NATO membership strengthens Finland’s cyber defence

From a digital perspective, Finland’s NATO membership is a continuation of the European Union’s intensifying common cyber policy. The EU will continue to play a clear role in developing cyber security.

However, the EU’s role in cyber defence, as in other areas of national security, is highly limited. NATO membership would also allow for greater support and cooperation on cyber defence issues. NATO membership is not expected to bring any legislative changes around cyber security.

Attention to crisis management and practical processes

In recent years, the European Union has passed a significant amount of legislation regarding cyber security. The latest are the NIS2 and CER directives related to the EU’s network and information security and to social resilience regarding critical services.

In terms of regulation, the legislation is in order and is continuing to be updated. Finland still needs to ensure clear models of responsibility, cooperation and leadership at the national level. Regarding the EU sanctions related to the war of aggression launched by Russia, the responsibility for implementation was placed on the member states, which, in turn, had difficulties finding a competent national authority. Fortunately, an administrative regulation was finally issued regarding the media restrictions of the sixth sanctions package. The division of responsibilities between the EU and the member states and between different sectors of government at the national level creates a need for coordination.

Another good example of shared responsibility is the implementation of the CER Directive mentioned above, which is the responsibility of the Ministry of the Interior, while the implementation of the NIS2 directive is the responsibility of the Ministry of Transport and Communications. It is obvious that cooperation between the different silos must work well so that the business field is not ultimately offered vague, contradictory and possibly even overlapping instructions.

Strengthening the cooperation between the private and public sectors must remain at the heart of cyber preparedness. Telecoms companies, as operators of critical infrastructure, have the opportunity and the willingness to bring their expertise and contribution to securing the maintenance of society. Cooperation between public administration and business is a rational use of the resources of a small nation and, in many respects, more than just talk in Finland. Let us also focus on private/public cooperation in the future.

The development of cyber security and national guidelines for cyber preparedness must not become an obstacle

The successful cooperation between Microsoft and the Ukrainian government will hopefully be explored several times in the analyses of Russia’s war of aggression. Just hours before Russia launched its attack on Ukraine, Microsoft identified new attacks on Ukraine’s digital infrastructure. Hyper-scaled cloud computing services played a key role in combating the attacks.

Regulatory simplification is a commonly repeated mantra both in the European Union and at national levels. Regarding cloud computing services, Finland has managed to do exactly the opposite. In Finland, three sets of guidelines exist for classifying data for public sector services. In all of these, the information is classified into two different security categories. Unfortunately, the guidelines for appliers and parties acquiring services are not very transparent on what applies to what.

There is also a need to go through the critical points of security of supply so that, if necessary, companies understand the needs and the authorities have an idea of how to implement practical measures. These practical measures might include the obligation for national roaming or the prioritisation of network traffic.

At worst, playing it safe will become an obstacle to the effective utilisation of new and cyber-safe technology.

Concerns about cyberattacks continue

Concerns about the growing cyber threat throughout the early part of the year have, so far, not materialised. The forecasts for the current year are full of concerns. For the time being, vulnerabilities and attacks will be detected as usual, thanks to continuous monitoring, cooperation and expertise. Telecoms operators are constantly preparing for various cyber threats. The current situation builds on the systematic work of the previous years. Security is not built overnight, and we cannot afford to be careless.