Kyberansojen ja -harhautuksien 101 (lyhyt versio)

Monet ottavat matkoille mukaan ylimääräisen valelompakon, jonka sisään he laittavat sopivasti käteistä rahaa tai vaikkapa pelkkiä ostoskuitteja. Oikean rahapussin voi pitää piilossa vaatteiden alla ja valekukkaron laittaa laukkuun tai taskuun. Toiset kiinnittävät lompakkonsa vaatteisiin esimerkiksi metalliketjuilla tai lisäävät lompakkoon laitteen, jolla kadonneen lompakon voi etsiä myöhemmin.

Ansoitettujen valerahapussien idean voi siirtää myös digitaaliseen tietokoneiden maailmaan. Digitaalisuus mahdollistaa kuitenkin paljon enemmän!

Voimme yhdellä napin painalluksella täyttää kaikki halutut olemassa olevat tai eri vaatekerroksiin samalla ommellut uudet taskut lukuisilla valelompakoilla ja vastaavasti ne halutulla sisällöllä. Sisällöksi voidaan laittaa jotain uskomatonta, mitä niissä ei normaalisti koskaan olisi tai ne voi täyttää niin isolla määrällä rahaa, että niiden siirtämiseen tarvittaisiin iso rekka-auto.

Digitaalisessa maailmassa voimme varmistua siitä, etteivät kukkaroihimme kiinnitetyt ketjut tartu vahingossa minnekään. Meitä saattaa myös kiinnostaa miten, missä, milloin ja miksi oikea tai valerahapussimme varastettiin, kuka sen varasti ja missä se tällä hetkellä sijaitsee, mutta myös se, miten, milloin ja mihin sen sisältämää oikeaa tai valheellista sisältöä käytetään tai yritetään käyttää.

Digitaalisessa maailmassa esimerkin vaatteet, taskut, ketjut, lompakot ja niiden sisältö voivat olla mitä tahansa, vain mielikuvituksen on rajana! Ansat ja harhautukset ovat yksi monista hauskoista VTT:n kyberturvallisuuden tutkimusalueista!

Lisää kyberturvallisuudesta: 

vtt.fi/cybersecurity
vttresearch.com/services/digital-society/cyber-security
VTT Cyber Security Services Presents: A short movie about the good guys 
Teemu Väisänen VTT
Teemu Väisänen
Research Scientist, VTT
teemu.vaisanen(a)vtt.fi

 

Etätodennus lisää luottamusta kriittisiin infrastruktuureihin

Kun keräät esimerkiksi lämpötilamittauksia esineiden internetistä (engl. Internet of Things, IoT), haluat olla varma siitä että kyseiset mittaukset ovat tuoreita. Lisäksi niiden tulee olla lähtöisin kalibroiduista ja peukaloimattomista sensoreista. Sensorien eheyden varmistaminen muodostuu entistä tärkeämmäksi IoT-laitteita vastaan suunnattujen hyökkäysten yleistyessä. IoT-laitteita myös hyödynnetään bottiverkkojen solmuina, kuten kävi Mirai-tapauksessa. Etätodennus (engl. remote attestation) on mekanismi systeemin sisäisen tilan mittaamiseen. Se raportoi tuoreen tilatiedon etävarmentajalle eheyden todentamiseksi.

Koko yhteiskunta on tulossa entistä riippuvaisemmaksi erilaisista hajautetuista järjestelmistä. Etätodennusta voidaan soveltaa kriittisten infrastruktuurien eheyden suojaamiseksi. Mitä kriittisempi järjestelmä, sitä tärkeämpää etätodennus on. Esimerkiksi energiantuotanto ja –jakelu, maksujärjestelmät sekä sotilaalliset verkostot ovat erittäin kriittisiä ja asianmukaisten todennusjärjestelmien tulisi olla kunnossa. Tällaisten hajautettujen järjestelmien laitteet voivat sijaita laajalla maantieteellisellä alueella, jolloin niitä tulee suojata hyökkäyksiltä sekä verkosta, että fyysisestä maailmasta. Tämä ei aina ole helppoa.

Sovelluksia ja teknologioita

Etätodennusta käytetään tyypillisesti lisätarkistuksena ennen pääsyä tarjottavaan palveluun. Esimerkiksi yritykset voivat pakottaa kannettavan tietokoneen vastaanottamaan ohjelmistopäivityksiä karanteeniverkossa ennen päästämistä ensisijaiseen langattomaan verkkoonsa. Pilvipalveluissa voi hyödyntää etätodennusta todistamaan, että virtuaalikone on asennettu asianmukaisesti ja luottamuksellisia laskentatehtäviä ajetaan asiaan tarkoitetulla erityisalueella (engl. enclave). Lisäksi etätodennusta voi käyttää kuten virus­skannausta verkon laitteiden eheyden tarkastamiseen. Kaikki nämä rutiinit luovat turvallisempia toimintaympäristöjä.

Tyypillisiä todennusmekanismeja, -protokollia ja -arkkitehtuureja ovat esimerkiksi:

  • Eristetyt ajonaikaiset ympäristöt mittausten turvaamiseksi ja allekirjoitetun eheysraportin tarjoamiseksi, kuten Trusted Platform Module (TPM), Intel Software Guard Extensions (SGX) ja ARM TrustZone
  • Mittausmekanismit – käynnistysvaihe ja käyttäjätila, kuten Integrity Measurement Architecture (IMA)
  • Etätodennusprotokolla, kuten Open Cloud Integrity Technology (OpenCIT)

Ongelmia ja rajoituksia

Kuten mikään paradigma, etätodennuskaan ei ole täydellinen ratkaisu. Sillä on omat haasteensa kuten ajantasaiset valkoiset listat. Listojen ylläpitäminen on mahdollista sulautetuissa järjestelmissä kuten IoT-laitteissa, jotka on suunniteltu toteuttamaan vain rajallisen määrän tehtäviä. Täysveristen tietokoneiden tapauksessa puolestaan valkoisten listojen ylläpitäminen tulee erittäin haastavaksi, koska asennettuja ohjelmistoja ja ohjelmistopäivityksiä on paljon.

Toinen haittapuoli etätodennuksessa on keskittyminen pääasiassa suoritettaviin tiedostoihin niiden latausvaiheessa. Etätodennus ei auta enää hyökkäyksissä, jotka hyödyntävät ajonaikaisia haavoittuvuuksia kuten puskurin ylivuotovirheitä. Onneksi hyökkääjät kuitenkin jättävät haittaohjelmia asennellessaan jälkiä ja etätodennusmenetelmillä niitä voidaan myöhemmin seurata.

VTT_Cybersecurity

Kuva 1. Etätodennusprotokolla välittää eheysvarmistetut mittaustiedot verifioijalle.

Lopuksi

Etätodennusta voidaan hyödyntää verkon laitteiden eheyden varmistamiseksi. Sitä tulisi soveltaa verkoissa, jotka tarvitsevat normaalia parempaa tietoturvaa, erityisesti kriittisissä infrastruktuureissa.

Lataa ilmainen raporttimme kyberturvallisuudesta ja opi turvaamaan oma organisaatiosi ja varautumaan tietoturvaongelmia vastaan.

MarkkuKylanpaa

 

Markku Kylänpää
Senior Scientist, VTT
markku.kylanpaa(a)vtt.fi

 

Lisätietoja

Lee-Thorp A., “Attestation in Trusted Computing: Challenges and Potential Solutions”, Royal Holloway Series, http://cdn.ttgtmedia.com/searchSecurityUK/downloads/RHUL_Thorp_­v2­.­pdf .

Kylänpää M., Rantala A., “Remote Attestation for Embedded Systems”, In: Security of Industrial Control Systems and Cyber Physical Systems. CyberICS

Remote attestation adds trust to critical infrastructures

When collecting measurements (e.g. temperature) from the Internet of Things (IoT), you want to make sure that those measurements are fresh and originate from calibrated and untampered sensor nodes. Integrity verification of sensor nodes is becoming more critical as attacks against IoT devices have become more common and also utilized in large botnets (e.g. the Mirai case). Remote attestation is a mechanism of measuring internal state of the system. It reports fresh state information to a remote verifier that can use this information to verify the node’s integrity.

The whole society is becoming more and more dependent on various distributed networked systems. Remote attestation could be applied to protect integrity of critical infrastructures. The more critical the infrastructure, the more important remote attestation becomes. For example energy systems, payment networks, and the military domain are very critical and proper attestation mechanisms should be in place. Such systems contain many networked nodes that are distributed to large geographic area. Guaranteeing both online and physical security of the networked nodes can be challenging.

Applications and technologies

Remote attestation is typically used as an additional check before permitting access to the provided service. Companies may request attestation before allowing laptops to their wireless networks, forcing software updates in a quarantine network. Cloud-based services can utilize attestation to prove that the virtual machine has been set up correctly and there may be dedicated enclave that is used to run confidential computing tasks. Attestation mechanisms can also be used like virus scanners to perform local health check for network nodes. All these routines create more secure environment to operate in.

Common attestation technologies, protocols, and architectures include:

  • Isolated execution environment to protect measurements and to provide signed integrity report (e.g. Trusted Platform Module (TPM), Intel Software Guard Extensions (SGX), ARM TrustZone).
  • Measurement mechanisms – boot phase and userspace (e.g. Integrity Measurement Architecture (IMA)).
  • Remote attestation protocol (e.g. Open Cloud Integrity Technology (OpenCIT))

Problems and limitations

Like any other paradigm, remote attestation is no silver bullet either. It has its drawbacks such as keeping an up to date whitelist. It is somewhat doable in embedded systems such as IoT devices, which are aimed to perform a limited amount of operations. In the case of full-fledged computers, instead, maintaining a whitelist of all relevant configurations becomes very complex, because of large number of installed applications and software updates.

Another downside of remote attestation is that it concentrates mainly on the executable files, not on the runtime vulnerabilities such as buffer overflows. However, even though remote attestation is not able to identify runtime attacks, attackers often leave behind traces when installing malware components and attestation measuring mechanisms are capable of tracking those.

VTT_Cybersecurity
Figure 1. Remote attestation protocol transfers integrity protected measurements to the verifier

Conclusions

Remote attestation can be used to provide integrity verification for network endpoints. The concept should be used in networks that require additional security, like systems that are part of critical infrastructures.

Download our free report on cyber security and learn how to protect your organization and defend against security incidents.

MarkkuKylanpaa
Markku Kylänpää
Senior Scientist, VTT
markku.kylanpaa(a)vtt.fi
Tel +358 207 226035

More information:

Lee-Thorp A., “Attestation in Trusted Computing: Challenges and Potential Solutions”, Royal Holloway Series, http://cdn.ttgtmedia.com/searchSecurityUK/downloads/RHUL_Thorp_­v2­.­pdf .

Kylänpää M., Rantala A., “Remote Attestation for Embedded Systems”, In: Security of Industrial Control Systems and Cyber Physical Systems. CyberICS 2015, WOS-CPS 2015. Lecture Notes in Computer Science, vol 9588. Springer, 2016.

Learning about information security – the hard way or through anticipation and practice?

Information security is an increasingly important part of the lives of both private individuals and companies and organisations. You can learn secure practices and ways to minimise threats in many ways. However, it is important to consider what you would need to learn and how you can best learn those particular matters.Kyberturva

The least you can do is learn from your own mistakes. When an information security threat is realised, it is important that, once the dust has settled, you analyse the situation. You can then draw conclusions from this analysis and improve your contingency planning in the future. Unfortunately, often such learning experiences become costly (technical repairs, penalty charges, claims for damages, trials) and awkward (reputation) for companies. The forthcoming EU General Data Protection Regulation (GDPR) may further increase the price of such lessons.

Learning from mistakes made by others is often cheaper and far less stressful. Therefore, it is important to follow media coverage related to information security within your sector and collect additional information on interesting cases and cases that best coincide with your own operations. It is also advisable to go through such coverage more extensively with the persons or parties who might have the most to learn from the cases.

Generally speaking, an organisation’s activities should be based on rational risk analysis and the measures to be applied to the most important or biggest identified risks, where threats related to information security are only part of the overall picture. The measures needed may include technical and financial measures, and steps related to the organisation’s processes. Even in a major organisation, the information security may depend on the actions of an individual IT system user. Basic information security skills belong to everyone, and they may not yet be part of general knowledge, but they certainly will be in the future. When the foundations are in order, each organisation can build its own information security guidelines and practices on top of them.

Training is useful, but it must not be the only way of trying to address information security threats. In a well-functioning information security system, technical tools support the users, help them operate correctly, and are capable of containing damage when a user makes a mistake. Despite all training, mistakes do happen – that is only human. This is good to acknowledge at all levels of the organisation. Many companies consider cyber threats a serious problem for themselves, but very few of them have provided sufficient training to their employees or practised how to operate under an imagined cyberattack situation.

This is clearly problematic, because practising is an important part of learning. Without training and practice, it may be difficult for the employees to understand why any cyberattacks would be targeted against them, what kind of attacks could be launched against companies through the mistakes they might make, and what kind of consequences these might have for the company. As realistic practising as possible is one of the best ways of learning operating models that best serve your own needs as well as those of your organisation, and to find potential weaknesses before the damage is done. Persons at every level of an organisation should practise against cyber threats.

Naturally, the content of training and practising is different for people working at different levels of the organisation, and therefore a wide range of training is provided. The courses and exercises may focus on a single theme only, such as how to limit the amount of data in public services that can be used for attacks or how to detect social manipulation. They can also teach the use of technical monitoring tools of various systems or how to conduct digital criminal investigation. Training can be given in the form of lectures or it can be hands-on training at the keyboard. In the exercises, the teaching is not always targeted to the staff of a single organisation only, but people can also practice communication both within organisations and with external actors, and cooperation between different organisations. This may include communication with information security companies, customers, partners and National Cyber Security Centre Finland of the Finnish Communications Regulatory Authority (FICORA). The largest exercises may involve several countries and organisations operating in them.

Of course, no kind of training can guarantee 100% functional protection against different attacks. And no technology can prevent all cyber threats. However, a staff with good basic skills provides better protection against many attacks, and people who have practised handling of crisis situations are better capable of managing the consequences of a possible serious data breach than an organisation that has not made any such preparations. It is important that you keep the level of your organisation’s competence and contingency planning at a sufficient level in the changing threat environment. You should also learn these things by practising them in advance rather than the hard way after a major crisis.

Download our new cyber security report for free and get acquainted with how companies can raise their cyber security level and protect themselves against cyber threats.  Kimmo Halunen VTT

Kimmo Halunen
Senior Scientist
Twitter: @khalunen 

Teemu Väisänen VTT

Teemu Väisänen
Research Scientist

When the cyber weather forecast gets gloomy, everyone should get prepared

Cyber security

In the modern society computers are embedded everywhere and automation affects our daily lives in several ways. Networked computers control even the most critical infrastructures such as electricity, water distribution, and traffic. Our dependency on these networks also bring risks: we are more vulnerable than ever to cyber attacks. At worst cyber threats spreading via computer networks could weaken or even cripple our society.

In order to maintain cyber safety, professionals of various industry domains should get diverse training. Learning new skills enables preventing potential cyber attacks. It also helps to detect spying attempts toward critical corporations and civic functions.

Dark clouds hanging from the cyber sky

Cyber weather is revealed for example via active alerts on the Finnish Communications Regulatory Authority’s web site. Cyber weather is said to be unstable for example when following warnings are in effect:

  • denial of service attacks
  • blackmailing malware
  • infected office files
  • spying attempts
  • hoax and scam messages

Ultimately it is up to the skills of stakeholders in charge of infrastructure services, whether the citizens get their electricity, clean water, fuel, heating, groceries, medicine, and other vital commodities regardless of the current cyber weather.

That being said, everyone should get personally prepared. In unstable cyber weather you shouldn’t trust even the messages coming from known business partners. MS Office attachments from a familiar company can contain Powershell commands added by an attacker. In such case even the high-quality security procedures of your company do not necessarily warn you.

Hopefully the thunder and the rain will quietly pass you by. After the threats have been investigated and neutralized, you can start to trust your business partners again.

Uncertainty is the new normal

We are already living in a constant threat of communication malfunctions and cyber security threats. Uncertainty has become the new normal. Only the ones who take this seriously are safe. It is risky to trust those who don’t care about security.

The infrastructure takes daily hits from cyber spying. Motives for spying vary: crippling computer networks, infiltrating electricity network control systems, blackmailing hospital personnel, or breaking into real estate remote management systems.

After spying attempts it becomes possible to actually enter the critical systems. Even the most secure systems can be hacked, if enough time and resources are available. Bad guys have the most modern attacking tools and services at their disposal, especially if the target is financially interesting enough for blackmailing.

The attacks are also tailored to match security systems and processes of the target. Focused attacks take advantage of any procedures bypassing the company’s firewalls. They can utilize for example employees’ privately used devices.

Better safe than sorry

Investing in cyber security skill development should be applied on all levels. Naturally the stakeholders of our most critical infrastructures and their know-how play a key role. However, it is necessary to ensure enough resources for various officials and support co-operation between them. Also the parliament should understand the widely spread security issues.

When the topics are as severe as mentioned in this blog post, it does not hurt to get prepared for the worst. In the case of a serious cyber attack breaking through our protective layers, what would happen and what should we do? Pre-emptive planning is in the core. For example:

  • carrying out cyber security testing for industrial systems
  • investing in critical backup systems
  • identifying and preventing illegal spying and attacks
  • countermeasure training and management

The weakest link can cause all protective layers to tumble. That is why development and pre-emptive actions must take place on all fronts. In any weather conditions, better safe than sorry.

Download our free report on cyber security and learn how to protect your organisation and defend against security incidents.

Pasi Ahonen VTT

Pasi Ahonen
Principal Scientist

Calling all companies – how do you choose an information security service?

Cyber-crime is rampant; denial of service attacks and extortion malware are proliferating online. Is your protection in good shape, are your electronic devices protected?

Cyber security

Cyber ​​security weaknesses and the resulting problems are affecting both the digital environment and the real world. Trust in many current systems is weakening. Various kinds of attacks are commonplace online and, unless they are directly affected, individual users often find it difficult to understand the impacts of such attacks. Chains of indirect impacts are particularly difficult to grasp.

Information warfare seeks to have an impact at grassroots level (e.g. AI applications that support smartphone users) as well as on a larger scale, such as during elections. Information leaks are very often due to hidden vulnerabilities in systems, which are exploited by various hackers. Such information can be used in various ways, depending on the aims of the attacker: financial interests, espionage, whistle-blowing or engaging in smear campaigns. Systems are paralysed by denial of service attacks on a daily basis, and criminals use a range of malware to extort money from victims.

Anticipating our actions by combining data

Privacy has also been compromised, because both the private and public sectors have woken up to the potential of online interaction. The gathering and use of data are everyday activities in the modern world and enable a range of wonderful applications that make our everyday lives easier. The downside is that individual scraps of data can be combined to form a highly accurate picture of us and strongly anticipate our future actions. Such data could be used to manipulate us in terms of marketing or voting behaviour, for example.

Future development will propel us into a world where various appliances interact with each other and the internet. While this will increase business activity, which is the main idea behind it, it will also create many more opportunities for attackers. A foretaste of this has already been provided by large-scale denial of service attacks. These have exploited poorly protected online devices such as surveillance cameras, creating huge amounts of abusive traffic at the victim’s expense.

In addition, a range of extortion malware is targeted at individuals and businesses. Victims are often inclined to pay up, given the increasing value of data and its availability in critical environments such as hospitals.

What can we do?

Consumers should demand better security. Unfortunately, it is extremely difficult for consumers to obtain information on the security of devices and software. Problems are often only revealed in retrospect, when it is too late to have ‘buyer’s regret’.

Technology developers should become aware of the importance of information security. Devices and software should be designed, developed and tested with sufficient thoroughness from the information security perspective. Although complete security is unachievable, attackers should not be presented with easy targets. On the other hand, choosing just the right service and product for your own use can be difficult.

Many questions are raised by the adoption of information security and technology, and it is not always clear whether such questions meet with a more emotional or rational reaction. From the Finnish and European perspective, it is particularly interesting that under 10% of European organisations opt for a European service.

Together with our expert network and information security partners, we have decided to explore the criteria that businesses use when choosing security services and technologies. Participate in our survey which will be released in early April and give us your opinion – we will update the link to survey here. We will organise an informative but relaxed feedback session for respondents in the Helsinki metropolitan area, possibly on 8 June (the date will be confirmed when we launch the survey).

Update, 10 May 2017: you find the survey here.

Kimmo Halunen VTT

Kimmo Halunen, Senior Scientist
Twitter: @khalunen

Pekka Savolainen VTT

Pekka Savolainen, Principal Scientist

Is Finland a forerunner in cybersecurity competence?

Cybersecurity will inevitably gain in importance in the near future with increased digitalisation and the development of the Internet of Things (IoT). The security of electronic communications and networks will be of vital importance to the operation of societies. This is why it is important to know where Finland stands in terms of cybersecurity competence. Do we have a head start, or are we lagging behind – or perhaps becoming a global forerunner? Or were we formerly on the top of the game, but are now losing our position?

Finland’s cybersecurity strategy was published in January 2013, stating that “By 2016, Finland will be a global pioneer in cyber threat preparedness and in managing the disturbances caused by these threats.” According to the strategy, Finland’s strengths include strong expertise, a long tradition of close public-private cooperation as well as inter-sectoral collaboration.

However, public discussion of the topic paints a slightly contradictory picture. On the one hand, the view is that Finland truly is leading the way: Finland has done well in many international ICT comparisons in areas such as network health. For example, Finland gained a shared eighth position among 194 countries in the Global cybersecurity Index of 2014. However, there were 22 countries ahead of us, because many countries share positions in the index. The global success of a few Finnish companies has also promoted our profile in the sector, and our traditionally strong competence in ICT is also reflected in the security sector.

On the other hand, recent news has cast doubt on our competence, such as a leak of classified information from the Finnish Foreign Ministry and the denial of service attacks that hit banks at the turn of the year. It has been also suggested that it is only a matter of time before we see a significant cyber-attack on public infrastructure in Finland.

Cybersecurity has strong links to our national security in terms of emergency supply and our national security. But there are also important business considerations, because the sector is growing globally and, as with other countries, Finland would like to see it become an increasingly important business area.  The question of where we stand in terms of our cybersecurity competence is even more pressing in a global context. Many countries are putting significant resources into both cybersecurity and the preconditions of related business development. For example, the recently established Hague Security Delta in the Netherlands has become the largest security cluster in Europe and a significant cybersecurity cluster. Estonia has also emerged as a poster child for cybersecurity. It is very important to know where we stand in international comparison.

VTT’s and Cyberlab Ltd’s research project Cybersecurity competencies in Finland: Present state and roadmap for the future studies these questions. It is the first broad and comprehensive analysis of cybersecurity competencies in Finland. Special emphasis is placed on the state of cybersecurity-related research, development and innovation competencies in Finland as well as competence bottlenecks and shortages.

Research, development and innovation in the area is carried out by Finnish businesses, universities and polytechnics as well as research institutes. Considering the size of our population, Finland has a relatively large number of cybersecurity companies.

However, cybersecurity-related research only accounts for a small portion of our total research volume. In a small country, top expertise is also on a very thin ground. In terms of research, it is also important to remember that cybersecurity is a multi-disciplinary research area. Cybersecurity-related research takes place in many research fields, such as IT, mathematics, information systems science, cognitive science, management research and behavioural sciences. For the future development of the research field, what is important is its relation to the underlying basic sciences, i.e. how cybersecurity research is positioned in relation to them. It is also striking that the sector seemingly lacks a strategic vision on the development of its education and research. It is also very clear that very little genuinely multi-disciplinary research takes place in the area of cybersecurity in Finland.

To meet the objective of Finland’s cybersecurity strategy, we obviously need extensive cooperation in order to promote the sector. Cooperation is of special importance in research and innovation, and even more so in a small country where it is not possible to compete in terms of research volume and resources. Co-operation is required in particular between companies, universities and polytechnics and research institutes. On the other hand, considering our national security and emergency supply, it is also important that the public sector has good connections to research and business parties. A dialogue ensures that the research and education sector is aware of our national needs in terms of cybersecurity and also that our public sector stays up-to-date in terms of research views and current results.

In general terms, good cooperation between different sectors has been considered to be one of  Finland’s strengths. In recent years, cooperation between cybersecurity organisations has been promoted by e.g. Strategic Centres for Science, Technology and Innovation (SHOKs) and the Finnish Information Security Cluster (FISC) established by major Finnish information security companies. In terms of cooperation, we also benefit from the fact that, in a small country, the number of players is limited and people tend to know each other already. However, according to the survey conducted by the Cybersecurity competencies in Finland project, research organisations do not appear as particularly strong contributors to companies’ innovation efforts. Private-sector and public-sector customers are by far the most important group of collaborators for companies, while the role of universities, polytechnics and research institutes is significantly less important. One explanation for this may be that since most of the companies in the sector are service providers, cooperation with research organisations may be less relevant to them. On the other hand, it may also indicate that cooperation methods and culture are not yet well developed.

According to our findings, there is no systematic cybersecurity-related interaction between the public sector and research organisations. We should seriously consider whether it would be worthwhile establishing a forum to ensure communication and enforcing interaction between them.

It is important to note the significant role of public-sector customers in the innovation efforts of companies. As the purchaser of products and services, the public sector plays an important role in cybersecurity. This raises the following question: to what extent have public procurements been used to promote or support the development of and, in particular, innovations in cybersecurity? It could be stated further development of public procurement has a great potential impact on the development of cybersecurity.

Stronger cooperation and public procurement that support the future development of the sector would bring us a lot closer of meeting the objective of Finland’s cybersecurity strategy!

 

Antti Pelkonen

Senior Scientist