likely to be seen only in the longer term.
Sources:
https://www.tandfonline.com/doi/full/10.1080/1097198X.2019.1603527
https://army.mil.ng/?p=3659
https://www.defenceweb.co.za/cyber-defence/armscor-cybersecurity-unit-up-and-operational/
https://www.serianu.com/downloads/KenyaCyberSecurityReport2018.pdf
Endnotes:
1 https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf
2 https://www.cisa.gov/protect2020
3 https://www.cisa.gov/sites/default/files/publications/ESI%20Strategic%20Plan_FINAL%202.7.20%20508.pdf
4 https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF
5 https://www.govtech.com/security/US-Military-Steps-Up-Cyberwarfare-Effort.html
6 https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html
7 https://www.reuters.com/article/us-usa-iran-military-cyber-exclusive/exclusive-u-s-carried-out-secret-cyber-strike-on-iran-in-wake-of-saudi-oil-attackofficials-idUSKBN1WV0EK
8 https://www.bbc.com/news/technology-51008811
9 https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/01/13/the-cybersecurity-202-get-ready-for-serious-cyberattacks-from-iran-experts-say/5e1b7ef288e0fa2262dcbc70/
10 https://www.scmagazine.com/home/security-news/cyberattack/iran-maintaining-on-going-cyber-efforts-no-response-yet-to-soleimani-killing/
11 https://www.govtech.com/security/America-Is-Not-Ready-for-War-in-Cyberspace-Experts-Warn.html
12 Ibid.
13 https://www.afcea.org/content/stavridis-warns-russia-and-china-cyber-attacks
14 https://www.militarytimes.com/opinion/commentary/2019/09/04/the-us-is-unprepared-for-space-cyberwarfare/
15 https://www.governing.com/security/Underdefended-Americas-Vulnerable-Energy-Infrastructure.html
16 https://www.dni.gov/files/NCSC/documents/features/20200205-National_CI_Strategy_2020_2022.pdf
17 System of operational-investigative measures
18 State system for detecting, repelling and eliminating the consequences of computer attacks
Submarine Communication Cables and Cyber Security Threats
text: Dr. MARTTI LEHTO, Professor, Cyber Security, Col G.S. (ret.), Faculty of Information Technology, University of Jyväskylä; Adjunct professor at the National Defence University, Air and Cyber warfare
The submarine communication cables form a vast network on the seabed and transmit massive amounts of data across oceans. They provide over 95% of international telecommunications—not via satellites as it is commonly assumed. The global submarine network is the “backbone” of the Internet, and enables the ubiquitous use of email, social media, phone and banking services.
In the present day, no technology other than submarine cable systems has had such a strategic impact on our society without being known as such by the people. This also means that they are at the same time a very interesting target for hackers, cyber attackers, terrorists and state actors. They seek to gain access to the information that travels through the networks of the continents connected to each other by sea cables. The figure below presents how different parts of the world are connected to each other today by optical submarine cables.

[Figure: world map of optical submarine cable connections. Source: Reddit]

SUBMARINE COMMUNICATION CABLES

Submarine communication cables have been important for strategic communication since the mid-19th century, and fibre optics in the 1990s made modern sea cabling even more critical. Nowadays sea cables transfer nearly all our global telecommunications data. Questions concerning national security and cyber security have always been relevant from the perspective of the development of submarine communication networks. Security concerns have not only affected decisions concerning routes and landings, but have also been used as arguments when, at different stages of history, the roles of cable networks and wireless solutions have been debated. Furthermore, security concerns have hindered, for example, plans aiming at the utilisation of submarine fibre-optic infrastructure for scientific purposes.

The figure below is a simplified model of the submarine cable network. Every cable landing station, the site where the submarine optical cables come ashore, is built in the same way, with variations that naturally depend on the beach area. When large-capacity systems and new types of modulation technology are used in submarine cable systems, the best cable tapping points for cyber attackers are after each optical repeater or amplifier. Between the continental cable station sites, the branching points and the other ends of the submarine cable system, there are optical amplifiers every 50 km. In some parts of cable systems there are also equalisers (passive or active). Dense Wavelength Division Multiplexing (DWDM) is an optical multiplexing technology used to increase bandwidth over existing fibre networks. DWDM works by combining and transmitting multiple signals simultaneously at different wavelengths on the same fibre. The devices and components used in DWDM technology cause crosstalk in one form or another. Devices used in DWDM technology include filters, wavelength multiplexers and demultiplexers, switches, and optical amplifiers. Crosstalk is also caused by the fibre itself due to its non-linearity. Therefore, eavesdropping over the cable cannot be prevented.
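The paragraph above notes that amplifiers sit every 50 km, that each one is a candidate tapping point, and that eavesdropping cannot be prevented outright. As an added example that is not from the article, the following Python audit shows the defender's counterpart: comparing each span's measured optical loss against a baseline so that the extra attenuation a tap or a fault introduces stands out. The 0.2 dB/km attenuation, the splice allowance, the alert margin, the reading format and all sample values are assumptions or constructed data.

```python
"""Per-span optical loss audit for a repeatered submarine link (added example).

Assumptions: single-mode fibre attenuation of 0.2 dB/km at 1550 nm, amplifier
spacing of 50 km as stated in the article, a fixed splice allowance, and an
alert margin. The SpanReading layout is hypothetical; real line-monitoring
equipment at a landing station exposes such readings in its own format.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Optional, Tuple

FIBRE_LOSS_DB_PER_KM = 0.2   # typical single-mode fibre attenuation at 1550 nm (assumption)
SPAN_LENGTH_KM = 50.0        # amplifier spacing as stated in the article
SPLICE_LOSS_DB = 0.3         # allowance for splices and connectors per span (assumption)
ALERT_MARGIN_DB = 0.5        # excess loss that raises an alert (assumption)


@dataclass(frozen=True)
class SpanReading:
    """One power measurement across a single amplifier-to-amplifier span (hypothetical layout)."""
    span_id: int
    launch_dbm: float     # optical power leaving the upstream amplifier
    received_dbm: float   # optical power arriving at the downstream amplifier


def expected_span_loss_db(length_km: float = SPAN_LENGTH_KM) -> float:
    """Design loss of a span: fibre attenuation over its length plus the splice allowance."""
    return length_km * FIBRE_LOSS_DB_PER_KM + SPLICE_LOSS_DB


def measured_loss_db(reading: SpanReading) -> float:
    """Span loss in dB is simply launched power minus received power."""
    return reading.launch_dbm - reading.received_dbm


def audit_spans(
    readings: Iterable[SpanReading],
    history: Optional[Dict[int, List[float]]] = None,
    margin: float = ALERT_MARGIN_DB,
) -> List[Tuple[int, float]]:
    """Flag spans whose measured loss exceeds their baseline by more than `margin` dB.

    The baseline is the median of that span's historical losses when history is
    available (a step change against the span's own past is the stronger signal,
    since a span may legitimately run a little lossy), and the design value
    otherwise. Returns (span_id, excess_db) pairs with the excess rounded to 0.01 dB.
    """
    history = history or {}
    alerts: List[Tuple[int, float]] = []
    for reading in readings:
        past = history.get(reading.span_id)
        baseline = median(past) if past else expected_span_loss_db()
        excess = measured_loss_db(reading) - baseline
        if excess > margin:
            alerts.append((reading.span_id, round(excess, 2)))
    return alerts


# Constructed sample: four spans; span 3 shows 0.8 dB more loss than the design value.
SAMPLE_READINGS = [
    SpanReading(1, 3.0, -7.3),
    SpanReading(2, 3.0, -7.4),
    SpanReading(3, 3.0, -8.1),
    SpanReading(4, 3.0, -7.2),
]
# Constructed history: span 2 has always run at about 10.4 dB, so it is not an anomaly;
# span 4 used to run at 9.6 dB, so 10.2 dB now is a 0.6 dB step even though it is
# still below the design value. Spans without history fall back to the design loss.
SAMPLE_HISTORY = {2: [10.4, 10.4, 10.5], 4: [9.6, 9.6, 9.7]}

if __name__ == "__main__":
    print(audit_spans(SAMPLE_READINGS))                  # [(3, 0.8)]
    print(audit_spans(SAMPLE_READINGS, SAMPLE_HISTORY))  # [(3, 0.8), (4, 0.6)]
```

The second call shows why a per-span history matters: the design value alone would miss the step on span 4 and would keep flagging nothing on span 2 only because its chronic excess happens to sit under the margin.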
This whole system also needs electrical energy, which can be fed in from one or more land points. We also need to take care of the power supply systems, so that we can be certain that they do not have any vulnerabilities that an attacker could take advantage of to gain access to our systems.
CYBER THREATS AGAINST SUBMARINE COMMUNICATION CABLES
There are many ways in which cyber attackers could gain access to submarine optical cable systems and to their management and control systems. We also have a good indication that cyber attackers, hackers and terrorists can use artificial intelligence to help them exploit vulnerabilities in submarine optical cable systems in order to penetrate the systems and their services. After that, they also have the possibility of attacking the data centres located in different parts of the world. The land and beach segments of submarine optical cable systems are the easiest places for attackers to penetrate the systems.
[Figure: Submarine Cable Cyber Threat Segments. Land and Beach Area; Near Shore Area ~50 m; Offshore Area ~50–100 m; Continental Shelf ~100–200 m; Deep Sea ~200 m+]
The following table illustrates the Submarine Cable Cyber Threat Matrix for the different groups of attackers.
[Table: Submarine Cable Cyber Threat Matrix. Attacker groups: cyber vandalism, cyber-crime (data theft), cyber terrorism, cyber espionage, cyber warfare, each rated per sea segment. Threat impact level in colours: Green = Low; Yellow = Medium; Red = High.]
The matrix shows that different attackers have different capabilities to influence the submarine cable in different parts of the sea area.
CYBER INTELLIGENCE AGAINST SUBMARINE COMMUNICATION CABLES
During the early days of submarine cable history, the terrestrial links and coastal segments were considered the weakest and most vulnerable parts with respect to external security threats. However, the underwater cables, which cannot be kept under constant surveillance, have been targeted by intelligence services since the beginning of the 20th century. As part of military operations, the cables of the opposing side have been cut in order to redirect the information flow into cables that were being monitored by the cutting side's own intelligence service. Intelligence collection from submarine cables can be done by eavesdropping (tapping), by side-channel eavesdropping exploiting optical overflow, or by hacking the control systems of the cables.
EAVESDROPPING OF THE CABLES
Tapping means connecting or installing intelligence collection device(s) to the cable or to a fibre pair, either on the ground, at a landing point, at points where the traffic is amplified, or on the seabed. Optical overflow can be exploited either at the cross-connection points of the fibre pairs or cable, or from one fibre pair to another. The geographical location of a tapping device depends on the depth of the sea and the distance of the installation site from the mainland. Deep sea complicates the installation of tapping devices. For practical reasons, the distance from the tapping device to the mainland, where the remote-control unit and the selectors are, should be as short as possible. The superpowers have the intention and need, the technical equipment, the skills and the practice to collect intelligence from submarine cables even in demanding environments. Cable collection is technically possible on the seabed and at the points where the cable is not in the sea, i.e. on the ground. In practice, it is also possible at points where the traffic is amplified or where there is other physical access to the cable (for example in teleoperator facilities).

According to open source reports, the modified Seawolf-class submarine USS Jimmy Carter is almost certainly able to tap submarine communication cables. The USS Jimmy Carter has a purpose-built multi-mission platform, which enables the use of a Remotely Operated Underwater Vehicle (ROV). An ROV can be used for installing tapping devices on submarine communication cables. Even if this is technically possible, some experts consider this kind of intelligence collection too risky and expensive.

Russia's Defense Ministry Main Directorate of Deep-Sea Research (Главное управление глубоководных исследований, GUGI), Military Unit 40056, is responsible for Russian 'underwater engineering'. The task of this unit is to eavesdrop on communications cables, install movement sensors, and collect the wreckage of ships, aircraft and satellites from the seabed. Its divers work at depths of 3000-6000 meters in miniature submarines. One of GUGI's ships is the special purpose intelligence collection ship Yantar. Yantar's equipment and devices are designed for deep-sea tracking as well as for connecting to top-secret communication cables. Yantar's home port is Severomorsk on the Kola Peninsula. Yantar can act as a mothership to the Rus (AS-37) and Consul (AS-39) class deep-sea vehicles, which can operate at depths of up to 6000 meters. Yantar can also be used as a mothership for the ARS-600 deep-diving manned submersible, which can operate at a depth of 600 meters.
HACKING OF THE CABLES
Hacking is the other way to collect intelligence from submarine cables. All the main intelligence services have the possibility of accessing submarine cable systems by hacking their remotely controlled network management systems. Equipment such as Reconfigurable Optical Add/Drop Multiplexers (ROADM) in the control facilities of submarine cable systems can be remotely manipulated either for intelligence collection or for malicious activity (malware etc.), such as cutting the connection in the cable. In addition, some non-state actors might have the capability to intrude into a submarine communication cable, at least at the landing stations. If attackers hack a submarine optical cable system, they will also have access to its management system, and after that they have the opportunity to do whatever suits their purpose.
THE INTERNATIONAL MARITIME LAW DOES NOT PROTECT AGAINST CYBER ATTACKS
International maritime law does not provide an opportunity to enact laws and regulations for the protection of submarine cables outside the territorial sea, whether by using new technologies or against new threats such as unmanned and autonomous weapon systems. International maritime law only considers damage to a submarine cable as a crime. It is, however, possible outside the territorial sea to conduct operational action within the framework of a criminal investigation or the prevention of a crime. Taking into account the specifics of maritime zones located outside state sovereignty, it is not possible to ensure and build an effective system for the protection of submarine cables outside the territorial waters of the state against all types of threats, including cyberattacks using unmanned and autonomous weapon systems. There is a need for more comprehensive threat intelligence and protection. International law applies the right to self-defence, or collective security operations authorised by the Security Council, to cyberattacks, including the necessary requirements for its implementation, and establishes the necessary standards of evidence to justify the use of force. The pace of cyberattacks and the problem of attribution make it difficult to distinguish between the actions of terrorists, criminals and nation-state sponsored attackers. However, international law does not have the tools to identify the attacker, especially in the case of cyberattacks, because that is not the purpose of international law.
This article is based on research carried out at the University of Jyväskylä: Martti Lehto, Aarne Hummelholm, Katsuyoshi Iida, Tadas Jakstas, Martti J. Kari, Hiroyuki Minami, Fujio Ohnishi and Juha Saunavaara, Arctic Connect Project and cyber security control, ARCY, Faculty of Information Technology, publication No. 78/2019.
SUMMARY
Because submarine cable systems have such a considerable strategic impact on our society, they are also a very interesting target for hackers, cyber attackers, terrorists and state actors. We need to look at potential adverse threats, as the submarine optical cable routes are extensive and run under water. In addition, there are many countries that have the ability to tap fibre optic cables under water or at a landing station in order to eavesdrop on information, or to hack or sniff the cables. All the states in the area through which a cable runs have the interest, motivation and technical capabilities to collect intelligence from these cables, at least at the points where the cable is on land. Real point-to-point encryption is the only way to fight against cyber intelligence in submarine communication cables. Technology may help in cyber security. High-capacity systems nowadays have the capability to use a measurement system such as Coherent Optical Time Domain Reflectometry (COTDR). The use of COTDR should be investigated more carefully: it is used for searching for faults, and it may also be used to detect tapping via cable connections. Furthermore, Artificial Intelligence (AI) tools and methods will be solutions to protect submarine fibre-optic cable systems. AI-based systems using Neural Networks and Deep Learning are, even today, capable of detecting and preventing different cyber-attacks. The submarine cable system is technically very complex, and in the future there will be many new technical solutions; transmission speeds will increase, and usability and quality requirements will also increase. This places significant demands on the management and control of the system as well as on its cyber security. We should also take into consideration, in security design, the long life cycle of submarine optical cables, which is about 25 years.
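As an added example (not code from the article or from the ARCY research it cites), the following Go program models where encryption sits on the path the article describes: none at all, link encryption applied by the two landing stations to the submarine span only, and real point-to-point encryption between the communicating endpoints. It models the two observation points the article singles out, a tap on the seabed after an amplifier, which the article says cannot be prevented, and access at a landing station or its management plane, where the article places the easiest attacks, plus the receiving endpoint. The path, keys, observation points and message are all constructed for the simulation; the cipher is AES-256-GCM from Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Mode selects where along the path encryption is applied.
type Mode int

const (
	NoEncryption       Mode = iota // plaintext from endpoint to endpoint
	LinkEncryption                 // landing stations encrypt only the submarine span
	EndToEndEncryption             // the communicating endpoints encrypt before handing traffic to the network
)

func (m Mode) String() string {
	return [...]string{"no encryption", "link (span) encryption", "end-to-end encryption"}[m]
}

// Keys are constructed for this simulation by hashing a label; a real system
// would take them from a key-management system, never derive them from text.
var (
	linkKey = sha256.Sum256([]byte("constructed: landing station A <-> B span key"))
	e2eKey  = sha256.Sum256([]byte("constructed: endpoint-to-endpoint key"))
)

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key [32]byte, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; the GCM tag also detects tampering on the span.
func unseal(key [32]byte, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Trace records what each observation point on the path can see.
type Trace struct {
	LandingStationSees []byte // visible to anyone with access at the landing station or its management plane
	CableTapSees       []byte // visible to a tap placed after an optical amplifier on the seabed
	Delivered          []byte // what the receiving endpoint finally reads
}

// Transmit carries message from one endpoint to the other through landing
// station A, the submarine span and landing station B, under the given mode.
func Transmit(mode Mode, message []byte) (Trace, error) {
	var t Trace
	var err error

	// Sending endpoint: only end-to-end mode encrypts before the network.
	toNetwork := append([]byte(nil), message...)
	if mode == EndToEndEncryption {
		if toNetwork, err = seal(e2eKey, message); err != nil {
			return t, err
		}
	}
	t.LandingStationSees = toNetwork

	// Landing station A: link and end-to-end modes wrap the span.
	onCable := toNetwork
	if mode != NoEncryption {
		if onCable, err = seal(linkKey, toNetwork); err != nil {
			return t, err
		}
	}
	t.CableTapSees = onCable

	// Landing station B: undo the span wrapping.
	atB := onCable
	if mode != NoEncryption {
		if atB, err = unseal(linkKey, onCable); err != nil {
			return t, err
		}
	}

	// Receiving endpoint: undo the end-to-end wrapping.
	t.Delivered = atB
	if mode == EndToEndEncryption {
		if t.Delivered, err = unseal(e2eKey, atB); err != nil {
			return t, err
		}
	}
	return t, nil
}

// Exposed reports whether an observation point sees the message in the clear.
func Exposed(seen, message []byte) bool {
	return bytes.Equal(seen, message)
}

func main() {
	msg := []byte("constructed sample: quarterly results, embargoed")
	for _, mode := range []Mode{NoEncryption, LinkEncryption, EndToEndEncryption} {
		t, err := Transmit(mode, msg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s landing station reads plaintext: %-5v seabed tap reads plaintext: %-5v delivered intact: %v\n",
			mode, Exposed(t.LandingStationSees, msg), Exposed(t.CableTapSees, msg), bytes.Equal(t.Delivered, msg))
	}
}
```

Running it shows that link encryption blinds the seabed tap but leaves plaintext readable at the landing stations, while only end-to-end encryption leaves every intermediate point with ciphertext; the GCM tag also makes a modified span fail authentication instead of being delivered. What no placement hides is traffic volume and timing, so a tap still yields metadata, and the keys must come from a key-management system rather than being derived from labels as this simulation does.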
Cybersecurity tops the list of critical competencies in a post-Covid world // Henna Virkkunen
Picture: Mikko Mäntyniemi

Henna Virkkunen is a Member of the European Parliament from Finland and a former Minister of Education, Transport, Public Administration and Local Government. In the European Parliament, Virkkunen is a member of the EPP Group and the Committee on Industry, Research and Energy (ITRE), as well as a substitute member of the Committee on Transport and Tourism (TRAN).

The Covid-19 pandemic has been a major crisis not only for small and medium-sized enterprises (SMEs), but for nearly all economic actors. Yet it is safe to say that SMEs have been hit hardest. This is not a small thing, since SMEs are a major source of job creation and account for an increasing share of employment in almost every EU country. The pandemic has not swept away the big challenges Europe is facing, but rather accelerated them. Solutions towards climate neutrality and the digital transition need to be found in a post-Covid world of increased scarcity. Already before the crisis, digital illiteracy and a limited uptake of digital technologies had long been key challenges within the SME ecosystem. In some ways, such as through working-from-home practices and remote meetings, the pandemic may have accelerated the shift towards digital ways of doing things. This is obviously a positive thing. However, it still leaves us far away from the comprehensive digital transition needed throughout the European economy, especially within the SME sector.

With SMEs as the backbone of our economy, Europe is faced with a double dilemma. On the one hand, only a thriving community of SMEs making use of digital technologies and data can position Europe as a world leader in shaping the digital economy. Thus far we are falling behind our competitors: only 17% of European SMEs have successfully integrated digital technologies into their businesses, compared to 54% of larger companies. This is a real and pressing challenge which needs to be addressed. As highlighted by the European Commission's recent White Paper on SME Strategy, digitalisation can provide great opportunities for SMEs to improve the efficiency of production processes and the ability to innovate products and business models. Using advanced disruptive technologies, such as blockchain, Artificial Intelligence (AI), and Cloud and High-Performance Computing (HPC), we can dramatically boost SMEs' competitiveness. The Commission's SME Strategy features good initiatives and puts the digital transition at the heart of EU actions. It even features the word "digital" 58 times. Yet I think we need to go further. We need tailored education and training to fit SMEs' needs. We also need the necessary funding for EU-level initiatives in the new Multiannual Financial Framework (MFF) and the Next Generation EU recovery package, as well as broad private-sector, industry-led initiatives. This, like most issues, will not be solved solely by the public sector.

However, with the digital transition comes also digital vulnerability. This is the second part of the dilemma. Many traditional SMEs are often uncertain in their choice of digital business strategy, have problems tapping the large repositories of data available to larger companies, and shy away from advanced AI-based tools and applications. At the same time, they are very vulnerable to cyber threats.
As a continent and a market, we are not only lagging behind in the deployment of digital and emerging technologies, but also inadequately recognise the risks that need to be addressed when doing so. While resilience has become a buzzword in Brussels in the aftermath of Covid-19, cybersecurity has not yet gained the prominence it deserves. Ideally, it would go hand in hand with the EU digital upskilling agenda, as an integral part of it.
Cyberthreats are a real concern to the already more vulnerable post-Covid SMEs. Studies suggest that the economic impact of cybercrime increased fivefold between 2013 and 2017. Even in normal times, 60% of SMEs that suffer a cyberattack do not recover from it. After the crisis, and with even narrower resources, the number could be much higher. Research by the US-based Ponemon Institute and IBM shows that the global average cost of a data breach is a whopping 3.9 million dollars. Combined with the limited focus and knowledge on cybersecurity, the increased volume and cost of cyberthreats leave much of the European economy vulnerable. This has an impact way beyond individual companies. Considering the importance of both the digitalisation of European businesses and the need to ensure their resilience in the face of a multitude of threats, public intervention is justified and necessary. Since the cash reserves of many SMEs are now dwindling close to zero, the issue is not just how these SMEs will survive the acute part of the crisis without a regular cash flow, but how they can invest in digitalisation and in upskilling their workforce. After all, the digital transition is for most companies the only viable solution for ensuring sustainable growth in the future. The European Commission has proposed various actions to take, and I expect the European Parliament to endorse the majority of the proposals. With the support of the Digital Europe Programme, the Commission hopes to develop Digital Crash Courses for SME employees to gain proficiency in areas such as AI, cybersecurity or blockchain. The idea is that the EU's Digital Innovation Hubs (DIHs) will take an intermediary role between SMEs, universities and training providers at the local level. Incubating activities will assist SMEs in becoming part of data-driven ecosystems.
Another interesting proposal is to facilitate a "digital volunteers" programme, which allows young skilled people and experienced seniors alike to share their digital competences with traditional businesses. It is clear that the Commission's proposals do not yet go far enough and more ambition is needed. Another key addition to the proposals should be a targeted focus on cybersecurity. This is a field in which Finland, as one of the countries paving the way with industry-leading companies and a digitally literate public, has a lot to contribute.
The development of quantum technology is accelerating – cyber security must keep up
// Antti Vasara President & CEO VTT Technical Research Centre of Finland Ltd @ahavasara
The development of quantum technology may change the future of humanity and, at the same time, bring new, sustainable growth to Finland. Cyber security must be developed at the same pace with quantum technology.
The major changes in different industrial sectors over recent decades can be largely attributed to digitalisation and the improved power of computers. The development of quantum technology accelerates this change and raises computing power to a level higher than we can currently imagine, opening totally new opportunities for, e.g., modelling, complex simulations and machine learning. In the future, the enormous computing power of quantum computers can be harnessed for solving major global problems, accelerating the development of medicines and vaccines, or effectively finding new ways to overcome climate change, for example. This future is drawing ever closer: quantum technologies are already breaking out of research laboratories into wider use. In the coming decades, their use will expand to different industrial sectors and open up new application areas. By the 2040s at the latest, quantum computers will be used for things so amazing that it is impossible to forecast them today. Exponential computing power can lead to an exponential leap in productivity, which would allow the Earth's resources to be matched to the well-being needs of a growing humanity.
OPPORTUNITY WORTH BILLIONS OF EUROS
For Finland, the development of quantum technology offers opportunities for sustainable economic growth. If we gain a foothold in quantum technology, this could generate a new, significant branch of technology industry for us. The first steps have already been taken: VTT Technical Research Centre of Finland Ltd and Aalto University are currently in the process of acquiring the first quantum computer for Finland. Over the next few years, investments will be made in its development and use. Finland has a lot of expertise in superconductive circuits, complex radio systems and sensors created in quantum and cold physics laboratories. We also have quantum technology companies already in operation. The starting point is good, but we need to enhance our competence in all areas of quantum technology. We must also invest in state-of-the-art manufacturing and research infrastructure and launch a national research, development and innovation programme in quantum technology. With such measures, Finland may even become one of the world's leading countries in selected fields of quantum technology in the future.
NEED FOR QUANTUM-SAFE METHODS
The huge potential of quantum technology also poses threats to cyber security. It has long been known that a powerful quantum computer would be able to break the existing encryption methods. As technology develops, this has become a significant risk in recent years. Cryptography must be developed at the same pace as quantum technology, and the existing data networks must be protected using quantum-safe security methods. The project coordinated by VTT examines the possibilities provided by existing methods and develops new ones, thus building quantum-safe cryptography. One of the key issues is the standardisation of new encryption methods and algorithms. Once a standard has been drawn up, its adoption will take at least several years. When it comes to development, we must look dozens of years ahead to ensure that information that is to be kept confidential in the long term remains secure. The US standardisation organisation, the National Institute of Standards and Technology, has launched a competition to seek new algorithms for future standards and for introduction into extensive use. In Finland, work aimed at standardisation is carried out, for example, in the extensive Post Quantum Cryptography project coordinated by Business Finland. Today's quantum computers cannot yet break encryption, and forecasts about machines capable of doing so vary greatly. However, we must be prepared for the development to advance rapidly.
QUANTUM TECHNOLOGY FOR THE USE OF CYBER SECURITY
Quantum computers are often seen exclusively as a threat to cyber security, with the development and standardisation of quantum-safe encryption methods as the key effort. But in addition to threats, quantum technology also provides opportunities for cyber security. There are areas in cyber security that require a lot of computing, machine learning and modelling. Perhaps the computing power of quantum computers will lend itself to improving cyber security much earlier than to breaking encryption. The development of quantum-safe encryption methods may also accelerate the generation of innovations based on digital trust. Ensuring cyber security in our current information networks in the era of quantum technology is one issue to solve. Another future issue is how to guarantee the security of the quantum computers themselves. At the moment, the focus is on the implementation of quantum computers and not on their security aspects. However, we should also be thinking about this within the next few years, in order to avoid repeating the pitfalls of traditional computers in quantum machines.
Current Security Threats Challenge the Political Leaders // Jarno Limnéll Professor of cybersecurity at Aalto University
Recent conflicts, such as the current escalation between the US and Iran, or the on-going low intensity warfare in Eastern Ukraine, serve as topical examples of the role played by ”cyber” and ”hybrid”, which emerged as buzzwords on security agendas around the world over the last two decades.
Hybrid threat means combining and synchronizing different means and methods of influence, acting in a covert and deniable way, with the aim of confusing the adversary or disrupting their actions without crossing the threshold of war. Such a way of engaging adversaries in the so-called gray zone is expected to play an increasingly prominent role in conflict during this decade. It is time to refresh the discussion covering hybrid threats and bring it to a new level in order to succeed in the emerging security environment of the 2020s.
FAST PACE OF TECHNOLOGICAL DEVELOPMENT AFFECTS SECURITY
One of the key challenges in the current security environment, plagued by hybrid threats, is to keep pace with the ever-accelerating development of technology and the society-wide tide of digitalization. As a megatrend, technology becomes one with everything, turning ubiquitous, and thus calls for strong political attention together with honest evaluation of the security implications of these developments. Looking at this challenge from the security perspective, it becomes clear that an ever-greater level of estimation and foresight is needed, together with an ability to assess hybrid threats and the risks of technology misuse.
As a concrete example, if we prepare ourselves against election meddling by an external hostile party only by taking into account the interference tools and methods that we have witnessed being used, and those that we have experienced ourselves, we are doomed to always be one step behind. On the other hand, it is necessary for us, and for decision-makers, to admit that we will never be able to anticipate all the possible risks and avenues of attack. The hybrid threat environment challenges citizens, business leaders and political decision-makers in particular in many new ways. For example, when thinking about the concept of deterrence in the current threat space, or pondering a proportional response to the spread of fake news and/or data manipulation targeting critical national information assets, new kinds of 'red lines' must be drawn, contingency plans created, and political guidance envisioned and established. Thus, it is fair to say that today's technology-related security questions have truly entered the realm of high politics.
A GROWING GAP
Unfortunately, despite many threat indicators sounding the alarm, there seems to be a growing gap between policymakers and those championing technological development. Political decision-makers do not quite understand the complexities of technology, and also do not fully appreciate its groundbreaking and society-shaking impacts. At the same time, most of those living on the bleeding edge of technological developments are not fully aware of the wide societal impacts of the technologies they unleash on the world, and of the ensuing policy challenges. The magnitude of this separation will be further highlighted during this decade, as the primary question in the technological realm will not be about whether something can be done, but why, when, where and by whom it will, or perhaps more importantly, should be done. In the world of politics, it becomes increasingly important to ask who can make well-informed decisions governing technological advances and the security implications they bring along. Answering these questions significantly influences how well we can both pre-empt some of the emerging hybrid threats and defend successfully against them in this decade.
HOLISTIC APPROACH OFFERS A SOLUTION
A holistic approach to security is needed more than ever in the 2020s. Driving this need are the developments discussed above, where cyber operations and hostilities are increasingly becoming integrated with other types of operations and hostilities, forming hybrid threats. Even if the role of cybersecurity and technology will be emphasized more in political security analysis, a holistic perspective is essential to understand the big picture. As is well presented in the latest Global Risks Report, a holistic approach is particularly needed when trying to understand the various kinds of complex interconnections between different risks. Individual risks should not be separated under isolated assessment from the holistic security context, the strategic approach and political decision-making. Hybridity is a useful concept in thinking about current security issues, since it embraces the interconnected nature of the threats and risks we are experiencing today. It also illustrates well the multiplicity of actors and the diversity of threats. Therefore, in politics "hybrid politics" is a cogent term to describe both the importance of a holistic approach and the importance of including high politics in these matters. One challenge lies in the fact that current policy actions and responses are based on a rather static and siloed situational understanding of the security environment, not fully recognizing the dynamic and holistic nature of hybridity. With a more inclusive hybrid politics approach, it will be possible to find better answers also to current cyber challenges in the hybrid security environment.

Many societies have embraced the concept of comprehensive security as a necessity in order to provide security to their citizenry, improve their resilience, and prepare their societies for still unknown threats. In the comprehensive security model championed by countries such as Finland, national security is built on tight, trust-based cooperation between the authorities, members of the business community, non-governmental organizations and citizens. The model is inherently inclusive: everyone can contribute to the shared security. But that is not yet enough, as in hybrid politics it is necessary for us to think further. Collaborative thinking should extend even further than today, especially when preparing for threats that are not confined to national boundaries. Despite some recent isolationist tendencies in global politics, a cooperative approach between "like-minded nations" and with "like-minded global companies" is a prerequisite for countering both current and emerging security threats effectively. For us to be successful, "shared responsibility" and "together", instead of "alone" or "first", have to become the keywords in this decade's security thinking.
Cyber Security in Smart Cities
// Heidi Heinonen and Renske Martijnse-Hartikka, Forum Virium Helsinki, Smart Mobility Team
HELSINKI CITY: FROM AUTHORITY TO ENABLER
An innovation company of the City of Helsinki, Forum Virium aims to build Helsinki into the most functional smart city in the world. This is done in collaboration with companies, the scientific community and residents. We want to future-proof the city and do this by providing a testbed for innovative solutions, in particular innovations that help reach the goal of carbon neutrality by 2035. Many of our approximately 40 projects relate to data, IoT, behaviour change and, notably, smart mobility.
AUTONOMOUS TRANSPORT AS A CHANGEMAKER IN A SMART CITY
As a smart city, we are constantly on the lookout for mobility solutions to keep the city liveable and accessible. Part of Helsinki's official strategy is to focus on demand-driven transport and to promote new mobility technologies. Autonomous transportation projects are an important part of the work of Forum Virium's Smart Mobility team. Within this field, the focus is on drones and on self-driving shuttle buses, due to the contribution they are expected to make to a more efficient supply system and to more attractive public transport respectively. Here too, of course, the City of Helsinki's CO2 neutrality goals are a key driver of our work.
CYBER SECURITY IN OUR PROJECTS: AUTONOMOUS SHUTTLE BUSES
Forum Virium has been involved in shared autonomous transport projects since 2015, by doing tests, together with companies, in increasingly challenging environments. Cyber security is at the heart of such systems: autonomous shuttles employ a combination of high-tech sensors and innovative algorithms to detect and respond to their surroundings, including radar, LIDAR, GPS and computer vision. For cities and transport authorities it is vital that they are as safe as possible, as they are used for public transport. In the ongoing large FABULOS project, consortia from Finland, Estonia and Norway pilot their turnkey prototype solutions in five European cities in 2020.
The companies carry the responsibility of providing a safe and secure system. In this Pre-Commercial Procurement, the so-called international Buyers Group (consisting of four cities, a Ministry and a public transport operator) has set certain functional requirements. The remote operations and the control room management of the robot bus fleets have to be rigorously tested and validated against cyber attacks. The system is to be subjected to a hacking attack by an external organisation with proper credentials, in order to verify that the system has sufficient protection in both its physical and virtual interfaces. In addition, we encourage the consortia to set up a bug bounty system and to subject the system to a hackathon-type event. Remote operation and fleet management systems must pass external validation for cyber safety according to the guidelines of the National Cyber Security Authorities.
CYBER SECURITY IN OUR PROJECTS: DRONES
Forum Virium Helsinki has already been a partner in, or closely linked to, drone-related projects like New Solutions in City Logistics or Aviapolis Liikennelabra during the last couple of years. Nevertheless, the first purely drone-focused project, Carbon neutral drone solutions in Southern Finland, started last September at Forum Virium Helsinki, and one month later it was presented at the 1st drone congress in Finland, organised by Cyberwatch Finland. The project is funded by the European Regional Development Fund and will go on until the end of 2021. Its main objective is to pilot and promote carbon-neutral and emissions-free drone services for logistics, remote security and environmental control, and to develop them into new forms of business to replace combustion-engine forms of mobility and transport. Just as with self-driving shuttle buses, the key elements of such services are built firmly around security aspects. Especially the autonomous and BVLOS (beyond visual line of sight) flights conducted in reserved airspace need to be secured against any kind of cyber risk, so that the drone is under control during the whole flight and can be taken down by the control centre at any moment without causing any damage to people or surroundings. Nevertheless, the most serious risk would be a case where a hacker gets into the drone's navigation system and takes control of it. Firstly, it could cause serious damage if crashed on purpose into a crowd or a building, and secondly, the content it carries could fall into the wrong hands. Depending on the content, which could also be data, the consequences could be more or less serious. Other cybersecurity issues within the civil drone industry are, for example, geofencing and U-space. Geofencing is supposed to prevent drones from flying in forbidden no-drone zones, but it seems not to be 100% reliable. The so-called U-space airspace that is currently under development consists of a set of digital services and is therefore also highly related to security issues. Once in use, U-space will make it possible for autonomous drones to fly in the same low-altitude airspace together with other aircraft, as it will enable the sharing of flight management information between different users. In order to be reliable, it needs to meet the highest cyber security requirements.
KNOWLEDGE-BUILDING FOR SAFE AND SMART CITIES
For cities, as public authorities, it is always “safety first” with innovations, especially ones that involve AI, algorithms and sensors. Companies that we work with need to prove that their operations in our city, among our residents, are secure. Setting these standards is a difficult task, not least because of the lack of knowledge among many city stakeholders on topics such as cyber security in (autonomous) mobility. Therefore, close cooperation with companies and research institutes is crucial. Exchanging information, increasing our expertise and building an ecosystem of knowledgeable partners in the field of cyber security in autonomous mobility is what we strive to do. Testing and piloting are the best way of doing this and are therefore at the heart of the work of Forum Virium Helsinki.
Eye from the sky: drones and urban security // Dr. Antti Perttula, Principal Lecturer, Systems Engineering, Head of Aircraft Engineering Studies, Tampere University of Applied Sciences; Dr. Markus Aho, Principal Lecturer, Industrial Technology, Intelligent Machines, Tampere University of Applied Sciences
In many smart city visions, drones have several crucial duties, including logistics and security monitoring. Unfortunately, many technology applications exploiting drones also have their questionable side. Drones can be used for good and for bad purposes. How can drones benefit our urban lives? Can they also decrease security, and how do we cope with this? We address these important questions in this article.
HISTORY OF DRONES
Flying drones have a long history. Probably the earliest one, the Kettering Bug, was developed by the US Army during the First World War, in 1918. It can be defined as an aerial torpedo, a forerunner of present-day cruise missiles. It was able to reach targets up to 120 km away and it flew at 80 kilometers per hour (Cornelisse, 2002, U.S. Air Force Publication). Before airplanes, balloons were used to carry out military actions remotely. In 1859, the Austrians attacked Venice with pilotless balloons loaded with bombs.
Since then, the drone business has expanded hugely. Currently, annual sales of flying drones have reached two billion euros and the amount is expected to double in five years. In addition, it has been predicted that the drone services market will reach 20 billion in 2022 (MarketWatch 2019). In the military sector, these numbers are many times larger. One of the most expensive drones is the Northrop Grumman X-47B, with an estimated price tag of USD 405 million (Military Machine, 2020). Drones are an integral part of modern warfare and currently most military operations utilize drones. The sizes of drones vary a lot, the largest being bigger than an Airbus A320 passenger airplane and the smallest only some millimeters long.
Venice balloon bombs (Prof. Jurij Drushnin, Monash University) and Kettering Bug (the National Museum of the USAF)
Smallest Drone Ever (Hd Wallpaper Regimage, 2019) and Northrop Grumman X-47B (Military Machine, 2020)
DRONES IN SMART CITY
There are many possible applications for drones in urban areas. In particular, drones offer an excellent platform for city logistics and for many kinds of sensors. The rising trend is to use low-carbon solutions for mail and parcel delivery in the centers of smart cities. Drone logistics provides one solution and, if done autonomously, it can also save labour costs and increase security. Large logistics-related companies, such as DHL, Google, Amazon and UPS, have already shown their strategies for drone logistics. In 2019, UPS was the first company to receive from the US aviation authority (FAA) a permission for autonomous commercial cargo transportation in ‘beyond visual line of sight’ (BVLOS) conditions. At Tampere University of Applied Sciences, we have received permission from the Finnish civil aviation authority (CAA), Traficom, to carry out BVLOS flights in the Tampere area for research purposes. The City of Tampere in Finland aims for innovative and sustainable smart city solutions and, among other things, has provided a specific test site for new drone-related experiments. Drones can be used for several sensing purposes, such as monitoring air quality and traffic congestion, and collecting data from the activities of individuals or groups of people. Drones can quickly transport many kinds of sensors to areas where immediate measurements are needed. The data can then be transmitted online, e.g., to Fire, Search and Rescue and Police organizations. By drone, one can also inspect the condition of infrastructure and mechanical failures in high structures, such as antenna masts, bridges and chimneys, and measure heat losses and check assembly quality for buildings.
SAFETY CONCERNS IN URBAN AREAS
In urban areas, buildings and other infrastructure are close together and drones operate in people’s normal living environment. People are physically present there and use many kinds of communication and data transfer systems, which are becoming more and more wireless. At the same time, drone operations are based on wireless data transfer. The signal transmission channel needs enough capacity to serve peak load situations with many simultaneous channel users as well. The coming 5G network may help here. However, there is always the possibility of interfering with or even blocking the communication system simply by increasing RF noise; illegal jammers for this purpose can be bought online cheaply. Drones are equipped with several sensors and cameras, which can cause privacy concerns. Commercial drones are built using normal consumer-grade components, which are not as reliable as components in normal aircraft. Similarly, there are no back-up systems for critical functions, such as energy sources, motors and propellers. One significant safety risk is the drone pilot. The pilot may not have enough understanding of the physical or technical constraints of drones, or experience of severe weather conditions.
DRONES AS THREATS
Drones have several sensors, antennas and cameras, which make them very useful spying devices. They can fly over physical barriers and can reach high buildings and antenna masts. Drones can capture data from WiFi hotspots, disrupt networks, and carry explosives and guns. There are also cases where drones have been used to carry illegal wares and to smuggle goods between countries. If a drone were to hit an airplane, it could destroy parts of the fuselage, wings or blades in the jet engines, and finally the whole aircraft. Small drones are difficult to detect, because they have low acoustic and thermal signatures and low-power RF transmitters. Thus, to radar they look like birds, and air traffic control radars ignore birds.
In digital trust, appropriate IT security practice is important, including checking for unauthorized access points and making sure that software updates come from a reliable partner. Control data transferred between the drone and the transmitter should be encrypted. Almost all drones carry cameras. They can look through windows unless the blinds are closed, which blocks the drone’s view. Make “what-if” scenarios when needed: what could a drone see through the window, such as the managing director’s laptop display? The drone pilot should understand when he or she has full control of the drone. How do we prevent an attacker from hijacking the controls? If something strange happens, for example if the positioning or control signal is jammed, the drone should land autonomously. The data transmission channel should have enough bandwidth, low latency and enough speed; the new 5G system may help with these issues. Drones should be designed only by highly qualified persons, who understand the reliability and stability of components and mechanical structures, know the critical functions to be duplicated, and can manage external and internal mechanical, electrical and RF interference, including EMC. In urban areas, drones should fly only along pre-defined flight paths, which are not located directly above people.
ISIS jihadis planning drone bomb attacks on England fans at the Russia World Cup (The Sun, 1 Apr 2018)
ATTACKS ON DRONES
There are several possible levels of attack. The whole drone can be taken over and diverted from its normally planned mission. It is possible to interfere with the flight control computer’s internal processes or with the data transfer channel between the drone and the controlling station. In addition, it is possible to change the navigation data by interfering with the navigation antennas and, as mentioned earlier, all RF signals can be blocked completely by jammers. Artificial intelligence (AI) can also be used to attack drones. AI-type malware can let the drone operate normally until a precise target is located. The target can be identified by facial recognition or other means from kilometers away. After identifying the target, the AI takes over control and commands the drone to complete the forced task. Sometimes the malware is almost impossible to find among the drone’s normal software. Marc Ph. Stoecklin from IBM says: “DeepLocker can leverage several attributes to identify its target, including visual, audio, geolocation and system-level features. As it is virtually impossible to exhaustively enumerate all possible trigger conditions for the AI model, this method would make it extremely challenging for malware analysts to reverse engineer the neural network and recover the mission-critical secrets, including the attack payload and the specifics of the target.”
ANTI-DRONE MEASURES
The off-the-shelf drones of the largest manufacturers, DJI and Parrot, have geofencing software, which prevents the drone from flying over airports or other restricted areas. However, the geofencing in Parrot’s drones can be turned off. In addition, one can build a drone without any geofencing hardware or software and block the drone’s GPS signals. Hacking software is also available. In some cases, net guns, birds of prey (“Eagles trained to take down drones”, BBC News, 8.3.2016) and lasers are used to take drones down. However, in urban areas and at airports it is difficult to use lasers, jammers or a sniper to shoot a drone down. Jamming the signals is possible, but illegal in most of the West. Fortunately, other techniques also exist to take over and capture or land drones (refer, e.g., to Sensofusion).
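The fail-safes the sections above call for (land autonomously when the control link or the positioning is jammed or tampered with, and fly only along a pre-defined path away from people) can be written down as a small onboard monitor. The following is an added example, not code from the article or from the authors' institutions; the thresholds, the flight corridor and the telemetry are constructed assumptions.

```python
"""Drone fail-safe monitor.

An added illustration, not code from the article or from Forum Virium Helsinki or
Tampere University of Applied Sciences. It models the article's mitigations: land
autonomously when the control link or positioning is jammed or spoofed, and keep the
aircraft inside a pre-defined flight corridor that avoids people. Thresholds and the
telemetry below are constructed sample values, not figures from any real airframe."""
import math
from dataclasses import dataclass
from typing import List, Tuple

Point = Tuple[float, float]  # (east_m, north_m) in a local planar frame


@dataclass
class Telemetry:
    t: float            # seconds since take-off
    pos: Point          # position estimate from the navigation solution
    sats: int           # satellites used in the GNSS fix
    hdop: float         # horizontal dilution of precision (lower is better)
    last_cmd: float     # timestamp of the last authenticated command received


# Constructed thresholds (assumptions, not vendor values).
LINK_TIMEOUT_S = 2.0   # no valid command for this long: treat the link as jammed/lost
MIN_SATS = 6           # fewer satellites than this: fix is degraded
MAX_HDOP = 3.0         # worse geometry than this: fix is degraded
MAX_SPEED_MPS = 25.0   # faster than the airframe can fly: jump looks like spoofing


def point_in_polygon(p: Point, poly: List[Point]) -> bool:
    """Ray-casting test: True when p lies inside the closed polygon poly."""
    x, y = p
    inside = False
    for i in range(len(poly)):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % len(poly)]
        # Count the edges that a horizontal ray from p towards +x crosses.
        if (y1 > y) != (y2 > y):
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def decide(prev: Telemetry, cur: Telemetry, corridor: List[Point]) -> Tuple[str, str]:
    """Return (action, reason) for one telemetry sample.

    Actions: CONTINUE, RETURN_TO_CORRIDOR, LAND. Checks are ordered by severity:
    a lost link or an untrustworthy position is handled before the geofence, because
    a geofence decision based on a spoofed position would itself be wrong."""
    # 1. Control-link watchdog: jamming or loss of the command channel.
    if cur.t - cur.last_cmd > LINK_TIMEOUT_S:
        return "LAND", "control link lost"
    # 2. Positioning integrity: a degraded fix ...
    if cur.sats < MIN_SATS or cur.hdop > MAX_HDOP:
        return "LAND", "positioning degraded"
    # ... or a jump the airframe could not physically have made (spoofing/jamming).
    dt = cur.t - prev.t
    dist = math.hypot(cur.pos[0] - prev.pos[0], cur.pos[1] - prev.pos[1])
    if dt > 0 and dist / dt > MAX_SPEED_MPS:
        return "LAND", "implausible position jump"
    # 3. Geofence: stay over the pre-defined path, never directly above people.
    if not point_in_polygon(cur.pos, corridor):
        return "RETURN_TO_CORRIDOR", "outside flight corridor"
    return "CONTINUE", "nominal"


def run(samples: List[Telemetry], corridor: List[Point]) -> List[Tuple[str, str]]:
    """Evaluate consecutive samples; one (action, reason) per sample after the first."""
    return [decide(samples[i - 1], samples[i], corridor) for i in range(1, len(samples))]


# Constructed flight corridor: a 100 m x 30 m strip over a road, not over the pavement.
CORRIDOR: List[Point] = [(0.0, 0.0), (100.0, 0.0), (100.0, 30.0), (0.0, 30.0)]

# Constructed telemetry: nominal flight, drift out of the corridor, a degraded fix,
# a jammed control link, and finally a spoofed-looking 95 m jump in one second.
SAMPLES = [
    Telemetry(0.0, (5.0, 15.0), 10, 1.0, 0.0),
    Telemetry(1.0, (15.0, 15.0), 10, 1.0, 1.0),
    Telemetry(2.0, (25.0, 15.0), 10, 1.1, 2.0),
    Telemetry(3.0, (35.0, 34.0), 10, 1.1, 3.0),   # 21.5 m/s, but north of the strip
    Telemetry(4.0, (45.0, 20.0), 5, 1.2, 4.0),    # only 5 satellites in the fix
    Telemetry(5.0, (55.0, 20.0), 10, 1.0, 2.5),   # no command received for 2.5 s
    Telemetry(6.0, (150.0, 20.0), 10, 1.0, 6.0),  # 95 m in 1 s
]

if __name__ == "__main__":
    for sample, (action, reason) in zip(SAMPLES[1:], run(SAMPLES, CORRIDOR)):
        print(f"t={sample.t:.0f}s {action:<19} {reason}")
```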
CONCLUSION
Drones are entering our everyday lives, also in cities. They are very good and flexible for certain applications and save money and the environment. However, we also need to understand the risks they may pose because of unreliable components, unprofessional pilots, weather conditions, or simply because someone, or an AI, takes over control and misuses them. Fortunately, there are many actions to decrease the risks, the hardest one being to force drones to land immediately. On the one hand, accelerated digitalization has increased drone-related research, technological development and many new practical applications for smart cities. On the other hand, further research and policymaking are needed fast to find and deploy drone technologies and practices safely.
Cyber Security challenges in Aviation and Maritime // Professor Martti Lehto, University of Jyväskylä
INTRODUCTION
The transportation system is part of the critical national infrastructure. Transportation systems support the movement of people and goods at the national and international levels and comprise the combination of vehicles, infrastructure and operations. Disruption of the transport network has significant impacts on the everyday life of citizens, on national defence and security, and on the vital functions of the state. This critical infrastructure is managed and maintained by a complex set of actors, each of whom tackles cyber security differently. The cyber security risk landscape in transport is currently evolving to the point where risks that were once considered unlikely have begun to occur with regularity. This ongoing trend can be attributed to the higher maturity of attack tools and methods, increased exposure, and the increased motivation of attackers. In the past, most attacks were conventional and the attackers were individuals or small groups. Nowadays, we see a new breed of attacks, targeted and sophisticated, where the attackers use advanced cyber weapons developed by intelligence, military or terror organizations. These attacks are called Advanced Persistent Threats (APTs); the term usually refers to a group, such as a foreign government, with both the capability and the intent to target a specific entity persistently and effectively.
AVIATION
Aviation is a cornerstone of national and international commerce, trade, and tourism, which means even an isolated incident could spark a crisis of confidence in the entire sector. The potential impacts on stock market value, stability, and national gross domestic product make securing and protecting the connected aviation world a critical element of national security.
Cyber threats to the aviation sector are rapidly becoming a major issue for airlines, aircraft manufacturers and authorities. Cyber risk is significant and growing in the aviation sector, with 85% of airline CEOs expressing concern about cyber risk. For example, the civil aircraft manufacturer Airbus Group is hit by up to 12 cyberattacks per year, mostly in the form of ransomware and hostile actions carried out by state-sponsored attackers. According to a study by the European Aviation Security Agency (EASA), there is an average of 1,000 airport cyber-attacks per month. Cybersecurity is a growing concern for civil aviation, as organizations increasingly rely on electronic systems for critical parts of their operations, including safety-critical functions. A case study from the USA shows the situation: a team of experts from US Homeland Security remotely hacked a Boeing 757 that was parked at the airport in Atlantic City. The team got access to the airplane on September 19, 2016, and two days later an expert succeeded in accomplishing a remote, non-cooperative penetration. The civil aviation system consists of a patchwork of interconnected components, systems and networks, any of which could have vulnerabilities. The potential for cyber incidents that could jeopardize communications and information exchanges between various aviation stakeholders, impact safety and security, and damage aviation business continuity has increased over the years. The aviation system should have cyber security management built in at all levels, continuously, to manage current and future cyber threats and vulnerabilities. The levels are the international, national and business entity levels. Different fields in aviation are, e.g., the manufacturers, airlines, maintenance, repair and overhaul organizations (MROs), airports, air navigation service providers and security service providers.
Cybersecurity encompasses the protection of electronic systems from malicious electronic attack (unlawful interference) and the means of dealing with the consequences of such attacks. An example of a cyber-attack against aviation: in 2015 an attack on the IT network of the Polish airline LOT caused at least 10 flights to be grounded. It was one of the first reported cases of hackers causing cancellations. LOT encountered an IT attack that affected the ground operation systems. As a result, LOT was not able to create flight plans, and outbound flights from Warsaw were not able to depart.
MARITIME
The maritime sector is a vital part of the global economy, whether it is carrying cargo, passengers or vehicles. Maritime digital transformation is part of the ongoing transition in traffic systems. With around 50,000 ships at sea or in port at any one time, the maritime transport industry is highly exposed to cyber-attacks. Vessels do not need to be attacked directly: an attack can arrive via a company’s shore-based Information Technology (IT) systems and very easily penetrate a ship’s critical onboard Operational Technology (OT) systems. These systems are used for a variety of purposes, including access control, navigation, traffic monitoring and information transmission. Although the interconnectivity and utilization of cyber systems facilitate transport, they can also present opportunities for exploitation, contributing to risk for maritime systems. There are several key issues that make cybersecurity for the maritime industry particularly complex, challenging and confusing. There are many different classes of ships, tugs and boats, all of which operate in very different environments. These vessels tend to have different computer systems built into them. Many of those systems are designed to last no more than three decades. Placed in another context, many ships operate outdated and unsupported operating systems, which are the ones most prone to cyberattacks. Ships are increasingly using systems that rely on digitization, digitalization, integration and automation, which call for cyber risk management on board. As technology continues to develop, information technology and operational technology on board ships are being networked together, and more frequently connected to the internet. The maritime technical environment consists of the interconnected system of systems of vessels, fairways and harbours. In this environment the cyber security of the connections will need to be ensured.
Securing the cyber aspects of an interconnected system hosted by multiple stakeholders requires a system-of-systems view of cyber security. ENISA has published the EU report on cyber security challenges in the maritime sector. This principal analysis highlights essential key insights, as well as existing initiatives, as a baseline for cyber security. High-level recommendations are given for addressing these risks; cyber threats are a growing menace, spreading to all industry sectors that rely on ICT systems. One key finding of the report is that maritime cyber security awareness is currently low to non-existent. A holistic, risk-based approach is needed, with assessment of maritime-specific cyber risks as well as identification of all critical assets within this sector. One example of a cyber-attack against the maritime sector is the cyber breach affecting Cosco’s operations in the US Port of Long Beach on 24 July 2018, which affected the giant’s daily operations. The company’s network broke down, and some electronic communications were not available as a result.
CONCLUSION
Technical and economic development has led to networking and increasing interdependencies between production, services, transport and the entire society. In recent years, attacks against critical infrastructures, critical information infrastructures and internet-connected vehicles have become ever more frequent and complex, because perpetrators have become more professional. There are several reasons for conducting cyber-attacks against the transportation sector. Due to the reliance of trade on the transport sector, an attack could be used to affect trade in general, or even to target a specific commodity and its availability. Airports can be targeted to affect tourism, material transportation or business travel. The greatest fear faced by transportation agencies is the potential for accidents, mass chaos, and even injuries or loss of life due to disruptions to critical infrastructure. Cyber security, as an essential part of the critical infrastructure, will need to be ensured. Securing the cyber aspects of an interconnected transport system hosted by multiple stakeholders requires a system-of-systems view of cyber security. That means a holistic approach to cyber security has to be taken into account at all decision levels of all stakeholders. The speed of innovation, technological advancement and adversary capability is potentially outstripping policy and regulatory development in many areas of the transport ecosystem. This cyber security challenge will not be an easy one for the industry or for international and national policy leaders, but collaboratively tackling it is critical for getting ahead of adversaries as well as for understanding and subsequently mitigating the risks. Making transport systems resilient against cyber adversaries stretches from concept through design, assurance, supply, build, delivery and operations.
With a shifting and evolving threat landscape that is growing as fast as the potential attack surface, managing risk, and looking far enough ahead is a complex, multi-stakeholder challenge.
YOUR STRATEGIC CYBER SECURITY PARTNER AND ADVISER
Shaping Dependable Cyber Security with a Comprehensive Approach
When looking for an experienced partner to aid in the development of situational awareness in the prevention of cyber attacks, we are the answer. We will strengthen your organisation's ability to recover from possible crisis situations, and guide you in acquiring a comprehensive approach to cyber security. Our mission is to secure the functions and services of critical infrastructure as well as protect your organisation's most valuable assets. We will guide you to a strong cyber security culture which will strengthen your organisation’s resilience to a cyber crisis and reduce your business risks. We provide a holistic understanding of the interdependences of people, practices and technologies, and recommend steps to improve this whole ecosystem. Cyberwatch Finland is a strong and dependable partner, helping you respond to the challenges posed by cyber space.
WELCOME TO OUR NEW STUDIO-OFFICE Huopalahdentie 24, 00350 Helsinki FINLAND
A Passion for a Cyber Safe World
Cyberwatch Finland www.cyberwatchfinland.fi
Global cyberpolitics – in your living room // Mirva Salminen, Researcher, Arctic Centre, University of Lapland
The idea of the neutrality of technology in the face of global power struggles has been questioned for some time. Nonetheless, the ordinariness of cyberpolitics remains less understood. Yes, it involves high-profile cyber-attacks on critical infrastructure, online terrorist recruitment and fiery exchanges of words between world leaders on Twitter, but also your everyday interactions on social media, your ability to use digital services when needed, and your choice of technology and its manufacturers. Global cyberpolitics takes place in your living room, but did you notice? As digitalisation intrudes ever deeper into the structures of society, the criticality of information and communication technologies for the functioning of society has been recognised. Cyberspace has been securitised as an object of state-level security decisions, policies and administrative arrangements. It has become internationally accepted that the digital actions of a state’s opponents may justify recourse to exceptional measures to restore the balance of power. At the same time, global cyberpolitics has generally become understood as relations between states and their representatives. While the United States and China dispute over particular corporations and each other’s actions, and Russia questions the effective principles of internet governance, news articles your friend shared on social media about Covid-19 only infecting particular ethnic groups may easily pass as apolitical fact. The existence of fake news, deepfakes, troll factories and intensifying strategic influence are known facts, but may not feel like an everyday issue. However, political influence targeting everyone in cyberspace is not restricted to election times, but shapes our perceptions and actions on a daily basis. For a long time, technology corporations denied their role in cyberpolitics in the name of the neutrality of technology and/or freedom of speech. It was stated that technology in itself was neither good nor bad; what mattered was what people chose to do with it. Yet, by deciding not to intervene in hate speech, the dissemination of disinformation or the denial of historical facts, the global social media giants took a political decision for which they are gradually being held accountable. Freedom of speech is not an absolute right but needs to be balanced against the realisation of other human rights. Similarly, non-governmental organisations and consumers are gradually picking up the questions of corporate social and environmental responsibility related to the extraction of raw materials for ICT and the use of developing countries as disposal sites for electronics. Consumer decisions are political decisions alike. At the supranational level, and alongside becoming a cybersecurity actor, the European Union is creating room for itself in cyberpolitics as a regulator of the single market, a facilitator of responsible digital innovations, and a patron of privacy and other fundamental rights. However, it also reaffirms the contract as the primary means of constituting the relationship between a consumer and a service provider, with particular legal effects. Thus, it cannot affect what you choose to share, opt in to or opt out of. At the international level, the United Nations has been investigating digitalisation and cybersecurity for over two decades, but only last year did corporations and civil society representatives enter the discussion in the General Assembly’s First Committee and highlight the importance of the human aspects of cybersecurity. The human aspects entail political influence, both top-down and bottom-up. The #MeToo and Black Lives Matter movements serve as prime examples of the latter. Pressing the like button may not have much instant influence, but channelling support through a number of channels at best empowers actors to act against injustice in the long run. In global cyberpolitics, you are not merely an object whose perceptions and opinions can be affected through information campaigns, or whose ability to act can be restricted through a denial-of-service attack or ransomware. You are a political actor and influencer alongside states, corporations, NGOs and other actors, whether you recognise this role or not. The intensifying responsibilisation of individuals for cybersecurity, for example in the discourse on digital skills as civic skills, highlights the importance of acknowledging this role. Sharing a video clip online may seem harmless, but it can still lead to liability if it causes a detriment.
FINLAND
|
37
The Siamese Twins of Information and Cyber - Vulnerable and Almost Inseparable
Cyber infrastructure is in many ways inseparable from its content. Damage to either one may result in the failure of the whole system. The information domain is in many ways the more vulnerable of the two, due to its fuzziness and lack of clarity. Recent developments have shown that improving preparedness in one area has moved attackers’ attention to the other. National actions are seldom enough when trying to protect our information and cyber spaces.
// Antti Sillanpää, Senior Researcher, Secretariat of the Security Committee
ELECTIONS AS A CASE
Tactics of grand-scale information operations seem to be changing. This is evident when we analyse what has been happening around election campaigns. Interference has caused problems for democratic processes for a long time. However, it was Russian meddling in the U.S. and French elections that raised this as a concern for Western democracies.
Democratic countries tend to be slow to act if there is no imminent threat looming. Luckily, election security protection was something that nations prioritised; e.g., prior to its parliamentary elections, the EU announced concrete measures in order to strengthen the resilience of the Union’s democratic systems.2 In Finland, the Ministry of Justice took Finnish parliamentary election security to the Security Committee and, following its advice, established a cross-government task force. It focused on informing the public, political actors, civil servants and the media about the threats. In addition, the group analysed co-operation between different authorities. Based on the final report’s recommendations, several steps have been taken or are in the making. Finland is only one example; several countries have improved their processes and regulations.
The methods used to interfere with elections include hacking, denial-of-service attacks, the spreading of fake news, harassment of candidates and parties, threats and bullying, trolling, and the use of bot networks to steer the direction of debates.1 The goal can be to support or undermine a political actor, or to undermine confidence in the process. Hostile action can target authorities (electoral systems and processes, supporting authorities), political actors (campaigns, parties, individual politicians), the general public (the electorate and others) and the media.
MOVING TARGETS, CHANGING TACTICS
The increased efforts to protect voting have been successful, judging by election security reports; e.g., the Finnish report boldly says “work to support cyber security in the parliamentary elections was a success” and further “Major attempts to interfere with the elections were not detected”.3 We can see how in Western Europe the public outcry over foreign meddling has quieted down. It is even possible that the attempts to distort are few and far between. There are a couple of explanations why potential troublemakers would change their behaviour. Many of the items in the list below are linked to each other. Firstly, election interference might be “out of fashion” in the meddling business; hostile actors create new plots to shake democracies. Secondly, nations’ efforts to counter interference are actually working and it is more difficult to rig improved systems. Thirdly, the public attention on the election system has caused amateur hackers to shy away. Lastly, the risk-reward ratio for adversaries has changed. When authorities and other stakeholders are alert, the risk of getting caught is higher. And after the Salisbury incident we have seen how public attribution can really have an impact on international relations. Russia felt how open and free societies can synchronise their actions rapidly when necessary. All or some of the items listed above have guided hostile actors to change their focus. As physical structures are better guarded, the efforts have moved to new targets. The softest target is human thinking. The purpose of a state-actor attacker has remained the same: to weaken the competitor. In NATO parlance, the information environment has three dimensions: physical, informational and cognitive.4 Hostile information activities can cause havoc by attacking any one of these. The cognitive dimension is an effort to give context to what is happening or has happened. If this sensemaking is disturbed, people feel lost. From an electoral point of view, this could mean complete distrust of elections, the news media and authorities, alienation from others, and even a lost sense of the purpose of democracy. According to Jessica Brandt, from the Alliance for Securing Democracy, the Russian focus with the U.S. elections is to create division among the electorate by pumping mistrust into the system: “… the perception of insecurity can be just as damaging as insecurity itself”.5 Similar thinking is echoed in the new U.S. Counter-Intelligence Strategy 2020-2022: “…These campaigns are designed, for example, to sway public opinion against U.S. Government policies or in favour of foreign agendas, influence and deceive key decision makers, alter public perceptions, and amplify conspiracy theories… Our adversaries regard deception or manipulation of the views of U.S. citizens and policymakers to be an effective, inexpensive, and low-risk method for achieving their strategic objectives”.6
PROTECTING OUR FREE WILL
Democracies are vulnerable to determined attackers. However, election protection has shown that enhanced co-operation is an effective way of supporting societies. Despite the excellent track record of whole-of-government and whole-of-society approaches, these models have shortcomings: they don’t fully grasp the impact of international business. As there are not enough incentives for international social media companies to protect the information space, countries are pushing for more regulation. For smaller media markets it is important that this work is done jointly; for example, the European Commission is revising liability rules for platforms, with a proposal due by the end of the year.7 Currently the emphasis is on heavier regulation, but all actors should feel responsible. Protecting a healthy cyber and information environment in one country helps everyone. In these domains everyone is connected; everyone is a neighbour to everyone.
1 https://vnk.fi/en/article/-/asset_publisher/suomessa-on-maailman-parhaat-vaalit-mieti-miksi
2 https://ec.europa.eu/commission/presscorner/detail/en/IP_18_5681
3 https://valtioneuvosto.fi/en/article/-/asset_publisher/1410853/eduskuntavaalien-turvallisuutta-tukenut-varautumistyo-oli-onnistunutta
4 https://fas.org/irp/doddir/army/atp3-13-1.pdf
5 https://www.bloomberg.com/news/videos/2020-03-03/-balance-of-power-full-show-03-03-2020-video
6 https://www.dni.gov/files/NCSC/documents/features/20200205-National_CI_Strategy_2020_2022.pdf
7 https://www.bloomberg.com/news/articles/2020-02-12/u-k-to-regulate-internet-in-crackdown-on-social-media-companies
CYBERWATCH FINLAND | 39
Can you entrust your OT/ICS Security to your SOC-as-a-Service? // Franco Monti
For about five years now, specialised service providers have offered to take over companies’ entire security monitoring as a service. At the beginning only larger companies, often those with international business activities, started to take Security Operations Centre (SOC) services on board. In most cases these covered threat monitoring and vulnerability management. Threat monitoring was used to identify any incident occurring and to alert the monitored company immediately, with enriched data about what happened and how critical the situation is. For vulnerability management, off-the-shelf products were mostly used and integrated directly into the SOC service, in order to provide detailed information about any security issue caused by unpatched system components or security weaknesses in a customer’s infrastructure.
Figure 1 - Traditional IT-centric SOC Model
FRANCO MONTI – SENIOR PARTNER, MONTI STAMPA FURRER & PARTNERS AG (MSFPARTNERS.COM), SWITZERLAND. Franco Monti is co-owner and co-founder of MSFPartners.com, a Swiss cyber security boutique with offices in Switzerland and Dubai. He can draw on many years of experience in the protection of critical infrastructures (IT & OT/ICS). Over this period he has accumulated a wealth of expertise in developing cyber security strategies and drawing up complex cyber security programmes. He takes responsibility for Swiss and international projects that focus on setting up security operations centres, introducing incident management and protecting IT and OT infrastructures. Franco graduated in engineering at the Swiss Federal Institute of Technology (ETH) and in business administration at the University of St. Gallen (HSG).
In order to be capable of monitoring a customer, SOC providers usually install a SIEM (Security Information and Event Management system). The SIEM is a core element of any SOC service: it correlates the millions of events that occur in every company in a single month and filters them so that the ongoing malicious activities become visible to the SOC and its customer, usually no more than a few dozen per month. Using the SIEM and further subject matter expertise, SOC organisations map every incident found to known attack patterns. They provide their customer with detailed information, the criticality of the incident, and assistance on how to respond to the incident and how best to recover.

Traditionally, the service portfolio of large national or international SOC providers has focused on the IT of their customers. Over the last years they have gained significant expertise in how to protect an IT environment effectively and efficiently: office automation, corporate networks, firewalls, proxy servers, clients and servers. They collect log files from all relevant IT infrastructure and feed this information into the SIEM for correlation.

When it comes to the protection of manufacturing facilities or of critical infrastructure, such as components of the grid or of power plants in utility companies, the classic SOC mechanism no longer works. In these environments an industry-specific control infrastructure has been established. In the past it was isolated from IT and used to manage dedicated industrial components separately. Such an environment is called Industrial Control Systems (ICS) in manufacturing or Operational Technology (OT) in the utility industries. ICS/OT infrastructure consists of supervisory control systems (SCADA) that manage industrial controllers (PLCs), which in turn drive industrial equipment such as robots, production line equipment, turbines, water purification plants or gas pipelines.

ICS/OT environments are driven by real-time processes. There, it is no longer possible to simply retrieve security log files from the infrastructure without risking an interruption of the industrial process or putting the controllers out of sync. When industrial controllers stumble because of an unforeseen intervention in the process, the danger of significant industrial damage or accidents rises immediately. This is why a special methodology and special care are needed to monitor ICS/OT environments for cyber attacks, and why we consider the establishment of an OT monitoring concept as key before any OT monitoring is installed.

Traditional SOC providers have been faced with the new requirement to connect ICS/OT infrastructure to their SOC as well, and to correlate events happening in the IT environment with those coming from ICS/OT. Given the attack pattern of many well-known industrial cyber attacks, this makes perfect sense. However, most SOC providers have not yet gained enough experience in dealing with these classes of industrial events, and therefore do not know how best to absorb OT monitoring into their service. The expertise gained from monitoring typical IT environments cannot simply be reused to understand events, incidents and even vulnerabilities coming from an industrial environment. Today’s SOC personnel are IT professionals with excellent skills in protecting their customers’ corporate business IT; when it comes to understanding the dynamics of an industrial process, in many cases their experience is nil.

The challenge for SOC providers is huge. In order to understand how to react to an ICS/OT event coming from the OT monitoring, the SOC needs employees who deeply understand industrial processes, networks and all the relevant components. Those who understand these events are typically specialised, well-trained industrial engineers who hardly ever change jobs to work for a SOC provider. On the other hand, when OT monitoring is connected to the SOC service, those ICS/OT engineers in many cases do not see any value added by the SOC provider.
They argue that they already have full security transparency using the management console of their OT monitoring in their control centres, and that they act accordingly when an alert arrives.

So, does it make sense to connect OT monitoring to a SOC, and can you entrust a SOC to keep your ICS/OT safe? Our experience tells us yes, but some measures need to be in place to benefit from connecting OT monitoring to a SOC.

First of all, in most industrial environments ICS/OT engineers do not monitor cyber security 24x7x365, due to a lack of resources and the cost this would involve. In such a constellation a SOC can already provide a significant increase in protection simply by monitoring the ICS/OT infrastructure around the clock. If an incident arrives, say during the weekend, a best-effort incident response process can be initiated by the SOC provider, alerting the plant engineers on duty or contacting the customer’s cyber security officers.

Second, most attacks begin in the IT environment of a company before they touch ICS/OT. Examples are the Ukraine 1 and 2 attacks on Ukraine’s electricity infrastructure (2015 and 2016) and TRITON, in which Safety Instrumented Systems (SIS) were attacked for the first time in history. The usual way in is social engineering. Once the attacker lands inside the IT, he or she moves laterally into the ICS/OT network. There, SCADA systems and PLCs are the target
equipment that the attacker tries to compromise, using either well-known vulnerabilities or zero-day approaches, for example to modify the firmware or to add malicious code to a controller. A SOC helps to stop such an attack faster by providing correlation not only between its own log sources but also between IT and ICS/OT. This can be critical for stopping an attack as early as possible in the kill chain.

Third, in our projects we experienced a huge advantage in establishing ICS/OT-specific scenarios, which help the security monitoring personnel in the SOC to understand the technical nature of an ICS/OT incident or vulnerability more quickly and better. ICS/OT scenarios are linked to the typical use cases every SOC offers its customers; a classic use case can have one or several scenarios. These have a significant benefit for the plant engineers as well, since they gain the SOC’s additional view when malicious activities occur.

Finally, it is fair to say that if a SOC provider and its customer work together in establishing the right ICS/OT scenarios, connecting OT monitoring to the SOC becomes very beneficial and allows a company-wide security posture to be established, covering not only IT but ICS/OT as well. At least that is what we observe every day in real-life projects protecting ICS/OT environments.
Figure 2 - SOC Use Cases have one or several ICS/OT scenarios - Example scenario
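What such an ICS/OT scenario can look like as detection logic is sketched below. This is an added example written for this article, not code from the author, from MSFPartners or from any SOC or SIEM product; the event format, the host names, the asset list and the 24-hour window are invented for illustration, and the log events are constructed. It follows the second and third points above: a PLC program download by itself is only a medium-level OT alert that the plant engineers already see on their own console, but the same event becomes a critical incident when the correlation can chain it back through an RDP logon from business IT and a macro-spawned PowerShell on the originating workstation.

```python
"""Toy IT/OT correlation: one SOC scenario run over constructed log events.

Added example, not from the article or any vendor product. Event shapes, hosts
and the asset list are invented; a real SIEM would normalise EDR, Windows
security and OT-sensor logs into a form like this before correlating them.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). "src"/"dst" are hostnames.
IT_EVENTS = [
    # Phish: an Office macro spawns PowerShell on a business-IT workstation.
    {"ts": "2021-03-06T08:14:02", "src": "ws-finance-17", "dst": "ws-finance-17",
     "kind": "process", "detail": "WINWORD.EXE -> powershell.exe -enc ..."},
    # Remote desktop from that workstation into the engineering segment.
    {"ts": "2021-03-06T09:40:51", "src": "ws-finance-17", "dst": "eng-ws-01",
     "kind": "logon", "detail": "RDP logon type 10"},
]
OT_EVENTS = [
    # The engineering workstation downloads a new program to a PLC.
    {"ts": "2021-03-06T10:02:13", "src": "eng-ws-01", "dst": "plc-turbine-3",
     "kind": "plc_program_download", "detail": "block OB1 replaced"},
    # Scheduled, benign program download from a different engineering host.
    {"ts": "2021-03-07T02:00:00", "src": "eng-ws-02", "dst": "plc-pump-1",
     "kind": "plc_program_download", "detail": "maintenance window change"},
]

ENGINEERING_HOSTS = {"eng-ws-01", "eng-ws-02"}  # assumed asset inventory
WINDOW = timedelta(hours=24)                      # max spread of one scenario


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def stage_of(e):
    """Map a raw event to a kill-chain stage, or None if it is uninteresting."""
    detail = e["detail"].lower()
    if e["kind"] == "process" and "winword" in detail and "powershell" in detail:
        return "initial_access"
    if (e["kind"] == "logon" and e["dst"] in ENGINEERING_HOSTS
            and e["src"] not in ENGINEERING_HOSTS):
        return "lateral_movement_it_to_ot"
    if e["kind"] == "plc_program_download":
        return "plc_logic_change"
    return None


def correlate(it_events, ot_events, window=WINDOW):
    """Build incidents by chaining stages across the IT/OT boundary.

    A PLC logic change on its own is a medium OT alert (the engineers see it
    on their console anyway). It becomes critical when the engineering host
    that issued it was reached from IT earlier within `window`.
    """
    events = sorted(it_events + ot_events, key=_ts)
    incidents = []
    for e in events:
        if stage_of(e) != "plc_logic_change":
            continue
        chain = [("plc_logic_change", e)]
        pivot = e["src"]
        # Walk backwards (newest first) for precursors touching the pivot host.
        for p in reversed(events):
            if _ts(p) >= _ts(e):
                continue                 # not a precursor
            if _ts(e) - _ts(p) > window:
                break                    # sorted, so everything else is older
            s = stage_of(p)
            if s == "lateral_movement_it_to_ot" and p["dst"] == pivot:
                chain.insert(0, (s, p))
                pivot = p["src"]         # follow the chain back into IT
            elif s == "initial_access" and p["src"] == pivot:
                chain.insert(0, (s, p))
        stages = [s for s, _ in chain]
        severity = "critical" if "lateral_movement_it_to_ot" in stages else "medium"
        hosts = list(dict.fromkeys([ev["src"] for _, ev in chain] + [e["dst"]]))
        incidents.append({"target": e["dst"], "severity": severity,
                          "stages": stages, "hosts": hosts})
    return incidents


if __name__ == "__main__":
    for inc in correlate(IT_EVENTS, OT_EVENTS):
        print(inc["severity"].upper(), inc["target"], " -> ".join(inc["stages"]))
```

Run stand-alone, the block reports one critical incident for plc-turbine-3 with all three stages and one medium alert for the scheduled change on plc-pump-1. In a real SIEM the same shape appears as a correlation rule keyed on the engineering host, with the passive OT sensor supplying the program-download event and EDR or Windows security logs supplying the two IT precursors; the scenario is what tells an IT-trained analyst why the OT event matters.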
It is no use saying, ‘We are doing our best.’ You have got to succeed in doing what is necessary. – Winston Churchill
Why Skills Matter – The Future of the Cybersecurity Industry is Based on Skills, Knowledge and Education // Mika Susi Executive Director at Finnish Information Security Cluster (FISC)
During the last few years we have seen a lot of discussion on the European cybersecurity skills gap. Some assess that there actually is no gap, that it is rather a myth. The actual problem seems to be that employers and employees don’t find each other easily enough, or that there is an evident mismatch of expectations and demands.
However, according to many studies, the lack of a competent workforce is definitely hindering the growth of the cybersecurity industry in Europe. This creates problems for our global competitiveness. Therefore, we have a huge interest in educating and training an adequate pool of cybersecurity professionals for the industry’s needs, so that it can succeed in the ever-expanding and complex digital world.
DEFINING A CYBERSECURITY PROFESSIONAL – WHERE IS THE TALENT?
Finland has a top-quality education system all the way from kindergarten to the highest academic levels. Our 15-year-olds score very well in the OECD’s PISA rankings. Our polytechnics, universities and institutes conduct world-class research. We have also had a blooming ICT sector for decades, and we prize our tradition of high-tech innovation, not to mention our exceptional knowledge of mobile and network technology solutions. So, where is the problem?

This high-ranked education system produces a good number of skilled professionals every year. Still, around 60 percent of Finnish cybersecurity businesses say they have had problems hiring enough skilled workers, and as much as one third of businesses estimate that the lack of a competent workforce is the most significant problem hindering their growth. The question remains: where do these products of a top-level education system disappear to? Simply put, most graduating students seem to get their first job in another branch of industry.

The main argument people tend to make is that the system doesn’t produce exactly the right kind of professionals for the needs of the cybersecurity industry. This is more or less true, but when one looks more closely at what kind of businesses would actually need them, the answers range as widely as in any other sector of the ICT industry. We actually compete continuously over the same professionals with other sectors of business. We really need to think about what we can offer over the other sectors.
RE-BRANDING THE INDUSTRY AND BROADENING THE TALENT POOL
The first, very interesting question is why someone chooses to work in the cybersecurity industry. Or rather, why someone chooses not to? Luckily it seems that, at least in Finland, young people find the cybersecurity sector quite compelling; according to several studies our spearhead companies have a very good employer brand. However, this is not the situation everywhere in Europe. Other new tech-sector branches may seem to offer more possibilities for talented and creative people. Maybe our industry needs to do some re-branding.

The cybersecurity sector is still very male dominated, as many technical sectors tend to be. Women should definitely play a bigger role in cybersecurity. Our industry is also famous for emphasising threats, sometimes overly so. Although it is very compelling to highlight, or even exaggerate, all the possible digital threats and risks, sometimes a good look in the mirror is welcome. We can’t only bring up threats; we need to emphasise productivity in order to increase accountability and efficiency. Simply put, we should speak the language of business leaders: we are not just taking and spending resources, we are actually improving quality and enabling success. It is a question of producing more revenue for our clients.

NOT ALL CYBERSECURITY JOBS ARE TECHNICAL – CYBERSECURITY IS SOMETHING MUCH MORE
Our industry brand may be a bit too technical. Not many potential future professionals know that one doesn’t always have to be deeply technically oriented in order to work in the cybersecurity sector. Everyone also understands that a successful cybersecurity company can’t be run and managed by engineers alone, selling products and services designed by engineers to other engineers. There is probably an increasing number of people whose skills must be utilised more and more in the new digital economic environment. Some may, for example, be professionals in analysing human behaviour, social and cultural structures or digital economics. They might be professionals in social engineering techniques, communication or sales, but they are not yet cybersecurity professionals. Since the beginning of digital technology, our everyday life and digital structures have been merging rapidly. We should keep in mind that there will probably be a need for more jobs that are not yet commonly recognised as cybersecurity professions. We definitely need these people; how do we attract them to work for our industry?

GO FOR DIGITAL “CARPENTERS AND PLUMBERS” WITH GOOD LEARNING SKILLS AND MOTIVATION
The second interesting observation, which has been widely addressed, is the possible mismatch between expectations and demands. We need top professionals, but at the same time not all employees need a PhD in computer science in order to work in the industry. It is also understandable that an entry-level junior can’t be a 100 percent match when a company is seeking a cybersecurity professional. The threshold for entering the industry should be lower: you can be a perfectly good software engineer or coder in the cybersecurity industry without being a top security pro when entering working life. So, instead of waiting for complete professionals to show up, we could invest more in life-long learning and emphasise the constant development of the skills we need. We could actually use more “carpenters and plumbers” of the digital age, equipped with good learning skills and motivation.
TAKING ON THE CHALLENGE – HOW TO CONVERT SKILLS TO SUCCESS?
Another concern, unfortunately, is that the public sector in many European countries has not understood the strategic meaning of cybersecurity as a question of industrial and trade policy. Nevertheless, a growing number are starting to understand that you can’t have strong national security without an adequate cybersecurity sector. Finding solutions on how to build a strong ecosystem with different actors in society is very demanding. This especially means creating prosperous innovation and a system of commercialisation, keeping the market growing and its gears turning. Undeniably, regulation has a role. We tend to have a tradition of a legislative body telling us what we can’t do, even though rules and regulations in the digital era should be built from another perspective: how we enable something to be done. So, we need to broaden our view, re-brand our industry, enable effective investments and develop strong cross-sectoral co-operation. But eventually the future of the cybersecurity industry depends on our ability to produce, attract and use talent. These might be the key questions for Europe to answer during the following years. If we don’t raise our voice and address them ourselves, someone else will.
GO UNOFFICIAL!
The third interesting possibility to broaden the cybersecurity talent pool is going unofficial. This means connecting with white-hat hackers and the growing local cybersecurity enthusiast and volunteer networks. This is where business professionals can meet young self-taught cybersecurity experts who are deeply interested in improving their skills and competencies. Connecting these unofficial networks and the industry is essential. It motivates young talented people to join the cybersecurity industry and get more education, while offering a great talent-scouting opportunity for businesses looking for a skilled and ready-to-learn workforce.
“A seismic shift to digital independence is gaining momentum” // Harri Sundvik and Aapo Cederberg
Cyberwatch CEO Aapo Cederberg interviewed Harri Sundvik, former Executive Chairman of the Helsinki and London based cyber security company (XXLSEC) Privecomms, last June. Harri had just returned from London to spend a few summer weeks in Helsinki. Highlights of their discussion are summarised below.
AC: TELL ME A FEW WORDS ABOUT YOUR BACKGROUND.
HS: My roots are in Northern Finland, in the City of Raahe, which was once voted the “most boring city” in Finland. Post my school years I studied in Helsinki and in London. An interview in the City of London in 1988 by JPMorgan led me to a 30-year banking career, where I have spent most of my years in investment banking work, advising Nordic companies in mergers and acquisitions and equity capital raising, most of this in technology-related deals. Post front-line banking I have assumed a few Board roles and started advising technology start-ups in their strategy initiatives and capital raising.
AC: HOW DID CYBER SECURITY COME INTO THE PICTURE?
HS: The first deeper engagement came through my advisory work for Nokia, which back in 2000 decided to build their new enterprise strategy around key acquisitions and partnerships with security companies. A few years later I gained a new perspective on the same topic as I became a member of the European Leadership Team for Bank of America Merrill Lynch. Among the memorable highlights were management meetings where the Bank’s almighty CTO submitted proposals for cybersecurity investments worth millions of Dollars ...and every single time the vote was a resounding “Yes”...in all honesty, we simply did not know better, and would not dare to stop any plans that the technology gurus were promoting. The latest and definitely the most interesting step came my way just a couple of years ago when my long-term friend Simo Salminen introduced me to the newly established (XXLSEC) Privecomms team, and I was given the opportunity to join the team in the early stages of the Company’s development and global sales effort.
AC: LET’S TALK ABOUT (XXLSEC) PRIVECOMMS – WHAT MAKES YOU DIFFERENT IN THE SECTOR?
HS: As one of the forerunners to break new ground, (XXLSEC) Privecomms has adopted the so-called “Zero Trust” model as the key building block for all development work from the very beginning. At a high level, the fundamental assumption – increasingly appropriate for this day and age – is that when you are faced with technologies, you complete your own due diligence before you assume that the presented technology or application can be trusted. This is a huge shift in the technology world, where so much has been taken “at face value”, especially when presented by any of the “Big Tech” names. This Zero Trust positioning is now gaining increasing momentum on a global basis, strongly endorsed by Governments and leading enterprises. As an extension of the Zero Trust philosophy, (XXLSEC) Privecomms has introduced a product platform which is built on the principles of Clean Hardware and Clean Software. Again, (XXLSEC) Privecomms has been one of the leaders in implementing this important concept for modern communication platforms. The Data Rain solution, and the just released Prive TX device, are shining examples of the work by the (XXLSEC) Privecomms team. And there is more to come for sure.
AC: WHAT ARE YOUR PERSPECTIVES ON CYBERSECURITY IN TODAY’S WORLD GIVEN YOUR LONDON PERSPECTIVE AND YOUR GLOBAL CONTACTS. WHAT IS NEW WHEN YOU LOOK AT THE BIG PICTURE?
HS: Fascinating time indeed, a couple of things that I would highlight in particular. One of the big picture themes at global and country level is that of Digital Independence and Digital Sovereignty. This stems partly from the current geopolitical climate. We have seen the news about China and Russia building their own internet. Equally, the leading EU countries have raised the need for Digital platforms which are not controlled by the powers in the West or in the East. Germany and France are making very strong public statements on this matter and are prepared to back them up with significant financial commitments. This is worth watching very closely as it has implications at multiple levels. This drive for Independence has attracted new focus on integrity. This is where Zero Trust gets another expression. It is clear that in the new world trust cannot be assumed – it has to be earned every day. And a certain degree of independence is absolutely necessary to be able to “walk the talk” with integrity. This independence is not going to be free for all – a strategic and financial commitment is needed to reach this ambition.
AC: LET’S MOVE THIS DISCUSSION TO A LOWER LEVEL – WHAT IS HAPPENING IN THE CORPORATE WORLD FROM A CYBER PERSPECTIVE?
HS: As you have seen in the corporate headlines, the traditional “Big Tech” names are “playing defence”. Their earlier dominant market position has been restricted by the competition regulations and new practices. But, most interestingly for us, the introduction of Zero Trust is challenging the market positions even further. Small and nimble technologies with true transparency will evolve at record speed. This is, in fact, a significant positive opportunity to build competitive edge.
AC: YOU MENTIONED THAT CYBERSECURITY IS GAINING GROUND IN THE MODERN SUSTAINABILITY AGENDA – WHAT DO YOU MEAN BY THAT?
HS: Interestingly, cybersecurity has moved to the very top of the Sustainability Agenda with two fundamental drivers. Firstly, appropriate cybersecurity practices and investments are de facto seen as important elements in any Company’s “license to operate”. The writing on the wall is very simple: if you have not proactively invested in your cyber security platform, and ensured, among other things, that your processes and client data are covered, you simply do not have the credentials to run your business. The second dimension stems from the now ongoing shift of working practices, where we are facing a new cyber security challenge at the everyday working level. People have moved their work stations to their homes – but the cyber security front-line firewall is still in the office! This is the ultimate “Left Behind” horror story for pretty much all corporate CTOs and CIOs. There will be a few movies and books around in a year or so simply telling the sad story of rather dramatic cyber interventions which were masterfully executed at this extraordinary time. The increased focus on cybersecurity, and some recent high profile “accidents”, have led to another shift in mindsets and relevant strategies. In the old world the highest level of security used to be the privilege of just a handful of people or some top secret Government or military entities. In the present and new world the scope of “critical infrastructure” has increased dramatically – and the number of people and organisational entities requiring the highest level of security has increased dramatically.
AC: WE DISCUSSED THE OVERRIDING TECHNOLOGY SHIFT TO THE CLOUD – ANY VIEW ON THIS YOU WANT TO SHARE FROM A CYBER PERSPECTIVE?
HS: There is a real “headache” in the corporate world in the ongoing movement to use the Cloud to store and process important data. Sadly, the trust and security considerations in this move have been kept in the “back seat” all too long. The good news is that there are advanced technology solutions emerging to tackle this challenge. In particular, the latest MPP/MPC based technologies are a significant step forward to create an advanced security level. Some industries will lead the way - we will soon see multiple healthcare related applications – people have been all too trusting in this respect...
AC: I TAKE IT THAT, LIVING IN LONDON, YOU HAVE BEEN FOLLOWING THE UK GOVERNMENT / HUAWEI DISCUSSION VERY CLOSELY. ANY PERSPECTIVES YOU MAY WANT TO SHARE – WHAT IS GOING TO HAPPEN?
HS: This is happening as we speak, so a very tough call to make. As you remember, Boris Johnson’s Government actually approved last year a limited non-core role for Huawei in the build-out of the new 5G networks. Post this decision, the critical views on the decision have become stronger. The Special Committee which was asked to review the matter is expected to come up with a new ruling sometime in June – July. It would not be a surprise to see the Johnson government tightening their ruling even further – if not blocking Huawei’s access to the UK 5G market altogether.
AC: YOU SHARED A GREAT SUMMER PICTURE FROM YOUR NORTH LONDON HOME SURROUNDINGS IN HAMPSTEAD WITH A FAMILIAR LOOKING RED PHONE BOX. IS THERE MORE TO THIS ROMANTIC LONDON PICTURE THAN WHAT MEETS THE EYE?
HS: I knew you would love the setting! But in all seriousness, this actually sums up our conversation. As you know, the British are the best in the world at sticking to things which have been “tried and tested” over the years – the red phone box is the ultimate proxy for a comfort toy in cyber security: you might be tempted to think that the old was good. But there must be a reason why these phone boxes have pretty much disappeared from the face of the earth. The front line has shifted – it is time to move on – and fast!
HARRI SUNDVIK
Finnish and British national, has lived in London since 1987.
Personal Mission Statement: Bring Life – Serve Well – Be a Good Steward
Professional career:
+ JPMorgan Investment Bank in London 1988 – 2006, MD, Co-Head of Nordic Investment Banking Team
+ Bank of America Merrill Lynch, 2006 – 2016, Head of Nordic Investment Banking, member of European Leadership Committee, Vice-Chairman
+ Hintsa Performance UK, Executive Chairman 2017-2018
Current roles: Board member and advisor for multiple technology companies. Former Executive Chairman for cybersecurity company (XXLSEC) Privecomms.
Photo: Harri Sundvik. © Ilpo Musto 2020
CYBER SECURITY NORDIC
6–7 October 2021 Messukeskus Helsinki Finland
THE EVENT OF THE INDUSTRY. CYBER SECURITY NORDIC is an event where decision-makers in cyber security meet, network and learn: the event for top executives, leading decision-makers and government officials. It consists of top-notch presentations by leading specialists on current issues in the field of cyber security. The programme will be released soon; be ready to be amazed! cybersecuritynordic.com