Cyberwatch Finland magazine 3/2021

Special media of strategic cyber security

MAGAZINE 2021/3

STRATEGIC CYBER LEADERSHIP IS NEEDED TO ADDRESS CURRENT SECURITY CHALLENGES

HOW TO PRIORITIZE SECURITY?

An overview of Russia’s electronic warfare

CHINA’S CYBER POLICIES


CONTENT 2021/3

Cyberwatch Magazine

Strategic cyber leadership is needed to address current security challenges
Hybrid work comes – and a few questions to ponder with it
Cyber security challenges of shopping centers
How to prioritize security? Insights from the payment processing industry
The Password Problem – reason for majority of cyber attacks
China’s Cyber Policies
Blockchain’s potential in the realm of cybersecurity
Iron for EU’s cyber diplomacy
An overview of Russia’s electronic warfare
Quarterly review
Changing tides of Belarus: towards regional destabilisation?

PUBLISHER Cyberwatch Finland, Huopalahdentie 24, 00350 Helsinki, Finland, www.cyberwatchfinland.fi

PRODUCER AND COMMERCIAL COOPERATION Executive Producer Kirsi Toppari kirsi@cyberwatchfinland.fi, Commercial cooperation Cyberwatch Finland team office@cyberwatchfinland.fi

LAYOUT Atte Kalke, Vitale atte@vitale.fi

ILLUSTRATIONS Shutterstock

ISSN 2490-0753 (print) ISSN 2490-0761 (web)

PRINT HOUSE Scanseri, Finland


Editorial

STRATEGIC CYBER LEADERSHIP IS NEEDED TO ADDRESS CURRENT SECURITY CHALLENGES // Aapo Cederberg

CYBERSECURITY IS MOSTLY PERCEIVED as a technical problem, or a challenge related to the use of the internet. Of course, that is also the case, but mainly it is a strategic phenomenon that, if poorly managed, can destabilise the entire organisation’s existence. Globally, a ransomware attack takes place every 11 seconds. Cybersecurity Ventures, a research company, predicts that this year cybercrime will become the world's third largest "national economy" after the U.S. and China. We can say that cybercrime has become an industry that is increasingly run like a global enterprise.

As of 2005, 34 nations are suspected of supporting criminal cyber operations. The most significant cyber operators are China, Russia, Iran, and North Korea, which are behind almost 80% of the worldwide state-sponsored cyber attacks. Almost 50 hacker groups tied to the Russian government are known, 35 of which are included in the most dangerous category, namely the APT groups. China also has some of the strongest global hacker groups. APT groups supported by Iran and North Korea are purely for the use of the government.

We are therefore forced to recognise that this is a strategic phenomenon. The causes of cyber operations are very much political, and the knock-on effects support political goals, or the objectives of activists and terrorists. The cyber world is like a barometer of global politics.

The question arises as to what is the reason for all of this and why cyber operations are so profitable. The simple explanation is digitalisation. The global economy, production facilities, energy production, supply chains and logistics, as well as the lives of each of us, are increasingly dependent on digital infrastructures and services. Cybercrime is today's piracy and state cyber operations are today's asymmetric warfare. Cyber operations are the spearhead of hybrid warfare and part of global information warfare. The target can be every state, company and person, and global interdependencies will cause nasty surprises.

It goes without saying that a strategic phenomenon in this category requires strategic leadership, both by the state and by companies and organisations, without forgetting the roles of the UN and the EU. In Finland, the cliff of Suomenlinna aptly reads: “Afterlife, stand here on your own floor and do not trust the help of an alien”. This historical fact is still relevant for every Finnish company and organisation in building their strategic cyber management and leadership.

The question is what kind of action is needed. Strategic cyber management and leadership can be defined in accordance with the general principles of management and leadership. I have summarised it in eight very simple sub-packages. They are the fundamental pillars upon which strategic management and leadership must be built.

FUNDAMENTAL PILLARS OF STRATEGIC CYBER MANAGEMENT AND LEADERSHIP:

• Comprehensive and reliable cyber situational awareness of senior management
• Reliable and credible cyber risk analysis and risk management system
• Agile cyber preparedness and continuity management plan
• Well-trained and practiced crisis management organisation
• Appropriate cyber training for all personnel
• The right and innovative cyber technology choices
• A properly allocated cyber budget
• Flexible and ever-evolving cyber culture


These fundamental pillars clearly demonstrate that cybersecurity must be on the agenda of higher management and an integral part of the day-to-day management and leadership of every company and organisation. Responsibility is indivisible and management must have adequate cyber risk literacy at all times. This does not mean that everyone must be a technical expert, but a holistic understanding of the cyber world creates good conditions for management and timely decision making. Investing in cyber management will certainly pay for itself through better competitiveness and staff satisfaction.

With technology, we can solve less than half of the ever-growing challenges of cyber and digital security. People come first: a responsible employer invests in cyber skills and digital skills that we all need in our daily lives as well. After Corona, we are moving to a hybrid work model where some employees are permanently working remotely, and some are in the workplace. Flexibility and secure working methods and tools are needed. Now, if ever, is the right time to invest in cyber management and create a flexible and reliable cyber culture for every company and organization. Cyber security arises from small actions that form a strong and well-functioning ecosystem. In this way, we safeguard the operating conditions, competitiveness, and well-being of all of us. There is a tremendous force for change in sustainable cyber culture.

The government cannot tackle all cyber-attacks; its priority task is to secure the critical services and vital functions of our society. Therefore, improved strategic cyber leadership is also needed at the state level. Cooperation and the preparedness and resources of society as a whole are needed. Everyone must take care of their part of cyber security. The pandemic has clearly shown that crisis management needs to be improved. As such, an excellent overall security model is not enough if the leadership is flawed. The country is being defended not only on land, sea, and air, but even more so in a world of bits in cyberspace. Our digital independence is challenged every day.

AAPO CEDERBERG Managing Director and Founder of Cyberwatch Finland, Chairman of Cyber Security Committee of World UAV Federation (WUAVF)


How to prioritize security? Insights from the payment processing industry // Monika Liikamaa

When it comes to compliance and security, no other industry is as strictly regulated as the financial industry – especially when working with payment processing like we at Enfuce do. That’s the playground I have been in for the last 20 years. During all these years, I’ve learned to love the regulated and controlled environment. In payment processing, we’re handling sensitive data about people and their payments. When you are dealing with money you need to be aware of the negative side, involving money laundering, human trafficking and terrorist funding. That’s why the strict regulations are more than justified.

When systematic, industry-wide regulations that require compliance and security are missing, many industries rely on self-monitoring and following best practices. Unfortunately, the lack of these regulations often leads to industries falling behind. I’m certain that companies are not neglecting security and compliance factors on purpose. They have a lack of knowledge and understanding. For these companies, security is not a priority unless it has to be. Yet, regulation is a great way to make it one. Security not being a priority for every company highlights the fact that we should share our knowledge across industries. The financial industry is a great benchmark and place to learn for many others.

For Enfuce, compliance and security are hygiene factors. If we do not operate in a compliant way, I can quit my job on the spot.

BUILD, MAINTAIN, AUDIT AND REPEAT

Enfuce was the first company in the world who took payment processing to the public cloud. That was already years ago and I still hear arguments suggesting that the cloud is not a safe place to store sensitive or toxic data. It is true that the security and compliance of on-premise solutions or the cloud shouldn’t be taken as a given. Security is all about how you build your solution, how you maintain it and the way you audit it. I often compare this to building a house. First, you create a building plan that includes for instance house strength calculations. This plan then needs to be approved by an external party before you can start the building process. When the house is complete, you constantly keep maintaining it. This brings me to my greatest piece of advice: having a mindset we at Enfuce call compliance and above. It is a principle we have had from the beginning. So, when you are building a solution, make sure that it is secure also in the future as your business grows. Circling back to the house analogy – you don’t want to build a house where you find indoor air problems after a few years or realize that it’s way too small right after completing it.

COMPLIANT AND SECURE SERVICES DO NOT MEAN BAD USER EXPERIENCE

One often-heard story is about security and how it leads to bad user experience. When we think about paying, only a few people like it. Consumers want to make their payments fun and effortless. One good example is Klarna. People keep using it when shopping online even though it is not based on strong customer authentication, which increases the risk of misuse. It just feels so effortless. It’s easy to explain a bad user experience with security, but I see that as laziness. Technology is never the issue. The challenge is organizational silos and poor management. When I was working as a CIO, I wasn’t interested in the end-user experience. My performance was measured in other KPIs. I’m sure that in the future we will see plenty of user-friendly, effortless, and secure payment services. Enfuce and I will stay at the forefront of this development. 

ABOUT ENFUCE

Enfuce offers payment, open banking and sustainability services to banks, fintechs, financial operators, and merchants. By combining industry expertise, innovative technology, and compliance, they are delivering long-term and scalable solutions quickly and securely. Established in 2016, Enfuce currently employs 70+ driven professionals in the Nordics and has 13 million end users on their platform.

MONIKA LIIKAMAA Monika Liikamaa is a Cofounder, CEO and Chair of Nordic payment service provider Enfuce. Monika’s visionary thinking and her 20+ years of experience in the fast-paced payment industry has enabled Enfuce to integrate services for its customers in record time.



China’s Cyber Policies // Juha A. Vuori Professor of International Politics Tampere University

The People’s Republic of China can be counted among the top three in the great power deployment of cyber capabilities both in their military strategies and intelligence activities. China’s brand in cyber espionage has been the gathering of industrial and other economically viable information for the benefit of China’s military complex and other branches of industry. China’s policy in this regard has been seen as shifting since around the mid-2010s though. This change coincided with the revelation of severe weaknesses in the cyber security of China’s cyber operations in the form of the Mandiant report and the Snowden leaks. These prompted president Xi Jinping to produce a cyber strategy for China and set cyber defence as its own branch of the People’s Liberation Army among the large scale military restructuring he oversaw. There have also been legislative reforms that have had a bearing on China’s cyber policies both domestically and internationally. These have included legislation regarding cybersecurity and terrorism.

Overall, China’s cyber strategy serves three types of aims. First are the military defence and offence capabilities of the PLA in the cyber realm.

China’s military doctrine has emphasized the informatization of warfare already since the 2000s where integrated network electronic warfare denotes what generally is labelled cyber war. This has been supplemented with the inclusion of asymmetric and hybrid forms of waging war. Unlike Russia though, China is not actively engaged in any military conflicts despite having had some border skirmishes with India and expanding its position in the South China Sea. The PLA’s Strategic Support Force has been tasked with developing China’s offensive cyber capacities, and for defending China’s military and state assets.

The second task of China’s cyber strategy is economic.

While representatives of the US have admitted that it engages in industrial espionage, they also claim that such information is not used for the benefit of US companies but merely as national security intelligence. In China though, where even the PLA has been engaged in economic activities, industrial espionage has been used to develop state industries and to directly benefit particular companies. Xi’s line has been to reduce this role in the strategy though: as long as China’s industries rely on intelligence gathering for their development, they will always lag behind. Xi’s goal is to make China a cyber power and a leader in many fields of technology, which has meant that this role has been reduced.

The third task in the strategy is to guarantee the domestic security situation.

This has meant the development of the world’s most efficient surveillance and dataveillance system directed at China’s own citizens. These systems, which deploy facial recognition and wide-scale censorship activity, target both potential violent terrorist activities and political dissidence. While China is connected to the world-wide internet, it also has the capacity to isolate China and prevent most of its netizens from accessing information freely. These systems are in place to guarantee the security of the Communist Party, but they have also made online China doubly vulnerable. As citizens cannot be allowed to have secure communication without the potential for intervention, Chinese citizens and small businesses have very low levels of cyber security systems in place. Chinese cybersecurity education, industry, and culture are all underdeveloped. This has made China very vulnerable to international cyber-attacks and espionage too.

In addition to these three main missions China also engages in cyber intelligence gathering. Reducing the industrial espionage role of China’s cyber missions has meant an increase in political intelligence gathering. This is also evident in what China-affiliated APT groups have publicly been identified as doing. This shift can be viewed as a normalization of China’s cyber activities and a maturation of China’s great power politics. While China’s brand is shifting away from economic espionage, it still largely avoids the use of damaging cyber capacities beyond displaying its potential for such capabilities.

China’s so-called soft power has been evaluated as fairly weak compared to the potential its culture represents. This is also reflected in how China’s misinformation campaigns have been conducted. While China has established Chinese media outlets internationally and also produces content for international consumption, the effectiveness of its information campaigns does not compare well with those of Russia. Furthermore, the brunt of such activities takes place in East Asia and along the Belt and Road rather than the US or Europe.

Internationally, China is a proponent of internet sovereignty and the establishment of a new international treaty that would codify the conduct of cyber operations. This places China closer to Russia and directly against the position of the US, which supports the application of pre-existing international law to the field of networked information spaces. As in its overall international politics, China is against the militarization of such networks and promotes the view that states should respect the sovereignty of others and not interfere in their internal affairs. This view leaves the conduct of non-damaging intelligence gathering and low-level interference such as DNS attacks in place.

When China’s cyber policies are viewed in the context of its overall foreign policy lines and the nature of its political order they appear consistent and in line with both. Even though China has been forced into a trade war with the US and is expanding its hold in the South China Sea, China still aims to keep itself off the acute security agenda of other major powers.

China’s domestic policies make China vulnerable to outside cyber assaults both due to its underdeveloped cyber security culture and the ever-widening dependence on electronic activities in the everyday. This vulnerability means that China will avoid escalating its cyber operations beyond interference and espionage in peacetime.

JUHA VUORI Juha A. Vuori is Professor of International Politics at Tampere University and adjunct professor of World Politics at the University of Helsinki. Before that he was a professor of World/International Politics at the University of Helsinki and the University of Turku. Vuori has published widely on China’s politics of security and is the principal investigator of the Academy of Finland consortium Security in China. His other research interests include securitization theory, visual security studies, and nuclear weapons related issues. Vuori is former president of both the Finnish International Studies Association and the Finnish Peace Research Association, and the current treasurer of the European International Studies Association.



HYBRID WORK COMES - and a few questions to ponder with it // Leena Nyman

The global coronavirus pandemic accelerated digitalisation in the way we worked like never before. It would have taken considerably longer to carry out a similar development through management. Now the coronavirus pandemic forced companies and employees to find new coronavirus-safe ways of working almost overnight. Finland only thrives by catching up on post-corona growth and in this international race we must progress fast. Finland has strengths in providing the world with solutions to the challenges of a digital and carbon-neutral world.

The Confederation of Finnish Industries (EK) was the first to set up an innovation project called Digital Game Changers in the coronavirus spring, in which pioneering companies looked at the business impacts of accelerated digitalisation. One of the most active working groups in the project focused on changes in work and management in the new digital age. Cybersecurity was also at the heart of the review - without functional cybersecurity, there is no business either. The working group was led by Arto Räty, a long-term business influencer at Fortum.

It is in the interests of the whole of Finland that Finnish companies can catch up on the growth market that opens with the corona exit on a broad front. The SME sector has a lot to win in digitalisation. That is why the best practices identified in the Digital Game Changers project are being distributed to the business field so that more and more companies can become the pioneers.


One concrete outcome of the project is the report 'Digital working life and cybersecurity'. The report makes recommendations to four target groups: management, decision-makers, employees, and the education sector. These groups were chosen because a digitalising world of work requires everyone to work together. Without corporate management's understanding and strategic management, new ways of working and cybersecurity will not become the foundation of the organisation. Decision-makers in turn play a key role in helping to create structures that support digitalisation and in contributing to the digitalisation of public services through their decisions. No company can survive without the valuable input of employees, and employees can support the digitalisation process by learning new digital skills and supporting cultural change in organisations. The changed working life also affects the skills needed, which also challenges the education sector. What kind of skills companies and working life will need in the future is a question everyone is currently trying to answer.

In the report, pioneers outline digitalising working life through five main themes. These are:

1. cultural change achieved through leadership,
2. new disruptive and agile business models,
3. continuous in-service training and retraining of staff,
4. innovations and cooperation in ecosystems, and
5. technology and infrastructure.


Here are some picks from our key observations:

• Digital working life and cybersecurity are crucial enablers of business and therefore need to be at the forefront of corporate strategy discussions and operations. A company cannot be truly digitised without always leading digitalisation from the top management level through the entire organisation. Leadership in general is emphasised in digitalising working life, which places new demands on leadership and calls for more attention to emotional leadership as well.
• Hybrid and remote working also require local flexibility, which will inevitably affect labour law in the future. Consultant work in particular is in transition.
• Training should focus more on continuous learning, implemented in an agile and customer-oriented way at all stages of working life. The link between education and business life is more important than ever in the midst of change! Learning new things will happen more and more at work in the future, and it will be a systematic and goal-oriented process.
• Hybrid work plays a key role in an organisational culture that promotes innovation, networking, and information sharing. This can be supported by the creation of an encouraging culture that introduces new tools to stimulate innovation and is supported by regular and effective pulse meetings.
• Across the board, cybersecurity is at the heart of our success in leading, working and doing business in the new digital age. Without functional cybersecurity, there is no business either. That is why cybersecurity is at the heart of the company's strategy.

Digital Game Changers project checklists for corporate management

Checklist for switching to hybrid work:

• Creating principles for hybrid work
• Setting roles and responsibilities
• Determining the times and places of remote working
• Meeting policies and accessibility
• Security, including cyber security
• Wellbeing
• Engage teams and employees into development work
• Draw up concrete checklists.
• Train managers to lead hybrid work.
• Prepare to learn from experiences and adapt to changing situations.
• Remember to share information and maintain communication!

Checklist for cybersecurity management:

• Create comprehensive and reliable cyber security awareness
• Ensure adequate capacity for cyber risk assessment and management
• Build an agile cyber preparedness and continuity plan
• Create well-trained cyber crisis management competence
• Build superior cyber competence in the human sector
• Procure superior cyber technologies – make smart choices
• Allocate an adequate cyber budget
• Build an agile and comprehensive cyber culture.

Hopefully, the observations, conclusions, and tools of the Digital Game Changers project will benefit as many companies as possible. Let's continue to strengthen Finnish pioneering spirit!

LEENA NYMAN, ADVISER, DIGITALIZATION, CONFEDERATION OF FINNISH INDUSTRIES EK

Leena Nyman works with promoting digitalization at the Confederation of Finnish Industries EK. She is also the product owner of Covid Digital Game Changers Task Force that was founded for forerunners to find new solutions on how to tackle challenges caused by the Covid pandemic and the fast digitalization. Leena is currently a Board member of the Foundation for Aalto University Science and Technology. She has previously also worked at the Economic Policy department at EK as an Adviser. Before her EK career Leena worked with Customer Insight at Kärkimedia and Yle.




THE PASSWORD PROBLEM – reason for majority of cyber attacks // Arimo Koivisto

How much do you love your passwords? How many passwords do you have and are you sure you do not reuse the same password in several accounts? How do you securely store all those passwords and how often do you update them? How do you avoid phishing and frauds which aim to steal your password and username?

Passwords truly are problematic for many reasons. They are painful to use, and they do not offer sufficient security. This is a significant problem: according to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work and 81% of all data breaches are successful because attackers can leverage stolen or weak passwords. This typically allows attackers to breach the system, inject ransomware, etc. Passwords are a 60-year-old invention.

Phishing attacks are something we are all familiar with. They are more and more sophisticated, and as consumers and organisations we must protect ourselves from these attacks. Typically, we must be extremely careful when logging into a service and make an extra effort to maintain password security. This requires effort to train people to be careful with their passwords and logins. Passwords are painful to use, and a typical second-factor code such as an SMS code makes the login process even more complicated. This is called legacy Multi Factor Authentication (MFA), which relies on two different passwords: the main password and a second one-time password (OTP) like the one you receive by SMS. Many organisations have deployed legacy MFA, which is a good first step.

There are already many attack methods against passwords and OTPs. Many banks suffer phishing attacks where attackers try to steal both bank customers' passwords and OTPs via false login windows. Also, Microsoft accounts are very popular among cyber criminals, who try to make you log in to false Microsoft services to steal your credentials. Several global data breaches and ransomware attacks were successful because of passwords. The list is very long: SolarWinds, Twitter, Marriott, Colonial Pipeline, Zoom etc. Also, we cannot forget how many consumer services have had their user information stolen; the main stolen information is user credentials and credit card details. During 2020 more than 20bn credentials have been stolen and many of them end up on the dark web for sale.

Cybersecurity might already be on the agenda of boards and executives, and the easiest way to protect company infrastructure and data is to take better care of user identities and login credentials. Given the number of breaches in the news today where passwords were at the root of the problem, many companies are now exploring the benefits of a secure passwordless future. Secure passwordless logins not only bring cost efficiencies and a more frictionless user login experience into the organization but deliver the security that is necessary in the post-pandemic world, when many millions of workers may continue working remotely. Deploying VPNs and virus protection is just not enough anymore. Business-critical cloud applications hosted by third-party service providers are especially important to protect with passwordless authentication.

PASSWORDLESS SOLUTION – THE FIDO APPROACH

Phishing attacks are successful since passwords are something which can be stolen. In the passwordless approach the password is replaced with asymmetric public/private key cryptography (PKI), and typically biometrics like a user fingerprint or Face ID. This makes phishing and other kinds of Man-In-The-Middle attacks useless. Passwordless solutions are also very efficient in combating ransomware attacks.

Passwordless solutions are promoted by the FIDO Alliance, fidoalliance.org, which is an open industry association with a focused mission: authentication standards that help reduce the world's over-reliance on passwords. The FIDO Alliance has created open technology standards which the biggest technology companies like Microsoft, Google, and Apple support. This means FIDO is and will be an industry standard globally for secure authentication.

PASSWORDLESS HAS SEVERAL MAJOR BENEFITS:

1 It eliminates phishing attacks, and it enables users to log in much more easily. The traditional password is a shared secret known by the user and the service. In the FIDO approach this is replaced with asymmetric cryptography (PKI), which makes phishing impossible.

2 Also, when combining this cryptography with biometrics we have an easy-to-use and phishing-resistant “password” which you do not have to store in your mind, update frequently, or worry about being stolen. 99.9% of all attacks against user accounts can be eliminated.

3 Passwordless login also saves workforce time since login is 2/3 faster than with legacy methods. Typically, people use 24-48 hours a year just on password logins.

4 Passwordless reduces IT-support cost significantly. 20-50% of IT-support costs are due to passwords in those organisations that do not use self-services for the purpose.

Lots of security and usability benefits. In passwordless solutions, login to computers or applications typically happens with a security key or mobile phone. Both approaches support biometric recognition, and this is the future of authentication. The FIDO Alliance and all alliance members predict that passwords will finally be replaced during the 21st century. The change has now started in many organisations.

ADAPTATION OF PASSWORDLESS AND FIDO STANDARDS

In early 2021 Microsoft finalised extensive support for passwordless login for all Microsoft cloud users. Many passwordless technologies are Microsoft certified and compliant with the Microsoft Azure ecosystem. A FIDO security key is a physical USB or NFC device, typically with a fingerprint reader. You can carry it easily on your normal keyring. In a Microsoft passwordless environment, the FIDO key is your “password” and you never again have to renew or remember passwords, or use separate authenticators etc., when logging into a Microsoft Windows laptop or other MS resources. This is a typical scenario for passwordless usage. Mobile phones can also work as security keys, and users can log in to computers and applications with mobile facial recognition.

Since 2017, when Google introduced cryptographic FIDO security keys to their 85 000 employee accounts, phishing in the company has been neutralised. Since then, none of Google's employees have reported any account takeover. Another great example of FIDO's security approach.

Enterprises and organisations use a lot of money and resources on monitoring user identities and login attempts. With FIDO's approach many risks can be eliminated, which also creates cost efficiency on the monitoring side. Passwordless is a proactive security method: you eliminate certain significant risks completely. Passwordless authentication is also a Zero Trust Architecture compliant solution, which means users are always verified in a strong way.

FIDO technology also meets PSD2 requirements, which is the European Union Payment Services Directive, and many banks are also implementing FIDO to meet future requirements. FIDO’s approach ensures Secure Customer Authentication (SCA), which is the next target for banks in the EU. Another FIDO example from the finance sector is Bank of America, which started implementing FIDO, for example, for their workforce. Also, Mastercard has created FIDO technology-based card-less consumer payment solutions in the US. All this means they do not have to worry about stolen credentials anymore like with traditional credit cards.

In Finland and many other countries we see on a weekly basis different kinds of phishing attacks where attackers try to steal consumers' web bank credentials with false login windows. All banks that rely on shared secrets like passwords and one-time passwords are still under these attacks and at risk. Only a passwordless approach can stop this kind of security problem.

Rakuten is a Japanese internet giant, and as part of their digital transformation they are aiming to eliminate passwords for all their workforce and customers. This huge project will take 4 years. Many major leading organisations are already moving towards passwordless and all major technology vendors support the FIDO approach. The change towards the passwordless approach is happening as we speak.

SUMMARY

Passwordless is one of the main trends in the general cyber security area in the coming years, since the password problem is well known. Passwordless authentication, by its nature, eliminates the problem of using weak passwords. It also offers benefits to users and organisations. For users, it removes the need to remember or type passwords, leading to better user experience and customer experience. For organisations, there is no longer a need to store passwords, leading to better security, fewer breaches, and lower support costs. The future will hopefully soon be fully passwordless, and organisations should start implementing passwordless very soon as a key factor of their security and digitalisation strategy.
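Why a FIDO login withstands the false login windows described in this article while a one-time password does not, shown as an added example that is not from the article or from any vendor: a simplified Node.js model of the origin check a WebAuthn relying party performs. The origins, function names and the reduced signed payload are assumptions; real WebAuthn signs the authenticator data together with a hash of the client data.

```javascript
// Added example: simplified model of a FIDO2/WebAuthn login, not a WebAuthn library.
const nodeCrypto = require('node:crypto');

const RP_ORIGIN = 'https://bank.example';              // constructed relying-party origin
const LOOKALIKE_ORIGIN = 'https://bank-login.example'; // constructed false login page

// Registration: the key pair is created on the security key.
// The server stores only the public key, so there is no shared secret to steal.
function register() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { securityKey: { privateKey }, serverRecord: { publicKey } };
}

// The server issues a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Browser plus security key: the browser records the origin it is really on,
// and that value is covered by the signature.
function signAssertion(securityKey, challenge, originSeenByBrowser) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge, origin: originSeenByBrowser,
  }));
  const signature = nodeCrypto.sign('sha256', clientDataJSON, securityKey.privateKey);
  return { clientDataJSON, signature };
}

// Relying party: check type, challenge and origin, then the signature.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return { ok: false, reason: 'wrong type' };
  if (clientData.challenge !== expectedChallenge) return { ok: false, reason: 'challenge mismatch' };
  if (clientData.origin !== RP_ORIGIN) return { ok: false, reason: 'origin mismatch' };
  const valid = nodeCrypto.verify('sha256', assertion.clientDataJSON,
    serverRecord.publicKey, assertion.signature);
  return valid ? { ok: true, reason: 'verified' } : { ok: false, reason: 'bad signature' };
}

// Shared-secret comparison: an RFC 4226 HOTP one-time password.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = nodeCrypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[19] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 1000000).padStart(6, '0');
}

function verifyOtp(secret, counter, code) {
  const expected = Buffer.from(hotp(secret, counter));
  const given = Buffer.from(String(code));
  return given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
}

// Scenario 1: the user signs in on the genuine site.
function legitimateFidoLogin() {
  const { securityKey, serverRecord } = register();
  const challenge = newChallenge();
  return verifyAssertion(serverRecord, challenge, signAssertion(securityKey, challenge, RP_ORIGIN));
}

// Scenario 2: the user is on a false login page that forwards the bank's real challenge.
// The signed origin is the false page's origin, so the bank rejects the assertion.
function fidoLoginFromLookalikePage() {
  const { securityKey, serverRecord } = register();
  const challenge = newChallenge();
  return verifyAssertion(serverRecord, challenge,
    signAssertion(securityKey, challenge, LOOKALIKE_ORIGIN));
}

// Scenario 3: an assertion captured from an earlier login is presented again.
function replayedAssertion() {
  const { securityKey, serverRecord } = register();
  const oldAssertion = signAssertion(securityKey, newChallenge(), RP_ORIGIN);
  return verifyAssertion(serverRecord, newChallenge(), oldAssertion);
}

// Scenario 4: a one-time password carries no record of where it was typed,
// so a code entered on a false page still verifies at the bank.
function otpTypedIntoLookalikePage() {
  const secret = nodeCrypto.randomBytes(20);
  const codeTypedByUser = hotp(secret, 1);
  return verifyOtp(secret, 1, codeTypedByUser);
}
```

For monitoring, the `origin mismatch` and `challenge mismatch` outcomes are worth logging separately from ordinary failures, since each points to a specific kind of attempted misuse.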

ARIMO KOIVISTO
Entrepreneur, Cipherpunks Oy

Arimo Koivisto is a long-term security and digitalization professional working as an entrepreneur at Cipherpunks Oy. He has been working with security issues for over 20 years in different companies and the Finnish Defence Forces, and has great experience of international cybersecurity and digitalization markets and actors. Koivisto has understanding and expertise in both national security and enterprise-level cybersecurity issues, threats, and solutions. “Cybersecurity domain complexity is a global problem where different political motives and technological capabilities mix into a mysterious and many times unseen phenomenon. For decision makers it is important to understand how this all affects our strategic and daily choices in the cybersecurity area.”

https://fidoalliance.org
Verizon Data Breach Investigations Report 2018 https://aka.ms/dbir2018
Microsoft security blog 2019 https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
Microsoft Tech Community 2019 https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
Hypr corporation 2021 https://hypr.com


AN OVERVIEW OF RUSSIA’S ELECTRONIC WARFARE // Juha Wihersaari


Introduction

Electronic warfare by the Russian armed forces is still often seen as straightforward communications jamming and, in this case, often precisely as tactical-level communications jamming. However, the potential of electronic warfare has increased significantly as a result of the development of information and communication technologies, and Russia has clearly heeded this. Symmetric countermeasures may be more expensive and more difficult to achieve, which often makes it smarter to pursue asymmetrical countermeasures. The war in Georgia in 2008 was also a starting point for the development of electronic warfare in Russia. In this process 1) the number of electronic warfare forces was increased and they were reorganised; 2) a bottom-up integration of the electronic warfare system was initiated, i.e., systems at the tactical and strategic levels; 3) the development of more capable systems and the modernisation of the equipment of the electronic warfare forces was started. The Georgian war also acted as the starting point for the development of Russia's cyberwarfare capabilities. Another visible milestone was 2017, when the commander of Russia's electronic warfare force, Major General Yuri Lastochkin, estimated that a new battlefield had evolved from information and telecommunications equipment. In his statement, he refers to the new information space that came with smartphones, tablets, and SIM cards and Wi-Fi access points to computers. Interestingly, the development of electronic warfare in Russia is linked to the development of cyber warfare. Officially, the cyber force did not exist until the Russian Defence Minister suddenly acknowledged their existence in February 2017. The aforementioned technological advances clearly associated electronic and cyber warfare with a new target, although their angle of entry to the target is different.

Following the above-mentioned interview with Lastochkin, Russia began to compare the impact of an electronic warfare attack with the impact of an attack with precision guided weapons. This analogy speaks well of the difference in scale between electronic and cyber warfare in Russian thinking. While the blow of electronic warfare can end a battle, the blow of cyber warfare can end a war. In Russia, several authoritative writings on the cyber threat seek the destructive effect of a nuclear attack. In accordance with the Russian military doctrine, the armed forces seek superiority in all dimensions of warfare. In the information dimension of the battlefield they seek superiority especially via electronic warfare. Western experts now estimate that in the next few years, the Russian armed forces would be able to block all civilian, military and satellite communications of the enemy, as well as the use of positioning systems, on the battlefield. Russia's strong investment in electronic warfare, which enables the information superiority of the battlefield, is likely to continue. At the moment, electronic warfare is seen in Russia as the main force multiplier on the battlefield of the next generation of wars, and no military operation is even considered to be conducted without electronic warfare. A 2018 statement by the Commander of the Russian Electronic Warfare Corps underlines the point: "In the near future, electronic warfare troops will determine the fate of all military operations". As the importance of electronic warfare grows, it is planned to be the fifth branch in the land forces, and the electronic warfare forces had already in 2017 been given their own military badge, honorary march, recruitment system, etc. A clear sign that the Russian military leadership believes that the development of the electronic warfare forces has been successful, and that this course is continuing, is Major General Lastochkin, who has led the development phase. He took over as the commander of the Russian electronic warfare forces as early as 2014 while serving as a colonel and, exceptionally, will still continue in the same position in 2021.


1 Official Definition

THE CORNERSTONE OF RUSSIAN electronic warfare review is its official definition, which can be found on the website of the General Staff of Russia. According to it, “Electronic warfare means 1) influencing enemy command, communication and intelligence systems with electronic radiation (electronic jamming), the purpose of which is to change the quality of the information moving in these systems; 2) protecting one's own systems from similar actions by the enemy; and 3) by changing the propagation conditions of radio waves (environmental conditions). The core elements of electronic warfare include electronic jamming and electronic protection, which affect the electromagnetic field (radio waves) and electronic equipment and systems. Radio jamming can be carried out with active or passive devices. The former includes devices that emit electronic radiation, such as radio or jamming transmitters. The latter are reflected (re-radiated) by devices such as dipole or angle reflectors.

“Modern electronic warfare encompasses the measures and actions needed to 1) reduce the command of enemy forces and weapon systems; 2) to maintain the command of its own forces and the effective use of weapons systems. In order to achieve the above objectives, 1) have to create chaos to enemy command and weapon systems, communication and reconnaissance systems by changing the quality of information input, the speed of information processes and the parameters and characteristics of electronic devices; 2) to protect own command, communication and reconnaissance systems from chaos and the electronic signals of weapons, equipment, military targets and forces from technical intelligence of the enemy and thus guarantee the qualitative requirements for information and information processes required by automatic command, communication and reconnaissance systems and guarantee quality of electronic devices.”

“In electronic warfare, the chaos of enemy systems is carried out according to a carefully planned plan by targeting the appropriate type of radiation to the enemy’s electronic devices, information-sending and receiving channels, and targeting specific technical and programmatic actions (malware) at enemy computers. Your own command, communication and intelligence systems are protected from similar actions by the enemy and from accidental interference from your own system. Necessary information is protected by covering up your own objects and/or confusing the enemy about their true nature. The targets of electronic warfare include information carriers (different waveforms and the frequencies they use), the frequency bands they use, and electronic devices and systems. For this reason, electronic warfare is an integral part of information warfare, its technical basis.”

2 Objective and Targets

IN THE RUSSIAN MILITARY SCIENCE DEBATE, the most important task of electronic warfare is given as a slightly more detailed breakdown of the above: the task is to bring the enemy's operational and weapons systems command system into chaos by limiting their ability to gather intelligence and use weapons systems. Chaos can be created traditionally by preventing access to information from command posts and electronic devices through jamming, but also by delaying access to information, producing false information, causing information interruptions, distorting databases, and destroying information. The latter can be done by destroying the electronic circuits of devices emitting radio waves or by using special programs that affect software and databases. Management systems are still the primary focus, but their order of importance has changed. In an interview in April 2021, Lastochkin specifically outlines the fight against precision guided weapon systems as the main task of electronic warfare and makes no mention of operational command systems at all. No doubt they are still next in order of priority. However, he stressed the importance of combating precision guided weapons, as their use is emphasised in the doctrines of potential adversaries. In line with this new policy, most of the new electronic warfare systems have therefore been targeted at countering precision guided weapons of potential adversaries.

He specifies the tasks when talking about electronic warfare forces. Their mission is 1) to electronically destroy enemy systems; 2) to systematically prevent enemy signal intelligence from collecting (target) data; 3) to electronically protect their own forces. The definition of Lastochkin does not differ in substance from the definition of the General Staff, but merely clarifies it. The demand to combat precision guided weapons obviously comes from the “Strategy of Active Defense” launched by the Chief of General Staff, General Valery Gerasimov, in the spring of 2019, at the core of which is to combat the growing threat of enemy precision guided weapons. Electronic destruction is also a new wording that also covers the use of an EMP weapon.

3 Leadership

IN MAY 2017, Lieutenant Colonel Oleg Nikitin published an article in the Russian general staff magazine Vojennaja Mysl, in which he estimated that at the core of future military operations will be the destruction of the opponent's information structures, and this is where the electronic warfare force plays a significant role. To achieve this, an electronic warfare decision-making support system must be developed to model the enemy's command system, determine the critical information flows associated with it, and build on this to plan for the chaos of the opponent's command and weapon systems. The decision support system must identify the operational, information and radio-electronic situation at baseline and, as a result of an overall assessment of these, determine the allocation of resources for electronic warfare and other weapons to achieve the goal.

• Determining the information situation involves the need for information (receipt, processing, sorting, and forwarding) of critical items in command and weapon systems.
• The radio-electronic situation is related to the operational and information situation and assesses the opponent's messaging system vs. the number and characteristics of the electronic warfare equipment in use, the conditions, and the order in which the electronic warfare operations are carried out.
• It is essential to target a leadership process that quickly lowers an opponent’s fighting ability while weakening it in the long run.

In 2019, the commander of the electronic warfare forces also assigned as the main task of electronic warfare preventing the operation of the information systems of enemy command systems by disrupting the communication channels between them. In an interview with the commander in 2021, he said that artificial intelligence has played an important role in strengthening the decision-making system for electronic warfare. Artificial intelligence-based systems are in place at all levels of the organisation of electronic warfare, from company to brigade.

The development of artificial intelligence-based decision-making support systems continues to be fierce, and the aim is to develop a decision-making support system for electronic warfare regiments, battalions, and companies, leaving only the implementation and control of tasks for man. Based on the commander's interview, it is easy to see that the decision support system described by Nikitin in 2015 is in place and under active development. In the United States, the Center for Naval Analyses published in May 2021 a report which warns that Russia is moving faster than expected in adopting artificial intelligence supported systems. This is in accordance with Lastochkin’s interview.

In his interview this year, Lastochkin stressed that while nothing will change the centralised leadership of electronic warfare regiments, battalions, and companies operationally, technically the command system will evolve. At present, the command system of electronic warfare forces operates through the connections of the Russian fixed telecommunications network and makes use of all the services of the telecommunications system. Such an operating model significantly increases the combat resilience and operational usability of electronic warfare systems and makes it more difficult for adversaries to collect intelligence on them. The first news coverage concerning the armed forces taking advantage of the fixed telecommunications network is from as early as summer 2016. In order to reduce the accuracy of cruise missiles, jamming systems targeted at GPS systems began to be used through a fixed telecommunications network. Five years later, the use of a fixed telecommunications network, at least in the command and control of electronic warfare forces, is likely to be a basic operating model covering the whole of Russia.

In 2015, the Commander of the Electronic Warfare Forces decided that electronic warfare can be used alone or with fire support units and special operation forces to achieve information supremacy, or in an information operation to protect one's own system from enemy technical signal intelligence. In 2017, the commander said that electronic warfare will be integrated into the reconnaissance-fire complex to provide it with the most real-time target situation information possible.
In the same year, it was announced that Russia was planning to integrate electronic warfare information collection into the common information space of the armed forces to improve the effectiveness of the command and control of operations. Both announcements made in 2017 are obviously related to the same issue. In 2019, Major General Sergei Klindukhov, Chief of Staff of the Eastern Military District, said in an interview that the new systems of electronic warfare are mobile and can be used remotely or in accordance with a specific predetermined program. As examples, Klindukhov cited jamming systems that can prevent the use of a control signal from your opponent's drones and limit their ability to transmit image or video data from a target. As another example, he mentioned the mobile system of Motorized Infantry Brigades' Electronic Warfare Company. Klindukhov’s statement suggests that in addition to investing in mobility, the integration of electronic warfare systems into the reconnaissance-fire-strike complex has progressed and at least some of the systems have been integrated.


4 Organisation

The development of electronic warfare, which began most significantly in 2008, has been seen in the Army, where the number of electronic warfare troops increased significantly in addition to qualitative development. In other branches of defence, the development has been largely qualitative, rather than an increase in the number of troops. In the Army, 1) an electronic warfare brigade has been formed in each military district; 2) an electronic warfare battalion has probably been formed in each army and army corps; 3) an electronic warfare company has been formed in each motorised infantry brigade and division. The change was implemented from 2009 and was also completed for the Armies' electronic warfare battalions, possibly during 2020. There are a total of 12 armies and one army corps in the Russian Army, all of which are estimated to have established or will establish an electronic warfare battalion. There are approximately 40 brigades and divisions in total in the Army and each of them has an electronic warfare company. The Northern Fleet's army brigade also includes an electronic warfare company. The electronic warfare platoons of Airborne Brigades and Divisions (eight in total) had been upgraded to companies by the end of 2016 and were simultaneously equipped with new equipment. The equipment in these electronic warfare companies differs from that of the companies of Mechanised Infantry Brigades and Divisions in its emphasis on tactical electronic surveillance rather than jamming.

The land-based electronic warfare elements of the Russian Navy include five electronic warfare centres, formed since 2009 based on naval electronic warfare regiments. Each centre consists of at least two electronic warfare battalions and possibly a separate electronic warfare company. One battalion is responsible for strategic tasks and the other tactical. Each fleet's organisation includes a separate electronic warfare centre, except for the Pacific Fleet, whose organisation includes two centres. The Caspian flotilla does not include any electronic warfare elements. In addition to the land-based electronic warfare troops, the vessels, of course, have their own massive electronic warfare systems. The Air and Air Defence Armies of the Aerospace Forces each have a separate electronic warfare battalion, which are integrated with the Air Defence Division. There is an air and air defence army operating in each military district (respectively) and it is estimated that there are also five separate electronic warfare battalions in the Aerospace Forces. In addition to land-based troops, aircraft of course have their own electronic warfare systems. As far as the Air Force is concerned, the same assumption applies for the Navy. According to the findings, there were no changes in the orbat of the electronic warfare troops, and the news published about the Electronic Warfare Battalions is likely to be related to the new equipment that Russia has wanted to report on or from which information has otherwise become public. The Air Force's equipment has most likely been state-of-the-art, and its modernisation came to light last.

[Figure: Assessment of a typical military district of electronic military forces, quantitative developments, in the year 2009 and in the year 2020. Labels: military district staff, naval staff, air and air defence army staff, army staff, motorised infantry brigades (respectively). Note: the brigade used to have an electronic warfare platoon and now has a company. The battalions are for order of magnitude only.]

In addition to the ground component, the Russian Electronic Warfare Force includes an airborne component. The airborne electronic warfare component under control of the General Staff of Russian Armed Forces is organised into the Electronic Warfare Aviation Division of the Transport Air Regiment located in the Central Military District. Each military district is assessed to have an electronic warfare squadron operating on the platform of the Mi-8 helicopter, organised in the Mi-8 regiments of the Army Air Force. Helicopter departments used for electronic warfare are likely to be under control of electronic warfare brigades in the military district. In addition to electronic warfare, the Russian armed forces have the Technical Surveillance Forces, i.e. electromagnetic dispersed radiation monitoring forces tasked with preventing enemy technical reconnaissance. The second task of these forces has been frequency control, in other words, preventing unintentional interference with own frequencies. Initially, these Technical Surveillance Forces were only in strategic missile and space forces, but with the development of electronic warfare they are in all forces. With the proliferation of smartphones and tablets, information security (INFOSEC) has become a new task for Technical Surveillance Forces, in which role they are responsible to the organisation responsible for the protection of state secrets. However, the main responsibility of INFOSEC belongs most likely to the Technical Surveillance Forces.

Leading the development of electronic warfare has been reorganised under the command of Lastochkin. Technical development and related technical research are led by the Electronic Warfare Forces Military Committee established in 2015. Electronic warfare officers will be trained under the authority of the Air Force Academy at the Electronic Warfare Research Institute established in 2016. Electronic warfare operators of all arms and branches are trained in the Electronic Warfare Training Centre. In 2015, a science company focusing on research into electronic warfare techniques and systems was established under the centre. In the science companies, talented university students can do their military service. There are currently 19 science companies, eight of which explore new innovative technologies. In this way, efforts are made to support the innovative development strategy and perhaps even the breakthrough strategy set out below.

5 System development

In May 2017, a paper on strategies for developing electronic warfare was published in Vojennaja Mysl. According to the researchers, electronic warfare systems should be developed in accordance with three strategies: 1) the traditional development strategy means developing the systems already in use to become better and more efficient; 2) an innovative strategy means the development of new generation systems, for example through artificial intelligence; 3) a breakthrough strategy means the development of systems based on completely new technologies. The overall development of electronic warfare must be a thoughtful set of all three strategies, with priorities depending on the situation. In a high-threat situation, the focus is on the traditional, in an ambiguous situation, the focus can be shifted to an innovative strategy, and in a deep state of peace, it is possible to focus on a breakthrough strategy.

The equipping of electronic warfare forces with new equipment began in 2012, and by 2017 70% of the Army's electronic warfare equipment was new. Electronic warfare is clearly highly prioritised, as a similar goal for other equipment of other arms and branches was not to be achieved until 2020. A significant part of the renewed equipment had been clearly developed in accordance with the traditional strategy by modernising the equipment in use. According to Russian terminology, these were 3.5 generation systems. Since 2015, 4 and 4.5 generation systems have been introduced.

The priorities for developing the systems available to the Electronic Warfare Forces have changed every year. In 2014, the Commander of the Electronic Warfare Forces determined the development target as the ability to destroy the enemy's electronic devices and disrupt computers in command systems. In 2016, the development of training simulators by 2018 was the most important target for development. In 2017, Electronic Warfare Forces had to develop EMP weapons and jamming software to bring chaos to the enemy leadership and weapons systems. In his most recent interview in April 2021, Lastochkin also logically identifies the paralysing of navigation and target retrieval systems of potential opponents as a clear focus for development. In the summer of 2020, news broke that Russia had tested an EMP weapon with a range of 10 km. Western experts estimated that an EMP weapon with that range could be in use by Russian Electronic Warfare Forces by 2025. These changes in the commander's guidelines should not lead to the conclusion that traditional elements of electronic warfare will not be developed at the same time. However, they show very well the priorities of recent years. Clearly, the most important thing is to be able to destroy
electronic components of your opponent's (weapon) systems, to influence the functioning of the information systems of your opponent's management systems, and to train more diversely and effectively. It is a good idea to weigh the development priorities against the electronic warfare strategies mentioned earlier. In 2015, a team of three officers wrote an interesting article in Vojennaja Mysl about the development and use of electronic warfare. According to them, the real performance of electronic warfare must be concealed from the enemy and used to the full effect under the disguise of surprise. This view is directly from the textbook written by Aleksandr Svechin, perhaps the most well-known and respected strategist who served in the Red Army, who is studied diligently at the General Staff Academy of Russian Armed Forces. (Svechin stressed that the actual performance of strategic weapons had to be carefully concealed from its own politicians as well.) The group's view fits well with development strategies, and there is no contradiction to the fact that even new electronic warfare systems are being tested in Ukraine and Syria. On the contrary, they must be tested in a real or as real a combat situation as possible, so that they can develop the best possible combat techniques and tactics, in some respects even operational art. Russia's arsenal of electronic warfare may well be judged to include surprising capabilities and/or tactics that are planned to be used in a mass manner only in the event of a war.

6 Development of Equipment

In 2017, Lastochkin referred to strategic air-to-land electronic warfare, a capability for which a foundation is being established. At the end of his interview in 2021, Lastochkin mentions in his last sentence a land and air based electronic warfare system that corresponds to similar systems in leading Western countries. The most significant missing component is the air component corresponding to the West. The statement correlates with the knowledge that a new generation electronic warfare aircraft is due for test use by 2025. Lastochkin raised the issue of the very acute fight against drones in his interviews for the first time in 2017, when he mentioned electronic warfare as an effective method against them as well. The statement suggests that there is experience in combating drones and that the experience gained in Ukraine and Syria has been valuable. In 2021, Lastochkin was asked about the war in Nagorno-Karabakh, with reference to Russia's electronic warfare ability to combat Turkish-made Bayraktar drones. He did not directly take a position on the device in question, but he stressed that drones are very dependent on many communication links to the land organisation and navigation system, all of which can be jammed.

Of course, traditional concealment and maskirovka have not been forgotten in the field of electronic warfare. In 2014, Lastochkin announced the goal of developing a continuously improved electronic fake environment to distract the adversary, and technology to prevent and jam the collection of electronic parameters. In an interview five years later, Lastochkin already underlined the fulfilment of the targets by saying that weapons systems have been fitted with systems to make it more difficult to detect and collect signal data and to prevent the use of precision guided weapons. Protecting one's own actions from reconnaissance is important on the battlefield, but even more so in peacetime. Russia became aware of this in 2017 through smartphones and computer-connected SIM cards and Wi-Fi base stations, and a force for technical control was organised in all forces. In an interview in 2017, Lastochkin emphasised that the Zaslon-REB system, which is part of these troops' equipment, can protect the Russian General Staff building by blocking all known mobile frequencies and signal protocols. Two years later, he said electronic warfare systems were also able to protect the most important own objects from airborne or spaceborne intelligence and also enable the missile defence of these objects.

7 Space There are currently five dimensions of warfare. In addition to the traditional land, sea and aerial dimensions, there is, of course, an information dimension in which Russia is pursuing a dominant position on the battlefield. The fifth dimension is space, which for decades has had signal and intelligence satellites in support of military operations, but not open military action by common accord. Now Russia has clearly begun to seek military superiority also in space.

Russia's electronic warfare forces already have modern jamming systems in service to prevent the operation of satellites in the enemy's communications, radar, and navigation systems. In the summer of 2020, news broke that Russia had tested a new land-based EMP weapon that could destroy an enemy satellite in space at a distance of hundreds of kilometres. In addition to land-based systems, Russia is developing a space-based electronic warfare capability. In this context, Major General Lastochkin in 2018 spoke of Russia's ability to jam any single object anywhere in the world, as well as in space. Jamming missions located near borders are successful from the ground or from a drone, but global jamming capabilities can only be achieved from space, to which the statement clearly refers. In April 2021, the Secure World Foundation, which observes the peaceful use of space, published its annual report assessing that Russia may already have grouped satellites capable of destroying its enemies' satellites by means of electronic warfare. In the summer of 2020, the US Department of Defense expressed concern that Russia may have satellites armed with nuclear bombs ready in space, the electromagnetic pulse generated by which could destroy several US satellites at once. In addition to the threat of electronic warfare on satellites, a report published in January 2021 by the US National EMP Task Force on National and Homeland Security assessed that Russia is prepared for Blackout Warfare and would also have an EMP weapon capable of being fired into space by a missile to destroy all electronics in the main part of the US, i.e., to cause a Blackout. If you extend the traditional battle zone to cover the entire territory of your opponent, then this weapon is also part of electronic warfare. On the other hand, the scale of the attack, as otherwise defined, would be a cyber-attack.

8 Training and Practice

The training of Russian Electronic Warfare Forces has been significantly enhanced since the middle of the last decade, and simulators now allow for training from operator to electronic warfare brigade. In the first phase, starting in 2015, electronic warfare companies began to get simulators that allow training on the entire scale from operator to company commander. In 2017, the commander of the Electronic Warfare Forces already said that the training time of the operators had doubled – to which simulators undoubtedly accounted for a large proportion. In the second phase, by the end of 2018, an electronic warfare combat training area with simulators was created. It is capable of organising combat exercises for the electronic warfare companies, battalions and brigades. The Electronic Warfare Forces combat exercises have been on the rise. In August 2016, the first "Elektron 2016" military exercise was held jointly by the electronic warfare troops of all branches of the Armed Forces. Nothing like this had happened since 1979. The latest of the military districts' electronic warfare brigades had been completed by the end of 2015, and the exercise most likely specifically tested the combat readiness and cooperation of the military district's electronic warfare brigades. International cooperation between electronic warfare forces began in 2015-2016. As a first step, Belarusian electronic warfare units participated in the Elektronnyi rubezh competition in Russia in August 2015. It may have been a test of the performance of the new electronic warfare companies through competition and a 'foreign performance measuring tool'. Belarusian electronic warfare units also participated in the Elektron-2016 exercise the following year. As an introduction to the strategic Zapad-2017 military exercise, in May 2017, Russian and Belarusian electronic warfare forces held a joint exercise that probably tested the cooperation of the Western military district and Belarusian electronic warfare troops. The last time a similar joint exercise took place was sometime in the 1980s. The joint exercise clearly suggests that Belarus is also at a technically equivalent level in electronic warfare systems. The strategic "Zapad 2017" military exercise, on the other hand, was the first exercise in which Electronic Warfare Forces participated fully as part of the whole. The exercise tested the capability of Russian air defence to counter an air raid on the Russian heartland and, at the same time, first tested the effectiveness of electronic warfare by the military district as part of the overall defence. The participation of electronic warfare forces in strategic exercises has continued since then, and the exercises have seen a rise in numbers. In 2020, according to its commander, the Electronic Warfare Corps conducted more than 2,000 tactical, operative, and strategic level exercises. In addition to simulator and combat exercises, Russian electronic warfare forces have gained extensive combat experience in eastern Ukraine and Syria, in addition to testing the systems. In the former, the activities are probably focused on the Army's systems and in the latter on the air force's systems. Since 2014, efforts have been made to increase the readiness of troops for training and experience, including electronic warfare. At present, each military district and the Northern Fleet are on standby with certain electronic warfare units that are in minute-class readiness to repel enemy attacks. Since the beginning of 2018, regular standby updates to the full extent have been started during peacetime.


9 Conclusions

Electronic warfare in Russia has been elevated to an element of kinetic influence and, in some respects, even the element above it. On the battlefield, electronic warfare is aligned as the basis for information warfare, and if the "conquest of space" succeeds, then Russia will probably try to develop it into a global attack capability such as cyber warfare.

[Figure: The development of Russia's electronic warfare capabilities (estimate). A timeline for 2008 to 2021 showing organisational changes, new equipment (3,5- and 4,5-systems), war experience (East-Ukraine, Syria), the Elso research and development organisation, the personnel training program, strategic exercises, the Elso-brigade simulator and standing QRA duty, set against the Georgian war (2008), the East-Ukrainian war (2014-) and the Syrian operation (2015-).]

As the picture above shows, Russian electronic warfare has been actively developed for over 10 years. According to some Western estimates, even frighteningly actively. When you read the annual interviews with the Commander of Electronic Warfare Forces, you can see that their tasks have been carried out quite well. Similarly, Russia’s military debate provides clues as to what Russia is trying to achieve. The most significant new threats of electronic warfare currently come from Russia's attempts to arm space, develop an EMP weapon and exploit artificial intelligence in various systems. The latter is a clear priority in Russia in all sectors, so any potential resource will undoubtedly be made available. Whether Russia can achieve its ambitious targets with the resources at its disposal is another matter. In the United States, however, there have been increasing warnings about the development of electronic warfare in Russia on the aforementioned issues.

Russian electronic warfare forces have an advantage over their enemies, as Russia is constantly able to test its systems in battle in Syria and eastern Ukraine. The more modern the systems the opponent has, the better. Troops with combat experience are always better placed against inexperienced opponents. When comparing Russian and Western assessments of the effectiveness of Russia's electronic warfare systems in the battles of various crisis hotspots, it should be remembered that it is in Russia's interests to report on maximum performance. Western authorities, on the other hand, would be making a very big mistake by admitting that Russian electronic warfare is effective against their targets. For this reason, for example, the information obtained about the battle between drones and electronic warfare in the Nagorno-Karabakh war should always be treated with caution with regard to the statements made by both sides, and one should try to verify it from a wide range of sources.



JUHA WIHERSAARI

Colonel (ret.) Juha Wihersaari is a Doctoral Researcher and Member of the Russia Research Group at the Finnish National Defence University. He has a General Staff Officer’s Degree from 1993 and he served in the Finnish Defence Forces until 2015. Wihersaari’s military experience includes positions mainly in Military Intelligence, where he served 26 years. During his career Wihersaari served two times as Defence Attaché: the first time in Eastern Europe (inc. Ukraine) and the second time in the Middle East (inc. Turkey). He also served five years as the Director of the Finnish Signal Intelligence. Since 2016 Wihersaari has been the owner and the Director of JITINT, a small Intelligence and Security Company. His Doctoral Research is focused on Hybrid Warfare in the Russian Art of War: “Hybridisodankäynti venäläisessä sotataidossa”.


CHANGING TIDES OF BELARUS: towards regional destabilisation? // Timo Hellenberg



When Lukashenko visited Sochi on 14 September 2020 as a guest of President Putin, Minsk started to be “coached” by the Kremlin; the subject became an object. As a result of the Sochi visit, Lukashenko received a pledge of EUR 1.5 billion in quick loans to help Minsk refinance its current debt, as well as a promise from Moscow to support the armed forces should the situation get worse. On Monday 9 August, Alexander Lukashenko spoke for hours at the first anniversary of the disputed election that extended his decades-long rule, defending his victory. He accused his opponents of plotting a “coup” during the 9 August 2020 election, which gave Lukashenko a sixth term in office. He stated that he won last year's presidential election fairly while protecting his country against a violent extremist upheaval. Belarus has since launched systemic and progressive multiple (hybrid) influencing against its neighbouring countries. For instance, Lithuania, a neighbour of Belarus and a member state of the European Union and of NATO, is currently facing a migration flow that has suddenly begun through Belarus at the instigation of the country’s authoritarian leader Lukashenko. More than 4,000 illegal migrants have already entered Lithuania in a short time via Belarus, most of whom were first flown to Minsk as “tourists” from either Iraq or Turkey. So the question remains whether Lithuania is now facing hybrid influencing from foreign powers, as was the case at the Finnish border in late 2015 and early 2016. The difference from the recent asylum seeker crisis between Finland and Russia is that the Belarusian border authorities do not allow asylum seekers to use official border crossings. Instead, people are deliberately directed to cross the national border anywhere through forests.
According to Lithuania and Poland, they were selected as priority targets for migrant crisis pressure because they have granted diplomatic status and asylum to many opposition figures, such as Lukashenko’s main opponent, Svyatlana Tsikhanouskaya, in Vilnius. In Brussels on 15.12.2020, Tsikhanouskaya, among other democratic leaders, received the Sakharov Prize for Freedom of Thought. At the ceremony, she spoke of political prisoners and victims of repression and called on the world to support Belarus. She also forwarded a letter to Věra Jourová, Vice-Chair of the Committee on Values and Transparency, proposing that GUBOPIK (the Belarusian Interior Ministry’s Main Directorate for Combating Organized Crime and Corruption) and OMON be recognized as terrorist organizations. The document was signed by 50,000 Belarusians. Brussels has been active in rhetorically condemning violence, criminal charges and the torture of protesters, but there have been no major steps in terms of sanctions. The first packages of sanctions from the West blacklisted Lukashenko and dozens of officials, and Tsikhanouskaya’s actions greatly influenced the adoption of the third package of sanctions against Belarusian units. The list included 29 individuals and seven companies involved in repression against Belarusians. The two main European banks, the EBRD and the EIB, have suspended all operations in the country, with the exception of ongoing projects. Sectoral sanctions are not yet in the EU’s range of options, as they are feared to make Belarus increasingly dependent on Russian energy supplies. In this chess game, Russia takes the winnings from the West in all volumes of foreign trade, in the amount of foreign investment, in security and military cooperation, and in cultural and information visibility. The West can mainly provide humanitarian support to the opposition, continue to cooperate with civil society in ongoing projects, and develop more cooperation in the scientific and cultural sectors. The World Bank is showing direction here, opening up new project applications for the development of the education sector. The United Kingdom imposed sanctions on Belarus's potash and petroleum products on 9 August, with Canada and the USA joining soon with similar actions. The EU has now otherwise channelled funds previously directed to Minsk to support civil society. The Baltic countries and Poland have liberalized visa processing for the country’s opposition leaders who have not yet been imprisoned in their home country, and receive virtually all opposition leaders who want to flee their country. Germany, which until now has been silent, is embarking on large-scale civic-level interaction projects.
Published data on the draft state budget for 2021 revealed that Belarus is aiming at increasing defence and law enforcement spending by about 12 percent compared to 2020. Meanwhile, inflation in 2020 is likely to exceed 7% and the Belarusian ruble has devalued by 16%. So in reality, national defence spending has declined significantly this year. The Department of Defence’s plans to purchase four additional Su-30SM fighters have been halted. At the same time, the authorities are not optimistic that they can improve the economic situation in the coming year. Disputes over the price of energy sold to Belarus have also intensified. In the early part of President Biden’s administration, the east-west political zero-sum game for Belarus is likely to intensify. New game rules will be tested and old coalition structures will come under pressure. The crisis of Belarus and its opposition's neutrality aspirations will bring up pent-up political passions. At the same time, it threatens to take Ukraine, unnoticed, backwards from peaceful development. In big power capitals these issues are, and will be, set up together, not apart from each other. The Russian and Belarusian armed forces have carried out joint exercises on a regular basis during the year-long upheaval in Minsk. These exercises will reach their climax on 10 September, when a large-scale military exercise called Zapad21 (“West” in Russian) will be launched. Konstantin von Eggert has summarized: probably the most significant trend has been a creeping absorption of the Belarus State Security Committee by Russia's State Security Service (FSB).

With the possible deepening and widening of the crisis in Belarus, the West should also prepare for the gloomy scenario. Zapad21 begins on the very same day, 10.9., on which the Peace Treaty of Nystad marks 300 years. This Treaty ended the Great Northern War (1700–1721). In the peace treaty of Nystad in 1721, the kingdom of Sweden lost its territories (Estonia, Livonia and Ingria) on the eastern side of the Baltic Sea as well as the areas of Finnish Karelia, the city of Wiborg included. Historical curtains are here as Belarus is now heading from a hybrid crisis towards regional destabilisation, while the Zapad21 exercise is starting at the Nordic-Baltic doorsteps. In the worst case, it could continue to mutate into a great power conflict, if the importance of Belarus is downplayed in the West and reciprocally perceived in Moscow as a question of prestige.

TIMO HELLENBERG

Timo Hellenberg (Dr.Pol.Sc., M.Sc.Econ.) is the CEO and founder of Hellenberg International Ltd and CEO of Hellenberg HK Limited. He has served as a Special Adviser (EU and Foreign Affairs) to the Prime Minister. He has 25 years of experience as an academic and crisis management researcher, incl. at the United Nations (DRD). Timo's recent assignments include: Project Director: Poseidon – Preventing Terrorism (2007-2008, EU DG JHL), Project Director: Aether – Air Passenger Transport Security in Case of CBRN Threat by Terrorists (2009-2011, EU DG JHL), Project Partner: Analysis of Civil Security Systems in Europe (2012-2014, DG Enterprise), Project Partner: Project Mappers – Mobile Applications for Emergency Response and Support (2013-2015, Civil Protection Directorate), Project Partner: RAIN – Risk Analysis of Infrastructure Networks of Extreme Weather Events (2014-2017, FP7), Project Consultant: Critical Infrastructure Resilience Index (2016, Finnish Ministry of Defence, MATINE), Project Partner: Towards an Arctic Business Possibilities Strategy (2016-2017, Government Council of Finland), Co-organiser: Standing Working Group of Experts from the United States and Russia; “Workshop on the convergence of violent extremism and radiological security” Helsinki (Dec. 2018, NAS), Project Partner: Mall-CBRN, Creation of CBRNE protection system for large area shopping malls (2019-2021, ISFP), Project Partner: Crispro Knowledge Network (2020-2022, DG ECHO), Project Partner: Prosperes – Protection System for large gatherings of People in Religious Sites (2021-2023, ISFP).
He is a board member of the Paasikivi Society (since 2003-); Board member of the Geopolitical Society of Finland (2015-); Member of the Finnish-Russian Scientific and Technical Committee (1997-); Member of the European Security Research and Innovation Forum (ESRIF); Founder of the CIVPRO Civil Protection Network, Board Member of the Baltic Civil Defence Network (2020-), Senior Expert at the International Market Analysis (Washington DC) (2015-), Member of the Advisory Board of the Cyberwatch Oy Ltd (2018-).



Cyber security challenges of shopping centers // Aapo Cederberg



In early July 2021 the ransomware attack of the REvil group against Kaseya forced over 500 Swedish Coop stores to remain closed. Coop was not a direct target of the attack but suffered collateral damage through one of its software service providers. As seen, cyberthreats, direct or indirect, are increasingly shaping the operational environment of commercial services. This article will examine the cyber and hybrid threats faced by contemporary commercial activities when operating in shopping centers. The operating environment of shopping centers is characterized by a multitude of hybrid and cyber threats. As is the case in terms of physical threats, the main cyber threats remain crime and vandalism. Cybercrimes are operations motivated by economic gain. These crimes come in different shapes and sizes: from credit card skimmers to ransomware attacks and from identity theft to copyright infringement. On the other hand, vandalism operations are conducted as a result of ideological motivations or by individuals seeking entertainment. These threats are harder to handle as they are more difficult to predict. When considering the cybersecurity of shopping centers against these threats, a two-tier approach is relevant. The first level covers the security of each enterprise acting within the shopping center. These individual vendors must take appropriate precautions in order to ensure their cybersecurity against these threats. Notwithstanding, the shopping centers where these companies are located have obligations to provide a base level of cybersecurity against these potential threats. In other words, somebody must look at the shopping center holistically as one ecosystem.

Prior to the pandemic, shopping centers enjoyed steady success as a location for many people to do their shopping as well as a place for gathering for events. Particularly in less urban areas and suburbs, malls played an integral role in society. At the heart of their significance was the multitude of retail and services provided at these locations. Shopping centers provide companies with high levels of foot traffic and are an enticing location for them to conduct business. Notwithstanding, they have seen a decline in their popularity due to increased digitalization. The growing popularity of online shopping has driven consumers to remain home and order their shopping through the internet. This effect has been exacerbated by movement restrictions due to the pandemic. Despite decreasing numbers of visitors lately, shopping centers remain highly dense population centers. As such they remain a prime target for hybrid and cyber threats. There are three main cyberthreats that shopping centers need to focus on: cybercrime, cyber vandalism, and hybrid operations. All three pose significant threats to different sectors of the shopping centers and society at large. Comprehensive hybrid and cyber risk assessment is urgently needed.

For criminals the cyberworld has become an invaluable tool for developing their operations. Cybercrime has become the third largest industry in the world economy as of 2020 and is seeing an even greater increase due to the pandemic. Cybercrime carries benefits over traditional crime: lower chances of getting caught, ease of conducting the operations, as well as larger payoffs. Like traditional crime, there is a plethora of possibilities when considering cybercrime operations. Criminals are able to put into use many different cyber capabilities such as identity theft, ransomware, and hacking. The operations that criminals put into force can act as passive income, such as credit card phishing. On the other hand, some criminals may not be actively conducting crime against retail outlets but rather facilitating others by obtaining large amounts of information through data leaks. Moreover, as a result of the growth of cryptocurrencies, it is easier for criminals to remain undetected and receive financial compensation. For this kind of cybercrime, the likeliest target is the stores themselves. Through intrusions into the retailers themselves, criminals are able to obtain the largest financial gain; capitalizing on the vendors' disjointed defense efforts, they are able to attack repeatedly. On the other hand, these attacks would not impact the entire ecosystem of the shopping center. Furthermore, cybercriminals are often seeking fast financial compensation and the disruptions are unlikely to last for long periods.

Cyber vandals are motivated by ideology rather than financial gain. In these cases, individuals not affiliated with governments or criminal organizations use cyber tools to cause harm without economic gain. Through their actions they seek to limit the visibility of ideologies that contrast with theirs. In the case of shopping centers these opinions are most probably anti-capitalist or anti-establishment; however, there has been an increase in nationalistic cyber vandalism. The cyber tools vandals use vary from crude to very sophisticated, and the size of operations varies from small to loosely organized large attacks. Without a clear standard for motivations, it is difficult to predict different attacks.
In many cases, the intention of vandals is not originally malicious and stems from an interest in how deep they can penetrate cyber systems. With numerous people stuck at home due to the pandemic, these actors could cause potential problems for shopping centers. Although it is a gray area, many vandals do not recognize the illegal nature of their actions and remain on the wrong side of the law. It is through these operations that the most long-term impacts will be seen. Without a financial gain, the attacker is most likely looking for a lasting impact on the operations of the shopping center. Moreover, these attacks are expected to target the entire infrastructure of the shopping center, as this would cause the largest impact.

States create and exploit weaknesses in other states through what is often called hybrid influencing. The goals range from election meddling to inciting lawlessness in order to destabilize state structures and society. The cyber domain has revolutionized how states are able to impact their target societies through e.g. cyber-attacks on critical infrastructure. As a part of population centers, it is likely that shopping malls may act as a target for hybrid operations. Moreover, even if they are not the main target, there may be collateral damage from attacks on other critical infrastructures such as water and energy. Russia's hybrid warfare strategy increasingly includes an attempt to achieve a deterrent effect asymmetrically through cyber weapons, whereas in the earlier stages of warfare development it was carried out using kinetic methods such as conventional armed forces. Cybercriminals are also often used as proxies in hybrid operations, which makes it more difficult to create reliable situational awareness. The impact of modern cyber weapons on the armed forces, industry, transport and the lives of citizens is already estimated to be close to that of a nuclear weapon. According to a well-known Russian security company, all cyber warfare efforts aim to disrupt the information systems of the enemy's economic and financial institutions and state organisations, as well as disrupt the daily life of the entire state. In connection with the latter, the primary aim is to disrupt areas that are important for the viability of the population centres and the functioning of society, such as drinking and sewage systems, electricity distribution systems, and communication and transport connections. While this is an indication of the threats that Russia faces, it can also characterise the way in which Russia operates. In other words, shopping centres are attractive targets in many ways, and spectacular information impacts can also be achieved.
The targets of cyber operations are found across the entire society. All vital functions of society must also be secured from hybrid and cyber threats. The challenge is growing, and the threat and risk landscape is getting more complex. A comprehensive security approach is needed, and improved collaboration with critical stakeholders of society is the key to success. In the case of shopping centres, two different kinds of cyber security need to be considered: the defence of the retailers within the mall and that of the shopping centres themselves. Individual retailers can tailor their cyber capabilities as they require. For these organisations, conducting cyber risk analysis is the first steppingstone in developing an effective defence strategy. By detecting weak points, retailers are able to protect themselves from localized attacks and reduce their impacts. It is most likely that these attacks will come from criminals seeking financial gain. Moreover, as stores within the shopping centre are unconnected, the impacts of cyber-attacks are limited to the stores that are targeted. However, retailers still remain vulnerable to attacks against the shopping centre. For the shopping centre as a whole, protecting the physical building is pivotal. As a part of critical infrastructure and a location of population centres, it is a likely location of hybrid influencing or cyber vandalism. The cyber defences of a shopping centre can be considered similarly to traditional security units. By protecting processes that are vital to their operation, shopping centres can ensure that they do not become the target of cyber operations and can achieve a level of wide-scale protection.

Notwithstanding, developing cyber defences in order to protect the entire shopping centre is costly and should be accounted for in rents.

In conclusion, shopping centres face a plethora of cyber domain threats. Hybrid influencing as well as cybercrime and vandalism are the main threats and should shape the defence frameworks. In order to defend against these threats, a base level of defence must be provided by the shopping centres themselves in order to ensure the safety of the base infrastructure. It is the responsibility of shopping centres to allow retailers to access shoppers. In addition to the basic defence, each retailer must have their own tailored cyber defences to protect their vital operations. In creating this, organizations must consider their own needs for protection. Last but not least, the work force must be well trained to make sure that adequate cyber competences are in place and to minimize the possible insider threat.

AAPO CEDERBERG
Mr Aapo Cederberg, CEO, Cyberwatch Finland

Aapo Cederberg is an experienced cyber security strategist and analyst with unique strategic level international expertise and understanding of hybrid threats. His comprehensive experience in strategic management gives him unique insight into the complexities of the cyber world. He has extensive first-hand knowledge of military defense. Aapo’s credentials include, among others:

Lead author for the first Finnish Cyber Security Strategy.
Associate Fellow of the Global Fellowship Initiative at the Geneva Centre of Security Policy (GCSP).
Chairman of the Committee of World UAV Federation (WUAVF).
Secretary General for the Security Committee of Finland for six years.
Head of Strategic Planning and Forecasting at the Finnish Ministry of Defense.
CEO and founder of Cyberwatch Finland – a firm focused on helping decision-makers to establish a holistic cyber strategy, to build situational awareness, and to take steps to ensure cyber resilience.




Introducing Cyberwatch Finland’s junior analysts: Leo Taalas

BLOCKCHAIN’S POTENTIAL IN THE REALM OF CYBERSECURITY // Leo Taalas

Since its conception, there has been a lot of hype around blockchain technologies. Recently, practical solutions and applications have emerged that have significant potential in terms of cyber security: validating identities; immutability and encryption; and the securing of IoT remain the largest promises of blockchain for the future of cyber security.

The first advantage that can be derived from using blockchain technologies is the ability to validate identities. In these cases, it is important to clarify the distinction between validating and identifying: the former refers to ensuring that a party is who they say they are, while identifying makes this public information. Currently a third of ransomware attacks and over half of intrusions into information systems occur due to password hacks. Blockchain technologies provide a possible solution. Through non-custodial logins, passwords are no longer controlled by a central entity; by replacing these passwords with public and private keys, it is still possible for that entity to verify the identity of the person logging in without storing a large mass of confidential passwords that can be obtained by hackers. Companies such as REMME and Edge are currently attempting to deploy this truly passwordless technology. Blockchain could be applied in this direction beyond the scope of the private sector. There are numerous possibilities for governance: validating the identity of citizens while maintaining anonymity could facilitate voting processes or protect critical infrastructure from unlicensed entry.

Secondly, immutability and encryption prove to be advantageous qualities for cyber security. The different consensus protocols of blockchain have pushed blockchain to the forefront of secure data storage. Through these mandatory checks it is nearly impossible for a foreign entity to modify information stored in the blockchain; hackers would need to modify 51% of the nodes at once to be able to change the information store. The immutability of this information is integral for cybersecurity as it can be used to ensure the integrity of information. However, this also has drawbacks. The immutability encompasses everything, and even the correct entities cannot change entries once they are on the blockchain.

Although blockchain is known for its public blockchains and the transparency and decentralization that follow, private blockchains provide a larger possibility for cyber security. Utilizing private keys where public ones were used before allows the users related to the transaction to be connected through updates to their ledgers while still leveraging the encryption provided. Third parties related to the transaction receive information on a “need to know” basis. This has been the premise of the Hyperledger project of the Linux group. Currently, a large threat in the cybersphere is supply chain attacks, and utilizing this method of information sharing could reduce the attack surfaces between contractors and main entities.

Lastly, blockchain has great implications for cybersecurity in the realm of IoT security. The technology provided by blockchain would enable the devices used to obtain masses of data to be validated. Users could certify that the information being used within models comes from the respective device through “device identity protocols”. IBM Watson Platform has worked towards detecting tampered data by utilizing the concepts of immutability, transparency, auditability, data encryption and operational resilience. Transparency is a large factor when it comes to IoT devices, and blockchain seeks to facilitate this. Moreover, in order to gain access to applications and services, IoT devices must verify their identity. Blockchain could be employed in this area similarly to the case of non-custodial logins. This would prevent unwanted entry onto IoT networks and limit false data from being propagated. Another direction that blockchain allows for IoT devices is autonomy. Through smart contracts, devices are able to maintain their own integrity and maintenance. This would remove the need for human interaction and would increase the number of IoT devices that could feasibly be managed.

In conclusion, the promise of blockchain is bearing fruit in cyber security. Successes in validating identities; immutability and encryption; and the securing of IoT are tangible proof of blockchain’s applicability to cyber security. However, it is likely that with the development of blockchain-related technologies we will see further applications to cyber security.

LEO TAALAS
Junior analyst, Cyberwatch Finland

Leo is currently studying at Università Commerciale Luigi Bocconi in Milan and is due to graduate in 2023. He is completing an Economics, Management and Computer Science BSc. In addition to Milan, he has lived in Vienna, New York, and Rome, where he completed the IB diploma. Leo is passionate about technology and design.

This blog is also published in the web magazine of the Bocconi Blockchain Cryptocurrencies Association https://www.bocconiblockchain.com/post/blockchain-s-potential-in-the-realm-of-cybersecurity

Introducing Cyberwatch Finland’s junior analysts: Veikko Markkanen

IRON FOR EU’S CYBER DIPLOMACY // Veikko Markkanen

The Cold War seems to be going on, and not just as a part of history, when looking at the current situation of international cyber politics. While the EU’s diplomat-in-chief Josep Borrell Fontelles finds multilateralism to be the solution, the concept amounts to nothing if the main actors in cyberspace have no common ground. The dialogue continues but is heavily influenced by the great powers’ contestation. We are running out of time to address this. When technology advances in leaps and bounds, politics cannot lag behind. If the EU is truly committed to advancing international security and stability, it is high time to act accordingly.

DOES THE EU HAVE WHAT IT TAKES TO LEAD?

Interviewing Josep Borrell has led Patryk Pawlak to ask whether the EU has what it takes to lead. Can it lead if it is not already the leader in the development of the technologies it now tries to suppress? The answer is yes. As Mr. Borrell has indicated, it is certainly worth recognizing the EU’s potential, and as things stand, not only can the EU take the lead in advancing solutions to cyber issues, it must. Ever-deteriorating relations between great powers leave only the EU capable of this. While the west and the east are taking their own routes, our European way has a unique pull for both sides: a powerful actor that, despite our western connection, bows to neither direction yet is able to sustain communications both ways. It is a setting perfect for progressive dialogue and action.

The question, then, is how do we take the lead? It would be disastrous to lose relations in either or any direction. However, we have some leverage of our own. The EU is a formidable diplomatic and economic power in its own right. The diplomat-in-chief accordingly emphasized the need to speak the “language of power”. The ability to make autonomous decisions is the EU’s greatest tool in making change. In this light, the EU could play the role of a facilitator without marking any new boundaries. In addition, with the recent change of power in the US we might go a long way without problematic issues. Regrettably, Mr. Borrell does not endorse using this capacity in a more aggressive manner. On the other hand, China is investing in Europe in such a manner that we are within reason to expect cooperation, that is trade, commerce, and diplomatic dialogue, to continue. Their need to stay a part of the western market zone is great. If the US does not open its doors, it could prove a beneficial tool for the EU during negotiations.

The most challenging view arises from Russia. As Mr. Borrell stated, Russia is the least likely to cooperate. In other words, they want to play by their own rules, often leading to disturbance among other states. If we were able to turn actors like the private sector, the US and/or China to our side, though, Russian interest in true cooperation would increase. Intellectual property within a unified cyberspace, even if it consists of just us, the EU, and one of the actors above, is far greater than that of any of the great powers alone. This, at least, is fortunate for us, since their unilateral view protects us from facing dangerous cooperation between powerful states aimed against our call for regulation. As Borrell and Pawlak discussed, all cooperation is based on goals that align. So, the best way for us to utilize this is by making sure our actions enable economic growth and ensure human rights. It is very hard to attack the EU if we are able to promote these concepts. For example, the European Council sanctions from last June against actors involved in cyberattacks were definitely a step in the right direction.

THE GROWING RESPONSIBILITY OF EU

International politics is in a stalemate with the cyber world. One of the main building blocks, the UN’s structure, is being twisted in the great powers’ contestation. In addition to the failure to create binding norms cyber-wise, silence has become another great issue. States refuse to start or participate in an open and problem-solving dialogue, as that would mean admitting to the problems. If they think they have an advantage, they see no reason to act. Thus, the notions of non-binding and voluntary are frequently expressed. Notwithstanding, they hold close to no value in solving our problems. In crisis situations, this lack of clarity tends only to complicate matters further.

This is alarming, but there is hope. Aude Géry and François Delerue consider a possible beacon of light, in regard to the UN, in their article A New UN Path to Cyber Stability. The advocates of cybersecurity and stability have put together an idea about a new Programme of Action for advancing responsible state behaviour in cyberspace (PoA). The potential here lies in levelling the playing field. Old unions such as the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) have not yielded results, despite demanding commitment and draining resources. The polarity is too great for the major powers and their respective camps to work together. As an alternative, if we had their approvals for the new PoA initiative, much of the drawn-out tension would ease. Dialogue on the matter would not be dictated as much by existing issues between great powers.

From the EU’s perspective, the PoA would provide valuable information about states’ ongoing positions regarding the topics of the program. For example, if we were to regulate in a similar manner following the implementation of the GGE-borne voluntary norm, “States should not knowingly allow their territory to be used for internationally wrongful acts using cyber domain”, into the more politically binding framework the new PoA aspires to build, our move would already have been approved, to some degree, by those who did so for the PoA. Value is added through those who did not approve the original initiative as well, since refusal calls for explanation, leading to much-needed attention on the actual conflicts.

The issue here lies in timing. If it is taken seriously, the PoA is likely to be discussed at the next UN General Assembly, and that does not bode well for its future. As long as member states are not willing to lose their “edge”, the UN is not capable of taking on these matters. Regrettably, this is the current state of affairs. It is good to take note that none of the major powers sponsors the idea yet. Géry believes that this is a threat as well as an opportunity. For the program to have a positive impact, it truly needs to find common ground. For example, if China got hold of the reins, it could twist the program to serve its own agenda, while driving the west out of the deal. For this and every other program, depicting why they would work nonaligned is critical.

All in all, it takes too long for the UN to reach any concrete decisions. Fortunately, the EU has much more agency in these matters. Within, despite our slow start, the EU is waking up to the growing threats from cyberspace. A Germany-led joint non-paper focusing on protecting and reinforcing Europe’s digital sovereignty is one such act. Still, while many of its points are appropriate, it lacks initiative. The next step cannot be reviewing the non-paper; it needs to be implemented according to its message.

ACTIONS TO TAKE FOR EU

At this point we have touched on the subject of the responsibility that falls on the EU, the reasons behind it, guiding frameworks and some key points to consider when taking action. With these in mind, we can focus on something concrete for the area of interest that the EU would be correct to start working on immediately.

First, our take on the US Clean Network program. It is intrinsically valuable for the EU, should we endorse it from a neutral standpoint. Network traffic from untrusted sources cannot pass through either side. While the EU takes this stance, China needs some reassurance that we are not working towards cutting it off from the western grid. On the other hand, the US requires validation that the world needs more cooperation. Removing sources of potentially harmful data from the grid before they become threats is pivotal, but for the EU, taking sides due to prejudice adopted from our companions undermines our diplomatic efforts. Here as well, balance can be achieved. Robert Knake’s article, What’s Wrong With The Clean Network Initiative?, presents some interesting pointers regarding the movement, such as a digital trade zone instead of the mass censure of China. The trade zone, or the like, in which we would be correct to show interest, could opt for credibility rather than “clean”, valuing the freedom of the internet, shared privacy protections and strengthened mechanisms for cross-border cybercrime. In other words, it would require member states to meet these commitments. Over time the digital trade zone could prove to be too large a market for the Chinese government or other individual states to ignore, Knake argues. This way, economic methods can be used to put significant pressure on states to change their ways.



The current version of the Clean Network program called for a response from China, and this was the Global Initiative on Data Security: a very general initiative calling on states to work together, while aiming to counter the censure presented by the Clean Network. The issue here lies in the concept of multilateralism turning into what it has become in the setting of the UN. It is an idea dominated by great powers, where small actors are left by the wayside. With threats to its sovereignty, the EU needs to stay cautious of this movement.

A second area to work on is cooperation in countering and identifying cyber crime. By opening borders with trusted partners to gain access and resources to act against unlawful actors, the EU could develop its capabilities as well as enforce trust in cyberspace. Certainly, many actors are afraid of revealing their cyber capabilities, but in time, supporting see-through tactics in sectors where everyone can agree would prove beneficial. One very present theme where cooperation is needed would be the handling of data. The non-paper led by Germany had an insightful take on this. “Regarding access to digital evidence, the EU and its Member states recognize the importance of encryption to protect important data. Now what is needed, is a lawful way to access digital evidence concerning malicious cyber activities.” Not an easy task to take on. The key here could be our perception of digital information. Data is something to be viewed by who owns it, not by its location. Therefore, instead of risking too strict regulation, it would be possible to bring in a third-party organisation to act as a middleman for all parties, being the individuals and the private and public sectors. This way of organizing should focus on gathering trusted and skilled individuals from different countries, which would enable smooth cooperation between participating states. The exchange of data through the “neutral zone” would still be secured by heavy resources, but not controlled by governments. Instead of the current trend of having all the information shared, only the parts that matter would be passed on as products. The rest would optimally be secured by international law and with that remain out of governmental control. This paradigm is built on three main pillars: law, politics, and technical understanding.

The third area of improvement is the EU’s view on international law. In February 2015, the Council of the EU strongly encouraged all members to support the western view of the applicability of international law in cyberspace. This is troubling, since current laws, especially in peace time, are not precise/unambiguous enough for agreement on how they can be applied to cover issues in the cyber context. Furthermore, we are limited by a lack of precedent regarding this matter. This is because when the law leaves too much room for states to operate, it can be manipulated. States such as the US, Russia and China are fully capable of utilizing the unclarity of law in situations which would logically require considerably stricter consequences, for example mass surveillance or the increasing use of APT groups as a means of hybrid warfare. Following the damage and potential harm caused, the focus here as well should be placed on data. The law condemns attacks on civilian objects, but can data be considered under this umbrella term? It has no physical structure, yet its influence is far greater than that of many physical objects. As a prime target for unethical operations, more needs to be done to protect it.

Conversation around this issue is restricted. Hollis, Vila and Rakhlina-Powsner offer good insight on this in their article Elaborating International Law for Cyberspace. States do support the idea of updates, but that is the extent of the argument. Even states that have been on the receiving end of “unlawful” actions are hesitant to accuse anyone per international law. Gatherings focusing on cybercrime are few, and those regarding international peace and safety in the cyber context are next to none.
As such, applying international law in cyberspace strongly depends on customary law. To approach the issue, hosting meetings focusing solely on the cyber context of peace and security could prove beneficial. Creating precedent is another area of potential improvement. As we start applying international law within the EU’s own jurisdiction more actively, the dominant view of distrust among the UN member states, leading to state silence, might change.

One more area to work on: the private sector holds a significant role within cyberspace, yet the current GGE-borne view gives states the mandate of cyber safety and security. An actor with such an amount of concrete power and resources is far too influential not to be included within the decision-making process. This is particularly true when the decisions involve it regardless of its presence. One might argue for the Global Tech Panel, but it lacks authority. Elsewhere, the fear of tech giants is not helping either. Is the private sector not at fault, then? The US vs. Google case, among many, remains a clear indication that there are still lacklustre efforts from the majority of organisations. However, it can still be noted that states are equally at fault regarding many of the claims made. While both actors abuse data with little regard for ethics, it is useless to point fingers. This, on the current scale, is possible only due to regulation falling further behind development. Essentially, the scale of ground-level knowledge within the private sector is vast, and the knowledge of politics does not fall short. Moreover, they face every decision we make; enabling them to rid the pressure coming from states, or at least allow measures to act against it.

So what is to be done? A possible solution is making it mandatory for the private sector to elect representatives, much like in politics. Participating in international politics as more than just a side character brings the sector a much-needed responsibility to act more discreetly as well as an opportunity to grow. The private sector can be an ally of the EU and presents a plethora of opportunities.

IT’S TIME THEN

With President Biden looking to draw red lines in protecting critical infrastructure against cyber-attacks, the timing is great for the EU to look for alignments according to these principles. Going forward as we currently do will only lead to more serious and irresponsible state behaviour. Technology is progressing in ways that, if left unregulated, mean that stomping on human rights cannot be avoided. The course is far from ideal, but with joint effort it is possible to make change. Looking for true cooperation where possible, as well as leading with insight and morale, are the keys to how the EU can reach concrete results in stabilizing cyberspace. Fortunately, the EU has always worked towards creating a more secure environment for our society to prosper in. This includes the cyber context. All it needs now is to focus this effort accordingly.

VEIKKO MARKKANEN
Veikko Markkanen, Junior analyst, Cyberwatch Finland

Veikko is currently studying at the University of Jyväskylä. He is completing a BSc in Computer Science and aims to graduate with an MSc in Cyber Security by 2025. With his passion for writing, Veikko’s skills in analytical thinking and pedagogy have already attracted interest from respected players in the fields of strategic cyber security and international cyber politics.



Cyberwatch Finland

A PASSION FOR A SAFE CYBER WORLD

We provide a situational picture and analysis of the ever-changing operating environment as a foundation for and the development of cyber security of critical services and infrastructure.

We conduct a cyber risk analysis and use modern methods to support your organisation’s comprehensive risk management, including the implications of cyber security. You will also receive tailored and cost-effective solutions, for instance, for staff training and the implementation of the most effective practices and new technology. Through our international network of experts, we bring forth the best specialists and technologies in the industry to support your cyber strategy. Working together, we can create a cyber culture that minimises risks and strengthens your organisation’s resilience to crises. Cyberwatch Finland strengthens the resilience of your organisation and helps prevent costly cyber disasters


BENEFITS AND COMPETITIVE ADVANTAGES:

Improved situational awareness is the basis for better decision-making. Our clients can establish a holistic cyber security strategy, build situational awareness across the organisation, and take the necessary measures to build cyber resilience.

We provide a comprehensive roadmap for a realistic cyber culture and cyber hygiene for your entire organisation.

Our experts have the ability to interpret and present complex cyber world phenomena and developments in an easy-to-understand format, utilising the latest technology, easily adaptable methods, and various media formats.

Our mission is to secure the functions of critical infrastructure as well as protect your organisation’s most valuable assets. We guide you to a solid cyber security culture that strengthens your organisation’s resilience to crises and reduces business risks.

We provide a holistic understanding of the interdependence of people, practices and technology, and their development opportunities. We rely on the model of continuous improvement and boldly look for new business models.

COMPANY

Cyberwatch Finland’s strategic-level international expertise is based on experience and an extensive network of experts. Our mission is to be our clients’ most trusted partner. Therefore we are constantly looking for the best ways to create steady strategic cyber security roadmaps to ensure your cyber security to the highest possible level.

Cyberwatch Finland Cyberwatch Finland Oy • Huopalahdentie 24, 00350 HELSINKI FINLAND www.cyberwatchfinland.fi


Cyberwatch Finland

FORMULATING A DEPENDABLE CYBER SECURITY WITH A COMPREHENSIVE APPROACH

Strategic cyber expertise requires a holistic view and understanding of the interdependencies of people, practices and technology, and the opportunities for development that they offer. Skilful cyber management in a digital operating environment requires reliable strategic cyber situational awareness and a cyber risk analysis tailored for your needs.

With the use of roadmaps, designed to create a safer corporate culture, we train executive teams and governments to develop their as a part of comprehensive crisis management, overall security and to ensure future competitiveness. Cyberwatch Finland strengthens the resilience of your organisation and helps prevent costly cyber disasters.


OUR SERVICES

Cyber security strategies, risk analysis and roadmaps

We develop cyber security strategies, risk analyses and roadmaps for cities and municipalities, states, companies and organisations aimed at a safer corporate culture, based on extensive strategic expertise and experiences.

The end result of well-executed strategy planning and implementation is resilience: an organisation’s stronger crisis resilience and defence against cyber attacks.

Strategic situational awareness to support management and decision-making

A cyber security risk assessment is done to help determine your organisation’s capabilities and limitations in detecting, preventing and responding to the evolving cyber threats.

Our expert reviews offer compact analyses of the most significant incidents in cyberspace, providing an extensive view of the background, cause and effect of each incident.

Modern education with e-learning and hybrid-learning methodologies

As a conceptual service, we produce monthly reviews, tailored seminars, webinars, games, workshops, podcasts and learning development solutions by utilising the latest technology and an international network of experts.

Cyberwatch forensic-services

Risk analysis is a key tool in facilitating your cyber security planning. Together, we begin by identifying risks, threats in your operating environment and vulnerabilities in your own organisation in order to be able to define the value and likelihood of the risk.

Cyberwatch Forensic assists companies and other organisations in preventing, detecting, and responding to fraud, compliance violations, and other misconducts. We offer you independent expertise, a clear operating model, and the level of support you want. With our long and extensive experience, we can help you reduce fraud and corruption risks and support in investigating internal or external misconducts. We also offer you a full-service whistleblowing channel.

Strategic analysis and reports of the cyber world

On the basis of a comprehensive strategy, a concrete roadmap and capacity building plan will be created. It defines how cyber security should be managed and how people should be trained, what technologies and best practices are needed, as well as all the other necessary practical actions and resourcing.

AI-powered analysis and information services based on our expertise

Innovative and unique cyber security technologies

We support our customers in building resilient critical infrastructure through services and technical solutions that meet the cybersecurity requirements at the highest level in the fast-changing world.


Cyberwatch Finland

QUARTERLY REVIEW


Q2 2021


CONTENT

1. Country-analysis – Sweden
2. Cyber security of smart properties
3. Drone cyber protection and use in cyber-attacks
4. Cooperation between states and cyber proxies

In the second quarterly report of the year, we will address five topics.

Our neighbouring nation Sweden, which is highly regarded internationally for its cyber capabilities, especially in intelligence, is considered next in the country-analysis. Sweden’s intelligence legislation enabled technical cyber intelligence decades before Finland. Thanks to extensive cyber training, skilled resources are available on the labour market. However, the responsibilities of national cyber defence are scattered and, to improve the situation, Sweden has set up its own cybersecurity centre this year.

The operation and security of properties are increasingly dependent on information technology. Modern buildings consist of several safety and automated systems that are controlled via internet connections. Connecting the safety and automated systems to the internet makes them vulnerable to cyber-attacks. Almost half of smart properties are subjected to at least one cyber-attack a year. The responsibility for the cyber security of smart properties is often decentralised to several actors, which is why cyber security should be considered as a whole during the construction phase.

The use of drones has increased rapidly, and they are used to implement services for the private and public sectors. As their use increases, so does the attention of cyber criminals. The cyber security of drones should pay particular attention to wireless connections and locations, as they can be subjected to interference. Drones can be used in cyber attacks on targets that have been physically isolated and whose computer networks are not connected to the public network. From the start of 2023, drone identification will become easier as remote identification will become mandatory.

For centuries, nations have been using surrogates or proxies for military operations. During this millennium, the use of proxies has also expanded to the cyber operation environment. In recent years, debates about the use of proxies have focused exclusively on the cooperation between nations and cyber criminals. However, the concept of proxy has recently expanded to legal proxies, such as private companies, paramilitary organisations, or even university students. The use of proxies will approach professional subcontracting in the future. The use of proxies should be goal-oriented and systematic, and rules of the game for action should be established through cybersecurity strategies.

In accordance with the Russian military doctrine, armed forces seek superiority in all dimensions of warfare, and superiority in the information dimension on the battlefield is sought using electronic warfare. Western experts today estimate that within the next few years the Russian armed forces would already be able to block all civilian, military and satellite connections of the enemy on the battlefield, as well as the use of positioning systems.



1. COUNTRY-ANALYSIS – SWEDEN

1. Sweden has a long tradition of cyber intelligence, which has been made possible by national intelligence legislation since 2008. Sweden has been developing its cyber intelligence capabilities on a long-term basis and will remain at an internationally high level in this area in the near future.
2. Cyber security training is on the rise. Master's programmes in cyber security can be found in several Swedish higher education institutions. A special cyber soldier training programme will be launched in the Swedish defence forces next year. Sweden's position as one of the leading countries in digitalisation will be strengthened thanks to comprehensive cybersecurity training.
3. The responsibilities for coordinating and implementing cybersecurity have been decentralised to different agencies, and clear national leadership is lacking. Efforts are being made to improve the situation through the National Cyber Security Centre, whose establishment has started and will be completed by 2025.
4. Sweden's main cyber threat comes from Russia. Recent serious data breaches have been traced back to Russian intelligence and the groups it supports. Swedish high-tech companies, for example in fighter jet and telecommunications projects, are exposed to an exceptionally high risk of cyber espionage in the near future.

Sweden's cyber intelligence capabilities have traditionally been at a high international level. Sweden has cooperated on a long-term basis with Western intelligence organisations within the framework of the so-called Fourteen Eyes cooperation agreement, which brings together the so-called Five Eyes countries (the United States, Canada, Australia, New Zealand, and the United Kingdom) and an additional nine European countries. In Sweden, the FRA (Försvarets radioanstalt) is the leading signals intelligence organisation, and it has made a long-term commitment to building the nation's cyber intelligence capabilities in this millennium. The development work has also been facilitated by national intelligence legislation, which has a lead of more than ten years over the development of Finnish intelligence legislation.



In 2008, the Swedish Parliament passed the so-called 'eavesdropping law' by a narrow majority, which enabled the FRA to monitor data and telephone communication passing through Sweden. At the same time, it was reported that the FRA had acquired the fifth most powerful supercomputer in the world for monitoring computer networks and telephone traffic. Later, in 2013, when the Finnish Ministry for Foreign Affairs fell victim to a hack, the tip-off came from the Swedes, at a time when we were still completely unaware of a foreign state's espionage in the ministry's information network.

Cybersecurity training is on the rise in Sweden. Swedish universities have numerous master's programmes in cybersecurity, and training is also offered at lower levels of education. In 2022, the Swedish army will launch a new cyber soldier training programme for conscripts, the contents of which have been developed in cooperation with the Royal Swedish University of Technology. This spring, the Swedish Army's cybersecurity team also gave a good display of its expertise in NATO's annual Locked Shields cybersecurity competition, where the Swedish team brought home the first prize.

Despite its good expertise in cybersecurity, Sweden is falling behind many other European countries in organising and leading national cybersecurity activities. In Sweden, the implementation and maintenance of cybersecurity mainly involves four authorities, none of which currently plays a coordinating and leading role in the implementation and management of cybersecurity. The Swedish Defence Forces are responsible for military cyber defence, the security police SÄPO for civilian cyber intelligence, and the FRA for military cyber intelligence, while the Swedish Social Protection and Preparedness Agency MSB (Myndigheten för samhällsskydd och beredskap) maintains the national CERT function.
Sweden's first cybersecurity strategy was published in 2017, and it too takes no clear line on how to manage cybersecurity at national level. The strategy describes different cooperation models between public administrations and business actors, but practical coordination and leadership have been lacking. At the end of last year, Swedish Defence Minister Peter Hultqvist announced the establishment of the National Cyber Security Center (NCSC). Implementation will begin in the current year and the Centre is due to be fully operational by 2025. A total of approximately EUR 50 million has been earmarked for implementation, spread over a five-year period. The Swedish Defence Forces and the FRA are mainly responsible for the implementation, but SÄPO and MSB are also involved in the project. This will finally give Sweden its own cybersecurity centre, something that has been in operation in the other Nordic countries for several years.

Over the past few years, Sweden has been a victim of serious cyberattacks, and Russia or the cybercriminal groups it supports are believed to be behind them. Several recent data breaches have been traced back to the Russian-backed Fancy Bear and Cozy Bear groups. In April, SÄPO reported on a data breach against the Swedish National Association of Athletics Federations, which resulted in athletes' health data being published on the Internet. The data breach has been compared with the Finnish Vastaamo case in terms of its severity. Another serious data breach occurred last autumn when data from customer projects at Gunnebo, a Swedish security company, was published on the darknet. The information included detailed descriptions of the security systems installed by Gunnebo, for example, in banks and government buildings.

Sweden regards the state cyber threat from Russia as its most significant cybersecurity risk factor.
The data breaches described above are part of cyber-influencing that undermines trust in society and in the ability of business to protect its activities from cyberattacks. Swedish companies are also involved in the development of high-quality military technology in areas such as fighter jet projects and telecommunications systems. Such activities are subject to a significant threat of cyber espionage, which may come not only from state actors but also from cybercriminal groups driven by commercial interests.

REFERENCES:

- Säkerhetspolisen: Cybersäkerhet i Sverige – Hot, metoder, brister och beroenden. https://www.sakerhetspolisen.se/download/18.f2735ce171767402ba202/1591164566288/Rapport-Cybersakerhet-Hot-Metoder-Brister.pdf
- Årsrapport 2020, Blicken på en omvärld i förändring, FRA.
- National Cyber Security Strategy (Skr. 2016/17:213), Ministry of Justice, Sweden.
- https://www.sakerhetspolisen.se/ovrigt/pressrum/cybersakerhetscenter.html
- https://www.forsvarsmakten.se/sv/var-verksamhet/det-har-gor-forsvarsmakten/cyberforsvar/
- https://ccdcoe.org/news/2021/sweden-scored-highest-at-the-cyber-defence-exercise-locked-shields-2021/
- https://www.svt.se/sport/idrott/rysk-cyberattack-for-att-svartmala-svenska-idrottare



2. CYBER SECURITY OF SMART PROPERTIES

1. The conditions, safety and operations of real estate are increasingly controlled by information technology. Modern buildings include numerous safety and automation systems that are managed through internet connections. Connecting security and automation systems to the internet exposes them to cyberattacks.
2. In recent years, there have been numerous successful cyberattacks on public properties. The attacks have targeted the property itself and its automation systems, and have also paralysed safety systems to facilitate intrusion into the property.
3. The property owner's and tenants' own information systems form a challenging whole in terms of cybersecurity. The safety of wireless smart devices for consumer use is not always at the same level as that of professional devices, which makes it difficult to manage the overall safety of the property.
4. Smart real estate systems are more connected and more open than those in industry. The best security measures are hardening of equipment and systems, as well as protection of connections between devices with high-quality encryption methods.
5. The overall responsibility for cybersecurity must be taken under control already during the construction phase. Too often, the parties involved in property management are not even aware of all the cyber vulnerabilities that threaten the property, which also makes it difficult to protect the property.



Society and its infrastructure are rapidly becoming networked. This has also happened to real estate. Building owners want to reduce costs by optimising energy consumption. In addition, the comfort of employees and customers staying in the property is a competitive factor, and the aim is to provide the conditions that support comfort optimally. The property is heated or cooled only when and where it is necessary. This functionality requires the use of more versatile heating and ventilation systems. The system's sensors communicate in real time and receive control commands from the control system continuously. Control is often implemented independently of location, which in practice means that the systems are managed over internet connections.

Property security is also managed and monitored using information technology. The doors open and close with the help of electronic locks, and the same system is used to control people's access to different parts of the property. People moving around the building are monitored using recording camera systems. The burglar protection system raises the alarm if unauthorised access routes are opened, or if the system detects movement in areas of the property where there should not be any. Access control, camera surveillance and burglar protection systems are increasingly offered as a cloud service rather than on local IT infrastructure.

According to the information security company Kaspersky, 40% of smart properties in the UK were hit by at least one cyber-attack in 2019. Of course, only a small number of attacks are successful, and even these cases are only reported in the news when the attack has caused severe damage or has targeted personal data. In 2018, the cooling systems of a Dutch pharmacy's refrigeration facility used to store medicine were paralysed in a cyber-attack over the internet.
The attack was carried out by a former pharmacy employee who wanted revenge for the wrongful treatment they felt they had received from their employer. The perpetrator took advantage of a username and password in their possession, which had not been disabled after the termination of their employment. A couple of years earlier in Lappeenranta, an apartment building cooled down due to a denial-of-service attack on the heating system, and in Austria, hotel guests remained in their rooms after a cyber-attack had taken down the central locking system on the hotel doors.

Cyber-attacks can also target smart properties as part of other crime. Recording camera systems can be shut down by a denial-of-service attack, and access control and burglar alarm systems can be disrupted by malware placed on the server. Once security systems have been eliminated through a cyber-attack, physical intrusion into the property is greatly facilitated.

In the case of security systems, in particular camera systems, a cyberattack may be aimed at spying or gathering personal data. In March this year, there was widespread news in the United States of a cyberattack on camera systems, in which cybercriminals gained access to 150,000 surveillance cameras at different locations. The attack targeted a company that maintains a CCTV system, allowing access to a massive repository of recordings. Numerous hospitals, schools and government agencies were affected, as well as private operators such as Tesla car factories. This recent case serves as a good example of the cyber threat to smart properties when security systems have been acquired in a decentralised manner as a cloud service.

Not all systems for managing the safety and conditions of a property are controlled by the owner of the property. A tenant who controls part of the property can install their own systems in their area.
Such systems are installed to meet the tenant's individual needs, such as controlling lighting, household appliances and comfort devices. Product development cycles for wireless consumer smart devices are fast, and getting products on the market may require developers to compromise on their safety. According to a recent American study, there are currently around 100 million IoT sensors on the market with a serious cybersecurity vulnerability. Most of the vulnerable IoT sensors are installed in consumer devices.

Since real estate information systems are largely automation systems, it would be easy to think that their security is handled in the same way as in industrial automation systems. However, building automation systems differ from similar systems in industry. Real estate systems are more networked than those in industry, and several systems are in constant interaction with each other. For example, air conditioning, heating, and lighting systems often communicate with each other to achieve optimal conditions. In addition, real estate systems operate in a more open environment than industrial systems. For example, the wireless LAN used by shopping centre systems is accessible to numerous customers. Comparable industrial networks are often in a closed factory area or building, which a much narrower group of outsiders can physically reach.

There are major differences in the cyber capabilities of smart property security systems, and the first step in this regard would be to choose a reliable hardware and software vendor. Particular attention should be paid to the quality of encryption methods for device-to-device communication. Wireless connections such as WLAN and especially Bluetooth allow insecure connections to be implemented if the devices do not support strong enough encryption, or if the security features are incorrectly configured. IoT devices often use default passwords printed on the case of the device, which must be changed before commissioning. User management for device control systems and servers, and its processes, should be properly organised to ensure, for example, that passwords are strong enough and that only the required number of user accounts exist. All of these are basic tasks of cybersecurity, but unfortunately, they are often left without sufficient attention in connection with property control, automation, and security systems. Poorly secured servers are easy to hack into, giving access to system user accounts and weak passwords. According to various sources, there were numerous cases in 2020 of user IDs and passwords for real estate security systems being sold on the darknet to criminals interested in them.

Several parties participate in the design, construction, commissioning and use of the property itself. Cybersecurity is involved at all stages, with varying contributions from different parties and often without coordination. In addition, solutions affecting cybersecurity are implemented in parallel without assessing their interdependencies. The design, tendering, installation, commissioning, and maintenance of smart property IT solutions should be arranged in such a way that, from the beginning of the life cycle of a smart property, cybersecurity is considered as a whole. This allows the components of cybersecurity to be treated as a comprehensive entity and ensures high-quality cyber defence of smart properties.

REFERENCES:

- Krishnan & al. Security Considerations for IoT in Smart Buildings, 2017. IEEE International Conference on Computational Intelligence and Computing Research.
- Santos & al. Leveraging Operational Technology and the Internet of Things to Attack Smart Buildings, 2019. Journal of Network and Computer Applications.
- https://www.fmindustry.com/en/2020/best_practice/48770/Protecting-Smart-Buildings-from-Cyber-Attacks-smart-buildings-cyber-security-best-practice-Cyber-Security-Smart-Facilities.htm
- https://www.cpomagazine.com/cyber-security/new-kaspersky-report-suggests-4-in-10-smart-buildings-at-risk-of-cyber-attack/
- https://www.bbc.com/news/technology-56342525
- https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams
- https://www.wired.com/story/namewreck-iot-vulnerabilities-tcpip-millions-devices/
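The user-management and commissioning checks described in this section (credentials left active after employment ends, factory default passwords, weakly protected WLAN and Bluetooth links) can be run against an inventory export of a property's systems. The following Python script is an added example, not part of the original report; the record fields, the sample data, the 90-day dormancy threshold and the list of weak link settings are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Link security settings treated as too weak (assumed policy for this example).
WEAK_LINK_SECURITY = {
    "wlan": {"open", "wep", "wpa"},
    "bluetooth": {"none", "legacy-pairing"},
}


@dataclass
class Account:
    user: str
    system: str                      # building system the account belongs to
    enabled: bool
    last_login: Optional[date]       # None = never used
    employment_end: Optional[date]   # from HR records; None = still employed


@dataclass
class Device:
    name: str
    link: str                        # "wlan", "bluetooth" or "wired"
    link_security: str               # setting reported by the device
    default_password_changed: bool


def audit_accounts(accounts: List[Account], today: date,
                   dormant_days: int = 90) -> List[Tuple[str, str, str]]:
    """Flag enabled accounts of departed staff and accounts nobody uses."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acc in accounts:
        if not acc.enabled:
            continue  # disabled accounts cannot be used to log in
        if acc.employment_end is not None and acc.employment_end <= today:
            findings.append((acc.user, acc.system,
                             "enabled after employment ended"))
        elif acc.last_login is None or acc.last_login < cutoff:
            findings.append((acc.user, acc.system,
                             "dormant account, review whether it is required"))
    return findings


def audit_devices(devices: List[Device]) -> List[Tuple[str, str]]:
    """Flag devices that would fail a pre-commissioning check."""
    findings = []
    for dev in devices:
        if not dev.default_password_changed:
            findings.append((dev.name, "factory default password still set"))
        weak = WEAK_LINK_SECURITY.get(dev.link, set())
        if dev.link_security.lower() in weak:
            findings.append(
                (dev.name, f"weak {dev.link} security: {dev.link_security}"))
    return findings


# Constructed sample inventory; all names and values are hypothetical.
TODAY = date(2021, 9, 1)
ACCOUNTS = [
    Account("a.virtanen", "hvac", True, date(2021, 8, 30), None),
    Account("b.former", "cooling", True, date(2021, 3, 2), date(2021, 2, 28)),
    Account("installer", "access-control", True, None, None),
    Account("c.left", "cctv", False, date(2020, 12, 1), date(2020, 12, 31)),
]
DEVICES = [
    Device("lobby-camera-1", "wlan", "WPA2", True),
    Device("door-lock-3f", "bluetooth", "legacy-pairing", True),
    Device("hvac-sensor-12", "wlan", "WEP", False),
]

if __name__ == "__main__":
    for user, system, reason in audit_accounts(ACCOUNTS, TODAY):
        print(f"ACCOUNT {user}@{system}: {reason}")
    for name, reason in audit_devices(DEVICES):
        print(f"DEVICE  {name}: {reason}")
```

The account for the departed employee that is still enabled is the same failure that made the Dutch pharmacy incident possible, which is why that check takes priority over the dormancy check.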

3. DRONE CYBER PROTECTION AND USE IN CYBER-ATTACKS

1. The use of drones is rapidly increasing, and they are carrying out a growing number of services in the commercial sector and public administration. As the use of drone systems increases, they become an ever more attractive target for cyber criminals.
2. Drone systems are information systems, and they are subject to the same cyber threats as any other system. Specific threats to drones are GPS spoofing, hijacking the drone, and crippling its operation through radio frequency interference.
3. Drones can also be used as a tool for a cyberattack. Drones can pose a particular threat to targets that are physically isolated and use wireless networks or IoT technology.
4. The identification of drones will become easier from the beginning of 2023, when a remote identification system becomes mandatory. Thanks to the system, anyone can identify an airborne drone, and drones flying without a tag are illegal. Restricting or blocking drone operations is an activity under the Aviation Act and is only possible for authorities.



The number of drones has grown rapidly both in Finland and around the world. According to the new aviation regulations governing drone operations, drones and their users must be registered with local authorities, such as Traficom in Finland. According to Traficom's estimate, there are approximately 50,000 drones in Finland, of which about one-tenth were registered last year. The number of registrations is growing rapidly this year, as registration became mandatory for enthusiasts from the beginning of the year. According to statistics, there are about one million registered drones in the United States, about a third of which are in commercial use.

Drones can be used for a variety of purposes, the most common of which are aerial photography and measurement services in different application areas. In addition, drones are currently used on a small scale for freight transport services. Authorities use drones for various surveillance and reconnaissance missions. Purely recreational use is also a significant part of drone operations.

According to EU aviation regulations, drones are divided into three categories. The open category includes most drones. Their weight does not exceed 25 kg including the load, and the maximum flight altitude is 120 meters. Drones in the specific category are already significantly larger and are usually used for commercial transport services. The certified category is in practice equivalent to manned airline aviation. Only drones weighing less than 250 grams are exempt from registration.

The more important the role drones gain in commercial or public government applications, the more attractive a target drone systems become in the eyes of a cyber attacker. In the future, drones may even be part of critical infrastructure if, for example, transports that are important for security of supply are carried out through drone services. As a concept, the drone has expanded from a single drone to a system of flying devices.
The old term UAV, or Unmanned Aerial Vehicle, has now officially been replaced by Unmanned Aerial System (UAS). Because drone systems are practically flying wireless information systems, they are under the same cyber threats as other wireless information systems. Drone systems can be hacked, a drone can be hijacked in the middle of a flight mission, systems can be disabled by a denial-of-service attack or malware, and the system can be misled by altering the location data it uses by means of a GPS spoofing attack.

Vulnerabilities in a drone system are usually analyzed using the so-called STRIDE method (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privileges). The most common attack on drone systems is spoofing. It feeds incorrect GPS data into the system, causing the drone to fly to the wrong place or follow the wrong route. With the help of a spoofing attack, the drone can also be hijacked during flight. The second most common is a denial-of-service attack, for example, by interfering with the radio signal between the control system and the flying devices, which paralyses the operation of the drone system.

As with other information systems, drone system manufacturers are constantly developing methods to combat cyberattacks. The control connections are protected by strong encryption and authentication; when the connection is lost, the drone can fly back to the point of departure; and cryptographic algorithms are used to verify the authenticity of the GPS signal. In addition, wireless control connections are implemented using frequency hopping technology instead of fixed frequencies, making them more resilient to radio frequency interference.

The cybersecurity of drone swarms puts the emphasis on accurate positioning technology, because the drones fly in the same formation close to each other. In a swarm, the accuracy requirement for positioning is in centimetres, and instead of one drone, the base station must be connected to the IoT sensors of dozens, or even hundreds, of drones. The accuracy requirement and the volume of communications make positioning a key risk factor for drone swarms, which is also of interest to a potential cyber attacker. Swiss technology company U-blox, which also has product development operations in Finland, has patented technology that uses different positioning technologies for swarms of drones. According to the company, the solutions also use advanced technology to prevent interference with and falsification of positioning data.

Drones can also be used for cyberattacks. The drone itself is not exactly a new cyber threat, but it provides an easily mobile platform for the actual instrument of a cyberattack. The greatest benefit of drones is therefore in situations where the success of a cyberattack requires a physically short distance from the target. This is particularly the case for wireless networks installed in, for example, power plants, military bases, or industrial production facilities, where the area is often fenced and physical access to the site is otherwise difficult. The drone can be used to survey wireless networks in the area, to paralyse networks using a jamming device placed in the drone, or to set up a fake access point on the network that listens to network traffic.
In addition, the aerial photography capability of drones can be used to identify vulnerabilities in the target, or to plan subsequent physical intrusion.

Another area of application is bringing different sensors close to the target. For example, a drone can be used to bring a small computer for cyber espionage within reach of a wireless network and to retrieve it at the end of the espionage. Devices manufactured for this purpose with Raspberry Pi technology are sold on the black market. In addition, the drone can be used to bring external IoT sensors to targets using industrial automation, either to collect data from the target area via Bluetooth and RFID interfaces or to use the sensors for a cyberattack. For example, a smartphone can be attacked via a Bluetooth sensor instead of a conventional network connection. Drones have also been used to identify individuals using facial recognition software placed in the drone's camera system. Barcodes and QR codes can also be read in an isolated environment when the reader can be brought by drone close enough to the target.

Several different methods have been developed for detecting and combating unlicensed drones. In addition to visual and auditory observations, drones can be detected by monitoring radio frequency control traffic, or by radar surveillance. Anyone can listen to radio frequencies, but distinguishing drone control traffic from other radio frequency radiation requires in-depth professional or hobbyist expertise. A mandatory remote identification system for identifying drones is coming from the beginning of 2023. In it, the drone constantly sends its own tag, which is readable by anyone using a suitable antenna and smartphone app. The feature can technically be disabled, but the drone will then become illegal in the same way as a car whose license plates have been removed.
There are numerous ways to combat unlicensed drones, but as a rule, influencing and combating the movement of drones is an activity under the Aviation Act that is only permitted for authorities in specified situations. So, you should not restrict or block a drone flight on your own. The most common method of limiting the movement of drones is electronic fencing, or geofencing, of an area. By decision of the authorities, air operations may be restricted, for example, in government, health care, or industrial protection areas, which are programmed into drone control systems so that drones do not fly into the restricted areas. This restriction can also be illegally lifted by modifications to the drone system. In addition, the authorities can use control systems to disable the drone and, if necessary, to bring it down. Even more sophisticated control systems have been made for military use to destroy individual drones and large swarms of drones.

REFERENCES:

- https://www.droneinfo.fi/fi
- https://www.faa.gov/uas/resources/by_the_numbers/
- https://www.forbes.com/sites/forbestechcouncil/2021/02/25/cybersecurity-and-dronesa-threat-from-above/
- https://www.army.mil/article/224284/new_cyber_enabled_system_provides_a_key_countermeasure_to_drone_threats
- https://www.kaspersky.com/resource-center/threats/can-drones-be-hacked
- https://www.u-blox.com/en/casestudies/drone-navigation-high-precision-rtk-gnss-technology
- Vuorenmaa, T. Luvattomien dronejen torjunta. Tampereen yliopisto, 2019.
- Ly, B & Ly, R. Cybersecurity in unmanned aerial vehicles. Journal of Cyber Security Technology, 5:2 (120-137), 2021.
- Best, K et al. How to analyze the cyber threat from drones. RAND Corporation, 2020.



4. COOPERATION BETWEEN STATES AND CYBER PROXIES

1. States use substitutes, i.e., proxies, mainly for offensive activities. A proxy makes it possible to mask the origins of the activity and may have better know-how for carrying out an attack than the state's own cyber forces.
2. Cybercriminals have been used as proxies, especially in corrupt countries. Not only criminals, but also national defence organisations and companies can act as proxies. The use of so-called legal proxies will increase in the future, especially in western countries.
3. The use of proxies in cyber influence will be more professional in the future, and a network of private sector subcontractors will be formed around the operations. The use of legal proxies should be considered in the cybersecurity strategy, and principles and objectives should be established for the operation.

For centuries, states have used various surrogates, i.e., proxy players, in different areas of warfare. Non-government proxies can be roughly divided into two categories. The first category represents a more traditional use case and includes mercenaries who are directly involved, in which case the military action is carried out by a private military group instead of a state army. The second category includes groups operating in the target country, usually seeking to upset the social order or to bring about revolution, which receive external support from countries opposed to the current regime. Activities in the latter category were particularly lively during the Cold War in the second half of the 1990s and have experienced a new rise in the 21st century as one form of hybrid influence.

States use proxies to conduct offensive cyber operations. There are two main reasons for using a proxy. The first is to exploit the so-called attribution problem. The traces of a cyberattack are reasonably easy to hide in such a way that even if the suspicion about the perpetrator of the attack is strong, the link cannot be fully established. The attribution problem provides protection for hybrid influence through cyberattack, which relies on at least partial concealment of the origin of the activity. The unclear situation gives the hybrid influencer a head start in performing other functions.

The other reason is the know-how needed for an attack, which the state's own cyber forces may not have to the same extent as the proxy. Many states have managed to recruit top-notch talent to their cyber corps, but a significant part of the know-how can be found in the private sector. A proxy can be ordered to complete a cyberattack and all its steps, or, for example, just to install malware on the target system, after which the client plans and implements the follow-up to the attack.
Proxies are currently used primarily for one-off targeted strikes in situations where the activity is at least partially obscured and the skills suitable for the task are more readily available from the proxy than from the state's own personnel.

Because of the offensive nature of the activity, the use of proxies has until now been regarded as simply criminal, or at the very least as something to be disapproved of. However, cyber-influencing has become a daily phenomenon between states, one that every cyber superpower practises towards other countries. Recently, attempts have been made to create common rules for cyber influence. The first concrete signs of this were seen in June at a meeting between the Presidents of Russia and the United States, where Biden presented Putin with a list of targets on which Russia is not allowed to conduct cyberattacks.

The definition of a proxy in cyber influence has recently expanded. According to American cyber researcher Tim Maurer, the proxy need not be a criminal group, but could also be, for example, a paramilitary organisation or, say, a permanent or temporary group of experts formed from university students. The primary motive of these groups for serving their country as a cyber proxy is not economic but ideological. India, China, and Pakistan have used this type of proxy in their operations. The UN Human Rights Unit sees the use of cyber proxies also expanding into defence activities. An example of this is a national defence organisation called Kaitseliit in our southern neighbour, Estonia, and its cyber unit. Kaitseliit's cyber unit originated after a strong availability attack by Russia in 2007, and its main objective is to protect Estonia's critical infrastructure from cyberattacks. Voluntary organisations such as Kaitseliit exist in numerous different countries, and their use for cyber activities is also on the rise.

Maurer divides the relationship between states and proxies into three categories. In the delegation relationship, the proxy is strictly controlled by the state, and support for the action comes mainly from the state. Delegation relationships are used especially in western countries, where cooperation resembles normal subcontracting. In this case, the proxy receives an agreed reward for the actions it has taken. Delegation-based proxies are usually legitimate cyber companies that may not have an ideological relationship with the mandating state.
Orchestration refers to the coordination of the activities of one or more loosely organized proxies, in which case the state does not give specific instructions for the task, but the vision and goals of the action are agreed on in general terms. The previously mentioned paramilitary groups and the use of students are examples of orchestration. In this case, the state and proxy generally also share a common ideological background.

The third form of the proxy relationship, sanctioning, is used only in the case of cybercriminals. In it, the state gives the proxy freedom to engage in criminal activity if the proxy does favours for the state. In a way, therefore, the state turns a blind eye to the crimes committed by the proxy if they remain within predetermined limits, and may also in part directly finance the proxy's activities. Such a proxy relationship has been common in countries such as Russia and North Korea.

The use of proxies in cyber influence will become more professional and a network of private sector subcontractors will form around the operations. In most cases, a delegation relationship is established between the state and the proxy, and the proxy is increasingly a private, legitimate company instead of cybercriminals. The share of paramilitaries and other ideological groups among proxy groups remains unchanged or increases slightly. In addition to traditional shooting exercises, national defence organisations organise cyber-military exercises and are determined to develop their expertise in this area.

Legitimate proxies can significantly strengthen states' cyber capabilities if they are used systematically as part of other cyber activities. Cyber-influencing is the only area of warfare where a proxy can in some respects perform better than the military itself. The proxy should be understood broadly as part of a government subcontracting network, and not just as a collaboration with criminal groups.
Proper use of proxies must also be possible under the rule of law without any link to criminal groups. For this reason, the principles of using proxies in cyber-influencing should also be recorded in the next cybersecurity strategies.

REFERENCES:
Maurer, T. Cyber Mercenaries – The State, Hackers and Power. 2018.
Swed, O. & Burland, D. Cyber Mercenaries: Review of the Cyber and Intelligence PMSC Market. United Nations Human Rights. 2021.
https://www.reuters.com/technology/biden-tells-putin-certain-cyber-attacks-should-be-off-limits-2021-06-16/


QUARTERLY REVIEW Q2/2021

CONTENTS
1. Country analysis – Sweden
2. Cyber security of smart buildings
3. Cyber protection of drones and their use in cyberattacks
4. Cooperation between states and cyber proxies
Special report: An overview of Russia's electronic warfare

In the second quarterly review of the year we cover five topics. The country analysis turns to our neighbour Sweden, whose cyber capability, particularly in intelligence, is at a high international level. Sweden's intelligence legislation enabled technical cyber intelligence some ten years before Finland's did. Thanks to extensive cyber education, skilled resources are available to the labour market. By contrast, responsibilities for national cyber defence are dispersed, and to improve the situation Sweden has this year established its own cyber security centre.

The operation and security of buildings depend increasingly on information technology. Modern buildings contain numerous security and automation systems that are managed over internet connections. Connecting security and automation systems to the internet also exposes them to cyberattacks. Nearly half of all so-called smart buildings are targeted by at least one cyberattack a year. Responsibility for the cyber security of smart buildings is often split among several parties, which is why cyber security should be considered as a single whole already at the construction stage.

The use of drones has grown rapidly, and they are used to deliver various services to the private and public sectors. As use increases, they also attract the interest of cybercriminals. In drone cyber security, particular attention must be paid to wireless links and positioning, both of which can be subjected to interference. Drones can also be used as a tool for cyberattacks against targets that are physically isolated and whose networks are not connected to public networks. Identifying drones will become easier from the beginning of 2023, when a remote identification system open to everyone becomes mandatory.

States have used surrogate actors, or proxies, in military operations for centuries. In this millennium the use of proxies has extended to cyber operations as well. In recent years the discussion on the use of proxies has focused almost exclusively on cooperation between states and cybercriminals. The concept of a proxy has, however, recently broadened to include legitimate proxies, which can be, for example, private companies, paramilitary organisations or even university students. In the future the use of proxies will approach professional subcontracting. The use of proxies should be goal-oriented and planned, and the rules for the activity should be set through cyber security strategies.

In line with Russia's military doctrine, the armed forces seek superiority in all dimensions of warfare, and in the information dimension of the battlefield it is sought specifically by means of electronic warfare. Western experts now estimate that within the next few years the Russian armed forces would be able to block all of the enemy's civilian, military and satellite communications in the battle area, as well as the use of positioning systems.



1. COUNTRY ANALYSIS – SWEDEN

1. Sweden has long traditions in cyber intelligence, which national intelligence legislation has made possible since 2008. Sweden has developed its cyber intelligence capabilities over the long term and will remain at a high international level in this area in the near future as well.
2. Cyber security education is on a strong upswing. Master's programmes in cyber security are offered at several Swedish universities. A dedicated cyber soldier training programme will start in the Swedish Armed Forces next year. Sweden's position as one of the leading countries in digitalisation is strengthened by comprehensive cyber security education.
3. Responsibilities for coordinating and implementing cyber security are spread across different agencies, and clear national leadership is lacking. An attempt is being made to improve the situation through a national cyber security centre, whose establishment has begun and will be completed by 2025.
4. Sweden's most central cyber threat comes from Russia. Recent serious data breaches have been traced to the Russian intelligence service and groups it supports. Swedish high-technology companies, for example in fighter aircraft and telecommunications projects, will face an exceptionally high threat of cyber espionage in the near future.

Sweden's cyber intelligence capabilities have traditionally been at a high international level. Sweden has cooperated over the long term with Western intelligence organisations under the so-called Fourteen Eyes cooperation agreement. In addition to the so-called Five Eyes countries, that is the United States, Canada, Australia, New Zealand and the United Kingdom, it includes nine European countries. From this starting point FRA (Försvarets Radioanstalt), which leads Sweden's signals intelligence, has built up the country's cyber intelligence capability over the long term in this millennium. The development work has also been helped by national intelligence legislation, which has a head start of more than ten years over the development of Finnish intelligence legislation. In 2008 the Swedish parliament approved by a narrow majority the so-called "wiretapping law", which allowed FRA to monitor data and telephone traffic passing through Sweden. At the same time it was reported that FRA had acquired what was then the world's fifth most powerful supercomputer for monitoring data networks and telephone traffic. Later, in 2013, when the Finnish Ministry for Foreign Affairs fell victim to a data breach, the tip-off about the intrusion came precisely from the Swedes, while in Finland we were still entirely unaware of a foreign state's espionage in the ministry's network.

Cyber security education is on a strong upswing in Sweden. Swedish universities offer numerous master's programmes in cyber security, and education is also offered at lower levels of education. In 2022 the Swedish army will launch a new cyber soldier training programme for conscripts, the content of which has been developed in cooperation with the Swedish Royal Institute of Technology. The Swedish army's cyber security team also gave a good demonstration of its skills this spring in Locked Shields, the cyber security competition organised annually by NATO, in which the Swedish team took home first prize.

Despite good cyber security expertise, Sweden lags behind many other European countries in organising and centralising national cyber security activities. In Sweden, four authorities mainly take part in implementing and maintaining cyber security, none of which currently has a role coordinating and leading cyber security as a whole. The Swedish Armed Forces are responsible for military cyber defence, the security police SÄPO for civilian-sector cyber intelligence, FRA for military cyber intelligence, and the Swedish Civil Contingencies Agency MSB (Myndigheten för samhällsskydd och beredskap) maintains the national CERT function. Sweden's first cyber security strategy was published in 2017, and it too takes no clear line on leading cyber security at the national level. The strategy describes various models of cooperation between public administration and business actors, but practical coordination and leadership have been missing from the strategies.

At the end of last year Sweden's Minister for Defence Peter Hultqvist announced the establishment of a national cyber security centre, NCSC (National Cyber Security Center). Implementation begins this year and the centre is due to be fully operational by 2025. A total of about 50 million euros has been set aside for the implementation, spread over five years. Responsibility for implementation lies mainly with the Swedish Armed Forces and FRA, but SÄPO and MSB are also involved in the project. In this way Sweden too will finally get its own cyber security centre, of the kind that has been in operation in the other Nordic countries for several years already.

In recent years Sweden has suffered serious cyberattacks, behind which Russia in particular, or cybercriminal groups it supports, is assessed to be. The Russian-backed Fancy Bear and Cozy Bear groups have been traced as the perpetrators of several recent data breaches. In April SÄPO reported a data breach targeting the Swedish national sports confederation, as a result of which athletes' health data was published on the internet. In its seriousness the breach has been compared to Finland's own Vastaamo case. Another serious data breach took place last autumn, when data on the customer projects of the Swedish security company Gunnebo was published on the DarkNet. The data included detailed descriptions of security systems installed by Gunnebo in, for example, banks and government buildings.

Sweden regards the state-level cyber threat from Russia as its most significant cyber security risk factor. The data breaches described above are part of cyber influencing, which is used to weaken trust in society and in the ability of business to protect its operations against cyberattacks. Swedish companies are also involved in developing high-level military technology, for example in fighter aircraft projects and telecommunications systems. Such activity faces a significant threat of cyber espionage, whose source may be, in addition to state actors, cybercriminal groups driven by commercial interests.

SOURCES:
Säkerhetspolisen: Cybersäkerhet i Sverige – Hot, metoder, brister och beroenden. https://www.sakerhetspolisen.se/download/18.f2735ce171767402ba202/1591164566288/Rapport-Cybersakerhet-Hot-Metoder-Brister.pdf
Årsrapport 2020, Blicken på en omvärld i förändring, FRA.
National Cyber Security Strategy (Skr. 2016/17:213), Ministry of Justice, Sweden.
https://www.sakerhetspolisen.se/ovrigt/pressrum/cybersakerhetscenter.html
https://www.forsvarsmakten.se/sv/var-verksamhet/det-har-gor-forsvarsmakten/cyberforsvar/
https://ccdcoe.org/news/2021/sweden-scored-highest-at-the-cyber-defence-exercise-locked-shields-2021/
https://www.svt.se/sport/idrott/rysk-cyberattack-for-att-svartmala-svenska-idrottare

2. CYBER SECURITY OF SMART BUILDINGS

1. The conditions, security and operation of buildings are increasingly controlled by means of information technology. Modern buildings contain numerous security and automation systems that are managed over internet connections. Connecting security and automation systems to the internet exposes them to cyberattacks.
2. In recent years numerous successful cyberattacks have been carried out against public buildings. The targets have included both the building itself and its automation systems, and the crippling of security systems to make intrusion into the building easier.
3. The information systems of the property owner and of the tenants together form a whole that is challenging for cyber security. The security of wireless smart devices intended for consumer use is not always at the same level as in professional-grade devices, which makes managing the overall security of the building more difficult.
4. Smart building systems are more networked and more open than those in industry. The best means of protection are hardening devices and systems and protecting the connections between devices with high-quality encryption methods.
5. Overall responsibility for cyber security must be brought under control already at the construction stage. Too often the parties involved in managing a building are not even aware of all the cyber vulnerabilities threatening it, which also makes the building's cyber protection harder.

Society and its basic structures are becoming networked rapidly. This has happened to buildings as well. Building owners want to reduce costs by optimising energy consumption. In addition, the comfort of the employees and customers spending time in a building is a competitive factor, and the conditions that support comfort are to be delivered optimally. The building is heated or cooled only when and where it is necessary. This functionality requires the use of ever more versatile heating and ventilation systems. The system's sensors communicate in real time and continuously receive control commands from the management system. Control is often implemented independently of location, which in practice means that the only cost-effective management connection has to be implemented over the internet.


The security of buildings is also managed and monitored by means of information technology. Doors open and close by means of electric locks, and the same system controls people's access to different parts of the building. People moving around the building are monitored by recording camera systems. The intrusion protection system raises an alarm if passageways are opened without authorisation, or if the system detects movement in the building when nobody should be there. Access control, camera surveillance and intrusion protection systems are increasingly offered as a cloud service instead of on local IT infrastructure.

According to the security company Kaspersky, 40% of smart buildings in the United Kingdom were the target of at least one cyberattack in 2019. Admittedly only a small proportion of the attempts succeed, and even these cases are reported only when the attack has caused significant damage or has targeted personal data. In 2018 the cooling systems of the cold storage for medicines at a Dutch pharmacy were disabled in a cyberattack carried out over the internet. The perpetrator was a former employee of the pharmacy who wanted revenge on the employer for treatment perceived as unjust. The attacker exploited a username and password still in their possession that had not been disabled when the employment ended. A couple of years earlier in Lappeenranta an apartment block went cold because of a denial-of-service attack on its heating system, and in Austria hotel guests were stuck in their rooms when a cyberattack had brought down the hotel's central door locking system.

Cyberattacks can also target smart buildings as part of other crime. Recording camera systems can be shut down with a denial-of-service attack, and the operation of access control and burglar alarm systems can be disrupted with malware planted on a server.
Once the security systems have been eliminated by means of a cyberattack, physical intrusion into the building becomes considerably easier. With security systems, and camera systems in particular, the purpose of a cyberattack may be espionage or the theft of personal data. In March this year a cyberattack on camera systems was widely reported in the United States, in which cybercriminals gained access to 150,000 surveillance cameras at various sites. The attack targeted the company maintaining the camera surveillance system, which gave access to a massive data store of recordings. The targets included numerous hospitals, schools and government agencies and, among private actors, for example Tesla's car factories. This recent case serves as a good example of the cyber threat facing smart buildings when security systems have been procured in a distributed manner as a cloud service.

Not all systems intended for managing a building's security and conditions are under the control of the property owner. A tenant in charge of part of the building may install their own systems in their area. Such systems are installed to meet the tenant's individual needs, such as controlling lighting, household appliances and comfort devices. The product development cycles of wireless smart devices intended for consumer use are fast, and getting products to market may require compromises on their security. According to a recent American study, about 100 million IoT sensors with a serious vulnerability threatening cyber security are currently in use on the market. Most of the vulnerable IoT sensors are installed in devices intended for consumer use.

Because the information systems of buildings are largely automation systems, it would be easy to think that their security is handled in the same way as in industrial automation systems. Building automation systems nevertheless differ from their industrial counterparts. Building systems are more networked than those in industry, and many systems are in continuous interaction with one another. For example, air conditioning, heating and lighting systems often communicate with each other to achieve optimal conditions. In addition, building systems operate in a more open environment than industrial systems. For example, the wireless local area networks used by a shopping centre's systems are within reach of numerous customers. The corresponding industrial networks are often in a closed factory area or building, to which a considerably narrower group of outsiders has physical access.

There are large differences in the cyber features of smart building security systems, and in this respect the first measure would be to choose a reliable hardware and software supplier. Particular attention should be paid to the quality of the encryption methods used for communication between devices.
Wireless links such as WLAN and especially Bluetooth allow insecure connections to be set up if the devices do not support sufficiently strong encryption or the protection features have been configured incorrectly. IoT devices often use default passwords printed on the device casing, which must be changed before deployment. User management for the devices' control systems and servers, and its processes, must be organised properly so that, for example, passwords are sufficiently strong and the systems contain only the necessary number of user accounts. All these are basic cyber security tasks which, in connection with building control, automation and security systems, are nevertheless regrettably often left without sufficient attention. Poorly protected servers are easy to break into, giving access to the system's user accounts and to weak passwords. According to various sources, in 2020 there were numerous cases on the Darknet in which usernames and passwords for building security systems were sold to criminals interested in them.

Several parties take part in the design, construction, commissioning and actual use of a building. Cyber security is involved at every stage through the various parties, with varying input and often without coordination. In addition, solutions affecting cyber security are implemented in parallel without assessing their interdependencies.

The design, tendering, installation, commissioning and maintenance of a smart building's IT solutions should be organised so that cyber security is considered as a single whole from the start of the smart building's life cycle. In this way the components of cyber security can be taken into account as a broad whole and high-quality cyber defence of smart buildings can be ensured.

SOURCES:
Krishnan & al. Security Considerations for IoT in Smart Buildings, 2017. IEEE International Conference on Computational Intelligence and Computing Research.
Santos & al. Leveraging Operational Technology and the Internet of Things to Attack Smart Buildings, 2019. Journal of Network and Computer Applications.
https://www.fmindustry.com/en/2020/best_practice/48770/Protecting-Smart-Buildings-from-Cyber-Attacks-smart-buildings-cyber-security-best-practice-Cyber-Security-Smart-Facilities.htm
https://www.cpomagazine.com/cyber-security/new-kaspersky-report-suggests-4-in-10-smart-buildings-at-risk-of-cyber-attack/
https://www.bbc.com/news/technology-56342525
https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams
https://www.wired.com/story/namewreck-iot-vulnerabilities-tcpip-millions-devices/

3. CYBER PROTECTION OF DRONES AND THEIR USE IN CYBERATTACKS

1. The use of drones is increasing rapidly, and ever more commercial or public administration services are delivered with them. As the use of drone systems increases, they become an attractive target for cybercriminals.
2. Drone systems are information systems and face the same cyber threats as other systems. Threats specific to drones are GPS signal spoofing, hijacking of the drone, and paralysing its operation by radio-frequency jamming.
3. Drones can also be used as a tool for cyberattacks. Drones can pose a particular threat to targets that are physically isolated and that use wireless networks or IoT technology.
4. Identifying drones will become easier from the beginning of 2023, when the remote identification system becomes mandatory. Thanks to the system, anyone can identify a drone flying in the air, and drones flying without an identifier are illegal. Restricting or preventing drone operations falls under aviation law and is possible only for the authorities.

The number of drones has grown rapidly both in Finland and worldwide. Under the new aviation regulations governing drone operations, drones and their operators must be registered by the local authority, which in Finland is Traficom. According to Traficom's estimate there are about 50,000 drones in Finland, of which about a tenth had been registered last year. The number of registrations is growing rapidly this year, since registration became mandatory for hobbyists as well from the start of the year. According to statistics there are about one million registered drones in the United States, about a third of which are in commercial use.

Drones can be used for numerous purposes, the most common being aerial photography and surveying services in various application areas. In addition, drones are currently used on a small scale for goods transport services. The authorities use drones for various surveillance and reconnaissance tasks. Purely recreational use is also a significant part of drone activity.

Under EU aviation regulations drones are divided into three categories. Most drones belong to the open category. Their weight including payload is at most 25 kg and their maximum flight altitude is 120 metres. Drones in the specific category are already considerably larger and are generally used for commercial transport services. The certified category corresponds in practice to the operations of an airline in manned aviation. Only drones weighing less than 250 grams fall outside the categories and are exempt from registration.

The more important the position drones attain in commercial or public administration applications, the more attractive a target drone systems become in the eyes of a cyberattacker. In the future drones may even be part of critical infrastructure if, for example, transport that is important for security of supply is carried out by drone services.

As a concept, the drone has expanded from a single model aircraft into a system of flying devices. The old term UAV, Unmanned Aerial Vehicle, is nowadays officially UAS, Unmanned Aerial System. Because drone systems are in practice flying wireless information systems, they are subject to the same cyber threats as other wireless information systems. Drone systems can be broken into, a drone can be hijacked in the middle of a flight mission, the systems can be paralysed with a denial-of-service attack or with malware, and the system can be misled by altering the position data in use by means of a GPS spoofing attack.

The vulnerabilities of a drone system are usually analysed using the so-called STRIDE method (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privileges). The most common attack on drone systems is spoofing. In it, false GPS data is fed to the system, so that the drone flies to the wrong place or follows the wrong route. A spoofing attack can also be used to hijack a drone during flight. The second most common is a denial-of-service attack, for example by jamming the radio signal between the control system and the flying devices, which paralyses the operation of the drone system.

As with other information systems, manufacturers of drone systems are continuously developing methods to counter cyberattacks.
Control links are protected with strong encryption and authentication, when the link is lost the drone is able to fly back to its starting point, and cryptographic algorithms are used to verify the authenticity of the GPS signal. In addition, wireless control links are implemented with frequency hopping instead of spot frequencies, which makes them more tolerant of radio-frequency interference.

In the cyber security of drone swarms, precise positioning technology is emphasised because the drones fly in the same formation close to one another. In a swarm the positioning accuracy requirement is at least of the order of centimetres, and instead of a single drone the base station must be in contact with the IoT sensors of tens or even hundreds of drones. The accuracy requirement and the volume of data traffic make positioning a key risk factor for drone swarms, one that also interests a potential cyberattacker. The Swiss technology company U-blox, which also has product development operations in Finland, has patented technology that makes use of different positioning techniques for use by drone swarms. According to the company, the solutions also use advanced technology to prevent jamming and the falsification of positioning data.

Drones can also be used for cyberattacks. The drone in itself is not really a new cyber threat; rather, it provides an easily movable platform for the actual cyberattack tool. The greatest benefit of drones is therefore in situations where the success of a cyberattack requires a physically short distance to the target. This is the case particularly with wireless networks installed, for example, at power plants, military bases or industrial production facilities, whose grounds are often fenced and where physical access close to the target is otherwise difficult. A drone can be used to reconnoitre the wireless networks in the area, to paralyse the networks with a jamming device placed on the drone, or to set up a rogue base station in the network that eavesdrops on the network's traffic. In addition, the aerial imaging capability of drones can be used to identify the target's vulnerabilities or to plan a later physical intrusion.

Another area of use is bringing various sensors into the vicinity of the target. A drone can, for example, bring a small computer intended for cyber espionage to a wireless network and retrieve it when the espionage ends. Devices made for this purpose, built on Raspberry Pi technology, are sold on the black market. In addition, a drone can bring external IoT sensors into sites using industrial automation, the purpose of which is to collect data from the target area through Bluetooth and RFID interfaces, or to use the sensors for a cyberattack. For example, a smartphone can be attacked through a Bluetooth sensor instead of a conventional network connection. Drones have also been used to identify people by means of facial recognition software placed in the drone's camera system. Barcodes and QR codes can also be read in an isolated environment when the reader can be brought close enough to the target by drone.
Several different methods have been developed for detecting and countering unauthorised drones. In addition to visual and audible observation, drones can be detected by monitoring radio-frequency control traffic or by radar surveillance. Anyone may listen to radio frequencies, but distinguishing drone control traffic from other radio-frequency emissions requires deep professional skill or dedicated hobbyist experience. A mandatory remote identification system for identifying drones is coming from the beginning of 2023. In it the drone continuously transmits its own identifier, which anyone can read with a suitable antenna and a smartphone application. The feature can technically be removed, but then the drone becomes illegal in the same way as if the registration plates were taken off a car.

There are numerous means of countering unauthorised drones, but as a rule influencing the movement of drones and countering them is an activity governed by aviation law, which is permitted only to the authorities in separately defined situations. One should therefore not set about restricting or preventing a drone's flight on one's own initiative. The most common method of restricting the mobility of drones is electronic fencing of an area, or geofencing. By decision of the authorities, flight operations can be restricted, for example, in the protection zones of authorities, health care or industry, which are programmed into the drones' control systems so that they do not fly into restricted areas. This restriction too can be illegally removed by making changes to the drone system. The authorities can in addition use counter-drone systems with which a drone's operation can be paralysed and the drone brought down if necessary. For military use even heavier counter-drone systems have been made, with which individual drones and also large drone swarms can be destroyed.

SOURCES:
https://www.droneinfo.fi/fi
https://www.faa.gov/uas/resources/by_the_numbers/
https://www.forbes.com/sites/forbestechcouncil/2021/02/25/cybersecurity-and-dronesa-threat-from-above/
https://www.army.mil/article/224284/new_cyber_enabled_system_provides_a_key_countermeasure_to_drone_threats
https://www.kaspersky.com/resource-center/threats/can-drones-be-hacked
https://www.u-blox.com/en/casestudies/drone-navigation-high-precision-rtk-gnss-technology
Vuorenmaa, T. Luvattomien dronejen torjunta. Tampereen yliopisto, 2019.
Ly, B. & Ly, R. Cybersecurity in unmanned aerial vehicles. Journal of Cyber Security Technology, 5:2 (120-137), 2021.
Best, K. et al. How to analyze the cyber threat from drones. RAND Corporation, 2020.

4. COOPERATION BETWEEN STATES AND CYBER PROXIES

1. States use proxies mainly for offensive activity. A proxy makes it possible to conceal the origin of the activity, and it may in some respects have better know-how for carrying out an attack than the state's own cyber forces.
2. Cybercriminals have been used as proxies especially in corrupt countries. Besides criminals, national defence organisations and companies can also act as proxies. The use of so-called legal proxies will increase in the future, especially in Western countries.
3. The use of proxies in cyber influence operations will become more professional in the future, and a private-sector subcontractor network will form around the activity. The use of legal proxies should be taken into account in the cybersecurity strategy, and principles and objectives should be established for the activity.

States have for centuries used various proxies in different areas of warfare. Non-state proxies can be divided roughly into two classes. The first class represents the more traditional use case and comprises mercenaries who take part directly in operations, in which case the military action is carried out by a private military group instead of the state's army. The second class comprises groups that operate in the target state, usually seeking a change in the social order or a revolution, and that receive external support from states opposed to the current government. Activity of the latter kind was particularly lively during the Cold War in the second half of the 1990s, and it has seen a resurgence in the 2000s as one form of hybrid influence.

States use proxies especially to carry out offensive cyber operations. There are two key reasons for using proxies. The first is the exploitation of the so-called attribution problem. The traces of a cyberattack are fairly easy to cover so that, even when suspicion about the perpetrator is strong, the connection cannot be proven conclusively. The attribution problem shelters hybrid influence carried out by means of cyberattacks, in which at least partial concealment of the origin of the activity is essential. An unclear situation gives the hybrid actor a head start for carrying out other actions. The second reason is the know-how needed for the attack, which the state's own cyber forces do not necessarily possess to the same degree as proxies. Many states have succeeded in recruiting top-class experts into their cyber forces, but a significant share of the know-how is found in the private sector. An entire cyberattack and all its phases can be commissioned from a proxy, or, for example, only the installation of malware in the target system, after which the client plans and carries out the subsequent phases of the attack. At present proxies are used primarily for one-off precision strikes in situations where the activity is to be at least partly concealed and suitable expertise is more readily available from a proxy than from the state's own personnel.

Because of the offensive nature of the activity, the use of proxies has until now been regarded as purely criminal, or at the very least reprehensible. Cyber influence has nevertheless become an everyday phenomenon between states, one that every cyber great power practises against other states. Attempts have recently been made to create common rules for cyber influence. The first concrete signs of this were seen in June at the meeting of the presidents of Russia and the United States, where Biden presented Putin with a list of targets at which Russia is not permitted to direct cyberattacks.

The definition of a proxy in cyber influence has broadened recently. According to the American cyber researcher Tim Maurer, a proxy is not necessarily a criminal group; it can also be, for example, a paramilitary organisation or a permanent or temporary group of experts formed from university students. The primary motive of these groups for serving their country as a cyber proxy is not financial; the reasons are more ideological. India, China and Pakistan in particular have used proxies of this type in their operations. The UN human rights unit (UN Human Rights) sees the use of cyber proxies expanding to defensive activity as well. An example of this is Kaitseliit, the national defence organisation of our southern neighbour Estonia, and its cyber unit.
Kaitseliit's cyber unit came into being after the powerful availability attack carried out by Russia in 2007, and its main objective is to protect Estonia's critical infrastructure from cyberattacks. Volunteer organisations like Kaitseliit exist in numerous countries, and their use for cyber activity is also growing.

Maurer classifies the relationship between states and proxies into three categories. In a delegation relationship, the proxy is under tight state control and support for the activity comes mainly from the state. Delegation relationships are used especially in Western countries, where the cooperation resembles ordinary subcontracting. The proxy then receives an agreed fee for the actions it performs. Proxies operating in a delegation relationship are usually legal cybersecurity companies that do not necessarily have an ideological relationship with the commissioning state. Orchestration means coordinating the activity of one or more loosely organised proxies, in which case the state does not give precise instructions for the task; the vision and goals of the activity are agreed at a general level. The paramilitary groups and the use of students mentioned earlier are examples of orchestration. In this case the state and the proxy usually also share a common ideological background. The third form of proxy relationship, sanctioning, is used only in the case of cybercriminals. In it the state gives the proxy freedom for its criminal activity if the proxy does favours for the state in return. The state thus, in a sense, turns a blind eye to the crimes committed by the proxy if they stay within previously agreed limits, and it may also partly finance the proxy's activity directly. This kind of proxy relationship has been common in, for example, Russia and North Korea.

The use of proxies in cyber influence is developing to become more professional, and a private-sector subcontractor network will form around the activity. The relationship formed between state and proxy will most often be a delegation relationship, and the proxy will more and more often be a private, legal company rather than cybercriminals. The share of paramilitary and other ideological groups among proxies will remain as it is or grow slightly. In addition to traditional shooting exercises, national defence organisations arrange cyberwar exercises and systematically develop their expertise in this area.

Legal proxies can significantly strengthen states' cyber capabilities if they are used systematically as part of other cyber activity. Cyber influence is the only domain of warfare in which proxies may in some respects have better performance than the armed forces themselves. A proxy should be understood broadly as part of the authorities' subcontracting network, and not only as cooperation with criminal groups. The appropriate use of proxies must also be possible in states governed by the rule of law without links to criminal groups. For this reason, principles for using proxies in cyber influence should also be written into the next cybersecurity strategies.

SOURCES:
Maurer, T. Cyber Mercenaries – The State, Hackers and Power. 2018.
Swed, O. & Burland, D. Cyber Mercenaries: Review of the Cyber and Intelligence PMSC Market. United Nations Human Rights. 2021.
https://www.reuters.com/technology/biden-tells-putin-certain-cyber-attacks-should-be-off-limits-2021-06-16/



RUSSIA'S ELECTRONIC WARFARE CAPABILITY IS GROWING

1. In accordance with Russia's military doctrine, the armed forces seek superiority in all dimensions of warfare, and in the information dimension of the battlefield it is sought specifically by means of electronic warfare.
2. The core elements of electronic warfare include electronic jamming and electronic protection, in which the targets of influence are the electromagnetic field (radio waves) and electronic devices and systems.
3. In addition to ground-based systems, Russia is developing space-based electronic warfare capability. The aim is the ability to jam any individual target anywhere in the world, and also in space.
4. When comparing Russian and Western assessments of the effectiveness of Russia's electronic warfare systems in the fighting in various crisis hotspots, it is worth remembering that it is in Russia's interest to claim maximum performance and thereby create the deterrent effect it wants.

Electronic warfare by the Russian armed forces is still often perceived as straightforward jamming of communications links, and even then frequently as jamming of tactical-level communications in particular. With the development of information and communications technology, however, the potential of electronic warfare has risen significantly, and Russia has clearly invested in it. In 2017 the commander of Russia's electronic warfare troops, Major General Yuri Lastochkin, gave an interview in which he assessed that information and telecommunications devices had developed into a new battlefield. With this statement he refers to the new information space created by smartphones, tablets, and SIM cards and Wi-Fi base stations connected to computers.

Interestingly, the development of Russia's electronic warfare is linked to the development of cyberwarfare. Officially, cyber troops did not exist until the Russian Minister of Defence unexpectedly acknowledged their existence in February 2017. Following Lastochkin's interview, the effect of an electronic warfare strike began to be compared in Russia to the effects of a precision-weapon strike. This comparison illustrates well the difference in scale between electronic warfare and cyberwarfare in Russian thinking. Whereas an electronic warfare strike can decide a battle, a cyberwarfare strike can decide the entire war. In Russia, several writings, including authoritative ones, envisage a cyber strike achieving the destructive effect of a nuclear strike.

In accordance with Russia's military doctrine, the armed forces seek superiority in all dimensions of warfare, and in the information dimension of the battlefield it is sought specifically by means of electronic warfare. Western experts now assess that within the next few years the Russian armed forces would be able to block all of the enemy's civilian, military and satellite communications in the combat area, as well as the use of positioning systems.

The cornerstone of any examination of Russian electronic warfare is its official definition, found on the website of the Russian General Staff. According to it, electronic warfare means 1) influencing the enemy's command, communications and reconnaissance systems with electronic radiation (electronic jamming), with the aim of changing the quality of the information moving in those systems; 2) protecting one's own systems from corresponding enemy actions; and 3) changing the propagation conditions of radio waves (environmental conditions).

The core elements of electronic warfare include electronic jamming and electronic protection, in which the targets of influence are the electromagnetic field (radio waves) and electronic devices and systems. Radio jamming can be carried out with active or passive devices. The former include devices that produce electronic radiation, such as radio or jamming transmitters. The latter include devices that reflect (re-radiate) radiation, such as dipole or corner reflectors.
Modern electronic warfare comprises the measures and activity needed for 1) degrading the command of enemy forces and the operation of enemy weapon systems; 2) maintaining the command of one's own forces and the effective use of one's own weapon systems. To achieve these objectives, one must 1) throw into chaos the command and control systems and the communications and reconnaissance systems related to the enemy's command and weapon systems by changing the quality of the information moving in them, the speed of information processes, and the parameters and characteristics of electronic devices; 2) protect one's own command, communications and reconnaissance systems from being thrown into chaos, and protect information on the operation of weapons, equipment, military sites and forces from the enemy's technical reconnaissance, thereby guaranteeing the qualitative requirements for information and information processes demanded by the automated command system and the communications and reconnaissance systems, and guaranteeing that the characteristics of electronic devices are preserved.

In electronic warfare, throwing the enemy's systems into chaos is carried out according to a detailed plan prepared in advance, by directing a suitable type of radiation at the enemy's electronic devices and at the channels transmitting and receiving information, and by directing special technical and software measures (malware) at the enemy's computers. This can be done in the traditional way by jamming to prevent command posts and electronic devices from receiving information, but also by delaying the receipt of information, producing false information, causing information outages, corrupting databases and destroying information. The last of these can be done by destroying the electronic circuits of devices that emit radio waves, or by using special programs that affect software and databases.

One's own command, communications and reconnaissance systems are protected from corresponding enemy actions and from interference unintentionally caused by one's own systems. Necessary information is protected by concealing one's own sites and/or deceiving the enemy about their true nature.

The targets of electronic warfare include information-bearing carrier waves (the various waveforms and the frequencies they use), the frequency bands they use, and electronic devices and systems. For this reason electronic warfare is an essential part of information warfare. Command and control systems are still main targets, but their order of priority has changed. In an interview given in April 2021, Lastochkin specifically identifies countering precision-weapon systems as the most important task of electronic warfare and does not mention operational command and control systems at all. Undoubtedly they are still next in the order of priority. He nevertheless emphasised the importance of countering precision weapons, because their use is emphasised in the doctrines of potential adversaries. In line with this new policy, most of the new electronic warfare systems are thus aimed at countering the precision weapons of potential adversaries.

SOURCES
Wihersaari, Juha. 17.6.2021. An overview of Russia's electronic warfare. The overview is published in full in Cyberwatch Finland magazine 3/2021.


Lastochkin's definition does not differ in substance from the General Staff's definition; it only refines it. The requirement to counter precision weapons clearly stems from the "Active Defence" strategy launched in spring 2019 by the Chief of the General Staff, General Valeri Gerasimov, at the core of which is the effort to counter the increased threat of the enemy's precision weapons. Electronic destruction is also a new formulation, one that covers the use of an EMP weapon as well.

Warfare is currently spoken of in terms of five dimensions. In addition to the traditional land, sea and air dimensions there is, of course, the information dimension, in which Russia seeks a dominant position on the battlefield. The fifth dimension is space, which has for decades hosted communications and reconnaissance satellites supporting military activity but, by common agreement, no military activity. Russia has clearly begun to seek military superiority in space. In addition to ground-based systems, Russia is developing space-based electronic warfare capability. In this connection Major General Lastochkin spoke in 2018 of Russia's ability to jam any individual target anywhere in the world, and also in space. Jamming tasks near the border succeed well from the ground or from an unmanned aircraft, but a global jamming capability can be achieved only from space.

In addition to the threat of electronic warfare against satellites, a report by the United States' national EMP task force (EMP Task Force on National and Homeland Security), completed in January 2021, assesses that Russia would also have an EMP weapon, launched into space by missile, that can destroy all electronics across most of the United States, i.e. black it out completely. If the traditional combat area is extended to cover the adversary's entire territory, this weapon too belongs to electronic warfare. On the other hand, defined by the scale of the strike, it would be a cyber strike.

In Russia, electronic warfare has been raised to an element on a par with kinetic effects, and in some respects even ahead of them. On the battlefield, electronic warfare has been established as the foundation of information warfare, and if the "conquest of space" succeeds, Russia will probably seek to develop it into a global offensive capability comparable to cyberwarfare.


Taking care of cyber and digital security is part of a company's responsible conduct. Company management has identified cybercrime as one of the biggest factors threatening business development. By developing cybersecurity competence and raising awareness, it is possible to turn a world of threats into a world of opportunities. The keys to success are found in understanding, knowledge and effective leadership.

Why must management and management teams understand the significance of cybersecurity in order to be able to lead their company through future challenges?
• To improve competitiveness and crisis resilience
• To reduce risks
• To create capability for better leadership in a digitalising operating environment

Accurate and reliable information about events in the cyber world and their knock-on effects creates the right kind of strategic situational picture, which forms a solid foundation for cybersecurity. The constantly changing world of cybersecurity requires continuous development of skills. A better situational picture and training help organisations prepare for and protect themselves against constantly changing cyber and hybrid threats. Cybersecurity training is no longer a necessary evil. It is an essential part of every organisation's strategy for securing the company's future.

COMPANY MANAGEMENT GETS ITS OWN CYBERSECURITY QUALIFICATION
Management teams and supervisors of companies will get their first national cyber training programme in the autumn, when the new programme of Cyberwatch Finland and Management Institute of Finland MIF Oy starts in October 2021.

The main objective of the training is to increase company management's understanding of their organisation's current cybersecurity readiness and challenges, and to draw up practical plans for minimising future cyber threats. During the training you will learn the basics of cybersecurity and its effects on your business environment. We explain where cybersecurity comes from and what cyber leadership is, how cybersecurity is brought into the company's business strategy, and how cyber hygiene and a cyber culture that motivates staff build better overall security. We explain why timely communication with the right content is at the centre of everything in a crisis. One reason a gap arises between management and information security experts is the lack of a common language, common goals and jointly agreed metrics.

We explain how cyber risk management lets you determine which vulnerabilities your company faces and how to protect yourself against today's attacks. We explain what management and management teams should know to ask and demand of their information security experts. We explain how cyber capability is built and how all the lessons are turned into working practices. Gain more knowledge to support the integration of cybersecurity into your business environment.

Who is the qualification in leadership and business management suitable for?
The Specialist Vocational Qualification in Leadership and Business Management / Cyber Master suits people who are in a position to decide on and/or develop the organisation's information security and to take ideas forward for application. The training is intended primarily for people working in the organisation's management team.

Specialist vocational qualification
During the training, participants complete the Specialist Vocational Qualification in Leadership and Business Management. Through the qualification, the lessons of the training are put directly into practice.

Schedule
Duration: 12.10.2021–31.12.2022
Location: Helsinki (Koulutuskampus) and online training
The application period is open and continues until 26.9.2021.
Price: The training can be carried out as apprenticeship training, in which case the student fee is determined by the practice of the training provider in each region. MIF helps with applying for apprenticeship contracts.

Further information about the course
Qualification and other practical questions: Anders Starck, anders.starck@mif.fi, tel. 040 504 4446
Questions about the cyber content: Pertti Jalasvirta, pertti@cyberwatchfinland.fi, tel. 0400 556 724
Questions about apprenticeship contracts: Päivikki Romero-Gotor, paivikki.romero@mif.fi, tel. 041 466 6059



Today’s continuing increase in the use of digital technologies has made cybersecurity innovation one of the most important elements of all businesses. This upward trend is unlikely to change. Solving today’s problems is not enough, and therefore it is now a perfect moment to look to the future.

13:00 Madam Ambassador Hagit Ben-Yaakov – Opening remarks
13:05 Aapo Cederberg – Opening remarks and the introductions of the speakers
13:15 Keynote 1: Dr. Dalit Ken-Dror Feldman – The social and legal implications of cyber innovation: Deep fake as a case study
13:30 Panel Discussion: Cyber innovations and Deep fake – fun and scary at the same time. Panelists: Mr. Rami Efrati, Dr. Martti Lehto, Mr. Kimmo Rousku
13:50 Keynote 2: Mr. Gilad Goldshtein – Future Cyber Challenges and Solutions, Rafael – Advanced defence systems Ltd
14:10 Panel Discussion: The next generation cyber defence. Panelists: Mr. Rami Efrati, Dr. Martti Lehto, Mr. Kimmo Rousku
14:30 Aapo Cederberg concluding remarks


Hellenberg International has a 25-year record in assisting public and private clients in critical infrastructure protection and crisis management related projects. Our senior team has been contracted by the European Commission (DG Home Affairs, DG Enterprise, DG ECHO etc.), the United Nations, the Ministry of Defence of Finland and NATO.

We have been serving major international corporations such as AVSECO, SAAB, MTR, Airbus, Finnair and Siemens. We have been interacting with the US State Department, the US Ministry of Energy, Rosatom, the Singapore Civil Defence Force and many others.

www.hellenberg.org

Your employees can stop 99% of all online attacks

Make them your strongest link
https://hygiene.badrap.io/watch/


We think cyber. We talk business. We provide security.

Gain transparency on your IT and OT/ICS security

MSFPartners.com assessment approach

The Cybersecurity Maturity Assessment makes cybersecurity measurable – not only for today (static), but over time (dynamic).

Red Team Attack • What is it? Practical security test from an attacker’s point of view: Real-life test of how far an attacker would get in the current cybersecurity environment. • What does it test? Effectiveness and responsiveness of security measures (technology, processes and staff).

Security Maturity Assessment • What is it? Interview-based and holistic assessment of the security posture, usually based on a cybersecurity framework. • What does it test? Governance, risk management, organisation, roles & responsibilities, processes, technical cybersecurity measures and tools.

Holistic Security Assessment

Vulnerability Scan • What is it? Automated scan of the computer environment for known weaknesses (i.e. security holes). • What does it test? Infrastructure, network and applications. Scan is being done from inside of the company.

Breach Assessment • What is it? Real-life detection of successful hacking activities. Verify whether attackers have already got a foothold in the company. • What does it test? Scan for both traces of previous attacks and current suspicious network traffic with the help of software sensors.

© MSFPartners 2020

Our well-structured and tailored security maturity assessment for IT and OT/ICS will not only reveal the cybersecurity gaps to be addressed, but also deliver detailed recommendations on how to sustainably improve the security controls.

Work package: Risk- & Threat Analysis
Actions:
• Analyse crown jewels from a business point of view
• Analyse threat actors & potential impact on the enterprise
Deliverables:
• Report
• Workshop with Senior Management

Work package: Assessment
Actions:
• Review of existing policies, controls and processes
• Interviews with key staff
Deliverables:
• Report
• Workshop with Senior Management

Work package: Definition & prioritisation of measures
Actions:
• Analysis of all findings
• Compile prioritized action list (recommendations)
Deliverables:
• Report
• Workshop with Senior Management

Work package: Remediation program
Actions:
• Work out actionable remediation program with company’s key resources
Deliverables:
• Program and project plans
• Required resources (financials & staff)

www.msfpartners.com


When Excel isn't enough anymore!

4Ks ERM - software for comprehensive and centralized risk management.

4Ks toimisto@4ks.fi

www.4ks.fi


CYBER SECURITY NORDIC

12–13 Oct 2021

Messukeskus Helsinki Finland

IDENTIFY GROWTH OPPORTUNITIES AND IMPROVE COMPETITIVENESS Cyber Security Nordic solves digital challenges for companies and administrations by studying the new normal of digital security with keynote speeches, case examples and discussions. The event to attend for top executives, leading decision-makers and government officials. Meet, network and learn. Organized now for the first time as a hybrid event, CSN21 provides the possibility to participate on site at Messukeskus or online. Event program to be released soon. Stay tuned! cybersecuritynordic.com


