Putting up walls around Finland's cyberspace
There are different reactions to the revelations of US whistleblower Edward Snowden. Some warn about the erosion of fundamental rights, some file complaints against their own governments or third countries for violations of the law. Yet there are also those that call for better cyber security and pepped up national counterintelligence. A working group led by the Finnish Defense Ministry is currently pondering about how to answer to cyber threats in Finland.
Civil society groups, the industry and technical experts are alarmed and concerned about a potential case of what the chair of the Internet Engineering Task Force, Jari Arkko has described as ‘NSA envy’. At the Finnish Ministry of Transport and Communications, some of the industry’s and civil society’s concerns are shared.
Considering the worldwide discussion on the legitimacy of extensive surveillance powers, it was “surprising even that in Finland we have started to discuss whether we would need more powers for surveillance,” Kirsi Miettinnen, Head of the Internet Services Unit at the Ministry of Transport and Communications wrote in answering questions of Internet Policy Review.
Tight-lipped answers by the Defense Ministry
In a rare instance of unanimity the Electronic Frontier Foundation Finland and the Confederation of Finnish Industries in mid-March 2014 both rang the alarm bells on plans by their intelligence services and the defense authorities. Following the March 2014 publication of an implementation plan for the 2013 pre-Snowden Cyber Security Strategy of the country, a ministerial group under the roof of the Ministry of Defense is discussing additions to existing Finnish legislation for security and intelligence.
“There exists no draft legislation at this point,” Max Arhippainen, Director of Communications at the Ministry, informed us, promising additional information “in due time”. The head of the working group did not get back with answers. The group so far had been “concentrating on evaluating the possible need for legislation,” Arhippainen only explained.
The Finnish Security Intelligence Services (Suojelupoliisi or Supo) who participate in the talks on the other hand in an actual information brochure matter-of-factly stated: “Creating both opportunities for and challenges to counterespionage, the rapid development of technology and communication increases the need for legislative development.” Moreover combating “illegal intelligence” is juxtaposed beside combating terrorism as one key duty of the agency.
“Supo is tasked with preventing undertakings and offences by the intelligence organisation of foreign countries aimed at endangering Finnish governmental or social order or the internal or external security of the State,” the task list continues.
Civil rights groups, industry concerned by an apparent push for the re-nationalisation of cyberspace
Given the closed door deliberations at the ministry, the EU civil rights platform European Digital Rights (EDRi) expressed concerns about the legislative plans that in their opinion could give the Security Intelligence Service, National Bureau of Investigation, Communications Regulatory Authority and Defence Forces “a mandate for a wide surveillance of online communications, including in situations where criminal activity is not suspected.”
The Confederation of Finnish Industries, Greenpeace and a politician of the Green Party in Finland all were quoted to have come out critical against the plans. Kristo Helasvuo, Board member of Electronic Frontier Finland, said: “We can expect to see draft legislation around June and possible decisions in parliament by the end of the year.”
Helasvuo who said it was difficult to follow the process due to the closed-door-policy, pointed out: “My main concern is that we will see a very nationalistic approach to cyber security.” Helasvuo would favour raising cyber security issues to the EU level instead of bolstering national intelligence services and police to break security in a race for competencies with foreign services.
Ministry for Communications warns against losing competitive advantage
The deadline for the work of the joint ministerial working group is 30 June, Kirsi Miettinnen, Head of the Internet Services Unit at the Ministry of Transport and Communications confirmed in a statement to the Internet Policy Review. “This is very challenging, since the topic is exceptionally difficult and has consequences on the whole society,” the official added.
The Ministry of Transport and Communications is another Ministry participating in the closed door working group while requesting more openness in the process. “Our Ministry has a tradition for very open ways to prepare legislation in close cooperation with all the stakeholders and that is what we have demanded from the very beginning. There is still a long way to go, even though there has been some positive developments,” Mietinnen said.
Miettinnen acknowledged the substantive concerns by industry and civil society and pointed to the competitive advantage for the Finnish IT industry: “We very much share those concerns. We find that Finland has a competitive advantage in the post-Snowden world as we do not have legislation that would give powers for mass surveillance to the authorities. This is something we can't afford to lose.”
Organisations also had very good powers to act currently in cases of breaches or threats to information security, Mietinnen wrote. “We most certainly need more skills for each and every organisation - let them be enterprises or public sector organisations - to encrypt their communications and to detect information security threats and breaches. This is certainly very far from developing centralised powers for mass surveillance for one or some intelligence authorities.”
Demands for cyber-security extensions at EU level get more vocal
The call for raising attention and investment in EU cyber security has also gotten a little more vocal. A short summary of the EU's cyber strategy of the Parliamentary Research Service notes that the EU strategy would also be “influenced by the outcome of the European Parliament’s inquiry into the revelations in the wake of the Edward Snowden affair”.
According to the inquiry report, “the EU’s cyber strategy should be extended to cover malicious state behaviour and to strengthen IT security and resilience of IT systems”. Europol's mandate for example should be enhanced, the report asks. ENISA, the European Union Agency for Network and Information Security and, the European standardisation bodies should develop “minimum security and privacy standards and guidelines in order to better protect EU citizens’ personal data and the integrity” by December this year.
There had been calls by several members of the European People's Party in Parliament to add EU counter espionage capacity. But these attempts to catch-up with US, British and other EU national services had not been accepted by the majority.
Certainly for the intelligence community of a smaller member country like Finland there is much to long for, given the considerable funding and staffing of the NSA alone. Supo in its 2013 annual report points to a large raise in counterterrorism funding of 1.6 million Euro, which added up to a 17.7 million 2013 budget. This translated into 16 additional staff members to boost the roster to 220 people. Comparing this to the over 40.000 people and 10.8 billion US Dollar budget of the NSA alone (no black budgets included), can one get envious?