For several years now many countries have increasingly come to see cyber-espionage as both a serious economic issue and a national security threat. The latest US intelligence threat assessment ranks foreign cyber-attacks as the top threat. Even if the exact financial impact of cyber-espionage is hard to know, we estimate that it is strategic to the national economy and power in many western countries. Business is unable to defend its valuable information from sophisticated and large-scale cyber-espionage. The breach of Sony Pictures Entertainment is the most recent example – and more are expected. Cyber-space has blurred the roles and relationships between the public and private sector.
But how can a free country protect its business sector from cyber-espionage, while maintaining freedom, prosperity and the rule of law?
Israel and Finland are two small democracies with high levels of research and development expenditure, strong technological know-how and exceptional public-private-partnerships. Their governments recognise the severe conceptual, political, ethical, legal and financial challenges of national cyber-security, but do tackle the issues.
The Israeli government has enforced its Critical Infrastructure Protection arrangement since 2002, a policy in which both private and public entities share responsibility to implement tailored professional cyber-security requirements. However, as cyber-space expanded, the majority of the society and economy were left unattended. The 2010 National Cyber Initiative review resulted in the current Israeli cyber strategy. National rather than sectorial cyber-security is now the Israeli focus, with major policy and organisational changes currently in motion.
In February this year the government adopted a new arrangement for cyber-defence of the civilian sector and established the new National Cyber Security Authority to defend the civilian sphere. The NCSA architecture is minimising the tensions between the situational awareness needs and basic freedom concerns such as privacy, to enhance its national cyber-security efforts. The democratic legislative process is used to better integrate the capabilities of the intelligence community with public open sources into the national effort and will complement technical efforts to reach feasible national cybersecurity.
In the Finnish model for a cyber-secured society, the role of the government has been given considerable emphasis to guarantee the development of a favorable atmosphere through infrastructure, legislation, and accessibility for all. Finland has a very long tradition of public-private partnerships, and a comprehensive approach to security is also being applied to cyber-security. The arrangements of comprehensive security are defined in a Government resolution which defines the principles of ensuring the vital functions, such as the population's income security and capacity to function as a society.
The Cyber Security Strategy process (a strategy and implementation programme with 74 items) is an element in the implementation of the Security Strategy for Society. Cyber security arrangements in Finland follow the division of duties between the authorities, businesses and organisations, in accordance with statutes and agreed cooperation arrangements. Finland has created a special detection and alert system between government and private companies to increase cyber-awareness and better tackle cyber-espionage. Via this system the Finnish National Cyber Security Centre last year issued more than 600 red alerts which flagged malware targeting the nation's most critical companies.
Designing cooperation between the government and privately owned corporations remains a major challenge. There are five main guidelines that Israel and Finland believe they can give other nations based on their experience.
Cyber-espionage is a strategic issue since information is the most valuable asset in modern nations. A nation can lose its national economic, political and military competitive advantage if critical information is stolen. Governments must put cyber-espionage at the top of their security agenda and make clear policies as to how they treat the issue nationally and internationally.
The democratic policy-making process is the only acceptable way to balance national cyber-security with basic freedoms in an open society. Governments should use open and monitored legislation when creating the guidelines for preventing cyber-espionage with concrete measures.
The market and IT-security industry have crucial roles in defending against cyber-espionage – but cannot succeed on their own. The government must protect private companies against cyber-espionage, and by doing that openly it will raise cyber-deterrence against spies.
Strong, agile and sincere public-private partnership helps achieve the situational awareness necessary to tackle cyber-espionage. Relaxing legal obstacles reinforces information sharing, within the country and with friendly nations. Tackling cyber-espionage is a model example of the importance of the comprehensive security approach. Each actor, whether an individual, a business or an administration, is responsible for its preparedness against cyber-espionage.
The human is the strongest link in cyber-security when they know what to do; smaller countries can be “giants” in the cyber-domain. Interdisciplinary education for the cyber-security workforce is the key to innovative approaches and solutions which are vital to prevent sophisticated cyber-espionage.
The main duty of a nation state is to provide security and welfare to its citizens. In order to provide security the nation must have a credible policy and actions against cyber-espionage. The United States and other countries could look closer at the experience of Israel and Finland for inspiration.
Contributed by Lior Tabansky, Department of Political Science and the Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University, Israel
Jarno Limnéll, Professor of cyber security, Aalto University, Finland