CYBERWATCH FINLAND MAGAZINE 2020/1
Special media of strategic cyber security

CYBERSECURITY AUTOMATION – A RISING STAR?
PROMISES AND CHALLENGES ASSOCIATED WITH 5G NETWORKS
Cyber operations are the spearhead of the Hybrid influencing?
Contents 2019/12
Editorial
Promises and Challenges Associated With 5G Networks
Holiday greetings from Traficom’s National Cyber Security Centre of Finland
Cyber operations are the spearhead of the Hybrid influencing?
WE BUILD RELIABLE CYBER SECURITY WITH A COMPREHENSIVE APPROACH
Modern Cyber Security Strategy and Implementation – Conditions for Zero Trust and Proactive Cyber Security Strategy
Women4Cyber
Cybersecurity automation – a rising star?
Cyberwatch review
Snapshots of energy industry
Special media of strategic cyber security
Producer and commercial cooperation: Cyberwatch Finland team, office@cyberwatchfinland.fi
Layout: Atte Kalke, Vitale Ay, atte@vitale.fi
ISSN 2490-0753 (print)
ISSN 2490-0761 (web)
Print house: Printall, Tallinn
Cover and content pictures: Shutterstock
Publisher: Cyberwatch Finland Oy, Tietokuja 2, 00330 Helsinki, Finland, www.cyberwatchfinland.fi
CYBERWATCH FINLAND
Editorial
In the Cyber World, there is nothing permanent except change

THE DEVELOPMENT AND CHANGE of the cyber world is accelerating. The main targets of cybercrime seem to emphasise the "big game hunting" approach. Over the past year, cybercrime has continued to grow rapidly. Not only is the increase in the volume of attacks significant, but more concerning is the ability of cybercriminals to produce more sophisticated and intelligent cyberattacks and operations. The development of cyber defense should be at least as fast and preferably one step ahead. The question arises whether we can do it.

Many cyber security companies swear by the new opportunities offered by artificial intelligence. This may create the illusion of superiority, as cybercriminals have also harnessed artificial intelligence for their own use. In fact, the "arms race" of the cyber world is also a race for the domination of artificial intelligence. However, resources are not always decisive; know-how and intelligent new innovations are. The development of innovation and strategic agility will therefore be further emphasized.

Events in the cyber world can be said to mirror global politics. The outlook is bleak, crises are escalating and tensions are increasing. Cyber operations have become an alternative to military action in order to achieve political goals. It is also conceivable that cyber operations allow for more aggressive policies. Cyber sabotage must be seen as a new threat model, the importance of which is highlighted as part of hybrid influencing and related information operations. The aim seems to be to create a deterrent effect and to plant uncertainty into people’s daily lives.

It is becoming increasingly difficult to distinguish between the practices of state actors and of cybercriminals. We can detect the phenomena, but we cannot be sure of their origin or purpose. The old wisdom of warfare about the importance of concealment and deception as a success factor has also been adopted in cyber operations.

Critical societal infrastructure and services have been highlighted as the main targets of cyber attacks. Both in Finland and in other countries, cities and municipalities have been targeted due to their central role in providing critical services. In this way, cyberattacks that seemed so distant are suddenly affecting the daily lives of citizens. "Smart-city" thinking is the driving force behind urban development, with digital services and technologies at its heart. The vulnerability of modern society will increase if cybersecurity is not built into these entities following the security-by-design principle.

As the impact of cyber attacks becomes more familiar to the citizen, the importance of knowledge and situational awareness will be more apparent. A well-educated nation will be much better off in the face of these global security challenges. The development of cyber security therefore requires a lot of small actions that create a large body - the nation's cyber resilience, or in other words, crisis resilience. We can all be key players in the cybersecurity of our own lives by taking better care of our everyday cybersecurity and improving our skills accordingly.

Aapo Cederberg
Managing Director, Cyberwatch Finland
Chairman of Cyber Security Committee of World UAV Federation (WUAVF)
PROMISES AND CHALLENGES ASSOCIATED WITH 5G NETWORKS
text: Doctor Janne Taalas, Ambassador, Cyber Affairs, Cyber Security, Cyber Diplomacy, Ministry for Foreign Affairs of Finland
THERE IS MUCH HYPE about the 5G networks: both the UN Secretary General Guterres and Chancellor Merkel referred to them in their opening speeches of the 14th Internet Governance Forum in late November in Berlin. The new 5th generation standard of mobile telecommunications systems – our current systems are mainly of the 4th or 3rd generation – based on the 3GPP norm will technically be a major step forward and will provide users with significantly improved service. It will also transform much of our communications systems by creating fast and ubiquitous connectivity.

The main technological advance in the 5th generation is the introduction of Internet Protocol (IP) to mobile communications. This involves the process of the present hardware-defined networks becoming software-driven “virtualized” networks. Therefore, 5G is more about software than hardware.

The core technical promise of 5G, with ubiquitous, ultra-high bandwidth and low latency connectivity, is to us non-techies basically threefold. Firstly, it promises much faster data transfer than present 4G networks, resulting roughly in a tenfold increase. Secondly, the 5G network would significantly increase reliability and reduce the latency of communication, allowing networks to be increasingly reliable at managing sensitive processes. Thirdly, the 5G networks would allow a huge number of devices to be connected simultaneously (so-called massive multiple-input, multiple-output, MIMO). This will open a new chapter to facilitate increased usability of the Internet of Things (IoT).

Much of the early 5G networks will be based on the 4G network, and it will take time for all the functionalities related to these new systems to come on tap. We will first see the significant increase in speed, and other aspects will follow later. A new network architecture will emerge as the cloud and other services move ever closer to the customers to minimize latency.

5G networks pose a new landscape of cyber security risks. The traditional concerns of threats related to the compromise of confidentiality, availability and integrity remain with the new networks. However, the main concern is that, as vital societal functions will increasingly rely on the smooth functioning of the 5G network, we need to take a broader perspective on the threats.

The EU has been at the forefront of analyzing the security risks related to 5G networks. The EU member states and the Commission have established an excellent compendium, EU coordinated risk assessment of the cybersecurity of 5G networks.[1] To me there are two key new features in the EU risk analysis compared to the earlier discussion of cyber security. Firstly, the analysis depicts sophisticated state-backed attacks on 5G infrastructure as the main potential security threat. As 5G will form an essential part of the critical infrastructure of any state, it needs to be properly protected against malicious foreign influence. Secondly, in addition to associated vulnerabilities – unintended weak points, like bugs in the software, malfunctioning hardware or failures in process – the report focusses on the role of network managers and technology providers, who by definition have access to the traffic. As Commissioner Julian King put it in a recent seminar, “it is the plumbers we are concerned about, not the plumbing itself.”

Finland has strongly supported a common European approach to 5G. We have worked hard during our EU Presidency to finalize the joint risk assessment started in the spring of 2019. Furthermore, we have pushed the issue up on the agenda by leading the work on the EU Council conclusions on the significance of 5G to the European Economy and the need to mitigate security risks linked to 5G,[2] which were adopted on December 3rd. The next step in the process will be the development of a 5G security toolbox to identify effective common methodologies and tools to mitigate risks.
Read more:
[1] https://ec.europa.eu/digital-single-market/en/news/eu-wide-coordinated-risk-assessment-5g-networks-security
[2] https://www.consilium.europa.eu/en/press/press-releases/2019/12/03/significance-and-security-risks-of-5g-technology-council-adopts-conclusions/
HOLIDAY GREETINGS FROM TRAFICOM’S NATIONAL CYBER SECURITY CENTRE OF FINLAND
Happy holidays from the National Cyber Security Centre of Finland! The year 2019 has been the busiest one so far for our Centre and we are happy to share with you some of the lessons, highlights and glimpses to the future we have seen during 2019. A more comprehensive look to our year 2019 is offered in our annual report, which will be published on our website in early 2020.
text: Jarkko Saarimäki Director of the National Cyber Security Centre (NCSC-FI) Finnish Transport and Communications Agency
THE LESSONS THAT 2019 TAUGHT US WERE THAT OFFICE 365 PHISHING AND FRAUDS ARE STILL VERY MUCH A THREAT, FINNISH MUNICIPALITIES ARE TARGETED IN CYBER-ATTACKS AND WE SAW THE RISE OF THE ‘BIG GAME HUNTING’ PHENOMENON.
Different phishing and fraud attempts are still the most frequent cyber security threat to organizations and citizens alike. Fraudulent messages attempt to direct the person to a new site where the person should enter their access credentials. This is the most common way a data breach starts. This type of fraudulent message is especially common on Office 365 email platforms. The Cyber Security Centre’s alert about Office 365 phishing, the longest of our alerts dating back to summer 2018, was removed during autumn 2019. The reason is that phishing and frauds in Office 365 are the new normal state in the Finnish cyber security environment. We encourage organizations to familiarize themselves with our guide ‘Protection against Microsoft Office 365 credential phishing and data breaches’, available both in Finnish and in English.

The year 2019 was also eventful for the Finnish municipalities. Several municipalities came under cyber-attack, and the state of cyber security in the municipalities in general became a subject of public discussion. The state of cyber security varies greatly between municipalities, both in terms of budget and personnel. The aim is often that services are produced at low cost, which may lead to unplanned management of the services or to many services residing in the same network. This increases the risk of cyber-attack.
During summer and autumn, the Cyber Security Centre participated in several long-lasting analyses of cyber-attacks that targeted municipalities. The common factor in all of the attacks was the imminent effect they had on the ICT services. In the wake of these attacks, the Cyber Security Centre did technical research and discovered several open services, outdated software and office devices without protection on the Finnish municipalities' networks. The municipalities were notified about these issues so that they could be remediated. The Cyber Security Centre, alongside the Association of Finnish Local and Regional Authorities, has recognized a need for a municipality-wide information sharing and cooperation group.

One of the most discussed phenomena in cyber security in 2019 was ‘Big Game Hunting’ attacks. In these attacks, criminals selectively target larger organizations to execute ransomware in their environment. The criminals attempt to encrypt as many files and services as they can in the hope of a large ransom payout from the victim. Companies such as Danish health technology manufacturer Demant, Norwegian aluminium manufacturer Norsk Hydro and Spanish media conglomerate PRISA have been the victims of ‘Big Game Hunting’ in Europe. Norsk Hydro has reported 50-65 million euro losses during the first half of 2019 because of the successful attack. Demant has estimated that the losses it has suffered amount to close to 100 million dollars.

When criminals get a foothold in the victim’s network, they attempt to spread as widely in the network as they can. Ransomware is then executed, and it encrypts files, systems and backups with strong encryption. When this is done, the criminals start demanding ransoms, which in some cases have been reported to be as high as over half a million euros. Potential victims are usually big companies in a good financial position, but there have also been victims among municipalities, local governments and healthcare providers around the world. As there are multiple attack vectors and deployment methods, defending against ‘Big Game Hunting’ requires comprehensive cyber security management. However, as long as the victims refuse to pay the ransoms, the criminals are more reluctant to conduct these types of attacks in the future.

IN THE CYBER SECURITY CENTRE’S POINT OF VIEW, THE HIGHLIGHTS FROM 2019 WERE THE RELEASE OF TRAFICOM’S CYBERSECURITY LABEL OR TIETOTURVAMERKKI, DEVELOPMENT OF OUR CYBER SECURITY EXERCISE CAPABILITIES AND THE GENERAL ENHANCEMENT OF CYBER AWARENESS VIA OUR PUBLICATIONS AND COOPERATION WITH STAKEHOLDERS.

At the end of November, we published our much-anticipated Cybersecurity label, or Tietoturvamerkki in Finnish. The labels are awarded to products and services that are designed to be secure. The recipients of the Cybersecurity label are smart consumer devices, also known as IoT devices. The need for these labels rose from Traficom’s intent to make the cyber security of network connected devices and services better. The current trend is that more and more devices infected by malware are classified as IoT devices. Companies can apply for the label after they have familiarized themselves with the rules and filled out a self-assessment. The product or service is then tested and audited, and if no major issues arise, the label can then be awarded to it. The label, however, is ultimately aimed at the consumers. For the consumer, the Cybersecurity label is a guarantee that the product or service has been developed with information security in mind and that it is able to protect users from common threats of the internet.

The Cyber Security Centre has been developing its capabilities in the cyber exercise domain as part of the National Emergency Supply Agency’s KYBER-2020 programme. Currently we are providing assistance to organisations vital for the security of supply, for example in finding a suitable partner for a cyber exercise, providing up-to-date situation awareness services to help planning, simulating the Centre’s services in the exercise, serving as an observer during the exercise and assisting in the end-exercise analysis. One highlight of the year was definitely when we published a manual for cyber exercise organizers in Finnish. Our manual contains background information about the importance of cyber exercises, practical advice for organising an exercise, and a short glossary related to cyber exercises. The document also contains instructions for integrating exercise activities in the organisation’s annual planning. The translation of the manual to English has been started, and it will be available on our website once it is ready to be published.

The highlights of the year were also our campaigns to raise awareness of cyber security. During the year, Teijo Turvalisti made a comeback with new important messages about information security. We also published a guide with many assignments for safe internet and smart device use for children. At the same time, we also published a guide for children’s parents on how to talk to children about safe internet usage. The National Cyber Security Centre was also involved in developing Spoofy, an educational mobile game about cyber security for children. You can check Teijo’s tips and videos on the website www.turvalistit.fi. The guides for safe internet use for children and parents are available on our website www.kyberturvallisuuskeskus.fi. Spoofy is also free to download from both App Store and Google Play.
THE FUTURE, AS WE SEE IT, IS PAVED WITH 5G AND NEW POSITIONING AND SATELLITE TECHNOLOGIES.
The 5G is coming out soon and Traficom has been preparing for it. Among the things we have done is a summary report on the risks associated with the 5G-technology. The purpose of the summary is to support risk management, preparedness and the dialogue between them, both in the public and private sectors. We also organized a 5G Cyber Security Hackathon in Oulu, a first hackathon of its kind in the world. The participants had a chance to look into the security of 5G infrastructure as well as the security of the digital services used in 5G. The transition to 5G technology will bring a greater paradigm shift than any previous mobile network generation has brought. In the future, 5G networks will be the basic structures of our digital society. Positioning services and high-precision timing are increasingly critical elements of a well-functioning society. Emergency and police operations, for example, depend on accurate position information. Traficom is the authority responsible for the operation of the Galileo satellite positioning system in Finland. There are however many uses for positioning services, and thus Traficom was part of organizing Galileo Innovation Challenge -hackathon. The purpose of the hackathon was to find accuracy, robotics and fault detection solutions that utilize the Galileo satellite system. Traficom also manages the Public Regulated Service (PRS) provided by the Galileo global navigation satellite system in Finland. The service is intended for public authorities, including emergency and security authorities, as well as companies critical for the security of supply. Finland will be one of the first EU countries to start using the service around 2022.
CYBER OPERATIONS ARE THE SPEARHEAD OF THE HYBRID INFLUENCING!
text: Aapo Cederberg
INTRODUCTION
Europe is digital - and the development of digitalization and emerging technologies is only accelerating. Cyberspace has become an indispensable area of human activity, a sphere of regular security breaches and data threats, and a tool for inter-state conflict. When considering cyberspace from the nation state’s point of view, we must keep two intensifying trends in mind. First, today’s cyber questions are very political. Thus, political commitment and guidance to the development of cyberspace requires strengthening. Second, cyberspace has created a new domain for warfare and influencing, the so-called cyber dimension of modern hybrid warfare. Hybrid threats have become one of the most prominent security challenges and an important part of security cooperation in Europe.
WHAT IS CYBERPOLITICS?
In recent years, issues related to cyberspace and its uses have risen to the highest levels of international politics: cyberpolitics. Cyberspace used to be considered largely a matter of low politics, background conditions and processes. Today, cybersecurity is a focal point of conflicting domestic and international interests – and increasingly of the projection of state power.

It is increasingly important to understand cyberspace as a political domain. This politicality is often neglected or forgotten. When considering cyberspace from the nation state’s point of view, the topical cyber questions are very political. Like other domains, the cyber domain should primarily be treated as a political domain. When politics is involved, the questions of power are always present. For example, in the context of war the cyber instrument is - like land, sea and air power - a means to achieve a political aim or a possibility to increase power. The strategic use of cyberspace to pursue political goals and to seek geostrategic or authoritarian advantages is increasing. There is also a current need for cyber norms and cyber diplomacy to be created through politics.

With the creation of cyberspace and our deepening dependence on it, a new arena for the conduct of politics is taking shape. This process is described as “cyberization”, which refers to the ongoing penetration of all political fields by the different mediums of the cyber domain. Therefore, the concept of cyberpolitics is useful. It emphasizes the importance of politics in cyber affairs. Cyberpolitics refers to the conjunction of two processes or realities: (1) those pertaining to human interactions (politics) surrounding the determination of who gets what, when and how, and (2) those enabled by the uses of cyberspace as a new arena of contention with its own modalities and realities. As Choucri notes, all politics, in the cyber and physical arenas, involve conflict, negotiation and bargaining over the mechanisms, institutional or otherwise, to resolve in authoritative ways the contentions over the nature of particular sets of core values.

THE CYBER CHALLENGE IN MODERN SOCIETIES
The functioning of the modern, strongly interconnected, global economy is based on unhindered access to information, energy, and financial flows. Unintentional or, in the worst case, intentional disruptions of these flows negatively affect the states subjected to them and the global order as a whole. Moreover, because these flows are intertwined, disrupting one of them will have a damaging effect on the others - potentially leading to a cascading failure that can endanger the whole system dependent on the flows.

Protecting critical infrastructure and services from cyber threats is a complicated matter. Several questions demand clarification before cyber threats can be tackled in an organized and efficient manner. Among these questions are: Which parts of the critical infrastructure should be prioritized as super critical infrastructure? What are the responsibilities of various actors, namely private companies and government, in the affected space? What are the operating areas and mandates of national and supranational entities, such as civilian organizations, police, military, and international regulating bodies?

Vulnerabilities of modern societies are the main targets of cyber-attacks. In the cyber context, vulnerability is commonly defined as a weakness related to information technology. The European Union Agency for Network and Information Security (ENISA) specifies vulnerability as “The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved”.

The security of a modern society underlines the need to define vulnerabilities and risks on all levels of the whole ecosystem covering people, process, technology and data, and in addition governance, where the prerequisite for success or failure is originally laid down. Identifying the need for a common understanding of the existing threats, regulations, standards, risks and complexities is essential for securing the critical infrastructure and services in the future. It is up to the national authorities to decide who is overseeing the security of critical infrastructures and services.

Regarding the potential targets, the most cited example is the vulnerabilities inherent in our critical infrastructure, which could be taken advantage of to create major disruptions rippling through society. Comprehensive situational awareness and understanding, as well as credible and well-trained action plans, enable the prevention of and defence against cyber-attacks.

The building of a more resilient society should not be viewed only as an extra burden for already economically struggling Western societies; it is also a wonderful opportunity. Structures that allow a society to respond in an agile manner to hybrid threats also support the understanding of and coping with the complex underlying interrelations that make our modern societies fragile. These defensive structures help make our societies more functional when decision-making processes become more transparent and inclusive.

CYBER-ENABLED HYBRID WARFARE
The famous Prussian military theorist Carl von Clausewitz stated in the 19th century that war was always a continuation of politics with military means, or simply the expression of politics by other means. The Americans have interpreted this guideline to entail that “politics and strategy are radically and fundamentally things apart - strategy begins where politics end”. Based on the theories, one could say that hybrid warfare is today’s continuation of politics with hybrid capabilities.

The fundamental question remains: What is hybrid war or hybrid operation? There is no internationally agreed definition for hybrid war. Our definition is based on recent incidents and articles. As war is always widespread and encompasses all forms of warfare, hybrid warfare can be seen as operations in all possible domains and with all possible means. The often cited Russian “Gerasimov doctrine” describes modern warfare as joint operations utilizing a mix of military and non-military means to achieve political goals, and taking full advantage of the intentionally blurred line between war and peace. As has been pointed out earlier, in the history of warfare we have seen similar activities under various terms, including for example non-linear operations, low-intensity conflict, full spectrum conflict, political warfare, unconventional warfare, irregular warfare, asymmetric warfare, and unrestricted warfare. Nevertheless, it is important to keep in mind that the art of war is developing all the time and we often encounter new mutations or rehashes of previously well-known doctrinal approaches.

Cyber space is a key domain of hybrid warfare and hybrid threats, and one could even say that without modern cyber capabilities full-scale hybrid influencing would not be possible. Cyber power is indeed a global game changer. It brings along new asymmetries to power politics. All aspects of our lives and functions of our societies will be transformed by the all-pervasive and hyper-connected digitalization.

A successful hybrid operation needs strong political leadership and a mandate for the hybrid operations, combined with both the will and ability to dedicate a wide array of resources for the operations on short notice. Secondly, an effective and wide-ranging intelligence apparatus is needed to scan the target countries and create a list of identified vulnerabilities. The list of identified vulnerabilities, or the list of targets, is based on the acquired knowledge of the key vulnerabilities and weaknesses that exist in the society of the target country. The third critical precondition that is often associated with hybrid operations is the information campaign preceding the hybrid operations. These kinds of information campaigns are aimed at raising support for the operations both internally and in the target country, which was seen in the case of the “polite green men” in Crimea.

It has been argued that hybrid warfare is in its essence winning, or achieving the set goals, with little or no fighting. To build upon this idea, we say that in hybrid war it is nearly impossible to say when the actual fighting or organized violence - war in its classic form - begins. One of the core ideas of hybrid warfare is that it intentionally blurs the distinctions between the neatly separated Western categories of war and peace, and civilian and military operations. This blurring is achieved by utilizing a wide variety of means, violent and nonviolent, military and civilian, in a carefully planned way without unnecessarily breaching the threshold of war, even if the level of escalation varies.

Many nations are currently asking how to build a hybrid defense in the future. Because of the very whole-of-society nature of hybrid threats, preparing for and addressing them requires strong measures. The preparedness arrangements in Finland offer a living example of the comprehensive security approach. Society’s vital functions are secured through collaboration between authorities, the business community, civil society organizations and individual citizens. This model has been a key element in the work for improving preparedness at the governmental and societal level. The Finnish security concept involves all stakeholders within society, as hybrid attacks do not respect any artificial boundaries between sectors, nor do they separate ordinary citizens from governmental or business entities. This concept seems to be the future way of building resilience in the whole society, which will be the backbone of the hybrid defense in the near future.

"Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks."
- Jean-Claude Juncker, President of the European Commission

EUROPEAN CYBERPOLITICS TO RESPOND TO HYBRID THREATS
In recent years, the EU and its Member States have been increasingly exposed to hybrid and cyber threats that comprise hostile actions designed to destabilize a region or a state. Countering hybrid and cyber threats has become a priority in European security. This means that cybersecurity and hybrid threats have risen to the level of European high politics.

The increasing role of cyberpolitics, in the context of hybrid warfare, is stated in several recently published European strategies and official papers. Among others, the EU’s new cybersecurity strategy emphasizes cyber preparedness, which is central to both the Digital Single Market and the EU's Security and Defence Union. The EU's Joint Framework on countering hybrid threats describes how cyberattacks could disrupt digital services across the EU and how perpetrators of hybrid threats could use such attacks. Resilience is one of the pillars of the EU's Global Strategy, which highlights the role of hybrid and cyber threats in European security.

There has been a strong call for the EU to adapt and increase its capacities as a security provider and enhance its capacity to counter threats of a hybrid nature. This calls for greater human, technical, legal and institutional capacities. The cooperation with NATO has also been deepening, and the joint declaration has enhanced abilities to counter hybrid threats, including by bolstering resilience, working together in analysis and intelligence sharing, and expanding the coordination on cybersecurity. The establishment of the EU Hybrid Fusion Cell and the European Centre of Excellence for Countering Hybrid Threats are also concrete steps forward in high politics.
Aapo Cederberg Managing Director, Cyberwatch Finland Chairman of Cyber Security Committee of World UAV Federation (WUAVF)
MODERN CYBER SECURITY STRATEGY AND IMPLEMENTATION
– Conditions for Zero Trust and Proactive Cyber Security Strategy
text: Arimo Koivisto, CCO, XXLSEC Ltd
The writer is a cyber security expert and advisor at XXLSEC Ltd, a Finnish company creating proactive cyber security technologies.
DATA SECURITY
is a complex topic for enterprises and governmental organisations. How to build a cyber security system which is good enough and cost efficient. How much can the security actually cost compared to the risk levels and lack in user experience. This dilemma is not easy to solve. A super secure system might be too hard to use, which is a big downside and thus, typically, non-acceptable. Here are some factors to consider when planning and upgrading cyber security measures and strategies. A REACTIVE OR PROACTIVE MODEL?
Many service providers offer technologies and services which monitor current ICT solutions. IT departments deploy anti-virus software, network monitoring tools, firewalls, VPN connections, AI, etc. to monitor whether a cyberattacker has penetrated the system. The most advanced users have an agreement with their cyber security service provider, which offers a Security Operations Center (SOC) service. The SOC monitors everything that happens in the enterprise ICT systems and networks around the clock. This is done with the use of security intelligence machines, or the company’s self-built SOC, in order to monitor threats, anomalies etc. They assume that the attackers have already infiltrated the system and try to monitor everything perpetually to catch them. The key factor is that the SOC is capable of reacting immediately to incidents, securing the critical data and isolating the threat. Data vaults and backups are also crucial elements. Sounds good!
This is a reactive cyber security model, which is actually based on consumer level cyber security tools. The same VPN technologies are used by consumers and industry/enterprises. Access management and authentication technologies are built on top of the same toolset that consumers are using, such as consumer level operating systems. Many organisations operating in critical infrastructure, like in energy, think that their system can be breached and so they focus on fast recovery. Security experts monitor and try to be immediately back up and running after being knocked down. Is it a good strategy, or is it the only one they know?
A proactive security model means that threats will be avoided in advance, when designing the system or the security layers. A reactive model means patching and monitoring consumer grade WinOS, AndroidOS, iOS etc. A proactive model means making those consumer grade tech vulnerabilities and threats impossible to exist. All risk managers know: analyse – prevent – monitor – react. Better to focus more on preventing than reacting. Or get good cyber security insurance.
Current consumer grade security and IP traffic technologies are not designed to create full security; they are add-ons. There are many vulnerabilities at the software and hardware level, but the transport layer also reveals lots of metadata, which enables the targeting of an attack and the study of an organisation’s vulnerabilities and weak points.
One example of these common threats is ransomware. Typically these threats are spread from an infected computer inside a LAN or WAN, as in the case of Maersk. NotPetya is a Windows OS malware exploiting the vulnerabilities in the consumer level operating system, hence Maersk got infected. The malware spread through the company LAN, infecting all connected computers. This cost Maersk more than USD 200 million, and extensive damage to their image, which no insurance can compensate. They were forced to reinstall more than 4000 servers and 45000 PCs.
How to create security methods which are proactive, instead of reactive? Proactive security means deploying technologies and solutions which are immune to and totally isolated from these consumer grade tech threats. Those threats and vulnerabilities no longer exist when a proactive model is deployed.
CONSUMER GRADE SECURITY TOOLS – FUNDAMENTAL LEVEL PROBLEM
A fundamental problem with current hardware and software designs is that they are based on the manufacturer’s binary based source code. No third party developer or user can run deep security audits and evaluation. They can only evaluate bits and pieces of the solution. Otherwise they can only trust the software and the hardware. And it has been proven in recent years that trust is no longer a good cyber security strategy. Only zero trust and full auditability is a good foundation for real cyber security.
US officials are not trusting Chinese technology and vice versa. This means that binary based and closed/non-auditable software is no longer the future. Zero trust strategy means verifying everything, and trusting nothing.
In consumer grade software, security is not included by design; it is an extra layer enabling a reactive security model by monitoring possible malicious software. Security should be included by design, as a proactive measure, not as an alternative design layer and trust based firmware updates from an unknown vendor.
Current binary based operating systems, network tools like IPsec, TLS, VPN, PKI, firewalls, applications etc., which are monitoring your information security, are based on trust in the software and vendor. Users are forced to trust the vendor that their software and/or hardware solutions are proven to be secure. Users and security researchers cannot evaluate the solutions at the source code level and thus verify all the functionalities.
And, how many European operating systems or encryption algorithms can you name? The list is too short.
HARDWARE SECURITY ISSUES WITH CURRENT ONLY TRUST BASED PLATFORMS
Numerous CPU vulnerability reports and supply chain attack methods have been revealed in recent years. Hardware components and processor architectures are closed and not fully open for security researchers. Any firmware components are risky and the functions they run cannot be confirmed. This has led many organisations, even in critical infrastructure businesses like energy, banking, and telecoms, to build their cyber security strategy with reactive methods. Companies do not believe they can be secured, and so they try to protect their business’ critical processes, but eventually their focus is on how to recover as soon as possible.
‘License to operate’ issues are becoming increasingly more critical for enterprises – it means securing all the business’ critical data in all circumstances. Insurance companies will also require more fully auditable software and hardware solutions in order to insure critical IT systems, especially when there are people’s lives at stake. For example in aviation, all components in critical operations need to be auditable from the source code level. Although this auditability does not create security, it enables access for security researchers for deep inspection. This same requirement will most probably be implemented for other critical IoT and 5G connected systems in which human lives and critical life supporting elements are in place, like medical systems and autonomous vehicles.
DATA IN TRANSIT
End-to-End encryption has been an ultimate protection for data in transit. When certified and free security technologies like AES, PKI, IPsec, RSA, TLS, etc. are used for data transfer security, they also create the possibility for MITM and other attacks in all common IP traffic, even when it is encrypted. Moreover, methods where operating systems and rogue applications can access the device memory and send security keys to a third party create critical risks for data in transit espionage. This, rather than brute forcing the encryption of stored traffic, is the ultimate threat for data in transit. Encryption itself is not the answer for security, especially when a potential threat is a state sponsored party.
A VPN is a typical technology for secure connections. The problems with VPN solutions lie in open technologies: they create a lot of metadata, and network operators in many countries monitor and can control the connections. Another VPN problem is scalability. A VPN is based on a cryptographic design where a secure connection is based on two parties. In multi-point connected systems such as IoT, this also creates demand for a central point of trust, a server and a huge number of encryption keys, which need to be secured. The management and control of such systems is difficult and costly.
WAN and LAN networks are typically totally unsafe. VPNs are in place to secure connections between different branches, but LAN segments are open for attacks and offer vertical movement for the attacker. Maersk knows it well.
DATA IN REST
Hardened end terminal security with strong encryption and backup mechanisms is a stable solution for data in rest security. However, since operating system and hardware level vulnerabilities exist, data storage needs to be secured with hardware security modules and secure operating systems. They secure the storage environment from remote and physical attacks. In addition, undetected malware can be in sleep mode and active even in backed up data storage. Crucial for data in rest security is to create a hardware and software solution which secures stored encryption keys or enables dynamic, constantly redefined keys which cannot be stolen, as well as software environments which can be monitored in more detail than consumer level OS and SW platforms.
DATA IN USE
One of the toughest security issues to solve is related to data in use: processing data on the end device and protecting the data during the processing. How can the data be processed securely without exposing critical data to vulnerabilities and letting an attacker in? Encryption technologies and CPU operating principles which support homomorphic features are needed to protect this critical phase.
CYBER STRATEGY DESIGN LEVELS
Defining and updating a cyber security strategy means that the CISO’s team has to think of strategies at three levels: strategic, operational and tactical. At the strategic level this means considering a reactive or proactive approach. At the operational level the CISO and his team need to think of which data assets and processes must be secured with a proactive model, and at the tactical level which technologies and methods they are going to deploy.
CURRENT STATE
There are not many proactive technologies and products implemented, but as we speak, these systems are available and spreading continuously. This all means that an organisation, whether an enterprise or governmental, needs to protect its data with its own security criteria, not with some third party vulnerable consumer level systems. It is time for a new age of industrial level cyber security based on non-consumer solutions with zero trust mechanisms and proactive security technologies.
WOMEN4CYBER
We can do it! Women have a huge role to play in strengthening cybersecurity
a European initiative to promote women in cybersecurity and meet the growing demand for cyber professionals
BACKGROUND AND IMPORTANCE OF WOMEN4CYBER
Unlike many digital awareness initiatives for women focusing on a wide-ranging ICT sector, Women4Cyber was launched by the European Cyber Security Organisation (ECSO) to target the inherently complex cybersecurity field and to meet the growing demand for cybersecurity professionals in Europe. In January 2019, ECSO invited 30 top European female leaders from the public, private, and academic sectors working in the cybersecurity field to become the Founding Members of the initiative. The official kick-off meeting took place on 22 January 2019 in Brussels, under the patronage of then Commissioner for Digital Economy and Society, Mariya Gabriel, and with the support of the European Commission. The Founding Members discussed a set of priorities for concrete actions based on their practical knowledge, to set the strategic guidelines and vision for a sustainable future for the initiative.
Commissioner Gabriel and the Founding Members at the Women4Cyber Kick-Off Meeting (Jan 2019)
Considering the expected skills gap in cybersecurity, there is an urgent need to ensure that we are educating and training enough skilled experts to meet the demand. A report¹ by Cybersecurity Ventures has predicted that there will be 3,5 million job openings in cybersecurity globally by 2021 while according to (ISC)², Europe faces a projected cybersecurity skills gap of 350,000 workers by 2022². In addition, a recent report by (ISC)² claims that women represent only 24% of the global cybersecurity workforce³. With Women4Cyber, ECSO saw an opportunity to focus implicitly on increasing the participation of women in cybersecurity and tap into this segment of the workforce that thus far has not been sufficiently exploited.
In addition to integrating cybersecurity as a cross-disciplinary topic in education programmes, we also need to attract more young girls and women to cybersecurity by demonstrating the multifaceted nature of the profession. We need to remove the misconception that cybersecurity is just a technical issue – it is about people and processes too. Cybersecurity is a field that requires not only technical experts but individuals with a high EQ (emotional intelligence) and strong managerial and soft skills. This is where we can best engage with and attract girls and women to the profession and how we can ultimately help to fill the skills gap in cybersecurity. To do so, Women4Cyber will, inter alia, work with universities in order to give visibility to existing programmes and role models on key enabling technologies, in order to enhance female participation in cyber education and demonstrate a well-balanced representation of cyber talent (women and men) in Europe.
Given the importance of this issue and the overwhelmingly positive response that Women4Cyber has received since its inception, a legal body was established in September 2019 to support the growth of the initiative. The Women4Cyber “Mari Kert - Saint Aubyn” Foundation, established jointly by ECSO and Guardtime (an Estonian SME), has a dedicated governing Administration Body to manage donations and monitor the implementation of actions. It is supported by an ad-hoc advisory Council which is made up of some of the Founding Members and other advocates of the initiative.
WHO IS INVOLVED IN WOMEN4CYBER
The Women4Cyber Council is currently made up of around 35 women (and a few men) from across the public, private and academic sectors in Europe. The Council members are there to advise the Foundation on the strategic direction of Women4Cyber and support the delivery of concrete actions within their respective sectors. A first Council meeting was held in Rome in September 2019, where members exchanged best practices, advised and committed to spearheading actions under the initiative. The Council members also act as ambassadors for Women4Cyber.
Family photo during the first meeting of the Women4Cyber Council in Rome (Sep 2019)
Nina Hyvärinen from F-Secure in Finland, a Women4Cyber Council member and member of ECSO, is an active supporter of the initiative and is helping to implement a national Women4Cyber chapter in Finland. The setting up of national and local chapters is strongly encouraged by the Foundation as the initiative needs to be adapted to the specific ecosystems of each country and region. At the Women4Cyber secretariat, we are currently working actively to roll out the first few chapters. On Women4Cyber and the future Finnish chapter, Nina Hyvärinen says: “It is a privilege to be part of this inspiring group of women. Together we are looking for ways to give a voice to those brilliant female professionals already in the field. We want to promote more women as keynote speakers and in the media. We need role models. In Finland, we are planning to set up a national chapter to support the excellent female professionals we have, and to encourage more women to cybersecurity.” Aside from the Council, Women4Cyber counts on its entire community to work on and grow the initiative together. The community aspect of Women4Cyber is absolutely crucial to achieving a tangible impact as regards awareness, education, training, and job market growth. On LinkedIn alone, Women4Cyber currently gathers around 2200 experts (predominantly female) in cybersecurity and we hope to keep expanding this network.
IMPORTANCE OF THE INITIATIVE NOW AND IN FUTURE
In growing the community and raising visibility, Women4Cyber will be able to shed light on the importance of cybersecurity and the versatile workforce that it requires. Awareness is key to increasing the participation of women in the cybersecurity field and Women4Cyber will do so across all levels. We will go to the schools to teach kids about cybersecurity issues (and cyber hygiene) and hopefully pique the interest of young girls who may not previously have considered cyber as a topic of interest. We will support young women in STEM and cybersecurity education, by promoting scholarships, and help them enter the workforce, by facilitating mentorships and traineeships. Finally, we will support women at all stages of their career, providing links to ICT and cybersecurity trainings (upskilling/re-skilling), and we will provide the tools to show cybersecurity as a viable career option for those re-entering the workforce.
The Women4Cyber initiative has already been recognised by the European institutions. It was launched under the patronage of then Commissioner for Digital Economy and Society, Mariya Gabriel, and continues to have the support of the European Commission. We were also honoured to receive the Cyber Security Nordic Award in Helsinki in October 2019. This year’s dominant criteria for the award were increasing the visibility and significance of cybersecurity, international influence, promoting cyber expertise globally, and impact. International networking was considered very important for the promotion and dissemination of cybersecurity information. At present, there are relatively few women in technological fields, and by awarding Women4Cyber, the jury indicated their hope for this to change.
ACTIONS AND HOW YOU CAN GET INVOLVED
Following the kick-off meeting in January 2019, Women4Cyber developed a Charter of Objectives and associated Roadmap of Actions⁴. The Roadmap of Actions is structured around six workstreams:
Workstream 1: Create awareness, promote best practices and visible role models
Workstream 2: Promote tailored training programmes in cybersecurity
Workstream 3: Enhance the presence of women on the cybersecurity job market
Workstream 4: Increase the presence of women in cybersecurity Research & Innovation (R&I) and in the field of emerging technologies
Workstream 5: Support and shape policies at EU and national levels that are in line with Women4Cyber’s messages
Workstream 6: Establish and coordinate international and national partnerships
Women4Cyber is an open and inclusive initiative and anyone is welcome to get involved, either by donating to the Foundation and/or actively contributing to concrete actions under the Roadmap of Actions. At the Women4Cyber secretariat, we are getting ready to launch the first action from the Roadmap: a role model campaign which will be rolled out in two phases. In the first phase, we will post snapshot profiles of the Women4Cyber Council members on social media where they will outline what they do, how they got to where they are, and what advice they would give to young women considering a career in cybersecurity. The aim is to provide visible role models to the community but also to have European community members engage with us and share their story. In the second phase, we will consolidate several of the profiles that we will have gathered from the Council and the community into “The Book of European Cyber Women”.
HOW TO TACKLE THE PERCEPTION THAT CYBERSECURITY IS STILL A MAN’S WORLD – HIGHLIGHTING WOMEN4CYBER ROLE MODELS
As cybersecurity is still an extremely male-dominated field, Women4Cyber intends to work directly and indiscriminately with women and men alike to promote its goals and implement actions across the community and industry. While one of our main goals is to progressively change mindsets and encourage the community to take into account and value the perspective and contribution that women can bring to cybersecurity, Women4Cyber will do so in the spirit of bringing about equal representation and, ultimately, gender diversity to the field. With the Women4Cyber role model campaign still very much in its infancy, there is still work to be done to gather a comprehensive picture of existing female experts and role models in cybersecurity in Europe. Nevertheless, starting with the Women4Cyber Council, we already have an impressive array of European talent that can bring their expertise to pressing issues, showcase different career pathways, and lead from the front in bringing about real change on our targeted actions at European, local, regional, and national level. It is our hope that these women will inspire others to share their story so we can broaden the Women4Cyber role model canvas and show the multi-faceted nature of cybersecurity, both in its representation and range of skills required. The diversity of women and their backgrounds that we will showcase will be a testament to the existing talent pool in Europe as much as it will demonstrate to young girls that when it comes to cybersecurity, the sky really is the limit.
Blog post by Nina Olesen (European Cyber Security Organisation & Women4Cyber Secretariat) & Nina Hyvärinen (F-Secure)
Contact us: Women4Cyber@ecs-org.eu
Join our social media community: @Women4Cyber /groups/12207626/
1 Cybersecurity Ventures (sponsored by Herjavec Group) (2017), Cybersecurity Jobs Report, 2017 edition, available online at: https://www.herjavecgroup.com/wp-content/uploads/2018/07/HG-and-CV-The-Cybersecurity-Jobs-Report-2017.pdf
2 (ISC)², Europe demanding world’s fastest cybersecurity workforce growth as region’s skills shortfall is forecast at 350,000, available online at: https://www.isc2.org/~/link.aspx?_id=7A8CF784083C4EAB9BF33FEC9452174A&_z=z
3 (ISC)² (2018), Cybersecurity Workforce Report, Women in Cybersecurity, available online at: https://www.isc2.org/-/media/ISC2/Research/ISC2-Women-in-Cybersecurity-Report.ashx
4 Available at: https://www.ecs-org.eu/working-groups/news/women4cyber
CYBERSECURITY AUTOMATION – A RISING STAR?
text: Nina Tapio, Cyberior Oy
MSc, entrepreneur, business and cyber enthusiast.
THE CYBER ERA
It’s the fourth industrial revolution, they say. Digitalization and new technologies are disrupting our lives, our minds, our activities, our businesses, and our crimes. At the same time cyber risk is proliferating and attack surfaces are changing. It is no longer enough that organisations are able to secure their own domain. As organisations are connecting business processes with trusted partners, suppliers and other third-party networks, attackers increasingly seek to compromise targets through their supply chain. New technologies such as cloud and IoT (Internet of Things) provide new attack surfaces.
THREAT TRENDS
Cyberthreats are not only increasing in volume and frequency, but also evolving in sophistication and efficiency. Threat actors are relentlessly changing their TTPs (tactics, techniques, and procedures) and adapting to find new ways to compromise targets. Phishing is still one of the top trends in cyber attacks because it is so effective. Fraudulent social engineering is very difficult to remediate, as it lives from human error. Other trending threats:
States and public institutions get targeted in a growing manner
Cyber-physical attacks on critical infrastructure such as electrical and transportation systems
Increasing use of mobile as an attack vector
Automated cyber attacks
Weaponization of AI
We have to bear in mind that where there is innovation in technology, there is innovation in cyber attacks as well.
ONGOING BATTLE
It has become vital for organisations to understand that cybersecurity cannot be “solved”, but is an ongoing battle. According to McKinsey’s interviews 8 years ago with information security leaders at 25 top global companies, organisations have to shift their cybersecurity focus from protecting the perimeter to protecting data and critical digital assets.¹ Yet, this seems to be a painful task for organisations. Still this year, McKinsey suggests allocating cybersecurity efforts more efficiently by identifying enterprise cyber risk and prioritizing risk reduction, instead of trying to monitor and protect everything.²
CYBERSECURITY AUTOMATION
Has automation become a lifejacket for information security professionals and decisionmakers navigating in the deep and stormy cyber-ocean? The industry is witnessing increasing investments in cybersecurity automation. Automation is a significant advantage to organisations, giving cybersecurity teams capacity that outruns manpower with flying colours. Regarding capacity, automation is thus far the only way to match defence against automated attacks.
A top ability of automation tools and platforms is data creation. Data about your information system allows monitoring and analysis: not only keeping track of hardware, software and patches, for instance, but also collecting threat data and detecting infections and breaches. Data correlation and rapid analysis turn zero-day attacks into known threats, automatically defending your organisation. An even better option is the ability to secure your information systems proactively – block attackers from hopping within your system and prevent their access to your critical assets.
THE OLD NEW INNOVATION
Red team testing is an old solution to finding vulnerabilities in information systems. Traditionally red team operations are done manually, which makes them slow and costly, and only a limited number of chosen attacks can be tested. Automation puts red teaming on steroids. Breach and Attack Simulation (BAS) systems run automated red team operations as real time simulations without harming the system in any way. The most sophisticated BAS systems run simulations as if you were testing on production without building load on the system, so they can run 24/7. Still, efficient system-wide collection of all vulnerabilities would just explode your ticketing system and is only useful if analysed and prioritised. The best platforms are able to assess and organise attack vectors and lateral movement by severity. It’s defence by offence.³ Combined with automated blue team operations you can improve IT hygiene and security posture more efficiently than ever before - get prioritised remediation options sorted into actionable items to ensure securing your critical digital assets. It’s so efficient that instead of saying that you save man-hours, I want to say that you gain man-hours, because the performance outruns human efforts so clearly.
Another glory from automated platforms is data driven strategic information. Information based on data is the most reliable kind. Well-interpreted data from a cybersecurity platform brings colossal advantages to organisations, bridging the classic business-IT communication gap with the potential to provide visualised general and historical views and information to support strategic decisionmaking. Automation enables proficient risk assessment, again with records that can be correlated and analysed. It’s like turning cybersecurity visible.
Referring to McKinsey’s suggestions, we could conclude that sophisticated automated platforms are taking us there and even further. However, the complexity of the constantly evolving cybersecurity environment is challenging not only the industry but also decisionmakers searching for security solutions that are ideal for their organisation. Stay curious, innovation happens, as we witnessed last October in Helsinki at the Cyber Security Nordic 2019 event.⁴
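The prioritisation step described above (collected findings are only useful once ranked by the attack paths they enable), sketched as an added example that is not code from the article or from any BAS product. Findings are ranked first by how many critical assets a single fix cuts off from an assumed entry point, and only then by raw severity; all host names, finding IDs and scores are constructed.

```python
from collections import defaultdict, deque

# Constructed sample data, not taken from any real environment or product.
# Edge (src, dst, fid): an attacker on src can move to dst by abusing finding fid.
EDGES = [
    ("ws-17", "file-srv", "F1"),
    ("ws-17", "print-srv", "F2"),
    ("print-srv", "file-srv", "F1"),
    ("file-srv", "erp-db", "F3"),
    ("file-srv", "backup-vault", "F4"),
    ("hr-app", "erp-db", "F3"),
    ("lab-pc", "lab-nas", "F5"),
]
# Finding id -> (title, constructed scanner severity on a 0-10 scale).
FINDINGS = {
    "F1": ("Shared local administrator password", 6.5),
    "F2": ("Outdated print service", 7.5),
    "F3": ("Service account with database owner rights", 8.1),
    "F4": ("Backup share writable from file server", 5.9),
    "F5": ("Unpatched service on isolated lab segment", 9.8),
}
ENTRY_POINTS = {"ws-17"}                     # assumed initial foothold
CRITICAL_ASSETS = {"erp-db", "backup-vault"}


def reachable(edges, starts):
    """Return every node reachable from `starts` by following edges (BFS)."""
    adjacency = defaultdict(set)
    for src, dst, _fid in edges:
        adjacency[src].add(dst)
    seen, queue = set(starts), deque(starts)
    while queue:
        node = queue.popleft()
        for nxt in adjacency[node] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen


def prioritise(edges=EDGES, findings=FINDINGS,
               entries=ENTRY_POINTS, critical=CRITICAL_ASSETS):
    """Rank findings by attack-path impact first, scanner severity second."""
    forward = reachable(edges, entries)  # hosts an intruder can get to
    # Reverse the edges to find hosts from which a critical asset is reachable.
    backward = reachable([(d, s, f) for s, d, f in edges], critical)
    exposed = forward & critical         # critical assets currently at risk
    rows = []
    for fid, (title, score) in findings.items():
        # The finding lies on a path from an entry point to a critical asset.
        on_path = any(f == fid and s in forward and d in backward
                      for s, d, f in edges)
        # Critical assets still reachable once this one finding is fixed.
        remaining = reachable([e for e in edges if e[2] != fid],
                              entries) & critical
        rows.append({"id": fid, "title": title, "score": score,
                     "on_path": on_path, "cuts": exposed - remaining})
    # Choke points first, then other on-path findings, then off-path ones.
    rows.sort(key=lambda r: (-len(r["cuts"]), not r["on_path"], -r["score"]))
    return rows


if __name__ == "__main__":
    for row in prioritise():
        cut = ", ".join(sorted(row["cuts"])) or "-"
        print(f'{row["id"]}  sev={row["score"]:<4} '
              f'on_path={row["on_path"]!s:<5} cuts={cut:<22} {row["title"]}')
```

In this constructed data the highest-severity finding (F5) ranks last because it sits on no path to a critical asset, while the medium-severity shared password (F1) ranks first because fixing it alone isolates both critical assets.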
1. https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/meeting-the-cybersecurity-challenge
2. https://www.mckinsey.com/business-functions/risk/our-insights/the-risk-based-approach-to-cybersecurity
3. https://xmcyber.com/
4. https://cyberior.fi | mail@cyberior.fi
Cyberwatch Finland
www.cyberwatchfinland.fi
Cyberwatch Finland Offers You the acknowledged and trusted Finnish Cyber Security Intelligence, a comprehensive world-class solution for the needs of your entire organisation. We construct and help You to implement the appropriate cyber security strategies and to understand a holistic view of the cyber world and hybrid threats. A unique impartial actor providing cyber security from strategic level to deployment models, recognising the scale of the required actions, Finnish well-known cyber expertise combined with educational competence in an online learning environment
We'll guide You to find the crucial investment targets to block the most critical vulnerabilities.
STRATEGIES AND ACTION PLANS
We provide cyber security strategies and their facilitation state-level operations, private sectors and international organizations based on a holistic view of the cyber world and hybrid threats. With versatile management experience as well as expertise derived from the public and private sectors, we offer strategic action plans and their implementation for businesses and organisations.
EDUCATION
Cyberwatch Finland offers tailored cyber security training programs, comprehensive supervised learning sessions and e-learning courses for your executives and employees. The aim of our thread-based training is to facilitate learning and raise awareness of cyber security and hybrid threats at all levels of your organization. Our courses strengthen the ability of companies and organizations to recover from cyber attacks.
CONSULTATION AND COACHING
Cyberwatch Finland provides professional and tailored situational awareness and strategic consulting, coaching and counseling for various aspects of comprehensive security. Counseling is offered for the leaders both at the private and government sector, with the goal in mind to bring true value to decision making and make investing in cyber security profitable. We provide most effective application of cyber security strategies and policies. Cyberwatch Finland provides broad spectrum cyber security lectures and presentations going into greater detail on your chosen topic.
WORKSHOPS, SEMINARS AND GAMES
We offer custom workshops and seminars based on modern learning methods to understand how their cyber security strategies, teams and programs can be improved and raised to a higher level. Our seminars focus on cyber trends, incidents and emerging themes, conveying the latest knowledge on issues on cyber security trends by utilising modern learning methods and tools of analysis. Cyberwatch Finland’s training-style games challenge your knowledge of cyber defense and test your organisational capacity during simulated security breaches and attacks.
MONTHLY AND QUARTERLY REVIEWS
Our reviews offer compact analyses of the most significant cyber incidents in cyberspace, bringing forth an extensive view of the background, cause and effect of each incident. Trends as well as security breaches, vulnerabilities and cyber attacks are analysed through the lens of their relative impact and importance to today’s organizations.
THEME REPORTS
A Cyberwatch Theme Report provides deep analysis of a specific theme, business sector or topic of importance. Theme Reports can be ordered on a case-by-case basis and updated as required.
CYBERWATCH TV
Cyberwatch Finland provides an Internet TV channel with topical interviews, discussions on cyber security and hybrid threats and live TV broadcasts of important issues of cyber security.
CyberwatchTV.fi
CONTACT US
Cyberwatch Oy, Eteläranta 10, 00130 Helsinki, Finland
Aapo Cederberg, CEO, +358 40 024 6746, aapo.cederberg@cyberwatch.fi
Kim Waltzer, Chief Analyst, +358 40 771 4737, kim.waltzer@cyberwatch.fi
CYBERWATCH FINLAND
QUARTERLY REVIEW
Q4 2019
REVIEW 2019 / Q4
At the dawn of the New Year, it’s time to look back at what we can learn for the coming year. This review notes all the major events that took place in 2019, while also looking at what the coming 2020 will look like from a cyber security perspective. Predicting the future is admittedly uncertain, but the purpose is not to predict individual attacks, but rather the direction of the more likely events and trends in the light of current developments. Viewed through events in the cyber world, 2019 has been characterised by 5G security threats, the political question of the reliability of the network vendors, trade war, concern over election influencing, massive data leaks, increased ransomware attacks on cities and businesses, big game hunting, spyware bugs on smartphones and the responsibility of technology giants to improve security and reduce the abuse of their services. In the geopolitical field, there was a shift in sentiment towards mistrust - at least as regards Internet segmentation.
AIMING FOR A SAFER FINLAND AND EUROPE
FINLAND PUBLISHED AN UPDATED CYBER STRATEGY 2019 [1] and decided to set up a state cyber leader. The role of cyber diplomacy and international cooperation in cyber affairs is also progressing. [2]
THE DIGITAL GROWTH ROADMAP 2019-2030 (TEM) [3], Business Finland’s Digital Trust Program, and A FORERUNNER IN ARTIFICIAL INTELLIGENCE - THE FINAL REPORT ON THE ARTIFICIAL INTELLIGENCE PROGRAM [4] highlight Finland’s means of competing in cybersecurity on the international market and explore future opportunities for cyber development.
FINLAND WAS THE FIRST IN EUROPE TO START ENSURING THE SAFETY OF SMART DEVICES. The Cybersecurity label, Tietoturvamerkki.fi, launched by the Finnish Transport and Communications Authority, Traficom, helps consumers make safer smart home purchases. [5]
THE TIETO AND TAISTO CO-OPERATION EXERCISES have proven to be a successful way to improve the ability of companies and organisations to prepare for cyber attacks and collaborate with one another. In particular, including communication in these exercises has been seen as a significant improvement.
THE JOINT CYBERCRIME ACTION TASKFORCE (J-CAT), co-ordinated by EUROPOL, has succeeded in uncovering and shutting down a number of international criminal and bot networks. With its permanent mandate, the European Cyber Security Agency, ENISA, has been a driving force in promoting cyber security in Europe. [6]
THE EU IS LOOKING FOR A COMMON DIRECTION AND WAYS TO MINIMISE SECURITY RISKS OF THE 5G NETWORK In December, the European Union Telecommunications Council issued conclusions on the importance of 5G for the European economy and the need to mitigate the security risks associated with 5G. [7] These conclusions were based on a joint EU-level risk assessment of 5G networks published in October. [8] The aim is to strengthen the coherent approach of the EU Member States while at the same time reinforcing the shared EU market.
POLITICAL
- Trade war and the mistrust of Huawei.
- Facebook, Twitter and China amid protests in Hong Kong.
- Attempts to influence the elections were heavily exposed.
- Further negotiations are needed to constrain state espionage and hacking.
THE INCREASED MISTRUST OF CHINESE TECHNOLOGY AND CHINESE COMPANIES was heavily apparent throughout the year. The dispute was centred around the Chinese 5G network equipment supplier Huawei. This is due to a lack of confidence resulting from years of cyber-espionage and theft of business secrets. Finland is also the subject of large-scale active foreign intelligence inquiries. Finland is of particular interest to Russian and Chinese intelligence services, reports the Finnish Security Police. [9] The US-China trade war has kept the markets alert. The United States appears to be taking advantage of its leading position in the global economy, utilizing economic coercion, such as unilateral sanctions. [10] Small signs of hope for the end of the trade war have appeared towards the end of the year. The impact of the end of the trade war on the 5G debate around Huawei remains to be witnessed.
Even US companies raised doubts about the reliability and availability of their services. The US decision to restrict the provision of Adobe services to existing customers as a political lever in Venezuela was reversed at the last minute, but the incident indicated a change in the geopolitical game. Perhaps this is also a way for the US to show what foreign companies could do to them if they wished. [11] Are technology giants increasingly used as a tool for power?
HAS POLITICAL TOLERANCE FOR STATE CYBER ATTACKS INCREASED? In 2018, several countries tightened their stance on cyberattacks. According to the NATO resolution, cyber attacks can be countered militarily, either by cyber defence or by conventional military means. The European Commission also called on its member states to identify more actively the underlying causes of cyber attacks. Initially, the change of policy was reflected in the sharpening of state statements and official accusations, but since then the statements appear to have eased. However, China’s role in the accusations is highlighted. The decline in statements hardly means that state cyber attacks or state-led espionage have decreased; on the contrary.
MILITARY
- Israel responded to Hamas’ cyberattack with an airstrike.
- Iran shot down a reconnaissance aircraft - US responded with cyberattack.
- Drone attack on Saudi Aramco, preceded by cyber attacks.
On May 4, 2019, the Israeli Defence Forces (IDF) responded to a cyber-attack by a Hamas military organisation with an airstrike targeting the building used by the hackers in Gaza. The Israeli case was historically significant because it was the first time that immediate military force was used to respond to a cyberattack. Cyber targets have been attacked in the past, but operations have been longer-lasting or have been part of a larger military operation. Yet, of course, intelligence and long-term monitoring of targets also played an important role in the Israeli attack.
In June, Iran shot down a US intelligence aircraft over the Hormuz Strait. The United States responded by executing cyber attacks on Iran’s military systems. The damage to President Trump’s domestic political image was seen as the main reason for refraining from a military strike. Cyber security companies CrowdStrike and FireEye report that cyber attacks against the US administration and its critical infrastructure increased as tensions increased.
Saudi Aramco, the world’s largest oil producer, was hit by an air strike. A total of 18 drones and seven cruise missile strikes halved Saudi Aramco’s daily oil production, equivalent to about 5 percent of the world oil production. Iran is being blamed for the attack. The air strike on Saudi Aramco is probably just a prelude to future attacks. Prior to the airstrike, the company had sustained several major cyber attacks, and together they show how kinetic and cyber attacks are intertwined. Iran has become known for an increase in cyber attacks in situations where it is in conflict with another state. Iran has been accused of several cyber attacks over the years, including Shamoon 2012 and its subsequent variations. Rapid developments in Iran show how actively the cyber dimension is used alongside the use of kinetic forces. Cyber sabotage and cyberattacks allow lower-threshold operations to use so-called soft power for military attack.
In the future, the role and use of drone devices in military, commercial and avocational use will grow. Drones are also increasingly used as a platform for cyber attacks. Drone laws are being amended around the world in collaboration with the international organisation JARUS (Joint Authorities for Rulemaking on Unmanned Systems). These new laws and regulations are coming into effect in 6/2020. [12]
At the UN General Assembly on September 23rd, 27 states, including Finland, signed a Joint Statement on Responsible State Behaviour in Cyberspace. The statement expressly condemns two types of behaviour, both of which are generally related to China, even though it is not mentioned in the statement. The statement also expresses the intention to use cyber attacks as a countermeasure. [13] The use of cyberattacks as part of defence operations seems to be increasing. This will change what is allowed on the web and vice versa. The effects may not yet be visible, but with time, the attitudes, practices and the education that drives them will change the culture of action towards a more offensive direction. It is likely that the threshold for using cyber attacks as a defence will be lowered.
ECONOMICAL
- Facebook’s record high fine just a prelude to regulating digital giants?
- The low number of GDPR sanctions (142) is surprising.
- Big Game Hunting - targeting large companies and cities.
- Tens of millions in costs for blackmail programs.
- France rejects the use of Facebook’s cryptocurrency Libra in Europe.
- The attention towards cryptocurrencies decreased towards the end of the year.
BIG GAME HUNTING ROSE AS A PHENOMENON Cybercrime is on the rise, methods are evolving and targets will be more carefully chosen in the future. Cybercrime is closely intertwined with other criminal activities. The aim is to gather all possible information that can be re-sold to different actors. Ransomware attacks targeting large companies, such as Norsk Hydro [14] in Norway, Addtech [15] in Sweden and Pilz [16] in Germany, are evidence of the increasing economic motivation of attackers and the rise of the so-called Big Game Hunting phenomenon. For the same reason, ransom attacks against cities increased in Finland and globally. According to Kaspersky, the most targeted entities were education (61%), municipalities (29%) and hospitals (7%). The US Federal Trade Commission (FTC) fined Facebook $5 billion, or nearly 4.5 billion euros, for users’ privacy violations in the Cambridge Analytica case. Compensation and fines paid to consumers, states and consumer authorities for the 2017 data breach by Equifax totalled $700 million (€630 million).
THE RELATIVELY LOW NUMBER OF GDPR SANCTIONS IS SURPRISING This has been an interesting year for the EU General Data Protection Regulation (GDPR) to impose sanctions. One would have imagined that the number of sanctions imposed on the basis of the 56 000 cases reported in the first eight months would have been significantly higher than the 142 so far. [17, 18] In terms of euros, the biggest GDPR sanctions were imposed on British Airways (€204 million) and the hotel chain Marriott (€110 million), due to data leaks.
TOP 10: HIGHEST INDIVIDUAL FINES

| CONTROLLER | COUNTRY | FINE [€] |
| --- | --- | --- |
| British Airways | UNITED KINGDOM | 204,600,000 |
| Marriott International, Inc | UNITED KINGDOM | 110,390,200 |
| Google Inc. | FRANCE | 50,000,000 |
| Austrian Post | AUSTRIA | 18,000,000 |
| Deutsche Wohnen SE | GERMANY | 14,500,000 |
| Telecoms provider (1&1 Telecom GmbH) | GERMANY | 9,550,000 |
| National Revenue Agency | BULGARIA | 2,600,000 |
| UWV (Dutch employee insurance service provider) | THE NETHERLANDS | 900,000 |
| Morele.net | POLAND | 645,000 |
| DSK Bank | BULGARIA | 511,000 |

Source: https://www.enforcementtracker.com/?insights
TOP 10: COUNTRIES WITH THE HIGHEST SUM OF FINES

| COUNTRY | TOTAL SUM OF FINES [€] | TOTAL NUMBER OF FINES |
| --- | --- | --- |
| UNITED KINGDOM | 314,990,200 | 2 |
| FRANCE | 51,100,000 | 5 |
| GERMANY | 24,619,925 | 16 |
| AUSTRIA | 18,070,100 | 8 |
| BULGARIA | 3,173,370 | 9 |
| THE NETHERLANDS | 1,360,000 | 2 |
| SPAIN | 1,179,600 | 31 |
| POLAND | 933,868 | 5 |
| GREECE | 550,000 | 3 |
| ROMANIA | 445,000 | 12 |

Source: https://www.enforcementtracker.com/?insights
ONLINE SHOPS AT THE FOREFRONT OF CYBER ATTACKS Online shops and the companies that run them are alluring targets for cybercriminals because of potential access to payment transactions, high shopping volumes, the opportunity to phish for customer and credit card information, and numerous possibilities for scams. Online retailers not only have economic interests, but also a responsibility for the security of the trade. Therefore, more is often invested in cybersecurity for online shops than for many other online services. The most straightforward way to demonstrate and measure the value of cyber security investments is to measure them through potential revenue and loss of reputation and build hedges accordingly. Small businesses do not have the ability to make big investments or the necessary skills, and criminals know this too. Small companies managing sensitive information are potential and beneficial targets for attackers. Sales on Black Friday, the most popular shopping day in the United States, reached $7.4 billion in the US alone. [19] This was also reflected in the phishing attacks on online shops, which more than doubled from the previous year and nearly quadrupled in relation to their normal levels. [20] During the world’s largest shopping day, Singles Day, sales of the Chinese e-commerce giant Alibaba reached up to $38.4 billion in one day. [21] Alibaba is normally hit by about 300 million cyber-attacks - 2.2 billion during Singles Day. [22] The question arises as to why Amazon and many other US companies are constantly the target of data leaks, while the Chinese Alibaba manages to keep information leaks under control. Will China’s closed network and strong state control over the digital online environment explain the difference? Are Chinese algorithms so much more advanced than American ones? Or does the Chinese culture of “losing face” ensure that “no leaks occur” - that is, they are simply not disclosed?
However, massive data leaks have also emerged in China, with millions of people openly accessing information online.
More than 3,000 security specialists and 1,258 algorithmic models worked around the clock to fend off 2.2B cyberattacks on Singles Day.
“Alibaba’s algorithms may not be 100% perfect in spotting malicious activity, but they are able to recognize more than 1 million ways of cheating.” - Jessie Zheng, Chief Risk Officer at Alibaba
TECHNICAL
- More serious architectural-level vulnerabilities are found.
- Nomoreransom.org provides free tools for recovering from ransomware attacks.
- More and more attacks are coming through the affiliate network.
- Applications and services using artificial intelligence are on the rise.
- Risks related to security products are beginning to emerge.
- Technology giants bring new security features to their products.
The demanding role of technology giants as global service providers has emerged on many occasions. Tech giant services are used not only for commercial or research purposes, but also for espionage and criminal activities. Tech giants are developing new security features and imposing restrictions in order to minimise misuse. From the end-users’ perspective, services are evolving and gaining new security features that drive safer operations - in practice, at the expense of reduced privacy. It is noteworthy that there are also risks or threats to security technology and security software such as antivirus and VPN software. A global security company, Avast, allegedly collects and sells information about its users anonymously. [23] This type of activity is a very high risk for a trusted security company. It will be interesting to see how Avast’s stock price will react to the news. [24]
SERIOUS VULNERABILITIES HAVE INCREASED in workstations, smartphones, network devices and their software. The main reason for the vulnerabilities is probably the increase in attention, interest and security research work. In addition, the increase in Bug Bounty rewards and various hackathon events is encouraging new people to hunt for vulnerabilities. Attacks through the cooperation network increased. More than 90% of hacks and leaks still start with phishing messages. Attackers seek to find and exploit vulnerabilities in the process, the so-called weak links. Attacks target several members of an organisation’s network simultaneously and over a long period of time without raising doubts within the organisation. Risk management should take into account the entire network and minimise the potential and most apparent risks.
CITIZENS & SOCIETY
- Massive data leaks.
- Social media services used phone numbers collected for strong identification for marketing purposes.
- Vulnerabilities in smartphones and their applications are used for spyware.
- Office 365 phishing scams are continuous.
- Ransomware in cities has also increased in Finland.
Big data leaks are on the rise: Collection #1 (773 million email addresses), Unified Social Media User Database (1.2 billion users), Ecuadorian and Bulgarian population data, unprotected medical image banks from 52 countries, Singapore HIV Patient Database, 2.7 million recorded Health Advice Calls downloadable online, over one million biometric identifiers downloadable. These are just the most significant. New user databases, each larger than the last, can be found online, even completely unprotected. The leakage of health data and research databases is worrying. There are always those who try to combine data from multiple data leaks and thus enrich the data with new, more up-to-date information. The short-term impact of information leakage is the potential increase in spam and phishing attempts. As attackers’ user profiles become more specific, it may also be almost impossible to distinguish between targeted phishing and scam messages. The data can be used after many years, or for example as a means of influencing elections. Repeated leaks also increase the risk of identity theft. The starting point for preparing for information leaks should therefore be clear action plans on what is to be done and how to be informed when data leaks occur, including with regard to health information.
LEGAL
- The Finnish intelligence laws were approved by Parliament.
- The Act on the Secondary Use of Social and Health Information has been effective since April 1, 2019.
- The controversial Copyright Directive was adopted in the EU.
- The European Cybersecurity Act enters into force.
- The strong online identification of online services is changing
- European Union Payment Services Directive.
- Russian law on ‘sovereign internet’ came into force in November.
- Law on Information Management in Public Administration effective January 2020
THE FINNISH NATIONAL DATA PROTECTION ACT entered into force on 1 January 2019. At least so far, no precedent has emerged in Finland on how to interpret the law.
THE FINNISH INTELLIGENCE ACT was approved in March. [25] In May, the law on the secondary use of health information came into force, somewhat subtly. [26] The controversial Copyright Directive was also adopted in March. Its effects have not yet materialised, but the Nord Stream 2 gas pipeline project, which is claimed to be linked to the German and French adoption of the directive, threatens to be on the US sanctions list before the project is even completed. [27] The sanctions may also be a way for the US to show its dissatisfaction with the EU, especially France and Germany, primarily over the copyright directive directed against US companies and over its intention not to join the anti-Huawei front.
THE EUROPEAN CYBERSECURITY ACT entered into force on 27 June. It established a permanent mandate for the EU cyber security agency, ENISA, and established a European cyber security certification scheme. [28]
THE SECOND EU PAYMENT SERVICES DIRECTIVE (PSD2) entered into force in mid-September. Its purpose has been to improve the strong identification of European online shops. The law does not affect the authentication processes of online shops outside the EU, but hopefully sets an example. [29]
THE ‘SOVEREIGN INTERNET LAW’ CAME INTO FORCE IN RUSSIA. Russia is not yet believed to be ready for a longer-term disconnection from the global Internet, yet it may already be possible in some segments of the network. China instead is believed to have a better ability to operate independently within its own infrastructure.
This reflects a shift in digitalization, moving from global services to “sovereign” state-controlled services and segments. In a way this can be seen as some countries reclaiming state boundaries in the digital realm. It is quite possible that the proliferation of virtual network thinking and capabilities, alongside 5G, will also increase the number of smaller, sovereign virtual networks. The Public Administration Information Management Act/Act on Information Management Governance in Public Administration and related laws will enter into force in Finland on 1.1.2020. The Act promotes the compliance of information management, information security and digitalisation in government activities. [30]
CYBER TRENDS IN 2020
POLITICAL
- The geopolitical tensions are unlikely to ease.
- Uncertainty in the security environment - the climate of mistrust continues.
- Election influencing will be strongly visible on the agenda of the US presidential election.
- EU 5G cooperation and common guidelines are being tested.
ECONOMICAL
- There is an increase in the use of cryptocurrencies.
- Libra is likely to succeed despite opposition from the United States.
- GDPR sanctions will increase.
- Cities and large companies remain popular targets of cybercrime.
- Investment in cyber is increasing.
- Cyber risks are increasingly embedded in business continuity planning.
CITIZENS & BUSINESSES / TECHNICAL / LEGAL
- The risk of a sensitive data leak is increasing, especially in regards to health data.
- Information leaks in social media services and vulnerabilities in smartphone applications are part of the new normal.
- Payment frauds relating to postal parcels are expected to increase in Finland.
- Identity thefts are on the rise globally - increase expected also in the Nordics.
- Attacks on and exploiting IoT devices are increasing.
- 5G networks and the devices utilising them are growing.
- Serious technical infrastructure level vulnerabilities are found frequently.
- Applications and services that utilise artificial intelligence are diversifying.
- Biometric authentication is becoming more common as part of Strong Identification (PSD2).
- Targeted ransom attacks increase.
- When Brexit is implemented it will affect trade agreements, as well as online customs and VAT payments. Market uncertainty and a state of change also create favourable conditions for cybercriminals.
- Cyber insurance and related claims are subject to broader inspection.
5G RISKS AND INTERNATIONAL DEBATE
Network security has come up for debate, especially in connection with the Chinese company Huawei, as Americans suspect the company is leaking information to China. This is due to a lack of confidence resulting from years of cyber-espionage and the theft of business secrets. The emergence of 5G technology as a revolution in digital services is an elusive entity. 5G, as a matter that concerns every citizen and organization, threatens national security in various states and enables cyber-espionage, is quite a breeding ground for geopolitical debate.
DISTRUST TOWARDS DIGITAL INFRASTRUCTURE IS A SERIOUS MATTER
The debate on network safety is important because the digital environment in principle is an unreliable and dangerous place. Operators, national authorities and international cooperation have a critical role in maintaining a sufficiently secure service infrastructure. The trust of businesses and citizens towards online services is important. An atmosphere of distrust can have unpredictable consequences and it can cause indifference, which in turn can facilitate cybercriminals in their actions. Unfortunately, the responsibility for personal safety, for both companies and individuals, ultimately rests with the end user, whether they understand it or not. Therefore, the person is still the weakest link.
COMBINING FUTURE TECHNOLOGY AND POLITICAL DECISIONS IS DIFFICULT
Commercial network and mobile operators are responsible for the selection of network technologies and for service security. In a democracy such as Finland, the ability of political guidance to influence the choice of technology suppliers or purchasing countries is limited. Network equipment manufacturers, for their part, are experts in their field, commercial manufacturers of equipment and services, who do not comment on each other’s products. Major international trade deals are often associated with a strong political element that includes barter, promises and even bribes. [33, 34] However, only a few politicians understand, want or are even able to take a stand on things that will materialise in 5 to 10 years. Not many technological experts understand the future of the business as a whole or comment on the political implications brought on by technology. Understanding the whole concept requires long-term and confidential cooperation between different parties.
THE FINNISH COLLABORATIVE MODEL FOR TOTAL SECURITY AND 5G
In Finland, the starting point for preparedness is the total security cooperation model, in which the vital functions of society are taken care of by cooperation between authorities, business, organisations and citizens. The focus is on security of supply, which also considers the cyber environment. Thanks to Nokia and Ericsson’s cybersecurity unit in Finland, there is no doubt that Finland has a deep understanding of the security and effectiveness of 5G in both commercial services and national security. Nevertheless, Finland is participating in the same 5G debate and is using Huawei technology on its 5G networks. Why is this?
THE EU IS LOOKING FOR A COMMON DIRECTION AND WAYS TO MINIMISE SECURITY RISKS ON THE 5G NETWORK
In December, the European Union Telecommunications Council published conclusions on the importance of 5G for the European economy and the need to mitigate the security risks associated with 5G. [35] The conclusions were based on a joint EU-level risk assessment report published in October. [36] The aim is to strengthen the coherent approach of the EU member states while at the same time reinforcing the joint EU market. The conclusions highlight that 5G networks will be part of the infrastructure that is crucially important to the functions of society and the economy. The report identifies the most influential risks and threats, including the influence of third countries, but does not take a stand on individual actors. The aim is a continuous and comprehensive risk-based process that starts with the selection of service providers, continues to the production of network elements and covers the entire lifetime of the networks. The conclusions also emphasise that components essential to national security should only be acquired from reliable suppliers.
5G IS ALREADY HERE – THE EUROPEAN UNION CONSIDERED THE RAPID IMPLEMENTATION OF 5G IMPORTANT
5G networks and devices that use 5G are already here. All operators in Finland offer 5G subscriptions and devices. The actual breakthrough is expected to happen in Finland in 2020.
In this respect, the need for common European risk management tools is becoming urgent. Strategic guidance and risk analysis would have been needed 7-10 years ago. On the other hand, in strategic long-term procurement, such as in 5G solutions, a delay of a couple of years on a technological level should not be a threshold issue when it comes to purchasing, especially when placing a value on safety. In the coming years, the importance of understanding the whole digital environment will increase. The importance of network traffic and data encryption will also grow. Risk analysis should take into consideration the service ecosystem and the entire supply chain. There are several places where sensitive information is leaked. Despite all the technical protections, people are most at risk due to information leakages and vulnerabilities.
5G RISKS AND INTERNATIONAL DEBATE Network security has come up for debate, particularly because of the Chinese company Huawei, as Americans suspect the company of leaking information to China. Behind this is a lack of trust resulting from cyber-espionage and theft of business secrets that have gone on for years. The arrival of 5G technology as a revolution in digital services is an entity that is hard to grasp. 5G, as a matter that concerns every citizen and organisation, threatens the national security of various states and enables cyber-espionage, is highly fertile ground for geopolitical debate.
DISTRUST TOWARDS DIGITAL INFRASTRUCTURE IS A SERIOUS MATTER
The debate on network security is important, because the digital operating environment is inherently an untrustworthy and dangerous place. Operators, national authorities and international cooperation have a critical role in keeping the service infrastructure sufficiently secure. The trust of businesses and citizens in online services is important. An atmosphere of distrust can have unpredictable consequences and can cause indifference, which in turn makes things easier for cybercriminals. Unfortunately, responsibility for one's own security, for companies and private individuals alike, ultimately rests with the end user, whether they understand it or not. That is why the person is still the weakest link.
COMBINING FUTURE TECHNOLOGY AND POLITICAL DECISIONS IS DIFFICULT
Responsibility for the choice of network technologies and the security of services lies with commercial network and mobile operators. In a democracy like Finland, the scope for political guidance to influence the choice of technology suppliers or countries of procurement is limited. Network equipment manufacturers, for their part, are experts in their own field, commercial producers of equipment and services, who do not comment on each other's products. Major international deals often also involve a strong political element, which includes barter, promises, even bribes. [1, 2] But few politicians understand, want, or are even able in their role to take a position on matters that will materialise in 5-10 years. Hardly many technology experts understand the whole of future business either, or are able to take a position on the political effects brought by technology. Grasping the whole requires long-term and confidential cooperation between the different parties.
THE FINNISH COLLABORATIVE MODEL FOR TOTAL SECURITY AND 5G
In Finland, the starting point for preparedness is the cooperation model for total security, in which society's vital functions are looked after through cooperation between authorities, business, organisations and citizens. The focus is on security of supply, which also takes the cyber operating environment into account. Thanks to Nokia and also Ericsson's cybersecurity unit located in Finland, Finland certainly has a deep understanding of the security and impact of 5G from the perspective of both commercial services and national security. Despite this, Finland is part of the same 5G debate and itself uses Huawei technology in its 5G networks. Why is that?
THE EU IS SEEKING A COMMON LINE AND WAYS TO MINIMISE THE SECURITY RISKS OF THE 5G NETWORK
In December, the European Union's Telecommunications Council published conclusions [3] on the significance of 5G for the European economy and the need to mitigate the security risks associated with 5G. The conclusions were based on a joint EU-level report on the risk assessment of 5G network security [4], published in October. The aim is to strengthen the unified approach of EU member states and at the same time strengthen the EU's single market. The conclusions stress that 5G networks will be part of the infrastructure that is crucial for the key functions of society and the economy. The report identifies the most significant risks and threats, including the potential influence of outside states, but does not take a position on individual actors. The aim is a continuous and comprehensive risk-based process that begins with the selection of service providers, continues through to the production of network elements, and covers the entire operating life of the networks. The conclusions also stress that components essential to national security should be procured only from reliable suppliers.
5G IS ALREADY HERE - THE COUNCIL OF THE EUROPEAN UNION ALSO CONSIDERED THE RAPID DEPLOYMENT OF 5G IMPORTANT
5G networks and the devices that use them are already here. All operators in Finland offer 5G subscriptions and devices. The real breakthrough is believed to take place in 2020 in Finland too. In this respect, common European risk management tools are already becoming urgent. Strategic guidance and risk analysis would have been needed about 7-10 years ago. On the other hand, in strategic long-term procurement such as 5G solutions, a delay of a couple of years in catching up with the technological level should not be a threshold question when making a purchasing decision, especially if any value is placed on security. In the coming years, the importance of understanding the digital operating environment as a whole will rise. The importance of encrypting network traffic and data will also grow. Risk analyses must take into account the service ecosystem and the entire supply chain. There are several places where sensitive information can leak. Despite all technical safeguards, the greatest risk of data leaks and vulnerabilities is caused by people through their own actions.
SOURCES (REVIEW)
1. https://turvallisuuskomitea.fi/suomen-kyberturvallisuusstrategia-2019/
2. https://um.fi/cyber-security-and-the-cyber-domain
3. https://tem.fi/julkaisu?pubid=URN:ISBN:978-952-327-405-1
4. https://www.tekoalyaika.fi/en/2019/06/the-final-report-of-finlands-artificial-intelligence-programme-available/
5. https://tietoturvamerkki.fi
6. https://www.europol.europa.eu/activities-services/services-support/joint-cybercrime-action-taskforce
7. https://www.consilium.europa.eu/media/41595/st14517-en19.pdf
8. https://ec.europa.eu/commission/presscorner/detail/en/IP_19_6049
9. https://www.supo.fi/en/news/1/0/the_national_security_review_2019_foreign_intelligence_increasingly_interested_in_finland_s_critical_infrastructure_78667
10. https://www.fiia.fi/julkaisu/sanctions-and-us-foreign-policy-in-the-trump-era-a-perfect-storm?read
11. https://www.theverge.com/2019/10/28/20936214/adobe-venezuela-sanctions-us-executive-order
12. https://erveuutiset.erillisverkot.fi/drone-laki-parantaa-ilmailuturvallisuutta/
13. https://thehill.com/opinion/cybersecurity/467701-playing-with-fire-global-offensive-cyber-operations
14. https://www.hydro.com/en/media/on-the-agenda/cyber-attack/
15. https://news.cision.com/addtech/r/update-regarding-the-it-attack,c2979976
16. https://www.securityweek.com/cyberattack-causes-serious-disruptions-german-automation-firm-pilz
17. https://gdpr.eu/gdpr-requirements-data-breach-reporting/
18. https://www.enforcementtracker.com/?
19. https://www.cnbc.com/2019/11/29/black-friday-online-sales-up-19percent-by-9-am-thanksgiving-sales-hit-record-online.html
20. https://blog.checkpoint.com/2019/11/26/november-shopping-do-it-the-smart-way/
21. https://techcrunch.com/2019/11/11/alibaba-singles-day-record/
22. https://www.cpomagazine.com/cyber-security/alibaba-intercepts-2-2-billion-cyber-attacks-on-singles-day/
23. https://www.forbes.com/sites/thomasbrewster/2019/12/09/are-you-one-of-avasts-400-million-users-this-is-why-it-collects-and-sellsyour-web-habits/#2c3624e92bdc
24. https://www.londonstockexchange.com/exchange/prices-and-markets/stocks/summary/company-summary/GB00BDD85M81GBGBXSTMM.html
25. https://www.eduskunta.fi/FI/tietoaeduskunnasta/kirjasto/aineistot/kotimainen_oikeus/LATI/Sivut/tiedustelulait.aspx
26. https://www.sitra.fi/uutiset/uusi-laki-tuo-lapinakyvyytta-ja-vaikuttavuutta-sote-tietojen-hyodyntamiseen/
27. https://www.kauppalehti.fi/uutiset/pakoteuhkaus-nord-streamille-laukesi-heti-pahimmillaan-miljardien-kaasuputki-jaa-kayttamattomana-lillumaan-itameren-pohjaan/761983e0-530d-4c83-94e9-617642e82e11
28. https://ec.europa.eu/digital-single-market/en/news/eu-cybersecurity-act-brings-strong-agency-cybersecurity-and-eu-wide-rules-cybersecurity
29. https://www.finanssivalvonta.fi/saantely/saantelykokonaisuudet/psd2/
30. https://vm.fi/tiedonhallintalaki
SOURCES (5G)
1. http://www.etn.fi/index.php/13-news/10220-ericssonille-miljardisakot-lahjusten-maksamisesta
2. https://edition.cnn.com/2019/12/03/tech/huawei-employee-detained/index.html
3. https://www.consilium.europa.eu/media/41595/st14517-en19.pdf
4. https://ec.europa.eu/commission/presscorner/detail/en/IP_19_6049
34 | CYBERWATCH FINLAND
QUARTERLY REVIEW SITUATIONAL PICTURE 2019 / Q4
On the threshold of the new year, it is time to look back at what we can learn for the year ahead. This review examines the most significant events of the whole of 2019 and at the same time seeks to assess what the coming year 2020 will look like from a cybersecurity perspective. Predicting the future is notoriously uncertain, but the purpose is not to predict individual attacks; it is to outline the direction of the more probable events and trends in light of current developments. Viewed through events in the cyber world, 2019 was characterised by the security threats of 5G and the trustworthiness of network equipment vendors as a political question, the trade war, concern about election interference, massive data leaks, the increase in ransomware attacks on cities and companies, the Big Game Hunting phenomenon, serious vulnerabilities, bugs in smartphones that enable espionage, and the responsibility of the technology giants for improving security and reducing the abuse of their services. In the geopolitical arena, a shift in atmosphere towards distrust was visible - at least as far as the segmentation of the internet is concerned.
AIMING FOR A SAFER FINLAND AND EUROPE
FINLAND PUBLISHED AN UPDATED CYBER STRATEGY 2019 [1] and decided to establish the position of a national cyber director. The role of cyber diplomacy and international cooperation in cyber matters is also advancing. [2]
THE DIGITAL GROWTH ROADMAP 2019-2030 (TEM) [3], BUSINESS FINLAND'S DIGITAL TRUST PROGRAMME, AND LEADING THE WAY INTO THE AGE OF ARTIFICIAL INTELLIGENCE - THE FINAL REPORT OF THE ARTIFICIAL INTELLIGENCE PROGRAMME [4] highlight Finland's competitive strengths in cybersecurity on international markets and examine future opportunities for developing the cyber sector.
FINLAND WAS THE FIRST IN EUROPE TO START ASSURING THE SECURITY OF SMART DEVICES. The CYBERSECURITY LABEL (TIETOTURVAMERKKI) [5], launched by the Finnish Transport and Communications Agency, Traficom, helps consumers make safer smart device purchases for the home.
THE TIETO AND TAISTO JOINT EXERCISES have proved to be a good way to improve the readiness of companies and organisations to prepare for cyberattacks and to work together. In particular, including communications in the exercises has been felt to be a significant improvement.
The international cybercrime cooperation network coordinated by EUROPOL, the JOINT CYBERCRIME ACTION TASKFORCE (J-CAT) [6], has succeeded in exposing and shutting down several international criminal networks and botnets. The European cybersecurity agency ENISA, which has received a permanent mandate, has been a driving force in promoting cybersecurity in Europe.
THE EU SEEKS A COMMON LINE AND MEANS TO MINIMISE THE SECURITY RISKS OF THE 5G NETWORK
In December, the Telecommunications Council of the European Union published conclusions [7] on the significance of 5G for the European economy and on the need to mitigate the security risks associated with 5G. The conclusions were based on the EU-level joint report on the risk assessment of 5G network security [8], published in October. The aim is to strengthen a unified approach among EU member states and at the same time to strengthen the EU's single market.
POLITICAL
- Trade war and distrust towards Huawei.
- Facebook, Twitter and China in the midst of the Hong Kong protests.
- Attempts at election interference featured prominently.
- More negotiations are needed to limit state espionage and hacking.
GROWING DISTRUST OF CHINESE TECHNOLOGY AND CHINESE COMPANIES featured prominently throughout the year. At the centre of the dispute was the Chinese 5G network equipment vendor Huawei. Behind it lies a lack of trust resulting from cyber espionage and theft of trade secrets that have gone on for years. Finland, too, is the target of extensive active intelligence gathering by foreign states. Finland is of particular interest to the intelligence services of Russia and China, reports the Finnish Security Intelligence Service.
Figure 1: Signs of the trade war coming to an end? @realDonaldTrump, 12.12.2019
The US-China trade war kept the markets on their guard. The United States appears to be exploiting its structural advantage in the world economy, which enables the use of economic coercion such as unilateral sanctions. [9] Small signs of hope for an end to the trade war have emerged towards the end of the year. What effect the end of the trade war would have on the 5G debate surrounding Huawei remains to be seen. US companies also gave reasons to doubt the reliability and availability of their services. The United States' decision to restrict the provision of Adobe's services to existing customers in Venezuela as a political instrument was cancelled at the last minute, but the case was nevertheless a signal of a change in the geopolitical game - perhaps also the United States' way of showing what foreign companies could do to them if they so wished. [10] Are the technology giants being used ever more visibly as instruments of power?
HAS POLITICAL TOLERANCE OF STATE CYBERATTACKS INCREASED?
In 2018, several countries tightened their stance on cyberattacks. According to a resolution of the NATO countries, cyberattacks can in future be answered militarily, either by means of cyber defence or by conventional military means. The European Commission also urged its member states to name the parties behind cyberattacks more actively. The change of line was initially visible in states' sharper statements and official accusations, but since then the statements appear to have softened. China's share of the accusations nevertheless stands out. The decrease in statements hardly means that state cyberattacks have decreased; on the contrary. The default assumption seems to be that everyone attacks and spies.
MILITARY
- Israel responded to a Hamas cyberattack with an airstrike.
- Iran shot down a reconnaissance drone - the United States responded with a cyberattack.
- Drone attack on Saudi Aramco, preceded by cyberattacks.

On 4 May 2019, the Israel Defense Forces (IDF) responded to a cyberattack by the militant organisation Hamas with an airstrike on a building in Gaza used by hackers. The Israeli case was historically significant, as it was the first time that immediate military force was used in response to a cyberattack. Cyber targets have been struck before, but those operations have been of longer duration, or they have been part of a wider military operation. Of course, intelligence and long-term monitoring of targets also played a significant role in Israel's counterstrike.

In June, Iran shot down a US reconnaissance drone over the Strait of Hormuz. The United States responded by carrying out cyberattacks on Iranian military systems. The damage to President Trump's domestic political image was considered the main reason for refraining from a military strike. The cybersecurity companies CrowdStrike and FireEye reported that cyberattacks against the US administration and its critical infrastructure increased as tensions grew.

The world's largest oil producer, Saudi Aramco, became the target of an airstrike. A strike by a total of 18 drones and seven cruise missiles cut Saudi Aramco's daily oil production by half, which corresponds to about five per cent of the world's oil production. Iran is accused of the strike. The airstrike on Saudi Aramco is probably only a prelude to future attacks. Before the airstrike, the company had been the target of several significant cyberattacks, and together these show how kinetic attacks and cyberattacks have become intertwined. Iran has become known for increasing its cyberattacks in situations where it drifts into conflict with another state. Over the years, Iran has been accused of several cyberattacks, such as Shamoon 2012 and its later variants. The rapid progress of events around Iran shows how actively the cyber dimension is used alongside kinetic force.

Cyber sabotage and cyberattacks enable operations with a lower threshold than a military attack, for the exercise of so-called soft power. In the future, the role and uses of drones will grow in military, commercial and hobby use alike. Drones are also increasingly used as a platform for cyberattacks. Drone laws are being changed around the world in cooperation with the international JARUS organisation (Joint Authorities for Rulemaking on Unmanned Systems). These new laws and regulations are due to enter into force in June 2020. [11]
At the UN General Assembly on 23 September, 27 states, including Finland, signed a joint statement on responsible state behaviour in the cyber environment (Joint Statement on Advancing Responsible State Behavior in Cyberspace). The statement explicitly condemns two types of behaviour, both of which are generally associated with China, although China is not named in the statement. The statement also expresses the intention to use cyberattacks, too, as countermeasures. [12] The use of cyberattacks as part of defensive activity appears to be increasing. This will change what is permitted online and what is not. The effects may not yet be visible, but over time attitudes, practice and the training that guides them will shift the operating culture in a more offensive direction. It is likely that the threshold for using cyberattacks as a means of defence will be lowered.
ECONOMIC
- Is Facebook's record fine only a prelude to the regulation of the digital giants?
- The small number of GDPR sanctions (142) came as a surprise.
- Big Game Hunting - large companies and cities as targets.
- Ransomware costs of up to tens of millions.
- France rejects the use of Facebook's cryptocurrency Libra in Europe.
- The attention paid to cryptocurrencies decreased towards the end of the year.
BIG GAME HUNTING EMERGED AS A PHENOMENON
Cybercrime is growing, methods are developing, and targets will in future be selected ever more precisely. Cybercrime is tightly intertwined with other criminal activity. The aim is to collect all possible information that can be sold on to various actors. Ransomware attacks on large companies, such as the Norwegian Norsk Hydro [13], the Swedish Addtech [14] and the German Pilz [15], are evidence of the attackers' growing financial motives and of the growth of the so-called Big Game Hunting phenomenon. For the same reason, ransomware attacks on cities also increased both in Finland and globally. According to Kaspersky, the entities most targeted by ransomware were education (61% of attacks), municipalities (29%) and hospitals (7%).
RECORD FINES FOR EQUIFAX AND FACEBOOK
The US Federal Trade Commission (FTC) imposed a fine of five billion dollars, or just under 4.5 billion euros, on Facebook for violations of users' privacy related to the Cambridge Analytica case. The compensation and fines that Equifax paid to consumers, states and consumer authorities for its data breach in 2017 rose to a total of 700 million dollars (630 M€).
THE RELATIVELY SMALL NUMBER OF GDPR SANCTIONS IS SURPRISING
From the perspective of sanctions imposed under the EU's General Data Protection Regulation (GDPR), this was an interesting year. One might have imagined that, on the basis of the 56,000 cases [16] reported in the first eight months, the number of sanctions imposed would have been considerably larger than the 142 [17] seen so far. In euro terms, the largest GDPR sanctions resulted from the data leaks of British Airways (204 M€) and the hotel chain Marriott (110 M€).
TOP 10: HIGHEST INDIVIDUAL FINES

| CONTROLLER | COUNTRY | FINE [€] |
| --- | --- | --- |
| British Airways | UNITED KINGDOM | 204,600,000 |
| Marriott International, Inc | UNITED KINGDOM | 110,390,200 |
| Google Inc. | FRANCE | 50,000,000 |
| Austrian Post | AUSTRIA | 18,000,000 |
| Deutsche Wohnen SE | GERMANY | 14,500,000 |
| Telecoms provider (1&1 Telecom GmbH) | GERMANY | 9,550,000 |
| National Revenue Agency | BULGARIA | 2,600,000 |
| UWV (Dutch employee insurance service provider) | THE NETHERLANDS | 900,000 |
| Morele.net | POLAND | 645,000 |
| DSK Bank | BULGARIA | 511,000 |

Source: https://www.enforcementtracker.com/?insights
TOP 10: COUNTRIES WITH THE HIGHEST SUM OF FINES

| COUNTRY | TOTAL SUM OF FINES [€] | TOTAL NUMBER OF FINES |
| --- | --- | --- |
| UNITED KINGDOM | 314,990,200 | 2 |
| FRANCE | 51,100,000 | 5 |
| GERMANY | 24,619,925 | 16 |
| AUSTRIA | 18,070,100 | 8 |
| BULGARIA | 3,173,370 | 9 |
| THE NETHERLANDS | 1,360,000 | 2 |
| SPAIN | 1,179,600 | 31 |
| POLAND | 933,868 | 5 |
| GREECE | 550,000 | 3 |
| ROMANIA | 445,000 | 12 |

Source: https://www.enforcementtracker.com/?insights
ONLINE SHOPS ON THE FRONT LINE OF CYBERATTACKS
Online shops and the companies that provide them are attractive targets for cybercriminals. Online shopping services combine payment traffic, large purchase volumes, phishing for customer and credit card data, and numerous opportunities for fraud. Online merchants have a financial interest in, but also a responsibility for, the security of their trade. The most straightforward way to demonstrate and measure the value of cybersecurity investments is to measure it through the potential loss of revenue and reputation, and to build the protections accordingly. Small companies do not have the means for large investments, nor the necessary expertise, and criminals know this too. It is not so much a question of money in the form of ransom demands as of the data collected by online shops, and therefore small companies that manage sensitive information are also potential and attractive targets for attackers.

Sales on the most popular shopping day in the United States, BLACK FRIDAY, rose to 7.4 billion dollars in the United States alone. [18] This was also reflected in phishing attacks on online shops, the number of which more than doubled from the previous year and nearly quadrupled compared with the normal level. [19] During the world's biggest shopping day, SINGLES DAY, sales at the Chinese e-commerce giant Alibaba rose to as much as 38.4 billion dollars in a single 24-hour period. [20] Alibaba is normally the target of about 300 million cyberattacks - during the 24 hours of Singles Day there were 2.2 billion attacks. [21]

The question arises why Amazon and many other US companies are constantly the target of data leaks, while the Chinese Alibaba manages to keep data leaks in check. Is the difference explained by China's closed network and strong state control over the digital network environment? Are Chinese algorithms so much more advanced than American ones? Or does the culture of losing face ensure that "no leaks happen" - in other words, they are simply not reported? However, massive data leaks have come to light in China as well, in which the data of millions of people have been openly available online.
TECHNICAL
More than 3,000 security specialists and 1,258 algorithmic models worked around the clock to fend off 2.2B cyberattacks on Singles Day.
Alibaba’s algorithms may not be 100% perfect in spotting malicious activity, but they are able to recognize more than 1 million ways of cheating. - Jessie Zheng, Chief Risk Officer at Alibaba
- More serious vulnerabilities at the level of technical architecture are being found.
- Nomoreransom.org offers free tools for recovering from ransomware.
- More and more attacks come through the partner network.
- Applications and services using artificial intelligence increased on the market.
- Risks related to security products are starting to emerge.
- The technology giants are bringing new security features to their products.
The demanding role of the technology giants as global service providers came up in many contexts. The services of the technology giants are used not only for commercial purposes or for research, but also for espionage and criminal activity. The technology giants are developing new security features and imposing restrictions to minimise abuse. From the end users' point of view, the services are evolving and gaining new security features that steer users towards safer behaviour - in practice at the cost of reduced privacy. It is noteworthy that risks or threats related to security technology and security software, such as antivirus and VPN software, are also emerging. The security company Avast is alleged to collect data on its users and sell it on in anonymised form. [22] For a security company whose business is based on trust, this type of activity is a very great risk. It will be interesting to see how Avast's share price reacts to the news. [23]
SERIOUS VULNERABILITIES INCREASED in workstations, smartphones and network devices alike, and in their software. The most significant reason for the discovery of vulnerabilities is probably the increase in attention, interest and security research. The growth in bug bounty rewards and various hackathon events also encourages new people to take up vulnerability hunting. Attacks coming through the partner network increased. More than 90 PER CENT of data breaches and leaks still begin with phishing messages. Attackers seek to find and exploit vulnerabilities in processes, the so-called weak links. Attacks target several members of an organisation's network simultaneously and over a long period of time without arousing suspicion in the organisation. Risk management should take the entire partner network into account and minimise the potential and most probable risks.
CITIZENS & SOCIETY
- Massive data leaks.
- Social media services used phone numbers provided for strong authentication for marketing purposes.
- Vulnerabilities in smartphones and their applications used for espionage.
- Phishing for Office 365 credentials a constant nuisance.
- Ransomware attacks on cities increased in Finland as well.
Large data leaks seem to be here to stay: Collection #1 (773 million email addresses), a combined social media user database (1.2 billion users), the population data of Ecuador and Bulgaria, unprotected medical image archives from 52 different countries, Singapore's HIV patient database, 2.7 million recorded healthcare advice calls in Sweden downloadable from the internet, and the biometric identifiers of more than a million people available for download. These are only the most significant. New user databases, each larger than the last, are found online, some even completely unprotected. The leaking of databases related to health data and research is worrying. There are always parties who seek to combine the data from several leaks and thus enrich the data with new, more up-to-date information. The short-term effects of data leaks are a possible increase in spam and phishing attempts. As the user profiles available to attackers become more precise, targeted phishing and scam messages can become almost impossible to distinguish. The data may be used only years later, or for example as a tool for election interference. Repeated data leaks also increase the risk of identity theft. The starting point for preparing for data leaks should therefore be clear action plans on what is done and how people are informed when data leaks - including health data.
LEGAL
- Finland's intelligence laws were approved by Parliament.
- The Act on the Secondary Use of Health and Social Data entered into force on 1 April 2019.
- The controversial Copyright Directive was approved in the EU.
- The European cybersecurity act (The EU Cybersecurity Act) entered into force.
- Strong electronic authentication for online services is changing
- The European Union's Payment Services Directive.
- Russia's law on a "sovereign internet" entered into force in November.
- The Act on Information Management in Public Administration enters into force in January 2020
Finland's national Data Protection Act entered into force on 1 January 2019. The leeway the regulation allows for national provisions is limited, so the EU's General Data Protection Regulation (GDPR) and Finland's national act must be read and applied side by side. At least so far, no precedent has emerged in Finland on how the act is interpreted. In March, Finland's intelligence act was approved. [24] In May, the act on the secondary use of health data entered into force somewhat quietly. [25] The controversial Copyright Directive was also approved in March. Its effects have not yet materialised, but the Nord Stream 2 gas pipeline project, which was reportedly linked to the passage of the directive's approval process as far as Germany and France are concerned, is in danger of ending up on the United States' sanctions list even before the project is completed. [26] Might the United States be motivated to rap the EU, and France and Germany in particular, on the knuckles over copyright directives aimed mainly at US companies and over the intention not to join the front against Huawei?

The European cybersecurity act (The EU Cybersecurity Act) entered into force on 27 June. It established a permanent mandate for the EU's cybersecurity agency ENISA and set up a European cybersecurity certification scheme. [27] In mid-September, the EU's second Payment Services Directive (PSD2) entered into force. It is intended to improve strong authentication in European online shops. The law does not affect the authentication practices of online shops outside the EU, but will hopefully set an example. [28] In Russia, the "independent internet law" entered into force. It reflects well the upheaval of the global era, in which there is a shift from building a shared, trusted digitalisation towards "sovereign" services and segments held in one's own control.
Russia is not yet believed to be ready for a longer-term disconnection from the global Internet, but for parts of some network segments it is probably already possible. China is believed to have a fairly good ability to operate quite independently within its own infrastructure. It is quite possible that the virtual network thinking and capability that become more common with 5G will also increase the number of smaller, secure "sovereign virtual networks". In principle this is the operators' old corporate network model, but updated to today's needs. The Act on Information Management in Public Administration and the related acts enter into force in Finland on 1 January 2020. The act promotes the harmonisation of information management, information security and digitalisation in the activities of the authorities. [29]
TRENDS IN THE CYBER WORLD IN 2020

POLITICAL
- Geopolitical tension is unlikely to ease.
- Uncertainty in the security environment - the atmosphere of distrust continues.
- Election interference will feature prominently in connection with the US presidential election.
- The EU's 5G cooperation and common guidelines will be put to the test.

ECONOMIC
- The use of cryptocurrencies will increase.
- Libra will probably succeed in launching despite resistance from the United States.
- GDPR sanctions will increase.
- Cities and large companies remain favourite targets of cybercriminals.
- Cyber investments will increase.
- Cyber risks will increasingly be included in companies' continuity planning.

CITIZENS AND COMPANIES
- The risk of leaks of sensitive data will grow, especially for health data.
- Data leaks from social media services and vulnerabilities in smartphone applications are part of the new normal.
- The new charging practice of Posti, which enters into force in January 2020, for postal parcels costing more than 22 euros that are held for customs clearance will increase payment scams.
- Identity thefts will increase in Finland as well.

TECHNICAL
- Attacks targeting and exploiting IoT devices will increase.
- 5G networks and the devices that use them will increase.
- Ever more serious vulnerabilities at the level of technical architecture will be found.
- Applications and services that use artificial intelligence will become more diverse.
- Biometric authentication will become more common as part of strong authentication (PSD2).
- Targeted ransomware will increase.

LEGAL
- If it goes ahead, Brexit will affect, among other things, trade agreements and the customs duties and VAT payments of e-commerce. The lack of clarity and the state of change in the markets also create favourable conditions for cybercriminals.
- Cyber insurance and the related compensation will come under wider scrutiny.
Sources on page 34.
SNAPSHOTS OF ENERGY INDUSTRY text: Pasi Eronen
ENERGY SECTOR STRATEGIC REVIEW #1
THE IMPORTANCE OF DEFENDING critical infrastructure, of which the electric grid and the energy sector in general are a part, against emerging cyber threats can be traced back at least to the year 1998. It was then that the Clinton administration in the United States released Presidential Decision Directive 63 (PDD-63). [1] PDD-63 underlined the importance of protecting the underlying systems that enable the operations of the economy and government. Fast forward more than two decades, and the protection of critical infrastructure from cyber threats continues to be in the focus of all advanced societies dependent on a functioning national grid and energy sector, including Russia. [2] The latest Finnish Cyber Security Strategy, published in October 2019, also continues to mention the importance of supporting the development of cybersecurity in key sectors such as energy production and distribution. [3] Nevertheless, there is still a lot of work to be done, as has been reported by the GAO in the US. [4]

The latest Worldwide Threat Assessment from the Office of the Director of National Intelligence (ODNI) continues to underline the threats emanating from cyberspace, one of the targets being critical infrastructure. [5] The key threat actors identified in this space are Russia and China. The Threat Assessment suggests that Russia conducts active mapping of critical infrastructure for targets capable of inflicting substantial damage. These accusations are not baseless. The latest investigation into the malware used in Russian attacks against the Ukrainian power grid in December 2016 suggests that the attackers intended to cause long-lasting damage to the power distribution. Had the malware worked as expected, power outages might have lasted weeks or even months instead of the one-hour outage that took place. [6]

News reports from last summer appear to confirm the ODNI assessment of Russians probing the US critical infrastructure. A threat actor dubbed Xenotime, or Triton, has been witnessed to "probe[] the networks of at least 20 different US electric system targets, including every element of the grid from power generation plants to transmission stations to distribution stations". [7] The US cyber units have also reportedly been penetrating the Russian grid more widely and aggressively than ever before. A new, more aggressive mode of operation reflects the thinking of new leadership and also more permissive legal frameworks governing the operations. Moreover, the more aggressive operational posture can be seen not only as preparation for retaliatory actions but also as a signaling tool flashing a warning light to the Kremlin. [8]

The Indian Kudankulam nuclear power plant (NPP) was subjected to a cyber-attack. After first denying the attack, the Indian authorities later confirmed that the administrative systems had been infected by DTrack malware. Some analysts have voiced views that contradict the official version and suggest the penetration to have been worse than reported. The DTrack malware has been linked to the Lazarus group, which is tied to North Korea. The same malware has been reported to have been used to siphon financial information from Indian targets. [4] Kudankulam NPP is a collaboration project between Nuclear Power Corporation of India Limited and Russian Atomstroyexport, a subsidiary of the Russian state-owned Rosatom. [10]
LESSONS LEARNED
1. The vulnerability of the energy sector and the national power grid to attacks emanating from the cyber domain has been publicly known for more than two decades. Also, more information has been released into the public domain in recent years on cyber threat actors targeting critical infrastructure, together with their operating patterns. Nevertheless, a lot of work still remains to be done to make the energy sector more secure, including taking full advantage of the existing security-enhancing frameworks, such as the one from NIST.
2. Despite the fact that in many countries both energy production and distribution are fully privatized civilian enterprises, nation states view them as a strategic target with significant impact in their planning. Thus, it is safe to assume that probing, penetration, and foothold-securing activities will continue in energy sector systems on all levels. Moreover, conducting such activities can be used as a tool for diplomacy and signaling. Lastly, it is probable that cyber activities and targeting are supported by more conventional means of intelligence collection, such as human intelligence.
3. The deterioration of the overall security situation both regionally and globally will ensure that small countries, too, are seen as areas where the forward positioning of implants and conflict-time preparations need to be conducted well ahead of any foreseeable conflict.
4. In addition to geopolitics, tough diplomacy, and conflicts, criminal motives, such as collecting ransom, may also be the driving force behind attacks against critical infrastructure in general, and the energy sector in particular.
1. The White House (1998), Presidential Decision Directive/NSC-63, May 22, 1998. https://fas.org/irp/offdocs/pdd/pdd-63.htm.
2. Kari, Martti J. (2019) Russian Strategic Culture in Cyberspace: Theory of Strategic Culture – a tool to Explain Russia’s Cyber Threat Perception and Response to Cyber Threats. Doctoral dissertation, University of Jyväskylä. https://jyx.jyu.fi/handle/123456789/65402.
3. The Security Committee, Finland’s Cyber Security Strategy 2019. October 3, 2019. https://turvallisuuskomitea.fi/wp-content/uploads/2019/10/Kyberturvallisuusstrategia_A4_ENG_WEB_031019.pdf.
4. United States Government Accountability Office (GAO) (2019) Critical Infrastructure Protection – Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid. August 2019. https://www.gao.gov/assets/710/701079.pdf.
5. Coats, Daniel R. (2019) Worldwide Threat Assessment of the US Intelligence Community. Office of the Director of National Intelligence, January 29, 2019. https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf.
6. Greenberg, Andy (2019) New Clues Show How Russia’s Grid Hackers Aimed for Physical Destruction. Wired, September 12, 2019. https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/.
7. Greenberg, Andy (2019) The Highly Dangerous 'Triton' Hackers Have Probed the US Grid. Wired, June 14, 2019. https://www.wired.com/story/triton-hackers-scan-us-power-grid/.
8. Sanger, David E., Perlroth, Nicole (2019) U.S. Escalates Online Attacks on Russia’s Power Grid. The New York Times, June 15, 2019. https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html.
9. Cimpanu, Catalin (2019) Confirmed: North Korean malware found on Indian nuclear plant's network. ZDNet, October 30, 2019. https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/ & Findlay, Stephanie (2019) India confirms cyber attack on nuclear power plant. Financial Times, October 31, 2019. https://www.ft.com/content/e43a5084-fbbb-11e9a354-36acbbb0d9b6.
10. Chaudhury, Dipanjan Roy (2019) Kudankulam power plant 3rd unit moves towards operationalisation ahead of PM's Russia trip. The Economic Times, August 19, 2019. https://economictimes.indiatimes.com/industry/energy/power/kudankulam-power-plant-3rd-unit-movestowards-operationalisation-ahead-of-pms-russia-trip/articleshow/70736031.cms.
ENERGY SECTOR STRATEGIC REVIEW #1 CASE: NORSK HYDRO ASA
Norwegian aluminium and renewable energy company Norsk Hydro ASA was hit by a ransomware attack on March 19, 2019.1 The attack had a major impact on the company’s operations, as data on the company’s PCs and servers was encrypted and rendered useless by malware. The worst-hit part of the company was Extruded Solutions, which has a global production footprint with more than 20,000 employees and yearly revenue of nearly 1.5 billion euros.2 The attack, which was apparently conducted using the non-self-propagating LockerGoga ransomware3, hit 22,000 computers on 170 sites across the globe. Some analysts have suggested that the entry vector was at Norsk Hydro’s site in the US, which would have enabled the perpetrator to bypass the Norwegian early warning system, VDI.4 According to news reports, the ransomware impacted the work of the entire workforce, including forcing the production lines to revert to manual operations.
Norsk Hydro refused to pay the ransom and instead enlisted outside help for recovery support. In addition, they contacted the national authorities, including Norway’s National Investigation Service (Kripos) and the Norwegian National Security Authority (NSM), informing them about the attack. Sharing the information has helped authorities to thwart similar attacks.5 The company’s response has also been applauded for its overall transparency, as the company has openly shared information regarding the attack.6 The company’s latest update from November suggests that the company has resumed normal operations, while an archived page snapshot from May indicated that the company was at that point still forced to use manual operations and various workarounds in order to continue its business.7
LESSONS LEARNED
All manual operations and workarounds increased costs, as processes were slower and not running as intended, while at the same time decreasing value creation, both impacting the bottom line. Additional costs from the attack were incurred as assets, such as computers, were lost and external consultation services were bought to support the company in its recovery effort. The company estimated in its third quarter report the financial impact of the attack to be around 550-650 million NOK, or 54-64 million euros, for the first half of 2019, with limited impact on third quarter figures.8 The attackers had demanded a ransom in bitcoins, but had not disclosed the sum they were after.9 While the company has reported having robust cyber insurance in place, by the end of the third quarter Norsk Hydro reported that it had received only around 3 million euros, or roughly 5 percent of the estimated costs and losses of the attack, in compensation from the insurers, including AIG. The company’s market capitalization, as calculated from the company’s stock price, stands at the time of writing at 87 percent of the market capitalization before news of the attack started to circulate in public.10
At this point, the attack appears to have been a criminal operation in which the perpetrators, over a prolonged period of time, managed to gain and maintain access to Norsk Hydro’s systems, widened their footprint while learning more about the IT landscape, and prepared for the launch of the malware.
Even though it is a major event as it stands, Norsk Hydro’s case could have been much worse if the systems controlling the smelting process had been rendered useless, causing the metal to solidify and stopping the operations.11 While nothing at this point links the attack to a nation state actor, or their proxy operator, it is not far-fetched to think how an attack like this could disrupt and damage nationally critical production lines at the time of an impending crisis, when the production would be needed, for example, in support of a national defense effort. Similarly, such attacks could be used in global competition to damage a competitor’s reputation and ability to deliver products to its customers. This holds true particularly at times of heated geopolitical competition and economic warfare, like we currently have.
1. https://www.hydro.com/en/media/on-the-agenda/cyber-attack/
2. https://www.hydro.com/en/about-hydro/our-business/extrudedsolutions/
3. https://www.us-cert.gov/ncas/current-activity/2019/04/01/MSISAC-Releases-Security-Primer-LockerGoga-Ransomware
4. https://blog.knowit.eu/insight-eu/serious-cyber-attack-onnorwegian-firm-hydro
5. https://www.wsj.com/articles/investigators-warned-othercompanies-after-norsk-hydro-attack-11566552601
6. https://www.bbc.com/news/business-48661152
7. https://web.archive.org/web/20190519074049/https://www.hydro.com/en/media/on-the-agenda/cyber-attack/
8. https://www.hydro.com/en-DE/media/news/2019/third-quarter2019-ramping-up-production-in-brazil-declining-marketprices/
9. https://www.amm.com/Article/3890250/How-the-Norsk-Hydrocyberattack-unfolded.html
10. https://www.bloomberg.com/quote/NHY:NO
11. https://www.wired.co.uk/article/norsk-hydro-cyber-attack
12. https://www.bloomberg.com/news/features/2019-12-03/merckcyberattack-s-1-3-billion-question-was-it-an-act-of-war
1. According to some sources, Norsk Hydro’s recovery process represents a gold standard among private sector companies with a global footprint. They reacted quickly and decided not to pay the ransom, they communicated clearly and transparently with the media and their investors, they quickly enlisted outside help to support the recovery process and notified national authorities, and finally they successfully reverted to manual operations where it was deemed necessary. All of the above indicates a good level of preparedness, existing contingency plans, and a series of exercises that have covered the response to a cyber-attack. Sharing information with authorities prevented some similar attacks from taking place elsewhere. Norsk Hydro even showed a fair share of creativity in their response, as they called back some of their retirees to support the manual operations.
2. The level of compensation from cyber insurance can be surprisingly low; in this case it is currently around 5 percent of the known damages and business losses. Compensation processes are also lengthy and resource-consuming. Moreover, as the recent Merck case suggests, attacks considered to be terrorism or acts of war, like the notorious NotPetya case, may fall completely outside insurance policy coverage.12
3. Criminal organizations do possess capabilities similar to those of nation state actors and can cause major damage to their targets and also to the wider economy, as the impacts and collateral damage ripple through the value chain.
4. The global footprint of a company may lead to a situation where matters such as local jurisdiction and export restrictions cause different geographic locations of the company to have varying levels of protection against cyber threats, while at the same time having access to the same shared global IT infrastructure. Similarly, a global footprint introduces the risk of becoming either a target of, or collateral damage from, an attack with links to geopolitical competition.