A Comprehensive Cyber Security Approach - The Finnish Model


A COMPREHENSIVE CYBER SECURITY APPROACH – THE FINNISH MODEL

Author: Aapo Cederberg, CEO and Founder of Cyberwatch Finland

Table of Contents

1. Table of Contents

2. Introduction

3. The Cyber World from the Finnish Perspective

4. Cyber as a Game Changer

5. National and International Politics

6. The structure of the strategy and main principles

7. Cyber Security Strategy – Guiding Vision

8. Basic Principles of Cyber Security Management

9. Situational Awareness
9.1 The Tasks of the Cyber Security Centre

10. Legal Basis

11. Education and Awareness of All Societal Actors

12. Fighting Against Cyber Crime

13. Cyber Defence

14. Private Public Partnership (PPP)

15. Critical Infrastructure Protection (CIP)

16. International Cooperation

17. The Cyber Security Strategy Process
17.1 Country Analysis
17.2 Planning
17.3 Decision of the Ambition Level
17.4 Writing the Strategy
17.5 Implementation and the Action plan
17.6 The assessment identified significant impacts resulting from the following measures

18. Summary

2. Introduction

Cyberspace is evolving quickly and becoming a growing challenge for nations, as well
as the international community. The key question is how to improve the preparedness of
modern societies and how to build new capacities in cyberspace. Knowledge is crucial
for further development, as the weakest links in the chain are the users, be they
individuals, companies or governments.

Cyber threats are now receiving special attention in national security planning circles. This
is particularly true in countries that face a current or potential adversary with the necessary
capabilities to run hybrid operations. Even further attention should be placed on cyber
security if there are major fault lines among the population that can be taken advantage of
by the aggressor.

Because of the whole-of-society nature of cyber threats, preparing for and addressing
them requires strong measures. Multiple countries may enjoy unrivalled power in many of
the areas of cyber security, offensive uses included, but may lack the tools necessary to
identify in a timely manner threats that nimbly cross all the neat categories and carefully
guarded bureaucratic silos. Smaller countries with less power may have potential in some of
the areas of cyber security, such as cyber and information warfare, and key areas of the
critical infrastructure like energy, banking etc.

However, regardless of their size, all countries can shore up their security against cyber
threats. The key in this process is a comprehensive security approach, which aims at
intrasocietal security planning instead of settling for a classic intergovernmental approach.

The comprehensive security approach demands political leadership, as the whole society
should be engaged in security and defensive efforts. This approach needs to be combined
with clearheaded vulnerability analysis to understand the potential pressure points in one’s
own society, access to reliable intelligence, and robust counter-intelligence efforts.

While strong and developed autocratic nations may have an advantage on the offensive
side of cyber operations, all countries regardless of their position in the international order
have an opportunity to organise their cyber security and defences. A credible defensive
posture against cyber threats cannot be based solely on military forces and other security
providers, because the targets can be located anywhere in society depending on each
country’s individual vulnerabilities. Thus, cyber defences must be built as a joint action of all
stakeholders in society, also including representation from civil society and the private
sector. This model is called a comprehensive security approach.

The idea behind a comprehensive security approach is that society’s security does not rest
on the prowess of traditional security providers such as police and military alone, but all the
key sectors of society have been included in the security planning and implementation
process. This whole-of-society aspect of a comprehensive security approach makes the
political leadership particularly important. Including a wide range of society’s players in the
security planning and implementation process aims both at increasing capabilities to
respond to a wide range of threats, such as cyber threats, that cross sectoral boundaries,
and securing the vital functions of society that usually demand tight collaboration between
several sectors. This efficient collaboration allows wide and efficient mobilisation of society’s
resources.

Ensuring the security of society is the key task of every government and the vital functions
of our societies must be secured in all situations. As an information society Finland relies on
information networks and systems and, consequently, is extremely vulnerable to
disturbances which affect their functioning. An international term for this interdependent,
multipurpose electronic data processing environment is the cyber domain.

Society’s growing information intensity, the increase of foreign ownership and outsourcing,
integration between information and communications technologies, the use of open
networks as well as the growing reliance on electricity have set totally new requirements for
securing society’s vital functions in normal conditions, during serious disturbances in normal
conditions and in emergency conditions.

In Finland, the cybersecurity strategy follows the main principles of the National Security
Strategy and the cybersecurity strategy does not change the tasks defined in the Security
Strategy for Society. Those strategies are government resolutions, which means that the
government has the main responsibility to improve cybersecurity arrangements in Finland;
the Whole-of-Government Approach is also applicable in cybersecurity. All ministries have
their own role and responsibilities. The Security Committee closely cooperates with other
collaborative bodies that coordinate cybersecurity-related issues as part of their duties. The
Cyber Security Centre supports and assists cybersecurity actors within the scope of its
tasking.

The effectiveness of disturbance management will be measured by the success of
the pre-emptive measures. Cyber security arrangements in normal conditions will make or
break the outcome of cyber incidents in emergency conditions. All administrative branches
as well as organisations and companies critical to security of supply are required to make
contingency plans against cyber threats. Companies must include cyber preparedness in
their normal continuity management planning.

Nevertheless, the cyber domain should be an opportunity and a resource. A safe cyber
domain makes it easier for both individuals and businesses to plan and conduct their
activities, which in turn boosts economic activity. A properly working environment also
improves Finland’s appeal for international investors. In addition to these, cyber security
itself is a relatively new and strengthening business area. In addition to the increasing job
opportunities and tax revenue, society accrues benefits from this strengthening business
sector in many ways. National cyber security is strongly interconnected with the success of
Finnish well-being.

3. The Cyber World from the Finnish Perspective

Considering only the headlines of the last few
years, we have witnessed
ideologically motivated cyberactivist campaigns
launched by individuals, massive online bank
breaches by cybercriminal gangs, and several
alleged cyberespionage operations conducted by
state actors.

As exemplified by news headlines, the threats
against the cyber domain have increasingly
serious repercussions for individuals,
businesses, and society in general. The
perpetrators are more professional than before
and today the threats even include state actors.
Cyber-attacks can be used as a means of
political and economic pressure; in a crisis
pressure can be exerted as an instrument of
influence alongside traditional means of military
force.

The cyber world consists of an elaborate and
multi-layered worldwide information network
which comprises ICT networks that are
operated by national security authorities, other
public authorities and the business community,
as well as the monitoring and control systems of
industry and critical infrastructure. The
increasingly high-speed global cyber domain is
bringing states, businesses and citizens ever
closer together. While this development has
significantly fostered well-being, it has also
introduced an entirely new set of risks. When IT
equipment and systems are down, the ICT
infrastructure crashes or serious cyber-attacks
occur, they can result in extremely negative
impacts on public services, business life and
administration and, consequently, the viability of
society as a whole.

Cyber-attacks can seriously disrupt or even
paralyse segments of critical infrastructure and
society’s vital functions. The state or an
organisation can be forced to make political,
military or financial concessions. The great
powers equate cyber-attacks with military action
which can be met with any available means.
Thus far cyber operations have been interpreted
as ‘soft measures’, for which reason the
threshold for using them is estimated to be below
that of traditional military operations. The
increasing cyber activism, cybercrime and cyber
espionage denote growing activity among states
and non-state actors.

Consequently, the cyber domain has
transformed the traditional power structure,
providing even small states and non-state actors
with an opportunity for effective action. In
cyberspace, it is no longer size and mass that
matter; rather, it is expertise.

The previously described developments in the
cyber domain also impact Finland. Finland is one
of the most developed information societies
whose functioning relies on various electronic
networks and services. Finland has already been
the target of cyber operations where the focus
was on cyber activism, cybercrime and cyber
espionage as well as information manipulation.

The international development and especially the
hybrid influencing in cyberspace increase the
possibilities of new threats being used against
us.

The public administration and the business
community are continually being targeted by
crackers and hackers attempting to exploit
system vulnerabilities. The careful selection and
study of a target only serves as an indication of
the professionalism of the attacks.

Sophisticated malware and techniques are
increasingly used in these attacks.
The openness of the cyber domain makes it possible
to carry out attacks from all over the world by
exploiting system vulnerabilities.

Such vulnerabilities exist in human action,
organisational processes and the use of ICT
technology. It is very difficult to protect oneself
against complex and sophisticated attacks, and
to identify or locate the perpetrators.

4. Cyber as a Game Changer

The rise of a highly interconnected world,
involving all walks of life from international
politics and global economy to individual citizens,
has already proven to be a strategic game
changer.
Physical world limitations, including the
structures and principles that support it, are still
in place, but the rules of the cyber domain are
bending the old barriers of time and space, and
changing the structures and the rules of the road.
Thus, it can be said that the unfolding world of
cyber is very different from the physical world as
we know it now.

As always, major changes that can be described
as nearly tectonic in their nature will also give
rise to security challenges that the players in
the security field from individuals to NGOs and
classic security providers such as police and
military need to take into account.
The unfolding new connections,
interdependencies, and ways of operating may
bring along many surprises, particularly to those
clinging on to the old ways of seeing and doing
things.

In addition to the newly shaped operating
environment, the idea of cyber power can also
be considered a global game changer. It can be
argued that cyber brings along new asymmetries
to power politics.
The sheer amount of resources and the size of a
country, or established political and military
alliances, may not be the most decisive factor
when amassing power and applying force in the
cyber domain. It becomes increasingly important
to be able to efficiently tap into the national and
international knowledge pool and get hold of
talented individuals. Highly talented individuals
can be considered potentially the most
dangerous cyber weapon.
An ability to amass cyber power, and an
understanding of how to apply it, offers new
possibilities to influence the politics and security
at global, regional, as well as national levels.
Cyber power blurs the traditional concepts of
military and civilian security as it also blurs the
meaning of national borders. The concept of
cyber power is also challenging the traditional
administrative lines within societies by having an
impact on all sectors and functions of modern
societies.

The constant process of developing societies
also makes them increasingly dependent on
digital structures, and thus on the world of cyber.

5. National and International Politics

Cyberspace should not be seen only from a
technological perspective, but as a phenomenon
that has already had and will continue to have an
ever-greater impact throughout our daily lives
and functions of our societies. Thus, cyber
aspects should be included to an increasing
degree both in national and international politics.

National policies are of the utmost importance in
building a solid foundation for the establishment
of cyber power and constructing a more
cyber-secure society. While the national political
manoeuvring space may be limited by
international agreements and standards, and
most innovation comes from the private sector,
national policies still provide the strategic
framework for local capability development.

National policies and strategies support
intergovernmental collaboration and the
implementation of educational and industrial
policies. National policies are also necessary to
support security providers in their work by setting
the legal frameworks that define the tools and
mandates for security providers.
Similarly, national policies define the methods
and set the goals for international collaboration.
As the nature of cyberspace is strongly interlinked and international,
it is natural that international politics play a major role in defining its
functions and uses.
While there are various subject matters in which cyber related discussions
take place, such as in respect for intellectual property rights, innovation and
patents; international telecommunications standards; and international law
and norms, what is common is that more international, bilateral, and multi-
stakeholder collaboration is required.

Figure 1: Dimensions of Cyber Security

All collaboration is based on trust and at the moment it appears that genuine
globe-spanning trust in cyber matters is lacking. While this will naturally
slow down processes to achieve truly international consensus e.g. on cyber
norms, it should not limit more rapid advances taking place in unofficial and
official alliances, nor bilateral partnerships.
The goals for these advances are clear: to increase transparency and build
trust among the partners, to improve the exchange of information, and to
support finding shared goals and agreeing on common activities towards the set
goals.

As the financial system and unhindered money flows constitute an important
part of the vital functions for both post-industrial and developing economies,
it is within the core interests of the governments to ensure the functioning of
the financial sector and guard it from external attacks. At the same time,
while the global financial system can be seen almost as a global common,
there need to be punitive mechanisms such as sanctions that target the
cyber side of financial information networks. These mechanisms allow
governments working in collaboration with private organisations to weed out
actors that are misusing the global system for criminal purposes.

6. The structure of the strategy and main principles

The Government represents the highest level of
cyber security management. The Government is
responsible for providing political guidance and
strategic guidelines for cyber security as well as
for making the required decisions regarding the
resources and prerequisites to be allocated to it.
In the Finnish model each ministry and
administrative branch is responsible for cyber
security and disturbance management within
their mandate.

While the government and its preparedness are
of highest importance, it is noteworthy that cyber
security relies also on the level of preparedness
of society as a whole and its elements, such as
well-educated citizens, thriving world-class
companies, and high-quality research and
development conducted at universities and other
research institutions.
Furthermore, in the highly networked world,
active international collaboration is necessary to
be able to efficiently respond to challenges in the
cyber domain.

The Finnish Cyber Security Strategy defines the
key goals and guidelines, which are used in
responding to threats against the cyber domain
and which ensure its functioning. By following
the Cyber Security Strategy’s guidelines and the
measures required, Finland can manage
deliberate or inadvertent disturbances in the
cyber domain as well as respond to and recover
from them, while ensuring the functioning of
society’s vital functions at all times.

7. Cyber Security Strategy – Guiding Vision

We believe that as a small, capable, and
collaborative country Finland has excellent
chances of rising to the vanguard of cyber
security. We have an extensive knowledge base
and strong expertise, a long tradition of close
public-private cooperation, built on trust, as well
as intersectoral collaboration.

The vision of Finland’s cyber security strategy
states:
• Finland can secure its vital functions against
cyber threats in all situations.
• Citizens, businesses and the authorities can
effectively utilise a safe and secure cyber
domain, and the competence arising from
cyber security measures, both nationally and
internationally.
• Finland will be one of the global forerunners
in cyber threat preparedness and in managing
the disturbances caused by these threats.

While the vision serves as an overarching
long-term goal, there is a need for managing
progress also in a shorter term, particularly
because the changes that take place in the
cyber domain are constant, fast and their effects
are difficult to predict.
Cyber threat preparedness, cyber defence, and
national resilience against cyber threats
increasingly require swift, transparent, and well-
coordinated action from all parties in society,
both individually and collectively.
The cyber domain and the nature of threats highlight the importance of a
networked response, which consists of seamless cooperation as well as
efficient and flexible coordination of activities.
A well-coordinated, distributed response increases the resiliency of society
as a whole.

Figure 2: The structure of a comprehensive strategy

Threats to society’s vital functions and critical infrastructure can emerge
independently, concurrently or as a sequential continuum. Whereas their
escalation varies in speed and endurance, often they make their impact in a
short period of time.
Due to the nature of the cyber domain, it is difficult to predict the causes of
threats, the actors behind them, their exact targets, goals and scope, or the
consequences of their effects. Other risks can also be associated with cyber
threats. For example, terrorist strikes causing physical destruction can also
incorporate various cyber operations.

For the purpose of preparedness planning, it is helpful for the strategy to
include cyber threat models. In the Finnish strategy they are defined as:

• Cyber activism (cyber vandalism, hacktivism)
• Cybercrime
• Cyber espionage
• Cyberterrorism
• Cyber operations: pressure, Low Intensity Conflict (LIC) or cyber warfare

8. Basic Principles of Cyber Security Management

The Government constitutes the highest
level of cybersecurity management. The Prime
Minister leads the Government and is
responsible for preparing and coordinating the
handling of matters that are the purview of the
Government.
The Government is responsible for providing
political guidance and strategic guidelines for
cyber security, as well as for taking the required
decisions regarding the prerequisites and
resources allocated to it. In line with the basic
principles of the Security Strategy for Society,
the competent authorities are responsible for
disturbance management and associated
contingency planning. Each ministry sees to the
legislative process within its administrative
domain.

As the vulnerability of society increases it is
necessary to be able to rapidly start managing
sudden disturbances in the cyber domain, aka
cyber incidents. Cyber incidents typically have
wide-ranging impacts.
Therefore, it is necessary to provide the broadest
possible intersectoral support to the competent
authorities, when required. Concurrently, in spite
of the disturbances, the viability of society must
be secured in an appropriate manner.
Cyber incident management will follow the rule of law and the existing
division of duties. The same cyber incident management principles that are
used in normal conditions will be applied in emergency conditions.
The authorities’ division of duties and the modi operandi of the cooperative
bodies will remain as they are in normal conditions. Situation management
will be proactive, and the needed resources will be brought online at once.
The competent authority is in charge of operations, supported by
intersectoral cooperative bodies.

Figure 3: Scope of the Cyber Security Strategy

The other authorities, businesses and organisations will participate in the
management of the situation as required. Along with operational activity in
situation management, it is essential to ensure the flow of communication
and provide sufficient information to the state leadership.
Disturbance management will be organised and implemented in accordance
with the Security Strategy for Society.
In line with the strategy, the competent authority launches the action needed
in managing the disturbance, informs the other authorities and actors as
appropriate, and brings in the other actors needed for situation
management.
Cyber incident management encompasses four elements: contingency
planning, compilation of a situation picture, countermeasures and recovery.

9. Situational Awareness

The decision-making process of the state
leadership and the authorities requires sufficient
situational awareness.
The various actors need to have a reliable, real-
time cyber security situation picture on the state
of society’s vital functions and the disturbances
that are affecting them.

The real-time cyber security situation picture
comprises not only information from
technical monitoring and control; it also includes
an analysis that amalgamates observations,
intelligence, other information gathering and
previous lessons learned.

The National Cyber Security Centre is serving
the authorities, the business community and
other actors in maintaining and developing cyber
security. The NCSC's arrangements and
services have been implemented as part of the
integrated cyber security strategy action plan.

The primary service of the NCSC will entail the
compilation, maintenance and dissemination of
the situation picture in close cooperation with its
support network.
The Cyber Security Centre was founded by
merging the functions of the present CERT-FI
and the planned GOV-CERT, and by earmarking
the needed additional resources for its operation.

The Centre is supported by a functional network
that encompasses all pertinent authorities,
businesses and other separately designated
actors tasked to prepare and respond to cyber
security violations.

The planning and implementation of this function
have been coordinated with the operations of the
National Cyber Security Centre.

9.1 The Tasks of the Cyber Security Centre:

• Compile and disseminate the cyber security
situation picture
• Compile and maintain a cyber threat risk
analysis, in conjunction with different
administrative branches and actors
• Support the competent authorities and
actors in the private sector in the
management of widespread cyber incidents
• Intensify cooperation and support the
development of expertise.

The most important service of the Cyber Security
Centre is to compile, maintain and distribute the
cyber security situation picture to those who
need it.
The compilation of the situation picture requires
the ability to collect and analyse relevant
information and to meet the information
requirements of different actors.
The integrated situation picture, compiled by the
Cyber Security Centre and its support network,
comprises a technical situation picture and an
evaluation of all the consequences of cyber
security violations on the vital functions of
society.

The Cyber Security Centre and other actors are
determining their respective information
requirements. The information on vulnerabilities
provided to network administrators should
become more automatic; whereas, the content of
the situation picture intended for the authorities
and decision-makers will be developed more
towards being an analysis of the consequences
of the effects on society’s vital functions.

Cyber incident damage control is the
responsibility of the authorities and businesses
which the disturbance concerns. The Cyber
Security Centre can support the lead authority in
managing widespread cyber incidents that
concurrently impact many authorities or
businesses.
The Cyber Security Centre generates an overall
cyber security situation assessment built on its
integrated cyber security situation picture. The
purpose of such a briefing is to support the
administrative branches in their cyber
preparedness arrangements and contingency
planning.
The Cyber Security Centre monitors and
analyses cyber threats and, together with its
international partners, generates forecasts on
their consequences in Finland.

In accordance with its monitoring activities, the
threat scenarios of the Security Strategy for
Society, the cyber threat scenario and real-time
national intelligence information, the Cyber
Security Centre alerts businesses and authorities
critical to the vital functions of society with
intelligence concerning new cyber threats to
Finland and heightened cyber threat levels and,
upon request, assists them in contingency
planning.

10. Legal Basis

Cyber security is a new legal phenomenon.
Cyber threats are transboundary by nature. The
actors behind cyber-attacks may vary and are
difficult to identify. Cyber-attack techniques are
versatile, rapidly changing and evolving. Cyber
security concerns all walks of life, administrative
branches and vital functions of society. Basic
rights and human rights guarantee the right to
privacy and confidentiality of communications.
The origin and nature of the cyber threat
determines the body of law that will govern the
cyber incident.

The UN Charter regulates the use of force in
state relations. Apart from self-defence in the
event of an armed attack or participation in
Security Council-mandated military action, the
use of force is forbidden. At present, the
international community is debating whether
cyber-attacks in some situations can rise above
the threshold of an armed attack, as defined in
the UN Charter, justifying a military response by
the affected state. Sovereignty also includes
responsibility. The territory of a state cannot be used in
an attack against another state. The state must,
therefore, also try to prevent attacks beyond its
national borders perpetrated by private entities.
No rules of engagement exist for cyber
operations.

Pursuant to the Constitution of Finland the public
authorities shall guarantee the observance of
basic rights and liberties, and human rights.
Basic rights must also be guaranteed in
networks. Increased cyber security may improve,
for instance, the protection of the privacy and
property of network users. Well-functioning ICT
networks can also be seen to promote freedom
of speech. A more detailed cyber security-related
regulation can be found in Chapter 34 of the
Criminal Code, the Territorial Surveillance Act,
the Readiness Act, the State of Defence Act and
the Act on the Defence Forces, the
Communications Market Act and the Act on the
Protection of Privacy in Electronic
Communications.
The obligation of the authorities to be prepared
well in all situations, as per the Readiness Act,
also includes the development of cyber
capabilities. The key requirement for invoking
and using the powers of the Readiness Act is
the existence of emergency
conditions, as provided by law.
Pursuant to the justifications of the Act, an attack
(according to the definition of emergency
conditions) comparable to an armed attack may
also mean an attack other than one implemented
with traditional means of force. For instance, it
can entail an attack against IT systems. An
attack can also mean one executed by non-state
actors, if it is so organised and wide-ranging that
it can be likened to an attack carried out by a
state.

Legislation must be developed in such a manner
that it adapts to rapidly changing phenomena in
cyberspace, and makes it possible for the
competent authorities in the different sectors to
discharge their duties in protecting the
sovereignty of the state and the livelihood of the
population, and in defending society’s vital
functions against cyber threats.
Cyber security must be regarded as an integral
element of security. When it comes to the
viability of society it is imperative to find a
suitable balance between legislation and
situational awareness, the responsibilities and
practices of the authorities and the business
community.

A stable cyber security situation, for its part,
creates a lucrative business environment. In
order to repel cyber threats that endanger the
security of the state, possible legislative
restrictions and hurdles, as well as those arising
from international obligations, have been
reviewed. Such restrictions and hurdles also
include obligations related to data protection and
those found to be useful for effective cyber
defence purposes that impede the obtainability,
disclosure and exchange of information between
different authorities and other actors.
When it comes to assessing information-gathering
and other data processing it has been
concluded that the competent authorities should
be given better possibilities for gathering
information, data processing or being informed of
cyber threats and their sources, while
simultaneously paying attention to basic rights to
privacy and confidentiality in electronic
communications.
With regard to police activities, it is especially
important to obtain the powers for intelligence
gathering and investigation in order to prevent,
identify and fend off cybercrime. The rules on
jurisdiction related to cyber warfare and cyber
intelligence will be clarified and improved in the
near future.

11. Education and Awareness of All Societal Actors

Regarding the importance of cyber security to
society, the goal has been to improve
understanding, competence and skills among the
authorities, the business community and citizens
whilst creating a strong national cluster of cyber
know-how.
Cyber security research has been developed as
part of national top-level research and a strategic
cyber security centre of excellence was
established in already existing structures.
The purpose of the exercises is to improve the
participants’ ability to identify vulnerabilities in
their own activities and systems, and to improve
their skills and train their personnel. Different
sectors regularly test their preparedness when it
comes to managing disturbances in vital
functions.

The most cost-effective way to advance national
cyber security is to improve competence.
Increasing cyber risk awareness among the
authorities, the business community and citizens
will improve everybody’s skills in the
implementation of cyber security measures.
Top-level research in this field has laid the
foundation for developing competence and cyber
security systems. The Finnish education system
is preserving and developing top-level
competence which can be utilised in ensuring
and improving the security of society’s vital
functions in the cyber domain.
The learning requirements for cyber security
have been included in the curricula of basic
education (comprehensive school), vocational
upper secondary education, general upper
secondary education and higher education.
Universities have bolstered the requisites of
basic research, applied research and innovation
in cyber security, while universities of applied
science have improved the preconditions of
product development.
The level of cyber security research has been
raised, and its research conditions have been
improved so that basic and applied research can
continually generate cutting-edge innovation and
scientific breakthroughs. Additional
cyber/information security courses have been
provided by universities and polytechnics. Two
professorships in cyber security have been
established so far and, in the long run, the
number of professors in cyber security will be
increased.
Cybersecurity skills have also been included in
basic military training and special highly skilled
cyber units have been set up. They are also
utilising the competence of the private sector in
their reserve, thanks to the conscription system
of Finland.

Why Skills Matter

Cybercrime is one of the biggest challenges that
humanity will face in the next two decades. Most
cyberattacks exploit the vulnerabilities
and weaknesses of people. According to recent
studies, the insider risk has been estimated to be
over 60 % of the total cyber risk. It goes without
saying that cyber skills matter.

The most cost-effective cybersecurity method is
education and training. Cybersecurity challenges
cannot be solved by better technologies alone; the
cyber skills of your organisation and company are
at least as important. Cyber resilience is always
a compilation of the human factor and
technological solutions as well as the processes
of the whole ecosystem. The interdependences
of the factors are also crucial and should be
considered in the risk assessment processes.
Europe will face a shortage of 350,000
cybersecurity professionals by 2022. There is a
serious shortage in skills when it comes to cyber
security, and the gap between supply and
demand for expertise is widening at an alarming
rate. Although automation and machine learning
will improve efficiency, human expertise, logical
thinking, and creativity will be further valued to
deploy and effectively use new technology, as
well as to deter emerging threats. New
learning methods and e-learning systems are
available, but we are not fully utilising the
opportunities they offer.
One reason is the lack of leadership in
cybersecurity. Cybersecurity skills must be part
of the human resources management and
prioritised as a vital resource in every sector of
the whole organisation.
There is a historic lack of investment in
education and training. The mindset must be
rebooted: cybersecurity training should be part of
all sectors of our modern societies. Digital
devices are an integral part of our everyday life,
therefore everyone needs better awareness of
cybersecurity and understanding of the value of
cyber education in our personal and professional
lives.
National cybersecurity strategies are the
backbone of cybersecurity in the whole society.
Governments must devote resources and include
cybersecurity training programmes at all levels of
national education in schools and
universities.
In modern societies and businesses, the range of
skills needed is becoming broader and broader
(programmers, testers, project managers etc.).
Typically, the IT sector has outsourced its key
functions and skills rather than built them in-
house. In the future this may change. The critical
functions, services and skills must be in your
possession or confidentiality must be
guaranteed.
Digital independence must broaden from country
level to the private companies and to the
individual level as well. The private sector is
having a more and more critical role in cyber
resilience from the societal perspective.
Cyber risk analysis and a better cyber culture
are also boosting our economies. Every step to
improve the cyber resilience of your company is
also improving your competitiveness. Investment
in cybersecurity skills is an investment for the
future. Cyber-attacks are becoming more
diverse, complex, and sophisticated, therefore a
successful cybersecurity ecosystem must be
agile and have the ability to continuously
improve.
The human sector will always be the most
decisive factor in your cybersecurity.
12. Fighting Against Cyber Crime

The police must be able to identify and prevent
the planning, financing and directing of terrorist
crime and other crime in networks that endanger
society and to be able to solve the suspected
crimes. Cybercrime has become an extremely
noteworthy sector of crime with its
consequences extending to states, individuals
and businesses alike. IT networks provide an
increasingly lucrative and, regarding the risk-
benefit and damage ratio, ever more attractive
environment for committing crimes that have
financial or terrorist goals. Traditional organised
crime, too, takes advantage of the vulnerabilities
of cyber space. Cyber-attacks can be employed
to endanger society’s critical infrastructure and
carry out terrorist strikes.

In addition to terrorism, traditional crime, such as
fraud, sexual exploitation of children and
industrial espionage, is increasing its presence
in the cyber domain. The police, being the
competent authority in preventing and
investigating crime and forwarding cases to the
prosecutors, must improve its cooperation with
the other law enforcement authorities.
Cybercrime is time and again transboundary in
nature and its investigation often demands
international police and judicial cooperation.
Judicial cooperation is needed, among other
things, to obtain evidence or for the extradition of
suspects. It must be ensured that the police
have sufficient powers, competences and rights
to information when it comes to exposing and
preventing cybercrime as well as identifying
criminals operating in cyberspace, and solving
these crimes.
Also, in Finland new legislation is needed in this
regard.
Likewise, it must be ensured that the police have
sufficient powers, competence and rights to
information when it comes to identifying and
preventing the planning, financing and directing
of terrorist crime in networks and other crimes
that endanger society. This also includes
associated propaganda and preparing the
ground for criminal activity, and the capability to
solve the suspected crimes.
The police will establish the competence,
capacity and appropriate legal powers to
exchange information and cooperate with other
law enforcement authorities in preventing,
identifying and solving crimes. As part of
organised crime prevention, the police shall
invest more in cybercrime prevention. The police
have developed a national cyber-crime
prevention centre. In accordance with the order
of the National Police Board, the National
Bureau of Investigation maintains a situation
picture of international and organised crime and
is working closely with the National Cyber
Security Centre.
13. Cyber Defence

Cyber intelligence, cyber warfare and protection
capabilities together create a cyber defence
capability. The goal has been to customise the
capability so that it will best support the Defence
Forces’ activities in protecting territorial integrity
and national defence.
Cyber defence has been implemented as an
entity which comprises the capabilities of
the Defence Forces, other authorities and the
rest of society. A credible capability is achieved
by cooperating with the other authorities,
businesses and universities.

In normal conditions the capability has been
improved by networking, exchanging information
and participating in joint projects, national and
international working groups and exercises. The
basic approach will remain unchanged in
emergency conditions and during disturbances.

Cyber preparedness and threat management are
achieved by maintaining and developing various
defence and counterattack techniques.
Furthermore, an appropriate recovery capability
from cyber-attacks has to be established.

Cyber warfare can be used as an instrument of
political and economic influence, and in a serious
crisis it can be used alongside traditional means
of military force. The Defence Forces will protect
their own systems and networks; they have
created and will maintain cyber intelligence and
cyber warfare capabilities.
The development of these capabilities will be
determined by the associated performance
requirements and available resources. Emerging
cyber threats must be identified early on, and it
must be possible to monitor the phenomena and
events in cyberspace in real time.
This requires a compiled cyber situation picture
to enable early warning and allow for
preparations and the implementation of
measures.
The Defence Forces and the Cyber Security
Centre are cooperating with each other in the
compilation of the cyber situation picture.
Intelligence capabilities yield information on
networks, including their vulnerabilities, and
cyberspace actors, and provide assessments of
their ability to carry out cyber operations. The
goal of cyber intelligence must be to establish the kind
of situational awareness and intelligence
information that protection and cyber warfare
require.
The national cyber defence capability has been
developed by cooperating with other authorities,
the business community, the scientific
community and other actors. National
coordination, the compilation of an integrated
situation picture and the provision of the requisites
for cooperation demand regularly exchanged
information between the different actors.

International cyber defence cooperation has
been further intensified between the key actors.
Such cooperation is built on bilateral agreements
and multilateral collaboration. The purpose of
international cooperation is to facilitate the
regular exchange of information between
different actors and to develop domestic
capacities and harmonise procedures.
The Defence Forces are providing executive
assistance to the other authorities concerning the
disturbances caused by cyber incidents. If
required, the other authorities will support the
Defence Forces in the implementation of cyber
defence.

The Defence Forces’ capacity to support the
other authorities during cyber incidents has been
improved. The options and powers related to
cyber warfare capabilities have been reviewed.

This review has incorporated the applicability
and adequacy of existing international law and
national regulation, and the requirements of
cyber defence capabilities. Sufficient powers,
competence and the right to information should
be given to the Defence Forces for the
implementation of national defence, executive
assistance, territorial surveillance and crisis
management tasks. New legislation is also
needed in this area.
14. Private Public Partnership (PPP)

The private sector has a special role in cyber
security. From the standpoint of continuous
business growth, it is imperative to retain top-
level competence. This will make it possible to
take advantage of the cyber world. Judging by
the needs of the business community, one to two
educational establishments, together, should
retrain at least 10 000 persons in this sector in
2020.

Joint national cyber security exercises are an
important tool in improving the resilience of the
whole society. Lessons learned from cyber
exercises provide concrete information on
securing the vital functions of society, including
the required level of cooperation. In addition,
they provide information on the development
needs required by the strategic tasks of
administrative branches and organisations, and
the complete situation of society’s preparedness
and crisis management capabilities.

Exercises help test the basic principles and modi
operandi of the Cyber Security Strategy; they
also measure the implementation of the Strategy.

Preparedness for emergency conditions and
serious disturbances in normal conditions must
be exercised on a regular basis. This makes it
possible to analyse how well cyber security is
being achieved in Finland and to continually
introduce improvements.
Cyber threats have very short mutation cycles
and, therefore, all national and international
exercises must be frequent and well-organised to
effectively support national cyber security.
Successful cyber exercises call for a systematic
approach and clear lines of authority. The
preparation and implementation of large national
cyber exercises must be coordinated in
accordance with the principles of the Security
Strategy for Society.
The implementation of national cyber security
entails close public-private cooperation.
Businesses and NGOs that are important to
society’s vital functions should be included in
exercises to improve society’s comprehensive
preparedness.

Public and private sector preparedness for cyber
incident management has been trained in
national cyber exercises which test the
preparedness required by cyber incidents
included in the Cyber Security Strategy’s threat
scenarios, and the functioning of management
and cooperation arrangements.
Exercise themes have incorporated topical
challenges caused by changes in the cyber
domain. Participation in international multi-level
exercises significantly supports the development
of national cyber security, know-how in the field,
practices, the creation of transnational inter-
authority cooperation and a network of experts.
15. Critical Infrastructure Protection (CIP)

The functioning of the modern and strongly
interconnected global economy is based on an
unhindered access to information, energy, and
financial flows. Unintentional, or in the worst
case, intentional disruptions to these flows
impact negatively not only the states subjected to
the disruptions, but the global order as a whole.
Moreover, as these flows are intertwined,
disrupting one of the flows will have a damaging
effect on the others, potentially leading to a
cascading failure endangering the whole system
dependent on the flows.
Critical infrastructure protection must be included
in every comprehensive cyber security strategy.
In the Finnish strategy the approach is broader
when focusing on securing the vital functions of
society.
There has been a continuous news stream of
cyber-attacks that have included gas pipeline
explosions, a disrupted uranium enrichment
process, destruction of computing equipment
connected to a major energy company, and
stealing the financial information of tens of
millions of individuals and companies. These
cases exemplify the usefulness of the cyber
domain as an avenue for an attack on the soft
underbelly of both societies and private
companies alike to further one’s political,
criminal, or other goals. The successful attacks
and additional vulnerabilities found during
national exercises underline the importance of
protecting critical infrastructure and vital streams
from cyber threats.
Protecting critical infrastructure from cyber
threats is a complicated matter and must be
included in national preparedness planning.
There are always several open questions that
demand to be clarified and solved before cyber
threats can be tackled in an organised and
efficient manner.
Some of the core questions are: what are the
parts of the critical infrastructure that should be
specifically prioritised as super critical
infrastructure; what are the responsibilities of
various actors in the affected space, namely
private sector companies and the governments;
and what are the operating areas and mandates
of national and supranational entities, such as
civilian organisations, the police, military, and
international regulating bodies?
There are two pressing topics in the field of
critical infrastructures (CI). One is to evaluate
and develop methods to adequately identify
cross-sector dependencies and
interdependencies and to highlight the potential
threats and risks associated with those
dependencies.
Situational awareness in this context is one of
the main goals that will enable further
development of risk management and mitigation
strategies as well as continuity planning.
One of the main enabling factors for situational
awareness is an introduction of information
sharing platforms that support both national and
multinational information sharing in the context of
critical infrastructure. Additionally, overcoming
legislative, organizational as well as
technological hurdles is necessary to reach this
goal.
Another important topic is the categorization and
prioritization of the criticality of critical
infrastructure services. Some parts of critical
infrastructures are more critical than others to
maintain services with reasonable quality or are
of special interest in strategic considerations or
national security. Some are even called super
critical.
The risks associated with service failure in these
areas of critical infrastructure are exceptionally
high. In crisis or disaster situations, those are the
services that require special attention to maintain
operations and core functions of society.
Awareness of the criticality as well as
understanding the critical dependencies those
services require for operation is a priority, in
order to identify and develop adequate
measures to sustain
operations and a reasonably functional society in
all situations, including disasters and man-made
crises.
16. International Cooperation

The goal of national cyber security – integrated
situation awareness, effective disturbance
management and threat prevention – is
nationally achieved through active cooperation
between different actors.
Due to the wide-ranging nature of cyber security
the importance of international cooperation is
ever more emphasised. The goal of international
cooperation is to exchange information and
experiences, and to learn from best practices to
raise the level of national cyber security.

In the case of Finland, international cyber
security cooperation occurs at several levels and
fora: in the Nordic context, the European
Council, the European Union, and in
international organisations such as NATO, the
OSCE and the UN.

Cyber threats are transboundary threats and,
therefore, they require international cooperation
in various international fora. Such cooperation
provides an opportunity for exchanging
information and learning from the best practices.
Furthermore, it provides benchmarks for the
development of national cyber security as part of
global cyber security and also increases the
interoperability and compatibility of cyber
defence.

Cooperation is implemented between different
organisations and at the international level.
When it comes to organisations, the EU and
NATO are the key cyber security actors for
Finland.
Finland continues its close cooperation with
European cooperative organisations such as the
European Network and Information Security
Agency (ENISA); the European law enforcement
agency Europol; the Body of European
Regulators for Electronic Communications
(BEREC); the European Forum for Member
States (EFMS), which is an intergovernmental
cooperative forum for the protection of Europe’s
critical infrastructure; and the European Public-
Private Partnership for resilience (EP3R), which
deals with the robustness of ICT systems.

Developing cyber defence cooperation with the
EU Military Staff (EUMS), the European Defence
Agency (EDA) and NATO will continue. NATO
continues to cooperate with its partner countries
in responding to new security challenges,
supporting NATO-led operations and improving
situational awareness.
The Organization for Security and Co-operation
in Europe (OSCE) aims to improve confidence-
building measures for the prevention of cyber
conflicts by increasing transparency, cooperation
and stability. The goal of this cooperation, built
on the OSCE’s comprehensive concept of
security, is to complement the efforts of other
international organisations.
17. The Cyber Security Strategy Process
The goal of the National Cyber Strategy
process is to achieve a continuous
improvement approach which will make it
possible to implement cybersecurity
measures more efficiently and effectively.
The strategy process manifests itself at
several levels and it includes different
phases.
The goal was to create a continuous strategy
process with parts that regularly repeat and
generate continuous improvement.

[Figure 4: Phases of the Strategy Process. Labels: Political mandate; Country Analysis; Vision; Strategy; Implementation (Action plan, Managing a Cyber crisis); Cyber resilience of the Society; Continuous process.]
17.1 Country Analysis

The strategy’s analysis phase defines our own
position, i.e. our state in relation to the operating
environment and its various elements. In the
cyber strategy this translates into an analysis of
the cyber threat environment and identification of
vulnerabilities in society’s vital functions, along
with a risk assessment of the ensuing entirety.
Moreover, one’s own capabilities and
shortcomings should be assessed. The
operating environment analysis should identify
phenomena in cyberspace, assign the necessary
definitions for the strategy and catalogue existing
national cyber security projects, including related
and ancillary projects. Information from other
countries’ cyber security strategies and best
practices most suitable for us have been
obtained through benchmarking. The analysis
resulted in awareness of our standing in both the
national and international cyber domain; it also
provided further grounds for definitions and
reports.

17.2 Planning

The cybersecurity vision, national
standards and the cybersecurity concept were
determined in the planning phase. This phase
also considered performance requirements,
available economic resources and competences.
Several options were prepared with regard to
achieving the desired end result.
17.3 Deciding the Level of Ambition

In the decision-making phase several options were
compared and the option leading to the desired end
result was selected, as well as the national ambition
level and the measures it requires. In addition, the
desired cyber capabilities and the measures
required to create them were defined. Based on
the country analysis and the possible options, the
Government approved the vision statement which
guided the rest of the work.

17.4 Writing the Strategy

The production phase determines the structure of
the Cyber Security Strategy, the way things are
presented, and the concrete goals and
responsibilities of cybersecurity. The production
phase included several iterations in the form of mid-
reviews which ensured that the strategic decisions
appeared in the report. The drafting of the strategy
was completed when it was presented to the
commissioning body and was approved by the
Government.
17.5 Implementation and the Action Plan

The strategy must be implemented in a
comprehensive manner. For this purpose, an
action plan was created which continuously
maintains the relevance of the strategy process.
In its implementation phase the strategy must be
put into practice by delegating the proposed
action of the strategy at the different levels of
administration and organisations. A
benchmarking and monitoring system for cyber
security maturity must be created for the purpose
of change management, which can then be used
to monitor the success of the process.

In Finland the Security Committee is monitoring
the implementation of the strategy. It is also
preparing an annual report for the Government.
The first Implementation Programme for
Finland’s Cyber Security Strategy, adopted in
2014, comprised altogether 74 measures
assigned to ministries and partly to individual
actors.
17.6 The assessment identified significant impacts resulting from the following measures

• The Government Security Network project and
the development of sector-independent ICT
tasks
• The National Cyber Security Centre
established at the Finnish Communications
Regulatory Authority (FICORA) and the
development of associated CERT activities
• The Development Project for the Central
Government 24/7 Information Security
Operations (SecICT) and the related
improvement of monitoring and warning
• The Development Project for Jyväskylä
Security Technology (JYVSECTEC)
• Cyber security courses organised by the
National Defence Training Association of
Finland

The new Implementation Programme for 2017–2020
addresses the development of
cybersecurity within the service complex
comprising the state, counties, municipalities,
the business sector and the third sector in which
the individual citizen is the customer. The
business community provides most digital
services and their cybersecurity through
international networks.
Since the publication of the Cyber Security
Strategy the operating environment of the cyber
space has changed because of new service
production models and technologies, and the
new threats directed at them. The
Implementation Programme gathers together the
public sector’s wide-ranging and significant
internal projects and actions that aim to improve
information and cyber security which are to be
implemented together with the business
community and NGOs. It also brings them into
the public view as coherent and properly
delegated processes. When the projects and
actions are included in the Implementation
Programme it is possible to regularly monitor and
measure their progress, which also provides a
better overall situation picture of cyber security
development. The methods of measurement
must be continually developed, especially with
regard to monitoring the quality of actions. In
addition to the far-reaching measures selected
for the Implementation Programme cyber
security is also constantly being improved
through other administrative branch-specific
actions, as well as by the work associated with
developing cyber and information security and
continuity management.
Summary

The cyber space is evolving quickly and is becoming a growing challenge for nations and the
international community. The key question is how to improve the preparedness of modern societies
and how to build new capacities in cyber space. The functioning of the modern and strongly
interconnected global economy is based on an unhindered access to information, energy, and
financial flows etc. Unintentional, or in the worst case, intentional disruptions to these flows impact
negatively not only the states subjected to the disruptions, but the global order as a whole.
Moreover, as these flows are intertwined, disrupting one of the flows will have a damaging effect on
the others, potentially leading to a cascading failure endangering the whole system dependent on
the flows.

The vulnerabilities of modern societies are the main targets of cyber-attacks. In the cyber context
vulnerability is commonly defined as weaknesses related to information technology. The European
Union Agency for Network and Information Security (ENISA) specifies vulnerability as “The
existence of a weakness, design, or implementation error that can lead to an unexpected,
undesirable event compromising of the security of the computer system, network, application, or
protocol involved”. Merriam-Webster describes vulnerability in more general terms as “the quality or
state of having little resistance to some outside agent” or “the state of being left without shelter or
protection against something harmful”.

The security of a modern society underlines the need to define vulnerabilities and risks in all levels
of the whole ecosystem covering people, processes, technology, data, and additionally,
governance, where the prerequisite for success or failure is initially laid down. Identifying the need
for a common understanding of existing threats, regulations, standards, risks and complexities is
essential for securing critical infrastructure and services in the future. It is very much up to the
national authorities to decide who is overseeing the security of critical infrastructures and services.
Comprehensive situational awareness and understanding, as well as a credible and well-trained
action plan are needed to be able to prevent and defend against cyber-attacks.

Cybercrime has been the trending motivation behind attacks, with hacktivism and cyber espionage
being the next major motivations. This trend has also continued this year. It is interesting to note that a
human factor seems to have a much greater role in cyber breaches in industry. This may indicate
problems in security policy compliance, lack of security awareness and training, or simply it may
show how strong the existing organisational culture and attitudes in resisting these changes are in
the private sector. One can even argue that people are the biggest vulnerability and risk in the
critical infrastructure and services ecosystems.

One of the main points is the urgent need for collaboration and
for coherent governance across modern societies,
creating circumstances that support a viable and secure platform for
a digital future. It must be clear who is overseeing the cyber
arrangements comprehensively.

People remain the weakest links. There needs to be an appointed
ministry in charge, responsible for cyber security including the
coordination among all the stakeholders in society. The idea of
sectoral CERTs could be discussed. The most effective method to
improve security is to increase security awareness, education and
training, regular audits, and penetration testing with social engineering
to test real-life security practices and processes.

Data is the focal point now and even more in the future in
digitalised societies with an advanced utilization of Big Data and
Artificial Intelligence (AI). This will require a new approach to data
privacy and confidentiality.

Technology and threats keep on developing and only secure-by-design
devices and services should be approved to be used in the
critical areas of society. There will be new cyber-attacks, new
vulnerabilities and threats that are still unknown, which is why a
risk-based approach is needed.

Resilience should be emphasised to be able to prevent and quickly
recover from any kind of reasonable situations, especially cyber-attacks,
even during other major crises or when critical
infrastructure is not fully operating. Despite all countermeasures
being in place there remains a residual risk: insider threats, mainly
based on human errors.

Cyber risks, threat landscapes and vulnerabilities may seem occasionally overwhelming, but well-
designed cyber security is most of all an enabler of reliable and innovative digital
environments for people and organisations.

Cyber space is a key domain of hybrid war and one could even say that without modern cyber
capabilities a full-scale hybrid war would not be possible. Cyber power is indeed a global game
changer. It brings along new asymmetries to power politics. All aspects of our lives and functions of
our societies will be transformed by all-pervasive and hyper-connected digitalisation.

The building of a more resilient society should not be viewed only as an extra burden for already
economically struggling Western societies; it is also a wonderful opportunity. The structures that
allow a society to respond in an agile manner to hybrid threats also support better understanding
and coping with the complex underlying interrelations that make our modern societies fragile. These
defensive structures also help to make our societies more functional, as decision-making processes
become more transparent and inclusive.
Mr. Aapo Cederberg is the CEO and Founder of Cyberwatch Finland

Aapo Cederberg is an experienced cyber security strategist and
analyst. Aapo has unique strategic-level international expertise
and understanding of hybrid threats. Aapo really understands the
complexity of the cyber world and hybrid warfare, and has
comprehensive strategic management skills and experience. He also
has extensive first-hand knowledge of military defense. He is one
of the authors of the first Finnish Cyber Security Strategy.

Aapo is a founder of Cyberwatch Finland with a firm focus on
helping decision-makers to establish a holistic cyber strategy, to
build situational awareness, and take the necessary steps to
ensure cyber resilience.

Cyberwatch Finland provides strategic analysis and better
situational awareness of the cyber world by presenting complex
cyber world phenomena and developments in an easy-to-understand
format, utilising the latest technology, easily adaptable
methods, and various media formats.

Mr. Aapo Cederberg is also an Associate Fellow of the Global
Fellowship Initiative at the Geneva Centre of Security Policy
(GCSP). Last year he was appointed as a Chairman Committee of
World UAV Federation (WUAVF). In 2018 Aapo Cederberg was awarded
the Cyber Security Nordic prize. Mr. Cederberg has served as
Secretary General for the Security Committee of Finland for six
years. The Security Committee provides support, advice and
expertise for the government in comprehensive security matters
and serves as a collaborative platform for the on-going national
efforts related to national crisis preparedness. Colonel
Cederberg's earlier assignments include working as the head of
Strategic Planning and Foresight at the Ministry of Defense.
Before this he had a long career in the Finnish Defense Forces.
A Passion for a Cyber Safe World

CYBERWATCH
FINLAND
www.cyberwatchfinland.fi
