A wave of cyber attacks – a so-called cyber tsunami – could have the effect of crippling power grids, banks and even healthcare services in Finland. But according to researchers Martti Lehto and Jarno Limnell, no one actually has strategic responsibility for coordinating defences in the event of a large-scale cyber incursion affecting critical systems.
The researchers penned a report following a detailed review of strategic leadership in Finland in relation to managing a massive cyber attack.
They found that Finland possesses a great deal of cyber security expertise, as it is currently home to a new EU hybrid threat centre, as well as a number of private cyber security firms.
However, the authors noted that in the event of a serious cyber security breach, there is no state actor responsible for coordinating responses involving public authorities, private companies and affected organisations.
Planning needed to prevent a cyber tsunami
So far, Finland’s cyber defences have not been seriously tested in a situation where critical functions and systems have been compromised by a cyber shock.
The researchers spoke of the risk of a “cyber tsunami” and called for Finland to develop a strategic plan to head off the potential fallout from such a situation.
“If there was a serious cyber attack today, then responsibility would probably fall to the authority or ministry whose accountability is closest,” Limnell said.
“But unfortunately, unpleasant situations may arise when you have not decided who is responsible, who has authority and how the process should go forward. This responsibility [question] is important especially if there are serious disruptions and exceptional circumstances,” he added.
Who acts when the power grid is down?
In any operating environment, defenders must work against the clock.
“It is already a challenge and it is going to be even more so in the future. Because humanity is developing technology faster than ever before in our history, this creates threats and risks that we cannot see in advance. It is therefore important to have competent cyber security leadership,” the researcher added.
One example of strategic leadership is a decision on which social functions to prioritise if a major attack on the power grid compromises electricity supplies.
“The energy sector is critical in our society. Finland is highly dependent on electricity. The finance sector is also fully digitised and has a central role. Health care is another. If the digital functions in health care do not function, it can have a major impact on destabilising Finland,” Limnell commented.
Responsibility should be close to the PM
The report points out that states should designate strategic responsibility for cyber defence in the same way that they have strategies for air defence as well as naval and ground forces.
The report itself lays out five different models for organising responsibility for cyber defence work. It notes that the new hybrid threat centre has a central role to play, but stresses that strategic responsibility for cyber defence should be as close as possible to the prime minister.
“Compared to several other countries, we can see that strategic responsibility is often closest to the highest political leadership. These are such important strategic decisions that the government must be close,” Limnell concluded.