Cyber security capability and the case of Finland

Many countries are building their national cyber security capabilities. They are defining what they mean by cyber security in their national strategy documents. The common theme from all of these varying definitions, however, is that cyber security is fundamental to both protecting government secrets and enabling national defense, in addition to protecting the critical infrastructure that permeate and drive the 21st century global economy. The development of cyber security capabilities is a complex matter. Whether at the nation state level, or in an enterprise, various factors need to be taken into consideration. A layered approach can provide more comprehensive coverage than single, disparate solutions. The measurements of security postures and progress over time are important elements to strengthening policies, evaluating risks and anticipating future scenarios. Different cybersecurity indices have been published in the past few years, yet not all measure the same capabilities. According to International Telecommunication Union (ITU) Cyber security is not an end unto itself; cyber security must be understood as a means to an end. The goal should be to build confidence and trust that critical information infrastructure would work reliably and continue to support national interests even when under attack. Therefore the focus of national cyber security strategies should be on the threats most likely to disrupt vital functions of society. Digitalization and information societies are ever evolving and new cyber threats continue to be devised. In this progress, cyber security must form an integral and indivisible part of the nation's security process. Countries need to be aware of their current capability level in cyber security and at the same time identify areas where cybersecurity needs to be enhanced. It can be said that cyber security is a constant "arms race" between countries, but also between the security community and the hostile hackers. Today's high-profile cybersecurity incidents have underlined the crucial importance of strengthening cyber resilience in general, as well as the protection of critical infrastructure from cyber threats in all countries. In order to achieve these goals, public and private stakeholders need to be equipped with the capacity to effectively prevent, mitigate and respond to cyber-attacks and incidents. Resilience stands for the continuation of operations even when society faces a severe disturbance in its security environment, the capability to recover quickly from the shock, and the ability to either remount the temporarily halted functions or re-engineer them. How should one measure the maturity of national cyber security? Agreed international standards which can measure the level of national cyber capability, are not available. While nations are developing the cyber capabilities to operate in the cyber realm, measuring national cyber capabilities remains problematic. However, several different organizations have made their own analyses of the national cyber security capabilities, but especially measuring military cyber capabilities is challenging because of information classification. Countries prefer to be secretive about their military cyber capabilities. Another challenge in measuring national cyber capabilities relates to the ubiquity and dual-use nature of computing and cyber tools, the stealth and immediacy of cyber operations and uncertainty over the responsibilities of civilian and military organizations (International Institute for Strategic Studies 2014). In this paper we use DOTMLPF-II as a research framework. We analyze the cyber security capability using the DOTMLPF-II components: Doctrine, Organization, Training, Materiel, Leadership, Personnel, Facilities, Interoperability and Information. DOTMLPF-II analysis is the first step in building the national cyber security capability building. It determines necessary recommendations which are required to fill a capability gap identified in the analysis. As empirical material we use the reports and studies of European Union, BSA Software Alliance, Global Cybersecurity Index of the International Telecommunication Union and ABI Research, and Microsoft Intelligence report. On the basis of DOTMLPF-II cyber security capability modelling we analyze the national cyber security capability in Finland based on the reports mentioned above.