Network surveillance will not improve information security

Ministry of Transport and Communications
Publication date 6.8.2014 16.01
News item
Krista Kiuru, Minister of Education and Communications of Finland (Photo: Finnish Government)
Krista Kiuru, Minister of Education and Communications of Finland (Photo: Finnish Government)

Finland will lose an important competitive asset if steps are taken to deliberately weaken our tight data protection.In the beginning of July the Finnish Ministry for Foreign Affairs and the Finnish Security Intelligence Service revealed more information about cyber espionage targeted at the Foreign Ministry. After this there has been a public debate about how to better protect against such cyber attacks in Finland.

Unfortunately the debate has again been marked by the security authorities' ambition for extensive network surveillance. The Ministry for Foreign Affairs aims to improve information security, and this only marginally links with the surveillance needs of the police and the Defence Forces.

Finland wants to be the leader in cyber security and digital economy. We want Finland's reputation to attract international investors now and in future. This competitive edge could easily be lost, if the current high standard in protection of privacy and confidential communications was deliberately lowered.

Cyber espionage targeted at the Foreign Ministry taught us that much more attention needs to be paid to information security. However, the power of Internet lies in its decentralised nature, which is also the most efficient way to develop information security.

The ability of both public and private organisations to keep their messages secret and detect possible irregularities in electronic communications must be improved. By means of more efficient information security the Foreign Ministry has already been able to deflect new cyber attacks.

Our current legislation provides every company and organisation with an opportunity to efficiently analyse outgoing network traffic and carry out other measures necessary to safeguard information security. So the problem in information security does not lie in legislation but in companies' and organisations' failure to make adequate use of the opportunities provided by law.

Finding a competent authority does not pose any difficulties either. The National Cyber Security Centre has been in operation under the Finnish Communications Regulatory Authority since the beginning of this year. Its responsibilities include preventing, detecting and solving information security breaches and informing of significant threats.

The Cyber Security Centre and the National Emergency Supply Agency have created a detection and warning system of information security breaches to protect companies and government authorities that are critical in terms of national security of supply.

It is exactly the development of the detection and warning system that should play an important role in efforts to better protect ourselves against cyber attacks and other information security threats.

Network surveillance provides information, not information security. It seems that the development of the security authorities' surveillance mandate is more about acquiring new information by means of mass intelligence gathering than about information security or cyber security.

The Finnish Defence Forces say that they are only interested in information outside Finland, not in surveillance of Finnish Internet users. This is where network surveillance is of no help because its opportunities are limited to the Finnish borders. The Internet as a phenomenon is global but the data needs to travel through cables located inside Finnish borders if Finnish authorities were to have any control over it.

Furthermore, network surveillance is inefficient. After the revelations by Edward Snowden encryption of communications has significantly increased. It can be made so strong that no authorities in any country have enough resources to undo it.

When all major operators, such as states and large companies efficiently encrypt their communications, network surveillance could only cover communications between private people and small and medium-sized enterprises. And this is exactly the type of communications that security authorities say is of no interest to them. So I cannot but wonder to which purpose surveillance would actually be needed.

Cyber security will not be improved by introducing inefficient and outdated solutions. Finland's expertise and potential in the information security sector must not be wasted for the purpose of imitating others. Instead, we must firmly hold to those assets that our reputation as the model country of data protection has made possible.

Krista Kiuru
Minister of Education and Communications of Finland