Cyberwatch Finland Quarterly Review Q1 2020

CYBERWATCH FINLAND
Special media of strategic cyber security magazine

TRANSFORMING THE WAY WE THINK, LIVE AND MOVE

QUARTERLY REVIEW Q1 2020 | KVARTAALIKATSAUS Q1 2020

Current Security Threats Challenge the Political Leaders

2020/1
Contents 2020/1

3 Editorial: Forecast of Cyber Security 2020 (Aapo Cederberg)
4 Submarine Communication Cables and Cyber Security Threats
New Complex Threats like Covid-19 require more effective and coherent Crisis Management system
12 The corona presents the importance of self-sufficiency
Energy Sector Strategic Review, CASE: Sandworm
Cyber Security in Smart Cities
18 The Siamese Twins of Information and Cyber - Vulnerable and Almost Inseparable
21 Cyberwatch Finland: Quarterly review
Snapshots of energy industry
46 Cybersecurity management draws on an up-to-date cybersecurity policy
Eye from the sky: drones and urban security
COVID-19 – The World After
When Intelligence Comes into Play, Cyber Security is in Danger of Being Forgotten
Current Security Threats Challenge the Political Leaders

Special media of strategic cyber security
Publisher: Cyberwatch Finland, Tietokuja 2, 00330 Helsinki, Finland, www.cyberwatchfinland.fi
Producer and commercial cooperation: Cyberwatch Finland team, office@cyberwatchfinland.fi
Layout: Atte Kalke, Vitale, atte@vitale.fi
ISSN 2490-0753 (print), ISSN 2490-0761 (web)
Print house: Scanseri, Finland
Cover and content pictures: Shutterstock


Editorial

Forecast of Cyber Security 2020

IT IS OFTEN ARGUED that generals always prepare for the past war. Are we only prepared for cyber threats that have already happened? The aim should be the prevention of new cyber operations and their subsequent effects. This is achieved by substantially improving our cyber defence. Resilience arises from a series of small steps in the right direction. This will not work if we do not have a comprehensive understanding of the development of the cyber world. The worst situation would be if cyber attackers were to surprise us with a tidal wave like the spreading of the coronavirus. A vaccine for the coronavirus has not yet been developed and the after-effects are unpredictable. The same unpredictability arises from a cyberattack if our businesses and organizations are not well prepared.

Cyber operations have become an increasingly integral part of global politics. In this decade, the internet may be divided into three parts: a USA-driven, a China-driven and a Russia-driven internet. The objectives behind this are political aspirations as well as military and security interests. There is a growing desire for more control and more effective espionage, digital self-sufficiency, and empowerment. There is a risk of cyber operations developing into more hostile operations and becoming part of a more aggressive policy, one that increases the ability to exert influence by destroying the opponent's internet and digital infrastructure more widely. This creates a "corona effect", and there is a risk it might blow up without any control. What do we do as "outsiders"? We suffer from the adverse effects: our digitalisation is not working, and our economy is suffering through global interdependencies. The creation of a European Internet has been requested to help safeguard our digital independence. Could it help? Probably a step in the right direction. However, no one has suggested that we ought to build a cybersecure European Internet. Would it even be possible? The answer is no. Of course it may be better than the internet on other continents, but the cyber world is never 100% secure.

The corona crisis teaches us that we must be prepared for surprises and create a new security culture to meet even more complex challenges. Preparing for cyber crises requires a new security culture and more innovative solutions. Our cyber defence must be more strategically agile. Easier said than done. The cornerstone of our future cyber culture is certainly a holistic understanding of the building blocks of cyber security and the recognition of the facts. We need to be able to act and secure the vital functions of our society in situations where global connections are not working. We have already seen the GPS system shut down at critical moments and how submarine cables can be cut off; in the future the 5G network will be disrupted and the entire internet will go dark. Even in these situations, the most critical functions of societies must operate, such as government leadership, health care and the basic services of the population.

In the future, it is not enough to be prepared to secure critical infrastructure and services. In the planning process, we must define what is supercritical to our societies. Securing the supercritical functions of society must not be based on normal commercial connections and services; they must be at the highest level of security. Suitable and robust technological solutions have also been developed in Finland. The expertise already exists; only the right situational awareness is needed for decision makers, together with enough determination to be prepared for the worst-case scenarios. After all, we have stated that we are well prepared, and we have trained our decision-makers at the national defence courses and in various national exercises. Threats have changed and become increasingly more challenging. Good leadership's significance rises to the peak of the mountain.

I think the understanding of preparedness and the importance of a reliable situational awareness has become evident. In the future we must be prepared for everything possible and even what is deemed impossible.

AAPO CEDERBERG
Managing Director and Founder of Cyberwatch Finland
Chairman of the Cyber Security Committee, World UAV Federation (WUAVF)


SUBMARINE COMMUNICATION CABLES AND CYBER SECURITY THREATS

text: Dr. MARTTI LEHTO, Professor, Cyber Security, Col G.S. (ret.), Faculty of Information Technology, University of Jyväskylä; Adjunct Professor at the National Defence University, Air and Cyber Warfare

The submarine communication cables form a vast network on the seabed and transmit massive amounts of data across oceans. They provide over 95% of international telecommunications, not via satellites as is commonly assumed. The global submarine network is the "backbone" of the Internet, and enables the ubiquitous use of email, social media, phone and banking services.

In the present day, no technology other than submarine cable systems has had such a strategic impact on our society without being known as such by the people. This also means that it is at the same time a very interesting target for hackers, cyber attackers, terrorists and state actors. They seek to gain access to information that travels through the networks of the continents that are connected to each other with sea cables.

The figure below presents how different parts of the world are today connected to each other by optical submarine cables.

[Figure: map of the global optical submarine cable network. Source: Reddit]

SUBMARINE COMMUNICATION CABLES

Submarine communication cables have been important for strategic communication since the mid-19th century, and fibre optics in the 1990s made modern sea cabling even more critical. Nowadays sea cables transfer nearly all our global telecommunications data. Questions concerning national security and cyber security have always been relevant from the perspective of the development of submarine communication networks. Security concerns have not only affected decisions concerning routes and landings, but have also been used as arguments when, at different stages of history, the role of cable networks versus wireless solutions has been debated. Furthermore, security concerns have hindered, for example, plans aiming at the utilisation of submarine fibre-optic infrastructure for scientific purposes.

The figure below is a simplified model of the submarine cable network. Every cable landing station, which is the delivery site for the submarine optical cables, has been built in the same way, depending of course on the beach area. When large-capacity systems and new types of modulation technology are used in submarine cable systems, the best possible cable tapping points for cyber attackers are after each optical repeater or amplifier. Between the continental cable station sites, the branching points and the other ends of the submarine cable system there are many optical amplifiers, one every 50 km. In some parts of cable systems there are also equalisers (passive or active).

Dense Wavelength Division Multiplexing (DWDM) is an optical multiplexing technology used to increase bandwidth over existing fibre networks. DWDM works by combining and transmitting multiple signals simultaneously at different wavelengths on the same fibre. The devices and components used in DWDM technology cause some form of crosstalk in one way or another. Devices used in DWDM technology include filters, wavelength multiplexers and demultiplexers, switches, and optical amplifiers. Crosstalk is also caused by the fibre itself due to its non-linearity. Therefore, eavesdropping on the cable cannot be prevented. This whole system also needs electrical energy. Energy can be fed into the system from one or more earth points. We also need to take care of the power supply systems, so that we can be certain that they do not have any vulnerabilities that an attacker can take advantage of to gain access to our systems.

CYBER THREATS AGAINST SUBMARINE COMMUNICATION CABLES

There are many possibilities through which cyber attackers could get access into submarine optical cable systems and into their management and control systems. We also have a good indication that cyber attackers, hackers and terrorists can use artificial intelligence to help them exploit vulnerabilities in submarine optical cable systems in order to penetrate the systems and their services. After that, they also have the possibility to attack the data centres, which are located in different parts of the world. The land and beach areas of submarine optical cable systems are the easiest places for attackers to penetrate the systems. The following table illustrates the Submarine Cable Cyber Threat Matrix based on different groups of attackers.

CYBER INTELLIGENCE AGAINST SUBMARINE COMMUNICATION CABLES

During the early days of the history of submarine cables, the terrestrial links and coastal segments were considered the weakest and most vulnerable parts vis-à-vis external security threats. However, the underwater cables, which cannot be kept under constant surveillance, have been targeted by intelligence services since the beginning of the 20th century. As part of operations, militaries have cut the cables of the opposing side to redirect the information flow into cables that were being monitored by their own intelligence service. Intelligence collection from submarine cables can be done by eavesdropping (tapping), by side-channel eavesdropping exploiting optical overflow, or by hacking the control systems of the cables.

[Table: Submarine Cable Cyber Threat Matrix. Rows are cable segments: Deep Sea (~200 m and deeper), Continental Shelf (~100–200 m), Offshore Area (~50–100 m), Near Shore Area (~50 m), Land and Beach Area. Columns are attacker groups: cyber vandalism, cyber-crime (data theft), cyber terrorism, cyber espionage, cyber warfare. Threat impact level in colours: Green = Low; Yellow = Medium; Red = High.]

The Matrix shows that different attackers have different capabilities to influence the submarine cable in different parts of the sea area.

EAVESDROPPING OF THE CABLES

Tapping means connecting/installing intelligence collection device(s) to the cable or to the fibre pair either on the ground, at a landing point, at points where the traffic is amplified, or on the seabed. The exploitation of optical overflow can be done either at the cross-connection points of the fibre pairs/cable or from one fibre pair to another. The geographical location of the installation of a tapping device depends on the depth of the sea and the distance of the installation place from the mainland. Deep sea complicates the installation of tapping devices. The distance from the tapping device to the mainland, where the remote-control unit and the selectors are, should be as short as possible for practical reasons.

The superpowers have the intention and need, the technical equipment, the skills and the practice to collect intelligence from submarine cables, also in demanding environments. Cable collection is technically possible on the bottom of the sea and at the points where the cable is not in the sea, i.e. on the ground. In practice, it is also possible at points where the traffic is amplified or where there is other physical access to the cable (for example in teleoperator facilities). According to open source reports, the modified Seawolf-class submarine USS Jimmy Carter is almost certainly able to tap submarine communication cables. The USS Jimmy Carter has a purpose-built multi-mission platform, which enables the use of a Remotely Operated Underwater Vehicle (ROV). The ROV can be used for installing tapping devices on submarine communication cables. Even if this is technically possible, some experts consider this kind of intelligence collection too risky and expensive.

Russia's Defense Ministry Main Directorate of Deep-Sea Research (Главное управление глубоководных исследований, GUGI), Military Unit 40056, is responsible for Russian "underwater engineering". The task of this unit is to eavesdrop on communications cables, install movement sensors, and collect the wreckage of ships, aircraft, and satellites from the seabed. The divers work at depths of 3000-6000 meters in miniature submarines. One of the ships of GUGI is the special purpose intelligence collection ship Yantar. Yantar's equipment and devices are designed for deep-sea tracking, as well as for connecting to top-secret communication cables. The home port of Yantar is Severomorsk on the Kola Peninsula. Yantar can act as a mothership to the Rus (AS-37) and Consul (AS-39) class deep-sea vehicles, which can operate at depths of up to 6000 meters. Yantar can also be used as a mothership for the ARS-600 deep-diving manned submersible, which can operate at a depth of 600 meters.

This article is based on research carried out at the University of Jyväskylä: Martti Lehto, Aarne Hummelholm, Katsuyoshi Iida, Tadas Jakstas, Martti J. Kari, Hiroyuki Minami, Fujio Ohnishi and Juha Saunavaara, Arctic Connect Project and cyber security control, ARCY, Faculty of Information Technology, publication No. 78/2019.

HACKING OF THE CABLES

Hacking is the other way to collect intelligence from submarine cables. All the main intelligence services have the possibility to access submarine cable systems by hacking the remotely controlled network management systems. Equipment like Reconfigurable Optical Add/Drop Multiplexers (ROADM) in the control facilities of submarine cable systems can be remotely manipulated for either intelligence collection or malicious activity (malware etc.), such as cutting the connection in the cable. In addition, some non-state actors might have the capability to intrude into the submarine communication cable, at least in the landing stations. If attackers hack the submarine optical cable systems, they will also have access to the submarine optical cable management system, and after that they have the opportunity to do whatever suits their purpose.

THE INTERNATIONAL MARITIME LAW DOES NOT PROTECT AGAINST CYBER ATTACKS

International maritime law does not give an opportunity to enact laws and regulations for the protection of submarine cables outside the territorial sea, including against the use of new technologies and against new threats that use unmanned and autonomous weapon systems. International maritime law only considers damage to a submarine cable as a crime. It is, however, possible outside the territorial sea to conduct operational action within the framework of a criminal investigation or the prevention of a crime. Taking into account the specifics of the maritime zones that are located outside state sovereignty, it is not possible to ensure and build an effective system for the protection of submarine cables outside the territorial waters of the state against all types of threats, including cyberattacks, using unmanned and autonomous weapon systems. There is a need for more comprehensive threat intelligence and protection.

International law applies the right to self-defence or collective security operations authorised by the Security Council in the case of cyberattacks, including the necessary requirements for their implementation, and establishes the necessary standards of evidence to justify the use of force. The speed and attribution of cyberattacks make distinguishing between the actions of terrorists, criminals and nation-state sponsored attackers difficult.

However, international law does not have the tools to carry out the identification of the attacker, especially in the case of cyberattacks, because that is not a purpose of international law.

SUMMARY

Because submarine cable systems have such a considerable strategic impact on our society, they are also a very interesting target for hackers, cyber attackers, terrorists and state actors. We need to look at the potential adverse threats, as the submarine optical cable routes are extensive and run under water. In addition, many countries have the ability to join (tap) fibre optic cables under the water or at a landing station in order to eavesdrop on information, or to hack or sniff the cables. All the states in the area through which a cable runs have the interest, motivation and technical capabilities to collect intelligence from these cables, at least at the points where the cable is on land. Real point-to-point encryption is the only way to fight against cyber intelligence in submarine communication cables.

Technology may help in cyber security. High-capacity systems nowadays have the capability to use a measurement system like Coherent Optical Time Domain Reflectometry (COTDR). The use of COTDR should be investigated more carefully, as it is used for searching for faults and may also be used to detect tapping via cable connections. Furthermore, Artificial Intelligence (AI) tools and methods will be solutions to protect submarine fibre-optic cable systems. AI-based systems using neural networks and deep learning are, even today, capable of detecting and preventing different cyber-attacks. The submarine cable system is technically very complex, and in the future there will be many new technical solutions; transmission speeds will increase, and usability and quality requirements will also increase. This places significant demands on the management and control of the system as well as on its cyber security. We should also take into consideration the long life cycle of submarine optical cables, which is about 25 years, in security design.
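The summary notes that COTDR, used for fault finding, may also detect tapping. One defensive way to use reflectometry data is to compare each newly acquired trace against the commissioning baseline and flag a localized loss that was not there before; the following Python is an added example written for this review, not code from the article or the ARCY research, and its trace model, sampling rate, fibre attenuation and detection threshold are constructed assumptions.

```python
"""Baseline comparison of OTDR traces to flag a loss event that was not there before.

Constructed example: a fibre span is modelled as an OTDR trace (relative backscatter
power in dB versus distance in km). A tap or a tight bend adds localized insertion
loss, which shows up as a step in the trace that is absent from the commissioning
baseline. All values here are synthetic; real traces carry noise and repeatability
error, which is why a threshold in dB is applied rather than an exact comparison.
"""
from dataclasses import dataclass
from typing import List, Tuple

SAMPLES_PER_KM = 10            # sampling resolution of the constructed trace (assumption)
ATTENUATION_DB_PER_KM = 0.2    # typical single-mode fibre loss at 1550 nm (assumption)


def make_trace(length_km: float, events: List[Tuple[float, float]]) -> List[float]:
    """Synthetic trace: linear fibre attenuation plus step losses.

    events: list of (position_km, loss_db); the loss applies from that point onward,
    which is how a splice, bend or tap appears on an OTDR trace.
    """
    n = round(length_km * SAMPLES_PER_KM) + 1
    trace = []
    for i in range(n):
        d = i / SAMPLES_PER_KM
        power_db = -ATTENUATION_DB_PER_KM * d
        for pos, loss in events:
            if d >= pos:
                power_db -= loss
        trace.append(power_db)
    return trace


@dataclass(frozen=True)
class LossEvent:
    position_km: float
    excess_loss_db: float


def find_new_events(baseline: List[float], current: List[float],
                    threshold_db: float = 0.3, window: int = 5) -> List[LossEvent]:
    """Report step losses present in `current` but not in `baseline`.

    diff[i] = baseline[i] - current[i] is ~0 where both traces agree and rises by the
    extra loss after a new event. A rise of at least threshold_db within `window`
    samples is reported once, at the sample where it first appears. Events already
    in the baseline (known splices) cancel out and are not flagged.
    """
    if len(baseline) != len(current):
        raise ValueError("traces must cover the same span at the same resolution")
    diff = [b - c for b, c in zip(baseline, current)]
    events: List[LossEvent] = []
    i = window
    while i < len(diff):
        jump = diff[i] - diff[i - window]
        if jump >= threshold_db:
            events.append(LossEvent(round(i / SAMPLES_PER_KM, 1), round(jump, 2)))
            i += window      # step past the edge so one event is not counted twice
        else:
            i += 1
    return events


def demo() -> List[LossEvent]:
    """Constructed 60 km span with a known 0.1 dB splice at 12.5 km; the current
    trace adds an unexplained 0.5 dB loss at 37.3 km, which is what gets flagged."""
    baseline = make_trace(60.0, [(12.5, 0.1)])
    current = make_trace(60.0, [(12.5, 0.1), (37.3, 0.5)])
    return find_new_events(baseline, current)


if __name__ == "__main__":
    for ev in demo():
        print(f"new loss event at {ev.position_km} km: {ev.excess_loss_db} dB")
```

A real deployment would acquire traces from the span's own reflectometer and set the threshold above the instrument's repeatability; an unexplained loss between repeaters is an alert to investigate, not proof of a tap.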


NOVEL CORONAVIRUS AND OTHER COMPLEX THREATS REQUIRE EFFECTIVE RESPONSE, CASE FINLAND

text: Dr. TIMO HELLENBERG, CEO, Hellenberg International Ltd.; PERTTI JALASVIRTA, Partner, Cyberwatch Finland


The global novel coronavirus (COVID-19) has today (7 April) infected more than 1,300,000 people worldwide and caused the deaths of 75,000. The most confirmed cases worldwide are now in the United States. Most of the models show that the peak of the death rate will likely hit both Europe and the United States in the next few weeks. For instance, the Finnish capital Helsinki has imposed a capital region quarantine until April 19 and the Russian capital Moscow has imposed a citywide quarantine until further notice.

THE TRANSFORMED OPERATING ENVIRONMENT

Complex exceptional situations and emergencies such as the novel coronavirus (COVID-19) have challenged both the European Union and its Member States. The challenge concerns the use of these instruments at the local and municipal level in situations of disturbance under normal conditions, where the source, nature and duration of the threat are more difficult to determine. In Finland, the Ministry of the Interior published in December 2017 the Finnish National CBRNE Strategy (a CBRNE threat refers to chemical substances (C), biological pathogens (B), radioactive substances (R) and nuclear weapons (N) as well as explosives (E), along with incidents of misuse of other knowledge), which aims to continuously improve the prevention of and preparedness for CBRNE threats and situations in order to secure society and its vital functions and services. Efforts must be improved to meet the goals of the development and strategy. Cooperation between the public and private sector is essential for the further development of CBRN security cooperation in the Baltic Sea Region. The private sector's interest in CBRN security needs to be quickly revived. Public support and intergovernmental cooperation alone cannot be the only action. The expertise of the private sector is needed to complement the expertise and actions of public authorities.

As technology solutions become more widely available at lower cost and CBRNE and cyber knowledge develops, it becomes increasingly available to criminal and other grey area actors, leading to a significant increase in the potential for complex hybrid attacks. Critical infrastructures and vital societal functions can be effectively paralysed, for example, by CBRNE-based targeted attacks. When these attacks take place, they will have very wide-ranging negative effects on the current networked society, at worst crippling the vital functions and services of society. The interdependencies are surprising and often only become apparent during the crisis. We have been able to monitor these multiplier effects with the rapid spread of the novel coronavirus (COVID-19). The interdependencies in today's networked world are very deeply integrated. The coronavirus pandemic has shown how the effects cumulate and the critical functions of society are rapidly overloaded, as well as how resource scarcity emerges as multiple threats materialise. These situations require PPP (public-private partnership) collaboration and contingency planning at the local level, as well as training to improve continuity management. The use and circulation of emergency stocks should also be considered in complex crises, in particular in healthcare preparation. Here, our security of supply system takes on an unforeseen value. Finding operating models and management structures capable of meeting the functional requirements of the operating environment is of particular importance in countering various hybrid threats. A hybrid operating environment is characterised by an accelerating rate of change, complexity, and partial unpredictability.

NATIONAL CRISIS MANAGEMENT

The protection of the vital functions of society is directed, supervised and coordinated by the Government Council and the sectoral ministries within their administrative spheres. Each sectoral and responsible authority exercises its statutory powers to prepare and launch operations. The responsible authority shall direct the operational activities, initiate disaster management activities, be responsible for communications and report on the situation in accordance with agreed practices. Other authorities and state and municipal institutions are involved and provide official assistance to the extent necessary to manage the situation. The Government and the ministries are supported by the Council of State's command centre. It consists of an executive section, a Situation Centre and a Communications Centre, the latter two of which are run by the Prime Minister's Office. The Security Committee within the Ministry of Defence is a permanent and broad-based cooperative body on precautionary measures. Its role is to assist the Government and the ministries. The Security Committee shall, where appropriate, act as an expert body in the event of any disruption in society.

The management of hybrid threat prevention has special features that differ from other normal and abnormal situations. The key factor is time. Preparing a hybrid attack can be done secretly and over a long period of time, but the attack itself can be carried out in a very short time and its effects are immediately apparent. The key challenge relates to leadership, especially in the context of wide-ranging and severe malfunctions and the associated jurisdiction. There is no clear operational model and no resources for practical action in the event of a hybrid operation disruption. We lack an efficient approach policy and the resources to determine what is most critical in maintaining critical infrastructure and securing critical operations in the event of disruptions that require quick decisions; in other words, where national resources are primarily directed in the event of a disruption, or which systems critical to the vital functions of society are brought back up first. Municipalities have a central role in providing and maintaining critical services. Combating hybrid threats should be better taken into account in urban and municipal preparation, planning and risk assessments.

MULTIPLE EFFECTS

Crisis management must have accurate situational awareness in order to be able to take timely decisions. Decision-makers need to understand the role of transport and aerial personnel as similar to that of hospital care staff, for example in the spread and treatment of the coronavirus. For example, most of the cases detected so far have come to Finland via air, which places cabin crew in a special position in respect of coronavirus exposure. According to experts, in the case of a droplet infection on an airplane, the infectious virus spreads one row forward and one backwards. The turnaround process of an aircraft usually takes one hour and cleaning the aircraft around ten minutes. It is easy to deduce that, as we know the life expectancy of the virus on surfaces, the new passengers in the same rows of seats are exposed to the virus. This is repeated over and over again in the airplane from one airport to another, and at some point most of the airplane may be spreading the virus, not just from human to human anymore. A similar risk is also posed by the flight crew, as they use the same toilet facilities as the passengers.

�TO BE DONE� SUGGESTIONS:

1. The novel coronavirus (COVID-19) will have vast effects on the global economy and politics. Simultaneously there is upcoming tendency for a rising trend in international hybrid influence. 2. Many new digital innovations are introduced into the healthcare industry at an accelerating pace, with the goal of cost and operational efficiency. While focusing on productivity through new innovations, it is easy to underestimate and forget the impact of cyber threats. 3. The research data collected from healthcare personnel is valuable in the hands of outsiders. Health care ranks among the top five targets of cyber-attacks. Traditionally, healthcare has focused on patient and device safety, but preparedness for cyber and hybrid attacks has not been a priority. 4. The coronavirus pandemic demonstrates that in the current situation, the capacity of available healthcare at national and even European level has been rapidly exhausted. The differences are very large and the spread rates vary greatly from country to country, which affect the spread and consequences of the crisis. 5. We are facing major challenges and diverse training needs to be increased. Attitudes towards competence development in organizations must change. Risk analyses should be routinely in use. New threats are constantly changing, and new ones are emerging in the around-the-clock digital world. Organizations need to go through the process of continuous competence development and respond to the challenge of digitalisation. Training and skills development are great opportunities and inexpensive ways to invest in organizational resilience. This ensures that the organization’s personnel are a strength in the preparation for cyber and hybrid attacks.

According to experts, in the instance of a droplet infection on an airplane, the infectious virus spreads one row forward and one backwards.

10 | CYBERWATCH FINLAND


6. Particularly detrimental is the “I have nothing to hide� attitude, which leads to the person becoming the target of influencing. Digital services and platforms have made each of us have a significant amount of information available online. If our digital status changes to the interest of criminals and other actors in the network, it is quick and easy for individuals to influence the organization and the network as a whole. 7. The resources of state actors and cybercrime are multiplied compared to public procurement law enforcement agencies and other authorities as well as the private sector actors. Criminal and state actors have the opportunity to hire the best resources, invest in the development of cyber-attack methods and weapons, set up legitimate businesses and start-up companies as a cover to achieve their goals. 8. In an asymmetric and rapidly advancing crisis situation affecting the governmental sector, such as the coronavirus pandemic, silo-like decision-making machinery does not work. According to the audit report of the National Audit Office, in a widespread cyber-violation situation, countermeasures to large-scale attacks on several branches of the government have not been planned or accounted for. Against this backdrop, experts from the National Institute for Health and Welfare (THL) do not have the opportunity to take the lead if it is not found in the Government itself. The current pandemic is a good example of the capacity of silo-like operating models to deal with a rapidly evolving crisis, which is interpreted as sector-specific in Finland, but which is by definition a multi-dimensional crisis that requires decisions and action by the Prime Minister and the entire Government.

9. Nowadays, administrative sectors primarily look at security for their own needs, leaving out the broader societal perspective. Therefore, in addition to the administrative solutions already existing in the current environment of hybrid threats, Finland must create a Prime Minister- centered strategic crisis management model, starting with accountability, front line leadership and supporting mechanisms within the Government. It is important to ensure clear leadership and leadership responsibilities, and not leave the management to the responsibility or coordination of the administration. 10. In this new operating environment, the prime ministerial and governmental leadership model requires the ability to create and build situational awareness as a basis for decision-making and action. Building a coherent and shared situational awareness requires shared situational awareness, centralised and well-networked leadership. 11. At national level, an evaluation model should be established to measure which vital functions in society are in place and at what time and how they can be validated in the event of disruption or exceptional circumstances. The measures to be taken shall safeguard and ensure the continuity of activities essential to the functioning of society as close to normal conditions as possible under all circumstances. 12. The overall goal in Finland should be to improve the resilience of the vital functions and services of society to the municipal and citizen level. The aim must be to increase the hybrid capacity of Finnish municipalities and local actors to a) identify, b) capture / respond to, and c) prepare for a new kind of global security threat, the hybrid threat.



THE CORONA PRESENTS THE IMPORTANCE OF SELF-SUFFICIENCY text: PETTERI JÄRVINEN Veteran computer geek, IT pro, non-fiction writer, public speaker and owner of Petteri Järvinen Ltd (Oy)

The corona epidemic has made everyone aware of how dependent we are on foreign trade and providers. Chinese factories produce equipment and consumer goods, southern Europe produces fruits and vegetables, and a global logistics chain delivers these goods to the right place at the right time.



When a pandemic strikes, business is disrupted and stopped. The consequences can be catastrophic. Finland is prepared for military threats and, to an extent, cyber threats, but the health threat seems to have surprised the whole world. Are we focused on protecting ourselves from the right threats? One day the epidemic will ease and the return to normal will begin. Then Finland’s reserve stocks and self-sufficiency in food production will receive the praise they deserve. Due to its location, Finland is more resilient to crises than many Central European countries.

In the aftermath, it is also a good time to think about IT self-sufficiency. In this respect Europe is greatly behind. To put it frankly, the programs are made in the US and the equipment in China. Europe has only narrow IT expertise, of which the gaming industry and 5G networks are good examples. Technology has become an instrument of power politics, which is only gaining more importance as China challenges the global leadership of the United States. Whoever controls software and hardware will continue to rule the economy and thus the world.

Hidden within visible power there lies a perplexing and mysterious power that is invisible to the general public. Software can be used to create backdoors or intentional vulnerabilities that help an intelligence service and the country’s own economy gain a competitive advantage. Undocumented features, such as backdoors or kill switches, can be embedded deep inside hardware, and can paralyse the device from anywhere in the world. Information systems technology is so complex and layered that it is impossible for the buyer to fully understand what they have actually acquired. Particularly in software, the constant need for upgrades means that the buyer is in the seller’s grasp throughout the life cycle of the system. There are already real-life examples of this.

In the spring of 2019, the United States banned American software companies from cooperating with the Chinese company Huawei. The closure of the Android operating system and application store was a serious blow to Huawei’s booming phone business.

In the fall of the same year, Adobe, known for its graphics software, was forced by a presidential order to stop providing its cloud services in Venezuela. Since the programs do not work without the cloud, the country’s photographers and all visual production were left stranded until Trump eased the ban.

Europe is in a difficult position, set between the United States and China. Up until Trump’s election, we could count on the Western countries standing together, and the US would not leave us in danger. However, the situation has since changed. The US is becoming more independent and self-serving. Now is the last moment to start developing European IT skills and building cyber-autonomy. In some areas it may be too late, but a genuine effort is enough to speed things up and bring about positive development. The key is to get the ball rolling. Movement always creates new movement, and the effects will multiply.

The competition for computer operating systems has long been lost. Nothing challenges Windows’ dominance, but that may not even be necessary. The EU could take one of the many secure open source Linux distributions, audit its code and recommend this version to the public administration. It would be essential to take care of the whole life cycle: updates, drivers, certificates and everything else related to a secure IT environment. No one can be forced to change operating systems, but the example of a secure Linux could attract application developers and eventually companies. Similar measures could be applied to smartphones, browsers and certificates: for each, a secure EU option should be available. Nokia and Ericsson show that there are opportunities in the ever-evolving market. Europe is in a good position with regard to 5G technology and IoT devices, as long as that position can be maintained.

Cyber self-sufficiency is, above all, a guarantee of our own security and independence, but it also has an impact on information security and the fight against industrial espionage. The majority of hacking and web fraud is based on deception or manipulation of the user. Technology or self-sufficiency cannot protect against these attacks. Therefore, nothing lessens the importance of user education and alertness.



CURRENT SECURITY THREATS CHALLENGE THE POLITICAL LEADERS text: JARNO LIMNÉLL Professor of cybersecurity at Aalto University, CEO at TOSIBOX

Recent conflicts, such as the current escalation between the US and Iran, or the on-going low intensity warfare in Eastern Ukraine, serve as topical examples of the role played by “cyber” and “hybrid”, which emerged as buzzwords on security agendas around the world over the last two decades.

Hybrid threat means combining and synchronizing different means and methods of influencing, and acting in a covert and deniable way, with the aim of confusing the adversary or disrupting their actions without crossing the threshold of war. Such a way of engaging adversaries in the so-called gray zone is expected to play an increasingly prominent role in conflict during this decade. It is time to refresh the discussion covering hybrid threats and bring it to a new level in order to succeed in the emerging security environment of the 2020s.

FAST PACE OF TECHNOLOGICAL DEVELOPMENT AFFECTS SECURITY

One of the key challenges in the current security environment plagued by hybrid threats is to keep pace with the ever accelerating development of technology and the society-wide tide of digitalization. As a megatrend, technology becomes one with everything, turning ubiquitous, and thus calls for strong political attention together with an honest evaluation of the security implications of these developments. Looking at this challenge from the security perspective, it becomes clear that an ever-greater level of estimation and foresight is needed, together with an ability to assess hybrid threats and the risks of technology misuse.

As a concrete example, if we prepare ourselves against election meddling by an external hostile party only by taking into account the interference tools and methods that we have witnessed being used, or that we have experienced ourselves earlier, we are doomed to always be one step behind. On the other hand, it is necessary for us, and for decision-makers, to admit that we will never be able to anticipate all the possible risks and avenues of attack. The hybrid threat environment challenges citizens, business leaders and political decision-makers in particular in many new ways. For example, when thinking about the concept of deterrence in the current threat space, or pondering a proportional response to the spread of fake news or to data manipulation targeting critical national information assets, new kinds of ‘red lines’ must be drawn, contingency plans created, and political guidance envisioned and established. Thus, it is fair to say that today’s technology-related security questions have truly entered the realm of high politics.

A GROWING GAP

Unfortunately, despite many threat indicators sounding the alarm, there seems to be a growing gap between policymakers and those championing technological development. Political decision-makers do not quite understand the complexities of technology, and also do not fully appreciate its groundbreaking and society-shaking impacts. At the same time, most of those living on the bleeding edge of technological development are not fully aware of the wide societal impacts of the technologies they unleash on the world and of the ensuing policy challenges. The magnitude of this separation will be further highlighted during this decade, as the primary question in the technological realm will not be whether something can be done, but why, when, where and by whom it will, or perhaps more importantly, should be done. In the world of politics, it becomes increasingly important to ask who can make well-informed decisions governing technological advances and the security implications they bring along. Answering these questions significantly influences how we can both pre-empt some of the emerging hybrid threats of this decade and defend successfully against them.

HOLISTIC APPROACH OFFERS A SOLUTION

A holistic approach to security is needed more than ever in the 2020s. Driving this need are the developments discussed above, where cyber operations and hostilities are increasingly becoming integrated with other types of operations and hostilities, forming hybrid threats. Even if the role of cybersecurity and technology will be emphasized more in political security analysis, a holistic perspective is essential to understand the big picture. As the latest Global Risks Report presents well, a holistic approach is particularly needed when trying to understand the various kinds of complex interconnections between different risks. Individual risks should not be separated into isolated assessment from the holistic security context, the strategic approach and political decision-making.

Hybridity is a useful concept for thinking about current security issues, since it embraces the interconnected nature of the threats and risks that we are experiencing today. It also illustrates well the multiplicity of actors and the diversity of threats. Therefore, in politics, “hybrid politics” is a cogent term to describe both the importance of a holistic approach and the importance of including high politics in these matters. One challenge lies in the fact that current policy actions and responses are based on a rather static and siloed situational understanding of the security environment, not fully recognizing the dynamic and holistic nature of hybridity. With a more inclusive hybrid politics approach, it will be possible to find better answers also to current cyber challenges in the hybrid security environment.

Many societies have embraced the concept of comprehensive security as a necessity in order to provide security to their citizenry, improve their resilience, and prepare the societies for still unknown threats. In the comprehensive security model championed by countries such as Finland, national security is built in tight, trust-based cooperation between the authorities, members of the business community, non-governmental organizations and citizens. The model is inherently inclusive: everyone can contribute to the shared security. But that is not yet enough, as in hybrid politics it is necessary for us to think further. Collaborative thinking should extend even further than today, especially when preparing for threats that are not confined to national boundaries. Despite some recent isolationist tendencies in global politics, a co-operative approach between “like-minded nations” and with “like-minded global companies” is a prerequisite for countering effectively both current and emerging security threats. For us to be successful, “shared responsibility” and “together”, instead of “alone” or “first”, have to become the keywords in this decade’s security thinking.



ENERGY SECTOR STRATEGIC REVIEW

CASE: SANDWORM

text: PASI ERONEN International security analyst and consultant

Sandworm, also known as CyberBerkut, APT28, or Fancy Bear among others, is a moniker for a hacker group tied to the Russian military intelligence agency, the GRU (GU) [1], or as it is known officially, The Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Гла́вное управле́ние Генера́льного шта́ба Вооружённых сил Росси́йской Федера́ции). Within the GRU’s organization, Sandworm has been associated with Unit 74455 [2], which has also been listed as one of the GRU-linked entities that took part in the interference in the 2016 U.S. presidential election. [3]

Looking into the key events that Sandworm has been associated with since 2014, the first event in this timeline took place in May 2014, at the time of Ukraine’s presidential election, the first after the Maidan events of late 2013 and early 2014. A hacker group calling itself CyberBerkut, now known to be a Sandworm alias [4], attacked routers, software and hard drives at Ukraine’s National Election Commission with the objective of hobbling the release of the official vote count and producing false results. [5]

In December 2015 and again in December 2016, a Russian hacker group already identified as Sandworm was responsible for power blackouts in Ukraine, the first publicly recorded electric outages blamed explicitly on a cyber-attack. [6] Reports from the U.S. intelligence community and security companies describe Russian cyber-probing of U.S. electric utilities, and experts say the United States may be vulnerable to an attack similar to the two that took place in Ukraine. In June 2017, NotPetya, first presumed to be a ransomware program and later tied to Sandworm, crippled several Ukrainian ministries and private companies, including the shipping and logistics giant Maersk. [7, 8] The estimated costs of NotPetya have risen to several hundred million dollars per affected company and more than 10 billion dollars’ worth of damage globally. [9] In February 2018, during the Winter Olympics in Pyeongchang, Russian cyber operatives, namely Sandworm, disguised as North Korean hackers in the manner of a classic false flag operation, breached several hundred computers in use by the organizers of the 2018 Winter Olympic Games. The Russian operatives managed to cause some minor disruptions to the Games’ internet connectivity, broadcast systems and ticketing systems. [10]


LESSONS LEARNED FROM SANDWORM ACTIVITIES FROM THE CRITICAL INFRASTRUCTURE PROTECTION PERSPECTIVE

1. Nation states are interested in gaining a permanent foothold in computer systems that allow them to control the parts of an adversary’s critical infrastructure that they are interested in, and that offer them an avenue for tactical or strategic level impacts. According to sources, at the moment there are at least ten nation states with proven interest in, and capability to penetrate, such systems.

2. While there are initiatives, such as the Digital Geneva Convention driven by Microsoft, there is little evidence to support the idea that nations would refrain from targeting parts of critical infrastructure in support of preparing the battle space for their potential future operations. On the contrary, looking at critical infrastructure and other key targets from the military planner’s perspective, striking parts of critical infrastructure offers an interesting way to hamper the adversary’s war preparations, cause additional logistical and other friction in the target society, and cause physical and psychological effects.

3. As of now, cyber-attacks against critical infrastructure, and particularly against the electric grid, have been limited in their geographic reach and relatively short in duration. While this is the case now, according to expert estimates a dedicated and well-prepared attacker could cause wider and lengthier effects. Such an attack with major consequences might be more probable in highly developed and widely automated Western systems, which have limited analog back-up systems available for operating the system manually.

4. Probing, penetrating, establishing a foothold in, and finally attacking critical infrastructure, such as a national or regional electric grid or election systems, serves a number of purposes, only one of which is causing a temporary or more prolonged blackout or a glitch in vote counting. Mere probing can serve the political purpose of a warning, signalling to the adversary about their vulnerabilities. Establishing a more permanent foothold, and announcing it either in back-channel communications with an adversary or even publicly, may serve as a deterrent that tries to influence the adversary’s cost-benefit calculations. Lastly, causing physical effects, in addition to their tactical or operational impacts, also serves as a tool for influencing the psyche of citizens and decision makers, both in the targeted society and elsewhere, as attacks are often observed and evaluated by external parties, such as partners and allies, but also private sector companies.

5. Protection of critical infrastructure from cyber-attacks demands wide co-operation both nationally and internationally. Private sector companies play a key role in the protection of critical infrastructure, as in most cases the ownership and operational responsibility lie with private sector companies. Nevertheless, private sector efforts need support from public sector entities and the government, for example in the form of information exchange covering the latest threat information. A second area of cooperation comes in the form of exercises, where the readiness of the critical infrastructure entities can be tested and improved in a controlled environment. International cooperation also plays an important role, as many of the threats and patterns of operation emerge in one place prior to making their way elsewhere. Furthermore, heavily interconnected and interdependent systems demand that all parts of the system be protected with the same vigilance for all to stay safe and operational.

6. Lastly, the sheer number of publicly known successful cyberattacks targeting critical infrastructure, the yearly warnings from the intelligence community, and the public investigations by private sector cyber security companies suggest that there are actors with the necessary capabilities in place to launch a successful attack against critical infrastructure targets, should the intent for it be in place. Thus, in addition to protecting critical infrastructure from attacks, special attention should be paid to improving the resilience and quick-recovery-from-attack capacity of critical infrastructure.

References - CASE: Sandworm

1. Meduza (2018) What is the GRU? Who gets recruited to be a spy? Why are they exposed so often? https://meduza.io/en/feature/2018/11/06/what-is-the-gru-who-gets-recruited-to-be-a-spy-why-are-they-exposed-so-often
2. Greenberg, Andy (2019) Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Doubleday, New York, NY, USA; Greenberg, Andy (2019) Here’s the Evidence That Links Russia’s Most Brazen Cyberattacks. Wired, November 15, 2019. https://www.wired.com/story/sandworm-russia-cyberattack-links/
3. Mazzetti, Mark; Benner, Katie (2018) 12 Russian Agents Indicted in Mueller Investigation. The New York Times, July 13, 2018. https://www.nytimes.com/2018/07/13/us/politics/mueller-indictment-russian-intelligence-hacking.html
4. GOV.UK (2018) UK exposes Russian cyber attacks. October 4, 2018. https://www.gov.uk/government/news/uk-exposes-russian-cyberattacks
5. Clayton, Mark (2014) Ukraine election narrowly avoided 'wanton destruction' from hackers. The Christian Science Monitor, June 17, 2014. https://www.csmonitor.com/World/Passcode/2014/0617/Ukraine-election-narrowly-avoided-wanton-destruction-from-hackers
6. Greenberg, Andy (2019) Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Doubleday, New York, NY, USA.
7. Nakashima, Ellen (2018) Russian Military Was behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes. The Washington Post, January 12, 2018. https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html; Greenberg, Andy (2018) The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Wired, August 22, 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
8. Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (2017) Cyberattack Hits Ukraine Then Spreads Internationally. The New York Times, June 27, 2017. https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html
9. Forrest, Conner (2017) NotPetya Ransomware Outbreak Cost Merck More than $300M per Quarter. TechRepublic, October 30, 2017. https://www.techrepublic.com/article/notpetya-ransomware-outbreak-cost-merck-more-than-300m-per-quarter/; World Economic Forum (2018) The Global Risks Report 2018. January 17, 2018. http://www3.weforum.org/docs/WEF_GRR18_Report.pdf; CBS News (2019) What can we learn from the "most devastating" cyberattack in history? August 22, 2018. https://www.cbsnews.com/news/lessons-to-learn-from-devastating-notpetya-cyberattack-wired-investigation/
10. Nakashima, Ellen (2018) Russian Spies Hacked the Olympics and Tried to Make It Look like North Korea Did It, U.S. Officials Say. The Washington Post, February 24, 2018. https://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html; Greenberg, Andy (2019) The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History. Wired, October 17, 2019. https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/



THE SIAMESE TWINS OF INFORMATION AND CYBER - VULNERABLE AND ALMOST INSEPARABLE text: ANTTI SILLANPÄÄ Senior Researcher, Secretariat of the Security Committee

Cyber infrastructure is in many ways inseparable from its content. Damage to either one may result in the failure of the whole system. The Information domain is in many ways the more vulnerable of the two due to its fuzziness and unclarity. Recent developments have shown that improving preparedness in one area has moved attackers’ attention to the other. National actions are seldom enough when trying to protect our information and cyber spaces.

ELECTIONS AS A CASE

The tactics of grand-scale information operations seem to be changing. This is evident when we analyse what has been happening around election campaigns. Interference has caused problems for democratic processes for a long time. However, it was Russian meddling in the U.S. and French elections that raised this as a concern for Western democracies.

The methods used to interfere with elections include hacking, denial-of-service attacks, spreading of fake news, harassment of candidates and parties, threats and bullying, trolling, and the use of bot networks to steer the direction of debates. [1] The goal can be to support or undermine a political actor, or to undermine confidence in the process. Hostile action can target authorities (electoral systems and processes, supporting authorities), political actors (campaigns, parties, individual politicians), the general public (the electorate and others) and the media.

Democratic countries tend to be slow to act if there is no imminent threat looming. Luckily, election security was something that nations prioritised; e.g. prior to its parliamentary elections, the EU announced concrete measures to strengthen the resilience of the Union’s democratic systems. [2] In Finland, the Ministry of Justice took Finnish parliamentary election security to the Security Committee and, following its advice, established a cross-government task force. It focused on informing the public, political actors, civil servants and the media about the threats. In addition, the group analysed co-operation between different authorities. Based on the final report’s recommendations, several steps have been taken or are in the making. Finland is only one example; several countries have improved their processes and regulations.

MOVING TARGETS, CHANGING TACTICS

The increased efforts to protect voting have been successful, judging by election security reports; e.g. the Finnish report boldly says “work to support cyber security in the parliamentary elections was a success” and further “Major attempts to interfere with the elections were not detected”. [3] We can see how in Western Europe the public outcry over foreign meddling has quieted down. It is even possible that the attempts to distort are few and far between. There are a couple of explanations why potential troublemakers would change their behaviour; many of the items in the list below are linked to each other. Firstly, election interference might be “out of fashion” in the meddling business: hostile actors create new plots to shake democracies. Secondly, nations’ efforts to counter interference are actually working, and it is more difficult to rig improved systems. Thirdly, the public attention on the election system has caused amateur hackers to shy away. Lastly, the risk-reward ratio for adversaries has changed. When authorities and other stakeholders are alert, the risk of getting caught is higher. And after the Salisbury incident we have seen how public attribution can really have an impact on international relations. Russia felt that open and free societies can synchronise their actions rapidly when necessary.

All or some of the items listed above have guided hostile actors to change their focus. As physical structures are better guarded, the efforts have moved to new targets. The softest target is human thinking. The purpose of a state-actor attacker has remained the same: to weaken the competitor. In NATO parlance, the information environment has three dimensions: physical, informational and cognitive. [4] Hostile information activities can cause havoc by attacking any one of these. The cognitive dimension is the effort to give context to what is happening or has happened. If this sensemaking is disturbed, people feel lost. From an electoral point of view, this could mean complete distrust of elections, news media and authorities, alienation from others, and even a lost sense of the purpose of democracy. According to Jessica Brandt of the Alliance for Securing Democracy, the Russian focus with the U.S. elections is to create division among the electorate by pumping mistrust into the system: “…the perception of insecurity can be just as damaging as insecurity itself”. [5] Similar thinking is echoed in the new U.S. Counter-Intelligence Strategy 2020-2022: “…These campaigns are designed, for example, to sway public opinion against U.S. Government policies or in favour of foreign agendas, influence and deceive key decision makers, alter public perceptions, and amplify conspiracy theories… Our adversaries regard deception or manipulation of the views of U.S. citizens and policymakers to be an effective, inexpensive, and low-risk method for achieving their strategic objectives”. [6]

PROTECTING OUR FREE WILL

Democracies are vulnerable to determined attackers. However, election protection has shown that enhanced co-operation is an effective way of supporting societies. Despite the excellent track record of whole-of-government and whole-of-society approaches, these models have shortcomings. They do not fully grasp the impact of international business. As there are not enough incentives for international social media companies to protect the information space, countries are pushing for more regulation. For smaller media markets, it is important that the work is done jointly; e.g. the European Commission is modifying liability rules for platforms, with a proposal due by the end of the year. [7] Currently the emphasis is on heavier regulation, but all actors should feel responsible. Protection of healthy cyber and information environments in one country helps everyone. In these domains everyone is connected; everyone is a neighbour to everyone.

1 https://vnk.fi/en/article/-/asset_publisher/suomessa-on-maailman-parhaat-vaalit-mieti-miksi
2 https://ec.europa.eu/commission/presscorner/detail/en/IP_18_5681
3 https://valtioneuvosto.fi/en/article/-/asset_publisher/1410853/eduskuntavaalien-turvallisuutta-tukenut-varautumistyo-oli-onnistunutta
4 https://fas.org/irp/doddir/army/atp3-13-1.pdf
5 https://www.bloomberg.com/news/videos/2020-03-03/-balance-of-power-full-show-03-03-2020-video
6 https://www.dni.gov/files/NCSC/documents/features/20200205-National_CI_Strategy_2020_2022.pdf
7 https://www.bloomberg.com/news/articles/2020-02-12/u-k-to-regulate-internet-in-crackdown-on-social-media-companies





CYBERWATCH FINLAND QUARTERLY REVIEW Q1 2020

“Hackers attack every 39 seconds, on average 2,244 times a day.”


QUARTERLY REVIEW Q1/2020

1. Cyber Trends Q1/2020
2. US Cyber Strategy and its Priorities for 2020
3. Russia's Cyber Capabilities
4. The Importance of the Submarine Cable Network for Cyber Security
5. Influencing Information is Part of Cyber Operations
6. Cyber Sabotage has Become a Major Cyber Threat
7. Building a Cyber Culture Requires a Lot of Small Actions and Collaboration

1. CYBER SECURITY FORECAST 2020

During the first quarter of the year, the globally spread coronavirus, or COVID-19, has changed everything we do and made it harder for every company and person to do business. When the pandemic spread from China to Europe, we saw how differently countries are responding and trying to manage the crisis. There are many similarities to a global cyber crisis. We do not know exactly what has happened, or why, and we do not know who is behind these phenomena. Most visibly, we see the after-effects, and all possible actions and resources need to be focused on managing them. Reliable and up-to-date communication is worth an incalculable amount. Fierce rumours have already circulated about the use of biological weapons, and speculation about the motives will certainly continue for a long time. Cybercriminals have also taken advantage of the crisis; for example, phishing messages and fake websites of various kinds have increased significantly. Attempts are being made to exploit people’s distressed state of mind and to create more chaos and uncertainty.

The politicization of cyber security is reflected in world politics and in state actors’ growing interest in cyber and information influencing. Influencing electoral results has been particularly prominent, while other forms of influence and cyber-espionage have received less attention. The fragmentation of the Internet has long been talked about. Huawei has offered to build a new, better global Internet that can overcome the weaknesses of the existing Internet; this initiative was presented at the ITU (International Telecommunication Union) meeting. China is striving to become a global actor and a key player in all the digital fora of the world. Cyber espionage is an integral part of all political cyber operations. A good example is Iran’s increased cyber influencing following the US air strike, although Iran’s missile strikes attracted the most media attention. The US-China trade war has also increased cyber operations between the two countries.

Many studies have named ransomware as the biggest trend in cybercrime, noting its rapid increase. Ransomware is constantly evolving into new and more sophisticated forms, and the ‘ransomware as a service’ concept is very popular on the ‘Dark Internet’. Increasingly, ransomware programs also target government organisations. The malware can spread throughout the organisation’s internal network and at worst encrypt all network drives, cloud files and even backups.

“Ransomware attacks predicted to occur every 11 seconds in 2021, with a cost of 20 billion USD.”

CYBERCRIME IS BECOMING MORE AND MORE PROFESSIONAL

Cyber criminals are becoming more professional and are quickly learning new skills to identify vulnerabilities efficiently and exploit them in attacks. Cybercrime attacks are strategically well planned. Attacks are increasingly complex and progressive, combine multiple means, and are thus more challenging to defend against. It is likely that the number of sophisticated, targeted and long-lasting attacks will increase. Cyber criminals are looking for deeper architectural access into the systems of different organisations, down to the heart of the hardware. Attacks that exploit BIOS or other firmware vulnerabilities show that the deeper into the technology stack an attacker reaches, the more control over the system they gain. A successful hardware-level attack gives an attacker access to a physical machine without triggering any alarms. Such attacks are challenging to detect in a timely fashion, because the virtual machines, the entire memory and all disk drives appear to function normally, and the foothold persists even after a reboot and a reinstallation of the operating system.

The technical aspects of artificial intelligence are gaining new nuances. In principle, artificial intelligence will adapt and personalise itself according to the individual's own needs and behaviour. Continuous iteration, algorithms and machine learning support the development of artificial intelligence, which will allow it to make decisions independently in the future. In the future, we will see more and more hybrid work between humans and artificial intelligence, where both parties are responsible for a specific issue. The purpose of artificial intelligence is to create new tools that enable us to achieve better and more effective results in less time. Working with artificial intelligence will also become more common, with automation taking big leaps forward.

Authentication services have become more widespread and a variety of means have been developed for authentication. Fingerprint, face and iris recognition are currently the best-known biometric means of identification, and progress is being made towards unambiguous personal identification. People are genetically diverse and have personal habits, and therefore no additional passwords will be needed for authentication in the future. Although this facilitates the identification of individuals, it also carries risks. A good example is facial recognition technology, which has already been harnessed to some extent: it facilitates individual verification, but there is a risk of losing personal privacy. Losing and changing a single password is common and easy, but if a person's biometrics are lost, the risks of abuse are unpredictable; the same applies to iris and fingerprint recognition. Banks and companies intend to move towards biometric identification. Authorities should monitor whether the resilience of banks and companies is sufficient to protect customer privacy and usage.

TOP 6 TARGET INDUSTRIES FOR CYBER ATTACK

Source RedTeam: 1. Business, 2. Healthcare/Medical, 3. Banking/Credit/Financial, 4. Government/Military, 5. Education, 6. Energy/Utilities

Source Hackernoon: 1. Web, 2. Healthcare/Medical, 3. Accommodation, 4. Public sector, 5. Retail, 6. Banking/Financial

FORESIGHT PLAYS A KEY ROLE

All organisations should constantly test their own cyber capabilities in their current operating environment. For example, in telecommunications testing it is not enough to perform stress tests only in a controlled manner or in simulated situations. Sensors must not collect alert data and samples only for the cases that were anticipated; they must also continuously collect, in real time, behavioural data that deviates slightly from the expected. Only this allows threats to be detected in a timely manner and the response time to be reduced. Prevention and anticipation are key. In an ever-changing environment, we need to act faster and adapt to events that are more and more difficult to predict. The human element is often the weakest link. Human activity is more difficult to anticipate, so knowledge management and education are becoming increasingly important factors. Some sort of malfunction or damage will be a part of our daily lives. Revealing these problems, asking for guidance and responding quicker are the most important precautions for any organisation. Lowering the notification threshold strengthens the performance of the organisation. High-quality fraud mechanisms are so advanced that even the best expert cannot avoid falling for them.

The cornerstone of cyber security is a holistic understanding of cyber security and the recognition of factual information. We need to be able to act and secure the vital functions of our society in situations where global connections are not working. We have already seen the GPS system shut down at critical moments and submarine cables cut off. In the future, we will surely see disruptions of the 5G network, and even the internet going dark as a whole. Even in these situations, the most critical functions of society must operate, such as government leadership, health care and the livelihood of the population. In the future, it is not enough for us to be prepared to secure critical infrastructure and services. In the planning process, we must understand what is 'supercritical' to our society. Securing the supercritical functions of society must not be based on commercial platforms and services but on strong national digital sovereignty. Suitable technological solutions have been developed in Finland. The expertise already exists; what is needed is the right situational awareness for decision makers and enough determination to prepare for the worst-case scenarios. Threats have already changed and are becoming increasingly challenging. The significance of good leadership becomes paramount. The Emergency Law has just been put into practice. Hopefully this has improved the understanding of preparedness, and the importance of reliable situational awareness has become evident.


2. US CYBER STRATEGY AND ITS PRIORITIES FOR 2020

The political goal of the United States is to maintain its position as a global leader and the only superpower. Cyber influencing is an increasingly integral part of its military operations. Cyber capabilities have even been seen as a new line of defence; on the other hand, cyber capabilities are part of land, sea, air and space defence. In military operations, cyber-attacks are in many cases seen as an alternative form of attack with a smaller risk of escalation than physical attacks. At the same time, cyber-attacks target all critical U.S. operations and services. Therefore, the ability to secure the vital functions of society has been raised as a priority. The main goal of the U.S. cyber strategy is to secure the November 2020 presidential election from various influencing attempts. The hacking of candidates' information systems and e-mails in previous elections, as well as targeted influencing through social media, are to be prevented in the forthcoming elections. The U.S. offensive cyber capabilities are maintained at a high level and must be usable actively and spectacularly, as cyber-attacks that are part of political and military operations. At the same time, the level of cyber security in America's own systems is suffering from incidents, and Iran is expected to target large-scale cyber operations against the United States this year. In addition, global technological developments pose growing challenges in combating government intelligence and industrial espionage.

THE FOUR KEY POINTS OF CYBER STRATEGY

The current US cyber strategy was drawn up in 2018 and includes four pillars, i.e. main themes: 1. Defending the United States by protecting networks, systems, operations and data; 2. Supporting American well-being through digitalisation and innovation; 3. Maintaining a state of peace by developing an American cyber deterrent and, if necessary, punishing hostile actors; and 4. Promoting American influence and an open and secure Internet¹. The first pillar of the strategy will be tested this year by the presidential election. Russia's attempts to influence have already been identified and are likely to increase as the election approaches. Elections are the cornerstone of democracy, and securing them is vital in every western country. The Cybersecurity and Infrastructure Security Agency (CISA) considers the US presidential election of November 2020 to be the biggest cyber security challenge of 2020. Efforts are being made to avoid the ambiguity seen in previous elections, and CISA released a special Protect 2020 program at the beginning of the year². In addition to CISA, the program includes other governmental security and intelligence organisations, as well as private cyber companies, social media companies, universities and research institutes.

The practical measures of the program can be divided into four areas³. The first component is the electoral infrastructure, i.e. the election information systems and the communication between them, the databases of those entitled to vote, the polling stations and their IT equipment and software. National and local authorities as well as IT service providers will be supported in implementing the technical security of the electoral infrastructure. Secondly, CISA assists candidates in securing their information systems by assessing risks and vulnerabilities and providing guidance on fixing them. In addition to the United States, several other countries have seen hacking incidents against party information systems in the run-up to elections, as well as the publishing of negative information about specific candidates; there is a desire to prevent such influence. The third component is US citizens, who are to be protected from unfounded media influencing. Citizens will be provided with information campaigns to help them identify information influencing and will be warned about perceived disinformation campaigns. The fourth component is the Threat Intelligence and Operation Center, maintained by the authorities and the private sector, which seeks to identify hacking and influencing attempts in advance and to alert all parties involved in the election to the identified threats. Good preparation, close co-operation between the authorities and the private sector, and experience of hacking and influencing attempts in previous elections provide a good basis for ensuring the cyber security of the elections. It must be considered likely that the US will be able to prevent major data breaches and reduce the negative effects of outside information influence in the presidential election.

THE CYBER STRATEGY IS BECOMING MORE PRECISE

The cyber strategy has been further refined by different ministries, for example by the Department of Defense (DoD), which has at the same time drawn up its own cyber strategy. Naturally, the objectives of the DoD strategy are more directly related to the development of military cyber-attack and defence capabilities than those of the national strategy⁴. In line with the National Cyber Strategy and its third pillar, the United States has actively used cyber deterrence against other states. The operations that came to light have been successful. The United States succeeded, at least in part, in repelling Russian attempts to influence the 2018 congressional election. Before the election, the United States used cyber deterrence to warn Russian troll factories directly against interfering in the election, and on election day itself it managed to take down the troll factories' servers⁵. The U.S. offensive cyber capability and global leadership will remain at least at the same level this year as before.

Last year, relations between the United States and Iran tightened in various conflicts in which the United States launched several cyber-attacks against Iran. For example, in June 2019 the United States crippled Iran's missile systems with a cyber-attack⁶, and in September, after Iran's drone attack on Saudi Arabia's oil fields, the United States momentarily paralysed Iran's telecommunications systems and propaganda channels⁷. The tightening of relations between the countries and Iran's rapid technological development in offensive cyber operations have made Iran a key concern for the United States in 2020. In early January, after the United States eliminated the Iranian Armed Forces General Soleimani, a U.S. government server was hacked and Iranian propaganda was posted on its home page⁸. Several bodies estimate that strong countermeasures are to be expected from Iran during the first half of 2020⁹. However, by the end of February, Iran had not carried out, or at least not succeeded in, any wider attacks¹⁰. Along with Iran, China, Russia and North Korea will maintain their positions as the most significant cyber warfare opponents of the United States, but Iran's status as an opponent is expected to grow this year. The United States has successfully conducted spectacular offensive cyber operations against other countries. However, a major concern for the United States is the poor level of cyber security in its own systems and thus its vulnerability to cyber intelligence and influence¹¹. The tactics of the opponents have differed from those of the United States: instead of large and spectacular operations, several smaller and more targeted operations have been conducted that have not crossed the U.S. threshold for counter-operations¹².

THE MAIN CONCERN IS THE VULNERABILITY OF CYBER SECURITY IN THE PRIVATE SECTOR

Instead of the armed forces and the state administration, the main concern is the level of cyber security in the private sector. The so-called "third-party risk", i.e. attacking the main target through vulnerable partner networks, is one of the most significant weaknesses that has emerged in recent years¹³. Another significant factor is the sharp increase in the use of civilian technology and services in the U.S. armed forces. In terms of cyber security, civilian technologies such as satellites are not on the same level as technology designed purely for the military, and they enable hostile cyber operations against the United States¹⁴. In addition to the armed forces, critical infrastructure, and in particular the energy and financial sectors, is estimated to be most at risk due to its low level of cyber security¹⁵.

Global technological advances pose a growing threat to U.S. cybersecurity, particularly from the perspective of intelligence and industrial espionage. The new US Counter-Intelligence Strategy 2020-22 identifies foreign cyber intelligence and hybrid engagement as one of five counter-intelligence priorities¹⁶. Constantly evolving technology and methods of cyber espionage make it easy, quick and inexpensive to retrieve secret information from the United States and to exert hybrid influence on society. In particular, the use of IoT, 5G, quantum computing and artificial intelligence technologies as cyber intelligence tools is growing. The operational capacity of cyber counterintelligence will be improved in three areas. To develop cyber counterintelligence, a new intelligence unit will be established with the best technical expertise in cyber-threat intelligence in the United States. New tools and software are being developed to enhance cyber threat intelligence and improve situational awareness. In addition, co-operation and exchange of information between different security authorities and the private security sector will be intensified.

The U.S. cyber strategy, in all its areas, will face significant challenges this year. Active development efforts are aimed at one goal: ensuring the security and independence of the presidential election. The security and credibility of the elections, as well as the narrative of the external threat to the elections, will play a major role in themselves. The election is the single most significant yardstick for how successful the United States will be in cybersecurity in 2020.

Cybercrime will cost the world 6 trillion USD annually by 2021.

29.94% of malware was delivered by email. (Verizon)

3. RUSSIA'S CYBER CAPABILITIES

In June 2019, the United States acknowledged that since 2012 it has conducted cyber intelligence on Russia's power grids and prepared for cyber-attacks by installing malware in Russia's information infrastructure. According to President Putin's press secretary, Dmitry Peskov, vital parts of the Russian economy are a constant target of cyber-attacks, and Russia is constantly fighting to prevent the damage caused by these attacks. Foreign intelligence services are trying to penetrate Russia's information infrastructures, especially in the logistics, banking and energy sectors.

According to the Russian definition, cyberspace is an operating environment consisting of the Internet and other telecommunication networks, the technological infrastructure that guarantees their operation, and the human activity performed through them. Cyberspace is clearly defined as a limited part of the information domain. According to the Russian definition, the information space is an operating environment related to the shaping, creation, modification, transmission, use and storage of information, which affects the information infrastructure. The Russian concept of information security includes technological and psychological information security. The information-psychological threat is directed at the human mind, its moral and spiritual world, its socio-political and psychological orientation, and its ability to make decisions. According to Russian thinking, the information-technology threat, i.e. the cyber threat in Western terms, targets information technology systems, i.e. the cyber environment.

In Russia's cyber threat perception, Russia is a "besieged fort" threatened and surrounded by the United States and its Western allies. The threat is increasing and diversifying, and so are the threats presented by terrorists and extremists. The transformation of the cyber environment into a military area of operations poses a strategic threat to Russia, and large-scale cyber operations are already being carried out in peacetime. In Russia's view, Western countries are exercising their technical dominance in the cyber operating environment, and the development of Western cyber weapons and preparation for cyber war have led to a cyber arms race. Western intelligence services are thought to have infiltrated Russian information systems for the purpose of intelligence, manipulation and alteration of information, or destruction of information. Access to information is affected by denial of service attacks. Automated industrial control systems are the target of cyber-attacks, and the Internet of Things (IoT) is also increasing Russia's dependence on information networks and its vulnerability to cyber-attacks.

The invasions of the Mongols, Napoleon and Germany in the two world wars have created among Russians a sense of vulnerability and a fear of surprise attack, heightened by technological backwardness and a lack of easily defensible borders towards Europe. The Russian leadership describes Russia as a besieged fortress in a constant war, and warfare in its various forms is seen, following Clausewitz, as an extension of politics. The internal opposition, which according to the Russian narrative is directed and funded by Western intelligence services, creates a sense of internal threat. External and internal threats, as well as a political system largely based on power ministries, have increased the importance of the armed forces and security services. The fear of a surprise attack and of internal enemies, and the feeling of vulnerability caused by technological backwardness, are also reflected in Russia's cyber threat perception. The narrative of constant warfare and the belief in the use of force as a tool of policymaking can be seen both in the cyber threat perception and in Russia's means of responding to the cyber threat.

Russia has sought to protect its besieged cyber fortress by preparing to isolate the Russian segment of the Internet from the global Internet, improving the protection of critical information infrastructure, and seeking to replace imported information and communication equipment and software with Russian-made products. The internal threat will be fought through enhanced computer network monitoring, the closure of websites classified as malicious, and the identification of network users. Russia will continue to develop its cyber defence with the aim of forming a defence in depth, the outer ring of which will be the monitoring of Russian cross-border communications and the ability to isolate the Russian segment from the global Internet if necessary. The inner perimeter includes the telecommunications intelligence system SORM¹⁷ and the GosSOPKA¹⁸ system for the protection of critical information infrastructure, as well as increasingly strict control and censorship of citizen users. Russia wants to keep the level of its own cyber capabilities secret and therefore uses proxies, such as various activist groups and cybercriminals, in its offensive cyber operations. The goals and methods of these outsourced attacks are also likely to reflect the cyber capabilities of Russian state actors. Cyber operations are primarily seen as a means of hybrid influencing that always has a significant information-influence effect both domestically and in the target countries. Russia's active cyber espionage creates the conditions for cyber-influencing operations by building a so-called target library of potential target countries. All security and intelligence organisations in Russia have created their own active and passive cyber capabilities.

Ransomware costs businesses more than 75 billion USD per year.

Source: Martti J. Kari: Russian Strategic Culture in Cyberspace: Theory of Strategic Culture – a Tool to Explain Russia's Cyber Threat Perception and Response to Cyber Threats. University of Jyväskylä, Faculty of Information Technology. Dissertation, 2019. https://jyx.jyu.fi/bitstream/handle/123456789/65402/978-951-39-7837-2_vaitos_2019_10_11_jyx.pdf?sequence=4&isAllowed=y



4. THE IMPORTANCE OF THE SUBMARINE CABLE NETWORK FOR CYBER SECURITY

Recently, global attention has focused on the development of 5G technology and the new security threats it brings with it. This is important, but still 95% of international telecommunications travel through the submarine cable network, and not through satellites as is commonly believed. The global submarine cable network is the backbone and enabler of the global internet. It carries a lot of critical information that can be obtained through cyber-espionage, and this information is of interest to state actors as well as cyber criminals, terrorists and hackers. In Finnish waters, the construction of the Russian submarine cable network has been seen mainly as an environmental problem. All major powers are interested in the global submarine cable network in much the same way as in developing a 5G network. The hidden agenda is the increase of political influence and the desire to create new hybrid modes of action. China has been increasingly willing to finance the construction of new cable networks as part of its global New Silk Road Initiative. China's particular interest is the construction of cables that transit through the Arctic into Europe, and it thus apparently seeks to reduce its dependency on existing cable networks. The Northeast cable plays a key role in the division of roles among the political superpowers. For China in particular, the cable has an important part to play in its efforts to gain a permanent foothold in Europe; it is one of the key components in building a global digital silk road. The Northeast cable drops network latencies to milliseconds, enabling Chinese telecom operators, cloud service providers and e-shops to compete on a more or less equal footing in usability with American platform and service companies such as Amazon, Google, Facebook and eBay. From a European perspective, the Northeast cable presents an alternative to American service providers, but Chinese services, in turn, have their own challenges. Russia, through whose territorial waters the cable will pass, will add its own challenge: it will not hesitate to use its ability to monitor traffic and, at worst, to sabotage the cable's operation.

From Finland's point of view, the strategic submarine cable is the new Baltic submarine cable, which gives the Northeast route a direct extension to Central Europe past Sweden. It is also part of China's strategic digital silk road, although China's financial involvement in the construction of the cable is not needed this time. The Baltic Sea cable is also one of the main routes for Russian data traffic to Europe and beyond. Finland's importance as a hub for new submarine cables will grow significantly from the perspective of the great powers. China and Russia, in particular, have a strong interest in making data traffic move smoothly on the new cables. The U.S. interest is almost the opposite, as its current data traffic hegemony can only move in one direction: down. Cybersecurity threats to the submarine cable network are part of the national security of every state and of the safeguarding of a vital function of society. When looking at the cyber threat to the submarine cable network, one has to look at the whole associated ecosystem and its vulnerabilities, which are exploited by cyber attackers.


The submarine cable network should be part of every state's cyber risk analysis. Cyber espionage is certainly the most likely threat. However, the most catastrophic effects are caused by the paralysis and destruction of the cable network as part of a wider hybrid impact or military crisis. National contingency planning and continuity management are the key tools here. System backups and alternative methods of communication are needed to secure the most critical functions of our society in all circumstances. A significant challenge is the monitoring of the submarine cable network. Various intelligence and surveillance systems can be connected to the cables in the depths of the seas and used as part of the intelligence systems of state security organisations; they serve as good sensors in modern AI-based intelligence systems. We know that the control and destruction of the submarine cable network is part of the submarine and underwater strategies of the great powers. The protection of submarine cables is also a challenge to national and international law. National responsibility and scope for action are limited to each state's own territorial waters; the international water area remains a grey area. The International Law of the Sea defines the disruption and destruction of a cable network as a criminal offence, but it says nothing about cyber espionage and influence. In addition, damage investigation and attribution are difficult and always require international cooperation. The great powers, which have the resources to monitor and repair submarine cables, can of course invoke the right to self-defence under the UN Charter and take retaliatory action on that basis. Smaller countries do not have this opportunity. Countries like Finland must plan their communications intelligently, using cryptographic solutions to protect confidential information, and plan to ensure the availability of alternative telecommunications solutions. New technologies also offer many new opportunities to protect and secure our vital communications. End-to-end encryption is the simplest and most secure solution for securing the most critical communication: it protects the confidentiality of traffic that passes over cables controlled or monitored by others, while the alternative routes and backups mentioned above are what protect against the cable itself being cut.

The number of attacks via IoT devices has increased by 600%.


Cyberwatch Finland

BUILDING RELIABLE CYBER SECURITY WITH A COMPREHENSIVE APPROACH THE BACKBONE OF CYBER SECURITY IS LEADERSHIP BUILDING CYBER RESILIENCE

Analysis Reliable information and analysis to stay on top of the constantly evolving cyber challenges.

Strategies We help to create cyber security strategies that protect countries, companies, organizations and the global Digital Society.

A TRUSTED CYBER SECURITY PARTNER AND ADVISER

STRENGTHENING NATIONAL CYBER CAPABILITIES

Cyberwatch Finland provides comprehensive cyber security solutions.  Cyber security strategies and action plans  Strategic situational awareness to support management and decisionmaking  Strategic analysis of the cyber world  Modern cyber education  Innovative and unique cybersecurity technologies.

With 15 years of experience in building cyber capabilities for Finland, our team has proved its ability to address complex, national-scale security issues, solving major problems even with limited resources.

We have a holistic and global view of the cyber security ecosystem and the ability to implement tailored and integrated solutions in all markets. We operate on a network based model, that includes respected Finnish and international cyber security companies and experts. The company is owned by members of the core management team. Our experts are the authors of the first Finnish Cyber Security Strategy.

Resilience A comprehensive security approach is essential to build resilience against diverse cyber and hybrid threats.

Our concept is built on academic research of different national cyber security approaches. The Finnish comprehensive security concept and its holistic approach is proven to be the most effective for addressing complex and wide-ranging cyber threats.

As a result, we have developed a deep understanding of the cyber risks and threats facing societies and large organisations. We know how to craft well-focused cyber security solutions that can be adapted to changes in the threat landscape. Our capabilities and experience cover cyber security regulation and processes as well as preventive and detective cyber security. Our approach helps identifying both technical and process weaknesses on digital society. We can bring tried and tested support packages from all these fields to help solve our clients’ needs.


AWARENESS

PEOPLE

POLICY

LEADERSHIP KNOWLEDGE

CULTURE TECHNOLOGY

PROCESSES

DECISIONS

VALUES COLLABORATION

“WHEN THE FUNCTIONING OF A WHOLE SOCIETY IS UNDER THREAT, THE DEFENCE AND CYBER SECURITY MEASURES MUST ALSO BE DEVELOPED IN A COMPREHENSIVE MANNER.”

Aapo Cederberg, CEO and Founder

OUR SERVICES

STRATEGIES, RISK ANALYSIS AND ACTION PLANS

FACILITATION OF CYBER SECURITY LEADERSHIP

INNOVATIVE TECHNOLOGIES

TAILORED REVIEWS AND THEME REPORTS

TRAINING, SEMINARS, GAMES AND WORKSHOPS

CYBER SECURITY CAPACITY BUILDING

CYBER SECURITY RISK ASSESSMENT

STAY INFORMED, STAY SECURE

We provide cyber security strategies and facilitation for state-level operations, the private sector and international organizations, based on a holistic view of the cyber world and hybrid threats.

A cyber security assessment helps determine your organization’s capabilities to detect, prevent, contain and respond to evolving cyber threats.

Our expert reviews offer compact analyses of the most significant incidents in cyberspace, providing an extensive view of the background, cause and effect of each incident. Theme Reports provide an in-depth analysis of topical issues, a specific business sector and other topics of importance.

SOLID SUPPORT FOR YOUR STRATEGY PROCESS AND CYBER RESILIENCE

We offer strategic coaching and counseling for government and business leaders. Our tailor-made support helps your organization to establish a holistic strategy, build your awareness, and take the necessary steps to ensure cyber resilience.

INVEST IN SKILLS NOW, SAVE COSTS LATER!

Cyberwatch Finland offers tailored cyber security training programs, comprehensive supervised learning sessions and e-learning courses for your executives and employees. Our training facilitates learning and raises awareness of cyber security and hybrid threats at all levels of your organization – strengthening your ability to prevent and recover from cyber attacks.

INNOVATIVE TECHNOLOGIES

We support our customers in building resilient ICT infrastructure through services and technical solutions that meet the cybersecurity requirements of a fast-changing world. Our solutions are designed to proactively manage the cyber risks facing all business and operation critical ICT infrastructures.

CYBERWATCH FINLAND

Tietokuja 2, 00330 Helsinki FINLAND

www.cyberwatchfinland.fi

office@cyberwatchfinland.fi


Cybercrime subtracts roughly 15–20% of the value generated by internet technology

5. INFORMATION INFLUENCING IS PART OF CYBER OPERATIONS

INFORMATION INFLUENCING has become more provocative. Disinformation is also increasingly used to defame individual people. Some countries have introduced so-called ‘troll factories’ designed to spread false propaganda. A Russian troll factory in Africa was recently discovered. Russia appears to be building up a network of troll factories, making tracing more difficult and increasing efficiency. The best countermeasure against disinformation is fact-based journalism, which counters the large masses of social media information. Media giants have a huge responsibility for the content they publish to citizens and the direction in which opinions are steered. The differing rules of the Internet also make for a challenging situation, since restrictions and limitations are in principle determined by individual states. State actors and critical companies are the target of continuous information influencing, which may also be aimed at a single employee in a prominent position whose activities the influencer wishes to complicate. Identifying fake news is becoming increasingly difficult as the media is fragmented and information influencing is increasingly conducted as campaigns. Education is emphasised in recognising false information and understanding the importance of source criticism. Information influence and disinformation create distorted images and direct people’s opinions and behaviours. Information influencing is increasingly intertwined with cyber operations. For example, malware attacks associated with information operations shake up our basic infrastructure. The events seem to be the handwriting of individual actors, but there is still state influence behind them. As an effective means of information influencing, malware attacks are sophisticated and the false information that is published is of much higher quality. Its appearance and content are designed to look as real and high-quality as possible, with added images and videos to dispel doubts and reinforce authenticity. The whole false news package is thus very compact, which makes it difficult to question the truth of the information. Cyber operations and the information effects they generate are part of, for example, the basic concept of Russian hybrid operations. Denial-of-service attacks are not only aimed at disrupting the sites of the selected target but have become an alternative model for producing massive amounts of false news. The intention is to replace quantity with quality, but at the same time the amount of information and news being shared has exploded, making it increasingly difficult to extract fact-based news from the masses. Artificial intelligence has extended its helping hand both to prevent and to support information influencing. Artificial intelligence has begun to be used to detect and prevent false news and bot activity. With advanced text-comprehension and audiovisual technologies combined with sophisticated algorithms, AI is already able to make some independent decisions. To make operations more efficient, algorithms incorporate people’s prejudices, desires, expectations, and unacceptable vocabulary, which are used to screen content that should be removed from the news stream. Challenges have arisen in artificial intelligence-based information filtering. For example, as a result of the Covid-19 epidemic, social media usage has increased dramatically, which together with staff quarantines and illnesses has led social media giants to rely increasingly on artificial intelligence-based information filtering, which has been reflected in increased filtering errors.


Ransomware attacks are growing more than 350% annually

6. CYBER SABOTAGE HAS BECOME A MAJOR CYBER THREAT

International experts have recognised cyber sabotage as a new threat. It is an activity in which an attacker operates at a level below war, trying to stay beneath the threshold of war. Objectives may include creating instability in the target country, testing offensive cyber attacks, preparing hybrid operations, or preparing for war. Russia is using cyber sabotage as part of its hybrid operations. Shamoon is a modular computer virus from 2012. The virus was used in a cyber-attack on the national oil companies in Saudi Arabia and RasGas in Qatar. The attack targeted 35,000 Saudi Aramco workstations, causing the company to interrupt operations for the week it took to restore its services. A group called the “Cutting Sword of Justice” took responsibility for the attack. In December 2015, hackers struck a Ukrainian energy company and succeeded in cutting off electricity distribution. This multiple-entry cyber-attack left 225,000 Ukrainians without electricity for six hours. A similar attack took place in the Kiev region in December 2016. Russian security organisations are suspected of having been behind those attacks. Already in the spring of 2014, James R. Clapper, Senior Director of US Intelligence, pronounced that the largest global threats are cyber-attacks, particularly cyber-attacks on critical infrastructure, even though he considered the potential for a major cyber-attack in the next two years to be minimal. In the summer of 2016, MI5 director Jonathan Evans, head of Britain’s internal security service, said a major cyberattack (such as paralysis of the electricity network or a banking disruption) could at worst paralyse British society as a whole. In June 2017, the Petya/NotPetya malware infected the widely used M.E.Doc accounting software in Ukraine and quickly spread to Ukrainian and international operators who had access to the software. Banks, ministries, newspapers and power companies were targeted in Ukraine. Over 80 percent of the affected sites were in Ukraine; however, dozens of international players were also hit. This malware, following WannaCry, spread rapidly around the world and paralysed many IT systems. Petya/NotPetya was disguised as ransomware extortion, but the ransom demand was just a smokescreen. The real purpose of the attack was to paralyse the critical functions of society and bring about political instability, or at least to test the operation of an offensive attack. This multi-stage attack by a state actor was also a testament to the attacker’s ability to produce a deterrent effect. So far, the cost of the attack has been over $2.2 billion. These examples illustrate how critical infrastructure is being attacked, causing serious damage to the vital functions of society and, at worst, to human life and health. According to various estimates, cyber-attacks currently cause a GDP loss of 1-2% in Western countries. Information manipulation is one of the actions typically used in cyber sabotage. Finnish companies operating in Russia are potential targets of cyber sabotage. The goals may be political or economic, or driven by cybercrime ambitions. There is no internationally accepted definition of cyber sabotage. However, it can be defined in the light of the cases described above. Cyber sabotage is the use of cyber attacks to achieve maximum physical destruction and deterrence of people. Cyber sabotage operations are preceded by careful target intelligence and preparation to maximise physical destruction by digital attack, produce significant information effects, destabilise the target’s social structures and cause fear and insecurity in people. Most commonly the targets are the critical infrastructure and services of society.


7. BUILDING A CYBER CULTURE REQUIRES A LOT OF SMALL ACTIONS AND COLLABORATION

An organisation’s Cybersecurity Culture (CSC) refers to the information, beliefs, perceptions, attitudes, assumptions, norms and values regarding our cybersecurity and how they are reflected in our behaviour in the digital operating environment. The purpose of CSC is to make cyber security attitudes an integral part of an employee’s work, habits and behaviour by incorporating them into daily activities. As employees adopt cyber-safe habits and processes, a flexible cyber culture can evolve naturally and become part of the broader organisational culture of the company. However, as business environments are constantly changing, organisations need to actively maintain and adapt their cyber culture to respond to new technologies and threats, as well as to changing objectives, processes and structures. A successful cyber culture changes the security thinking of all employees (including the security team), improving the resilience of the company, especially when it is launched, whilst taking into account the diverse needs of employees. It helps to avoid the need for intense and time-consuming security measures that prevent employees from executing their assigned roles effectively. Most internal information leaks within organisations are the result of human error, and even though cyber security practices are common, employees may consider them guidelines rather than rules. Not even technology can protect organisations if security policies are integrated incorrectly and the tools in common use are misused. Against this backdrop, developing a cybersecurity culture will bring about a changed mindset, promote security awareness and risk perception, and maintain a tight organisational culture instead of trying to force everyone to behave safely. The need for a cybersecurity culture has been recognised within organisations by several groups of staff. It reflects the commonly accepted thinking that the way in which an organisation operates depends on the common beliefs, values and actions of its employees and that their attitude towards cyber security is embedded in it. It has also been recognised that cyber security awareness campaigns, or the communication of possible threats, do not provide sufficient protection against ever-evolving cyber-attacks. It is also acknowledged that technical cyber security solutions do not exist in a vacuum. They must be consistent with other business processes so that employees do not have to choose between doing their jobs and following the security policy. In the end, however, it is argued that people are the weakest link in the organisation. This can be changed by working together, educating, and building a work community where employees are knowledgeable cyber security advocates. Building a cyber culture requires tools and practices that are contextualised to the needs and circumstances of individual organisations. While these are generally targeted at those employed in security functions and/or teams responsible for enhancing the security of the digital work environment, cybersecurity capabilities need to be enhanced for all employees, regardless of role or seniority. This ensures a common understanding of what is required to initiate and carry out the construction of the organisation’s own cyber security culture. Building a cybersecurity culture requires clear guidelines, processes, indicators and possibly reward systems, understood by all employees, to measure agreed standards. It requires leadership and strategic decisions to build a strong business model and focus internal resources towards the future.


CYBERWATCH QUARTERLY REVIEW Q1/2020

1. Phenomena and trends of the cyber world, Q1/2020
2. The US cyber strategy and its focus areas in 2020
3. Russia’s cyber capability
4. The importance of the submarine cable network for cyber security
5. Information influencing is part of cyber operations
6. Cyber sabotage has become a major cyber threat
7. Building a cyber culture requires a lot of small actions and collaboration

1. THE OUTLOOK FOR CYBER SECURITY IN 2020

In the first quarter of the year, the globally spread coronavirus, covid-19, has changed everything we do and complicated the daily activities of every company and every person. After the pandemic that began in China spread to Europe, we have seen how different states react and try to manage the crisis. The situation has many similarities to a global cyber crisis. We do not know exactly what has happened, or why, nor do we know who is behind these phenomena. What we see most clearly are the knock-on effects, and all possible measures and resources must be focused on managing them. Reliable and up-to-date communication becomes invaluable. Wild rumours about the use of a biological weapon have already begun to circulate, and speculation about motives will surely continue for a long time. Cyber criminals have also exploited the crisis; for example, various phishing messages and fake websites have increased considerably. Attempts are made to exploit people’s distress, creating more chaos and uncertainty. The politicisation of cyber security is visible in world politics and in the growing interest of state actors in cyber and information influencing. Influencing election results has been especially prominent, while other forms of influencing and cyber espionage have received less attention. The division of the internet has been discussed for a long time. Huawei has offered to build a new, better global internet that would eliminate the weaknesses of the current internet. This initiative was made at a meeting of the ITU (International Telecommunication Union). China strives on all of the world’s digital forums to become a global actor and a key player. Cyber espionage is an essential part of all political cyber operations. A good example is Iran’s increased cyber influencing after the US drone strike, even though Iran’s missile strikes drew the greatest media attention. The trade war between the US and China has also increased cyber operations between the two countries. Several studies name ransomware, and the rapid growth in its volume, as perhaps the biggest trend in cybercrime. New and more advanced forms of ransomware emerge constantly, and in addition the ransomware-as-a-service concept is very popular on the internet’s “dark markets” (dark internet). Ransomware is increasingly targeted at government organisations as well. Ransomware can spread across an organisation’s entire internal network, at worst encrypting all network drives, cloud service files and even backups.

Phishing attacks occur every 30 seconds.

CYBERCRIME IS BECOMING PROFESSIONALISED

Cyber criminals are becoming increasingly professional and quickly learn new skills to find security holes as fast as possible and exploit them in attacks. Attacks carried out by cyber criminals are strategically well planned. Attacks are increasingly complex, executed in stages, combine several different methods and are therefore harder to defend against. It is likely that the number of advanced, precisely targeted and long-lasting attacks will increase. Cyber criminals seek entry into organisations’ systems from ever deeper in the architecture, from the core of the hardware. Attacks exploiting BIOS or other firmware vulnerabilities show that the deeper one goes in the technology, the more completely a system can be hijacked. Successful hardware attacks give the attacker access to the physical machine without triggering alerts. These attacks are hard to detect in time, because the virtual machines, the entire memory space and all disk drives continue to operate normally, even after a reboot and reinstallation. The technical aspects of artificial intelligence are taking on new nuances. As a rule, AI will adapt and become personalised according to the individual’s own needs and behaviour. Continuous repetition, algorithms and machine learning support the development of AI, as a result of which it will in future be able to make independent decisions. In the future we will increasingly see hybrid work between humans and AI, in which both parties are responsible for a specific area. The purpose of AI is to create new tools that allow us to achieve better and more efficient results in less time. Work between artificial intelligences will also



become increasingly common, alongside which the automation process will take great leaps forward. Identification services have become widespread and several different methods of verification have been developed. Fingerprint recognition, facial recognition and iris recognition are currently the best-known biometric identification methods, and development is moving towards clearly individualised identification. People are genetically distinguishable from one another on the basis of personal habits, and extra passwords will no longer be needed in the identification process in the future. Although this makes individual identification easier for people, it carries risks. A good example is facial recognition technology, which has already been harnessed for practical use to some extent. It makes individual verification easier, but the risk is the loss of personal privacy. Losing and changing a single password is common and easy, but if a person’s unique face and biometrics fall into the wrong hands, the risks of misuse are unpredictable. The same equation applies to iris recognition and fingerprint recognition. Banks and companies intend to move towards biometric identification. The authorities must monitor whether the resilience of banks and companies is sufficient to safeguard customers’ privacy and needs.

ANTICIPATION IS KEY

All organisations should continuously test their own cyber capability in their prevailing operating environment. In network testing, for example, it is not enough to run stress tests only in a controlled manner or in simulated situations. Sensors cannot collect alert data and samples only in a pre-planned way; in future this too must happen in real time, by collecting data on any behaviour that deviates even slightly from the norm. Only this makes it possible to notice threats in time and shortens the reaction time to them. Preparedness and anticipation are key. In a constantly changing environment one must act faster and adapt in advance to events that are ever harder to predict. The human is often the weakest link. Human behaviour is harder to predict, so maintaining competence and training are becoming ever more significant factors. Acting wrongly, or an accident having happened, will be part of everyday life for each of us. Reporting them, asking for guidance and reacting faster are the most important preparedness factors for all organisations. Lowering the reporting threshold strengthens an organisation’s capacity to act. Very high-quality scam mechanisms are so sophisticated that even the best expert cannot avoid falling for them. The cornerstone of cyber security is a comprehensive understanding of the components of cyber security and the acknowledgement of facts. We must be able to act and safeguard the vital functions of our society in situations where global connections are not working. We have already seen the GPS system switched off at critical moments, and submarine cables severed. In the future we will surely see disruptions of the 5G network, and even a blackout of the entire internet. Even in these situations the most critical functions of society must work, such as the governance of the state, health care and the population’s income security. In future it will not be enough to prepare for securing critical infrastructure and services. In planning we must understand what is “super-critical” for our society. Securing the super-critical functions of society must not rest on commercial connections and services; they must have strong national digital sovereignty. Technological solutions suited to this have been developed in Finland. The know-how exists, if only the decision-makers’ situational picture is clear and they have the courage to prepare for the worst. Threat scenarios have already changed and are constantly becoming more challenging. Leadership rises to the top of the agenda. The activation of the Emergency Powers Act has just been rehearsed in practice. Hopefully this has improved the understanding of preparedness and of the importance of a reliable situational picture.

2. THE US CYBER STRATEGY AND ITS FOCUS AREAS IN 2020

The political goal of the United States is to preserve its position as a global actor and the only superpower. Cyber operations are an ever more integral part of its military capability. Cyber capabilities have even been regarded as a new branch of the armed forces. On the other hand, cyber capability is part of land, sea, air and space defence. In military operations, cyber attacks are in many cases seen as an alternative form of attack whose escalation effect is smaller than that of physical attacks. At the same time, cyber attacks target all critical functions and services of the US. Therefore the ability to secure the vital functions of society has been raised to a priority. The main objective of the US cyber strategy is to secure the presidential election of November 2020 against various influence attempts by foreign powers. The data breaches of candidates’ information systems and e-mails in the previous election, and the targeted influencing via social media, are to be prevented in the coming election. The offensive cyber capability of the United States is kept at a high level and it must be usable actively, as visible cyber attacks, as part of political and military operations. At the same time, the level of cyber security of the Americans’ own systems suffers from problems, and Iran in particular is expected to direct extensive cyber operations against the United States this year. In addition, global technological development brings growing challenges to countering state intelligence and industrial espionage.

THE FOUR FOCUS AREAS OF THE CYBER STRATEGY

The current US cyber strategy was drawn up in 2018 and contains four pillars, or main themes: 1. Defending the United States by protecting networks, systems, functions and data; 2. Promoting American prosperity through digitalisation and innovation; 3. Preserving peace by developing American cyber deterrence and, when necessary, punishing hostile actors; and 4. Advancing American influence through an open and secure Internet [1].


Cybercrime will cost the world economy 6 trillion USD a year by 2021

The first pillar of the strategy faces a real test this year because of the presidential election. Russian influence attempts have already been detected and their increase as the election approaches is likely. Elections are the cornerstone of democracy, so securing them is vital in every Western country. The US Cybersecurity and Infrastructure Security Agency (CISA) regards the US presidential election in November 2020 as the biggest cyber security challenge of 2020. The ambiguities of the previous election are to be avoided by all means, and at the beginning of the year CISA published a special programme named Protect 2020 aimed at securing the election [2]. In addition to CISA, the programme involves other state security and intelligence organisations, private cyber companies, social media companies, and universities and research institutes. The practical measures of the programme can be divided into four areas [3]. The first area is the election infrastructure, i.e. the election information systems and the communications between them, voter databases, polling places and their IT equipment and software. National and local authorities and IT service providers are supported in implementing the technical security of the election infrastructure. Second, CISA assists candidates in securing their information systems by assessing the risks and vulnerabilities of the systems and guiding their remediation. In addition to the United States, in several other countries data breaches of parties’ information systems have been carried out on the eve of elections and information damaging to a candidate has been published, and such influencing is to be prevented. The third area is the citizens of the United States, who are to be protected from improper information influencing. Information campaigns guiding citizens to recognise information influencing are directed at them and they are warned of detected disinformation campaigns.

The fourth area is a threat intelligence and communications centre maintained by the authorities and the private sector, which seeks to identify attempted data breaches and information influencing in advance and to warn all parties to the election of detected threats. Good preparation, close cooperation between the authorities and the private sector, and the experience gained from the data breaches and influence attempts of previous elections create a good basis for ensuring the cyber security of the election. It must be considered likely that the US is able to prevent major data breaches and reduce the negative effects of outside information influencing in the presidential election.

THE CYBER STRATEGY IS BEING REFINED

The cyber strategy has been further refined sector by sector, for example in the Department of Defense (DoD), which has drawn up its own cyber strategy at the same time. Naturally, the objectives in the DoD strategy relate more directly than the national strategy to developing military cyber attack and defence capabilities [4]. In line with the national cyber strategy and its third pillar, the United States has actively used cyber deterrence against other states. The operations that have become public have been successful. The United States succeeded at least partly in repelling Russian influence attempts in connection with the 2018 congressional elections. The United States used cyber deterrence before the elections by directly warning Russian troll factories against meddling in the elections, and on election day itself succeeded in taking down the troll factories’ servers [5]. The offensive cyber capability and globally leading position of the United States will remain during the current year at least at the same level as up to now. Last year relations between the United States and Iran grew tense in various conflicts, in connection with which the United States carried out several cyber attacks against Iran. For example, in June 2019 the United States paralysed Iran’s missile systems with a cyber attack [6], and in September, after Iran attacked Saudi Arabian oil fields with drones, the United States temporarily paralysed Iran’s communication systems and propaganda channels [7]. The tightening of relations between the countries and Iran’s rapid technical development in offensive cyber operations has made Iran a central concern for the United States in 2020. At the beginning of January, after the United States eliminated General Suleimani of the Iranian armed forces, a US government server was intruded on and Iranian propaganda messaging was planted on its web pages [8]. Several parties estimate that strong counter-reactions can be expected from Iran during the first half of 2020 [9]. However, by the end of February Iran had not carried out broader attacks, or at least had not broadly succeeded in them [10]. Alongside Iran, China, Russia and North Korea retain their positions as the most significant cyber warfare adversaries of the United States, but Iran’s weight is expected to grow during the current year. The United States has successfully carried out spectacular offensive cyber operations against other countries. It appears that cyber defence is not keeping pace with offensive capability. A significant concern for the United States is the weak level of cyber security of its own systems and, through this, its susceptibility to cyber intelligence and influencing [11]. The tactics of the adversaries have been different from those of the United States. Instead of large and spectacular operations, several smaller and more targeted operations have been carried out that have not crossed the US threshold for counter-operations [12].

THE PRIVATE SECTOR AS A CONCERN

Instead of the armed forces and government administration, the greatest concern is directed at the level of cyber security in the private sector. So-called “third-party risk”, i.e. attacking the primary target through poorly protected partner networks, is one of the most significant weaknesses to have emerged in recent years [13]. Another significant factor is the strong increase in the use of civilian technology and services in the US armed forces. Civilian technology such as satellites is not at the same level from the perspective of cyber protection as systems intended purely for military use, and this enables hostile cyber operations against the United States [14]. In addition to the armed forces, critical infrastructure, and especially the energy and finance sectors, are estimated to be at the greatest risk because of their weak level of cyber security [15]. Global technological development forms a growing threat to US cyber security, especially from the perspective of intelligence and industrial espionage. The recent US counterintelligence strategy 2020-22 names cyber intelligence and hybrid influencing by foreign states as one of the five focus areas of counterintelligence [16]. Constantly evolving technologies and methods of cyber espionage make covert information gathering targeting the United States, and hybrid influencing of its society, easy, fast and cheap. In particular IoT, 5G, quantum computing-based data processing and artificial intelligence are technologies whose use as tools of cyber intelligence is growing. The operational capability of cyber counterintelligence is being improved in three areas. To develop cyber counterintelligence, a new intelligence unit is being established, in which the best technical expertise of the United States in cyber threat intelligence is concentrated. New tools and software are being developed to enhance cyber threat intelligence and improve the situational picture. In addition, cooperation and information exchange between the various security authorities and the private security sector is being strengthened. The US cyber strategy in all its areas faces significant challenges during the current year. Active development measures this year aim at one goal: guaranteeing the security and independence of the presidential election. The security and reliability of the election, and the narrative of an external threat to the election, will play a major role in itself. The election is the single most significant yardstick of how the United States succeeds in cyber security in 2020.

3. RUSSIA'S CYBER CAPABILITY

In June 2019 the United States admitted that since 2012 it has conducted network reconnaissance in Russian power grids and prepared cyberattacks by installing malware in Russia's information infrastructure. According to President Putin's press secretary Dmitry Peskov, vital parts of the Russian economy are under constant cyberattack and Russia is engaged in a continuous struggle to prevent the damage caused by these attacks. Foreign intelligence services attempt to penetrate Russia's information infrastructure, particularly in the logistics, banking and energy sectors.

By the Russian definition, cyberspace is an operating environment made up of the Internet and other telecommunications networks, their operation, and the technological infrastructure that guarantees the human activity carried out through them. Cyberspace is a clearly defined and bounded part of the information space. By the Russian definition, the information space is an operating environment that relates to the formation, creation, modification, transmission, use and storage of information and that affects information infrastructure and information. The Russian concept of information security comprises information-technical and information-psychological security. An information-psychological threat is directed at the human mind: a person's moral and spiritual world, socio-political and psychological orientation, and ability to make decisions. In Russian thinking, an information-technical threat, in Western terms a cyber threat, is directed at information-technical systems, i.e. the cyber environment.

In Russia's cyber-threat picture, Russia is a "besieged fortress" threatened and surrounded by the United States and the Western countries it leads. The threat is growing and diversifying, and terrorists and extremist movements also pose a threat. The transformation of the cyber environment into a military operating domain constitutes a strategic threat to Russia, and even large-scale cyber operations are already carried out in peacetime. In Russia's view, Western countries exploit their technical supremacy in the cyber environment, and the West's development of cyber weapons and preparation for cyber war has led to a cyber arms race. Western intelligence services are considered to penetrate Russian information systems with the aim of intelligence collection, the manipulation and alteration of information, or the destruction of information. The availability of information is affected by denial-of-service attacks. Industrial automated control systems are a target of cyberattacks, and the Internet of Things (IoT) increases Russia's dependence on networks and its vulnerability to cyberattacks as well.

The invasions by the Mongols, by Napoleon and by Germany in the two world wars have created in Russians a sense of vulnerability and a fear of surprise attack, heightened by technological backwardness and the lack of easily defensible borders towards Europe. The Russian leadership portrays Russia as a besieged fortress in a state of continuous war, and warfare in its various forms is seen, following von Clausewitz, as a continuation of politics. The internal opposition, which according to the Russian narrative is directed and funded by Western intelligence services, creates a sense of internal threat. The external and internal threats, together with a political system that relies largely on the "power ministries", have increased the importance of the armed forces and security services. The fear of surprise attack and of internal enemies, and the sense of vulnerability caused for instance by technological backwardness, are also visible in the cyber-threat picture. The narrative of continuous warfare and the belief in the use of force as an instrument of politics are visible both in the cyber-threat picture and in the means Russia uses to respond to the cyber threat it perceives.

Russia has sought to protect its besieged cyber fortress by preparing to isolate the Russian segment of the Internet from the global Internet, by improving the protection of critical information infrastructure, and by seeking to replace imported information and communication equipment and software with Russian-made equipment and software. The internal enemy is fought with intensified network surveillance, the closure of websites classified as harmful, and the identification of network users. Russia will continue to develop its cyber defence with the aim of forming a defence in depth, whose outer ring is the monitoring of telecommunications crossing Russia's borders and the ability, when necessary, to isolate the Russian segment from the global Internet. The inner rings include the SORM17 communications intelligence system, the GosSOPKA18 system intended for protecting critical information infrastructure, and ever tighter user surveillance and censorship. Russia wants to keep its own cyber capability secret and therefore uses proxies, such as various activist groups and cyber criminals, in its offensive cyber operations. The goals and methods of these outsourced attacks are likely to reflect the cyber capability of Russian state actors as well. Cyber capabilities are seen primarily as instruments of hybrid influence, with which significant information effects are always achieved both at home and in the target countries. Russia's active cyber espionage creates the preconditions for cyber influence operations by collecting so-called target lists from potential target countries. All of Russia's security and intelligence organisations have created their own active and passive cyber-operation capabilities.

Source: Martti J. Kari: Russian Strategic Culture in Cyberspace: Theory of Strategic Culture – a tool to Explain Russia's Cyber Threat Perception and Response to Cyber Threats. University of Jyväskylä, Faculty of Information Technology. Doctoral dissertation, 2019. https://jyx.jyu.fi/bitstream/handle/123456789/65402/978-951-39-78372_vaitos_2019_10_11_jyx.pdf?sequence=4&isAllowed=y

Ransomware costs companies over 75 billion USD a year.

4. THE SIGNIFICANCE OF THE SUBMARINE CABLE NETWORK FOR CYBER SECURITY

Recently, global attention has focused on the development of 5G technology and the new security threats it brings. The matter is important, yet 95 percent of international telecommunications travels through the submarine cable network, not via satellites as is often mistakenly imagined. The global submarine cable network is in reality the backbone and enabler of the global Internet. A great deal of critical information can be obtained from it by means of cyber espionage. State actors, cyber criminals, terrorists and hackers are all interested in this information. In the waters near Finland, Russia's construction of a submarine cable network has been seen mainly as an environmental problem. In reality, all the great powers are as interested in the global submarine cable network as they are in the development of the 5G network. Behind this lies the goal of increasing political influence and the desire to create new means of hybrid influence.

China has increasingly been willing to finance the construction of new cable networks as part of its global Silk Road initiative. It has a particular interest in building cables to Europe through the Arctic region, apparently seeking to reduce its dependence on existing cable networks. The Northeast Passage cable plays a key role in the reshuffling of the cards of great-power politics. For China in particular, the cable is important in its effort to gain a permanent foothold in Europe; it is one of the key components in building the global digital Silk Road. The Northeast Passage cable cuts network latencies to milliseconds, so that with it Chinese telecom operators, cloud service providers and online retailers can compete at least on equal terms in usability with American platform and service companies such as Amazon, Google, Facebook and eBay. From Europe's perspective, the Northeast Passage cable offers an alternative to American service providers, but Chinese services in turn have challenges of their own. Russia adds a further element, as the cable will run through its territorial waters. It will not hesitate to use its opportunity to monitor the traffic and, at worst, to sabotage the cable's operation.

For Finland, the strategic submarine cable is the new Baltic Sea cable, which offers the Northeast Passage cable a direct continuation onward to Central Europe, bypassing Sweden. It too is part of the digital Silk Road in Chinese plans, even though Chinese financial participation was not needed this time in building the cable. The Baltic Sea cable is also one of the main thoroughfares for Russian data traffic to Europe and onward from there. Finland's importance as a hub for new submarine cables will grow significantly from the great powers' perspective. China and Russia in particular have a strong interest in getting data traffic to flow smoothly in the new cables. The US interest is almost the opposite, because from its current hegemony in data traffic there is only one way to go: down.

TOP 6 SECTORS targeted by cyberattacks: 1. Web 2. Healthcare 3. Accommodation/hotels 4. Public sector 5. Retail 6. Banks & finance (Source: Hackernoon)

The cyber-security threats to the submarine cable network are part of every state's national security and of securing the vital functions of society. When examining the cyber threat to the submarine cable network, one must look at the whole ecosystem connected with it and the vulnerabilities within it that cyber attackers exploit. The submarine cable network should be part of every state's cyber risk analysis. Cyber espionage is certainly the most probable threat. The most dramatic in its effects, however, is the paralysis and destruction of the cable network as part of wider hybrid influence or a military crisis. The national preparedness system and continuity management planning are key tools here. Backup systems and alternative means of communication are needed so that the most critical functions of our society can be secured in all circumstances.

Surveillance of the submarine cable network poses a significant challenge. Various intelligence and surveillance systems can be connected in the depths of the seas and used as part of the intelligence systems of state security organisations. They serve as good sensors in modern AI-based intelligence systems. We know that surveillance and destruction of the submarine cable network is part of the great powers' submarine and underwater operations strategies. Protecting submarine cables is also a challenge for national and international law. National responsibility and scope for action are limited to each state's own territorial waters. International waters remain a grey area. The international law of the sea defines cutting and destroying the cable network as a criminal act, but says nothing about cyber espionage or influence operations. Moreover, investigating damage and attributing it is difficult and always requires international cooperation. Great powers with the resources to operate in surveilling and repairing submarine cables can of course invoke the right of self-defence under the UN Charter and take countermeasures on that basis. Smaller countries do not have this option. Countries like Finland must plan their telecommunications intelligently, using cryptographic solutions to protect confidential information, and ensure through planning that alternative telecommunication solutions are available. New technologies also offer many new opportunities for protecting and securing our vital communications. End-to-end encryption is the easiest and most reliable solution for securing the most critical communications.

5. INFORMATION INFLUENCE IS PART OF CYBER OPERATIONS

INFORMATION INFLUENCE has become more provocative than before. Disinformation is increasingly also used to smear individual people. Some states have adopted so-called troll factories, whose purpose is to spread false propaganda. A Russian troll factory in Africa was recently exposed. Russia appears to be building a network of troll factories; this makes tracing harder and makes the activity more effective.

The best countermeasure against disinformation is fact-based journalism, which struggles against the huge masses of information on social media. The media giants have an enormous responsibility for the content they publish for their citizens to see, and for the direction in which opinions are steered. The Internet's differing sets of rules also make the situation challenging. Restrictions and limitations are fundamentally for states to define. State actors and critical companies are under constant information influence, and an individual employee in a significant position whose work someone wants to hamper may also be chosen as a target. Identifying false news becomes ever harder as the media fragments and information-influence campaigning increases. The importance of education is highlighted in recognising fake news and in understanding the importance of source criticism. Information influence and disinformation create distorted images and steer people's opinions and behaviour patterns.

TOP 6 SECTORS targeted by cyberattacks: 1. Businesses 2. Healthcare 3. Banks & finance 4. Government/Military 5. Education 6. Energy (Source: RedTeam)

Information influence is increasingly intertwined with cyber operations. For example, malware attacks combined with info operations shake our basic infrastructure. The events appear to be the work of individual actors, but state influence nevertheless lies behind them. Malware attacks as an instrument of information influence have developed, and the false information that is published is of much higher quality. Its appearance and content are edited to look as genuine and polished as possible, and images and videos are added to dispel suspicion and enhance credibility. As a whole, the false news package is thus very compact, which makes it difficult to question the truthfulness of the news. Cyber operations and the information effects they yield are part of, for example, the basic concept of Russia's hybrid operations. Denial-of-service attacks no longer aim solely at shutting down the chosen target's websites; an alternative model has emerged of producing large masses of false news. The intention is to substitute quantity for quality, but at the same time the amount of information and news being shared has grown explosively, and it is therefore ever harder to pick out fact-based news from the great mass.

Artificial intelligence has lent a helping hand to preventing information influence and to supporting that effort. AI has begun to be used to identify and prevent false news and bot activity. Advanced text-comprehension technology and audiovisual analysis are linked to a trained algorithm, resulting in an AI that already makes independent decisions to some degree. To make the work more effective, people's prejudices, wishes, expectations and unacceptable vocabulary are fed into the algorithms, and on that basis the news stream is screened for content that should be removed. AI-based information filtering has run into challenges. For example, social media use has increased sharply because of the Covid-19 epidemic; this, together with staff quarantines and illnesses, has led the social media giants to rely increasingly on AI-based information filtering, which has shown up as an increase in filtering errors.

6. CYBER SABOTAGE HAS EMERGED AS A SIGNIFICANT CYBER THREAT

Among international experts, cyber sabotage has been adopted as a new form of threat. It is activity in which the attacker operates at a level below war, seeking to stay beneath the threshold of war. The objectives may be causing instability in the target country, testing offensive cyberattack capabilities, preparing hybrid operations, or preparing for war. Russia uses the means of cyber sabotage as part of its hybrid operations.

Shamoon is a modular computer virus from 2012. The virus was used in a network attack against the national oil company of Saudi Arabia and Qatar's RasGas. The attack hit 35,000 Saudi Aramco workstations, causing a week-long interruption to the company's operations, the time needed to restore services. A group calling itself "Cutting Sword of Justice" claimed responsibility for the attack. In December 2015 hackers struck a Ukrainian energy company and succeeded in cutting off electricity distribution. This cyberattack, carried out in several different ways, left 225,000 Ukrainians without electricity for six hours. A similar attack was carried out in the Kiev area in December 2016. Russian security organisations are suspected of being behind the attack. The top US intelligence official, JAMES R. CLAPPER, already in spring 2014 ranked cyberattacks on critical infrastructure and cyber espionage as the greatest of the global threats, although he considered the likelihood of a major network attack low within the following two years. In summer 2016 JONATHAN EVANS, head of MI5, which is responsible for England's internal security, stated that a large-scale cyberattack (for example paralysing the electricity grid or interrupting banking traffic) could at worst paralyse the whole of British society.

In June 2017 the Petya/NotPetya malware infected the M.E.Doc accounting software, widely used in Ukraine, through which it spread rapidly to Ukrainian and international actors connected to that accounting program. In Ukraine, banks, ministries, newspapers and electricity companies, among others, were targeted. Over 80 percent of the targets were in Ukraine, but dozens of international actors were also hit. This malware, which followed WannaCry, spread rapidly around the world and paralysed numerous IT systems. Petya/NotPetya was disguised as ransomware, but the ransom demand was only a smokescreen. The real purpose of the attack was to paralyse critical functions of society and bring about political instability, or at least to test the functioning of the attack operation. This multi-stage attack carried out by a state actor was also a demonstration of the attacker's capability: it produced a deterrent effect. The costs caused by the attack have so far exceeded 2.2 billion dollars. These examples show how critical infrastructure is attacked, causing serious damage to the vital functions of society and, in the worst case, to human life and health. According to several estimates, cyberattacks currently cause losses of 1-2% of GDP in Western countries.

Manipulation of information is one action typically used in cyber sabotage. Finnish companies operating in Russia are potential targets of cyber sabotage. The objectives may be political and economic goals as well as cyber-criminal ambitions. Cyber sabotage has no internationally accepted definition. It can, however, be defined in the light of the cases described above. Cyber sabotage is the use of cyberattacks in such a way that they achieve maximum physical destruction and a human deterrent effect. Cyber-sabotage operations are preceded by careful reconnaissance and targeting so that the digital attack achieves the maximum physical destructive effect, causes significant information effects, destabilises the target's societal structures and creates fear and uncertainty in people. The targets are most often society's critical infrastructure and services.

Cybercrime takes 15–20 % of the business value created by the internet every year.



7. BUILDING A CYBER CULTURE REQUIRES MANY SMALL ACTS AND COOPERATION

An organisation's cyber-security culture (Cybersecurity Culture, CSC) means the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values concerning our cyber security, and how they manifest in our behaviour in our digital operating environment. The purpose of CSC is to make cyber-security considerations an integral part of an employee's work, habits and behaviour by embedding them in daily activities. Employees' adoption of cyber-secure habits and processes allows a resilient cyber culture to develop naturally and become part of the company's wider organisational culture. Business environments, however, change constantly, so organisations must actively maintain and adapt their cyber culture to respond to new technologies and threats as well as to changing goals, processes and structures. A successful cyber culture changes the security thinking of the entire staff (including the security team) and improves the company's resilience, particularly when it is launched with employees' differing needs in mind, avoiding forcing them into heavy and time-consuming security measures that prevent staff from performing key business functions effectively.

Most internal data leaks in organisations result from human action, and although cyber-security policies are common, employees may regard them as guidelines rather than rules. Nor can technology protect organisations if it is integrated incorrectly and shared tools are misused. Against this background, developing a cyber-security culture brings about a change in mindset, promotes security awareness and risk perception, and sustains a cohesive organisational culture instead of trying to force secure behaviour. The need for a cyber-security culture has been noticed within organisations by several different staff groups. It reflects the commonly accepted thinking that an organisation's way of operating depends on the shared convictions, values and actions of its employees, and that their attitude to cyber security is part of this. It has also been recognised that cyber-security awareness campaigns or communication about threat scenarios alone do not provide sufficient protection against constantly evolving cyberattacks. It is also recognised that technical cyber-security solutions do not exist in a vacuum. They must operate in harmony with other business processes so that employees are not forced to choose between doing their job and following security policies.

In the end, however, it comes down to the claim that people are an organisation's weakest link. This claim can be changed by working together, by training, and by building a work community in which employees are competent and knowledgeable defenders of cyber security. Building a cyber culture requires tools and practices designed contextually for the needs and circumstances of individual organisations. Although these are usually aimed at those working in security teams and/or at teams tasked with increasing the security of the digital working environment, the cyber-security capability of all employees must be raised, and to ensure a shared understanding, regardless of role or age structure, everyone must gain a sufficient grasp of what is required to start and deliver the building of the organisation's own cyber-security culture. Building a cyber-security culture requires clear guidelines understandable to all employees, processes, metrics and possibly reward systems by which the agreed measures are measured. It requires leadership and strategic decisions to build a strong business approach and to allocate internal resources for the future.

SOURCES

1. https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf
2. https://www.cisa.gov/protect2020
3. https://www.cisa.gov/sites/default/files/publications/ESI%20Strategic%20Plan_FINAL%202.7.20%20508.pdf
4. https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF
5. https://www.govtech.com/security/US-Military-Steps-Up-Cyberwarfare-Effort.html
6. https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html
7. https://www.reuters.com/article/us-usa-iran-military-cyber-exclusive/exclusive-u-s-carried-out-secret-cyber-strike-on-iran-in-wake-ofsaudi-oil-attack-officials-idUSKBN1WV0EK
8. https://www.bbc.com/news/technology-51008811
9. https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/01/13/the-cybersecurity-202-get-ready-for-seriouscyberattacks-from-iran-experts-say/5e1b7ef288e0fa2262dcbc70/
10. https://www.scmagazine.com/home/security-news/cyberattack/iran-maintaining-on-going-cyber-efforts-no-response-yet-to-soleimanikilling/
11. https://www.govtech.com/security/America-Is-Not-Ready-for-War-in-Cyberspace-Experts-Warn.html
12. Ibid.
13. https://www.afcea.org/content/stavridis-warns-russia-and-china-cyber-attacks
14. https://www.militarytimes.com/opinion/commentary/2019/09/04/the-us-is-unprepared-for-space-cyberwarfare/
15. https://www.governing.com/security/Underdefended-Americas-Vulnerable-Energy-Infrastructure.html
16. https://www.dni.gov/files/NCSC/documents/features/20200205-National_CI_Strategy_2020_2022.pdf
17. System of Operational-Investigative Measures (Russian: Система оперативно-разыскных мероприятий, lit. 'System for Operative Investigative Activities') is the technical specification for lawful interception interfaces of telecommunications and telephone networks operating in Russia.
18. State system for the detection, prevention and elimination of the consequences of computer attacks. GosSOPKA is the acronym for the ГосСОПКА system – National system for detection, prevention and elimination of consequences of cyber attacks.


SNAPSHOTS OF ENERGY INDUSTRY

Text: PASI ERONEN, international security analyst and consultant

NATIONAL POWER GRIDS AND ENERGY SECTOR TARGETS ARE UNDER THREAT DURING THE ONGOING GEOPOLITICAL TENSIONS

The New York Times (NYT) reported back in June 2019 that the United States had installed malware on the Russian power grid as a warning and to demonstrate US capabilities and motivation to use more aggressive cyberattacks. Russia, in turn, said that it had detected and repelled cyberattacks originating from the United States.1,2 These operations and statements by superpowers reflect global politics. By publicizing the US penetration of the Russian electricity grid, the US tries to establish a cyber-deterrent in a fashion vaguely similar to nuclear-age mutual assured destruction: any attack on American targets, such as elections, may lead to a counterattack against the Russian electric grid. Such an attack could also be used in an asymmetric way, for example as a response to a kinetic attack against the US or its allies. Moreover, making such information public also sends the message that Russia is not safe, even if it tries to establish an ability to detach itself from the worldwide internet at will. Lastly, being more open about cyber capabilities can be traced back to the recent changes in American cyber posture, with the US becoming more proactive in the domain.3

It is also good to keep in mind that similar activities against the US power grid have been reported by the US intelligence community for years, most recently in January 2019 in the Office of the Director of National Intelligence's (ODNI) Worldwide Threat Assessment of the US Intelligence Community.4 The threat is not an illusory one, as was clearly demonstrated by actors linked to the Russian state, namely Sandworm, in Ukraine back in 2015 and again in 2016.5 Heightening the risk in 2020, cyberattacks against critical infrastructure and energy sector targets, such as those using wiper malware, have also been demonstrated by Iran. The recent elimination of Maj. Gen. Qassem Soleimani might embolden Iranians to act more aggressively in the cyber domain against Americans and their allies, for instance by launching disruptive and destructive attacks, with the potential for unanticipated second- and third-order effects.6 These current developments were also reflected in the latest insights released by the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), where the Iranian threat profile was covered together with risk mitigation measures.7,8



RANSOMWARE ATTACKS CONTINUE TO THREATEN THE ENERGY SECTOR TOO

Ransomware attacks continued worldwide, also having an impact on critical infrastructure such as electricity distribution. In Johannesburg, South Africa, a ransomware program that hit the City Power company's systems in July 2019 caused power distribution problems and regional power outages. The problems caused by the ransomware attack included the paralysis of the systems used by consumer clients for purchasing electricity, and of the systems used in solving regional electricity distribution problems. The company estimated back in July that up to a quarter of a million people in the Johannesburg area may have been impacted by the information system problems linked to the attacks.9,10

IN ADDITION TO EXTERNAL AND INTERNAL THREATS, NUCLEAR POWER PLANTS ALSO SUFFER FROM A BAD SECURITY CULTURE

In September 2019, India's Russian-made nuclear power plant (Kudankulam Nuclear Power Plant, KNPP) was infected with malware. The malware attack was confirmed by the Indian power company Nuclear Power Corporation of India Ltd (NPCIL). The Russian state nuclear company Rosatom, which has also been selected to deliver a nuclear power plant for the Finnish power company Fennovoima, owns Atomstroyexport, the builder of the attacked Indian power plant, KNPP. According to the company, the malicious program only infected its administrative network and did not reach its critical internal network, the one used to control the power plant's nuclear reactors. NPCIL said the two networks were isolated, in other words air-gapped.11,12 According to some sources, the malware used in the target-tailored attack was DTRACK, which has been linked to the North Korean Lazarus hacker group. The Dtrack malware has usually been spotted in politically motivated cyber-espionage operations and in attacks targeting financial institutions, including those in India. Reports suggest that large amounts of data were transferred from the administrative networks of the nuclear power plant, which could serve numerous purposes, including gathering intelligence on the power plant's design, intellectual property theft, or supporting the planning of further attacks. Political intent behind the attack cannot be ruled out, as the attack could have been carried out in the service of India's regional competitor, Pakistan. Malware attacks on nuclear power plants are always critical. Since KNPP is a new power plant, the significance of the malware attack is all the greater. An additional worrisome aspect of the attack was the severely outdated belief of the Indian authorities, implicit in their press releases, in the protective nature of network isolation by air-gapping, which has been proven an ineffective and insufficient approach against targeted attacks conducted by nation-state-linked actors.

In a separate incident involving a nuclear power plant, in July 2019 employees of a Ukrainian nuclear power plant, the South Ukraine Nuclear Power Plant, connected part of the plant's internal network to the public network in order to mine cryptocurrencies.13 Connecting an internal network to a public network may have endangered the plant's security, even though the critical industrial network was apparently not affected. Nevertheless, the Ukrainian security service, SBU, investigated the event for a possible leak of information. The case shows how an individual employee, the so-called "insider risk", can pose a high risk to the critical infrastructure of the state.


Wide Co-operation in Protecting the Electric Grid from Cyber Threats May Have Positive Spillover Effects for All Parties Involved

The United States and the Baltic States agreed to co-operate in order to protect the Baltic energy grid from network attacks during the upcoming decoupling and desynchronisation of the Baltic grid from Russia’s electricity network. [14] Estonia, Latvia and Lithuania have been members of NATO and the European Union since 2004 but, for historical reasons, are still synchronised with the Russian electricity network. The countries plan to integrate into the European energy network by 2025. Lithuania confirmed that it is specifically looking for US technology companies to renew its energy systems and to help fend off possible cyber attacks.

The Baltic countries are working together to seek strategic and technical support to strengthen both their energy networks and their cyber security. It is also about political decision-making, the strengthening of NATO cooperation, and the US foothold in the Baltic Sea region. It is in the interest of the US to strengthen its role in the critical infrastructure of Europe, and particularly of the Baltic States. The collaboration can also be viewed in the context of maintaining US forward presence in the Baltics, helping the US to obtain more information on and a better understanding of Russia. [15]

Collaboration is also important for the EU. The integration of the Baltic electricity network into the EU-wide energy grid will unify the EU electricity grid by removing the Baltic energy island. Furthermore, the co-operation and the US presence in the region will in part secure Baltic Sea submarine cables and provide additional security for other parts of the critical infrastructure, such as communications, in the region. US cooperation with the Baltic countries is also likely to strengthen the cyber security of the wider European energy networks.

LESSONS LEARNED

1. The current geopolitical tensions are increasingly visible in the cyber domain as well. Global superpowers, and smaller powers trying to punch above their weight, are actively trying to secure their dominance and foothold in the cyber domain. Maintaining persistent access to foreign critical infrastructure is seen as one way of influencing an adversary’s risk calculations and deterring it from making drastic moves. At the same time, defending one’s own infrastructure from adversaries plays an increasingly important role and demands wide co-operation between countries, and also between governments and the private sector.

2. The second- and third-order effects of attacks, ransomware attacks included, may be surprising. Malfunctioning payment and procurement systems may, for example, cause regional blackouts even if core systems such as production and distribution controls remain intact and functional. Similarly, attacks against financial systems or logistics controls may have systemic ripple effects across the globe, as the NotPetya case also showed.

3. Critical infrastructure protection continues to be plagued by old-fashioned security thinking, bad security culture and poor cyber hygiene. Unfortunately, this also includes high-value critical installations such as nuclear power plants. Adversarial access to non-critical parts of an installation may also enable access to the critical parts, either through sophisticated means of attack or through simple mistakes or shortcuts taken in network design and operation.

REFERENCES

1. https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html
2. https://www.nytimes.com/2019/06/17/world/europe/russia-us-cyberwar-grid.html
3. https://www.cpomagazine.com/cyber-security/us-cyber-command-signals-more-aggressive-approach-involving-persistent-engagement-ahead-of-2020-election/
4. https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR--SSCI.pdf
5. https://www.wired.com/story/russian-hackers-attack-ukraine/
6. https://www.fifthdomain.com/civilian/dhs/2020/01/03/theyre-going-to-want-bloodshed-5-ways-iran-could-retaliate-in-cyberspace/
7. https://www.fifthdomain.com/civilian/dhs/2020/01/07/dhs-cyber-agency-releases-advisory-on-iranian-threats/
8. https://www.cisa.gov/sites/default/files/publications/CISA-Insights-Increased-Geopolitical-Tensions-and-Threats-S508C.pdf
9. https://www.bbc.com/news/technology-49125853
10. https://www.zdnet.com/article/ransomware-incident-leaves-some-johannesburg-residents-without-electricity/
11. https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/
12. https://www.economist.com/asia/2019/11/01/a-cyber-attack-on-an-indian-nuclear-plant-raises-worrying-questions
13. https://www.zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/
14. https://www.cyberscoop.com/us-baltic-states-grid-cybersecurity-agreement/
15. https://www.fifthdomain.com/dod/2019/11/11/two-years-in-how-has-a-new-strategy-changed-cyber-operations/



CYBERSECURITY MANAGEMENT DRAWS ON AN UP-TO-DATE CYBERSECURITY POLICY

text: PERTTI KUOKKANEN, Senior Advisor

Today, AI-based applications increasingly support people in everyday life, including in the cyber environment. Dealing with the privacy, digital ethics and security challenges generated by AI, the Internet of Things (IoT) and other evolving technologies will become critical to maintaining trust and avoiding legal entanglements. Organisations should establish governance principles, policies, best practices and technology architectures to increase transparency and trust regarding data and the use of AI.

The vulnerabilities of modern societies are the main targets of cyber activities. Strategic-level analysis, reports and discussion on how cyber events affect us and how to respond to them are needed. How should this be solved and communicated? Anticipatory management responds to change, to the weakening predictability of cyber events and to the shortened planning horizons of the current operational environment. Thinking is focused on the creation of potential alternative solutions and purposeful selection between them. This also provides material for communication.

KEEP CYBERSECURITY IN AN ORGANISATION’S FOCUS

Cybersecurity is a central part of organisational security. With the aid of a cybersecurity policy, management specifies the objectives, responsibilities and operating guidelines of cybersecurity. The formulation of cybersecurity is directed by the purpose and strategy of an organisation’s activities, risk analysis, and laws and regulations. Every state aims to create a trusted and protected cyber environment for the whole of society. Cyber security is about maintaining the confidentiality, integrity and availability of information, hardware, networks, software and users throughout their lifecycles. It consists of collaboration between administrators and users and takes into account the impact of the cyber environment on the physical world.

A top-down approach should be followed when implementing cybersecurity. In such an approach, the roles and responsibilities regarding information security are prearranged and enforced by an IT authority level that carries more authority than the level below it. A sufficient level of cybersecurity is a necessary prerequisite for the continuity and credibility of operations. The significance of cybersecurity has been continually increasing in the management of organisations, in ensuring their operating ability, and in maintaining disturbance-free and efficient operations. Cybersecurity can be viewed at different levels of management: strategic management is people- and policy-focused (management), tactical management is security-process- and standards-focused (development), and operational management is technology- and procedure-focused (maintenance and monitoring).

USE A STRUCTURAL APPROACH TO MANAGEMENT

Today it is necessary that broad technology decisions and policies regarding the enterprise-wide management of information systems security are made at the top managerial level. Cybersecurity management must be arranged so that the set objectives are in the right proportion to an organisation’s overall security and so that they support the various security objectives in its strategies. Security is often part of the management functions of senior management, with cybersecurity as one of its sub-areas, but other organisational approaches are also possible. An organisation should be structured in such a way that security is closely related to auditing, with the security function reporting directly to management. Implementation and monitoring (evaluation and auditing) should be operationally separated.

Cybersecurity management draws on an up-to-date cybersecurity policy. In an organisation, cybersecurity takes shape in the form of, for example, regular risk assessment and management measures, and determining the information security level of new systems and attending to it throughout the entire life cycle of the system. The enterprise architecture is the basis for the execution of the cyber management process and allows the traceability of dependencies and the propagation of security-relevant information. Cybersecurity needs consistent and interoperable operating instructions more than other functions do. Instructions can be divided into general instructions, organisation-specific instructions, and special instructions covering some restricted area. Organisation-specific instructions outline dedicated cybersecurity practices so that they suit the organisation’s own operating practices and processes. Cybersecurity operating procedures are included as part of the organisation’s normal operating processes, which are properly documented and covered by clear instructions.

REPORT AND ANALYSE FEEDBACK

Cybersecurity monitoring includes reporting on the security situation and level as well as on anomalies and incidents. Monitoring and reporting of the organisation’s cybersecurity are part of performance management and are discussed in performance target negotiations on an annual basis. Cybersecurity must be monitored continuously and actively. Monitoring is planned so that human resources are directed to the most significant areas in terms of security, such as the most important processes, information systems, data warehouses, and compliance with information security instructions.

The reporting of cybersecurity incidents should follow a bottom-up approach. This implies that all authority levels provide information regarding security incidents directly to their appointed manager, in other words to the authority level one step up. For example, if a user detects a virus on his or her computer, he or she must immediately inform the Information Security Management level, which will handle the incident accordingly. The Information Security Management level, in turn, reports all security incidents to the next authority level. This approach ensures that all information security situations and incidents are reported to the top level, which has the authority to change information security policies or procedures if necessary.

COMMIT TO A FRAMEWORK OF CYBERSECURITY OPERATIONS MANAGEMENT

It is widely accepted that cybersecurity management guidelines play an important role in managing and certifying security in organisations. However, they are generic or universal in scope and thus do not pay enough attention to the differences between organisations and their security requirements. The guidelines have been validated by appeal to common practice and authority, and this process is likely to be fallible. Organisational performance relies on effective processes and usable data, which in turn rest on a supporting IT infrastructure that must be reliable and well utilised. An essential element of effectiveness is the organisation’s cybersecurity and its successful management. Cybersecurity management is therefore part of all management activity. In addition to management, attending to cybersecurity is part of the responsibilities of everyone employed by an organisation. Only the commitment of management to the development of cybersecurity will enable the achievement of the targets set for an organisation’s activities. The results follow features of governance models and security component models, combining these approaches into the general operations management of an organisation.

COMMUNICATE PROACTIVELY

By anticipating the changes occurring in the cyber environment, an organisation aspires to adjust to them in advance. In unstable conditions, the behaviour of various factors of both the environment and the organisation is unpredictable. As an organisation prepares to develop, it must recognise its own internal changes as well as the environment’s dynamic and discontinuous changes. The ability to quickly combine available information, use it to form the correct situation picture and gain the understanding necessary to make a decision are basic requirements for success in one’s own operations. The correct timing of decision-making in the management process makes it possible to gain significant operational advantages in relation to the environment. That timing is always gauged in relation to events in the surrounding environment and estimates of how they will develop.

Proactive communication of decisions has an important role in a situation of change. As an organisation changes, a proactive decision provides a basis for the change and makes it easier to see the reasons behind it. The decision-maker must ensure that everyone is informed about a decision and is ready to implement it. The implementing party needs feedback from the decision-maker to learn whether the implementation supports the decision. In communication, dialogue is used to ensure that objectives are met.

From the decision-maker’s point of view, the cyber environment’s communication can be either dissipative or integrative, or possibly both. The decision-maker is not necessarily in active interaction with the environment. In these cases, some of the information coming in from the environment is interpreted by the decision-maker and may thus be unconfirmed. The information is unclear or may lack contributory factors and their values, meaning that options and decisions are prepared in a state of uncertainty. There is a clear role for a double function in anticipatory decision-making: integrative communication is emphasised in a decision’s implementation, whereas dissipative communication refers to the environment’s communication to the organisation and enables the creation of disorder, or it could be the product of a failed implementation. In a dynamic cyber situation, particular attention must be paid to the content of the communication’s integrative message. The environment’s uncertainty and the dissipative interpretations that support it must be taken into consideration in the message’s content.


CYBER SECURITY IN HELSINKI CITY: FROM AUTHORITY TO ENABLER

SMART CITIES

text: HEIDI HEINONEN and RENSKE MARTIJNSE-HARTIKKA, Forum Virium Helsinki, Smart Mobility Team

As an innovation company for the City of Helsinki, Forum Virium aims to build Helsinki into the most functional smart city in the world. This is done in collaboration with companies, the scientific community and residents. We want to future-proof the city, and we do this by providing a testbed for innovative solutions, in particular innovations that help reach the goal of carbon neutrality by 2035. Many of our approximately 40 projects relate to data, IoT, behaviour change and, notably, smart mobility.

AUTONOMOUS TRANSPORT AS A CHANGEMAKER IN A SMART CITY

As a smart city, we are constantly on the lookout for mobility solutions to keep the city liveable and accessible. Part of Helsinki’s official strategy is to focus on demand-driven transport and to promote new mobility technologies. Autonomous transportation projects are an important part of the work of Forum Virium’s Smart Mobility team. Within this field, the focus is on drones and on self-driving shuttle buses, due to the contribution they are expected to make to a more efficient supply system and to more attractive public transport respectively. Here too, of course, the City of Helsinki’s CO2 neutrality goals are a key driver of our work.

CYBER SECURITY IN OUR PROJECTS: AUTONOMOUS SHUTTLE BUSES

Forum Virium has been involved in shared autonomous transport projects since 2015, running tests together with companies in increasingly challenging environments. Cyber security is at the heart of such systems: autonomous shuttles employ a combination of high-tech sensors and innovative algorithms to detect and respond to their surroundings, including radar, LIDAR, GPS and computer vision. For cities and transport authorities it is vital that they are as safe as possible, as they are used for public transport. In the large ongoing FABULOS project, consortia from Finland, Estonia and Norway pilot their turnkey prototype solutions in five European cities in 2020. The companies carry the responsibility of providing a safe and secure system. In this Pre-Commercial Procurement, the so-called international Buyers Group (consisting of four cities, a ministry and a public transport operator) has set certain functional requirements. The remote operations and the control room management of the robot bus fleets have to be rigorously tested and validated against cyber attacks. The system is to be subjected to a hacking attack by an external organisation with proper credentials, in order to verify that the system has sufficient protection in both its physical and virtual interfaces. In addition, we encourage the consortia to set up a bug bounty system and to subject the system to a hackathon-type event. Remote operation and fleet management systems must pass external validation for cyber safety according to the guidelines of national cyber security authorities.

CYBER SECURITY IN OUR PROJECTS: DRONES

Forum Virium Helsinki has already been a partner in, or closely linked to, drone-related projects such as New Solutions in City Logistics and Aviapolis Liikennelabra during the last couple of years. Nevertheless, the first exclusively drone-focused project, Carbon neutral drone solutions in Southern Finland, started last September at Forum Virium Helsinki, and one month later it was presented at the first drone congress in Finland, organised by Cyberwatch Finland. The project is funded by the European Regional Development Fund and will go on until the end of 2021. Its main objective is to pilot and promote carbon-neutral and emissions-free drone services for the purposes of logistics, remote security and environmental control, and to develop them into new forms of business to replace combustion-engine forms of mobility and transport.

Just as with self-driving shuttle buses, the key elements of such services are built firmly around security aspects. Especially the autonomous and BVLOS (beyond visual line of sight) flights conducted in reserved airspace need to be secured against any kind of cyber risk, so that the drone is under control during the whole flight and can be brought down by the control centre at any moment without causing any damage to people or surroundings. Nevertheless, the most serious risk would be a case where a hacker gets into the drone’s navigation system and takes control of it. Firstly, it could cause serious damage if crashed deliberately into a crowd or a building, and secondly, the payload it carries could fall into the wrong hands. Depending on the payload, which could also be data, the consequences could be more or less serious. Other cyber security issues within the civil drone industry are, for example, geofencing and U-space. Geofencing is supposed to prevent drones from flying in forbidden no-drone zones, but it seems not to be 100% reliable. The so-called U-space airspace that is currently under development consists of a set of digital services and is therefore also closely related to security issues. Once in use, U-space will make it possible for autonomous drones to fly in the same low-altitude airspace together with other aircraft, as it will enable the sharing of flight management information between different users. In order to be reliable, it needs to meet the highest cyber security requirements.

KNOWLEDGE-BUILDING FOR SAFE AND SMART CITIES

For cities, as public authorities, it is always “safety first” for innovations, especially ones that involve AI, algorithms and sensors. The companies we work with need to prove that their operations in our city, among our residents, are secure. Setting these standards is a difficult task, not least because of the lack of knowledge among many city stakeholders on topics such as cyber security in (autonomous) mobility. Therefore, close cooperation with companies and research institutes is crucial. Information exchange, increasing our expertise and building an ecosystem of knowledgeable partners in the field of cyber security in autonomous mobility is what we strive to do. Testing and piloting are the best way of doing this and are therefore at the heart of the work of Forum Virium Helsinki.


WHEN INTELLIGENCE COMES INTO PLAY, CYBER SECURITY IS IN DANGER OF BEING FORGOTTEN

text: JUKKA VIITASAARI, Partner, Cyberwatch Finland

Even though the current viral epidemic has stopped the movement of the world, people, goods, information and capital will continue to have a need and a tendency to move. In the face of motion-induced blindness, we can easily be amazed by new, great innovations, but we forget to make them safe for use. However, it would be worthwhile.

Smart mobility is one of the most profitable input-output targets for cybercriminals. However, it is not a stand-alone factor, but is closely linked to larger systems, such as the smart city or the whole digital lifestyle. In its simplest form, cybercrime does not have to be more complicated than rudimentary email phishing to cause huge financial losses. In June 2019, an employee of the Riviera Beach police station in Florida opened an email attachment. The attachment unleashed a ransomware program that locked up the public transport ticketing system, the city payroll system, all municipal email servers, and even the emergency telephone system. The city council decided to pay the $600,000 Bitcoin ransom demanded by the hacker for the decryption key, in order to regain control of all the data in the systems and, of course, of the systems themselves.

INTELLIGENCE INVOLVED IN ALL MOVEMENT

The size of the mobility market is globally estimated at approximately 6,500 billion euro, or 6.5 trillion euro, and in Finland alone at around 30 billion euro. Mobility is undergoing a major breakthrough, with the most prominent manifestations in everyday life being Mobility as a Service (MaaS), lift sharing, the redistribution of the taxi market, autonomous vehicles, telematics, and the digitalisation of traffic control systems. However, smart mobility is present not only on land but also on waterways and airways. Freight and passenger ships sailing the world’s seas are full of data-driven solutions, and all air traffic and their port and airfield operations increasingly incorporate automated and autonomous functions. The whole paradigm of movement will change in the form of autonomous vehicles, new transport solutions, electrification of mobility, new services and the exit from the fossil economy.

Mobility is an integral part of present-day life and is particularly deeply connected to the services and activities of an urban smart city. These include seamless transport chains for people, services and data, data-driven mobility services and traffic control systems, fuel-efficient solutions, and optimised logistics solutions for ports, airports and railways. The latest forms of smart mobility are autonomous land, sea and air drones.

Intelligent solutions are based on data accumulated from different sensors in databases and utilised by software applications over data networks. On top of this, service processes that communicate with each other will be automated to the greatest extent possible. As a result of this development, vehicles are becoming digital platforms that make full use of pre-automated service processes. The current state of the art is considered to be the Connected Automated Vehicle (CAV). At the forefront of service development there are new service models that package existing services into easy-to-use bundles, such as Mobility as a Service (MaaS). CAV vehicles connect to the Internet via peer-to-peer or direct Internet access, sense their environment in real time through various sensors, cameras and radars, and communicate with each other and with the infrastructure of their environment.

EVERYTHING IS CONNECTED TO THE INTERNET

Researchers have developed a concept, the Internet of Vehicles (IoV), in which automated systems communicate with each other at four levels of telecommunication:

- V2S: Vehicle to Sensor
- V2V: Vehicle to Vehicle
- V2R: Vehicle to Roadside
- V2I: Vehicle to Internet

V2S networks are short-range connections in which in-vehicle sensors communicate with the Electronic Control Unit (ECU) and, for example, adjust the brakes. V2R covers the communication between the vehicle and the surrounding infrastructure, such as traffic lights and the speed of other traffic. In V2I the vehicle is directly connected to the Internet via a cellular base station, providing the driver with information, for example, on the traffic ahead, other services (restaurants, gas stations, etc.) and the vehicle’s location. In V2V, vehicles communicate with each other, for example about their speed and relative position.

Smart mobility plays a key role, good and bad, in information networks, not only on the Internet but especially in mobile and satellite networks. 5G technology will underpin a significant number of services that are not yet visible, and many of them will be based on satellite positioning information. In addition, terrestrial robots will be progressively controlled by satellites. Google and Facebook, among others, are developing a new global Internet network based on low-orbit satellites, upper-atmosphere balloons and solar-powered airplanes. Currently, almost all intelligent telecommunication devices are global, mass-produced products that require a telecommunications connection to work. Smooth communications require global wired and wireless standards and interfaces that are considered in the product design. Cyber criminals also know this. In particular, LTE and 5G connections are planned to be used for communication between automobiles. Car manufacturers are agreeing on common protocols that will be taken into account in the development of 5G networks, as well as in the rapid growth of IoT-enabled wireless sensors and audio-visual utility and entertainment content.

According to statistics compiled by the American company Upstream Security, the number of cyber attacks on smart mobility is growing rapidly. For example, the following cases have been reported in recent months, and the list is endless:

- Several false accounts were found in a Russian car-sharing service
- A serious encryption algorithm programming error was found in a remote control used by major automakers
- An open source app made by amateurs was able to paralyse the car manufacturer’s official app and take over the car
- Hackers managed to hijack a car and change the readings on the dashboard
- Hackers accelerated a hijacked car to high speed without the driver being able to do anything
- A malicious program injected into a gas station meter captured users’ credit card information
- A person who rented a car noticed weeks later that he could still monitor and control the movement of his rental car
- A hacker tricked Google Maps navigation and built a virtual traffic jam
- Hackers paralysed a German auto parts manufacturer with a denial of service attack
- A hacker radar app was able to track the movement of a Tesla
- A device installed on a car’s CAN bus lowered the odometer readings
- Hackers offered a CAN bus break-in program for dozens of car brands online
- Hackers broke into a car’s camera system and modified the captured image
- Hackers interfered with the satellite signal of autonomous cars and steered them into a ditch
- Malware paralysed police cars’ laptops and dropped them off the net
- Hacked Lime scooters began to make sexual suggestions to their users
- A Chicago car-sharing app collapsed and a hundred cars disappeared in one day.

Where money, people and innovation are in motion, there are also spies and criminals. It goes without saying that this also applies to smart mobility solutions. Mobility machinery generates massive amounts of new data that is needed to improve mobility performance, user experience and security. Therefore, manufacturers monitor vehicle and driver behaviour, equipment utilisation, maintenance and upkeep, routing, and so on. The data collected by the systems is the most valuable asset of intelligent telecommunication solutions. The collected data is stored on multiple servers in different locations, maintained by multiple subcontractors in the private and public sectors, and used as raw material for machine learning in training new algorithms. This requires a large degree of consensus and a tangled web of agreements between the different actors. Data is collected mainly through wireless networks, which makes it easy to intercept and seize. If an interception succeeds, the system can easily be paralysed. Particularly vulnerable are the smallest network-connected sensors, which have hardly any security-enhancing components. MaaS systems are also vulnerable because the services they provide are based on open sensor data provided by service providers, and on the cyber security capabilities of the weakest link in the service chain.

AUTOMOBILES ARE VULNERABLE

In practice, there are three break-in routes into cars:

- Bluetooth, Wi-Fi and OBD2 channels near the car
- The public internet, which hackers can use to break into a service provider’s cloud service and into multiple cars at once
- Through a service app to the cloud and then to the cars.

Like other platform services, the data collected and owned by car manufacturers is in their own, unlimited use. In addition, the data generated by the use of the car can be linked to the registrar’s information about the owner or renter of the car. If the information falls into the hands of criminals, the damage could multiply.


The digital footprint of a person’s work and leisure is rapidly dispersed across databases and is exposed to identity theft, among other things. Information about renting a car, bike, or scooter is stored in the cloud, as well as ticket and other e-commerce purchases, a person’s mobile phone location and other location information. All of this allows for smooth services and user experience, but also exposes users to high cyber risks. Numerous small data leaks accumulate information into mega-databases, which combined, offer extensive information on user-specific profiles. CYBER ​​ SECURITY MUST BE MANAGED

Security awareness is only now making its way into digital services and solutions. We have started talking about the concept of “security by design”, where security is taken into account right from the product's development stage: in software development by following best practices in programming, utilising authentication and certification solutions, and conducting regular stress tests on products and services. However, this practice is still in its early stages. Smart mobility, like many other parts of the data-driven society, is an ecosystem of many actors, including product design, production, maintenance and services. To be as watertight as possible, the entire ecosystem should share the same high-quality and meticulous cyber security culture. A holistic approach from component manufacturing to mobility services is required. After all this, the question remains: how is all this orchestrated so that people's mode of operation shifts permanently and a careful cyber security culture becomes ingrained in the organisation? Without an up-to-date cyber security strategy based on correct situational awareness, it will be impossible to achieve a good result. The operation of the whole depends on technology, people and processes moving in the same direction. The key question is how to enable secure digital services and a secure digital society, as that is, overall, what we are all trying to achieve.




EYE FROM THE SKY: DRONES AND URBAN SECURITY

text: Dr. ANTTI PERTTULA, Principal Lecturer, Systems Engineering, Head of Aircraft Engineering Studies, Tampere University of Applied Sciences; Dr. MARKUS AHO, Principal Lecturer, Industrial Technology, Intelligent Machines, Tampere University of Applied Sciences

In many smart city visions, drones have several crucial duties, including logistics and security monitoring. Unfortunately, many technology applications exploiting drones also have their questionable side. Drones can be used for good and for bad purposes. How can drones benefit our urban life? Can they also decrease security, and how do we cope with this? We address these important questions in this article.

HISTORY OF DRONES

Flying drones have a long history. Probably the earliest one, the Kettering Bug, was developed by the US Army during the First World War in 1918. It can be described as an aerial torpedo, a forerunner of present-day cruise missiles. It could reach targets up to 120 km away and flew at 80 kilometres per hour (Cornelisse, 2002, U.S. Air Force publication). Before aeroplanes, balloons were used to carry out military actions remotely: in 1849, the Austrians attacked Venice with pilotless balloons loaded with bombs.

Since then, the drone business has expanded hugely. Currently, annual sales of flying drones have reached two billion euros, and the amount is expected to double in five years. In addition, it has been predicted that the drone services market will reach 20 billion in 2022 (MarketWatch 2019). In the military sector, these numbers are many times larger. One of the most expensive drones is the Northrop Grumman X-47B, with an estimated price tag of USD 405 million (Military Machine, 2020). Drones are an integral part of modern warfare, and most military operations currently utilise drones. The sizes of drones vary a lot, the largest being bigger than an Airbus A320 passenger airplane and the smallest only a few millimetres long.

Venice balloon bombs (Prof. Jurij Drushnin, Monash University) and Kettering Bug (the National Museum of the USAF)

Smallest drone ever (Hd Wallpaper Regimage, 2019) and Northrop Grumman X-47B (Military Machine, 2020)

DRONES IN SMART CITY

There are many possible applications for drones in urban areas. In particular, drones offer an excellent platform for city logistics and for many kinds of sensors. The rising trend is to use low-carbon solutions for mail and parcel delivery in the centres of smart cities. Drone logistics provides one solution and, if done autonomously, it can also save labour costs and increase security. Large logistics-related companies, such as DHL, Google, Amazon and UPS, have already presented their strategies for drone logistics. In 2019, UPS was the first company to receive from the US aviation authority (FAA) permission for autonomous commercial cargo transportation in beyond visual line of sight (BVLOS) conditions. At Tampere University of Applied Sciences, we have obtained permission from the Finnish civil aviation authority (CAA), Traficom, to carry out BVLOS flights in the Tampere area for research purposes. The City of Tampere in Finland aims for innovative and sustainable smart city solutions and, among other things, has provided a specific test site for new drone-related experiments. Drones can be used for several sensing purposes, such as monitoring air quality and traffic congestion, and collecting data on the activities of individuals or groups of people. Drones can quickly transport many kinds of sensors to areas where immediate measurements are needed. The data can then be transmitted online, e.g. to fire, search and rescue, and police organisations. With a drone, one can also inspect the condition of infrastructure and mechanical failures in tall structures, such as antenna masts, bridges and chimneys, and measure heat losses and check assembly quality in buildings.

SAFETY CONCERNS IN URBAN AREAS

In urban areas, buildings and other infrastructure are close together, and drones operate in people's normal living environment. People are physically present there and use many kinds of communication and data transfer systems, which are becoming more and more wireless. At the same time, drone operations are based on wireless data transfer. The signal transmission channel needs enough capacity to serve peak-load situations with many simultaneous channel users as well. The coming 5G network may help here. However, there is always the possibility of interfering with or even blocking the communication system simply by increasing RF noise; for this purpose, illegal jammers can be bought online cheaply. Drones are equipped with several sensors and cameras, which can cause privacy concerns. Commercial drones are built using normal consumer-grade components, which are not as reliable as the components in conventional aircraft. Similarly, there are no back-up systems for critical functions, such as energy sources, motors and propellers. One significant safety risk is the drone pilot. The pilot may not have enough understanding of the physical or technical constraints of drones, or experience of severe weather conditions.

DRONES AS THREATS

Drones have several sensors, antennas and cameras, which make them very useful spying devices. They can fly over physical barriers and can reach high buildings and antenna masts. Drones can capture data from Wi-Fi hotspots, disrupt networks, and carry explosives and guns. There are also cases where drones have been used to carry illegal goods and to smuggle goods between countries. If a drone hit an airplane, it could destroy parts of the fuselage or wings, or blades in the jet engines, and eventually the whole aircraft. Small drones are difficult to detect because they have low acoustic and thermal signatures and low-power RF transmitters. To radar they look like birds, and air traffic control radars filter out birds.

DECREASING DRONE RISKS

In terms of digital trust, appropriate IT security practice is important, including checking for unauthorised access points and making sure that software updates come from a trusted partner. Control data transferred between the drone and the transmitter should be encrypted. Almost all drones carry cameras. They can look through windows unless the blinds are closed, which blocks the drone's view. Make “what-if” scenarios when needed: what could a drone see through the window, for example the managing director's laptop display? The drone pilot should understand when he or she has full control of the drone. How can an attacker be prevented from hijacking the controls? If something strange happens, for example if the positioning or control signal is jammed, the drone should land autonomously. The data transmission channel should have enough bandwidth, low latency and enough speed; the new 5G system may help with these issues. Drones should be designed only by highly qualified persons who understand the reliability and stability of components and mechanical structures; know which critical functions need to be duplicated; and can manage external and internal mechanical, electrical and RF interference, including EMC. In urban areas, drones should fly only along pre-defined flight paths that are not located directly above people.

ISIS jihadis planning drone bomb attacks on England fans at Russia World Cup (The Sun, 1 Apr 2018)

ATTACKS ON DRONES
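The section above says control data between the drone and the transmitter should be encrypted and asks how to stop an attacker hijacking the controls. The following is an added example, not code from the article or from any drone vendor: it shows the authentication and anti-replay half of that answer for a command link, in Python, using only the standard library. The shared key, the frame layout (8-byte counter, command, 16-byte tag) and the command strings are assumptions; confidentiality is left out here and would be added with an AEAD cipher using the same counter as its nonce.

```python
# Added example, not code from the article or its authors: a control link
# where every command frame carries a monotonic counter and an HMAC-SHA256 tag
# keyed with a secret shared at pairing time. The drone rejects frames whose
# tag does not verify (forged or modified) and frames whose counter does not
# advance (replayed), so a captured frame cannot be used to take over the
# aircraft. The key, frame layout and command strings are assumptions.
# Confidentiality is out of scope here; in a real link the same counter would
# serve as the nonce of an AEAD cipher such as ChaCha20-Poly1305.
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional

TAG_LEN = 16          # HMAC-SHA256 truncated to 128 bits: ample for a radio link
COUNTER_FMT = ">Q"    # 64-bit big-endian counter, never wraps in practice
HDR_LEN = struct.calcsize(COUNTER_FMT)


class GroundStation:
    """Transmitter side: numbers and authenticates every command."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def frame(self, command: bytes) -> bytes:
        self.counter += 1
        header = struct.pack(COUNTER_FMT, self.counter)
        tag = hmac.new(self.key, header + command, hashlib.sha256).digest()[:TAG_LEN]
        return header + command + tag


class Drone:
    """Receiver side: verifies the tag first, then enforces counter freshness."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.rejected: List[str] = []   # audit trail of why frames were dropped

    def accept(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < HDR_LEN + TAG_LEN:
            self.rejected.append("short")
            return None
        header, body, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: a timing oracle would let an attacker forge tags.
        if not hmac.compare_digest(tag, expected):
            self.rejected.append("bad_tag")
            return None
        (counter,) = struct.unpack(COUNTER_FMT, header)
        # Strictly increasing: tolerates lost frames, refuses replayed ones.
        if counter <= self.last_counter:
            self.rejected.append("replay")
            return None
        self.last_counter = counter
        return body


def demo():
    """Constructed exchange: two good frames, then a replay, a tamper and a forgery."""
    key = secrets.token_bytes(32)            # provisioned to both ends when pairing
    station, uav = GroundStation(key), Drone(key)

    f1 = station.frame(b"HOVER")
    f2 = station.frame(b"GOTO 61.4901 23.7601 ALT 50")
    accepted = [uav.accept(f1), uav.accept(f2)]

    replayed = uav.accept(f1)                # attacker re-sends a captured frame

    modified = bytearray(f2)
    modified[HDR_LEN] ^= 0x01                # flip one bit of the command text
    tampered = uav.accept(bytes(modified))

    # attacker without the key guesses a counter and sends an all-zero tag
    forged = uav.accept(struct.pack(COUNTER_FMT, 99) + b"LAND" + bytes(TAG_LEN))

    return accepted, replayed, tampered, forged, uav.rejected


if __name__ == "__main__":
    ok, rep, tam, forg, why = demo()
    print("accepted:", ok)
    print("replay/tamper/forgery:", rep, tam, forg)
    print("rejections:", why)
```

A replayed frame is rejected even though its tag is valid, because its counter no longer advances; a frame with a modified command or one built without the key fails the tag check before the counter is even read. Losing frames on a noisy link is tolerated, since the counter only has to increase, not to be consecutive.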

There are several possible levels of attack. The whole drone can be taken over and diverted from its planned mission. It is possible to interfere with the flight control computer's internal processes or with the data transfer channel between the drone and the controlling station. In addition, it is possible to alter the navigation data by interfering with the navigation antennas and, as mentioned earlier, all RF signals can be blocked completely by jammers. Artificial intelligence (AI) can also be used to attack drones. AI-type malware can let the drone operate normally until a precise target is located. The target can be identified by facial recognition or other means from kilometres away. After identifying the target, the AI takes over control and commands the drone to complete the forced task. Sometimes the malware is almost impossible to find among the drone's normal software. Marc Ph. Stoecklin from IBM says: “DeepLocker can leverage several attributes to identify its target, including visual, audio, geolocation and system-level features. As it is virtually impossible to exhaustively enumerate all possible trigger conditions for the AI model, this method would make it extremely challenging for malware analysts to reverse engineer the neural network and recover the mission-critical secrets, including the attack payload and the specifics of the target.”

ANTIDRONE MEASURES

The off-the-shelf drones of the largest manufacturers, DJI and Parrot, have geofencing software, which prevents the drone from flying over airports or other restricted areas. However, geofencing in Parrot's drones can be turned off. In addition, one can build a drone without any geofencing hardware or software and block the drone's GPS signals. Hacking software is also available. In some cases, net-launching guns, birds of prey (“Eagles trained to take down drones”, BBC News 8.3.2016) and lasers have been used to take drones down. However, in urban areas and at airports it is difficult to use lasers, jammers or a sniper to shoot a drone down. Jamming the signals is possible, but illegal in most of the West. Fortunately, other techniques also exist to take over and capture or land drones (refer, e.g., to Sensofusion).

CONCLUSION

Drones are entering our everyday lives, also in cities. They are very good and flexible for certain applications and save money and the environment. However, we also need to understand the risks they may pose because of unreliable components, unprofessional pilots, weather conditions, or simply if someone, or an AI, takes over control and misuses them. Fortunately, there are many actions that decrease the risks, the hardest one being to force drones to land immediately. On the one hand, accelerated digitalisation has increased drone-related research, technological development and many new practical applications for smart cities. On the other hand, further research and policymaking are needed fast to find and deploy drone technologies and practices safely.
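The risk-reduction section above requires a drone to land autonomously when its positioning or control signal is jammed, and the anti-drone section describes geofencing that keeps off-the-shelf drones out of airports. The following added example, which is not code from the article, from its authors or from any manufacturer's flight controller, puts those checks into one Python flight-safety monitor: a control-link heartbeat timeout, a GNSS plausibility test for jamming and spoofing symptoms, and a ray-casting geofence test. Its thresholds, the airport polygon and the telemetry samples are constructed assumptions.

```python
# Added example, not code from the article or its authors: a minimal
# flight-safety monitor that decides whether a small drone should keep
# flying, return home or land now. It implements three checks the article
# asks for: a control-link heartbeat timeout, a GNSS plausibility test that
# catches typical jamming or spoofing symptoms, and a geofence around a
# restricted polygon such as an airport. All thresholds, coordinates and
# the sample telemetry are constructed assumptions, not real data.
from dataclasses import dataclass
from math import cos, hypot, radians
from typing import Dict, List, Tuple

LINK_TIMEOUT_S = 2.0       # no valid control packet for this long -> link lost
MIN_SATELLITES = 6         # below this, the fix is not trustworthy
MIN_CN0_DBHZ = 30.0        # mean carrier-to-noise; collapses under jamming
MAX_SPEED_M_PER_S = 60.0   # implausible ground speed for a small multirotor

Point = Tuple[float, float]   # (lat, lon) in degrees
EARTH_RADIUS_M = 6_371_000


@dataclass
class Fix:
    t: float      # receiver time, seconds
    lat: float
    lon: float
    sats: int     # satellites used in the solution
    cn0: float    # mean C/N0 in dB-Hz


def distance_m(a: Point, b: Point) -> float:
    """Equirectangular approximation; accurate enough over a few kilometres."""
    lat1, lon1 = a
    lat2, lon2 = b
    dy = radians(lat2 - lat1) * EARTH_RADIUS_M
    dx = radians(lon2 - lon1) * EARTH_RADIUS_M * cos(radians((lat1 + lat2) / 2))
    return hypot(dx, dy)


def inside_polygon(pt: Point, poly: List[Point]) -> bool:
    """Ray-casting point-in-polygon test on (lat, lon) pairs."""
    x, y = pt
    inside = False
    n = len(poly)
    for i in range(n):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % n]
        if (y1 > y) != (y2 > y):          # edge straddles the ray's latitude
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def gnss_plausible(prev: Fix, cur: Fix) -> bool:
    """Reject fixes that look jammed (few sats, low C/N0) or spoofed (teleport)."""
    if cur.sats < MIN_SATELLITES or cur.cn0 < MIN_CN0_DBHZ:
        return False
    dt = cur.t - prev.t
    if dt <= 0:
        return False
    speed = distance_m((prev.lat, prev.lon), (cur.lat, cur.lon)) / dt
    return speed <= MAX_SPEED_M_PER_S


def decide(now: float, last_cmd_t: float, prev: Fix, cur: Fix,
           fences: List[List[Point]]) -> str:
    """Return 'LAND', 'RETURN_HOME' or 'CONTINUE'."""
    link_lost = (now - last_cmd_t) > LINK_TIMEOUT_S
    if not gnss_plausible(prev, cur):
        # Without a trustworthy position, return-to-home would fly blind:
        # descend and land where we are, as the article recommends.
        return "LAND"
    if link_lost:
        return "RETURN_HOME"
    if any(inside_polygon((cur.lat, cur.lon), fence) for fence in fences):
        return "RETURN_HOME"   # entered a restricted zone: leave it
    return "CONTINUE"


def run_scenarios() -> Dict[str, str]:
    """Constructed telemetry: one nominal update and four failure modes."""
    airport = [(61.40, 23.58), (61.40, 23.62), (61.43, 23.62), (61.43, 23.58)]
    prev = Fix(t=100.0, lat=61.4900, lon=23.7600, sats=11, cn0=42.0)
    nominal = Fix(t=101.0, lat=61.4901, lon=23.7601, sats=11, cn0=41.5)
    jammed = Fix(t=101.0, lat=61.4901, lon=23.7601, sats=3, cn0=18.0)
    spoofed = Fix(t=101.0, lat=61.4950, lon=23.7700, sats=11, cn0=41.0)  # ~770 m in 1 s
    near_apt = Fix(t=100.0, lat=61.4149, lon=23.5999, sats=11, cn0=41.0)
    in_fence = Fix(t=101.0, lat=61.4150, lon=23.6000, sats=11, cn0=41.0)
    return {
        "nominal": decide(101.0, 100.5, prev, nominal, [airport]),
        "link_lost": decide(101.0, 98.0, prev, nominal, [airport]),
        "jammed": decide(101.0, 100.5, prev, jammed, [airport]),
        "spoofed": decide(101.0, 100.5, prev, spoofed, [airport]),
        "in_fence": decide(101.0, 100.5, near_apt, in_fence, [airport]),
    }


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name:10s} -> {action}")
```

Note the ordering of the checks: an implausible GNSS fix forces an immediate landing rather than a return to home, because return-to-home would navigate on a position that cannot be trusted; a lost link with good navigation returns home, and a fix inside a restricted polygon is treated the same way.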



FUTURIST’S PICK OF THE MONTH

COVID-19 – THE WORLD AFTER

How will the world after Coronavirus look? Different, but still the same.

text: MAX STUCKI, Senior Foresight Analyst at Futures Platform

COVID-19 has shaken the lives of everyone, but the crisis will be overcome. However, economic, political and social changes are unavoidable. For this reason, it is important to anticipate the world after Coronavirus in order to ease the recovery.

ECONOMIC AND GEOPOLITICAL CONSEQUENCES

Economically speaking, Corona will have expedited and deepened the expected economic downturn in many countries. Politically, the outbreak showed that countries first and foremost look after their own security and well-being, thereby decreasing trust in the various multinational organisations and pacts. Socially, however, COVID-19 will have shown us that, as societies, we can still absorb shocks. This is an important lesson that needs to be relearned by every generation. The world after is a place where China will most likely have proved that it can shoulder the weight of global leadership, at least by setting an example. Trust in the ability of the USA to act, on the other hand, will have been further eroded. The global pandemic may have shown the way to curb climate change; people can live without unnecessary travelling, even of the holiday kind. At the same time, in the world after Coronavirus, nations should have learned that they cannot worry about only one thing at a time. Several complex issues need to be dealt with simultaneously, and a rapidly emerging crisis should not change the larger picture of priorities, like climate change.

RECOVERY – REPATRIATE AND LOCALISE

Also, once normal times have returned, there will be increased discussion about repatriating vital supply chains, e.g. those of the medical industry. Local production and all related technologies will have gained speed. The post-Corona world will have learned a lot more about the value of factual reporting. At the same time, however, governments are more aware of the need to manage the public's perceptions. Harder measures to curb fake news and foreign information operations will become standard procedure both in normal and in crisis times. In time, a new normal will have been reached. Even though a strong memory of the crisis will persist, the world will have changed less than one might think. There will be more pressure on governments to prepare for future emergencies, and demands for better leadership. Even though there will be economic hardship, business conditions will eventually improve. This is not thanks to increased goodwill, altruism or rebuilt international relations. Rather, as always in history, the very human desire for gain will force the path of history back onto its old tracks.

THE NEED TO KEEP ANTICIPATING THE UNLIKELY

The COVID-19 outbreak will also have, once again, proved the need for preparing for various scenarios. Plans anticipating pandemics, or other changes, are not drawn up in vain, even though at the moment of their making that may be the prevailing feeling. The world is a dynamic place; it necessitates foresight and future preparedness. What are your next steps in preparing the world after COVID-19?

Access the “The World After COVID-19” foresight radar for free at www.futuresplatform.com and identify the opportunities the world after the pandemic can offer your organisation.

READY FOR THE WORLD AFTER? Harness the emerging opportunities with Futures Platform. www.futuresplatform.com


Communication security for remote working

Due to COVID-19, remote working and online communications are increasing. As we all know, this also boosts cyber threats like phishing, ransomware, spyware, APT threats and targeted endpoint eavesdropping. Protecting critical information is becoming more and more important all the time. Conference services suffer from security vulnerabilities and weak encryption. Common mobile phone and computer communication applications and services are insecure, and most operating systems lack sufficient security. Firewalls no longer protect remote workers when they are not connected to the office infrastructure. VPN connections leak all metadata, which is fuel for attackers and network intelligence. Most VPN solutions will be blocked in areas where network monitoring is part of normal communication control.

Privecall TX – digital sovereignty and secure communication for your benefit

Privecall TX is a next-generation mobile device with a clean hardware design to meet the highest security requirements for mobile computing and communication. Privecall TX is designed to run only secure communication, which makes it immune to any rogue application or operating system influence. TX is fully open Linux with 100% documented hardware; no untrusted third-party hardware or software elements are included. It is suitable for all business- and operation-critical communication purposes for enterprises and organisations in critical business segments, where protecting information is the top priority.

Privecall TX specifications
• Basic communication features: voice calls, chat, document transfer
• Additional features: encryption tunnel with no metadata (postVPN); works also in areas under heavy network monitoring
• Handheld mobile device
• i.MX6 Quad processor
• Memory: 1 GB RAM, 8 GB eMMC
• Connectivity: Wi-Fi and Ethernet
• Battery lifetime up to 8 hrs
• Made in Finland

Security features:
• Typical hardware and OS attack vectors eliminated
• Typical application attack vectors eliminated
• Typical cryptographic attack vectors eliminated
• Hardened Linux-based PriveOS operating system
• Multi-Party Protocol based, metadata-free next generation encryption engine
• No critical metadata revealed, identities protected

You can find more information about Privecall TX and our other services on our website: www.xxlsec.com

Laajalahdentie 23, 00330 Helsinki, Finland

XXLSEC is part of MPC Alliance - www.mpcalliance.org


CYBER SECURITY NORDIC

“If you are in IT or cyber security, this is the key meeting place for you. And CEO! If you go to ONE event this year, make it this one!”

7–8 October 2020, Messukeskus Helsinki, Finland

THE MOST SIGNIFICANT EVENT OF CYBER SECURITY SOLUTIONS IN NORTHERN EUROPE

Cyber Security Nordic is held for the fourth time in Messukeskus Helsinki. The event is divided into an exhibition, a conference and a meeting area.

Cyber Security Nordic is targeted at CEOs, business decision makers, security and risk management experts and security managers.

Seminar topics:
• Politics of Cyber Security
• Economy of Cyber Security
• Reality of Cyber Security
• Future of Cyber Security

cybersecuritynordic.com

Do you want to reach your current and future customers at the event? Participation is made easy with a ready-made package for partners. See packages and info at cybersecuritynordic.com or contact Ms. Sarita Virta, sarita.virta@messukeskus.com

Conference participation fee: 2 days €495 + VAT 24 % (until 31 August); 2 days €695 + VAT 24 % (from 1 September); 1-day ticket €495 + VAT 24 %.

Organizers

