Steering of the Government Security Network

Conclusions and recommendations of the National Audit Office

The purpose of the audit was to determine whether the Government Security Network (TUVE) is steered in a manner that supports successful operations. The audit was conducted in the Ministry of Finance, which is the ministry responsible for the steering of the network. The activities of the Ministry of the Interior and the police and the Finnish Border Guard (which both come under the ministry), the Ministry of Defence, Finnish Defence Forces, Suomen Erillisverkot Oy and its subsidiary Suomen Turvallisuusverkko Oy, ICT Agency HALTIK and the Government ICT Centre Valtori connected with the operations and steering of TUVE were also audited. At the time of the audit, TUVE was still in the starting-up stage, which is planned to last until the end of 2016.

The TUVE operations, as described in the steering structure, were launched without any major problems

The TUVE network became operational on 15 January 2015. The parties that were involved in the operations of the network during its first year were of the opinion that the start of the operations, as described in the steering structure, was successful.

When discussing the Government proposal (HE 54/2013 vp), Parliament had expressed the concern that the complexity of the planned steering structure would cause operational problems. The concern was mainly directed at Suomen Erillisverkot Oy, the company providing the network and infrastructure services, and its subsidiary Suomen Turvallisuusverkko Oy. However, according to the audit findings, the organisational structure of the provider of the network and infrastructure services has not had any major impact on the operations. Furthermore, the situation where the steering of Suomen Erillisverkot Oy is shared by two ministries does not seem to have interfered with the TUVE operations. However, the impression is that having representatives of the two ministries in the Board of Directors of Suomen Turvallisuusverkko Oy has been of little benefit to the network’s operations.

The purpose of the statutory steering structures has been to respond to the objectives of the different parties in connection with the organisation of the operations, which may be contradictory. Few problems have arisen from the steering structures during the starting-up stage. At the same time, however, the service providers and the organisations using TUVE services were of the view that in a small number of cases, too much time was spent on decision-making.

In spring 2015, the Ministry of Finance launched a review of the steering of Suomen Erillisverkot Oy, in which the focus was on the steering of VIRVE (the Government authorities’ radio network). The review can be viewed as necessary and there should also be regular assessments of the steering structures in the future.

More consideration should be given to operational requirements

There are structures in TUVE that allow the organisations using its services to put forward their views and requirements. Economic and technical issues are discussed within the framework of the steering structures. Operational needs are only occasionally reviewed and the reviews are at general level.

According to the audit findings, the persons responsible for the practical aspects of the development and continuity of the services and tasks in the user organisations are only weakly and indirectly connected with the steering of TUVE. There are not yet any workable processes for identifying and understanding operational needs and for dealing with the requirements derived from them. There is a risk that as there are more users, client needs become increasingly diverse and it will become difficult to reconcile them. This may increase costs or cause risks and problems to the operations of the user organisations.

The Ministry of Finance should have workable procedures for maintaining and sharing views of all aspects of the public administration ICT systems, which comprise the central government ICT services independent of specific sectors (TORI), ICT services specific to individual sectors (TOSI) and ICT services in the security network environment (TUVE). The method for assessing central government information system projects and the related consultation procedure of the Ministry of Finance do not meet this requirement in their present form. As more organisations start using TUVE, at least some of them will require both security network services and shared central government data communications services. The user organisations are not necessarily obliged to use the TUVE network in all their operations. A comprehensive view is important because that will help to avoid overlapping and conflicting solutions and operating models.

The acts on TUVE and TORI do not form an entirely seamless entity. The principles set out in the acts are different, which may cause problems to organisations using the services. One major difference concerns service fees. All shared central government information and communications technology services (TORI) and the investments in them must be covered with service fees. At the same time, the TUVE services can be funded with service fees in part or in full or in a centralised manner. Each alternative has its advantages and disadvantages, which must be carefully analysed. The funding of the TUVE network was based on a temporary model. The costs of the TUVE operations were not entirely transparent. The appropriations required for TUVE operations had not been adequately assessed as a whole. The budgetary impacts of the development of new services were poorly known.

The ICT Agency HALTIK, which produces information, communications technology and integration services, will be closed down and its security network tasks and the personnel carrying out the tasks will be transferred to Valtori during 2016. According to the audit findings, the role of Valtori as part of the overall TUVE operations had not been carefully considered. The separation of the operations from other Valtori operations had not been thoroughly planned. The process of integrating the steering of TUVE into Valtori’s steering structures is not yet complete, which may slow down the decision-making concerning the security network operations. Blurred responsibilities may weaken client satisfaction with Valtori’s operations. 3

Steering processes and procedures must be improved

Only a small part of the processes concerning the assessment, steering and monitoring of the TUVE operations had been described or the descriptions were not particularly detailed. Insufficient documentation may make risk management difficult, especially if there are personnel changes in key tasks. The lack of documentation also makes other areas of steering and operations more tied to specific persons and there is also a greater risk of ineffective and overlapping operations.

The Ministry of Finance has not acted in a transparent manner in the steering of TUVE operations. Other TUVE actors were not able to determine how the work on the opinions and regulations in the Ministry of Finance are progressing. Their view was that this has made it more difficult for them to plan their activities.

Stakeholders were provided with information on a case-by-case basis and not in a systematic manner. According to the audit findings, there are no feedback mechanisms for managing the expectations concerning the TUVE operations among different stakeholders. The provision of information should be targeted in accordance with the roles of each stakeholder actor (end user, technical expert, director, etc.). Stakeholders were expected to manage the targeted communications themselves and the process had not been monitored in a coordinated manner.

The risk connected with the TUVE operations were not considered in a comprehensive manner and the user organisations had not been provided enough information on them. All parties involved should be aware that the risks to the security network operations also affect the stakeholders.

There should be changeover to continuous development

The focus in the development of the security network operations has been on ensuring that incomplete requirements are met and on organising the security operations in accordance with the law. Long-term development and its steering have been overshadowed by the launching of the operations. The development process had not been documented. The plans concerning the expansion of the services and the operations were not sufficiently clear or detailed. So far, the focus has been on following the general technological developments relevant to TUVE infrastructure improvements and there has not been any discussion on the development of the shared security network services on the basis of the user organisations’ needs.

There have not yet been any audits certifying a high level of preparedness and security. The risk is that the architecture used does not meet these requirements. There is also a risk that with the appropriations available to them, user organisations are unable to ensure that all TOSI systems will meet the requirements laid down for the security network by the Ministry of Finance. This will lead to a situation where the requirements must be weakened or the user organisations must be allowed to operate in more than one technical environment.

Recommendations of the National Audit Office

The National Audit Office recommends that the Ministry of Finance

1. should ensure that the operational requirements of user organisations are understood and considered in the steering

2. should ensure that there is a close link between the steering of the security network operations and the overall ICT steering in the public administration

3. should make a decision on a more permanent funding model

4. should plan and describe the steering processes.