As businesses and consumers move online and the number of connected devices grows, so do the opportunities for cyber crime. This has not gone unnoticed in the Nordic countries.
Cyber security is now a central part of political decision-making and strategy in Finland, Sweden, Norway and Denmark, according to Jarno Limnéll, professor of cyber security at Finland’s Aalto University and vice-president of Insta Group.
“Cyber attacks in all the Nordic countries have grown both in number and sophistication,” he said.
According to security company FireEye, cyber threats are increasing across the Nordic region, with the highest share of advanced persistent threats (APTs) and malware alerts observed in Norway (47%), followed by Denmark (36%), Sweden (14%) and Finland (3%).
FireEye put the large variations down to differences in each nation’s core businesses, such as Norway’s large oil and energy sector. Notably, this industry was exposed to a major attack in 2014 when 50 oil companies were hacked and 250 others warned of the threat. The perpetrators used malware which installed when opening an email attachment to access company data.
But FireEye emphasised that all Nordic countries have been exposed to severe threats. The company also noted a rise in opportunistic cyber attacks in the Nordics, which are financially motivated and use sophisticated tools previously associated only with advanced attacks.
Who to trust?
FireEye also highlighted the increase in state-sponsored threat actors and cyber criminals targeting Nordic governments and industries. The aims of these attacks vary from accessing state secrets and gaining political influence to stealing intellectual property.
It is a trend also recognised by Insta Group’s Limnéll. “From a threat perspective, especially governmental cyber espionage, the Nordics have become an increasingly attractive target,” he said.
“It is military espionage, but first of all it’s targeted at the political decision-making system and the Nordic innovation industry, such as technology, healthcare, etc. Cyber espionage is the biggest challenge facing today’s innovative Nordic societies.”
There is a significant recent example. In 2014, the Finnish Ministry of Foreign Affairs admitted it had been exposed to cyber espionage, not once, but twice, and potentially for years.
The perpetrators – who still remain unidentified, with foreign state actors suspected – targeted the ministry’s internal communications network and were able to access what the ministry calls lower-level information. Both breaches used spyware software to send information from the ministry’s network to foreign servers.
While estimates exist, it is hard to find exact numbers on the extent of cyber attacks in Nordic countries since many cases are kept behind closed doors. Not many companies want to openly admit they have experienced a security breach – and they are rarely required to do so.
More worryingly, many attacks still go unnoticed. In a recent study, KPMG inspected the network traffic of 10 large Finnish companies for undetected threats and revealed almost half of the companies had already been breached.
Furthermore, in half the companies, user devices had been exposed to malware traffic, despite having traditional security controls in place. Although the study group was small, it does draw attention to the fact that companies are not always aware they are being exposed to malicious activity.
“The third level [of cyber attacks] is the one we just don’t know about,” said Limnéll. “When we talk about cyber espionage, the most effective spyware could be on my phone or your phone at any moment, but we wouldn’t know about it.”
Without precise numbers for cyber attacks, it is hard to calculate their effect. However, a report by McAfee and the Center for Strategic and International Studies estimated the annual cost of cyber crime to the global economy to be around $400bn already.
Norway is the only Nordic country highlighted in the report, which estimated the cost of cyber crime to be 0.64% of the country’s GDP. This puts Norway on par with the US and significantly higher than the UK (0.16%) and the EU as a whole (0.41%).
Increasing cyber awareness
While many cyber attacks go unnoticed, others are more public than ever before. Edward Snowden’s revelations, the Heartbleed vulnerability and recently the Ashley Madison hack have attracted media attention globally.
Companies are not always aware they are being exposed to malicious activity
While the level of cyber security protection still varies greatly by company, Limnéll believes Nordic companies are increasingly prepared. They have also taken note from their US counterparts and started to include security-specific roles on their executive board.
“What is also clearly increasing is understanding the need for training,” said Limnéll. “The saying goes in this industry, ‘professionals don’t attack technology, but people’ because it is so much easier. Digital and information security skills will be basic skills in business life.”
This attitude is echoed in a recent survey of around 700 Finnish companies, carried out by the Helsinki Region Chamber of Commerce, which revealed 34% all companies and 53% of large companies consider internal threats the biggest risk to cyber security.
This is a justifiable concern. In 2013, Norwegian telecommunications provider Telenor was hit by a large cyber espionage campaign where the attackers used phishing emails which seemingly came from trusted sources. The hackers were able to trick unnamed executives into downloading malware designed to steal log-in credentials, emails and personal and commercial data.
More recently, in August 2015, Finnish international crane manufacturer Konecranes admitted identity theft was part of a scam which tricked a subsidiary to make unwarranted payments of up to €17.2m.
Government to the rescue
The potential of cyber attacks to cause chaos throughout society has also raised the attention of governments. All Nordic countries have either completed or are working on a national cyber security strategy and, in recent years, they have increased the number of departments, research institutes and police units dedicated to cyber security.
“The public-private partnership works a lot better in Finland and the other Nordic countries than in the US and, from what I have understood, in the UK as well,” said Jari Pirhonen, a board member of the international Information Security Forum and security director at Samlink.
“[This is because] Finland is small and everybody knows everybody in the information security circles. It is easy for government officials and representatives of private companies to sit around the same table and discuss these issues.”
Furthermore, co-operation doesn’t stop on a national level. In late 2014, Denmark, Finland, Norway and Sweden approved the development of common cyber defence strategies and extended their approach to include industrial infrastructure as well as military systems. The collaboration covers information sharing and enhanced security procedures.
“The Nordics increasingly share [cyber security] problems and challenges with each other and what has been detected, so others can learn from it,” said Limnéll. “As it’s increasingly challenging to know what is happening on digital networks, the more we have governments sharing the situational picture, the more it increases safety for everybody.”