Implementation Programme for Finland’s Cyber Security Strategy for 2017–2020


Suomen kyberturvallisuusstrategian toimeenpano-ohjelma vuosille 2017–2020

Implementation Programme for Finland’s Cyber Security Strategy for 2017–2020


Table of Contents

Introduction

Content of the Implementation Programme 2017–2020

The strategic guidelines of cyber security preparedness are:

1) Leadership will ensure that the Cyber Security Vision is achieved

2) Society’s vital digitalised functions will be assured

3) The cyber competence of citizens, the business community and the public sector will contribute security to digitalisation

I Leadership will ensure that the Cyber Security Vision is achieved

1) Strategic leadership will be defined

2) The leadership model for state cyber security will be established and organised

3) The public administration’s major cyber incident management model will be implemented and active

4) The public administration’s strategic information and cyber security guidelines will be confirmed

5) Finland will actively and effectively participate in international cyber security cooperation

6) Finland’s cyber security forum will provide a collaborative platform for the public administration, the business community and the academia

7) Instruments for monitoring the progress of the Implementation Programme will be established

8) The preconditions for influencing the cyber domain will be secured

9) The provision of sufficient and relevant information to the state leadership as regards countering threats to national security will be assured

10) The preconditions of fighting cybercrime will be assured

11) Legislation on information security and data protection will be clarified and amended, and the EU’s general data protection regulations will be enacted in national legislation

II Society’s vital digitalised functions will be safeguarded

12) The digital services of the public sector and the needed infrastructure, indispensable for the vital functions of society, will be identified and under control

13) The continuity of functional processes as well as information and cyber security will be assured in the health, social services and regional government reform

14) The Government will have access to solutions and services for telecommunications, information management as well as preparedness and readiness management in all security situations

15) The integrity, availability and confidentiality of critical basic registers and information resources will be assured in all security situations

16) Electricity supply management and power distribution to society’s key targets will be assured to the sufficient level

17) Cyber security will improve among businesses critical to the security of supply

18) Data protection and cyber and information security for elections will be studied

19) The preparedness arrangements and disruption management of systems and processes associated with taxation, budget proposals, the state’s funding and payments will be improved

20) A limited national cyber security audit with which organisations can make certain that they achieve the minimum security level will be prepared

III Cyber competence among citizens, the business community and the public sector will contribute security to digitalisation

21) A secure growth environment will be created for digital business

22) Training and exercises will be planned and carried out


4 The Security Committee

Introduction

Finland’s first Cyber Security Strategy was published on 24 January 2013 in the form of a Government Resolution. It defined the central objectives and policies for meeting challenges in the cyber domain and for securing its functioning. The Strategy described the vision and strategic policy settings of cyber security and noted that an implementation programme was needed to execute the strategic policy settings and achieve the desired end state of the Cyber Security Strategy Vision. On 11 March 2014 the Security Committee adopted the first Implementation Programme and since then has regularly evaluated the realisation of the Programme.

The new Implementation Programme for 2017–2020 addresses the development of cyber security within the service complex comprising the state, counties, municipalities, the business sector and the third sector in which the individual citizen is the customer. The business community provides most digital services and their cyber security through international service complexes and networks.

Since the publication of the Cyber Security Strategy the operating environment of the cyber domain has changed as a result of new service production models and technologies and the new threats directed at them. According to the February 2017 Government research project “Finland’s cyber security: the present state, vision and the actions needed to achieve the vision” (later: Finland’s cyber security report 2017), the most noteworthy cyber threat trends in recent years have been the growth of ransomware, the exploitation of vulnerabilities, threats against devices as well as hacking business operations or breaches of personal data. Also, hoaxes, phishing, denial-of-service attacks and targeted attacks are still relevant threats. The most attacked branches particularly include the health sector, manufacturing and production, banking and financing, the public administration as well as the transport and haulage sector. We will likely see increasingly sophisticated cyber-attacks and more leaks of information in the future. The volume of devices connected to the network is increasing, which means that future attackers will gain a vast amount of new targets in conjunction with the expansion of the Internet of Things.

Moreover, Finland’s cyber security report 2017 stated that ‘even though in recent years Finland has better grasped the political nature of matters in the cyber domain and the need for political awareness in reaching the Cyber Security Vision, the strengthening of political commitment can still be considered as a goal. Political commitment is also about promoting and communicating the national ambition (Cyber Security Vision) internationally’. According to the report Finland’s international action in cyber related matters needs further strengthening: ‘Finland needs to prepare a distinct “cyber agenda”, i.e. publicly declare the goals it aims to advance in international cooperation’.

On the basis of evaluations provided by administrative branches, the business community, the academia and NGOs the Secretariat of the Security Committee prepared an assessment on the progress of the Implementation Programme for Finland’s Cyber Security Strategy in January 2016. The assessment emphasised the need to develop strategic management models for cyber security. On 14 March 2016, on the basis of the assessment, the Security Committee decided to update the Implementation Programme for Finland’s Cyber Security Strategy as an expression of the national ambition. The ambition will be demonstrated through leadership and by re-allocating resources.

The first Implementation Programme for Finland’s Cyber Security Strategy, adopted in 2014, comprised altogether 74 measures assigned to ministries and, partly, to individual actors. The assessment identified significant impacts resulting from the following measures:

• The Government Security Network (TUVE) project and the development of sector-independent ICT tasks,

• The National Cyber Security Centre established at the Finnish Communications Regulatory Authority (FICORA) and the development of associated CERT activities,

• The Development Project for the Central Government 24/7 Information Security Operations (SecICT) and the related improvement of monitoring and warning,

• The Development Project for Jyväskylä Security Technology (JYVSECTEC), and

• Cyber security courses organised by the National Defence Training Association of Finland.

As a consequence of digitalisation and the required change management, business intelligence, artificial intelligence, robotisation and the Internet of Things, cyber security also plays an increasingly important role in securing society’s vital functions in the national and international operating environment. Digitalisation is a cross-cutting theme of the Government Programme and it is being implemented in several different projects. The Public Sector ICT unit at the Ministry of Finance is responsible for implementing the Government Programme’s key project “Public services will be digitalised”. In this context cyber security is viewed as an enabler of digitalisation; it must be built into all action and services. This will be accomplished by implementing two of the nine principles of digitalisation: “We will build easy-to-use and secure services” and “We will also serve in case of disruptions”.

According to the vision of the Information Security Strategy for Finland, published by the Ministry of Transport and Communications in 2016, ‘the world’s most trusted digital business comes from Finland’. Finland is viewed as being in a good position to become known as a competent, successful and reliable country where it is safe to take hold of the opportunities brought about by digitalisation. By developing, offering and testing new models of business services and income generation that are based on the utilisation of digital information, it is possible to foster and accelerate economic growth. It is estimated that this will require trust in the new services, business models and market actors as well as there being a strong grip on the development of information security expertise and market development.

Owing to globalisation and digitalisation, Finland’s security environment has rapidly transformed. Along with the changes in the security and operating environment national threats, such as phenomena and undertakings associated with espionage and terrorism, are increasingly occurring in networks. This change also calls for the authorities to have powers that extend to the cyber domain. As a consequence of the new situation Finland, too, has started preparing intelligence legislation in the administrative branches of the Ministry of the Interior and the Ministry of Defence.

The Implementation Programme for 2017–2020 was compiled from recommendations for action gathered during the drafting process. Recommendations were gathered through a targeted request to ministries and government agencies and by arranging interviews and discussions with the scientific and research community, the public administration and the business community. The preparation for the Implementation Programme took into account the strategy documents adopted as Government Resolutions as well as other strategy documents and, when possible, other strategy documents being prepared during the time of the drafting process, such as the updating of the Security Strategy for Society. The selection criteria for the action items were that they promote the achievement of the Vision and comply with the strategic guidelines. The selection emphasised the standpoint of effectiveness, highlighting the individual as a customer of public services, securing the vital functions and cooperation among the public sector, the business community and the scientific and research community. The Implementation Programme gathers together the public sector’s wide-ranging and significant internal projects and actions that aim to improve information and cyber security which are to be implemented together with the business community and NGOs. It also brings them into the public view as coherent and properly delegated processes. When the projects and actions are included in the Implementation Programme it is possible to regularly monitor and measure their progress, which also provides a better overall situation picture of cyber security development. The measurement methods must be continually developed, especially as regards monitoring the quality of actions. In addition to the far-reaching measures selected for the Implementation Programme cyber security is also constantly being improved through other administrative branch-specific actions as well as by the work associated with developing cyber and information security and continuity management.

The Implementation Programme is evaluated and measured annually and, in that context, measures can be changed, added or removed. The updating of the Implementation Programme has been prepared in a working group chaired by Pentti Olin, Senior Advisor, Secretariat of the Security Committee and Tuija Kuusisto, Security Manager, Adjunct Professor, Ministry of Finance, Kimmo Rousku, General Secretary of VAHTI, Ministry of Finance, Rauli Paananen, Deputy Director, Finnish Communications Regulatory Authority (FICORA), and Nadja Nevaste, Advisor, Secretariat of the Security Committee as members.

Content of the Implementation Programme 2017–2020

Finland’s Cyber Security Strategy defines the Cyber Security Vision as well as ten strategic guidelines according to which the national cyber security will be developed. According to the Vision:

• Finland can secure its vital functions against cyber threats in all situations.

• Citizens, the authorities and businesses can effectively utilise a safe cyber domain and the competence arising from cyber security measures, both nationally and internationally.

• By 2016, Finland is the global forerunner in cyber threat preparedness and in managing the disturbances caused by these threats.

As regards the third item of the vision, the goal set for 2016 will now become a standing goal: Finland will be the global forerunner in cyber threat preparedness and in managing the disruptions caused by them.

According to available international comparisons and evaluations Finland is at present among the top ten countries in terms of cyber security preparedness and the progress of its implementation.

The strategic guidelines of cyber security preparedness are:

1. Create an efficient collaborative model between the authorities and other actors for the purpose of advancing national cyber security and cyber defence.

2. Improve comprehensive cyber security situation awareness among the key actors that participate in securing the vital functions of society.

3. Maintain and improve the abilities of businesses and organisations critical to the vital functions of society as regards detecting and repelling cyber threats and disturbances that jeopardise any vital function, along with their recovery capabilities, as part of the continuity management of the business community.

4. Make certain that the police have sufficient capabilities to prevent, expose and solve cybercrime and those that benefit from it.

5. The Finnish Defence Forces will create a comprehensive cyber defence capability for their statutory tasks.

6. Strengthen national cyber security through active and efficient participation in the activities of international organisations and collaborative fora that are critical to cyber security.

7. Improve the cyber expertise and awareness of all societal actors.

8. Secure the preconditions for the implementation of effective cyber security measures through national legislation.

9. Assign cyber security related tasks, service models and common cyber security management standards to the authorities and actors in the business community.

10. The implementation of the Strategy and its completion will be monitored.

The Implementation Programme is divided into three topics which address the following issues:

1) Leadership will ensure that the Cyber Security Vision is achieved

What kind of management and steering structures, models and legislation should be created to achieve the Cyber Security Vision? What kind of models for compiling and disseminating joint situational awareness among the public administration, the business community and NGOs should be established and developed?

2) Society’s vital digitalised functions will be assured

What kind of far-reaching administrative and technological actions are needed to retain confidence in the cyber domain in normal conditions, during disruptions in normal conditions and emergency conditions?

3) The cyber competence of citizens, the business community and the public sector will contribute security to digitalisation

What kind of curricula for developing expertise should be available to citizens, the business community and the public administration? Who will provide the curricula and generate scientific information?

The following matrix describes the action items of the Implementation Programme, complying with the strategic guidelines. They are grouped along the lines of the Programme’s three topics.

Action/Guideline 1 2 3 4 5 6 7 8 9 10

1 Strategic leadership will be defined x x x x x

2 The leadership model for state cyber security will be established and organised x x x

3 The public administration’s major cyber security incident management model will be implemented and active x x x x x x

4 The public administration’s strategic information and cyber security guidelines will be confirmed x x x

5 Finland will actively and effectively participate in international cyber security cooperation x x x

6 Finland’s cyber security forum will provide a collaborative platform for the public administration, the business community and the academia x x x x x

7 Instruments for monitoring the progress of the Implementation Programme will be established x x

8 The preconditions for influencing the cyber domain will be secured x

9 The provision of sufficient and relevant information to the state leadership as regards countering threats to national security will be assured x x x x

10 The preconditions of fighting cybercrime will be assured x

11 Legislation on information security and data protection will be clarified and amended, and the EU’s general data protection regulations will be enacted in national legislation x

12 The digital services of the public sector and the needed infrastructure, indispensable for the vital functions of society, will be identified and under control x x x x x

13 The continuity of functional processes as well as information and cyber security will be assured in the health, social services and regional government reform x x

14 The Government will have access to solutions and services for telecommunications, information management as well as preparedness and readiness management in all security situations x x x x x

15 The integrity and availability of critical basic registers and information resources will be assured in all security situations x

16 Electricity supply management and power distribution to society’s key targets will be assured to the sufficient level x

17 Cyber security will improve among businesses critical to the security of supply x

18 Data protection and cyber and information security for elections will be studied x x

19 The preparedness arrangements and disruption management of systems and processes associated with taxation, budget proposals, the state’s funding and payments will be improved x x x

20 A limited national cyber security audit with which organisations can make certain that they achieve the minimum security level will be prepared x x

21 A secure growth environment will be created for digital business x x x x x x x x

22 Training and exercises will be planned and carried out x x x x


I Leadership will ensure that the Cyber Security Vision is achieved

Finland’s cyber security report 2017 states that: ‘The research strongly highlighted the ambiguity and lack of comprehensive cyber security which encompasses and amalgamates the different cyber functions of the whole of society. In conclusion, it can be said that clarifying and strengthening strategic management is essential in order to ensure the achievement of Finland’s Cyber Security Vision.’

1) Strategic leadership will be defined

Associated with strategic guidelines: 1, 4, 5, 6, 9

Responsibility: Secretariat of the Security Committee, Prime Minister’s Office, Ministry of Finance and other required actors

Implement a project which defines the clarification and strengthening of strategic management in cyber security. The project will also take into account the realisation of the crisis management model during information security incidents.

2) The leadership model for state cyber security will be established and organised

Associated with strategic guidelines: 1, 2, 3

Responsibility: Ministry of Finance

The Ministry of Finance will create a new framework for the central government’s cyber security management as part of the implementation of the Financial Administration 2020 Project.

3) The public administration’s major cyber incident management model will be implemented and active

Associated with strategic guidelines: 1, 2, 3, 4, 5, 9

Responsibility: Ministry of Finance, Ministry of Transport and Communications, Government ICT Centre (Valtori)

Finland’s cyber security report 2017 states that: ‘In recent years Finland has developed a cyber security situation picture as well as an exchange of information compiled by different actors. However, improving the exchange of information and detection are still areas of cyber security in which Finland needs to improve. It is also important to actively disseminate, for example, situational awareness on identified vulnerabilities among different actors, and to confidentially report possible data breaches so as to prevent similar data breaches elsewhere in society.’

Valtori, led by the Ministry of Finance and working together with the Ministry of Transport and Communications, FICORA and other actors, will plan a further operational version of an intersectoral virtual incident response team (VIRT). It will include a description of information flows and operating processes between the public administration and the business community during significant information security incidents and information security deviations involving the central government. A research project for developing the cyber situation picture and analysis capability will be implemented.

As regards actors that do not have the obligation to notify of violations of information security pursuant to the directive on network and information security (NIS), the Ministry of Finance will ensure that ministries, administrative branches and service centres as well as counties and municipalities, and the businesses owned by them, will notify of any information security incidents and information security deviations involving the public administration to FICORA. The obligation to notify must be included in contracts signed with subcontractors. The Ministry of Finance will provide more detailed guidelines on the obligation. In addition, contractually based preparedness arrangements with the private sector will be implemented.

4) The public administration’s strategic information and cyber security guidelines will be confirmed

Associated with strategic guidelines: 1, 3, 9

Responsibility: Ministry of Finance

The Ministry of Finance will appoint the Government Information Security Management Board (VAHTI) for the 2017–2019 period. VAHTI will handle and harmonise all essential strategic policy guidelines of information security for the public administration. Moreover, the Ministry of Finance will assess the need for and the possibilities of reviewing the present information security legislation. VAHTI will submit annual progress reports.

5) Finland will actively and effectively participate in international cyber security cooperation

Associated with strategic guidelines: 4, 5, 6

Responsibility: Ministry for Foreign Affairs and other ministries within their administrative branches

Finland will actively influence the handling of international cyber security issues within the scope of the EU, the UN, the OSCE, NATO, the OECD, the Council of Europe and other key organisations, as well as bilaterally. The Ministry for Foreign Affairs has the key role in identifying foreign and security policy aspects in questions associated with the cyber domain.

For its part, the Ministry for Foreign Affairs coordinates Finland’s positions in international forums on matters involving the cyber domain. The Ministry for Foreign Affairs will also help advance the international prospects of Finnish cyber security companies as part of export promotion and internationalisation.

6) Finland’s cyber security forum will provide a collaborative platform for the public administration, the business community and the academia

Associated with strategic guidelines: 1, 2, 6, 9, 10

Responsibility: Secretariat of the Security Committee

Finland’s cyber security forum strives to improve cooperation and exchange of information among the scientific and research community, the public administration, businesses and NGOs. The forum monitors the progress of the Cyber Security Strategy and this Implementation Programme and evaluates their up-to-datedness. In addition to the members of the Security Committee, the forum will invite professors of cyber security as well as CEOs and presidents of NGOs to its events. The forum will receive reports on the progress of the Implementation Programme, Finland’s cyber security situation and the results of research projects.

7) Instruments for monitoring the progress of the Implementation Programme will be established

Associated with strategic guidelines: 9, 10

Responsibility: Secretariat of the Security Committee and the Ministry of Finance

The implementation of cyber security is being monitored through presently existing instruments. The Secretariat of the Security Committee and the Ministry of Finance will carry out a research project to create an updated maturity model and instrumentation for the purpose of monitoring the status of Finland’s cyber security and the achievement of the goals of this Implementation Programme. The maturity model and the instruments will be used to provide regular reports on the status of the Programme to the Security Committee, the Government, the cyber security forum and other stakeholders. The Implementation Programme will be evaluated annually and in that context measures can be changed, added or removed.

8) The preconditions for influencing the cyber domain will be secured

Associated with strategic guideline: 5

Responsibility: Ministry of Defence, Ministry of the Interior

In accordance with the Cyber Security Strategy the Defence Forces will develop and maintain a comprehensive cyber defence capability for their statutory tasks. This also includes a cyber-attack capability. The Ministry of Defence, together with other relevant stakeholders, will determine the process associated with the cyber-attack capability. Among other things, the process entails powers, practices associated with executive assistance, methods for cooperating across administrative branches, the exchange of information among different authorities, lines of authority and legal mandates.

9) The provision of sufficient and relevant information to the state leadership as regards countering threats to national security will be assured

Associated with strategic guidelines: 1, 2, 5, 8

Responsibility: Ministry of the Interior, Ministry of Defence, Ministry for Foreign Affairs

In order to meet the changes brought on by digitalisation legislation must be reviewed so as to make it possible for the national security authorities to satisfactorily carry out their statutory tasks. A Government proposal on new intelligence legislation in Finland is presently being prepared. The purpose of the legislation is to make it possible to better respond to changes in the security environment and to new kinds of threats against Finland.

The Ministry of Defence, together with the Ministry of the Interior and the Ministry of Justice, will continue drafting legislative proposals for intelligence in accordance with the Government’s guidelines.

10) The preconditions of fighting cybercrime will be assured

Associated with strategic guideline: 4

Responsibility: The Police and other authorities

The Ministry of the Interior will see to it that the police and other authorities have sufficient capabilities to prevent, expose and solve cybercrime. The situation picture of cybercrime and the exchange of information will be developed to improve the authorities’ joint situational awareness and to guarantee better preparedness for actors in the private sector. Moreover, the police will develop the handling and analysis of digital evidence by means of a quality programme.

11) Legislation on information security and data protection will be clarified and amended, and the EU’s general data protection regulations will be enacted in national legislation

Associated with strategic guideline: 8

Responsibility: Ministry of Justice, other ministries

The Ministry of Justice, together with other ministries, will incorporate European network and information security directives into national law. Each organisation will implement the requirements of legislative amendments in its action.

II Society’s vital digitalised functions will be safeguarded

Finland’s cyber security report 2017 states that ‘The Finnish networked information society must better identify targets that affect vital functions and critical infrastructure and, in particular, identify the critical services and functions that are indispensable to them and the stakeholders that rely on these critical services and functions. The identification of critical stakeholders and functions in the cyber domain also entails the consideration of “cyber self-sufficiency”, i.e. securing a sufficient autonomous capability for maintaining the critical infrastructures. Legislative review is an important subtopic in developing and strengthening state cyber security.’

12) The digital services of the public sector and the needed infrastructure, indispens-able for the vital functions of society, will be identified and under control

Associated with strategic guidelines: 3,4,5,6,9

Responsibility: Ministry of Finance, Government ICT Centre Valtori, other service centres and businesses providing services to the public administration

The Ministry of Finance will determine the need for legislative amendments on the central government’s shared new digital services and associated technologies. The Ministry of Finance will guide the Government ICT Centre Valtori to implement a control system containing descriptions of the digital services and the interdependencies which are inevitably needed for the vital functions of society. These digital services are included in the national critical infrastructure. The relevant partners in the value chains linking the public administration and the business community will be identified and the security of functional processes will be guaranteed. Critical services and interfaces that the services rely on will be identified.

A research project on describing the critical infrastructure and cyber self-sufficiency as an element of national cyber resilience necessary for society’s vital public services will be carried out.

13) The continuity of functional processes as well as information and cyber security will be assured in the health, social services and regional government reform

Associated with strategic guidelines: 3,9

Responsibility: Ministry of Social Affairs and Health, Ministry of Finance, Ministry of Interior, other ministries, counties

As a result of the health, social services and regional government reform, counties and service utilities owned by them as well as the companies that provide services, communities, foundations and municipal services form an ecosystem. Its continued functioning, information and cyber security included, is essential to the counties’ customers/citizens.


Counties, as well as the ministries within their administrative branches, are responsible for continuity management as well as the information and cyber security of the services they provide and the ICT services they use. This will be achieved through statutory measures and in accordance with the guidelines provided by the Ministry of Social Affairs and Health, the Ministry of Interior, the Ministry of Finance and the other ministries that steer the counties.

Furthermore, the administrative branch of the Ministry of Social Affairs and Health is planning to carry out an extensive study of the present state of cyber security and the required further measures from 2017 onwards. Also, national guidelines for the preparedness and continuity management of social welfare and health will be established during 2017–18.

14) The Government will have access to solutions and services for telecommunications, information management as well as preparedness and readiness management in all security situations

Associated with strategic guidelines: 2,3,4,5,6

Responsibility: Prime Minister’s Office

The Prime Minister’s Office will harmonise and implement the Government’s solutions and services associated with preparedness management, the continuity of which will be guaranteed, as applicable, for all security situations. Ministries will have access to a joint terminal device solution in the Government network that will also be available during disruptions and emergency conditions. Separate solutions, such as the restricted information network of the central government authority, will be used for preparedness and for materials requiring high protection levels.

15) The integrity, availability and confidentiality of critical basic registers and information resources will be assured in all security situations

Associated with strategic guideline: 3

Responsibility: Ministry of Finance, Population Register Centre, Ministry of Agriculture and Forestry, National Land Survey of Finland and Finnish Patent and Registration Office

The Ministry of Finance will determine and together with the competent organisations analyse the integrity and availability of information resources in all security situations. The assessment will take into account the availability of data and the required technology as well as the required encryption of classified information. The goal is to ensure access to key information resources and their integrity to all organisations in compliance with the classification criteria.


16) Electricity supply management and power distribution to society’s key targets will be assured to the sufficient level

Associated with strategic guideline: 3

Responsibility: Ministry of Economic Affairs and Employment

In accordance with the energy and climate strategy, a sufficient level of security of electricity supply at the national level will be ensured. The joint criteria for prioritising customers as regards power distribution during disruptions will be determined, taking especially into account the growth of increasingly ICT critical systems.

17) Cyber security will improve among businesses critical to the security of supply

Associated with strategic guideline: 3

Responsibility: National Emergency Supply Agency

The National Emergency Supply Agency (NESA) manages and allocates resources to the CYBER2020 programme which improves cyber security among businesses critical to the security of supply. The programme amalgamates all actions of NESA in the area of cyber security and creates permanent structures for developing and supporting cyber security in the long term. CYBER2020 will commit key cyber security expert organisations to the coordination and implementation of the programme in the long term. From 2016–2020 NESA will allocate approximately EUR 20 million and 10 person-years to launching the programme and to the first development projects to be financed. This includes the resources that are already earmarked to the National Cyber Security Centre Finland (NCSC-FI) at FICORA.

Moreover, as part of the programme NESA will support a project to create a cyber security glossary using the principles of terminology. The goal of the project is to identify the content assigned to the most important information and cyber security concepts, to build a glossary of the terms, and provide the required recommendations for using the terminology.

Special attention must be paid to harmonising the other measures that supplement the cyber security of companies and the authorities’ cyber security development, and to cyber security in the energy sector. NESA will also generate reports on the goals, actions and results of the CYBER2020 programme as part of the Implementation Programme’s annual reporting and monitoring.


18) Data protection and cyber and information security for elections will be studied

Associated with strategic guidelines: 8,9

Responsibility: Ministry of Justice

The Sipilä Government has outlined that electronic voting will be introduced in all elections in Finland as an alternative to traditional ballot voting. The Ministry of Justice will commission a feasibility study on internet voting in general elections and appoint a working group to prepare a report on the possibilities of introducing online voting in Finland. The report will consider the introduction of internet voting, technological options, costs and impacts on the election system. The goal is to complete the report by the end of 2017. The report must pay particular attention to information security and cyber security in elections.

19) The preparedness arrangements and disruption management of systems and processes associated with taxation, budget proposals, the state’s funding and payments will be improved

Associated with strategic guidelines: 2,3,9

Responsibility: Ministry of Finance

The continuity of digital processes used in taxation as well as the preparation of the general government fiscal plan, spending limits and the budget, and supporting ICT systems as well as the availability of information needed in the processes will be assured in all security situations and at all workplaces. When it comes to the state’s funding and payments, cooperation and preparedness management will be strengthened and the preconditions for the effective management of disruptions will be improved.

a) The capability to monitor and counter cyber-attacks and cybercrime against the state’s funding and payments processes and systems will be improved.

Responsibility: Ministry of Finance, Ministry of Interior, State Treasury, Finnish Government Shared Services Centre for Finance and HR (Palkeet)

The State Treasury will conduct a preliminary study (2016–2017) on developing cyber resilience for the state’s funding and payments processes. A more detailed proposal will be prepared in 2017 on the basis of the results as regards developing the required administrative and technological functions for different actors and processes.


b) The preparedness of electronic processes and ancillary ICT systems needed in taxation will actively be developed.

Associated with strategic guidelines: 2,3,9

Responsibility: Ministry of Finance, Tax Administration

The Tax Administration will plan and execute the development of preparedness expertise for electronic processes and ancillary ICT systems.

20) A limited national cyber security audit with which organisations can make certain that they achieve the minimum security level will be prepared

Associated with strategic guidelines: 7,9

Responsibility: JAMK University of Applied Sciences

The FINCSC (Finnish Cyber Security Certificate) operating model, built in the Cyber Scheme Pilot in Finland at the JAMK (Jyväskylä) University of Applied Sciences, is particularly designed for SME cyber security assessment and accreditation and further development. The introduction of the model will be promoted and supported by means of national action.


III Cyber competence among citizens, the business community and the public sector will contribute security to digitalisation

Finland’s cyber security report 2017 states that ‘Cyber security is the enabler of digitalisation. Finland has strong international trust capital and it is essential to utilise this trust and Finnish cyber expertise. Without credible private-sector business in this field Finland cannot be a forerunner in cyber security. In order to achieve the Cyber Security Vision significant extra investments in resources are needed, for example to strengthen the activity of the National Cyber Security Centre.’

21) A secure growth environment will be created for digital business

Associated with strategic guidelines: 1,2,3,4,6,7,8,9

Responsibility: Ministry of Transport and Communication and other ministries

As part of the 2015 action plan for the implementation of the Strategic Government Programme, the Information Security Strategy for Finland, adopted by the Ministry of Social Affairs and Health, will be implemented to boost confidence in the internet and digital practices.

The Information Security Strategy emphasises better competitiveness and export promotion, the development of the EU’s digital single market, strengthening the protection of privacy and other basic rights, and fostering innovation. The Strategy aims to achieve a change which results in inbuilt security features in systems, terminal devices and services. The Strategy also obliges the authorities to help communities and citizens to improve their information security.

As part of implementing the Information Security Strategy the following measures, among others, will be seen to:

• Enacting the EU Network and Information Security Directive nationally. The Ministry of Transport and Communications has set up a working group to assess the adequacy of present provisions and the possible need for legislative amendments for each branch of the directive’s scope of application.

• Improving the functioning of the National Cyber Security Centre Finland (NCSC-FI) at FICORA: Maintain a cyber security situation picture through the exchange of information based on trust among FICORA, companies and other communities.


22) Training and exercises will be planned and carried out

Finland’s cyber security report 2017 states that ‘General awareness and knowledge of the basic elements of cyber and information security are considered to be basic civic competences in the present-day digitalised information society in Finland. General awareness of the basic elements of cyber security and incorporating them into everyone’s daily routine must be actively improved in Finland. The training of experts requires better coordination between the fragmented education and research that exists among educational establishments as well as extending research even wider.’

a) The competence of the public administration’s information and cyber security personnel will be improved

Associated with strategic guideline: 7

Responsibility: Secretariat of the Security Committee, Ministry of Finance

The Secretariat of the Security Committee will monitor the effectiveness of cyber security exercises in conjunction with the annual progress reports on the Implementation Programme.

The Ministry of Finance, as part of the VAHTI activities, will plan and execute projects and services for improving the public servants’ competence in information and cyber security. The Ministry of Finance, together with the other authorities, will determine the required level of self-sufficiency in cryptology.

b) Citizens will have better information and cyber security skills

Associated with strategic guidelines: 7

Responsibility: National Defence Training Association of Finland, Finnish Association for the Welfare of Older People

The National Defence Training Association of Finland will annually organise a cyber security curriculum which consists of basic courses open to all citizens as well as continuing education and special training for professionals.

The Finnish Association for the Welfare of Older People will create a national peer-to-peer learning model intended for senior citizens and extend it to those that need it. This model will maintain and disseminate general learning methods on information technology for the aged on a nationwide basis. One of its syllabi will focus on information security and cyber issues so that older people can safely carry out online transactions (telemedicine, pharmacy, online banking, etc), and that interest in e-services, as well as an awareness of their associated risks, would increase among the elderly.


c) A national information and cyber security week will be organised annually

Associated with strategic guidelines: 6,7

Responsibility: Confederation of Finnish Industries, Ministry of Finance, Secretariat of the Security Committee

The Confederation of Finnish Industries together with the Ministry of Finance, companies and the Secretariat of the Security Committee will organise a national information and cyber security week every October as part of the European Cyber Security Month (ECSM). During the week information and cyber security will be communicated to citizens, companies and the public administration by means of information plugs and events. The week will culminate in the national information and cyber security day.

d) Basic skills in cyber security and the digital environment – general education and professional training will progress

Associated with strategic guideline: 7

Responsibility: Ministry of Education and Culture, Finnish National Agency for Education

As a part of multiliteracies, teachers’ continuing education will develop and advance contents associated with information and cyber security. By producing supplementary materials the Finnish National Agency for Education will advance multiliteracies as well as the basic skills of information and cyber security.

e) Cyber security research will improve collaboration among the authorities, research organisations and the business community

Associated with strategic guidelines: 1,7

Responsibility: Secretariat of the Security Committee

Finland’s cyber security report 2017 states that further research is needed at least on the following topics: strategic management of cyber security in Finland (actions 1 and 2); the development of a cyber security situation picture and analysis skills (action 3); and the definition of the vital functions of society, critical infrastructure and cyber self-sufficiency as part of national cyber resilience (action 12).

Cyber security research demands a situation picture and coordination. The Secretariat of the Security Committee, together with other stakeholders, will construct a model for research cooperation.


Preparation group for the Implementation Programme: Nadja Nevaste, Rauli Paananen, Pentti Olin, Tuija Kuusisto and Kimmo Rousku.


www.turvallisuuskomitea.fi/en