Finland has established a national organisation to appraise domestic communications network security concerns and evaluate vulnerabilities to attacks from the cyber domain.
The Network Security Advisory Board (NSAB) will engage with state agencies, corporations and municipalities as a national resource for those that require external expertise to improve network security and bolster defences against cyber threats. It will offer state and municipal organisations the capacity to implement improved security, integrate security technologies, and better monitor cyber risks and threats to communications networks.
It was launched with a specific timeframe and mission which includes addressing key cyber security issues identified by the Finnish government, and is set to conclude in June 2022. The NSAB’s activation followed on from the ratification of the Finnish Act on Electronic Communications Services, which became law in January 2021.
“In forming the NSAB, our objective is to strengthen the broad social importance of cyber security and cooperation across important sectors,” said Timo Harakka, Finland’s transport and communications minister. “The prerequisite for economic success is national security, and Finland’s advanced approach continues to attract widespread international interest.”
For Finland, the establishment of the NSAB is in direct response to the European Union’s joint risk assessment report on the security of 5G networks (JRAR-5GN) published in October 2019. The coordinated joint risk initiative was launched during Finland’s rotating six-month presidency of the Council of the European Union, which ended on 31 December 2019.
The JRAR-5GN was endorsed by member states, the European Commission (EC) and the European Agency for Cybersecurity. The EU 27-backed project represented the completion of a major step in the EC’s push for a common EU approach to improved cyber defence strategies and the security of 5G networks.
Private sector input in the NSAB is reflected in its board and backers. These include telecommunications companies Elisa, Telia Finland and DNA, along with the Finnish Federation for Communications and Teleinformatics (FiCom), which functions as the main lobbying organisation for the ICT industry in Finland.
The core membership of the NSAB comprises representatives from the foreign affairs, transport and communications, defence, interior, economic affairs, and finance ministries. Officials from Suomen Erillisverkot and the Finnish security and intelligence service SUPO also sit on the NSAB. Suomen Erillisverkot operates as the Finnish State’s primary supplier of ICT and network security services to public authorities.
The timing of the roll-out of the NSAB was influenced by a current EU Commission proposal to update the Network and Information Systems Security Directive (NIS Directive). This aims to strengthen the range and scope of cyber security and data protection tools available to member states in a changing cyber environment.
A central feature of the NIS Directive is to encourage EU organisations and member states to develop their national cyber security capabilities, preparedness and risk management systems. This scaling-up of risk, threat and defence capacities is taking place against the backdrop of a sharp rise in ever-more sophisticated attacks on critical IT and digital networks from the cyber domain.
The NIS Directive incorporates a deepening in cooperation and harmonisation of processes and rules, reporting, and information exchange across the EU’s 27 member states. The heightened levels of cross-border collaboration envisaged in the NIS Directive involve shared obligations coupled with common regulations, approaches and practices in support of national cyber security strategies.
Nordic governments, especially since 2018, have urged the EU to deliver the NIS Directive under a clear regulatory framework that enables member countries to effectively deal with prevailing and next-generation cyber security risks and threats using robust cross-border collaborative mechanisms.
Constructive actions
Constructive actions, whether implemented at an EU or national government level, are key to building and operating IT networks with a greater deal of cyber security efficacy, said Kalle Luukkainen, director general of Finland’s National Cyber Security Centre.
“From our perspective it would be valuable to involve the top management in more companies in securing their IT network operations,” said Luukkainen. “In practical situations, operating models extend across organisational boundaries in a partner network. In Finland, we have networked exceptionally well with organisations and people on cyber security issues.”
During its EU Presidency, Finland advocated for the development of more efficient reporting and an exchange of information systems to better manage risks, threats and attacks from bad actors in the cyber domain targeting critical public and private IT networks.
The Finnish government also championed closer cooperation on cyber security between EU 27 states, in addition to backing new powers that would allow law enforcement agencies to obtain information on cyber security breaches linked with criminal activities.
New measures to reinforce the implementation of Finland’s Digital Society Project are underway. The government has released increased capital investment funding to boost information security and develop the foundations for a fully functioning digital society.