Cybersecurity will inevitably gain in importance in the near future with increased digitalisation and the development of the Internet of Things (IoT). The security of electronic communications and networks will be of vital importance to the operation of societies. This is why it is important to know where Finland stands in terms of cybersecurity competence. Do we have a head start, or are we lagging behind – or perhaps becoming a global forerunner? Or were we formerly on the top of the game, but are now losing our position?
Finland’s cybersecurity strategy was published in January 2013, stating that “By 2016, Finland will be a global pioneer in cyber threat preparedness and in managing the disturbances caused by these threats.” According to the strategy, Finland’s strengths include strong expertise, a long tradition of close public-private cooperation as well as inter-sectoral collaboration.
However, public discussion of the topic paints a slightly contradictory picture. On the one hand, the view is that Finland truly is leading the way: Finland has done well in many international ICT comparisons in areas such as network health. For example, Finland gained a shared eighth position among 194 countries in the Global cybersecurity Index of 2014. However, there were 22 countries ahead of us, because many countries share positions in the index. The global success of a few Finnish companies has also promoted our profile in the sector, and our traditionally strong competence in ICT is also reflected in the security sector.
On the other hand, recent news has cast doubt on our competence, such as a leak of classified information from the Finnish Foreign Ministry and the denial of service attacks that hit banks at the turn of the year. It has been also suggested that it is only a matter of time before we see a significant cyber-attack on public infrastructure in Finland.
Cybersecurity has strong links to our national security in terms of emergency supply and our national security. But there are also important business considerations, because the sector is growing globally and, as with other countries, Finland would like to see it become an increasingly important business area. The question of where we stand in terms of our cybersecurity competence is even more pressing in a global context. Many countries are putting significant resources into both cybersecurity and the preconditions of related business development. For example, the recently established Hague Security Delta in the Netherlands has become the largest security cluster in Europe and a significant cybersecurity cluster. Estonia has also emerged as a poster child for cybersecurity. It is very important to know where we stand in international comparison.
VTT’s and Cyberlab Ltd’s research project Cybersecurity competencies in Finland: Present state and roadmap for the future studies these questions. It is the first broad and comprehensive analysis of cybersecurity competencies in Finland. Special emphasis is placed on the state of cybersecurity-related research, development and innovation competencies in Finland as well as competence bottlenecks and shortages.
Research, development and innovation in the area is carried out by Finnish businesses, universities and polytechnics as well as research institutes. Considering the size of our population, Finland has a relatively large number of cybersecurity companies.
However, cybersecurity-related research only accounts for a small portion of our total research volume. In a small country, top expertise is also on a very thin ground. In terms of research, it is also important to remember that cybersecurity is a multi-disciplinary research area. Cybersecurity-related research takes place in many research fields, such as IT, mathematics, information systems science, cognitive science, management research and behavioural sciences. For the future development of the research field, what is important is its relation to the underlying basic sciences, i.e. how cybersecurity research is positioned in relation to them. It is also striking that the sector seemingly lacks a strategic vision on the development of its education and research. It is also very clear that very little genuinely multi-disciplinary research takes place in the area of cybersecurity in Finland.
To meet the objective of Finland’s cybersecurity strategy, we obviously need extensive cooperation in order to promote the sector. Cooperation is of special importance in research and innovation, and even more so in a small country where it is not possible to compete in terms of research volume and resources. Co-operation is required in particular between companies, universities and polytechnics and research institutes. On the other hand, considering our national security and emergency supply, it is also important that the public sector has good connections to research and business parties. A dialogue ensures that the research and education sector is aware of our national needs in terms of cybersecurity and also that our public sector stays up-to-date in terms of research views and current results.
In general terms, good cooperation between different sectors has been considered to be one of Finland’s strengths. In recent years, cooperation between cybersecurity organisations has been promoted by e.g. Strategic Centres for Science, Technology and Innovation (SHOKs) and the Finnish Information Security Cluster (FISC) established by major Finnish information security companies. In terms of cooperation, we also benefit from the fact that, in a small country, the number of players is limited and people tend to know each other already. However, according to the survey conducted by the Cybersecurity competencies in Finland project, research organisations do not appear as particularly strong contributors to companies’ innovation efforts. Private-sector and public-sector customers are by far the most important group of collaborators for companies, while the role of universities, polytechnics and research institutes is significantly less important. One explanation for this may be that since most of the companies in the sector are service providers, cooperation with research organisations may be less relevant to them. On the other hand, it may also indicate that cooperation methods and culture are not yet well developed.
According to our findings, there is no systematic cybersecurity-related interaction between the public sector and research organisations. We should seriously consider whether it would be worthwhile establishing a forum to ensure communication and enforcing interaction between them.
It is important to note the significant role of public-sector customers in the innovation efforts of companies. As the purchaser of products and services, the public sector plays an important role in cybersecurity. This raises the following question: to what extent have public procurements been used to promote or support the development of and, in particular, innovations in cybersecurity? It could be stated further development of public procurement has a great potential impact on the development of cybersecurity.
Stronger cooperation and public procurement that support the future development of the sector would bring us a lot closer of meeting the objective of Finland’s cybersecurity strategy!