Finland's Unspoken Offensive Cyber Arsenal, NATO-Grade Deterrence Built in Silence, Democratic Oversight Unclear

• Finnish experts confirm active offensive cyber capabilities exist but are rarely discussed publicly
• Legal authority and oversight mechanisms for deploying offensive cyber tools remain opaque
• Sweden and Norway maintain similar postures, yet no coordinated Nordic offensive cyber framework exists
• Finland's traditionally defensive security culture has not caught up with the reality of its cyber arsenal

Finland possesses offensive cyber capabilities that authorities almost never discuss in public, security experts told Ilta-Sanomat in a rare acknowledgment of a domain the Finnish state prefers to keep quiet. The capacity — which includes active measures to disrupt, degrade, or destroy adversary networks — places Finland alongside larger NATO members that rely on the implicit threat of cyber retaliation to deter attacks on their own infrastructure.

The silence is strategic. Cyber deterrence works on the same logic as nuclear deterrence: an adversary must believe retaliation is possible without knowing exactly what form it would take. Great powers — the United States, the United Kingdom, France — maintain this ambiguity deliberately. Finland, with a population of 5.6 million, now operates in the same space, a fact that would have been difficult to imagine a decade ago but follows logically from the country's NATO accession in 2023 and the persistent cyber pressure from its eastern neighbour.

What makes Finland's case distinctive is the tension between capability and public accountability. Finnish security culture has long been built around territorial defence — conscription, border readiness, civil preparedness. Offensive operations of any kind sit uneasily in that framework. The Puolustusvoimat (Finnish Defence Forces) and the Viestintävirasto (now Traficom's cybersecurity centre) have legal mandates for defensive cyber operations, but the authority to conduct offensive actions — who orders them, under what statute, with what parliamentary oversight — remains opaque. The experts interviewed by Ilta-Sanomat confirmed the existence of these tools but offered little clarity on the chain of command.

The democratic deficit is not unique to Finland. Sweden's Försvarets radioanstalt (FRA), the signals intelligence agency, is widely understood to possess similar capabilities, authorised under a 2009 surveillance law that generated fierce debate at the time but has since faded from public attention. Norway's Etterretningstjenesten (military intelligence service) received expanded cyber authorities in 2020 under a new intelligence law that was challenged in court. In each case, the pattern is the same: capabilities are built first, legal frameworks are retrofitted, and public debate arrives — if it arrives at all — years later.

The more striking gap is between the Nordic countries themselves. Despite decades of defence cooperation formalised through NORDEFCO, and despite all five Nordic states now being NATO members, there is no publicly known coordinated offensive cyber framework among them. Each country appears to be developing its own tools in its own strategic silence. This is an odd posture for nations that share threat assessments, intelligence, and — increasingly — military infrastructure. A joint Nordic cyber command, pooling Finland's technical depth, Sweden's signals intelligence heritage, and Norway's operational experience, would be a force multiplier. Instead, five small countries are building five separate capabilities, presumably with significant duplication.

The question of who authorises a Finnish offensive cyber operation — and whether the Eduskunta (Finnish parliament) is informed before or after the fact — has no public answer. For a country that prides itself on transparent governance and high institutional trust, the gap between what Finland can do in cyberspace and what Finnish citizens know about it is unusually wide. The tools exist. The debate does not.

Sources: Ilta-Sanomat