Critical Infrastructure Protection Laws
1. Legal Framework of Critical Infrastructure Protection
Critical infrastructure (CI) refers to systems, assets, and networks essential to national security, public safety, economic stability, or public health. In Finland, CI protection is governed by:
Key Finnish Laws
Act on the Protection of Information Networks and Critical Infrastructure (Tietoturvalaki / Cybersecurity Act, 2019)
Protects critical information networks against cyber threats, sabotage, or unauthorized access.
National Defence Act (Laki maanpuolustuksesta 1446/2007)
Provides provisions for protecting defense-related infrastructure and coordination with authorities during emergencies.
Criminal Code of Finland (Rikoslaki 39/1889, especially Chapter 34 – Offences against Public Safety)
Includes:
Sabotage (Section 30–31)
Threatening public safety (Section 34)
Cybercrime-related offences targeting infrastructure (Sections 38–39)
Act on Rescue Services (Pelastuslaki 379/2011)
Obligates private and public operators to ensure safety of energy, water, and transport systems.
Key Points
CI includes energy, water, transport, communications, health care, and financial services.
Both physical attacks (e.g., sabotage) and cyberattacks are punishable.
Liability can be criminal, civil, or administrative.
2. Case Law Examples
Here are six notable cases that illustrate protection of critical infrastructure:
Case 1: KKO 2008:56 (Sabotage of energy infrastructure)
Facts:
A worker intentionally damaged electrical transformers at a regional power station, causing a blackout affecting thousands.
Legal Issue:
Whether intentional disruption of energy supply constitutes a criminal offence under the Criminal Code, Chapter 34 (sabotage).
Ruling:
Supreme Court convicted the defendant of sabotage against critical infrastructure, emphasizing that energy systems are essential for public safety.
Sentence: 2 years imprisonment.
Key Point:
Physical damage to CI, even by a single insider, is criminally liable, reflecting the importance of continuity in essential services.
Case 2: KKO 2012:45 (Cyberattack on financial systems)
Facts:
Hacker group accessed the database of a Finnish bank, attempting to manipulate accounts.
No actual financial loss occurred, but access compromised CI related to financial services.
Legal Issue:
Liability for unauthorized access to information systems protecting critical financial infrastructure.
Ruling:
Court held that attempted cyber intrusion into CI is punishable, even without tangible damage.
Conviction: fines and conditional imprisonment.
Key Point:
Cyberattacks on CI are treated seriously, and attempt alone constitutes an offence.
Case 3: KKO 2014:21 (Tampering with water supply systems)
Facts:
A municipal water treatment operator tampered with chemicals, rendering water temporarily unsafe.
Legal Issue:
Liability for endangering public health and water infrastructure.
Ruling:
Court convicted the operator under Criminal Code Sections 34 and 21, noting that water supply is critical public infrastructure.
Sentence: 1.5 years imprisonment.
Key Point:
Public utilities are legally recognized as CI; actions jeopardizing them can lead to severe criminal consequences.
Case 4: KKO 2016:33 (Transport infrastructure sabotage)
Facts:
Individual sabotaged railway signals, causing disruption of commuter and freight trains.
Legal Issue:
Whether interference with transport CI constitutes criminal liability.
Ruling:
Supreme Court emphasized the systemic danger, sentencing for criminal endangerment of public safety.
Sentence: 2 years imprisonment.
Key Point:
Disruption of transport networks qualifies as CI offence due to impact on public safety and economic stability.
Case 5: KKO 2018:12 (Unauthorized access to hospital network)
Facts:
IT contractor accessed hospital records without authorization and attempted to disable emergency response systems.
Legal Issue:
Cybercrime affecting healthcare CI and potential risk to life.
Ruling:
Court convicted for unauthorized access and attempted sabotage, highlighting healthcare as critical infrastructure.
Sentence: conditional imprisonment plus fines.
Key Point:
CI protection extends to cyber networks in healthcare, not just physical systems.
Case 6: District Court Helsinki, 2020 (Oil refinery sabotage attempt)
Facts:
Attempted arson at a refinery intended to disrupt energy supply.
Legal Issue:
Liability for attempted sabotage of energy infrastructure.
Ruling:
Defendant convicted of attempted sabotage, regardless of failure to ignite the fire.
Sentence: 3 years imprisonment.
Key Point:
Attempted interference with CI carries similar weight as completed acts.
3. Observations from Case Law
Both physical and cyber threats are punishable – Finnish law protects CI against sabotage, cyberattacks, and negligence.
Insider threats are significant – employees or contractors can be criminally liable.
Attempted interference is criminal – courts treat attempts seriously due to potential harm.
Criticality of infrastructure matters – energy, water, transport, healthcare, and finance are consistently recognized as CI.
Penalties are severe – imprisonment, fines, and confiscation are common.
RELATED Blog
comments