Mika Kerttunen, Adjunct Professor Military Strategy, Finnish National Defence University
Intrusions into a Finnish mental health service provider’s patient database and the Finnish parliament have been condemned by the Speaker of the Parliament and the President of Finland as cyberattacks threatening national security.
Repelling and reducing peacetime cyberattacks requires national resilience and preparation but also international coordination and cooperation. Cosi fan tutte makes the question of cyber espionage particularly problematic.
The romantic view of espionage as harmless activity of some secret agents should be abandoned. The purpose of political espionage (intelligence) is to support political and operative decision-making. The very act of, for example, illegal penetration in information and communication systems, does not necessarily cause destructive effects. However, where espionage is intended to support political and operational decision-making against the target, going against the will and interest of the target state is hostile.
The difference between network based (cyber) espionage and effect-creating operations is a line drawn in sand. After one has penetrated the information systems and gathered data and information, it is easy and tempting to plant destructive malware in these target environments.
Espionage erodes friendly relations and trust between states.
The European Union’s patent solution for international cyber stability consists of sanctions, deterrence and the development of own cyber capabilities. A recent cyber diplomacy non-paper by Estonia, France, Germany, Poland, Portugal and Slovenia comprehensively emphasizes human rights, voluntary non-binding rules of responsible state behaviour in cyberspace and cyber capacity-building. These emphasis points are sent from the muddy trenches of the Western front.
On the other side, Russia and China promote absolute view of state sovereignty and the use of information technology for internal security and the control of the people’s on-line and off-line behaviour.
Yet neither of the camps is willing to restrict network exploitation (cyber espionage).
International community has vividly and for relatively long time debated the parameters of cyberoperations, countermeasures and responses and the right of self-defence. In this discussion, quite surprisingly, no one seems to be interested in the peacetime protection of civilians and the civil society.
Finland should consider promoting and furthering international law and peaceful relations to rein in cyber espionage.
The question is not of prohibiting espionage or defence. We need to decisively draw a line between the tolerable and intolerable state behaviour in cyberspace. We can demand political (public) control of intelligence activities, we can order restrictions to intelligence targets and, based on the exposed incidents, we can start sketching more binding political and normative measures to curb computer network exploitation.
It is in Finland’s power to invite discussion and global diplomacy to pursue shared understanding of the adverse effects of unrestricted cyber espionage. This kind of policy and diplomacy is being desired.
Cynics are quick to remind of the impotence of international law when faced with ‘legitimate’ superpower security interests. Yet, sanctions only increase international contestation and deterrence, and gratefully, do not have a solid foundation in broader European policy and posture. Naïve would be to think that such harsh methods are to improve the world and build shared understanding.
The international and public opinion even slowly turning to restrict peacetime cyber espionage will make it harder, even for the superpowers, to step across the expectations of orderly, peaceful and friendly international relations.
[Originally published in Finnish by Helsingin Sanomat 10 January 2021, available at https://www.hs.fi/mielipide/art-2000007729780.html]