Cyberattacks continue to rise, and more attention, albeit not enough, is being given to the threats posed by cyberattackers. The United States is vulnerable in many ways, including the energy grid, which comprises 160,000 miles of high-voltage lines, millions of miles of distribution lines and thousands of generators and transformers. Experts say it would be difficult to harden such a structure against a deliberate attack and that power could be lost for weeks or even months, causing regional chaos for which we aren’t prepared. We interviewed Jarno Limnell, cybersecurity director for Stonesoft Corp., about the threats facing the U.S. and the world and what can be done about them.
Limnell’s background and education in Helsinki, Finland, including working as a lecturer of strategy at the Department of Strategic and Defence Studies at National Defence University, cement his resumé as a spokesperson on cybersecurity issues.
Question: Why has cybersecurity not been given more attention?
Answer: That is an excellent question because I have been traveling quite a lot around Europe and having very interesting discussions on these issues with security experts, the media and governments.
During many of those discussions, we have been together thinking about why cybersecurity was not a strong theme in your elections. And one European point of view is that, in many ways, European countries are actually following very carefully your cybersecurity policy and what you have already done and are using your solutions in cyberpolicy as a guide for their own policies.
Where do the main cyberthreats come from?
It is not always about the capabilities. There has to be intention to use those capabilities, and I think the same logic goes to the cyberdomain as it goes for the physical world and thinking about who has the main intentions to harm your society.
At this moment I would say that the threat comes from Iran and possible terrorist groups. But at the same [time], I have to say when we are so concentrated on cyberwar problems, I would announce strongly that thinking about the security of the U.S., the main threats in the cyberdomain are cybercrime and cyberespionage, especially espionage against your country. That is very evident and something China is doing very strongly at this moment. All the nations are dealing with the same issue against each other, but I think China is the main source concerning cyberespionage. When talking about cybercrime, Russia is the main opponent at this point.
What about an attack on the infrastructure of the U.S. power grid?
I don’t want to cause too much fear or put too much emphasis on this threat, but I have to be honest, especially referring to my research background. If I would like to harm your nation, I would not use any physical power. I would use cyberweapons against your critical infrastructure, affecting your power grids, for example, and transportation systems. The U.S. has become much more dependent on the functionality of the digital world, which I call cyberdomain and cybersecurity. Everything in the physical world nowadays is controlled digitally.
If I wanted to harm your society, I would take your electricity and water away for a while. And I think from a military point of view, this raises a new question because usually when we are talking about war, it is between armies fighting in the air and on the sea and so on. But when I think about cybersecurity and the possible targets, they are not military, they are against critical infrastructure because you are so dependent on it.
Because of this, it is very important to raise the concept of resilience. When I think of my own country’s security from a comprehensive point of view, the main thing that Finland has as a strength is the resilience of the whole society, meaning whatever the threat is and however badly Finnish society would be harmed, damaged or even paralyzed, we have other options to work and continue to function and plans and the capabilities to re-establish our systems.
You have to have resilience, meaning whatever happens, you’re not paralyzed. You [must] have other systems to continue, so whatever happens you can continue functioning. You have to show the attacker that, if you are attacking us, we don’t paralyze, we have the resilience. And secondly, we will find you, wherever you are attacking from.
And you must have offensive cybercapabilities. This is a very sensitive issue. For example, in France, there is no discussion at all on this and the same goes for Finland. You must give others the feeling that you have the offensive cyberabilities, and if you are attacked, when you locate your enemy, you are ready to use your offensive capabilities.
How do you develop that resilience?
That is something we are thinking about a lot these days. When I think about the future of security, especially defense, we have so many different threats you can’t be prepared against them all. The main starting point is to build and strengthen your resilience.
That starts mentally — thinking that whatever happens you don’t paralyze. Many times I have used this as an example: We had a very bad storm last winter and my house almost ran out of water and electricity for three days. So there were no lights, no heating, no water to use in the whole area. We were not able to get money from the banks for gas, and we couldn’t go to the store because it was closed. People panicked.
They didn’t have fireplaces in their homes; they were 100 percent reliant on electricity for heat, and when the electricity went off it got cold. But many of my neighbors moved on the second day to other cities in order to have electricity. I think this is a good example of resilience, that whatever happens, you have to be prepared for different situations and you must have the options to build your resilience.