Erka Koivunen, Head of Unit, Computer Emergency Response Team, Finnish Communications Regulatory Authority (http://www.cert.fi)

What is it that makes Finnish networks so safe? A couple of things come to mind, and then one unavoidable conclusion.

First, the capability to detect needs to be complemented with the ability to take action. CERT-FI has tasked itself with concretely reaching out and finding factual technical information about malicious events taking place in Finland, out of Finland, or towards Finland. As it turns out, there is a plethora of community-driven projects gauging the level of malicious activity all over the internet: honeynets, darknets, log repositories, automated malware analysis tools, and others. What the majority of them have in common is that the findings just sit in databases, with nobody trying to get rid of the troublemakers. Most of the projects are just dying to send the reports out to someone who would take care of finding the compromised ICT systems and helping the victims. Our automated tool, CERT-FI Autoreporter, downloads these reports en masse, anonymises the sources, determines the responsible Finnish network admins, and proceeds to let them know about the breaches, so they can take action.
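The report-handling flow described above (collect, anonymise the source, find the responsible network, notify) can be sketched as follows. This is an added illustration, not CERT-FI Autoreporter code; the feed names, event fields, prefix table and contact addresses are all constructed assumptions using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-abuse-contact table (assumption, documentation ranges).
NETWORKS = {
    "192.0.2.0/24": "abuse@isp-a.example",
    "192.0.2.128/25": "abuse@hosting-b.example",
    "198.51.100.0/24": "abuse@isp-c.example",
}

# Constructed feed events, shaped as third-party projects might deliver them.
EVENTS = [
    {"feed": "honeynet-x", "reporter": "sensor17", "ip": "192.0.2.10",
     "ts": "2024-01-05T10:00:00Z", "type": "scan"},
    {"feed": "darknet-y", "reporter": "probe3", "ip": "192.0.2.200",
     "ts": "2024-01-05T10:05:00Z", "type": "bot"},
    {"feed": "sandbox-z", "reporter": "vm42", "ip": "192.0.2.200",
     "ts": "2024-01-05T11:00:00Z", "type": "malware-url"},
    {"feed": "honeynet-x", "reporter": "sensor17", "ip": "203.0.113.5",
     "ts": "2024-01-05T12:00:00Z", "type": "scan"},
]

def anonymise(event):
    """Drop fields that identify the data source; keep what the admin needs."""
    return {k: event[k] for k in ("ip", "ts", "type")}

def responsible_contact(ip, networks=NETWORKS):
    """Longest-prefix match of ip against the known networks, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [ipaddress.ip_network(p) for p in networks
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return networks[str(best)]

def build_reports(events, networks=NETWORKS):
    """Group anonymised, de-duplicated events per abuse contact."""
    reports, unrouted = defaultdict(list), []
    for ev in events:
        contact = responsible_contact(ev["ip"], networks)
        if contact is None:
            unrouted.append(ev["ip"])  # outside the constituency: not reported
            continue
        item = anonymise(ev)
        if item not in reports[contact]:
            reports[contact].append(item)
    return dict(reports), unrouted
```

Longest-prefix matching matters here because a hosting customer's delegated block sits inside the upstream ISP's range, and the report should reach the more specific party.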

Second, the lifetime of the malware infections and security breaches needs to be cut down. The general attitude among Finnish network admins is that it’s in their own and their customers’ interests to act quickly once the reports hit their desks. It saves helpdesk costs, cuts down the amount of malicious traffic, and helps increase customer confidence. As a result, the infected computers get treated fast or risk losing connectivity. Botnet controllers and malware distribution sites have proven to have a hard time staying online in Finnish networks.

Third, the positive regulative atmosphere regarding sensible information security…. There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security…. The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call “address hygiene” in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers’ ability to send spam or participate in denial-of-service attacks. There is also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers.

As a result of all this, the number of “malicious” events in Finnish networks hasn’t exceeded the growth of the connected users in the past couple of years. Needless to say, we need to be constantly vigilant and adapt our posture to the changes in the security landscape. This will require some excellent navigation skills in the future, we know.

Ah, the Unavoidable Conclusion I mentioned earlier. While we acknowledge that the Finnish networks appear to be clean, at the same time we understand that this doesn’t necessarily make Finland any better prepared for a possible cyber attack than anyone else. We are just less likely to cause headaches for everybody else. In this sense, the description of Earth in the [Douglas Adams] book The Hitchhiker’s Guide to the Galaxy fits Finland quite nicely as well: “Mostly Harmless.”