Text by Shaun Waterman
NATO’s newest pending member has lived in the shadow of its increasingly aggressive Russian neighbor for two centuries. Finland offers a model of how a Western democracy can harden its vital industries against cyberattacks while resisting hybrid conflict and information operations, but can other countries follow suit?
HELSINKI — When the Finnish team won the world’s biggest multinational cyber wargame earlier this year, it underlined what infosec insiders have long admired about this small Nordic nation, precariously perched on the Western shoulder of the Russian Bear.
The Finns are pretty good at cybersecurity.
Not just the technology — though the country is the birthplace of the Linux operating system and SSH Secure Shell — but the policy: Figuring out the complex relationships between government agencies and private sector infrastructure owners needed to secure the networks of an advanced industrial democracy. And now that the Russian invasion of Ukraine has reversed three quarters of a century of Nordic neutrality, driving both Finland and its neighbor Sweden to opt for NATO membership, the country has been thrust into the global security spotlight.
This week, the 30-nation alliance formally approved an “accession protocol” for the two aspiring member states. The protocol still must be ratified by the legislative bodies of all the existing members, including the U.S. Congress, before their membership is finalized.
“Russia’s attack on Ukraine has changed our security environment completely,” Prime Minister Sanna Marin told a recent European summit. “There’s no going back.”
On a recent trip to Helsinki sponsored by Finnish cybersecurity firm WithSecure, former government officials, scholars and cybersecurity experts told README Finland could be a model not just of how to secure nationally vital IT networks, but also on how to combat information and hybrid warfare operations of the type Russia has been wielding so deftly for decades against its democratic adversaries.
Finland formally adopted a whole-of-society approach to its security in 2010, said retired Col. Aapo Cederberg, who led the team that drafted the strategy. Its roots are in the Cold War-era concept of “total defense,” he explained.
“In times of war or other crisis, the whole nation can be mobilized,” said Cederberg. “It’s a great approach for cybersecurity because it relies on the resources and capacity of the whole country,” including the private sector companies that own and operate the IT networks and the media platforms where cyber and hybrid conflicts are fought.
That emphasis on communication was the secret to the Finns’ success at the annual Locked Shields cyber exercise staged at the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) in Tallinn, Estonia in April, according to Adrian Venables, a senior researcher at the Tallinn University of Technology.
“Being able to communicate and manage effectively within the team is as important as the technical skills of the team members,” said Venables, who helped design the exercise. “The best teams are more holistic and cohesive. And they’re able to defend their systems more effectively, and move resources to where they’re most needed as the scenario develops, and the threat posture of the adversary changes.”
The Locked Shields victory has highlighted what some are calling the Finnish model of cybersecurity — one based on mobilizing everyone to help protect critical networks.
The Finnish approach
Cybersecurity, as U.S. officials often note, is a team sport. What Finnish cyber leaders say they’ve figured out is the team org chart, those sticky and conflictual relationships between government and private sector; among law, regulation and best practice; and among the military, intelligence agencies and domestic law enforcement. That complex set of dependencies and authorities must somehow be balanced to best manage risks from foreign hackers, cyber warriors and online spies.
The Finnish model of “whole-of-society security” is suited to cybersecurity, explained Mikko Hyppönen, a veteran white-hat hacker and chief research officer of WithSecure. It is based on the idea that, in times of crisis, private sector companies, civil society organizations, and local governments fall into line behind the national authorities, providing a force multiplier. In the cyber domain, securing vital networks in a Western democratic capitalist country means getting the private sector to do the work, because they own the infrastructure.
“Leaders in Finnish companies understand their responsibility for defending the country,” Hyppönen told README. “They understand that it doesn’t come free, they understand that companies have to do their part, they understand that there might be costs involved.”
He highlighted Finland‘s national defense courses, which bring together lawmakers, top company executives and officials from the country’s military and law enforcement agencies several times a year.
“For a week or two, a group of 40 or so go off and plays wargames, tabletop exercises where you game out responses to various kinds of attacks,” said Hyppönen, who has taken part in previous years.
By the end of the exercise, the C-level executives understand the importance of their role in securing the country.
“All of this translates to public private partnerships [in cybersecurity] which work,” he said.
Cederberg, who now helms a cybersecurity consultancy, said the whole-of-society approach — also known as “comprehensive security” — makes a virtue out of a necessity for Finland.
He called it “a poor man’s security concept.”
“Look at the map,” he said. With an 830-mile-long border with Russia and a population of just 5.5 million, Finland can’t afford a standing military large enough to deter a Russian attack. Its military is just 23,000 strong. But the universal male draft and regular refresher training means the country can field 280,000 personnel — including a few thousand female volunteers — at short notice.
For the 1,500 companies that own and operate Finland’s critical capabilities — from banking and healthcare to transportation and energy — each has “a planning cell” to train for their role in a national level crisis, said Cederberg. Those trainings are coordinated by the National Emergency Supply Agency, or NESA, and its public-private partnership council, the National Emergency Supply Organization, or NESO, whose responsibilities stretch far beyond cybersecurity and domestic crises.
For instance, Finns also need to be ready to deal with supply chain shocks from outside the country, explained Markus Holmgren, a research fellow at the Finnish Institute of International Affairs.
“Because Finland is a small nation, our critical supply chains, in basically all sectors, extend far outside of our borders,” he said. “And often that means that preparedness cannot consist of responding quickly to solve the root cause. Instead, we have to diversify and reroute our supply chains, so that we’re prepared for disruptions that cannot be quickly solved.”
While NESA and NESO provide operational planning, policy coordination rests with the Security Committee — a multi-agency oversight body that advises policymakers.
Cederberg was secretary general of the committee from 2007 to 2013. “The politicians are not very eager to be advised,” he recalled.
The committee produced a new national security strategy, based on the whole-of-society approach, in 2010. It added a cyber strategy in 2013 that distributes responsibilities for cyber defense across the government.
Cederberg differentiated Finland’s integrated approach from the American model: “We don’t have like in the U.S. your Cyber Command and there’s a lot of power under the Cyber Command.” In Finland, he said, authority is more dispersed: “So our Cyber Command is actually the whole government, and every minister is having their own role and their capacities.”
Indeed, one potential downside of the Finnish cybersecurity model, according to Holmgren, is that this dispersal of authorities means there “isn’t really one person in charge comprehensively, below the level of the Prime Minister” herself.
At a day-to-day operational level, the National Cybersecurity Center under the Finnish Transport and Communications Agency provides the connective tissue between government agencies and a dozen or more vital industry sectors, according to Cederberg. Many private companies are required by regulation to report attacks and other network anomalies.
Cederberg said in his role as a private consultant to foreign governments, he is often asked to try to guide the implementation of a whole-of-society approach to cybersecurity.
“We are seen as neutral,” he said. “Sorry to say, they don’t want the U.S. system, they don’t want the Chinese system. There is not any European(-wide) solution as yet, but then they might turn to us and say, ‘Okay, you might be in a position to help because you don’t have any political intentions.’”
Succeeding in hybrid conflicts
Finland was a territory of the Swedish empire for hundreds of years until the beginning of the 19th century. Today, Sweden is one of Finland’s closest allies, and its embassy dominates the front of Helsinki’s harbor-side market square.
In 1809, Finland was seized from Sweden by Russia in the final war of an on-again, off-again conflict between the two empires that spanned six centuries . It eventually became an autonomous Grand Duchy under the Russian Empire. During the chaos of the Bolshevik revolution in 1917, Finns declared themselves independent — and promptly had to fight the first in a series of wars with Russia to maintain that independence. Yet at the center of Helsinki’s Senate Square stands a statue of Tsar Alexander II — the 19th century Russian imperial leader who’s celebrated as a reformer who laid the seeds of Finnish self-rule.
Finland’s complicated historic relationship with Russia has made it a test bed for hybrid conflict as its much larger neighbor has sought to interfere in its internal affairs, honing the sort of information operations the Kremlin ran against America in 2016.
“We had to find ways to fight their information manipulation,” said Cederberg. “So we had to find ways to inform our population about the stories they are telling. They are fake news, real fake, they are rubbish.”
One important component of this focus on media literacy is the NESO media pool. Finland’s Mediapooli “provides media companies with a forum for cooperation where companies and relevant authorities seek solutions together on mass communication security,” according to a study by the European Parliament. The forum promotes best practices for ensuring continuity of operations for media organizations and provides training for identifying and countering disinformation.
Finland’s experience countering Russian information and hybrid warfare operations is well understood amongst its EU partners. It’s no accident that the European Center of Excellence for Countering Hybrid Threats is based in Helsinki, the group’s head of international relations, Rasmus Hindrén, told README.
“It’s about history. It’s about culture, it’s about shared experiences,” Hindrén said. “And there are these shared experiences in Finland, about living next door to Russia.”
Even through the years of neutrality, Finnish society enjoyed “a relatively clear threat perception,” said Hindrén, “which led to a shared understanding of the threats, and consequently a strong willingness to defend the country.”
Is Finland unique?
But is that shared understanding something that other NATO countries could replicate?
The relative homogeneity of Finnish society helps inoculate it against hybrid operations, said Hindrén. The country enjoys “a good level of social cohesion and a [high level of] trust in authorities,” he explained, but those factors were the outcome of policy choices. “That has also been fostered, very deliberately, with various tools, like the education system and the conscription system.”
All of that reduces the social divisions that Russian information operations seek to exacerbate, according to retired British military intelligence officer Col. Philip Ingram. Russians “want to try and influence the way people are thinking, find fractures in political and economic relationships and put their disinformation knife in the crack and just wiggle it to make it bigger,” Ingram told README.
There’s one final, uniquely Finnish, characteristic that helps protect the country from information operations, said Hindrén: The language.
“The Finnish language is notoriously difficult” to learn, he explained, “So it would be hard for a non-native language speaker to find good ways, for instance, in social media, of trying to convince the Finnish public of something,” he said, especially if they’re using bots that have so far been “relatively easy to see through.”
Nonetheless, Hindrén said he believes Finland can be a model for both NATO and EU partners .
The Center of Excellence for Countering Hybrid Threats was established, in part, to “see whether some of these Finnish experiences might be valid in other contexts as well,” he said.
Not everyone is convinced. Hyppönen, for one, remains doubtful that the U.S. can summon the sense of urgency required to make Finland’s model work across the Atlantic.
“The United States doesn’t face an existential threat,” he said, “You’re not fighting for your survival. We are. Both my grandfathers fought the Russians, I did military service. It’s a different scenario here.”
This article was originally published by the README
Follow Shaun Waterman
We’re on social media and we’d love you to give us a follow! You can catch us on LinkedIn and Twitter by using hashtags #cyberwatchFI #CyberCatchFI
Photo by Jonik Wikimedia