Finland cyber security vision is that (a) vital functions of society are protected against cyber threat in all situations, (b) citizens, authorities & businesses can use & benefit from a secure cyber environment and (c) Finland will be a global forerunner in cyber security at 2016.
I tweeted about five minute cyber strategy a while ago. With that I mean guidelines any security professional worth his salt would suggest in five minutes: better situational awareness, better public-private-partnership, cyber incident handling capability, more education and research.
Finland cyber security strategy has the following 10 guidelines:
- Create an efficient collaborative model between the authorities and other actors for the purpose of advancing national cyber security and cyber defence.
- Improve comprehensive cyber security situation awareness among the key actors that participate in securing the vital functions of society.
- Maintain and improve the abilities of businesses and organisations critical to the vital functions of society as regards detecting and repelling cyber threats and disturbances that jeopardise any vital function and their recovery capabilities as part of the continuity management of the business community.
- Make certain that the police have sufficient capabilities to prevent,expose and solve cybercrime.
- The Finnish Defence Forces will create a comprehensive cyber defence capability for their statutory tasks.
- Strengthen national cyber security through active and efficient participation in the activities of international organisations and collaborative fora that are critical to cyber security.
- Improve the cyber expertise and awareness of all societal actors.
- Secure the preconditions for the implementation of effective cyber security measures through national legislation.
- Assign cyber security related tasks, service models and common cyber security management standards to the authorities and actors in the business community.
- The implementation of the Strategy and its completion will be monitored.
This is a good start, but I must say I expected more and not least because of long time used for the strategy creation.
Few things I would have liked to see in the strategy:
- Linkage between information security, IT security and cyber security. It would help to demystify cyber security and help to understand that we have lots of know-how and expertise already.
- Concrete goals and action plan. Now the strategy has too high-level suggestions and actions will be defined separately. It will take even more time to start the real work. Also metrics to measure progress and success is yet to be defined.
- Stronger business involvement. The strategy workgroup consisted mostly of authorities and had only a minor business representation. Everyone admits that most of the critical infrastructure is in the hands of private businesses, but still the strategy seems to focus on Government functions.
- Collaboration between authorities and businesses must be two-way. Traditionally authorities expect information flow from businesses to authorities, but it's equally important for businesses to understand the full situational picture.
- Government security and preparedness responsibilities are scattered around different ministries. It would have been great to see a change where one ministry would be responsible of cyber security.
The strategy originally had two parts. The first part is the actual strategy and recommendations, the second part has background information and explanations. Only the first part is officially accepted and the second part didn't get the official status. Reason being (according to news) that the background document suggest a need of "offensive cyber capabilities" and that raised some concerns.
There certainly has been lots of talk and speculation around national cyber security strategy. Expectations were high and I'm sure we will see lots of comments, articles & blogs analyzing the strategy.
As always with security, it's a business enabler. Cyber security is not an exception. We absolutely need security measures and awareness in order to use cyber environment safely.
There's a long road ahead to make the vision to come true. We should start with demystifying cyber security.
[Added strategy word cloud 24.1.13.]
There's a long road ahead to make the vision to come true. We should start with demystifying cyber security.
[Added strategy word cloud 24.1.13.]
[Added 25.1.13]
The second part of strategy document - so called background memo - is now published. Unfortunately in Finnish only. My original comment about offensive capabilities were based on draft document and newspaper articles about approval process. That part of text was changed and now it only mentions cyber capabilities in general. I changed my original text based on this.
[Added 26.1.13]
Here are for my Finnish-speaking readers links to word clouds of Finnish version of the cyber strategy and the strategy background memo.
