Sitra’s statement on Finland’s cybersecurity strategy

Sitra has responded to a request from the Ministry of Transport and Communications for a statement on the government resolution on Finland’s cybersecurity strategy. The resolution outlines Finland’s cybersecurity objectives for 2024–2035 to meet the requirements of the EU’s Cybersecurity Directive (NIS2).   

Finland’s cybersecurity strategy has been reformed in accordance with Petteri Orpo’s Government Programme to reflect the changed operating environment. The reform of the cybersecurity strategy has paid attention to the requirements of the NIS2 Directive for the national cybersecurity strategy, as well as other related key strategy and reporting drafting and other EU and NATO strategies and programmes.  

Sitra’s main comments  

Sitra pays special attention to the clarification of cybersecurity and cyber defence, preparing for the development of disruptive technologies and improving cooperation between authorities.  

• Sitra proposes that development proposals should mention the ensuring of cooperation between the central government, the private sector and other strategy drafting under preparation to clarify Finland’s position in cybersecurity and cyber defence.   

• Finland should prepare for the threats and opportunities presented by new disruptive technologies such as quantum computing, artificial intelligence, semiconductors, high-performance computing, 6G and the development of space technology.  

• Finland should invest in proactive cooperation as part of the development of cooperation between authorities. Finland should harmonise international cooperation by minimising the structural factors limiting strategic management and concentrating strategic coordination relevant to international cooperation in the National Cyber Security Office.  

• Finland should identify the communicator responsible for the available EU and international funding opportunities, as well as the party responsible for strengthening cyber capabilities and digital and artificial intelligence literacy.   

• Finland should enhance cyber defence competence as part of its comprehensive defence, also taking interdependencies between technologies into account.   

General comments on Finland’s draft cybersecurity strategy  

Sitra supports the development of Finland’s cybersecurity strategy but emphasises the clarification of roles, the strategic allocation of resources and the strengthening of international cooperation. In this way, Finland’s cybersecurity can be raised to a new level, and future challenges can be met effectively. The strategy should more clearly indicate and name the parties responsible for implementing the strategy and their duties.  

Sitra examined the draft strategy based on the objectives set in it and assessed whether the pillars and implementation recommendations for the sub-areas corresponded to the national targets set for the goal state of cybersecurity. The sub-areas or pillars outlined to promote the national cybersecurity goal state are worthy of support in themselves, but Sitra wishes to comment on the selected focus areas.   

Besides its additions to the content of the strategy, Sitra proposes that roles should be clarified, competence enhanced, the importance of critical technologies noted, and concrete actions taken to support the national and international cooperation model.   

Competence must be enhanced in various ways  

The enhancing of skills broadly at different levels of society is a worthy goal, which requires that interdependencies between different technologies must be identified. Finnish cybersecurity competence should be ensured not only through education, training and teaching but also at all levels of society and the labour market, especially among influencers and decision-makers.   

To support policymakers, a comprehensive understanding of international cooperation and EU information and technology policy needs to be strengthened, as cybersecurity is part of this. An innovative cybersecurity ecosystem and the promotion of business competitiveness through the use of disruptive technologies require decision-maker-level insight and leadership in critical technologies and EU information and technology policy.   

Despite its high level of expertise, Finland faces the challenge of a low level of commercialisation in critical technologies. Finland needs a strategy to support the cyber ecosystem and to realise the opportunities of the cybersecurity industry. To promote this goal, it should introduce a national defence course in technology focused on information and technology policy to familiarise societal decision-makers with strategic issues relevant to critical technologies and the EU’s information and technology policy. Finland should also identify the means by which it can secure its position in the intensified competition in the field of information and technology policy.   

International and EU funding opportunities must be communicated to businesses  

In addition to concrete actions, the competitiveness of businesses must be ensured through sufficient communication so that they can benefit from the international cooperation and funding opportunities offered by the EU and NATO. With regard to the use of international funding opportunities, Sitra welcomes that the strategy takes note of the fact that participation also benefits Finland and Finnish actors because it makes them better known.   

For example, the NATO Innovation Fund (NIF) is an actor separate from NATO and NATO’s DIANA Accelerator Programme. However, the NATO DIANA Accelerator Programme and participation in it also offer visibility in terms of the NIF. 

The NIF, in turn, identifies itself as a deep technology fund rather than a defence industry fund, investing in high-level science and technology growth companies with the potential to strengthen defence, security and resilience. The scope of the NIF can be considered broad and consistent with Finland’s overall security thinking. NIF investments are designed to promote collective safety and well-being and may target energy, materials science, artificial intelligence and data, computing power, autonomy, quantum computing, biotechnology or space.   

Critical technologies need to be taken into account more comprehensively   

Sitra notes that the draft cybersecurity strategy does not mention the strengthening of economic security, i.e. societal reliability and competitiveness, alongside societal resilience. Economic security should be added to the strategy as one of the objectives to be promoted by strategically investing in disruptive technologies that are also key for cybersecurity, such as artificial intelligence, quantum and high-performance computing, new generations of mobile networks (5G and 6G), semiconductors and biotechnology.   

To ensure cybersecurity and harnessing the potential of disruptive technologies, it is very important that the strategy takes more comprehensive account of critical technologies. The draft strategy lists only artificial intelligence, quantum technology and new generations of mobile networks, and this list is inadequate.   

Sitra proposes that the focus areas to be added to Finland’s cybersecurity strategy include interdependencies, a pilot of a national defence course in technology, economic security and cognitive influence.   

In terms of the cybersecurity ecosystem, it is important to note other national strategies under preparation, such as the industrial policy strategy, the quantum technology strategy and the semiconductor strategy. It is crucial to ensure collaboration between the drafting of these strategies to achieve the cybersecurity objectives.  

Sitra supports the strengthening of competence broadly at different levels of society, especially among decision-makers. Decision-makers should be provided with comprehensive knowledge of EU and international information and technology policies.   

Finland needs a strategy to support the cybersecurity ecosystem so that it can make use of the opportunities of the cybersecurity industry and compete for international talent. In this context, a national defence course focusing on information and technology policy for decision-makers would be important.  

To promote cyber hygiene and improve citizens’ cybersecurity skills, digital information literacy and AI literacy must be enhanced. This means addressing the threats posed by AI-generated disinformation, as well as strengthening cognitive influence recognition skills.  

Economic security should be included as a national objective in the cybersecurity strategy. This requires strategic support for key disruptive technologies such as artificial intelligence, quantum technology, 5G/6G networks, semiconductors and biotechnology. Ensuring competence is important both for preparedness and for the growth of Finnish cybersecurity companies.  

Strategic approach to international activities as part of proactive cooperation  

Sitra also emphasises the importance of the strategic international cooperation. The funding and cooperation opportunities offered by the EU and NATO must be fully seized. Adequate resource allocation and support for decision-makers’ expertise are key factors for the success of the cybersecurity strategy. At the same time, the competences and roles of different actors must be taken into account to effectively achieve the objectives of national and international cooperation.  

Sitra’s more detailed views on strengthening the EU’s technology capability and the future direction of the European data strategy are summarised in the Sitra working paper published in January 2024.  

Sitra issued its statement on Finland’s cybersecurity strategy on 8 August 2024.