MAGAZINE
Special media of strategic cyber security
2021/1
IS IT POSSIBLE TO PREDICT HOW THE CYBER YEAR 2021 WILL UNFOLD?
THE CHALLENGE OF COUNTERING HYBRID THREATS
QUARTERLY REVIEW Q4 2020
Holistic Approach Is Necessary to Solve the Security Issues of This Decade
CONTENT 2020/4
Is it Possible to Predict how the Cyber Year 2021 will Unfold?
5 things to focus on in 2021 to cybersecure your business
Bad News Concerning SolarWinds Supply Chain Attack Will Continue to Unfold for Quite Some Time More
The Challenge of Countering Hybrid Threats
Strategic Cyber Security Situational Awareness
A Cyber Secure Strategy or Strategic Cyber Security?
Cyberwatch Quarterly review
Credible Security = Facts + Perceptions
Holistic Approach Is Necessary to Solve the Security Issues of This Decade
Cyber espionage: the problem that isn’t
Protecting your critical infrastructure in scale
Cyberwatch Magazine
Special media of strategic cyber security
PUBLISHER Cyberwatch Finland Tietokuja 2 00330 Helsinki Finland www.cyberwatchfinland.fi
PRODUCER AND COMMERCIAL COOPERATION Cyberwatch Finland team office@cyberwatchfinland.fi LAYOUT Atte Kalke, Vitale atte@vitale.fi ILLUSTRATIONS Shutterstock ISSN 2490-0753 (print) ISSN 2490-0761 (web) PRINT HOUSE Scanseri, Finland
Editorial
Is it Possible to Predict how the Cyber Year 2021 will Unfold? // Aapo Cederberg
The exceptional year of 2020 has ended, which has brought various aspects of cyber security into the limelight. The Covid-19 crisis has caused an unprecedented digital leap through teleworking and other new digital services. Alongside this digital leap, a cyber leap is also required in order for the security of electronic services to evolve simultaneously with digitalisation. In practice, this means creating a new and credible cyber culture. The management of every company and organisation must outline a logical course of action starting with proper cyber situational awareness and a continuous up-to-date cyber risk analysis. The role of senior management is to make timely decisions and allocate sufficient resources to develop people’s ability to adopt new innovative technologies and to embed a cyber security culture in line with the company’s security culture and business strategy. Last year, we witnessed the increase of new variants of cyber operations and the consistent growth of cybercrime. The question arises as to whether this came as a shock. Maybe not; perhaps the alarming developments in the cyber world were not taken seriously. At the beginning of last March, FISC (Finnish Information Security Cluster), for the first time, organised an event where Finnish cyber security companies presented their estimates on the cost of future cyber development. Corona, its explosive spread, and its impact on our operating environment were not mentioned in any forecast; however, other costs were brought up in one way or another. Were they taken seriously? Perhaps not. However, preparing for future cyber threats is a basic condition for the success of all companies, especially in the future, as this past year has shown us. The Cyberwatch Finland team reviews the development of the cyber world through quarterly reviews and by developing foresight with, for example, an artificial intelligence-based cyber engine. Developing foresight, however, is made difficult due to global interdependence.
Everything is connected and black swans are unavoidable. Global politics influence the direction of cyber operations and the selection of targets, and conversely, successful cyber operations always cause a political crisis. This link is stronger than ever before, and cyber attacks are increasingly used to influence political decision-making. Russia and China have strengthened their capabilities by building their own independent Internets including all applications and are improving their satellite systems. Securing one’s own operating conditions is important if one wants to paralyse the opponent’s operational capacity and at the same time safeguard one’s own financial interests. Global political tensions are rising, and this was quite evident in the target choices for cyber operations and their set goals. Examples of this are the attacks on FireEye and government structures in the United States. The risk of escalation increases when nuclear weapons are targeted, in particular the firing and control systems. Concerns about this development were also expressed by the Chief of the General Staff of the Russian Armed Forces, General Valery Gerasimov. At the same time, he denied that Russia had been behind the cyber operations against the US. This is essentially a cyber world “cat and mouse game”, that is being used to reach the desired results in information influence operations. The attacks on FireEye demonstrate how cyber companies are becoming an interesting target. It is particularly worrying, that the attack tools developed over the years by white-hat hackers may have fallen into the wrong hands. This reminds us that no one is safe. The long-predicted storm and increase in the volume of attacks on healthcare providers has been a special corona phenomenon, as the importance of healthcare as a supercritical target has only been further emphasised. 
Adherence to the hybrid principle in ransomware attacks was also an ingenious new innovation, blackmailing money from companies and organisations, but
also from victims of data leaks. Some state actors increasingly use the services of criminals, and the concept of crime as a service is growing. The phenomenon of global technology giants being targeted is also on the rise, as they are key components in global interdependence. We received a sample of this when a cyber attack paralysed Google’s services globally; at many remote workstations, operations came to a standstill. On 16 December 2020, the EU presented a new cyber security strategy. It was met with high expectations. However, will the goals in regard to leadership, pioneering and independence be met, as the strategy continues to follow the EU’s diplomatic and governing approach in defining proposals and initiatives in terms of regulation, investment and politics? The three main areas of the strategy are defined as:
1. Resilience, technological sovereignty and leadership.
2. Developing operational capabilities to prevent, deter and respond to threats.
3. Promoting a global and open cyber environment through increased cooperation.
The Cyber Security Strategy aims to strengthen the EU’s leadership in international norms and standards in the cyber environment, and to work more closely with partners around the world to promote a global, transparent, stable and secure cyber environment based on the rule of law, human rights, fundamental freedoms and democratic values. As part of a comprehensive digital security and development package, the EU’s new cyber strategy will remain somewhat ambiguous, leaving many goals to be desired. The need for leadership is acknowledged in the strategy, but practical implication depends on national measures. Cyber regulation is underdeveloped, yet no additional support will be given by the EU, even if it is thought to be part of the EU’s role. The EU’s digital independence has been emphasised; however, this will not be achieved through these measures.
In particular, China and the United States are gaining ground as they compete for global leadership. On a positive note, cyber security has become more widely integrated into the development of the digital future and European security cooperation. The most significant part of the strategy is the reform of the Network and Information Security Directive, i.e. the NIS 2 Directive. Planning and executing cyber operations require information about the activities and vulnerabilities of the targets. The increase in cyber espionage and the
information generated from data leaks are utilised in the selection of targets and the development of attack tactics. Government intelligence services make use of key data collected both by themselves and by criminals. Cyber espionage is a continuous activity that requires long-term perseverance. The ability to analyse and combine data is important in increasing the agility of cyber attacks. This data is becoming increasingly valuable on the black market and opens new business opportunities for cyber criminals. The easiest way to develop cyber security is to prevent cyber espionage by building a better cyber security culture. This is done by improving skills, practices, and technology. There are always economic interests behind global politics. This was reflected in the 5G discussions last year. Technologically, these are new generation systems that are also of great economic interest. This is a particularly critical area for national security. Cyber espionage and the necessary back doors have become the focus of attention. Digital independence and trust are pivotal. Many countries are questioning the reliability of cyber partners and how much they are willing to pay for digital independence. Teleworking is not the only matter evoking change. Urbanisation, the development of smart buildings and homes as well as logistics systems are based on the continuous development of digital systems. At the same time, their vulnerabilities and the risk of cyber attacks increase. The principle of “secure by design” is prominently talked about, but its practical implementation is unfamiliar. In the future, architects, space designers and even condominium management agencies need to understand digital and cyber security and take them into consideration in their work. Cyber security must be comprehensively involved throughout the life cycle of buildings and systems. Cyber attacks have increasingly evolved into military weapons as well.
We have seen cases in the Middle East where traditional attacks have been replaced by cyber attacks. The skilful selection of targets generated a substantial impact and thus achieved the military objectives set for the operation. Many military experts say we are entering an era where an effective defensive cyber defence is no longer enough, and the focus needs to be shifted to developing offensive capabilities. These developments were predicted a year ago and they will certainly continue next year. Of course, black
swans will occur this year as well. In light of previous predictions, it seems that the playing field will continue to intensify, and targets that will allow one to achieve their desired goals and cause global chaos will be sought out. Satellite systems, and in particular their control and support ecosystem, offer good conditions for this. In order to recover from the corona crisis, economic development is extremely important. Therefore, influencing the various domains of the economy will certainly become a target of cyber operations using
newer and smarter techniques. The importance of foresight will increase in the future and new innovative strategic cyber security solutions are needed. The importance of smart cyber security strategies is emphasised. It is necessary to predict the future in order to prepare for future cyber challenges and secure the new normal digital “post-Covid” era. Competence development and new innovations are essential to provide a good precondition in meeting future challenges.
AAPO CEDERBERG Managing Director and Founder of Cyberwatch Finland Chairman of Cyber Security Committee of World UAV Federation (WUAVF)
The Challenge of Countering Hybrid Threats // Dr Teija Tiilikainen
Hybrid threats are unconventional threats that challenge the comprehensive security and stability of democratic societies. They take advantage of the values of open and democratic societies by turning them into a major source of insecurity. Forms of hybrid action are not necessarily illegal; they tend rather to operate within a grey area between legal and illegal. Due to their ambiguous and hybrid nature these threats cause great difficulties for their target countries in finding the appropriate measures to fight against them. It is typical of hybrid threats, perpetrators of which are undetectable, to make existing legal or law enforcement mechanisms unusable. Countering hybrid threats is one of the key concerns among democratic states today.
THE INTERNATIONAL ENVIRONMENT
There are several transitions taking place in the current international system. There has been a major shift in the balance of power among states, whilst, simultaneously
new types of actors are strengthening their position in international politics. The number of powerful non-state actors, from intergovernmental organisations and multinational companies to terrorist groups and even powerful individuals, is growing immensely. These trends have led to a gradual weakening of the post-war international order, including its norms and institutions and the mutual trust among its actors. Such an environment of transition and disorder provides a fertile ground for unconventional instruments of power. These ‘hybrid means’ are partly linked to the conflicting values in the current international system and the efforts of non-democratic states to take advantage of vulnerabilities within the political and societal systems of their democratic counterparts. They can be equally linked to the efforts of weaker actors to balance the shortcomings in their power arsenal. This threat environment also nourishes an emergence of unconventional alliances between states and non-state
actors in promotion of shared interests. The unconventional power instruments such as disinformation campaigns, cyber attacks, disturbance of critical infrastructure, election interference or even different forms of hybrid warfare are cost-efficient in comparison to the more conventional forms of power politics. They are also much more difficult to attribute, lowering the risks of countermeasures and sanctioning.
COUNTERING HYBRID THREATS
Countering hybrid threats forms a challenge for Western actors, be they state actors, the EU or NATO. Firstly, they have to be capable of protecting their societies without compromising their key values. Modern societies’ technological vulnerabilities form another challenge when taking into account the existing interconnectedness of critical infrastructures and possibilities to affect their functioning via cyberspace. A third challenge can be discerned in the vulnerabilities of the rule of law. Many forms of hybrid action take advantage of gaps in the normative frameworks, national or international, or operate within a grey area between what is legal and what is not. This kind of action causes serious problems for democratic governments to take action and protect themselves as both the nature of the attack and the legal basis for necessary countermeasures remain ambiguous. Cooperation among the democratic states is the key in countering hybrid threats. Along with their Member States both the EU and NATO have strengthened their policies and preparedness vis-à-vis hybrid threats during the past few years. As complex institutional entities, they share the same vulnerabilities in regards to their
functioning and integrity. Furthermore, their tasks and mandates require them to act in support of their Member States in this field. The EU and NATO have thus consolidated their efforts in responding to hybrid threats and enhancing the resilience of their Member States through different policy instruments, new institutional structures and practices, including better coordination and sharing of good practices. Fields in which both organisations have been active are cyber security and critical infrastructure protection. For the EU’s part, enhancing resilience takes the form of legislative projects and mapping vulnerabilities in major fields of critical infrastructure protection. NATO approaches this issue through its policies on civil preparedness, which has been gaining new momentum recently. Both organisations are focusing on the challenge posed by cyber security, recognising the vulnerabilities of their own functions, and those of their Member States. NATO thus declared cyber defence as a part of its collective defence and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as in any other domain. Apart from its strengthened legislative measures, the EU has established cyber defence projects within the framework of Permanent Structured Cooperation (PESCO) and agreed on a foundation for sanctions against cyber attacks constituting a threat to the Union or its Member States. Countering hybrid threats became one of the topics for the new strategic partnership between the EU and NATO, on which the organisations agreed in 2016. In their Joint Declaration the two actors decided to boost their activity to counter hybrid threats by working together on analysis, prevention, and early detection,
through timely information sharing and cooperating on strategic communication and response. As a part of the implementation of the Joint Declaration, EU and NATO encouraged the Member States of both organisations to participate in the European Centre of Excellence for Countering Hybrid Threats (CoE) established in 2017. This CoE has currently 29 participating states covering most EU members and the US, Canada, Turkey, Norway and Montenegro of NATO’s non-EU
members. The CoE covers a wide range of projects aiming to analyse various forms of hybrid action, make their forms and the strategies of the actors behind them visible and thus enhance the resilience of its participating states. The CoE operates as a network-based organisation; it brings together experts from its participating states to share experiences and good practices. The CoE is an additional key interlocutor, for the key EU and NATO bodies in countering hybrid threats, sharing the outcome of its work to these key bodies. In accordance with its original goal, the CoE provides a joint platform for the two organisations in countering hybrid threats and building resilience. By raising awareness, deepening co-operation and providing innovative and better suited policy tools the CoE contributes to the protection of Western democracies against hybrid threats.
TEIJA TIILIKAINEN
Teija Tiilikainen is the Director of the European Centre of Excellence for Countering Hybrid Threats. Previously, she was the Director of the Finnish Institute of International Affairs (2010-2019) and has been the Director of the Network of European Studies at the University of Helsinki (2003-2009). She has also served as Secretary of State at the Ministry for Foreign Affairs of Finland from 2007 to 2008. She was a member of the European Convention in 2002-03 and a member of the Panel of Eminent Persons on European Security as a Common Project led by Ambassador Wolfgang Ischinger in 2015-16. In 2018, Dr Tiilikainen was nominated part-time professor (non-residential) at the European University Institute (School of Transnational Governance) in Florence. She is currently the vice-chair of the executive board of the University of Helsinki.
Strategic Cyber Security Situational Awareness // Martti Lehto
Today’s leaders and decision-makers need efficient strategic cyber situation awareness to secure sensitive data, sustain fundamental operations of society, and protect national infrastructure. The cyber security approach requires properly measured cyber threat intelligence, real-time cyber-attack detection and, especially, the capability for early warning of cyber-attacks.
There is a wide range of Internet threats and attacks, from viruses and worms to distributed denial of service (DDoS) attacks, data theft, data manipulation and critical infrastructure paralysis. Many proactive techniques have been proposed to deal with these threats. All these techniques pursue the same goal: preventing attackers from reaching their objectives. There are different systems for a proactive approach against cyber security threats. Those are carried out through the early detection of potential malicious action of a system, evaluating the scope of malicious action, and using or proposing a suitable response against any kind of detectable security event.
SIGNIFICANCE OF CRITICAL INFRASTRUCTURES
Securing the continuity of critical infrastructure operation and rapid recovery from incidents are particularly vital in order to minimise the knock-on effects of service outages on society’s functions. The forming and maintenance of cyber security situational awareness at different levels of responsibility of critical infrastructure operation and making the decisions needed in each individual situation play a key role in continuity management. The complex interdependencies of critical infrastructures necessitate extensive situational awareness with broad coverage regarding the national cyber security situation and the factors affecting it. Timely decision-making by the Government and the authorities can be supported by producing the strategic situational picture of cyber security needed to manage the securing of society’s vital functions. The situational picture system is used for the management of different incidents and emergencies, data collection and analysis, communications, decision-making, and leadership. The strength of organizations’ situation awareness is the possibility to learn about threats directly from their own operating network or partners and the use of announcements of the National Cyber Security Centre. On the other hand, overall situation awareness is often based on scattered data, and obtaining situation awareness of the entire operating network is challenging. Real-time situation awareness of IT assets and operational technology (OT) is also challenging.
EU PERSPECTIVE
The EU lacks collective strategic situational awareness of cyber threats. This is because national authorities do not systematically gather and share information - such as that available from the private sector - which could help assess the state of cybersecurity in the EU. The latest EU cybersecurity strategy (16.12.2020) emphasizes the importance of the situation awareness and early warnings on cybersecurity incidents to authorities and all interested stakeholders. To this end,
the EU Commission proposes to build a network of Security Operations Centres (SOC) across the EU, and to support the improvement of existing centres and the establishment of new ones. Through sustained cooperation, this network will provide warnings on cybersecurity incidents, including the Joint Cyber Unit. A Joint Cyber Unit would serve as a virtual and physical platform for cooperation for the different cybersecurity communities in the EU, with a focus on operational and technical coordination against major cross border cyber incidents and threats.
CHALLENGES OF THE CURRENT STATE IN FINLAND
Based on the research in 2017 in Finland the situational picture of the cyber environment is fragmented, and any understanding of it as a whole is based on information shared between the authorities, the private sector, researchers and experts. A situational picture that would cover all national cyber environment actors is not being put together and analysed, and capability for making decisions is lacking. Lack of powers prevents the creation of efficient observation capability and thus a cyber security situational picture needed for effective management. While different actors have systems built for their own use, shared national situational awareness that could be used both at the strategic and operative level is lacking. The current operating model is sufficient for managing minor cyber-attacks, but situational awareness and understanding are inadequate for thwarting complex and extensive attacks. The structure for maintaining situational awareness was improved as the strategy was formulated, but it continues to have shortcomings at the practical level. Yet unresolved questions are associated with maintaining a shared situational picture, including who needs what information, on what cycle it is needed, and what type of information is required. From the perspective of improving cyber security preparedness, we must be able to trust that information will flow during incidents and that the actors will know how to respond to it as indicated by their duties. In terms of the strategic-level situational picture, the fact that private sector actors do not generally bring the violations or data break-ins observed by them to the attention of the authorities is problematic. The reason for this frequently is the confidentiality of data and risks to reputation. Due to the complexity of the cyber environment, an ability to analyse all observations would be vital, as events in the cyber environment can only be understood through an analysed big picture. 
ANALYSIS OF THE CURRENT STATE OF CYBER SECURITY SITUATIONAL AWARENESS
The different parties involved in developing national situational awareness should be able to improve their
operations through more effective technical methods, strengthen network-based operation and focus on utilising artificial intelligence methods in shared use. The most significant organisations associated with the functional capacity of Finnish society have developed a relatively good ability to observe the situational picture for the part of technical capabilities. Their ability to do so is also improved by networking within their sectors and partly also more extensively, which is supported by good cooperation between the authorities and the private sector. The significance of situational awareness shaped by different organisations’ situational pictures (situational picture and its analysis) for the management of entire national cyber security is crucial. The response to national incidents consists of the techniques used by different organisations, procedures developed for responding to incidents, and the observation data of different trust networks. This fragmented ability to observe the organisation-specific situational picture and the data reserves it entails could also be used in the analysis phase of large-scale incident management. Preconditions for this arrangement would include the strategic cyber security situational awareness, the creation of joint operating models and an arrangement based on voluntary exchange of information. A joint data warehouse would enable the further processing of information to analyse a large-scale incident. The required analysis capabilities could be implemented as a network (virtual analysis).
MARTTI LEHTO
Professor in Cyber Security, University of Jyväskylä
Martti has over 30 years of experience mainly as developer and leader of C4ISR Systems in Finnish Defence Force and Air Force. I’m a PhD (Military Sciences) and working as a Professor (Cyber Security) in the Faculty of Information Technology at the University of Jyväskylä. I’m also Adjunct professor in National Defence University in Air and Cyber Warfare. My research interest is Cyber Security and Cyber Defence. I have over 150 publications and research reports on areas of C4ISR systems, information warfare, security and defence policy, leadership and management. Since 2001 I have been the Editor-in-Chief of the Military Magazine which is the leading military publication in Finland.
Specialties: Cyber Defence and Security, Air Power and Cyber Security, C4ISR Systems, Military materiel procurement, Systems Thinking
The research mentioned in the article was carried out at the University of Jyväskylä: Lehto M., Limnéll J., Kokkomäki T., Pöyhönen J., Salminen M. Strategic leadership of cyber security in Finland, Publications of the Government’s analysis, assessment and research activities 28/2018
CONCLUSION
Due to the increasing attack surfaces on IT / OT and critical infrastructure systems and limited national cyber capabilities, the number of service disruptions and cyber-attacks against essential systems and networks is constantly rising. Therefore, strategic cyber situational awareness is absolutely essential. The different parties involved in developing national situational awareness must be able to improve their operations through more effective technical methods, strengthen network-based operation and focus on utilising technical methods in shared use. Efficient cybersecurity for the networked complex critical infrastructures of a nation is a challenging task. In this task, strategic cybersecurity situational awareness is a cornerstone to ensure that all systems vital to society are protected in a meaningful way. However, strategic cybersecurity situational awareness can be built in various ways. Several artificial intelligence-based monitoring and analyzing techniques can be applied. The usage of situational awareness varies from short-term operational to long-term strategic decision making. The national strategic cyber-policy, appropriate legislation, and its suitability to improve strategic situational awareness are key criteria and imperative for national resilience.
Holistic Approach Is Necessary to Solve the Security Issues of This Decade // Jarno Limnéll
It is time to refresh the discussion covering hybrid threats and bring it to a new level in order to succeed in the emerging security environment of the 2020s. Hybrid threat means combining and synchronizing different means and methods of influencing, and acting in a covert and deniable way, aiming to confuse the adversary or disrupt their actions without crossing the threshold of war. Such a way of engaging adversaries in the so-called gray zone is expected to play an increasingly prominent role in conflict during this decade. One of the key challenges in the current security environment plagued by hybrid threats is to keep pace with the ever accelerating development of technology and the society-wide tide of digitalization. As a megatrend, technology becomes one with everything, turning ubiquitous, and thus calls for strong political attention together with honest evaluation of the security implications of the developments. Looking at this challenge from the security perspective, it becomes clear that an ever-greater level of estimation and foresight is needed together with an ability to assess hybrid threats and risks of technology misuse. As a concrete example, if we prepare ourselves for election meddling by an external hostile party only by
taking into account the interference tools and methods that we have witnessed to have been used and those that we have experienced earlier by ourselves, we are doomed to be always one step behind. On the other hand, it is necessary for us, and the decisionmakers, to admit that we will never be able to anticipate all the possible risks and avenues for attack. Hybrid threat environment challenges citizens, business leaders, and political decisionmakers in particular in many new ways. For example, thinking about the concept of deterrence in the current threat space, or pondering proportional response to spread of fake news and or data manipulation targeting critical national information assets, new kinds of ‘red lines’ must be drawn, contingency plans created and political guidance envisioned and established. Thus, it is fair to say that today´s technology related security questions have truly entered the realm of high politics. A holistic approach to security is needed more than ever in the 2020s. Driving this need are the above discussed developments, where cyber operations and hostilities are increasingly becoming more integrated with other types of operations and hostilities forming into hybrid threats. Even if the role cybersecurity and technology will be emphasized more in political security
analysis, a holistic perspective is essential to understand the big picture. A holistic approach is particularly needed when trying to understand various kinds of complex interconnections between different risks. Individual risks should not be separated under isolated assessment from the holistic security context, strategic approach and political decision-making.
Hybridity is a useful concept in thinking about the current security issues, since it embraces the interconnected nature of today’s threats and risks that we are experiencing. It also illustrates well the multiplicity of actors and the diversity of threats. Therefore, in politics “hybrid politics” is a cogent term to describe both the importance of a holistic approach and the importance of including also high politics in these matters. One challenge lies in the fact that current policy actions and responses are based on a rather static and siloed situational understanding of the security environment, not fully recognizing the dynamic and holistic nature of hybridity. With a more inclusive hybrid politics approach, it will be possible to find better answers also to current cyber challenges in the hybrid security environment.
Many societies have embraced the concept of comprehensive security as a necessity in order to provide security to their citizens, improve their resilience, and prepare the societies for still unknown threats. In the comprehensive security model championed by countries such as Finland, national security is built in tight, trust-based cooperation between the authorities, members of the business community, non-governmental organizations, and citizens. The model is inherently inclusive: everyone can contribute to the shared security. But that is not yet enough, as in hybrid politics it is necessary for us to think further. Collaborative thinking should extend even further than today, especially when preparing for threats that are not confined to national boundaries. Despite some recent isolationist tendencies in global politics, a co-operative approach between “like-minded nations” and with “like-minded global companies” is a prerequisite when countering effectively both current and emerging security threats. For us to be successful, “shared responsibility” and “together”, instead of “alone” or “first”, have to become the keywords in this decade’s security thinking.
JARNO LIMNÉLL
Professor, cybersecurity, Aalto University
CEO, Tosibox
Jarno Limnéll is Professor of Cybersecurity at Aalto University, Finland, and an adjunct professor in three other Finnish universities. He has been working with security issues for over 20 years, and has a profound understanding of the global threat landscape, combined with the courage to address the most complex issues. Professor Limnéll has published a comprehensive list of works on security issues.
“It is increasingly important that we understand what is happening in the cyber domain and how different trends are affecting our activities. Cyberwatch provides excellent strategic situational awareness reviews and I strongly recommend it.”
It is wise to learn from the past, and yet, the future requires even more from us. We listed five lessons for business leads on how to improve the cybersecurity of their business in 2021.
// Mika Hållfast
A smart person learns from other people’s mistakes
In addition to the coronavirus pandemic, the year 2020 will be remembered for its cybersecurity news. The top news story in Finland was the Vastaamo case: a database with sensitive patient information was breached. The information security company FireEye’s difficulties and the cyberattack against the Parliament of Finland also made the headlines. Some good points can be drawn from these examples.
1. MERE RESOURCES ARE NOT ENOUGH TO PREVENT CYBERATTACKS
FireEye has probably the best possible professionals and technological solutions to secure their business. The same is true of the Parliament. A central governmental actor must have had sufficient resources and been very familiar with the threat landscape. But the opposing side has many aces up its sleeve. First of all, it has complexity on its side. An IT environment comprising thousands of components must always be configured in the right way and always be updated to the latest versions. Secondly, the opposing side has time on its side. It doesn’t care about working hours – at least not the Finnish Working Hours Act. Nights, weekends, and holidays shouldn’t have an effect on abilities.
– Resources are not enough to prevent cyber problems. However, their likelihood and impact can be significantly lowered with resources well spent.
2. YOU CAN’T PROTECT EVERYTHING
According to FireEye, the “only” tools compromised were those that are used for the consulting business. The attackers were unable to get their hands on the crown jewels of product development. This is essential in terms of their business continuity. If the source code of information security products had been exposed, the company would probably have faced insurmountable difficulties. The Vastaamo case could have had a better ending if information about confidential therapy sessions and other client information had been separated.
– Choose what you protect, preferably based on risks.
3. DAMAGE CAN BE MINIMIZED WITH GOOD COMMUNICATION
It is interesting to compare how different cyber breach cases have been communicated to the public. Our cases have some good and bad examples. FireEye chose to be honest: “Yes, this happened. Here are the instructions on how to minimize the damage.” It turned out to be a good approach, and the company is probably able to continue its business. This is a good lesson to remember. Prepare a crisis communication plan and test it regularly.
– Communication helps you ride out a bad situation – but only if you master it.
MIKA HÅLLFAST
VP Cybersecurity Development
A seasoned security professional, Mika has 15 years of experience in technology, architecture and cybersecurity. With a keen focus on translating business requirements into technical solutions, Mika works with clients across industries, including government, banking, communications and oil and gas. Currently on secondment to CGI’s global cybersecurity practice, Mika manages the ongoing learning program for CGI’s 1,400 cybersecurity experts, contributes to thought leadership, and speaks at security industry conferences. He also advises on security projects, bringing his practical, business-focused approach to CGI clients around the world.
A smart organization is prepared
A new year has a lot of promise. The impact of coronavirus is likely to weaken towards the end of the year, but the accelerated digitalization it has brought along will not slow down. During 2021, more business processes and other processes will be integrated into automatic or semi-automatic information processing. Manual work is replaced with increasing speed: paper documents, old systems, and communication between people are replaced with automatic and technical tools. This change is naturally driven by efficiency, new business opportunities, and technological advancements, which all guide our choices towards activities that are all the more dependent on cybersecurity. In this way we are all responsible for the future: The next time you consider a new digital process or technology, ask yourself and your team whether you need all the data you gather and whether you have sufficient resources to handle it.
4. IF YOU CAN’T PROTECT, DON’T COLLECT
Are you sure you need all that data? Could your service be offered with less information gathering – less personal data, less confidential information? Are you able to delete the data after it is no longer relevant? Can the information be anonymized before it is transferred, as in Koronavilkku (the Finnish Covid-19 contact tracing app), for example? Is it possible to separate confidential and non-confidential information and to store them separately?
– Information handling comes at a cost. Optimizing that cost starts with gathering less data.
5. CYBERSECURITY EXPENSES ARE PART OF BUSINESS EXPENSES
Cybersecurity expenses have long been part of ICT expenses without a direct link to business. With new digital development projects, a significantly better option would be to budget the costs of the required protection and allocate the costs directly to the activity in question. Too common are those business cases which don’t take into account the costs of protection and, as a result, present the wrong calculations on profitability – this way the true profitability of new digital services is not apparent. Let’s take a classic example of starting an online store. Even though fire insurance, physical locks, and security guards might not be needed, you must take into account the continual updating of software components and application firewalls, and monitoring of information security. The year 2021 is a good time to start allocating cybersecurity expenses to the business that is being protected. That project will not be completed within a year.
Digitalization offers a great promise. With its efficiency it will solve many of the challenges we currently face and produce new opportunities for those who take advantage of it. However, it is wise to learn from the past. Some of us remember the arrival of email – this new service established its position remarkably fast. The information security issues that came along with it, such as spam, encryption, and sender verification, have resulted in decades of fixing. As digitalization speeds up, organizations create dozens of “email systems” every year, and the number of information systems just keeps on growing. IT departments or information security managers don’t have sufficient resources to manage all the maintenance and the control of dependencies.
– Cybersecurity should be an integral part of planning from the beginning.
Happy digital year of promises!
A Cyber Secure Strategy or Strategic Cyber Security? // Timo Kotilainen
The relationship between cyber security and corporate strategy is somewhat problematic. In the long run, it is easy to identify a trend where changing revenue logic and business models are increasingly relying on digital operations. On the other hand, the growing complexity of cyber security tends to increase the severity of the challenge. To be able to consider the strategic dimension of cyber security, coordination and dedication from company management is required. To support this, it would be beneficial to build processes that integrate cyber security into the strategic planning and implementation of a business. As the impact of digitalisation on business grows, from a strategic point of view it would be useful to understand its implications for cyber security. This is rather demanding indeed. Yet many medium-sized companies may not accomplish even a simple and systematic study of the general risks associated with a strategy.
There are certain situations and strategic steps in which a cyber security review should be conducted. One such situation is when a step becomes a leap, a so-called “digital leap”, especially if previous experience, skills and competencies are unsatisfactory. Growing a service business with remote maintenance, taking advantage of 5G in OT systems, opening up e-commerce, etc. require careful consideration of cyber security. The implementation of the strategy is often accompanied by inorganic growth, i.e. acquisitions. Of course, the intentions behind each purchase vary; however, in all cases it is important to understand the cyber security level of each item and the potential required investment. All in all, it can be anticipated that in the future, there will be an increasing need for organisations to examine the cyber security risk territory associated with the strategy in question. If this ability is not found in the organisation itself, one must look for expertise elsewhere.
Strategic cyber security, on the other hand, focuses on business opportunities rather than on risks. What is meant by this is a situation in which cyber security is a major factor in competitiveness. Fewer companies will have to, or will have the opportunity to, consider this possibility. The desired results in the so-called competition come from either lowering costs or the differentiation of services. We are ready to invest in cyber security today, due to the fact that it will significantly reduce the amount and likelihood of greater costs in the future. It is possible, albeit demanding, to find more effective ways to understand risks and measures and thus be more cost-effective than competitors. However, since cyber security investments are only a percentage of a company’s total costs, this fine-tuning is not very relevant in the big picture. Instead, the fact that our own supply is more cyber-secure than that of competitors is relevant. This is certainly more difficult in the consumer business. The consumer is driven by factors other than safety, but the damage to one’s reputation can be fatal, for example in the healthcare sector. In the B2B segment, on the other hand, there is more room for companies to differentiate from one another with cyber security. This has been exploited mainly by companies providing digital services such as video conferencing, e-mail and storage services. But as the value of digital components grows, cyber security becomes an increasingly interesting competitive factor for many more companies.
TIMO KOTILAINEN
The author acts as a cyber security strategy advisor and the Chairman of the Board at Viria Oyj.
Cyberwatch-Magazine News Q4/2020
Credible Security = Facts + Perceptions
The goal of a propagandist is to influence information and how it is received by citizens, especially in elections. Cyber security actors have an important role to play in ensuring that citizens have equal access to information and are able to act accordingly. Hostile actors seek to limit access to unbiased information through, among other things, extensive disinformation and the destruction of trust.
// Dr Antti Sillanpää
The credibility of the U.S. presidential election voting system has been questioned in entirely new ways. Despite the harsh debate, there has been little, if any, evidence. With regard to cyber security, one of the most interesting arguments concerns the role of Dominion Voting Systems, a company that supplies voting systems, in Joe Biden’s election victory. On November 12, 2020, President Trump tweeted: “Report: Dominion deleted 2.7 million Trump votes nationwide.” Sidney Powell, one of Trump’s lawyers, suggested, among other things, that the number of votes received by the Democratic Party on Dominion’s machines increased and that the votes were processed abroad. The allegations also included that the “oligarchs and dictators” set up a company with strong ties to Venezuela, China and Iran. There are also the most peculiar claims about Dominion’s secret algorithms circulating on the Internet.
The company’s reputation management has not been able to calm the storm. In its response, it has revealed, among other things, its private, American ownership. The Canadian-based company points out that the election results can be easily checked. And so it has been done. An MSN feature had counted whether Biden had received more votes in constituencies supported by the Dominion system. Regardless of the counting system, Biden was the winner in the review done by ten constituency states. Harri Hursti, an election security expert interviewed by the New York Times in Georgia, believes that Dominion is being blamed for actions that it is not guilty of. From the perspective of traditional media and fact-checkers, Dominion seems to be telling the truth. However, the company had become a target of Trump supporters already in the previous election. Dominion had donated to the Clinton Foundation, but donations had also been made to the Republican Senate Majority Leader. In a project supported by the Clinton Foundation in the Caribbean, Dominion equipment had been used.
Electronic voting possesses its own risks, which are also anticipated. It is common American practice that processes are decentralised. There are more than ten system vendors, three of which are considerably larger. This contributes to reducing the chance that fraud could be inflicted everywhere.
THE FASTEST HAND WINS
Individuals that seek to defend the truth lag behind when the perpetrator is free to choose its target. Since the information domain is filled quickly, one should, without hesitation, attempt to surpass their shortcomings. In the case of Dominion, it is seen that
fact-checking and traditional journalism did not have time to alleviate the outrage. The idea that foreign forces and the opposition had fiddled with voting devices was planted in the susceptible minds of the people. And this case was just one of many complementary conspiracy theories.
People’s opinions are very difficult to alter. Those who make original claims can always demand more evidence. It is often difficult to give evidence of a non-event. In similar contexts, the Kremlin’s explanations are often such that it disputes the facts presented by others and always demands more information. This cycle of denial and demand for additional information can be extended indefinitely. Action against the truth is hostile, whatever direction it comes from. To disassemble is easier than to repair. It will take decades to repair the trust that has now been tarnished.
ACCESS TO UNBIASED OR DIVERSE INFORMATION
The distributor of disinformation benefits from being able to decide where and when to start spreading fraudulent information. By preventing people from accessing information, the impact of the attack can be enhanced. Opinions are formed so fast that perhaps even a day’s delay can cause irreversible damage. Sharing diverse information during elections is particularly important. This is another reason why the media should ensure its cyber security.
In free societies, there are various routes information can take and its flow is more difficult to prevent. By extensive circulation of disinformation, the assailant can reach the same desired result. The consumers believe it to be true due to the recurrence of similar stories, even if individually they seem inconceivable. Googling ‘Dominion’ will bring up very similar conspiracy theories on the subject.
The coronavirus, new pandemics and the possible fears of terrorism bring about new problems for the voting system. Voters or journalists will not be able to meet the candidates. The reduction in natural contact weakens the link between the voter and the politician and underlines the importance of security, fairness and diversity in digital communications. Social media giants provide us with information, yet whether it is unbiased is unknown. Studies have shown how recommendation algorithms reinforce bubbles. Invisible recommendation algorithms are particularly intimidating because it is not known how they restrict the flow of data. Companies themselves do not currently have enough incentives or regulation to ensure equal and reliable access to information for voters. In addition, we as citizens do not demand better
access to information that we do not like. It is natural for us to surround ourselves with like-minded people and content.
MEASURABLE SECURITY IS ONLY ONE DIMENSION
I discussed the matter of electronic voting systems with two international experts. They were familiar with the systems and their undeniable advantages. The other turned to me and asked about the Finnish approach. I referred to the Finnish paper-ballot-booth voting system when answering: “We are very conservative in this matter. We have a reliable system and we do not want to give it up.” In connection with the previous Finnish elections the Prime Minister’s Office, the Ministry of Justice and the Security Committee launched the “Best Elections in the World” campaign to remind people of the reliability of the system and that one should be proud of our
election system. Finland’s simple and traditional way of voting is understood by everyone. Simple matters are easy to explain. What is easy to explain is credible. Thus, the security of systems must be proven not only by facts but also by intuition and perception. In addition, evidence must be accessible when needed, which is starting to sound like an almost impossible feat. A cyber security system must not only be secure; it must also look, sound and feel secure.
DR ANTTI SILLANPÄÄ
CEO and researcher at Linkitin Oy
Dr Antti Sillanpää and Linkitin support strategy implementation and workforce well-being by providing network analysis of organizations. In addition, research activities include cyber security, co-operation, and information activities. He is currently on leave from the Secretariat of Security Committee of Finland. Between 2015 and 2018 he was assigned to NATO Strategic Communications Centre of Excellence in Riga, Latvia. His post was Chief of the Technical and Scientific Development Branch. Earlier in his career he has worked in journalistic and managerial positions for different television news outlets. He holds a Doctor of Science in Technology degree from the Helsinki University of Technology, a Master of Social Science degree from the Helsinki University and a Master of Economics degree from the Helsinki School of Economics. His doctoral thesis focused on networks, competition, and strategies. You can find more at linkitin.fi.
MORE ABOUT THE TOPIC:
https://www.dominionvoting.com/election2020-setting-the-record-straight/
https://www.businessinsider.com/sidney-powell-hypes-election-lawsuit-despite-trump-disowning-2020-11?r=US&IR=T
https://www.reuters.com/article/uk-factcheck-dominion-software-trump-law-idUSKBN27S2Z9
https://www.msn.com/en-us/news/politics/swing-state-counties-that-used-dominion-voting-machines-mostly-voted-for-trump/ar-BB1bxn03
https://www.nytimes.com/2020/11/11/technology/no-dominion-voting-machines-did-not-delete-trump-votes.html
https://en.wikipedia.org/wiki/Dominion_Voting_Systems
https://www.snopes.com/fact-check/rumor-alert-dominion-voting-systems-fraud-claims/
https://www.politifact.com/factchecks/2020/nov/13/facebook-posts/no-evidence-dominion-voting-systems-caused-widespr/
https://www.nbcnews.com/better/lifestyle/problem-social-media-reinforcement-bubbles-what-you-can-do-about-ncna1063896
https://heavy.com/news/dominion-voting-systems-glitch-clinton-pelosi-michigan-georgia/
https://apnews.com/article/fact-check-trump-legal-team-false-claims-5abd64917ef8be9e9e2078180973e8b3
Cyber espionage:
THE PROBLEM THAT ISN’T
// Eneken Tikk & Mika Kerttunen
After the recent penetrations of a Finnish mental health service provider’s patient database as well as the Finnish parliament, both the Speaker of the Parliament and the President of Finland condemned the breaches as ominous cyberattacks. President Niinistö’s message was very clear: “Our feeling of security has also been eroded by new digital threats. Whether the target is Parliament or individual citizens’ health data, the word ‘data breach’ is not strong enough to describe the problem. Cyberattacks threaten security; they are attacks against not only individuals but also our entire social order. We must improve our ability to foil them, also at the international level.”1
The 2020 EU Cyber Security Strategy observes “the EU institutions, bodies and agencies being regular targets of cyberattacks, particularly cyber-espionage”.2 The United Kingdom security service MI5 views cyber espionage as presenting “a real risk to the economic well-being of the UK” and “a direct threat to UK national security”.3 Cyber espionage is hardly a non-issue. Without a sufficient level of intelligence preparation, including cyber espionage, any targeted cybercrime activity or effect-creating cyber operation would not be successful. Yet cyber espionage is a stigmatized, dead-on-arrival topic that has become next to impossible to discuss, especially in an international setting.4 It is time to change that. The absence of any clear international legal stand on espionage does not dilute but underlines the problem.
UNDERSTANDING ESPIONAGE
The purpose of state intelligence - national, military or other agency - is to support political and operative planning and decision-making. Intelligence doctrine refers to assessment and estimations of the operational environment.5 Accordingly, business or competitive intelligence supports corporate decision-making, for example design, manufacturing and marketing. Espionage constitutes a particular aspect of intelligence where data and information are gathered by covert means and without the possessor’s authorization, hence the layman’s, and legal, term of spying. Espionage thus exploits target data, information and systems for an actor’s benefit. Consequently, all espionage is an intelligence activity but not all intelligence activities are espionage. Many forms of intelligence, most obviously open-source intelligence and signal intelligence, do not require illegal or unauthorized access, e.g. penetration of other states’ information and communication systems or the stealing of information.
As defined in a US joint intelligence doctrine, intelligence “includes the organizations, capabilities, and processes involved in the collection, processing, exploitation, analysis, and dissemination of information or finished intelligence.”6 The process begins with intelligence requirements, disseminates immediate, initial and finalized products such as information, assessments, estimates and recommendations for action, and ends with evaluation and reflective feedback – only to start again with new intelligence and information requirements.7 Intelligence can thus be seen as a cybernetic chain linked to political and operative decision-making, another cybernetic chain of events.8
ASSESSING CYBER ESPIONAGE
As a logical chain of considerations, acts and consequences, intelligence activities, like all human and social ones, can be ethically assessed by their intentions, virtue and consequences.9 As examined above, political (cyber) espionage is conducted in support of planning and decision-making. We can presume that the thought or anticipated action is against the will of the targeted entity – otherwise covert and unauthorized action would not be needed, because it goes against the target’s interest. Cyber espionage undermines dignity and integrity, steals opportunities - in the concrete terms of data, information and intellectual property - and forces the target to take corrective action, which it otherwise would not have taken. Cyber espionage thus subjects and suppresses one sovereign state to another’s will.
The very act of intelligence gathering, including for example illegal penetration of information and communication systems, does not necessarily cause destructive effects.10 As Libicki reiterates, virtual penetration does require forced entry but uses stolen credentials or exploits vulnerabilities, and unintentionally open avenues of access.11 The act nevertheless is illegal or unauthorized by any target state norms and standards. The target entity is thus an involuntary object of another state’s operations. Acts of espionage therefore erode friendly relations between states and trust in international life.
All targeted operations require some intelligence gathering and analysis, nowadays increasingly in the form of cyber espionage. Consequential action is likely to follow espionage. Political and operational action against another state that requires espionage to be conducted is always unfriendly.12 When leading to the use of force, espionage becomes part of a hostile, coercive and violent action-chain likely to escalate tensions and intensify open conflicts.
Furthermore, the difference between network based (cyber) espionage and effect-creating operations is a line
drawn in the sand. After successful penetration into information systems and the gathering of data and information, it is easy and tempting to plant destructive malware in these target environments. Finally, the proliferation of capable tools and available targets has promoted investigative and inquisitory cyber espionage.
We should abandon the romantic view of espionage as harmless and rather limited information gathering combined with innocent analysis. Cyber espionage targets both the public and private sectors, human beings and their sensitive information, and national security as well as national health care systems. It is deliberately suppressive, dismisses the autonomy and sovereign stance of the target, and is often, by its intended consequences, hostile. It is increasing in severity and diversity.
SHORTCOMINGS OF THE CURRENT APPROACH
Capabilities, resilience and deterrence
The 2020 European Union Cyber Security Strategy seeks to increase Europe’s collective resilience against cyber threats. This is achieved within three areas of EU action: (1) resilience, technological sovereignty and leadership; (2) operational capacity to prevent, deter and respond; and (3) global and open cyberspace through increased cooperation.13 The Cyber Security Strategy remains silent on how cyber espionage in particular should be tackled nationally, within the EU, or globally. We may conclude that resilience and operational capacity can be seen not only to curb cyber espionage, but also to have the potential to make cyber espionage operations more costly. The global/international endeavours the EU needs to take do not contain any explicit or direct means or mechanisms to deal with cyber espionage. On the other hand, the Cyber Security Strategy facilitates “solid shared situational awareness and the ability to prepare rapidly a joint EU position”.14 To serve this purpose and to advance intelligence cooperation on cyber threats and activities, a Member States’ EU cyber intelligence working group at the EU Intelligence and Situation Centre is to be established.15
Diplomacy
An EU non-paper on cyber diplomacy comprehensively emphasises human rights, and the voluntary non-binding rules of responsible state behaviour in cyberspace and cyber capacity-building.16 This, however, is stuck in the quagmire created by the previous rounds of the United Nations Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security. Given the chosen threat-centric and confrontational
context, cyber diplomacy is reduced to a function of cyber security where dialogue and consultation are more curiosities than normalcies. On the other side, Russia and China stress an absolute view of state sovereignty and promote the use of information technology for internal security and the control of their publics’ on-line and off-line behaviour. They do not want to restrict network intelligence (cyber espionage), either.17
International law
The international community has vividly, and for a relatively long time, debated the parameters of cyberoperations, countermeasures and responses and the right of self-defence. Quite surprisingly, there is less interest in decisively tackling the peacetime protection of civilians and the civil society, and there is close to zero discussion, in the context of international cybersecurity, of cyber espionage.
A literal but also selective reading of international law would lead to a conclusion that as espionage is not explicitly outlawed, it is not problematic under general public international law. Admittedly, certain aspects of international law may be legally questionable; privacy infringements comprise an obvious example. The question, turned to the intentions and consequences of espionage, quickly results in replies that nothing is broken and no harm is done – and therefore the prohibitions of the use of force and intervention do not lead to computer network exploitation, either.18 Yet, when the US National Security Agency had tapped the mobile phones of Chancellor Merkel and President Rousseff, Germany and Brazil tabled a UN General Assembly resolution referring to human rights - and explicitly to “arbitrary or unlawful interference with privacy, family, home or correspondence, and the right to enjoy protection of the law against such interference or attacks.”19
The discussion gets somewhat more complex when the question of violation of sovereignty is tabled – this could well be the context of the (in)famous claims about sovereignty not being a rule at all in the context of cyber operations. The mainstream international cyber law discourse only underscores (and feeds) the appetite to conduct cyber espionage without any serious legal outcry.
TAKING ACTION AGAINST CYBER ESPIONAGE
It is possible to start promoting and developing international law and peaceful relations to rein in cyber espionage. The issue is not about prohibiting either espionage or defence. If, and when, cyber espionage is identified as a serious cyber security challenge and national security concern, cyber security strategies should contain explicit countering lines of action. For effective prioritization of efforts and allocation of resources, there is a need to analyse the logic and conduct of cyber espionage. Based on this analysis, espionage-specific measures may include changes in penal, administrative and cyber legislation, improved confidentiality of data, increasing situational and work force awareness as well as developing professional and academic programs. The analysis should also reveal areas and threats which may be less prioritized.
Similarly, states need determined and creative diplomatic manoeuvring to gather a group of like-minded countries to counter the threat of the cyber establishment. There is a need to draw a clear line between tolerable and intolerable state behaviour in cyberspace. States can demand political (public) control of intelligence activities, restrict intelligence targets and, based on the exposed incidents, start drafting more binding political and normative measures.[20] Instead of dictating, states need discussion and global diplomacy pursuing shared understanding. Based on our observations of
ENEKEN TIKK AND MIKA KERTTUNEN Dr.Iur. Eneken Tikk and D.Soc.Sc Mika Kerttunen are founders of the Cyber Policy Institute, an independent consultancy specialized on cyber diplomacy, regional capacity building, IT law and policy. Together with the Erik Castren Institute, Eneken and Mika are running the 1nternat10nal Law project. Their current research focuses on friendly relations, peaceful settlement of disputes and cyber conflict prevention.
numerous cyber capacity-building events, desire for this kind of policy and diplomacy is increasing. States should not accept the self-righteous justification President Obama offered for the NSA’s activities abroad, which did not mention the NSA-Merkel issue: “[t]he legal safeguards that restrict surveillance against U.S. persons without a warrant do not apply to foreign persons overseas. This is not unique to America; few, if any, spy agencies around the world constrain their activities beyond their own borders. And the whole point of intelligence is to obtain information that is not publicly available.”[21]
There are restrictive legal views on espionage.[22] Apart from the harm arguments, as discussed above, it is hard to see how any cyber operation, including computer network exploitation, would stand the test of good faith, friendly relations, international cooperation or even peaceful settlement of disputes – all part of international law in their own right. A good exercise would be to examine what makes states and some scholars go to such great lengths to justify the ‘no-problem’ view of cyber espionage. The international discussion could start with some more common-sense questions – is it true that every state conducts cyber espionage, especially to the point of sustained presence in uncountable networks? Is it true there are no victims, no escalatory tendencies, no harm and no impact whatsoever on the target governments, societies or international organizations? If the answers to these questions are negative, states need to determine whether or not international law has anything at all to contribute to this discussion. Or how should the claim that every state has some sort of national legal consequences for conducting espionage be read? That cyber espionage is not an international issue? What possible reading is there of the currently seemingly life-long exile of Edward Snowden and the 140 years of imprisonment facing Julian Assange? Their putative
Sources
[1] “Emails compromised in cyberattack on Finland’s Parliament”. YLE News (December 28, 2020). Available at https://yle.fi/uutiset/osasto/news/emails_compromised_in_cyber_attack_on_finlands_parliament/11716393; “President of the Republic Sauli Niinistö’s New Year’s Speech on 1 January 2021”. https://www.presidentti.fi/en/speeches/president-ofthe-republic-sauli-niinistos-new-years-speech-on-1-january-2021/.
[2] European Commission (2020) The EU’s Cybersecurity Strategy for the Digital Decade, p. 24. https://ec.europa.eu/digital-single-market/en/news/eus-cybersecurity-strategy-digitaldecade.
[3] MI 5 (2021) Cyber. https://www.mi5.gov.uk/cyber.
[4] Numerous accounts of cyber war, information war and the new ‘perfect’ or ‘virtual’ weapons often choose not to address cyber espionage, too.
[5] Joint Chiefs of Staff (2013) Joint Intelligence (JP 2-0), p. ix. https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2_0.pdf. The purpose of supporting planning and decision-making is explicit in Western and Nordic field manuals, too, as well as in Clausewitz’s Vom Kriege (Carl von Clausewitz (ed. Marie von Clausewitz) (1991/1832) Vom Kriege. Ferd. Dümmler Verlag, Köln, book 1, chapter 6).
[6] JP 2-0, ix-x, I-2 and I-3.
[7] For a detailed account of the US military doctrinal understanding of intelligence, see JP 2-0, p. I-5 - I-23.
[8] For an analysis of organizing and conducting [here: Chinese] national intelligence – cyber espionage, see Nigel Inkster (2015) China’s Cyber Power, Adelphi Series 55:456, chapter “Cyber Espionage”, p. 51-82. DOI: 10.1080/19445571.2015.1181443.
[9] E.g. Peter Olsthoorn (2011) Intentions and Consequences in Military Ethics. Journal of Military Ethics, Vol. 10, No. 2, 81-93; Robert W. Kolb (ed.) (2007) Encyclopedia of Business Ethics and Society. SAGE Reference. DOI:http://dx.doi.org/10.4135/9781412956260.
[10] Martin Libicki (2007) Conquest in Cyberspace. National Security and Information Warfare. Cambridge University Press, Cambridge, p. 28-29 and 79-80. Here, Libicki uses the expression of spying and electronic eavesdropping as synonyms to cyber espionage.
[11] Martin Libicki (2020) Steps to an Ecology of Cyberspace as a Contested Domain. In Eneken Tikk and Mika Kerttunen (eds.) Routledge Handbook of International Cybersecurity. Routledge, Abingdon, p. 134-147.
[12] As Chancellor Merkel commented after the NSA had tapped her mobile phone, “spying between friends just isn’t on”. “Snowden NSA: Germany drops Merkel phone-tapping probe”. BBC News (June 12, 2015). https://www.bbc.com/news/world-europe-33106044.
[13] The EU’s Cybersecurity Strategy for the Digital Decade, p. 4 and sections II:1, II:2 and II:3.
[14] The EU’s Cybersecurity Strategy for the Digital Decade, p. 17.
[15] Ibid.
[16] “Non-Paper on EU Cyber Diplomacy by Estonia, France, Germany, Poland, Portugal and Slovenia”. https://www.auswaertiges-amt.de/blob/2418986/206b3bf9aa4ef45a2887399231840d23/201119-non-paper-pdf-data.pdf.
[17] Personal observations of United Nations and regional cybersecurity processes and events in 2012-2021.
[18] Michael Schmitt (2017) Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd ed.). Cambridge: Cambridge University Press; Catherine Lotrionte (2014) “Countering State-Sponsored Cyber Economic Espionage under International Law”. 40 North Carolina Journal of International Law and Commercial Regulation 443; and Jeremy Wright (2019) “Cyber and International Law in the 21st Century”. https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century.
[19] “Brazil, Germany introduce resolution on Right to Privacy in the Digital Age at UN General Assembly”. Access Now (November 1, 2013). https://www.accessnow.org/brazilgermany-introduce-resolution-on-the-right-to-privacy-in-the-digital/.
[20] Ashley Deeks has made a similar case on surveillance. See, Ashley Deeks (2015) “An International Legal Framework for Surveillance”. Virginia Journal of International Law 55:2, 291-368.
[21] “Obama’s Speech on N.S.A. Phone Surveillance”. The New York Times (January 17, 2014). https://www.nytimes.com/2014/01/18/us/politics/obamas-speech-on-nsa-phonesurveillance.html. To be fair, many leaders and most security and intelligence professionals would wholeheartedly share President Obama’s views.
[22] For food for thought, see Aaron Shull (2013) Cyber Espionage and International Law. Global Internet Governance Academic Network, Annual Symposium 2013; Johan-Christoph Woltag (2014) “Computer Network Operations Outside of Armed Conflict”. In J.-C. Woltag Cyber Warfare: Military Cross-Border Computer Network Operations under International Law. Cambridge University Press, Cambridge, p. 85-174; Christopher S. Yoo (2015) Cyber Espionage or Cyberwar? International Law, Domestic Law and Self-Protective Measures. In Jens D. Ohlin, Kevin Govern and Claire Finkelstein (eds.) Cyberwar. Law and Ethics of Virtual Conflicts. Oxford University Press, Oxford, p. 189-190; Russell Buchan (2018) Cyber espionage and international law. Hart, Oxford, UK; Inaki Navarrete and Russell Buchan (2019) “Out of the Legal Wilderness: Peacetime Espionage, International Law and the Existence of Customary Exceptions.” Cornell International Law Journal Vol. 51: No. 4, Article 4.
penalties signal that espionage is a tradecraft that powerful countries want to be free to exercise, while being willing to go to great lengths to mute both its existence and any discussion of it. Or, if espionage indeed has not been problematic under international law for a long time, is cyber espionage changing the scene? The presumed silence of international law should not stop but ignite debate on how to develop international law to better shape a friendlier and more peaceful public international order. States that care about their independence and rule of law, that have suffered cyber espionage both from adversarial and “friendly” actors, and that do not consider the current practice of cyber espionage as conducive to developing shared understanding of and responses to issues of cybersecurity all need to make a move at least towards the discussion of the issue. Opinions, political, legal as well as public, even slowly evolving to restrict or otherwise restrain peacetime cyber espionage will make it harder for the superpowers to step outside the norms.
Computer network exploitation by nations with top-tier offensive capabilities does not only affect other governments. Cyber espionage hurts corporations and puts people at risk. If governments insist on the inevitability of computer network exploitation, it is time to discuss the conditions and boundaries of this privilege: where should we allocate respective responsibilities and costs?
Cyberwatch Finland
SHAPING DEPENDABLE CYBER SECURITY WITH A COMPREHENSIVE APPROACH
We help our customers to anticipate the risks and to manage the process of cyber security in a coherent and consistent way. At the same time, we are building a safer and more sustainable world together.
Cyberwatch Finland provides comprehensive cyber security solutions:
Cyber security strategies, risk analysis and roadmaps
Strategic situational awareness to support management and decision-making
Strategic analysis of the developments in the cyber world
AI-powered analysis and information services based on our expertise
Modern education with e-learning and hybrid-learning methodologies
Innovative and unique cybersecurity technologies
We have a holistic and global view of the cyber security ecosystem and the ability to implement tailored and integrated solutions in all markets. We operate on a network-based model that includes respected Finnish and international cyber security companies and experts. The company is owned by members of the core management team. Our experts are, for example, the authors of the first Finnish Cyber Security Strategy. Our concept is built on academic research of different national cyber security approaches. The Finnish comprehensive security concept and its holistic approach are proven to be the most effective in addressing complex and wide-ranging cyber threats. Our mission is to be our clients’ most trusted partner. Therefore we are constantly looking for the best ways to create steady strategic cyber security roadmaps to bring your cyber security to the highest possible level.
OUR STRENGTH IS THE UNIQUE COMBINATION OF SECURITY AND CYBER EXPERTISE
Unique strategic-level international expertise and understanding is based on an extensive network of experts and the utilisation of new innovations and artificial intelligence-based analysis methods. Our experts have the ability to interpret and present complex cyber world phenomena and developments in an easy-to-understand format, utilising the latest technology, easily adaptable methods, and various media formats. Comprehensive strategic management skills, experience, know-how and the ability to divide it into smaller entities. Easily approachable and understandable entities: we do not mystify or intimidate, but we improve our customers’ daily lives by increasing awareness. We rely on the model of continuous improvement and boldly look for new business models. We are always one step ahead, taking into account cyber world trends, phenomena, threats and opportunities, analysing their impact on organisations’ operating models at both the strategic and operational levels. Without forgetting the most important thing in society, which is the human being.
STRATEGIES, RISK ANALYSIS AND ROADMAPS
FACILITATION OF CYBER SECURITY LEADERSHIP
INNOVATIVE TECHNOLOGIES
TAILORED REVIEWS AND SPECIAL REPORTS
TRAINING, SEMINARS, GAMES AND WORKSHOPS
OUR SERVICES
BENEFITS FOR CUSTOMERS
COMPETITIVE ADVANTAGE
Cyberwatch Finland offers strategic cyber security services for state-level operations, corporations and organisations, based on a holistic view of the cyber world and hybrid threats. Our expertise is cyber security strategies, risk analysis and roadmaps.
Improved situational awareness is the basis for better decision-making Our clients can establish a holistic cyber security strategy, build situational awareness across the organisation, and take the necessary measures to build cyber resilience.
Our mission is to secure the functions of critical infrastructure as well as protect your organisation's most valuable assets. We guide you to a solid cyber security culture that strengthens your organisation’s resilience to crises and reduces business risks. We provide a holistic understanding of the interdependence of people, practices and technology, and their development opportunities.
Our analysis gives you strategic situational awareness to support your management and decision-making. Additionally, we offer modern education with e-learning and hybrid-learning methodologies.
We provide the comprehensive roadmap for a realistic cyber culture and cyber hygiene for your entire organisation.
Our scope of delivery includes innovative cyber security technologies.
CYBERWATCH FINLAND office@cyberwatchfinland.fi
Tietokuja 2, 00330 Helsinki FINLAND
www.cyberwatchfinland.fi
Bad News Concerning SolarWinds Supply Chain Attack Will Continue to Unfold for Quite Some Time More // Pasi Eronen
On Sunday, December 13, news broke about the largest cyber operation of recent years against U.S. government targets by an advanced persistent threat actor, APT29, associated with the Foreign Intelligence Service of the Russian Federation, also known as SVR (Служба внешней разведки Российской Федерации).[1] The original reporting shared details regarding the email systems of the U.S. Treasury Department and Commercial Department having been compromised, but as more information has come out regarding the incident, the devastating size of the hack is slowly being revealed.
According to the sources, Russian operatives had successfully penetrated SolarWinds, an Austin, TX-based company offering its clients, among other products, a widely used full-stack IT management platform called Orion.[2] SolarWinds’ customer base, which may also include users of products other than the Orion platform, included, according to SolarWinds’ website, more than 425 of the U.S. Fortune 500 companies, all U.S. telecommunications companies, all branches of the U.S. military, National Security Agency, and The Pentagon, to name a few.[3] Once in, the Russian hackers proceeded to compromise a build server to have SolarWinds serve their customers a poisoned update of the Orion platform, including Russian-injected malware. The distributed malware was later named SUNBURST by one of the compromised entities, FireEye.[4] The poisoned SolarWinds Orion platform update, which opened a backdoor to the target systems for access, and possibly also for insertion of additional tools for ensuring the foothold and continued access, was downloaded by SolarWinds’ customers more than 18,000 times.[5] Nevertheless, it seems that the perpetrators were highly selective with their targeting.[6] This selective targeting sets the SolarWinds case apart from the NotPetya case associated with the GRU Sandworm team, where a destructive supply chain attack spread worldwide like a wildfire causing more than an estimated $10 billion in damages.[7]
In addition to the government targets, one of the targets was an internationally well-known cybersecurity company, FireEye, which lost to the hackers the tools it had been using in its penetration testing, or red teaming, activities.[8] This brazen targeting eventually led to the unfolding of the SolarWinds case, as FireEye investigators also detected that other organizations had been targeted utilizing the same intrusion vector.[9] According to some estimates, Russian operatives had initially penetrated the SolarWinds systems as early as October 2019 and made a test run with their chosen method of poisoning an update, but did not yet operationalize their access.[10] According to the current understanding, the operationalization took place in March 2020, which has given Russian operatives possibly more than nine months of access to the targeted systems.[11]
To remedy the situation, Microsoft, itself a victim of the SolarWinds hack, together with other industry partners, took over or sinkholed the domain used in command and control of the infected systems.[12] Such sinkholing was a continuation of similar operations conducted by Microsoft, where they had been crippling the perpetrators’ operations by disrupting their command and control networks.[13]
In addition to the U.S.-based companies, U.S. states, and governmental targets, such as the Departments of State and Homeland Security and the National Nuclear Security Administration, according to Microsoft’s analysis, targets residing across the globe, spanning from Canada to the United Kingdom and Belgium, have also been infected by the SolarWinds poisoned update.[14] Similarly, organizations such as NATO have been investigating whether they have been infected.[15] It is not far-fetched to assume that similar investigations are taking place across the world. Governments and private organizations alike are scrambling to identify whether the SolarWinds hack has impacted them, and whether there have been any malicious activities in their systems because of the hack.
As the hacks had a grave national security significance, the United States Government also scrambled into action. According to the reports, the National Security Council was summoned for a meeting on Saturday, December 12, to cover the hack.[16] The Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive on December 14, ordering the government organizations to disable the affected SolarWinds tool in their networks. Following the CISA directive, the National Security Council announced on
December 15 the establishment of the Cyber Unified Coordination Group (UCG) to coordinate the whole-of-government response to the incident.[17] The USG announcement was followed by the joint statement by the Federal Bureau of Investigation (FBI), CISA, and the Office of the Director of National Intelligence (ODNI) regarding their work on investigating the breach.[18] Throughout the process, both NSA and CISA have issued advisories and alerts to share technical information with the community fighting the breaches.[19]
There has also been information released about a second entity[20], which has been in the SolarWinds systems, but whether the situation is similar to the DNC case back in 2016, when GRU and SVR were in the same systems, or something else, like two competing nations both having access to SolarWinds systems, it is too early to say for sure. Moreover, linked with the SolarWinds investigation, authorities have warned that the perpetrators have also been using means other than just SolarWinds-associated malware to access their targets, such as flaws in VMware and bypassing of multi-factor authentication.[21]
In addition to attribution conducted by commercial companies, Russian involvement in the SolarWinds hack has also been confirmed by political figures in the U.S. For example, Secretary of State Mike Pompeo suggested Russia as the perpetrator in the SolarWinds case.[22] Similar statements have been made by senators Marco Rubio (R.) and Mitt Romney (R.) and by a number of politicians from the other side of the aisle.[23] According to the news sources, Biden transition team members have been pondering potential avenues for responding to the system penetrations, including new financial sanctions and potentially going even further.[24] The current White House has not publicly held the Kremlin accountable for the system penetrations but has instead muddied the waters by suggesting that other players, such as China, may have been in play.[25]
At the time of the writing, the main goal for the SolarWinds hack, and the broad access it granted for the
PASI ERONEN Pasi is an international security analyst, advisor, and writer. In my research and analysis work, I have focused on strategic cybersecurity and non-conventional adversarial strategies, also known as hybrid influencing and warfare. My additional fields of expertise include hostile foreign influence operations and the intersection of technology and security policy. My work has been published by a number of international outlets, including CNN, The Wall Street Journal, and Bloomberg. I speak regularly at regional events and major international conferences. My professional career includes stints with the Finnish defense establishment and governmental organizations dedicated to comprehensive security and hybrid threats. I am a Finnish Defence Forces reserve officer, and I have served in crisis management missions both as a soldier and civilian with NATO and the EU.
Russian intelligence, appears to have been to secure a foothold in selected systems for intelligence collection. While infuriating, and to some degree also embarrassing, intelligence collection is a normal and, in many ways, also a necessary part of international affairs. Nevertheless, at the same time, it is good to keep in mind that a foothold secured for intelligence collection could also be transformed into a platform for destructive operations. Intents may change as time passes, also changing the risk calculus of the victim. Thus, careful target analysis and the nature of targeted systems may reveal a lot of information about the perpetrators’ intents. According to some, there have also been signs of critical infrastructure companies being affected by SolarWinds, but not necessarily having been penetrated after the original infection.[26]
As more information is being revealed about the SolarWinds hack, there is a growing discussion in the expert community on potential impacts and additional motivations behind the hack. Other than intelligence collection, the listed motivations have included Russia building a deterrent against U.S. cyber-attacks against targets in Russia, or Russian interests elsewhere. Moreover, it has been speculated that a foothold in the U.S. systems would have served as a bargaining chip, should the election-meddling prevention activities by the U.S. authorities against Russian actors have become too painful to bear.
While some public outrage and follow-up actions are necessary for the optics and political purposes, it is improbable that, outside of a limited response such as sanctions, there will be any significant public retribution against Russia or its interests, in cyber or in other domains. Most of the response-related actions will be concentrated on learning more about the Russian intents, their available resources for human-operated missions, target prioritization processes, and their overall tradecraft. Furthermore, the focus is also put on the global breadth of the hack, what information got stolen during the time Russian operatives had access to the systems, trying to rid the systems of any remaining unauthorized parties, and learning how to defend better against similar attacks in future.
While the former U.S. government officials are trying to grasp the SolarWinds case’s full ramifications, the Kremlin has denied having anything to do with the hacks.[27] Nevertheless, on December 20, Putin congratulated his security services for the work well done on a national day of celebration for the members of the country’s security services while standing in front of SVR headquarters.[28]
Meanwhile, the market reaction to the SolarWinds case was swift and painful. SolarWinds’ stock is at the time of the writing trading at around $16 per share, one third less than just one month ago.
Sources
[1] https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG
[2] https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html, https://www.solarwinds.com/orion-platform
[3] https://web.archive.org/web/20201214065921/, https://www.solarwinds.com/company/customers
[4] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
[5] https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/
[6] https://arstechnica.com/information-technology/2020/12/only-an-elite-few-solarwinds-hack-victims-received-follow-on-attacks/
[7] https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
[8] https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attackerleverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
[9] https://www.bloomberg.com/news/articles/2020-12-15/fireeye-stumbled-across-solarwinds-breach-while-probing-own-hack
[10] https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helpsprotect/
[11] https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/
[12] https://www.zdnet.com/article/microsoft-was-also-breached-in-recent-solarwinds-supply-chain-hack-report/, https://www.zdnet.com/article/microsoft-and-industry-partners-seizekey-domain-used-in-solarwinds-hack/
[13] See for example: https://www.darkreading.com/attacks-breaches/microsoft-sinkholes-6-fancy-bear-apt28-internet-domains/d/d-id/1332628
[14] https://www.bloomberg.com/news/articles/2020-12-17/u-s-states-were-also-hacked-in-suspected-russian-attack, https://www.politico.com/news/2020/12/17/nuclear-agency-hackedofficials-inform-congress-447855, https://www.npr.org/2020/12/18/947914979/microsoft-says-40-customers-hit-by-ongoing-hack-of-government-agencies
[15] https://www.bloomberg.com/news/articles/2020-12-14/u-k-government-nato-join-u-s-in-monitoring-risk-from-hack
[16] https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG
[17] https://twitter.com/WHNSC/status/1338863139278913537
[18] https://www.cisa.gov/news/2020/12/16/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
[19] See for example: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2451159/nsa-cybersecurity-advisory-malicious-actors-abuse-authentication-mechanismsto/, https://us-cert.cisa.gov/ncas/alerts/aa20-352a
[20] https://www.reuters.com/article/us-usa-cyber-solarwinds/second-hacking-team-was-targeting-solarwinds-at-time-of-big-breach-idINKBN28T0U1, https://www.zdnet.com/article/a-second-hacking-group-has-targeted-solarwinds-systems/
[21] https://krebsonsecurity.com/2020/12/vmware-flaw-a-vector-in-solarwinds-breach/
[22] https://www.npr.org/2020/12/19/948318197/pompeo-russia-pretty-clearly-behind-massive-solarwinds-cyberattack
[23] https://www.forbes.com/sites/andrewsolender/2020/12/17/trump-takes-bipartisan-criticism-for-silence-on-massive-cyber-attack/
[24] https://www.reuters.com/article/usa-cyber-breach-biden/bidens-options-for-russian-hacking-punishment-sanctions-cyber-retaliation-idUSKBN28U0DV, https://www.reuters.com/article/usa-cyber-breach-idUSKBN28U0IK
[25] https://www.bloomberg.com/news/articles/2020-12-19/trump-downplays-massive-hack-floats-china-as-possible-culprit?srnd=cybersecurity
[26] For some related discussion, see for example: https://www.linkedin.com/feed/update/urn:li:activity:6745762156412776448/
[27] https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html, https://www.themoscowtimes.com/2020/12/21/russia-denies-role-in-us-cyber-attacks-a72426
[28] http://en.kremlin.ru/events/president/news/64681
CYBERWATCH FINLAND QUARTERLY REVIEW Q4 2020
1. Country Analysis: Africa
2. The Development of Cyber Capabilities at an Individual level
3. The Cyber Security of Satellites
4. Cyber Security as a Part of the Management Agenda
5. The Cyber Security of Cloud Services
This time around, the country analysis will focus on the entire continent of Africa. The cyber security of this 54-nation body is currently in a much worse position in comparison to the rest of the world. Cyber education is subpar, citizens’ cyber skills are underdeveloped, pirated software is widely used and cybercrime is on the rise. Other states and international cybercriminals use Africa as an arena for their activities, mainly due to a lack of legislation and cyber defence capabilities. The technological void in Africa is of interest to China and Russia, which have succeeded in spreading their own technology to the region.
This review will also investigate the cyber skills of individuals and the possibilities of developing and assessing them. Citizens’ cyber skills are important not only for them as individuals, but also as an important element in developing national crisis resilience. Citizens’ cyber skill level is directly proportional to the development of digitalisation. In highly digitalised societies, citizens’ cyber skills and awareness are also better than in less digitally developed countries. There is a shortage of cyber security professionals all over the world. Education is fragmented and the overall picture is difficult to comprehend. Established certificates are essential, but the quality and price of the courses vary immensely.
Moreover, this review will discuss cyber security in space. For the time being, this topic will primarily revolve around satellites and the systems that support them, but space travel, at least on a small scale, will also be possible in the near future. The main cyber threats to satellite systems are signal interference and spoofing. Interference with satellite systems has also been used as a means of hybrid operations and the likelihood of this will increase in the future. The cyber security of satellite systems is generally high, and they are generally infiltrated only by state actors or groups supported by them. However, the continuous development of cyber security is necessary because the performance of cybercriminals is constantly improving.
This year, much has been said about the involvement and responsibility of corporate management in implementing cyber security. Several companies have been daunted by cyber crises and, for good reason, the competence of management has been tested. Responsibility for cyber security starts from the board of directors, and the management team already has a very concrete role in the implementation of cyber security. The biggest mistake a management team can make is to treat cyber security as a one-time effort. The management team must take care of their cyber security continuously. Cyber risks and their impact need to be quantified and the level of cyber security should be evaluated regularly. When a cyber risk materialises, the importance of communication in the management team’s operations will increase.
Finally, the security of cloud services will be assessed. Deploying a cloud service is ultimately about trusting the service provider. If trust is in place, cloud services can, at least in the private sector, almost invariably provide better cyber security than a self-managed IT environment. Defining responsibilities and comprehending them correctly is a key part of implementing the cyber security of cloud services. Written agreements help avoid misunderstandings about the division of responsibilities and allow for preparation for problem situations. Cloud services can be used in public administration after a careful risk analysis. Cyber security standards can also be used to support decision-making.
1. COUNTRY ANALYSIS: AFRICA

1. China and Russia have a geopolitical interest in Africa and both trade with various African countries and invest in the area. Commercial activity also provides a good opportunity for both countries to influence decisions regarding technology, which can contribute to their goals in cyber operations.
2. The cyber warfare capabilities of African countries are still subpar. Nigeria is emerging as Africa’s leading country in cyber warfare.
3. Africa is susceptible to cybercrime and espionage. At a societal level, not enough has been invested in cyber security and only a few countries have cyber strategies or legislation. Citizens’ cyber skills and companies’ investment in cyber security are inadequate and no rapid improvement is expected.
From a cyber security perspective, Africa, a continent comprised of 54 countries, is very different from other continents. The telecommunications and technology infrastructure is underdeveloped and technical know-how is very much in the hands of non-African companies and states. The same is true for other critical infrastructure. IT systems and equipment come almost entirely from outside the continent, there is no in-house production. The current situation could be regarded as typical of the former colonies. Knowledge was in the hands of the former colonial power and was not transferred to the local population. Several former Asian colonies, most notably India, have been able to reverse the situation and are currently the world’s leading producers of ICT technology and services. African countries have not been able to develop technology and knowledge capital as effectively and are still highly dependent on external actors for cyber security. The technology and knowledge gap has increased foreign investment in Africa in recent years. Of the former colonial powers, the United Kingdom, France and the Netherlands, as well as the United States, are generally at the forefront of foreign investment. However, more recently, China has also become one of the most active investors. In addition to investment, China is an active trading partner with several countries and has been actively involved in high-tech projects in Africa. Chinese network technology has been used to build the telecommunications infrastructure, and several positioning systems built in Africa are based on the Chinese BeiDou navigation service. In addition to China, Russia is also an active trading partner, especially in countries in northern Africa. Russia exports arms to several African countries and has participated in the training of local armed forces. In addition, Russia, like China, has shown interest in high-tech exports. 
Foreign states are interested in Africa mainly for its natural resources, such as oil, agricultural raw materials and mining. Africa is currently experiencing a technological void in many areas, making it a fertile ground for high-tech trade as well. In areas in which the United States and much of Europe reject Chinese network technology for example, in Africa it is welcomed with open arms. Indeed, Africa provides China and Russia with an excellent platform for their own cyber-influencing goals, which is important for Western powers to keep in mind when operating in Africa. The cyber capabilities of African armed forces have developed in recent years, but are still at a very early stage. In the mid-2010s, various Ministries of Defence woke up to the need to develop cyber defence capabilities, and in recent years a few countries have established their first cyber warfare units. In this field, Nigeria is one of the most developed countries in Africa. The Nigerian military has announced that it will now also be training in cyber warfare in its annual war exercise, Exercise Crocodile Smile. The exercise will be held in late 2020 and is reportedly the first cyber warfare exercise ever organised by the armed forces of an African country. The pressure to develop a cyber defence has arisen due to two different factors. Other states, as well as international cybercriminals, have taken advantage of Africa’s undeveloped cyber defence capabilities by channeling cyber attacks through Africa. African countries want to prevent the use of their telecommunications infrastructure as a platform for state actors and cybercrime
operations. Another factor is the growing use of cyberspace by local criminal and terrorist groups. In Nigeria, for example, the Boko Haram terrorist organisation is making effective use of cyberspace to recruit members and spread its ideology. The State Security Service wants to address the situation through cyber operations. The armed forces of various countries are continually improving their cyber capabilities, but progress has been slow so far.

The number of Internet users in Africa is rising faster than the development of citizens’ cyber skills. At the beginning of 2020, there were approximately 570 million Internet users in Africa, representing just over 40% of the total population. The number of Internet users is predicted to exceed one billion by the end of the 2020s. National cyber capability inadequacy is a widely recognised problem. Every day, thousands of Africans connect a recycled IT device to the Internet for the first time in their lives, without guidance or knowledge on the basics of cyber security. The situation is not much better in the business sector either. There is a limited number of employees with practical cyber security experience. The international organisation ISACA, which certifies security professionals, estimates that less than five percent of all security certificate holders in the world live in Africa.

Africa is at the forefront of pirated software in the world, and in Libya and Zimbabwe, for example, it is estimated that up to 90% of operating systems are unlicensed copies. If your operating system is not licensed you will not receive vital security updates, due to which your IT device will quickly be infected with viruses and malware. In addition to the weak protection, cybercriminals are also interested in the lack of cyber law in Africa. Only about half of African countries have cyber legislation in place or under construction.
Cybercriminals have been found to change the area in which they act according to the developments in legislation. Once a state has enacted cyber security legislation including sanctions, criminals have moved to a weaker country. Admittedly, the resources for cybercrime investigation are also more limited in Africa than in the rest of the world, so legislation per se is not a very strong deterrent.

Cybercrime is growing rapidly in Africa and unfortunately a sudden turn for the better cannot be predicted. Cyber security training opportunities are slowly increasing. Improving know-how will bring much-needed cyber security manpower, but will also enable skills to be used for criminal activity. Developments in cyber security legislation and other societal activism are important factors in changing attitudes to ensure that the next generation of cyber experts develop in the right direction. About a year ago, the African Union Cybersecurity Expert Group (AUCSEG) was set up by the African Union to improve cooperation between countries. Their work is still at an early stage and their resources are limited, so the positive effects are likely to be seen only in the longer term.

Sources:
https://www.tandfonline.com/doi/full/10.1080/1097198X.2019.1603527
https://army.mil.ng/?p=3659
https://www.defenceweb.co.za/cyber-defence/armscor-cybersecurity-unit-up-and-operational/
https://www.serianu.com/downloads/KenyaCyberSecurityReport2018.pdf
2. THE DEVELOPMENT OF CYBER CAPABILITIES AT AN INDIVIDUAL LEVEL

1. The cyber skill level of citizens is directly proportional to the development of digitalisation. In highly digitalised societies, citizens’ cyber skills and awareness are better than in less digitally developed countries. Regular cyber security campaigns support positive development and effort should be made to further develop these campaigns in the future as well.
2. There is a shortage of cyber security professionals all over the world. Education is fragmented and the overall picture is difficult to comprehend. Established certificates are important, but the quality and price of the courses vary drastically. Undergraduate education with an emphasis on cyber security and the integration of cyber studies into other university studies must be increased in order to eliminate the skill gap.
3. Employees’ cyber skills play a key role in implementing a company’s cyber security. In-house cyber security training and briefing need to be improved so that employees are aware of their responsibilities and know how to act correctly in different situations.
4. The importance of cyber security, within a company, has come to the attention of decision makers. This has become especially apparent in the context of data breaches. There is a need for independent strategy-driven cyber training so that decision-makers understand the importance of cyber security for a company’s overall strategy and preparedness.
Citizens’ cyber skills are important not only for them as individuals, but also as an important element in developing national crisis resilience. Personal cyber skills are needed for the proper protection of one’s own IT terminals and for the use of digital services, so that they do not pose a threat to privacy or broader cyber security. The cyber domain is one of the key tools for hybrid operations. For example, fake news, hacking and malware attacks can destabilise society if citizens do not recognise fraudulent information and do not know how to protect themselves from large-scale cyber attacks or other crises.

Citizens’ basic cyber security skills are directly dependent on the level of development of digitalisation and general IT skills. Countries which are only taking their first steps towards digitalisation possess the weakest skills. For example, in several countries in Africa thousands of people a day receive an Internet-connected computer or smartphone for the first time. Inexperienced people have access to mainly global commercial services and, of course, social media, which will be used without the awareness of appropriate security. In highly digitalised countries, digital public administration services are available with strong identification and basic cyber security practices are followed in working life, which means that the starting point for cyber security is, of course, at a higher level.

Regular cyber security campaigns are a good way to maintain and develop basic cyber security skills. These have also been organised annually in Finland, for example in the form of a national cyber security day. In recent years, the Cyber Security Center has done an excellent job of spreading cyber awareness among citizens. The cause is also supported by activities all around Europe, for example in the form of the annual Cyber Security Month held in October.
Repetitive cyber communication may seem numbing, but it needs to be repeated and further developed so that various cyber crises such as hacking and malware attacks do not act as the sole triggers for citizens.

The shortage of information and cyber security professionals has grown rapidly. ISC2, an American provider of certification services within the industry, estimates that the global need for cyber security experts has grown from a million to about four million. According to the same study, there are about three million cyber experts at work, so there is a need for more than double that of the current workforce. The training of cyber security professionals has long been based on commercially available courses and various additional courses. Commercial courses, sometimes very different in terms of content, have been seen as the basis to measure the competence of individuals in the absence of a more general assessment framework.

The educational background of information security professionals varies immensely. Having a degree in computer science or technical studies is the most common, but people with other educational backgrounds also work in cyber security expert positions. Cyber security is also one of the few areas in which it is still possible to succeed without a formal education. An active hobby, internship in a new profession or further studies provide a fairly diverse background of expertise among cyber security professionals.

In recent years, study programs focused on information security and cyber security have been launched in various countries. Finland has been a pioneer in this area and masters’ degrees and other programs in cyber security are available at universities and other educational institutions. Elsewhere in Europe, such as the United Kingdom and Spain, it is now possible to study for a bachelor’s degree in cyber security.
Undergraduate education specialising in cyber security therefore needs to be expanded rapidly in order to address labor shortages and collectively improve the skills level of cyber professionals. In addition to citizens and cyber professionals, the third major group is employees of companies and organisations. Corporate cyber policies are based on company-specific risk analysis and the controls and policies are defined on the basis of this analysis. Regardless of the general cyber security skills, employees must be able to comply with the company’s own cyber security guidelines. In an endlessly digitalising world, cyber security is a civic skill and this concept should, for example, be embedded in almost all business education. General cyber security knowledge is useful, but in addition it is necessary to know, for example, how to handle files of different levels of importance or how to act against malware and to whom to report them. Cyber security training in critical infrastructure companies and organisations, for example, is generally decent. The trainings have traditionally been organised in a trainer-led class or in digital form as self-study. Training is compulsory, but participation is often not adequately monitored. In addition, training is often provided months after the start of the employment, when in actuality it should be provided as part of the orientation in the first few days. Measuring cyber competence is less common. Often the employees are assessed by an exam at the end of a digital course, in which a sufficient number of correct answers must be given or the exam will have to be retaken. Measuring the competence or performance level in the field of cyber security is generally rare, hence the appropriate metrics should be developed in this area.
A fourth important group in cyber education is general managers in business and politics. Various crisis situations in the form of hacking, malware or denial-of-service attacks have brought the importance of cyber security to the attention of decision makers. Decision-makers must, of course, master the basic skills of cyber security like any other employee, but special understanding is needed in integrating cyber security into the company’s strategy and developing preparedness accordingly. Decision-makers are, of course, assisted by leaders specialising in cyber security, but a strategic understanding of cyber security is also needed in the same way as in the fields of economics or production management.

Cyber security companies offer a surprising amount of cyber security training for decision-makers. These occasions are often two- to three-hour briefings, where relevant content is often combined with a commercial segment about the products the company is offering. There is widespread need for independent, strategy-driven cyber education in both the public administration and the private sector.

Sources:
Cybersecurity Skills Development in the EU, 12/2019. ENISA.
Cybersecurity Workforce Study 2020, ISC2.
Wang & Wang. Knowledge Management for Cybersecurity in Business Organizations: A Case Study, 4/2019. Journal of Computer Information Systems.
Kabanda et al. Exploring SME cybersecurity practices in developing countries, 2018. Journal of Organizational Computing and Electronic Commerce.
https://www.enisa.europa.eu/news/ecsm-2020-files/ecsm-2020-fi.pdf
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kyberturvallisuuden-superkuukausi-taalla-taas
https://ec.europa.eu/digital-single-market/en/policies/digital-skills
https://cybersec4europe.eu/addressing-the-shortage-of-cybersecurity-skills-in-europe/
3. THE CYBER SECURITY OF SATELLITES

1. The use of space and satellites in the area of research and telecommunications services is growing. The supply of satellite based positioning services is increasing. Satellite systems are complex entities that often form the critical point of services, making satellites an attractive target for cyber operations.
2. The lack of cyber security standardisation for satellite systems has been a major weakness in the development of cyber security. However, it is gaining momentum due to the release of the US Cybersecurity Principles for Space Systems this fall.
3. The main cyber threats to satellite systems are signal interference and spoofing. Interfering with satellite systems has also been used as a means of hybrid operations and its likelihood will increase in the future.
Telecommunications services and research in various areas have been utilising space since the 20th century. Satellites can be used to provide services that would be impossible or difficult to implement without the use of space. Satellite calls and television broadcasts are familiar examples of services that have made telecommunications possible all over the world for decades. Today, GPS and other location services are available to every smartphone user, and much of the Internet’s intercontinental telecommunications pass through satellites. The market for satellite-based services has exceeded 100 billion US dollars in recent years and is growing moderately at an annual rate of a few percent.

There are currently just under three thousand satellites operating in space, most of which are controlled by the United States. The majority of satellites are in commercial use and the most common services are telecommunications, positioning, remote sensing and the collection of various measurement data for weather forecasts. About 10% of satellites are used for military purposes, the main purpose of which is to gather intelligence and transmit military communications.

The satellite system is often the most critical component of the service chain. For example, satellites are used in telecommunications services that are not cost-effective or possible to implement using a terrestrial telecommunications network. As a result, the backup system has not been implemented or its coverage and efficiency are poor. Positioning systems are another example of services that are difficult to implement with other methods with similar efficiency. A successful cyber attack on a single target will cause extensive consequences, increasing the attractiveness of satellites as targets for hybrid operations.

The standardisation of the cyber security of satellite systems is under development. Most of the standards regulate security, including cyber security, between ground stations and between ground stations and satellites from a rather broad perspective. In addition to this, criteria have been developed for assessing the safety of satellite project subcontractors. The lack of substantial cyber security standardisation has been perceived as a significant weakness in the implementation of cyber security in satellite systems. Standardisation gained momentum this fall when President Trump’s administration released high-level cyber security principles for space systems, according to which actual standardisation effort in the United States is progressing.
The basic components of a satellite system are the satellite itself, the ground segment that controls it, and the connection between them. The cyber security of the system varies depending on the intended use. The security of military satellites is of the highest level. Only dedicated components are used in the manufacture of satellites, the connections are encrypted with algorithms for military use, and the ground segments are implemented in accordance with the standards of the armed forces. Commercial satellite systems also have a high level of security, however they also use commercial components and information systems, which can facilitate hacking.

The satellite design, implementation and launch into orbit, as well as the monitoring and application of satellite operations, is a complex entity involving hundreds of companies and other parties. Long supply chains and multi-supplier projects are always vulnerable, although strict corporate security controls are used to reduce the risk. Attempts made by China and Iran to break into the IT equipment of key personnel within the project organisation, and thereby gain access to the satellite project data itself, were recently made public.

After the turn of the century, there have been a handful of known cases in which an outsider has gained control of a satellite. For example, hackers managed to break into the British SkyNet satellite and demanded a ransom for the release of the satellite. The most well-known case is from 2008, when a Chinese hacking group reportedly got full control of two NASA satellites for a few minutes. In addition to this, cases have emerged in the late 2010s in which the information systems of the ground segment have been successfully infected with malware and the computers of key personnel have been successfully intruded. Interference and falsification of satellite signal information are the most likely cyber operations used to break into a satellite and its command systems.

Currently, almost every country’s armed forces are capable of interfering with satellites, and this is also within reach of cybercriminals. Disruption of telecommunications connections and location services is an almost daily activity, especially in war zones. In 2018, a GPS jamming operation carried out by Russia, in connection with an international military exercise, was also experienced in Finland. The effect of interference can be reduced, for example, by transmitting positioning signals at a higher power and at several different frequencies. GPS data forgery also occurs from time to time, which has been detected on several occasions in recent years, for example in maritime traffic. Disinformation can be prevented by encrypting the satellite signal and restricting the distribution of the encryption key to authorised personnel only, so that it cannot be falsified by a third party and thereby mislead the end user with incorrect location or time information. The European Union’s Galileo satellite positioning system is being built mainly to make the PRS service available to public authorities, which will be used to address the above-mentioned threats. In November 2020, the Finnish government decided that Finland will introduce this service when it is completed by the end of 2024.

Entities dependent on satellite services, such as maritime and air transport, use several parallel systems, so that interference with one system or falsification of data does not yet disrupt operations, even if they are significantly impaired. Thus, interference is of great importance as one of the means of hybrid operations, especially when several different methods are used to influence the function and stability of the object. Therefore, data interference and falsification can be predicted to increase in the future, especially as a component of hybrid operations. Despite the challenges mentioned above, the cyber security of satellite systems is at a high level.
Large-scale interference with or intrusion into satellite systems is usually only possible for state actors or entities supported by them. The development of cyber security in this sector is continuous, which is necessary, as the operational capacity of cybercriminals is constantly improving. Due to their critical nature, satellite systems will be a very attractive target in the future, both in terms of cyber influencing by states and as a target for cybercriminals.

Sources:
https://www.whitehouse.gov/presidential-actions/memorandum-space-policy-directive-5-cybersecurity-principles-space-systems/
https://spacenews.com/tag/cybersecurity/
https://www.hackasat.com/
https://www.thespacereview.com/article/3950/1
https://www.japcc.org/cyber-threats-to-space-systems/
https://www.cnbc.com/2018/06/19/china-based-hacking-breached-satellite-defense-companies-symantec.html
Falco, G. “Cybersecurity Principles for Space Systems”, 2018. Journal of Aerospace Information Systems.
Bailey et al. “Defending Spacecraft in the Cyber Domain”, 2019. Center for Space Policy and Strategy, The Aerospace Corporation.
Rajagopalan, R. “Electronic and Cyber Warfare in Outer Space”, 2019. The United Nations Institute for Disarmament Research.
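The safeguard described in this section, where users run several parallel positioning systems so that jamming or falsification of one does not stop operations, can be sketched as a consistency check. This is an added example, not material from the review; the source names (including an inertial source), the 200 m threshold and the sample coordinates are assumptions constructed for illustration.

```python
import math
from statistics import median

EARTH_RADIUS_M = 6_371_000.0


def distance_m(a, b):
    """Great-circle (haversine) distance in metres between two (lat, lon) fixes in degrees."""
    lat1, lon1 = math.radians(a[0]), math.radians(a[1])
    lat2, lon2 = math.radians(b[0]), math.radians(b[1])
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def cross_check(fixes, max_disagreement_m=200.0):
    """Compare fixes from parallel positioning sources.

    fixes maps a source name to (lat, lon) in degrees, or to None when the
    source has no fix (for example because its signal is jammed).
    The threshold is an assumed value, not one taken from any standard.
    """
    available = {s: p for s, p in fixes.items() if p is not None}
    unavailable = sorted(s for s, p in fixes.items() if p is None)
    result = {"status": "unverified", "position": None,
              "suspect": [], "unavailable": unavailable}

    if len(available) < 2:
        # Nothing to compare against: pass the lone fix on, marked unverified.
        result["position"] = next(iter(available.values()), None)
        return result

    # Component-wise median: with three or more sources, one falsified fix
    # cannot drag the reference point away from the sources that agree.
    # (Assumes the fixes do not straddle the +/-180 degree meridian.)
    ref = (median(p[0] for p in available.values()),
           median(p[1] for p in available.values()))
    suspect = sorted(s for s, p in available.items()
                     if distance_m(p, ref) > max_disagreement_m)
    trusted = [p for s, p in available.items() if s not in suspect]
    result["suspect"] = suspect

    if len(trusted) < 2:
        # Sources contradict each other and no pair agrees: trust none.
        result["status"] = "conflict"
        return result

    result["position"] = (sum(p[0] for p in trusted) / len(trusted),
                          sum(p[1] for p in trusted) / len(trusted))
    # Operations continue, but impaired, when a source is lost or rejected.
    result["status"] = "degraded" if (suspect or unavailable) else "ok"
    return result


# Constructed sample fixes (not real recordings).
HONEST = {"gps": (59.9000, 24.9000),
          "galileo": (59.9003, 24.9004),
          "inertial": (59.8998, 24.8997)}
SPOOFED_GPS = dict(HONEST, gps=(60.2000, 25.3000))  # falsified GPS fix
JAMMED_GPS = dict(HONEST, gps=None)                 # GPS signal lost

if __name__ == "__main__":
    for label, fixes in (("honest", HONEST), ("spoofed", SPOOFED_GPS),
                         ("jammed", JAMMED_GPS)):
        print(label, cross_check(fixes))
```

With only two sources that disagree, the check reports a conflict rather than picking one, which is why a third independent source matters for telling falsified data from honest data.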
4. CYBER SECURITY AS A PART OF THE MANAGEMENT TEAM AGENDA

1. According to a four-square analysis by the World Economic Forum, cyber security risks remain among the highest in probability and impact amidst all global risks. The spectrum of cyber risks is wide and management teams need to consider them from different perspectives as part of risk management and business strategy. The development of personnel’s cyber security competencies should also be the responsibility of a management team.
2. The biggest mistake of management is to treat cyber security as a one-time effort. Cyber security must be taken care of at an executive level as an ongoing process. Cyber risks and their impact need to be quantified and the level of cyber security should be measured regularly.
3. In addition to risk management and preparedness, the management team also has an important role to play when a cyber risk materialises. Management must have an action plan to manage the situation and restore operations. Communication also plays an important role in the company’s public image.
The World Economic Forum’s global risk forecast for 2020 indicates that cyber security risks remain in the highest quarter of all risks in terms of both probability and impact. In recent years, risks related to climate change have established themselves at the top of these forecasts, but cyber risks have ranked in the top five almost every year for the past decade. The World Economic Forum’s perspective on risk analysis is, of course, broader than what individual companies and organisations should be prepared for. Global risks affect companies in different sectors in different ways. For some companies, climate change can be a potential risk and for others, change can even create new opportunities. However, due to the increasingly rapid internationalisation and digitalisation of business, cyber risks will affect almost all companies, which should also be taken into account by the management team.

Management teams should have a holistic view of the various components of cyber security and their impact on their own business. After large-scale cyber-attacks and hacking, management teams often realise that they are at risk of being a target. Fear of the negative publicity associated with a cyber attack is enough to trigger management to introduce measures to reduce the risk. New cyber security standards and legislative initiatives will have the same effect, especially if there are significant sanctions for non-compliance. A good example of the latter is a data protection reform that took place a couple of years ago and prompted several companies to increase investment not only in the development of actual data protection processes, but also in improving cyber security. The recent Act on Information Management in Public Administration has also generated some activity, although direct sanctions are not as severe as in the area of data protection.

According to domestic observations, risks related to cyber security are often treated as one risk factor.
However, the nature and effects of cyber risks are multidimensional. The risk analysis should distinguish between, for example, cyber espionage, hacking, denial-of-service attack, and malware damage. In addition, the effects can be manifold, such as interrupting operations, leakage of product development information to a competitor, financial losses due to, for example, fraud or loss of service capacity, and the loss of reputation. The communication of risks and their effects to the management team must include all relevant information so that the management team can decide on appropriate measures to combat the risks. In recent years, according to latest international research, cyber security has gained a more important position on the management agenda. This year, it has also gained momentum due to the corona pandemic, as digitalisation has taken a giant leap in the operations of most companies. According to research done this autumn, the significance of risks related to cyber security rose to the top in management assessments leaving behind, for example, financial and business-risks. However, the significant position that
cyber security has on the agenda has proved to be a temporary achievement. Driven by new legislation or a major hack, the management team will commission an assessment of the current state of cyber security and launch measures to “get things right”. According to domestic observations, it often happens that after a momentary activity, the matter gradually disappears from the agenda and does not reappear unless something new and significant happens. The management team must ensure that the state and the areas of development of cyber security are regularly assessed and the development of the operating environment and performance is constantly monitored.

Management teams should receive regular information on cyber risks and the company’s ability to respond to them. According to a recent American study, the top three priorities of company management teams for cyber reviews are 1) understandable, non-technical language use, 2) quantitative analysis of cyber risks and their impacts, and 3) measurable development of a firm’s ability to combat cyber risks. The performance of cyber and risk management directors has improved in recent years as three out of five members of the management team feel that they understand almost everything presented in the cyber review. Simultaneously, however, reviews and reports are said to be too technical. Creating a link between cyber issues and quantitative values is difficult. From an economic point of view, possible threats and their effects cannot be assessed, and no proper metrics have been developed to monitor performance developments. These areas need to be improved so that management teams can guide cyber security work within their own roles. The goal should be to create good “cyber risk literacy” for management teams so that they can make the right decisions and guide the company’s actions for improvement by anticipating risks.
The role and responsibilities of management teams do not end with preparedness and minimising cyber risks. The true operational capability of a management team is tested when a serious cyber risk materialises. Smaller risks materialise on a daily basis in large organisations and are handled by cyber security managers and experts. The management team is informed of the materialisation and impact of minor cyber risks and of the corrective measures taken through routine reports, and there is no need for the management team to intervene in the details of such events. It is therefore important to create a clear division of labor for managing different levels of cyber risks and to give operational cyber professionals peace of mind at work. Management is responsible for practising crisis management and initiating measures quickly. The realisation of a cyber risk can trigger the security breach notification obligation defined in various regulations and legislation, in which case the issue quickly becomes a management-level issue. The notification required by the regulation itself is simple to make, but ultimately it is the responsibility of the company’s top management. Failure to notify is a serious breach of current data protection legislation and cyber security directives. Yet it still happens even in Finland, as was made public this autumn. An important task of the management team is therefore to ensure that the notification process works sufficiently. Even in a serious case, it is a good idea to leave the operational defence against cyber violations to experts. The involvement of authorities is again the task and decision of the management team. The success of external communication almost completely determines the company’s future image and whether the financial consequences will be short-term or long-term.
Adherence to the facts, the protection of a company’s customers and other confidential information and the rapid restoration of operational viability give the public the impression that the company’s management is prepared for potential cyber risks and has ensured that it is capable when faced with a crisis situation. Strategic understanding of the cyber world phenomenon and the capability to combat cyber risks should be routine for management teams.
Sources:
https://hbr.org/2020/09/does-your-board-really-understand-your-cyber-risks
https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/publication/T_KyberHV_digiAUK_220120.pdf
Internet Security Alliance, Cyber Risk Oversight 2020 – Key Principles and Practical Guidance for Corporate Boards in Europe, 2020.
PwC, Global Digital Trust Insights Survey 2021 – Cybersecurity Comes of Age, 2020.
World Economic Forum, The Global Risks Report 2020, 2020.
5. THE CYBER SECURITY OF CLOUD SERVICES
1. Introducing a cloud service is about trusting the service provider. If trust is in place, cloud services almost invariably offer better cyber security than your own IT environment.
2. Defining responsibilities and understanding them correctly is a key part of implementing cyber security in cloud services. With written agreements, misunderstandings about the division of responsibilities and preparation for problem situations can be avoided.
3. The use of cloud services is also possible for public administration services if risk analysis favours it as a solution. Standards guiding cyber security can also be used to support decision-making.
Cloud services are an integral part of digitalisation. Most of us have unknowingly switched to cloud services in the form of iCloud, Samsung Cloud or OneDrive, for example. The benefits offered by cloud services, such as cost-effectiveness, flexibility and scalability, enable new, more agile operating models. Cloud services are quickly becoming the default option in the production of IT services, and the creation of new technological platforms and digital services in local data centres is more of an exception. As with any IT outsourcing, deploying a cloud service is about the customer’s trust in the service provider. If necessary, servers, telecommunication connections, data storage and/or processing, as well as maintenance tasks can be outsourced to the cloud service. The higher the degree of trust, the more components can be outsourced to the service provider. Typically, in a cloud service, several different customers use the same IT resources. There are also private cloud services available in which the customer is offered dedicated solutions beginning from the hardware level. The services are packaged in a so-called hybrid solution, in which some of the services are produced from shared capacity and other parts from a private service. In addition, in cloud service implementation models, it is possible to choose whether to outsource only infrastructure, operating systems or also applications and services and their maintenance. These are the so-called IaaS, PaaS, and SaaS service models. From a cyber security perspective, the question arises as to how security is implemented and how to ensure that other customers or completely outside parties do not gain access to outsourced data or services. In most cases, a cloud service provider is able to implement a higher level of cyber security than the customer organisation with its limited cyber security resources. The core business of the service provider is the efficient and secure provision of cloud services, and all resources and processes are allocated to this core business.
With cloud services, it is possible to invest more effectively in the physical security of servers, service availability, continuity, operating system upgrades, and other important cyber security functions than in an organisation where IT services play a supporting role. Thus, service providers have the resources and know-how to implement cyber security at a high level, but what about trust? Can a third party be trusted to manage cyber security at a high standard, and can critical IT resources be outsourced to it effectively? The reliability of IT services can usually be measured in two ways. We can rely on the operator’s reputation, certificates and other third-party assessments. This is usually the case for large, international service providers, where it is not practically possible for customers to check the quality of services and cyber security themselves. Another option is to use smaller service providers that are familiar to the customer, with whom trust can also be built through personal communication and contact. Regardless of trust, a contract should always be drawn up. In addition to commercial and operational quality conditions, the division of responsibilities between the parties plays an important role, especially in matters related to cyber security. It is a big mistake to think that, for example, an ISO27k-certified operator handles all cyber security related tasks. The closer we get to the hardware and operating system level, the more responsibility the service provider usually has. Typically, the customer is responsible for at least the cyber security of the terminals as a whole, as well as the definition and management of access rights for both applications and data usage. Dialogue between the service provider and the customer is important to ensure that the service is configured correctly and is therefore functional and secure. There are more detailed definitions in public administration for assessing the reliability of cloud services.
In its guidelines issued in 2018 and 2020, the Ministry of Finance has come to rather positive conclusions about the use of cloud services. According to these guidelines, “there are no barriers to choosing to use cloud services, as long as it takes into account the requirements in the same way as normal ICT procurement” (VM, 2018). Careful risk analysis is, of course, necessary when considering a cloud service model. Obstacles, or at least challenges, to the use of cloud services can be caused by high demands on service continuity or confidentiality, as well as problem situations related to various regulations. It is possible for the cloud service provider to have access to all basic information processed in the service. If the service processes or stores confidential information, it can be protected by encryption. For the public administration, the requirements for ensuring confidentiality are described in the Criteria for Assessing the Information Security of Cloud Services (PiTuKri) published by the Cyber Security Center last year. According to it, a cloud service containing security class IV information must be, with all its components, located entirely in Finland, but it can be provided by a private service provider. For security class III information, the internal cloud service of the organisation can be used. In some cases, a so-called community cloud, such as a cloud service shared by the same administrative sector, is possible. For example, Valtori has created different cloud service products for various customers in public administration, in accordance with their security requirements,
The G-Cloud project, launched in 2011 by the UK government, is a good example of implementing a community cloud. Public administration ICT resources are centralised so that all branches of government procure their ICT services from their G-Cloud community cloud service. The services are provided by separately agreed public administration organisations, for example Government Digital Service provides ERP services and British Council CRM services. If the security class allows it, the services can also be implemented as a hybrid model, in which case public cloud services managed by G-Cloud can be used. Naturally, some public services remain outside the cloud due to high security standards, but in general, the “cloud first” principle launched in the British Public Administration has led most branches of government to switch to cloud services. The country in which the services are provided is an important factor in assessing the continuity of the service in different situations. International service providers usually have well-established recovery plans in case of various accidents and natural phenomena, in which case the location of the service is not that relevant from a continuity perspective. However, crisis situations that threaten national security are different. In these situations, network connections may be restricted within Finland’s geographical borders. Many critical infrastructure companies as well as public administration organisations must also be able to operate in situations that threaten national security, in which case a domestic service provider is the only possible option. In terms of regulations, data protection legislation is the most important factor determining the choice of cloud service. In most cases, the production of the service and the processing of data must take place within the EU or in separately approved countries whose data protection practices are at the same level as in Finland. 
For this reason, several international service providers have set up service centres in the EU to provide cloud services to European customers.
Sources:
Traficom / Kyberturvallisuuskeskus. Pilvipalveluiden turvallisuuden arviointikriteeristö (PiTuKri), 2019.
Valtiovarainministeriö. Julkisen hallinnon pilvipalvelulinjaukset, 2018.
Valtiovarainministeriö. Tuottavuutta pilvipalveluilla, 2020.
Huoltovarmuusorganisaatio, Digipooli. Kyberhäiriötilanteet, varautuminen ja toiminta, 2019.
https://www.isc2.org/-/media/ISC2/Landing-Pages/2020-Cloud-Security-Report-ISC2.ashx
https://www.gov.uk/guidance/g-cloud-suppliers-guide
https://www.ncsc.gov.uk/collection/cloud-security
Quarterly Review Q4/2020
1. Country analysis: Africa
2. Developing cyber skills at the individual level
3. Cyber security of satellites
4. Cyber security on the agenda of management teams
5. The cyber security of cloud services
The country analysis for the last quarter of the year this time covers an entire continent: Africa. The cyber security of this group of 54 states is currently in a much weaker position than elsewhere in the world. Training in the cyber field is so far scarce, citizens’ cyber skills are undeveloped, pirated software is in common use and cybercrime is growing. Other states and international cybercriminals use Africa as a platform for their operations, mainly because of inadequate legislation and cyber defence capability. Africa’s technology vacuum interests China and Russia, which have indeed succeeded in spreading their own technology in the region. As our second topic we look at the cyber skills of the individual and the possibilities for developing and measuring them. Citizens’ cyber skills are important not only to the person themselves but also as a key component in developing national crisis tolerance and resilience. The level of citizens’ cyber skills is directly proportional to the development of digitalisation. In highly digitalised societies, citizens’ cyber skills and awareness are also at a better level than in countries at a low level of development. There is a shortage of cyber security professionals everywhere in the world. Training is fragmented and an overall picture is difficult to obtain. Established certificates are valued, but the quality and price of courses vary considerably. Our third topic delves into cyber security in space. For now the topic centres on satellites and the systems that support them, but space tourism, at least on a small scale, will also be possible in the near future. The key cyber threats to satellite systems are signal jamming and the falsification of data, i.e. spoofing. Interference with satellite systems has also been used as an instrument of hybrid influencing, and its likelihood will increase in the future. The cyber security of satellite systems is generally at a high level, and penetrating them is possible mainly for state actors or groups supported by them. Continuous development of cyber security is nevertheless necessary, because the capabilities of cybercriminals are also improving all the time. The participation and responsibility of company management in implementing cyber security has been much discussed in public this year in particular. Various cyber crises have shaken several companies, and with good reason the actions of management have then been assessed closely. Responsibility for cyber security begins with the board, and the management team already has a quite concrete role in implementing cyber security. The biggest mistake management teams make is to treat cyber security as a one-off effort. Cyber security must be looked after at management team level as a continuous process. Cyber risks and their impact must be quantified, and the level of cyber security must be measured regularly. When a cyber risk materialises, the share of communications in the management team’s work grows. Our final topic assesses the security of cloud services. Introducing a cloud service is ultimately about trust in the service provider. If trust is in place, cloud services can, at least in the private sector, almost invariably offer better cyber security than an IT environment under one’s own control. Defining responsibilities and understanding them correctly are a key part of implementing cyber security in cloud services. Contracts prevent misunderstandings about the division of responsibilities and make it possible to prepare for problem situations. Cloud services can be used in public administration after careful risk analysis. Standards guiding cyber security can also be used to support decision-making.
1. COUNTRY ANALYSIS: AFRICA
1. China and Russia have a geopolitical interest in Africa, and both trade with various African countries and make investments. Commercial activity gives both countries a good opportunity to influence technology choices as well, which may advance both countries’ cyber influencing objectives.
2. Cyber warfare capabilities in African countries are still at a low level. Nigeria is emerging as Africa’s leading country in cyber warfare.
3. Africa is in every respect fertile ground for cybercrime and cyber espionage. At the societal level there has not been sufficient investment in cyber security, and few countries have a cyber strategy or cyber legislation. Citizens’ cyber skills and companies’ investments in cyber security are at a low level, and no rapid improvement in the situation is to be expected.
Africa is a group of 54 countries that, from a cyber security perspective, differs in many ways from other continents. The telecommunications and IT infrastructure is undeveloped, and technical expertise is very much in the hands of companies and states from outside Africa. The same is true of other critical infrastructure. Information systems and equipment come almost entirely from outside the continent; there is no domestic production. The situation could be characterised as typical of former colonies, where expertise was in the hands of the colonial power and know-how was not transferred to the local population. Several former colonies in Asia, with India as the prime example, have been able to turn the situation around and are currently world-leading producers of ICT technology and services. African countries have not been able to develop technology and skills capital as effectively, and in cyber security they remain highly dependent on external actors. The technology and skills vacuum has increased foreign investment in Africa in recent years. Of the old colonial powers, the United Kingdom, France and the Netherlands, together with the United States, are generally at the top of foreign investment, but recently China has also caught up to join the most active investors. In addition to investment, China is an active trading partner of several countries and has actively participated in high-technology projects in Africa. Chinese network technology has been used in building telecommunications infrastructure, and several positioning systems built in Africa are based on the Chinese BeiDou navigation service. Alongside China, Russia is also an active trading partner, especially for the countries of North Africa. Russia exports arms to several African countries and has taken part in training local armed forces. In addition, Russia, like China, has shown interest in exporting high technology.
The interest of states from outside the continent in Africa is directed mainly at its natural resources, for example oil, agricultural raw materials and mining. Africa currently has a technology vacuum in many areas, which makes it fertile ground for the spread of high technology as well. Whereas the United States and much of Europe shun, say, Chinese network technology, in Africa it is welcomed with open arms. Africa thus offers China and Russia an excellent platform for their own cyber influencing objectives, which Western powers would do well to keep in mind when operating in Africa.
The cyber capability of the armed forces of African countries has developed in recent years, but capabilities are still at a very early stage. In the mid-2010s the defence ministries of various countries woke up to the need to develop defensive cyber capability in particular, and in the last few years a few countries have established their first cyber warfare units. In this area Nigeria is one of the most advanced African countries. The Nigerian army has announced that this year it will also practise cyber warfare in its annual main military exercise, Exercise Crocodile Smile. The exercise is being held in late 2020 and is reportedly the first cyber warfare exercise ever organised by the armed forces of an African country. Pressure to develop cyber defence has come from two directions. Other states and also international cybercriminals have exploited Africa’s undeveloped cyber defence capability by channelling cyberattacks through African countries. African countries want to prevent their telecommunications infrastructure from being used as a platform for the operations of state actors and cybercriminals. The other factor is the growing use of cyberspace in the activities of local criminal and terrorist groups. In Nigeria, for example, the terrorist organisation Boko Haram makes effective use of cyberspace in recruiting members and spreading its message, and the state security authorities want to address the situation by means of cyber influencing. Cyber capability is being improved continuously in the armed forces of various countries, but progress has so far been slow. The number of African Internet connections is rising faster than citizens’ cyber skills are developing. At the beginning of 2020 there were about 570 million Internet users in Africa, representing a share of just over 40% of the total population. The number of Internet users is forecast to exceed one billion by the end of the 2020s. The weak level of citizens’ cyber skills is a widely recognised problem.
Every day thousands of Africans connect a second-hand IT device to the Internet for the first time in their lives without guidance or know-how about the basics of cyber security. The situation is not much better in the business world either. Employees with practical cyber security experience are few and far between. ISACA, the international organisation that certifies information security professionals, estimates that fewer than five per cent of all the world’s information security certificate holders live on the African continent. Africa leads the world in the use of pirated software, and in Libya and Zimbabwe, for example, as many as 90% of operating systems have been estimated to be unlicensed copies. If an operating system has no licence, it also does not receive vital security updates, and the IT device is then quickly infected with viruses and malware. In addition to weak protection, cybercriminals are also attracted to Africa by the lack of cyber legislation. About half of African countries have cyber legislation in force or in preparation. Cybercriminals have been observed to shift their area of operation as legislation develops. When the government has managed to enact cyber security legislation with sanctions, criminals have moved to the territory of a country in a weaker position. Admittedly, resources for investigating cybercrime are also scarcer in Africa than elsewhere in the world, so legislation as such is not a very strong deterrent. Cybercrime is growing rapidly in Africa, and unfortunately no quick turn for the better can be predicted. Opportunities for cyber security training are increasing slowly. Improved know-how brings more of the much-needed cyber security workforce, but also makes it possible to use the skills for criminal activity. The development of cyber security legislation and other societal activity are important factors in changing attitudes, so that the development of the coming generation of cyber experts in the right direction can be ensured.
About a year ago the African Union established a cooperation body, the African Union Cybersecurity Expert Group (AUCSEG), whose purpose is to accelerate cooperation projects between countries. The group’s work is still at an early stage and its resources are limited, so the positive effects will probably be seen only in the longer term.
Sources:
https://www.tandfonline.com/doi/full/10.1080/1097198X.2019.1603527
https://army.mil.ng/?p=3659
https://www.defenceweb.co.za/cyber-defence/armscor-cybersecurity-unit-up-and-operational/
https://www.serianu.com/downloads/KenyaCyberSecurityReport2018.pdf
2. DEVELOPING CYBER SKILLS AT THE INDIVIDUAL LEVEL
1. The level of citizens’ cyber skills is directly proportional to the development of digitalisation. In highly digitalised societies, citizens’ cyber skills and awareness are also at a better level than in countries at a low level of development. Regular cyber security campaigns support positive development, and investment in developing their content should continue in the future.
2. There is a shortage of cyber security professionals everywhere in the world. Training is fragmented and an overall picture is difficult to obtain. Established certificates are valued, but the quality and price of courses vary considerably. Degree-oriented teaching focused on cyber security, and the integration of cyber studies into other higher education studies, should be increased to close the skills gap.
3. Employees’ cyber skills are key to implementing a company’s cyber security. Companies’ internal cyber security training and communication should be made more effective so that employees know their responsibilities and are able to act correctly in different situations.
4. The importance of cyber security to a company’s business has reached the awareness of decision-makers particularly in connection with data breaches. There is a need for independent, strategy-driven cyber training so that decision-makers understand the importance of cyber security to the company’s overall strategy and preparedness.
Citizens’ cyber skills are important not only to the person themselves but also as a key component in developing national crisis tolerance and resilience. Personal cyber skills are needed to protect one’s own IT devices appropriately and to use digital services in such a way that they do not become a threat to privacy or to other aspects of cyber security. The cyber operating environment is one of the key instruments of hybrid influencing. By means of fake news, data breaches and malware attacks, for example, it is possible to destabilise society if citizens do not recognise disinformation and are unable to protect themselves against large-scale cyberattacks or other cyber crises. Citizens’ basic cyber security skills depend directly on the level of development of digitalisation and of general IT competence. Basic skills are weakest in countries taking their first steps in digitalisation. An example, also featured in this review, is the many African countries where thousands of people a day get their hands on an Internet-connected computer or smartphone for the first time. Within the reach of inexperienced people are mainly global commercial services and, of course, social media, which they start using immediately without awareness of proper security. In highly digitalised countries, public administration digital services with strong authentication are available and basic cyber security practices are followed at work, so the starting point for cyber security is naturally at a higher level. Regular cyber security campaigns are a good way to maintain and develop basic cyber security skills. Such campaigns have been organised annually in Finland too, for example in the form of the national information security day. In recent years the Cyber Security Center has done excellent work in spreading cyber awareness among citizens.
This work is also supported by European-level activities, for example in the form of the cyber security month held every October. Repeated cyber communication may feel tedious, but it must nevertheless be repeated and developed further so that cyber crises such as data breaches and malware attacks are not the only wake-up calls for citizens. The shortage of information and cyber security professionals has grown rapidly. ISC2, an American provider of certification services in the field, estimates that the global workforce need has grown to about four million cyber security experts, whereas the figure was a million lower just a year ago. According to the same study there are about three million cyber experts in work, so the need is more than double compared with the current workforce. The training of cyber security professionals has long been based on commercial courses and various kinds of supplementary training. Commercial certificates, sometimes very different in content, have been the only measures of professional competence in the absence of a more general assessment framework. The actual degree studies of information security professionals are at various levels. The most typical background is a degree at some level in computer science or technical studies, but people with other educational backgrounds also work in cyber security expert roles. Cyber security is also one of the few fields in which it is still possible to succeed purely on the basis of an active hobby. Active interest as a hobby, retraining for a new profession or extending basic studies with further studies is always to be recommended, but it also produces a quite varied range of competence backgrounds among cyber security professionals. In recent years study programmes focused on information and cyber security have been launched in various countries. Finland has been a pioneer in this area, and master’s and other degree programmes in cyber security are available at higher education institutions and other educational establishments.
Elsewhere in Europe too, for example in the United Kingdom and Spain, it is now possible to study for a first degree in cyber security. First-degree teaching specialising in cyber security must indeed be expanded quickly so that the labour shortage can be remedied and the competence level of cyber professionals harmonised. In addition to citizens and cyber professionals, the third significant group is the employees of companies and organisations. Companies’ cyber policies are based on a company-specific risk analysis, and controls and operating principles are defined on the basis of the risk analysis. Regardless of their general cyber security skills, employees must be able to follow the company’s own cyber security rules. In a digitalising world cyber security is a civic skill, and the perspective should be embedded in, for example, almost all business education. General cyber security know-how is useful, but in addition one must know concretely how, for example, to handle files of different security classes, or how to act and whom to notify about malware. Cyber security training in, for example, critical infrastructure companies and organisations is generally at a good level. Training has traditionally been organised as instructor-led sessions or as self-study in digital form. Training courses are defined as mandatory, but participation in them is often not monitored sufficiently. In addition, training is often provided a very long time after the start of employment, when it should be provided as part of induction during the first days of employment. Measuring cyber competence is rarer. Measurement is often arranged as a test taken at the end of a digital course, in which a sufficient number of correct answers must be given or the exam has to be retaken. Measuring competence or performance levels is rare in the cyber security field in general, and metrics should be developed in this area too. The fourth important group for cyber training is general managers, for example in business and politics. Various crisis situations in the form of data breaches, malware or attacks on availability have brought the importance of cyber security concretely to the attention of decision-makers. Decision-makers must of course master basic cyber security skills just like any other employee, but particular understanding is needed in linking cyber security to the company’s strategy and to developing preparedness accordingly. Decision-makers are of course assisted by managers specialising in cyber security, but strategic understanding of cyber security is also needed in the same way as in steering finance or production. Cyber security companies offer a surprising amount of cyber security training aimed at decision-makers. These events are often two- to three-hour briefings in which the factual content is often combined with a commercial message about the company’s product range.
There would be a broad need for independent, strategy-driven cyber training in both public administration and the private sector.
Sources:
Cybersecurity Skills Development in the EU, 12/2019. ENISA.
Cybersecurity Workforce Study 2020, ISC2.
Wang & Wang. Knowledge Management for Cybersecurity in Business Organizations: A Case Study, 4/2019. Journal of Computer Information Systems.
Kabanda et al. Exploring SME cybersecurity practices in developing countries, 2018. Journal of Organizational Computing and Electronic Commerce.
https://www.enisa.europa.eu/news/ecsm-2020-files/ecsm-2020-fi.pdf
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kyberturvallisuuden-superkuukausi-taalla-taas
https://ec.europa.eu/digital-single-market/en/policies/digital-skills
https://cybersec4europe.eu/addressing-the-shortage-of-cybersecurity-skills-in-europe/
3. CYBER SECURITY OF SATELLITES
1. The use of space and satellites in research and in providing telecommunications services is growing. The supply of satellite positioning is growing. Satellite systems are complex entities that often form the critical point of a service, which makes satellites an attractive target for cyber influence operations.
2. The lack of standardisation for the cyber security of satellite systems has been a significant weakness in the development of cyber security, but the matter has gained new momentum now that the United States published cyber security principles for space systems this autumn.
3. The key cyber threats to satellite systems are signal jamming and the falsification of data, i.e. spoofing. Jamming of satellite systems has also been used as a tool of hybrid influence, and its likelihood will increase in the future.
Telecommunications services and research in various fields have made use of space since the last century. Satellites make it possible to offer services that would be impossible or difficult to implement without the use of space. Satellite phone calls and television broadcasts are examples, familiar to all of us, of services that have enabled tele- and data communications around the world for decades. GPS and other positioning services are today within reach of every smartphone user, and a large share of the Internet's intercontinental traffic travels via satellites. The market for satellite-based services has in recent years exceeded one hundred billion US dollars and is growing moderately, at a few per cent a year. There are currently just under three thousand operational satellites in space, most of which are controlled by the United States. The majority of satellites are in commercial use, and the most common services are telecommunications, positioning, remote sensing and the collection of various measurement data, for example for weather forecasts. About 10% of satellites are in military use, their main purpose being the collection of intelligence and the relaying of military communications.
A satellite system is often the most critical component of a service chain. Satellites are used, for example, in telecommunications services that are not cost-effective or possible to implement with a terrestrial network. Consequently, no backup system has been implemented either, or its coverage and effectiveness are poor. Positioning systems are another example of services that are difficult to replace by other methods with equivalent effectiveness. A successful cyber attack on a single target can have a large impact, which increases the attractiveness of satellite systems as a target of cyber influence operations.
Cyber security standardisation for satellite systems is at a development stage. Most standards regulate the security of ground stations, and between them and satellites, from a broader perspective, and cyber security has been addressed as part of these standards. In addition, criteria have been drawn up for assessing the security of a satellite project's subcontractors. The lack of dedicated cyber security standardisation has been felt to be a significant weakness in implementing the cyber security of satellite systems. Standardisation gained momentum this autumn when President Trump's administration published high-level cyber security principles for space systems, in accordance with which the actual standardisation work in the United States will proceed.
The basic parts of a satellite system are the satellite itself, the ground segment controlling it, and the links between them. The system's cyber protection varies according to its purpose. The protection of military satellites is at the highest level. Only dedicated components are used in manufacturing the satellites, the links are encrypted with algorithms intended for military use, and the ground systems are implemented according to the standards of the armed forces. The protection of commercial satellite systems is also at a high level, but these also use commercial components and information systems, which can make it easier to break into the system. The design, implementation and launch into orbit of a satellite system, together with monitoring and operating the satellite, is a complex whole involving hundreds of companies and other parties.
Long supply chains and multi-vendor projects are always vulnerable, even though the risk is reduced by strict corporate security audits. In recent years, at least attempts backed by China and Iran to break into the IT devices of key personnel in project organisations, and through them to gain access to the data of the satellite project itself, have become public. A handful of cases are known from this millennium in which an outside party has gained control of a satellite. Right at the turn of the millennium, hackers managed to break into a satellite of the British SkyNet and demanded a ransom for releasing the satellite. The most famous case is from 2008, when a reportedly Chinese hacker group gained complete control of two NASA satellites for a few minutes. In addition, cases are known from the late 2010s in which information systems of the ground segment were successfully infected with malware and the computers of key ground station personnel were successfully penetrated.
More likely forms of cyber influence than breaking into a satellite and its command systems are jamming and the falsification of the satellite's signal data. The armed forces of almost every country are currently capable of jamming satellites, i.e. of a denial-of-service attack, and the capability is also within reach of cyber criminals. Jamming of telecommunications links and positioning services is an almost daily activity, particularly in theatres of war. Finland, too, experienced a GPS jamming operation carried out by Russia in 2018 in connection with an international military exercise. The effect of jamming can be reduced by, among other things, transmitting positioning signals at higher power and on several differing frequencies. Falsification of GPS data also occurs from time to time, and several observations of it have been made in recent years, for example in maritime traffic.
Deception can be prevented by encrypting the satellite signal and restricting distribution of the encryption keys to authorised users only, so that a third party cannot forge the signal and thereby mislead the end user with incorrect position or time information. The European Union's Galileo satellite navigation system is being built to include the PRS service, aimed mainly at authorities, in which these threats have been taken into account. The Finnish government decided in November 2020 that Finland will adopt this service when it is completed by the end of 2024. Parties dependent on satellite services, such as maritime and air traffic, use several parallel systems, so jamming or data falsification in one system does not yet interrupt operations, although it hampers them significantly. Jamming thus has great significance as one tool of hybrid influence, when the aim is to affect a target's operations and stability by several different methods. Jamming and data falsification can therefore be predicted to increase in the future, particularly as a component of hybrid influence.
Despite the challenges mentioned above, the cyber security of satellite systems is at a high level. Large-scale jamming of satellite systems or breaking into them is generally possible only for state actors or parties backed by them. Cyber security development in this area is continuous, which is indeed necessary, as the capabilities of cyber criminals improve constantly. Because of their criticality, satellite systems will in future be a highly attractive target both for states' cyber influence operations and for cyber criminals.
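The point about parallel systems can be made concrete on the receiver side. The following Python code is an added example, not from the article or any product it names: it compares fixes from independent constellations with each other and with the last trusted position, so that a jammed or spoofed system is set aside while the others keep the service running. The coordinates, thresholds, vessel speed and the GLONASS entry are constructed assumptions.

```python
"""Cross-check fixes from independent GNSS constellations (added example).

All coordinates, thresholds and system names below are constructed sample
values, not measurements or settings from the article.
"""
import math
from statistics import median

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def assess_epoch(fixes, last_trusted, dt_s, max_speed_mps=15.0, max_spread_m=50.0):
    """Classify one measurement epoch.

    fixes        -- {system: (lat, lon)}, or None for a system without a fix
    last_trusted -- last accepted position, dt_s seconds ago
    Returns the lost, suspect and trusted systems, the accepted position
    (None when nothing can be trusted) and an overall status.
    """
    lost = sorted(s for s, pos in fixes.items() if pos is None)
    live = {s: pos for s, pos in fixes.items() if pos is not None}

    # Step 1, physical plausibility: the vessel cannot have moved further
    # than its top speed allows since the last trusted position.
    reach_m = max_speed_mps * dt_s + max_spread_m
    plausible = {s: p for s, p in live.items()
                 if haversine_m(last_trusted, p) <= reach_m}

    # Step 2, mutual consistency: a fix far from the median of the others
    # is not used, even if the jump itself was physically possible.
    trusted = {}
    if plausible:
        centre = (median(p[0] for p in plausible.values()),
                  median(p[1] for p in plausible.values()))
        trusted = {s: p for s, p in plausible.items()
                   if haversine_m(centre, p) <= max_spread_m}
    suspect = sorted(set(live) - set(trusted))

    position = None
    if trusted:
        position = (median(p[0] for p in trusted.values()),
                    median(p[1] for p in trusted.values()))

    if not live:
        status = "outage"          # every system lost, e.g. wide-band jamming
    elif not trusted:
        status = "no-consensus"    # fixes exist but none can be accepted
    elif len(trusted) == 1:
        status = "single-source"   # usable, but no cross-check is possible
    elif lost or suspect:
        status = "degraded"        # keep operating, raise an alert
    else:
        status = "ok"
    return {"status": status, "lost": lost, "suspect": suspect,
            "trusted": sorted(trusted), "position": position}


# Constructed epochs, 10 s after LAST_TRUSTED, for a vessel in the Gulf of Finland.
LAST_TRUSTED = (60.1000, 24.9000)
SAMPLE_EPOCHS = {
    "normal": {"GPS": (60.1005, 24.9003), "Galileo": (60.1005, 24.9004),
               "GLONASS": (60.1006, 24.9003)},
    "gps_jammed": {"GPS": None, "Galileo": (60.1005, 24.9004),
                   "GLONASS": (60.1006, 24.9003)},
    "gps_jump": {"GPS": (60.2000, 25.1000), "Galileo": (60.1005, 24.9004),
                 "GLONASS": (60.1006, 24.9003)},
    "gps_slow_drift": {"GPS": (60.1005, 24.9020), "Galileo": (60.1005, 24.9004),
                       "GLONASS": (60.1006, 24.9003)},
    "all_lost": {"GPS": None, "Galileo": None, "GLONASS": None},
}


def run_samples():
    """Assess every constructed epoch against LAST_TRUSTED."""
    return {name: assess_epoch(fixes, LAST_TRUSTED, dt_s=10.0)
            for name, fixes in SAMPLE_EPOCHS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:15s} {result['status']:13s} lost={result['lost']} "
              f"suspect={result['suspect']}")
```

The slow-drift epoch is the case that a speed check alone misses: the falsified fix is physically reachable, and only the comparison with the other constellations exposes it.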
Sources:
https://www.whitehouse.gov/presidential-actions/memorandum-space-policy-directive-5-cybersecurity-principles-space-systems/
https://spacenews.com/tag/cybersecurity/
https://www.hackasat.com/
https://www.thespacereview.com/article/3950/1
https://www.japcc.org/cyber-threats-to-space-systems/
https://www.cnbc.com/2018/06/19/china-based-hacking-breached-satellite-defense-companies-symantec.html
Falco, G. "Cybersecurity Principles for Space Systems", 2018. Journal of Aerospace Information Systems.
Bailey et al. "Defending Spacecraft in the Cyber Domain", 2019. Center for Space Policy and Strategy, The Aerospace Corporation.
Rajagopalan, R. "Electronic and Cyber Warfare in Outer Space", 2019. The United Nations Institute for Disarmament Research.
CYBER SECURITY ON THE AGENDA OF MANAGEMENT TEAMS
1. According to the World Economic Forum's four-quadrant analysis, cyber security risks remain in the quadrant of highest likelihood and impact among all global risks. The range of cyber risks is wide, and management teams must take their different perspectives into account as part of risk management and business strategy. Developing staff cyber security competence must also be the responsibility of management teams.
2. The biggest mistake management teams make is to treat cyber security as a one-off effort. Cyber security must be looked after at management team level as a continuous process. Cyber risks and their impact must be quantified, and the level of cyber security must be measured regularly.
3. In addition to risk management and preparedness, the management team also has an important role when a cyber risk materialises. The management team must have an action plan for managing the situation and restoring operations. Communication also plays an important role for the company's public image.
The World Economic Forum's global risk forecast for 2020 states that risks related to cyber security remain in the highest quadrant in terms of both likelihood and impact. In recent years, risks related to climate change have established their position at the top of the forecasts, but cyber risks have ranked in the top 5 almost every year over the past decade. The World Economic Forum's perspective on risk analysis is of course broader than what individual companies and organisations need to prepare for. Global risks affect companies in different sectors in different ways. For some companies climate change may be a potential risk, and for others the change may even create new opportunities. Because of the ever faster internationalisation and digitalisation of business, however, cyber risks affect almost all companies, which must also be taken into account in management team work. Management teams should have a comprehensive view of the different components of cyber security and their effect on their own company's business.
After major cyber attacks and data breaches, management teams often wake up to the question of whether the same could happen to them. Fear of a cyber risk that has received negative publicity materialising easily triggers management-team-level measures to prevent the risk. New cyber security standards and legislative initiatives have the same effect, especially if non-compliance can lead to significant sanctions. A good example of the latter is the data protection reform of a couple of years ago, which led many companies to increase investment not only in developing their actual data protection processes but also in improving cyber security. The recent Information Management Act (tiedonhallintalaki) has also prompted a little activity, although the direct sanctions associated with it are not as heavy as in the area of data protection.
According to domestic observations, risks related to cyber security are often treated in risk analysis as one single risk factor. However, the forms and effects of cyber risks are multidimensional. A risk analysis should distinguish between, for example, cyber espionage, data breach, availability attack and damage caused by malware. In addition, the effects can be manifold, for example interruption of operations, leakage of product development data to a competitor, financial losses for example in connection with fraud or as reduced service capability, and loss of reputation. Communication of risks and their effects to management team level must include all relevant perspectives, so that the management team can decide on appropriate measures to counter the risks.
According to the most recent international studies, cyber security has gained more space on management teams' agendas in recent years. This year the matter has also been accelerated by the coronavirus pandemic, because of which digitalisation has taken a giant leap in the operations of most companies. According to the studies, this autumn risks related to cyber security rose to first place in management teams' assessments, leaving behind, for example, financial and competitor-related business risks.
Often, however, the increased space on the agenda has proved to be a temporary achievement. Spurred by new legislation or a major data breach, the management team commissions an assessment of the current state of cyber security and launches an action programme to "get things in order". According to domestic observations, it often happens that after momentary activity the matter gradually drops off the agenda, and nobody wakes up to the situation unless something new and significant happens. The management team must ensure that the state of cyber security and the areas for development are assessed regularly and that the development of the operating environment and of performance is monitored continuously.
Management teams must regularly receive information on cyber risks and on the company's ability to respond to them. According to a recent American study, management teams' top 3 wishes for cyber briefings are 1) understandable, non-technical language, 2) quantitative analysis of cyber risks and their effects, and 3) measurable development in the company's ability to counter cyber risks. The presentation skills of cyber and risk management leaders have improved in recent years, as three out of five management team members feel they understand almost everything presented in a cyber briefing. At the same time, however, briefings and reports are said to still be too technical. Linking cyber matters to numbers is at a weaker level. Threat scenarios and their effects cannot be assessed from a financial perspective, and no proper metrics have been drawn up for tracking the development of performance. These areas must be improved so that management teams can steer cyber security work within their own role. The goal should be to create good "cyber risk literacy" in management teams, so that the right decisions can be made and the company's improvement measures can be steered in anticipation of risks.
The role and responsibility of management teams does not end with preparedness and minimising cyber risks. A management team's real capability is tested when a serious cyber risk materialises. Minor risks materialise in large organisations daily, and cyber security managers and experts are responsible for handling them in practice. The management team is informed of the materialisation of minor cyber risks, their effects and the corrective measures through regular reporting, and it does not need to intervene in the details of such events. It is therefore important to create a clear division of labour for managing cyber risks of different levels and to let operational cyber professionals work in peace.
Management's responsibility lies in practising crisis management and in launching measures quickly. The materialisation of a cyber risk may exceed the reporting threshold for a security breach defined in various regulations and legislation, in which case the incident quickly becomes a management-team-level matter. The notification required by the regulations is in itself easy to make, but ultimately the company's top management is responsible for that too. Neglecting the notification obligation is a serious offence in the era of current data protection legislation and network security directives. Yet it happens in Finland too, as we have heard in the media this autumn. An important task of the management team is therefore to ensure that the notification process works properly. Operational countering of a cyber breach is best left to experts even in a serious case.
Involving the authorities in the case, on the other hand, is a management-team-level task and decision. The success of external communication almost entirely determines the company's future image and whether the financial consequences remain short-term or long-term. Sticking to the facts, protecting the data of the company's customers and other confidential information, and restoring operational capability quickly give the public the picture that the company's management has prepared for possible cyber risks and has ensured the company's good operational capability in a crisis. Timely and realistic strategic-level situational understanding of cyber-world phenomena and of the possibilities for countering them should be routine for management teams.
Sources:
https://hbr.org/2020/09/does-your-board-really-understand-your-cyber-risks
https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/publication/T_KyberHV_digiAUK_220120.pdf
Internet Security Alliance, Cyber Risk Oversight 2020 – Key Principles and Practical Guidance for Corporate Boards in Europe, 2020.
PwC, Global Digital Trust Insights Survey 2021 – Cybersecurity Comes of Age, 2020.
World Economic Forum, The Global Risks Report 2020, 2020.
CYBER SECURITY OF CLOUD SERVICES
1. Adopting a cloud service is a matter of trust in the service provider. If the trust is in place, cloud services almost without exception offer better cyber security than an organisation's own IT environment.
2. Defining responsibilities and understanding them correctly are a key part of achieving cyber security in cloud services. Contracts prevent misunderstandings about the division of responsibilities and prepare for problem situations.
3. Using cloud services is also possible for public administration services if the risk analysis supports the solution. Standards guiding cyber security can also be used to support decision-making.
Cloud services are an integral part of digitalisation. Most of us have become cloud service users without noticing, for example in the form of iCloud, Samsung Cloud or OneDrive. The benefits offered by cloud services, such as cost-effectiveness, flexibility and scalability, enable new, more agile operating models. Cloud services are quickly becoming the default assumption for producing IT services, and new technology platforms and digital services set up in local data centres are starting to be a special case.
Adopting a cloud service is a matter of the customer's trust in the service provider, just as in any IT outsourcing. If desired, servers, network connections, data storage and/or processing, and maintenance tasks performed by people can be outsourced to a cloud service. The higher the degree of trust, the more components can be outsourced to the service provider. Typically in a cloud service several different customers use the same IT resources. Private cloud services are also available, in which the customer is offered dedicated solutions from the hardware level up. Services have also been packaged into a so-called hybrid solution, in which parts of the services are produced from shared capacity and other parts from a private service. In addition, the implementation models of cloud services make it possible to choose whether to outsource only the infrastructure, the operating systems, or also the applications and services and their maintenance. These are the so-called IaaS, PaaS and SaaS service models.
From a cyber security perspective, the question easily arises of how security has been implemented and how it is ensured that other customers or complete outsiders cannot get at the outsourced data or services. In most cases a cloud service provider is able to implement cyber security with higher quality and more efficiently than a customer organisation can protect its own IT infrastructure. The service provider's core business is the efficient and secure production of cloud services, and all resources and processes are directed at this core activity. It is possible to invest at a higher level in the physical security of server facilities, service availability, continuity assurance, operating system updates and other important cyber security functions than in an organisation where IT services play a role supporting other operations.
Service providers thus have the resources and know-how to implement cyber security at a high level, but this is where trust enters the picture. Can one trust that an outside operator has handled cyber security to a high standard, and hand over to it IT resources that are critical to operations? The reliability of IT services can generally be gauged in two ways. We can rely on the operator's reputation, certifications and other assessments given by outside parties. This approach usually applies to large international service providers, whose service quality and cyber security cannot in practice be inspected first-hand. The other option is to use smaller service providers close to the customer, with whom trust can also be built through personal communication and contact.
Even the best trust is worth recording in contracts. In addition to commercial terms and terms related to quality of operations, the division of responsibilities between the parties plays an important role, especially in matters related to cyber security.
It is a big mistake to think that, for example, an operator holding an ISO27k certificate takes care of all cyber security tasks comprehensively. The closer one gets to the hardware and operating system level, the more responsibility the service provider usually has. Typically the customer remains responsible at least for the cyber security of end-user devices in its entirety, and for defining and managing access rights for the use of both applications and data. Dialogue between the service provider and the customer is important in order to ensure the correct configuration of the service, so that its functionality and security are ensured.
Public administration has more detailed specifications for assessing the reliability of cloud services. In the guidelines it issued in 2018 and 2020, the Ministry of Finance (Valtiovarainministeriö, VM) took a quite positive line on the use of cloud services. According to these policies, "there are no obstacles to choosing cloud services, as long as the requirements are taken into account in the same way as in normal ICT procurement" (VM, 2018). A careful risk analysis is of course necessary when considering the cloud service model. Obstacles, or at least challenges, to the use of cloud services may arise from high requirements for service continuity or confidentiality and from problem situations related to various regulations.
A cloud service provider is able to access all plaintext data processed in the service. If confidential data is processed or stored in the service, the data can be protected with encryption. For public administration, requirements for ensuring confidentiality are described in the cloud service security criteria (PiTuKri) published last year by the National Cyber Security Centre. According to it, a cloud service containing data of security class IV must be located in Finland in all respects, but the service provider may be private. In security class III, an organisation's internal cloud service can be used.
In some cases a so-called community cloud, for example a shared cloud service used by the same administrative branch, is possible. For example, Valtori has productised cloud services of different levels for public administration customers in accordance with security requirements. The G-Cloud initiative, launched by the UK government as early as 2011, is a good example of a community cloud implementation. Public administration ICT resources have been centralised so that all administrative branches procure their ICT services from the G-Cloud community cloud. The services are produced by separately agreed public administration organisations; for example, the Government Digital Service produces ERP services and the British Council CRM services. Where the security class allows, services can also be implemented as a hybrid model, in which public cloud services can be used under G-Cloud's management. Naturally some public administration services remain outside the cloud because of high security requirements, but in general the "cloud first" principle launched in British public administration has led most administrative branches to become cloud service users.
The country in which services are produced is an important factor when assessing service continuity in different situations. International service providers generally have well-prepared recovery plans for various accidents and natural phenomena, in which case the country of location does not necessarily matter for continuity. Crises threatening national security are different, however. In these situations network connections may be restricted to within Finland's geographical borders. Many critical infrastructure companies and public administration organisations must be able to operate also in situations threatening national security, in which case a service provider operating in Finland is the only possible option.
As regards regulation, data protection legislation is the most significant factor determining the choice of cloud service.
In most cases the service must be produced and the data processed within the EU or in separately approved countries whose data protection practices are at the same level as in Finland. For this reason many international service providers have established service centres in the EU, from which cloud services are produced for European customers.
Sources:
Traficom / Kyberturvallisuuskeskus. Pilvipalveluiden turvallisuuden arviointikriteeristö (PiTuKri), 2019.
Valtiovarainministeriö. Julkisen hallinnon pilvipalvelulinjaukset, 2018.
Valtiovarainministeriö. Tuottavuutta pilvipalveluilla, 2020.
Huoltovarmuusorganisaatio, Digipooli. Kyberhäiriötilanteet, varautuminen ja toiminta, 2019.
https://www.isc2.org/-/media/ISC2/Landing-Pages/2020-Cloud-Security-Report-ISC2.ashx
https://www.gov.uk/guidance/g-cloud-suppliers-guide
https://www.ncsc.gov.uk/collection/cloud-security
Protecting your critical infrastructure in scale // Aki Knuuti
All organisations want to protect their critical infrastructure from cyber attacks. When the mandate is to provide support to ecosystems or critical systems, protection gets complex. Unfortunately, when protecting ecosystems or nationwide supplier systems, the solutions are rarely designed for scale. There are some exceptions: the National Cyber Security Centre Finland (NCSC-FI) has a long track record of being at the forefront of cyber infrastructure protection. NCSC-FI has been successful in expanding its reach to support critical infrastructure organisations. The Finnish Autoreporter service run by the NCSC-FI has kept the Finnish networks among the cleanest in cyberspace for over 15 years. But typical cyber security solutions are centralised and rely on traditional enterprise solutions, which in turn require money, expertise and continuous oversight by analysts. As a result, smaller but still critical players are on their own: nobody has time to help them with practical matters.
During the summer of 2020 Traficom carried out a pilot with a new approach: instead of focusing on just the most critical organisations, it chose to expand the scope and help organisations of all sizes at scale. The pilot had stunning results and stellar feedback from the participants. The pilot included new technologies from Finnish cyber security companies, Badrap Oy and SensorFu Oy, who shared Traficom's vision of easily deployable security products which everybody can use. In the pilot, critical organisations of all sizes deployed the products to production in record time. Rapid deployment led to fast discovery of issues, and quick fixes.
[Figure: badrap.io. Companies use badrap.io to identify and fix their assets. Content producers and brokers use badrap.io to reach companies with targeted information. Diagram labels: Assets; Security information and fixes; Company; SensorFu; Microsoft; Amazon; Google.]
ARI KNUUTI
Helping organisations and ecosystems to solve their cyber security issues
+358 40 510 0316
In the pilot, Badrap.io allowed security content producers and brokers to reach companies with targeted security information in a flexible and easily deployable way. The service helped companies to fix their issues. SensorFu Beacon allowed companies to continuously monitor for potential leaks in isolated networks.
The pilot was successful in many ways. Using this approach, the participating companies found and fixed a number of practical issues. About 20% of them had subdomain takeover issues, close to 80% of the organisations discovered network leaks and approximately 70% of organisations discovered data breach victims within their staff. Also, 70% of organisations identified potential issues in their suppliers' infrastructure. All this was carried out with minimal deployment effort from the participants.
One critical aspect of the project was rapid deployment of monitoring without creating an extra operational burden for participating organisations. Almost all were in production after three months from the start of the whole pilot. All the participating organisations had good cyber security procedures and were sufficiently staffed to maintain activities. Some of them worked with subcontractors. Despite these capabilities they found significant issues which might have been part of broader infiltration or preparation of a cyber attack. Thanks to the information provided, they were able to respond rapidly and take down the threats posed to them. Overall, 50% of organisations got crucial information to improve their practices and improved their cyber hygiene.
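The article reports subdomain takeover issues in about 20% of the pilot organisations but does not describe the check. As an added example (not Badrap's, SensorFu's or Traficom's code), the following Python audit walks an organisation's own DNS export and flags CNAME records whose final target no longer exists. All names, records and the `STILL_RESOLVES` table are constructed; `audit_cnames` and its verdict labels are hypothetical names.

```python
"""Audit an organisation's own DNS inventory for dangling CNAME records.

Added example. Domain names, records and the resolver result table are
constructed (reserved .example names); none come from the pilot.
"""
import socket


def dns_resolves(host):
    """Live lookup for real use: True when the name has at least one address."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def is_own(host, own_domains):
    """True for a domain we own or any name below it (label-boundary match)."""
    return any(host == d or host.endswith("." + d) for d in own_domains)


def audit_cnames(records, own_domains, resolves=dns_resolves, max_hops=8):
    """records: iterable of (name, type, value) tuples exported from our zone.

    Returns one finding per CNAME with the chain followed and a verdict:
      ok                -- final target has an address
      dangling-internal -- target is in our own domain but does not exist
      dangling-external -- target is a third-party name that does not exist,
                           so our subdomain points at a resource we no longer
                           control (subdomain takeover exposure)
      cname-loop        -- the chain loops or is too long
    """
    own = [_norm(d) for d in own_domains]
    cname = {_norm(n): _norm(v) for n, t, v in records if t.upper() == "CNAME"}
    has_addr = {_norm(n) for n, t, v in records if t.upper() in ("A", "AAAA")}

    findings = []
    for name in sorted(cname):
        chain, verdict = [name], None
        while chain[-1] in cname:
            nxt = cname[chain[-1]]
            if nxt in chain or len(chain) > max_hops:
                verdict = "cname-loop"
                break
            chain.append(nxt)
        if verdict is None:
            target = chain[-1]
            if target in has_addr or resolves(target):
                verdict = "ok"
            elif is_own(target, own):
                verdict = "dangling-internal"
            else:
                verdict = "dangling-external"
        findings.append({"name": name, "chain": chain, "verdict": verdict})
    return findings


def takeover_exposed(findings):
    """Names that need urgent cleanup: remove the record or reclaim the target."""
    return [f["name"] for f in findings if f["verdict"] == "dangling-external"]


# Constructed zone export for a fictional organisation.
OWN_DOMAINS = ["corp.example"]
ZONE = [
    ("www.corp.example.", "A", "192.0.2.10"),
    ("blog.corp.example.", "CNAME", "www.corp.example."),
    ("docs.corp.example.", "CNAME", "corp.docs-host.example."),
    ("shop.corp.example.", "CNAME", "corp-shop.saas.example."),
    ("campaign.corp.example.", "CNAME", "promo.corp.example."),
    ("promo.corp.example.", "CNAME", "corp-promo.cdn.example."),
    ("intranet.corp.example.", "CNAME", "old-portal.corp.example."),
    ("a.corp.example.", "CNAME", "b.corp.example."),
    ("b.corp.example.", "CNAME", "a.corp.example."),
]
STILL_RESOLVES = {"corp.docs-host.example"}  # stands in for live DNS answers


def audit_sample():
    """Run the audit offline against the constructed zone."""
    return audit_cnames(ZONE, OWN_DOMAINS, resolves=lambda h: h in STILL_RESOLVES)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['verdict']:18s} {' -> '.join(f['chain'])}")
```

A target that still resolves is not proof that the resource behind it is still yours; this check only catches names that have disappeared.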
www.msfpartners.com
About Monti Stampa Furrer & Partners AG (MSFPartners.com), Switzerland
MSFPartners assists clients in protecting their operational and business activities by developing an integrated cyber security framework and identifying supportive technologies that help to identify and prevent cyber attacks on critical infrastructure and systems, protect data privacy, prevent data leakage and respond systematically when attacked. Based on our IT and OT protection projects with companies in various industries over the past years, MSFPartners has gained a significant reputation in protecting critical infrastructure in both IT and OT as well as in Smart Metering and IIoT environments. MSFPartners is based in Zürich with several offices in Switzerland and has a subsidiary company in Dubai, UAE.
MSFPartners.com – Offering a broad cyber security service portfolio
© MSFPartners 2020
Our Services / Characteristics
1. Cyber Security IT and OT Strategies
• Deriving necessary Cyber Security blueprint from business needs
• Formulating Cyber Security roadmaps and programs
• Providing financial cyber security investment planning
2. Maturity Assessment IT and OT
• Assessment of cyber security maturity score and resilience against attacks in both IT and OT
3. Cyber Security Technology Evaluation
• Scouting for new technologies and cyber security methodologies
• Formulation of RFP specifications
• Leading entire RFP processes
4. Red Team and Security Assessments
• Conducting complex penetration tests, assessing cyber security weaknesses and incident response capabilities
• Verifying robustness of VPN access to corporate resources and home-office configurations
5. Cyber Resilience
• Establishing Incident Response Plan and Runbooks
• Emergency cyber response organization
• Cyber contingency and recovery plans (BCM)
• Cyber crisis exercise (C-Level, operational Level)
6. Incident Response
• Conducting emergency engineering support in case of severe attacks
7. GDPR/DSGVO
• Auditing GDPR compliance
• Formulating GDPR programs
• Proposing measures to prevent data loss
FOR SECURE AND RESILIENT COMMUNICATION
PRIVE communication solutions provide secure and resilient mobile devices and independent networks for all core communication applications including voice, video and data transfer. PRIVE platform secures operating capability in all circumstances even when public networks are not available.
Privecomms Oy | sales@privecomms.com | www.privecomms.com
YOUR STRATEGIC CYBER SECURITY PARTNER AND ADVISER
Shaping Dependable Cyber Security with a Comprehensive Approach
When looking for an experienced partner to aid in the development of situational awareness in the prevention of cyber attacks, we are the answer. We will strengthen your organisation's ability to recover from possible crisis situations, and guide you in acquiring a comprehensive approach to cyber security. Our mission is to secure the functions and services of critical infrastructure as well as protect your organisation's most valuable assets. We will guide you to a strong cyber security culture which will strengthen your organisation's resilience to a cyber crisis and reduce your business risks. We provide a holistic understanding of the interdependences of people, practices and technologies, and recommend steps to improve this whole ecosystem. Cyberwatch Finland is a strong and dependable partner, helping you respond to the challenges posed by cyber space.
WELCOME TO OUR NEW STUDIO-OFFICE Tietokuja 2 00330 Helsinki FINLAND
A Passion for a Cyber Safe World
CYBERWATCH FINLAND www.cyberwatchfinland.fi