- The digital world is often associated with something highly technical but in fact, digitality plays a significant role in our daily lives. Without cybersecurity, there would be no digital life as we know it.
- We are all responsible for cybersecurity. As cyber permeates every aspect of our lives, cyber defence and the need to defend national sovereignty in cyberspace are becoming hot topics of discussion.
- Catharina Candolin, expert on Cybersecurity at OP Financial Group and Board Member at SSH Communications Security Corporation explains why cybersecurity matters and what cyber defence involves.
Catharina Candolin, cyberspace is a huge and complex concept that people find hard to grasp. Can you explain the connection and interaction between cyberspace and the physical world?
As you said, we are talking about a huge concept that involves many different dimensions. People often regard the digital world as something distant and highly technical, but once we understand the close linkage between our daily activities and digital services, we soon realise it is not that distant after all.
The functions of society, from banking services to logistics and entertainment, are largely based on various technological solutions. Technology is an integral part of our social and professional lives. We communicate in various social media and arrange meetings using a number of digital services. Digital tools enable meetings at short notice and on a tight schedule and decrease the need for travel. Using these tools has become such an inseparable part of our daily lives that we no longer think of them as something very technical.
The physical world provides access to technological solutions that we can use to build an even more sophisticated digital world, but at the same time we use digital services to control the physical world.
Why is cybersecurity so important?
Without cybersecurity, digital life as we know it could not exist.
When the internet was first created, it was designed to withstand a nuclear attack. Cyber threats as we know them today were not foreseen at the time. However, technology often comes with vulnerabilities that can be exploited and make it possible to use technology for purposes other than those originally intended. This offers opportunities for criminals to make money, and for states to promote their own political, economic, and military agendas. Cyber security is the practice of protecting our information and systems against such malicious activities.
Many of society’s critical functions rely on information systems and networks. What are the current threats to infrastructure?
When we talk about critical infrastructure, we usually refer to the power grid, information networks, telecommunications, land, sea and air logistics, health care services, central and local government services, financial services, and the handling of hazardous materials. In other words, critical infrastructure covers the key functions of society. Any disruptions in this chain of operations will have a serious and wide-ranging impact.
From a military perspective, the cyber domain is an operational domain similar to land, sea, air, and space. In order to create impact through cyber operations, the target must be such that it affects the society. And the targets that would affect the functioning of society are the various critical infrastructures. For example, disrupting logistics could cause the containers with food and goods to be stuck in the harbours, thus causing a major food crisis. Disrupting the financial system and hindering people from paying for goods could lead to riots in the streets. Disrupting the electrical power and/or telecommunications infrastructures would also have impact on all other infrastructures.
Cyber operations are not per se restricted to times of war. However, looking at the war in Ukraine, this is the first time that cyber operations are used to this extent as part of conventional warfare, and the critical infrastructures have been targeted. This is most likely to be the new normal in contemporary warfare.
However, the critical infrastructures may be of interest to criminals as well. The financial sector may seem an obvious target, however, other infrastructures have also been exploited, such as the health care system during the pandemic.
What are the current threats to companies?
On a general level, companies face the same threats as the rest of the society, that is, nation-states, criminals, hacktivists, etc. For example, nation-states or criminals may be involved in industrial espionage. Companies may be the subject of extortion through ransomware, or they may be hit by a large-scale denial of service attack that disrupts their operations. Some companies may be targeted for ideological reasons. Some may become a victim through a supply chain attack or be used as a hopping point in a so-called island-hopping attack (where they are part of the supply chain to the intended target). And sadly, some may fall victim to the insider attack, where for example a disgruntled employee wreaks havoc.
Who is responsible for cybersecurity and for maintaining situational awareness?
Everyone has a role to play in ensuring cybersecurity.
The government is responsible for legislation and for providing the mandate and resources to the authorities. Many countries have a National Cyber Security Centre, which typically provides situational awareness, incident response handling, etc. The police typically are responsible for fighting cybercrime, while the armed forces are responsible for national cyber defence, which includes cyber intelligence, offensive capabilities, and defensive capabilities.
The private companies are responsible for their own cyber security, with all that it entails.
Individuals, on the other hand, also have a responsibility. As employees, people are responsible for following company guidelines. And as private citizens, we should all follow some basic rules of cyber hygiene: keeping our devices up to date, not clicking on weird links, not disclosing private information, and so on.
How would you characterise our understanding of cyberthreats? Is there any room for improvement?
Yes, absolutely. We should all have a basic understanding of cyber threats, similar to how we understand threats to our security in the physical world. For example, if a stranger came up to us, asking us to tell them some personal information about ourselves, we would not reply. We would not give our credit cards to this stranger either. So why do we fall for this in the digital world?
Cybersecurity should be incorporated into the school syllabus. For example, children are being taught how to behave in traffic. So why not teach children how to stay safe in the digital world, and what they can do if they run into situations they find weird or threatening?
In addition, parents should understand their responsibility for protecting the privacy of their children. Children have the same right to privacy as anyone else, yet they may not have the same possibilities to decide for themselves. Many parents, for example, like to share pictures and stories of their children on social media, without the consent or understanding of their children. This creates a digital footprint of the children that will follow them for the rest of their lives. We do not know how all this data can be utilized in the future, possibly for malicious purposes.
GDPR is one step on the way to privacy protection. But we still have a long way to go.
You have demanded more discussion about ways of defending Finland’s sovereignty in cyberspace. What do you mean by this, and what actions would it require?
There is a general conception that a cyber attack can be considered an armed attack if the scale and impact are comparable to that of an armed attack. In this case, the state has the right to defend itself.
First of all, this would require attribution, which means that the aggressor is identified and called out. This requires both technical capability and political will.
Second, national situational awareness (including the private sector) is needed to understand the scope of the attack and the measures required to prevent it from escalating.
Third, operational leadership should be defined and exercised.
Fourth, countermeasures need to be considered. They may be anything from diplomacy and sanctions to a kinetic (i.e. armed) response. Some nations even include the possibility to respond with nuclear arms.
Fifth, the legislation should be up to date and understand the nature of cyber operations. The authorities should have the necessary mandate to operate in case of a large-scale cyberattack.
Finally, international collaboration would provide support for a nation under such an attack. That may include better situational awareness, a broader base for sanctions (as they would be more effective when imposed by a group of countries instead of a single country), and in the case of NATO, a possibility to invoke article 5.
The purpose of having the structures listed above in place is to raise the threshold for an aggressor to conduct cyber operations. This would not remove the responsibility of the critical infrastructures to take care of their cyber security, but it would add an extra level of deterrence.
Do you think the EU should strive for technological sovereignty and increase innovation and investment in cyber defence?
I think the EU should adopt a wider approach to technology to address the fact Europe is about to be trampled over by the tech superpowers – China and the United States. This question is larger than just cyber defence.
This begs the question: why? Perhaps because the European Union is made up of several small states. And while we do have many universities and high-quality research, we don’t have something like a Silicon Valley. There are also other structural issues that hold us back. For example, if you come up with a product in one of the states in the US, you can expand to the whole country, whereas in the EU, you still need to consider the legislation in each Member State.
The EU should strive for technological sovereignty and become a global competitor in the field of technology. While Nokia and Ericsson are strong players when it comes to 5G, we need more success stories. The EU should also be able to give birth to companies such as Apple, Microsoft, Amazon etc.
How will Finland’s future NATO membership affect our cybersecurity?
NATO membership will give Finland a seat at the table with other Allies, along with access to information and an opportunity to participate in situational interpretation. We will be part of the NATO intelligence network and thereby privy to intelligence information, warnings, and situational awareness.
NATO defines cyberspace as an operational environment and cyber defence is part of collective defence. This means that article 5 may come into play. This means that we are obliged to support another Ally that has come under attack, or that we may ourselves be the ones requesting support. Therefore, it is so important to have an understanding of what defending the sovereignty of a nation also in cyberspace means, as discussed earlier.
NATO’s investment in industrial cooperation will provide opportunities for Finnish companies to offer their products to NATO; this will further expand our markets and opportunities for joint projects.
New technologies involve new security threats, but at the same time they offer tools for mitigating these threats. What kind of cybersecurity challenges can we expect in the future?
The area of cyber security is like a cat and mouse chase. Once we come up with another solution for cyber security, the malicious party comes up with a solution to circumvent it. This development is ongoing, and it is driven by both state actors and criminals.
Some technologies of interest at the moment are, for example, artificial intelligence and quantum computing. Artificial intelligence and machine learning are being utilized for cyber security solutions; however, it is expected that they will be increasingly used also for offensive cyber operations. Quantum computing, on the other hand, is expected to break many of the cryptographic solutions we rely on today. That also means that encrypted information can be stolen today and decrypted later, when quantum computers have become powerful enough. While some information may have become obsolete, other will not, for example, medical records. That means that we should start to migrate towards quantum secure solutions already as we speak. Fortunately, we have good know-how in Finland when it comes to quantum computing and quantum cryptography. However, it’s not enough to understand the threat, but we should start doing something about it too.