Finland’s National Coalition-led right-wing government is planning to accelerate the pace of artificial intelligence (AI) security-based innovations that are aimed to strengthen the country’s defences against the rising occurrence of cyber attacks directed at state and private organisations.
The proposals, which are currently being cost-appraised by the Ministry of Finance for inclusion in the 2024 national budget, are expected to increase Finland’s spending on improving cyber security defences by 30% from its 2023 level to €280m in 2024. The exact spending on cyber defence, and the portion allocated to cyber AI, will be revealed once the government finalises the 2024 budget in October.
The general framework for prime minister Petteri Orpo’s proposed government initiatives on enhancing national security will closely align to the findings and recommendations of a detailed analytic report on AI threats.
The Security threat of AI-enabled cyberattacks (STAIC) report was jointly produced by the state transport and communications agency Traficom in collaboration with the National Emergency Supply Agency (NESA/Huoltovarmuuskeskuksen) and WithSecure, one of Finland’s leading private operators in the cyber security space.
NESA, a central government organisation operating under the Ministry of Economic Affairs and Employment, serves as the Finnish state’s principal expert agency in providing planning and operations related to the maintenance and development of national security of supply.
Funded by Traficom, the STAIC report recommends scaled-up state and private investments to advance innovations in the cyber defence. The fundamental focus of the innovation, the report suggests, should be invested in developments that help strengthen state and corporate security while preventing adversaries from gaining an advantage with AI-enabled cyber attacks.
The STAIC report estimates that cyber attackers will, over the next five to six years, be able to develop AI tools capable of autonomously finding vulnerabilities in IT systems, as well as supporting the planning and execution of attack campaigns that employ stealth to evade defences.
Sophisticated tools
Moreover, the report forecasts that cyber criminals will also develop more sophisticated tools to mine and collect information from compromised systems, especially open-source intelligence, said Andy Patel, an AI research analyst at WithSecure.
“While AI-generated content has been used for social engineering purposes, AI techniques designed to direct campaigns, perform attack steps or control malware logic have still not been observed in the wild,” he said. “These techniques will be the first to be developed by well-resourced, highly skilled adversaries, such as nation-state groups.”
Once AI techniques are developed by adversaries, some are likely to trickle down to less skilled “cyber domain opponents” and become more prevalent in the threat landscape.
Social engineering applications
The STAIC report describes the current flow of cyber attack events using AI as “very rare and limited to social engineering applications” such as impersonating specific and random individuals, or employed for data analysis in back-end systems. It describes target identification, social engineering and impersonation as “today’s most imminent AI-enabled threats”, which can be expected to evolve further in the short to medium term in both number and sophistication.
The need to reinforce Finland’s national cyber defences at corporate and state levels is necessitated by developing trends in AI technologies, skills and tools that will render AI more available and affordable to lone and organised criminals in this domain, said Sauli Pahlman, the deputy director general at the National Cyber Security Centre (NCSC).
“In a world where it’s already possible to have a conversation with AI, it’s very plausible that we will soon see criminals running online scams using this technology. As AI technologies, skills and tools become more easily available in coming years, this will incentivise attackers to make use of AI to perpetrate cyber attacks.”
Forward-looking research conducted by the NCSC indicates that even if AI does not lead to entirely new types of attacks in the short to medium term, AI can and will be used to increase the number of cyber threats. The rapid advances in AI will likely create new opportunities for the automation of attacks, social engineering and information gathering, Pahlman added.
Future capital investments in Finland ’s AI defences will need to address the challenges posed by cyber attackers’ use of maturing AI tools. Defenders will be required to adapt and evolve to apply new techniques to counter AI-based phishing that routinely utilises synthesised content and spoofing biometric authentication systems.
Defenders, state and corporate, will also need to strengthen their use of non-technical services, such as intelligence sharing, resourcing and security awareness training to manage the threat of AI-driven attacks, said Samuel Marchal, a senior scientist at WithSecure.
“Security on a national level isn’t seeing the same level of investment or advancements as many other AI applications,” he said. “This could eventually lead to attackers gaining an upper hand. Although legitimate organisations, developers and researchers follow privacy regulations and local laws, attackers don’t. If national policy-makers expect the development of safe, reliable and ethical AI-based technologies, they will need to consider how to secure that vision in relation to AI-enabled threats.”
The current debate around AI in Finland is predominantly concentrated on benefits for business and industry, in addition to personal data information privacy issues.
A survey released in August by the Foundation for Municipal Development (Kaks), an independent non-profit organisation that funds national and regional research programmes, found that Finns are generally divided “down the middle” over the perceived benefits and risks of AI.
The poll was conducted by Kantar Public in June among a survey group of 1,000 voting-age adults.
Some 62% of respondents in the survey said AI would likely boost the overall efficiency of industrial production. Just over half believed AI has the potential to bolster work productivity. On the downside, 49% of respondents expressed adverse views about AI, raising concerns the technology could have a negative impact on job security, the quality of customer services and access to accurate information.
In formulating new policies around AI security, the Finnish government has started to reach out to the country’s pivotal technology research organisations. These include the recently established Innovation Practitioners Community (IPC), which was formed in May 2023. The IPC, which will function as an international peer network for innovation leaders and professionals, is positioned to play an important role in shaping government policies connected to innovation knowledge enhancement and national AI security.
“Finnish companies have traditionally succeeded through strong engineering expertise,” said IPC chairman Antero Kivikoski. “The IPC will push open dialogue with business managers and owners to demonstrate how investing in innovation can strengthen their offerings in product and service development, and benefit their companies and society.”