Working for the central government: Information Security Now - anything but dull pencil-pushing!

Published 2017-08-22 at 14:23

Working for the central government is an article series that introduces readers to interesting central government jobs and employees. Central government employers can submit articles to the Valtiolle.fi editorial staff at valtiorekrytoint(at)valtiokonttori.fi. The articles will be published on the Valtiolle.fi website and distributed on Valtiolle.fi social media channels.

Kauto Huopio, Chief Specialist at the Finnish Communications Regulatory Authority, knows from experience that preconceived ideas about working as a public official are groundless. His work has kept him extremely busy for over 15 years now. In this article, Huopio from the National Cyber Security Centre Finland talks about times past but also looks into the future.

A public official's career in the Finnish Communications Regulatory Authority may sound like the worst nightmare to many people out there with nerdy tendencies. CERT activities and the various phenomena of the cyber world have kept Kauto Huopio, Chief Specialist at the National Cyber Security Centre Finland, on the move. Work is anything but dull for this cybersecurity professional, who has had little time for pencil-pushing. He never knows what his working day will bring.

Beginning

Some fifteen years ago, an ex-colleague gave me a tip. The Finnish Communications Regulatory Authority was launching its CERT activities and looking for a person knowledgeable about the Internet for the team. This area had caught my interest. At the time, I was working in KPNQwest’s network operator team, where I had been dealing with security and information security questions.

The tragic events of 9/11 in New York in 2001 were the final push that sent me to a career as a public official in CERT-FI. As the Twin Towers and the nearby buildings were hit by terrorists, few people understood how significant they were for the functioning of telecommunications. The greatest part of the US telecommunications capacity underneath the Atlantic was located in south Manhattan.

After the attacks, new “emergency routing” for the Internet was required, and at that time, friends and competitors were all the same. Thanks to brisk collaboration between international operators, the situation was managed relatively well, but I can never forget these events. The Internet, if anything, represents critical infrastructure, and I wanted to be part of protecting it.

Do we have contacts in Argentina?

From the start, it was clear that CERT-FI would have to participate at full steam in close international cooperation. The command and control server of a botnet used for denial-of-service attacks on the Internet could be located in Salo as well as São Paulo.

Networking was a lifeline for the CERT actor in a small country. Networking meant – and still means – plenty of travel, meetings and conferences, and a big stack of business cards.

Finland has a great reputation in the information security circles: we look after our own networks and respond to support requests from our colleagues quickly. Investments in cooperation relationships produce a high yield in situations where we need urgent help from our global colleagues.

There are few countries with whose national CERT actors we would not have a functional relationship. In recent years, the cooperation has been closer than ever, especially in the context of monitoring and investigating serious information security threats.

No two days are alike

My own job description includes taking my turn as a situational awareness coordinator. Over the years, it has not been unusual for my working day to divert to a course that I had not expected in the morning. In particular, warnings of serious information security threats get us going immediately. The warnings are published as team work. The team members range from information security experts to communication professionals.

What makes me particularly happy are situations where an organisation subjected to an information security violation has contacted us and we have been able to help. In these cases, the organisation’s management has taken a major step, put their hands up and acknowledged that they need help, or have information that could benefit others. This is a big leap, especially the first time round.

All types of organisations can become victims of information security violations. Contacting the National Cyber Security Centre Finland at the Communications Regulatory Authority and getting to the heart of the matter is so worth it. At the same time, you can assist information security authorities monitoring the situation in identifying new threats.

Great changes

When I joined the organisation, 3G networks, smartphones and mobile use of internet services were nothing but visions of the future in engineers’ dreams. The entire current social media has been born in the last ten years. Internet traffic is still growing strongly, especially in the field of video services. Even with my rather vivid imagination, I could not have predicted in 2002 that 15 years later, I would be watching the soccer world championships in HD at my summer house in the middle of Lake Saimaa, using a wireless 4G connection.

Society has started networking at an incredible pace. New services have taken over from old, “manual” methods. The operation of so many organisations almost entirely depends on a well-functioning power supply and network connections. Their preparedness for disruptions, to say nothing about emergencies, is often frighteningly superficial. We are accustomed to, and have perhaps been lulled into believing, that electricity and telecommunications will always be there and work well. But how many organisations that depend on well-functioning Internet, for example, have provided for appropriate backup connections?

Healthy suspicion and checking your facts go a long way

The speed of communication is still accelerating, and this means continuous competition for news. We also see this at the National Cyber Security Centre, where the on-call operators are contacted by the media a number of times a week. In particular, I have learned to appreciate journalists who wish to check the facts of their breaking news, even when in a rush. Every now and then I have been forced to nip in the bud a spectacular-sounding scoop. Sorry about that!

In the midst of the flood of new technologies, Finnish Internet users seem to have kept relatively cool heads. Even when surfing the net on their smartphones, they have remembered the basics of information security. They know how to keep their devices up to speed with software updates. You should also not click on all advertising links that you get in your mailbox. Healthy suspicion is a good starting point for many aspects of the Internet.

Finnish networks’ information security status has ranked very highly in many international comparisons. This does not mean that we could drop our guard – not for a second. Even if we keep watching our backs, the rest of the world is ready to attack our networks round the clock.

Concerns over the future of Internet of Things

The Internet of Things (IoT), or connecting devices to the web, is taking its first steps. The information security standards and recommendations for IoT devices are only taking shape.

The situation gives cause for concern, as clear shortcomings can be found in the basic information security of devices already in the market, or currently being released. The software updates of webcams, for example, are often more complicated than in smartphones that look after their own updates. The large number of the devices makes them attractive and potential tools for denial-of-service attacks, for instance.

In the future, we may encounter some tough challenges in such areas as home automation systems and the first generations of connected cars. However, I can see a faint light at the end of the tunnel. I hope that policy-makers have the courage to get cracking, at least in Europe.

What can we expect in the next 15 years?

I would pay particular attention to protecting online solutions related to energy, water supply and different means of transport among other things, as I believe that we will see the first large-scale cyber accident or attack somewhere in the world. Unfortunately so. It is also likely that cyber operations will be part of warfare, as information war has already become part of government actors’ toolkit, also in times of peace.

In addition to all the doom and gloom, I also see bright sides in the development. I believe that as encryption technologies advance, for example, protecting your privacy will be possible through solutions that will also be available for ordinary citizens. I also believe that the Internet of Things will improve its track record considerably after a few years’ fumbling.

In any case: information security is an extremely interesting field that offers plenty of scope for development and investigation. If you are selecting a field of study, you really can’t go wrong with information security.

Why not join us!

The author is Kauto Huopio, Chief Expert of the National Cyber Security Centre in the Finnish Communications Regulatory Authority.

(The article was published on the Finnish Communications Regulatory Authority's website in February 2017 as part of the Information Security Now theme, in which experienced experts recalled their careers to celebrate Finland’s centenary.)