
50 years of the Helsinki Final Act

In this episode of the DevOps Sauna, Darren Richardson and Pinja Kujala discuss the 50th anniversary of the Helsinki Final Act, its history, and the importance of cybersecurity as a whole.

[Pinja] (0:03 - 0:10)

This is crucial now that we do cooperate with the threat that does not bow to any border controls.

[Darren] (0:14 - 0:22)

Welcome to the DevOps Sauna, the podcast where we deep dive into the world of DevOps, platform engineering, security, and more as we explore the future of development.

[Pinja] (0:22 - 0:32)

Join us as we dive into the heart of DevOps, one story at a time. Whether you're a seasoned practitioner or only starting your DevOps journey, we're happy to welcome you into the DevOps Sauna.

[Darren] (0:38 - 0:42)

Welcome back to the DevOps Sauna. I'm here with Pinja.

[Pinja] (0:42 - 0:44)

Hey there, how are you doing, Darren?

[Darren] (0:44 - 0:49)

Well, we're recording this at 10 o'clock in the morning, so I won't be awake for another hour. How about you?

[Pinja] (0:50 - 0:58)

I'm doing all right. I'm usually an early bird, so I hope that our topic today will get your brain going and perhaps let's see where we get with this.

[Darren] (0:58 - 1:05)

Yeah, let's find out. We've been talking about AI a lot lately, so I think it's time to pivot and talk about something completely different.

[Pinja] (1:05 - 1:06)

What would it be?

[Darren] (1:07 - 1:10)

I think that leads into my favorite topic, security.

[Pinja] (1:11 - 1:31)

Surprise, surprise. Well, all jokes aside, I think this is a really important topic to discuss, and security is something we should pay a lot of attention to at the moment. And this particular topic today that we've chosen is due to a very unusual anniversary that we are hitting this year in 2025.

[Darren] (1:31 - 1:55)

Yep, August 1st 1975 was when the Helsinki Accords, also known as the Helsinki Final Act, was signed. So we're reaching the 50-year anniversary of the Helsinki Accords, and it's important to go back and look at the content of the original Accords for maybe people who don't know what was signed.

[Pinja] (1:55 - 2:49)

And what was the big deal about this, perhaps? Let's take a trip down memory lane here because it's been 50 years. Many people might have heard about this.

I'm a Finnish native myself, and I've always heard about the Helsinki Final Act, or the Helsinki Accords, or Helsinki Declaration for its other name because it was a big deal for us to host the Conference on Security and Cooperation in Europe in 1975. And because it brought together 35 countries, some of them not NATO countries at the time, some of them were to become NATO countries, such as Finland and Sweden. We have the United States, but we also have the Warsaw Pact countries.

So we had the Soviet Union, we got Poland, we also got Hungary, for example. So, bringing in together a big group of countries in the middle of the coldest part of the Cold War to talk about the security in Europe was a big deal.

[Darren] (2:50 - 3:11)

It was actually kind of interesting. The whole aim of the Accords was to improve relations between the Western and Eastern blocs during the Cold War. So to have this happen in Finland, I imagine, was a big thing.

And we say, let's take a walk down memory lane, but at least I wasn't alive for the signing of the Helsinki Accords.

[Pinja] (3:11 - 3:51)

Yeah, neither was I. And I was reading about this in my history books when I was in school. And the big deal, as mentioned, was that coming together as neutral, non-aligned European states, the Warsaw Pact countries, known as the Eastern Bloc as well, and NATO, the Western Bloc, and actually signing this 10-point declaration, which concerned so-called baskets.

The first basket was the security in Europe. They also considered in the other baskets, the economic, scientific, and environmental cooperation, human rights, and fundamental freedoms, but also how to follow up on these things that they just agreed on.

[Darren] (3:51 - 4:45)

Yep. And the four baskets, they're all quite interesting. But the thing I think we need to focus on today is the first, which basically had four key points and it was sovereign equality and respect for rights.

So, all states should be equal and respect sovereignty. Non-intervention in internal affairs, which is kind of self-explanatory. The inviolability of frontiers so that the post-World War II European borders are recognized as permanent and inviolable.

And then the peaceful settlement of disputes. So, as you can see, in 1975, this was kind of progressive and kind of quite advanced, I would say. And now, 50 years later, obviously, we've seen some issues with this.

I think the big problem, Pinja, you were telling me was that this was not a treaty. It was just a kind of agreement. Exactly.

[Pinja] (4:46 - 5:18)

Yeah. As it says, it's not a legally binding treaty of any kind. We always talk about the spirit of Helsinki.

And in later years, there have been discussions, is it still in the spirit of the Helsinki Accords? Is it still in the Helsinki spirits? But now, if we think about what our world looks like nowadays, the world is not the same, of course.

It's been 50 years since 1975. Things have changed. Technology has changed.

And also the relationships between the countries have changed. So perhaps the lines have become more blurred in this sense.

[Darren] (5:19 - 5:40)

Yeah. It's the big question that I think is asked in every cybersecurity conference, which is how do you define and delimit borders in cybersecurity? Because I think there have been several attempts and several approaches.

But I think it's fair to say that globally, no one is policing the Internet.

[Pinja] (5:40 - 5:58)

Because we're in this first basket and the Helsinki Accords, which concern the security in Europe, we have the declaration of non-intervention in international affairs. Where do we draw the line in terms of cybersecurity here that we should not intervene in the internal or external affairs of other countries?

[Darren] (5:59 - 6:52)

And I actually, I'd like to take credit for the idea of this 50-year anniversary update, but it's actually something I heard in Helsinki in, I think, Cyber Security Nordic, I want to say in 2021, there was Dr. Eneken Tikk talking about the idea that maybe it's time to update the Helsinki Accords to start looking at Internet sovereignty. So I think we should talk about that because, as you mentioned, things have changed. In the past just 20 years, we've had, I think we started to see state-level attacks.

There were cyber attacks against Estonian infrastructure in 2007, which I think most experts agree was the dawn of state-sponsored cyber attacks. And obviously, we were in no place to police them at the time. But strangely, I don't think that's changed.

[Pinja] (6:53 - 7:22)

No. If we move back to the future towards the present day a little bit more, there is the Stuxnet attack on the Iranian centrifuges in the early 2000s. It was first uncovered in 2010, but it has been speculated to have been in development since at least 2005.

So that was one. Then we move on to the 2010s, for example, the 2014 Ukraine cyber attack, which was a prelude to invasion, and that would happen again in 2022.

[Darren] (7:23 - 8:22)

Yeah, I think if we talk about Stuxnet, that we have to acknowledge is the first time that a cyber attack had physical consequences, because what they were doing was basically using Stuxnet to override the programmable controllers of the centrifuges and causing them to spin too fast and basically destroy themselves because of the huge pressure required for centrifuges. So it was like the first cyber attack or the first large-scale cyber attack with physical consequences. And as you say, the preludes to the invasions of Ukraine had cyber attacks.

We've also seen in Israel or in the Middle East last year where we had the pagers and radios with explosives being detonated. So we're now seeing the massively blurred lines between physical and cyberspace, and we don't really have much in the way of defense or policing for this.

[Pinja] (8:22 - 8:58)

And this has been discussed many times, especially in the UN. The UN has acknowledged that there is a new threat that has not been discussed. And also in the NHS, the National Healthcare System, and in the UK, they had an article come out where they listed cyber attacks against healthcare, and those were also posted by the UN.

So, the cyber attacks on healthcare, which is now a global threat that should not be ignored. So there is a kind of need to discuss this topic, also recognized by the international organizations.

[Darren] (8:59 - 11:00)

Yep. The UN, as of November last year, there was a guy called Tedros Ghebreyesus, I believe. I probably butchered his name, but he had a very interesting thing to say, which was just as viruses don't respect borders, nor do cyber attacks.

And went on to say international cooperation is therefore essential. And there have actually been some interesting steps towards that. So last year, we had the EU's NIS2, and coming up in a couple of years, we have the deadline date for the CRA, the Cyber Resiliency Act.

And one of the things included in this, and also actually in the new version of ISO 27000, the 2022 version, each of them call for threat intelligence and sharing and cooperation. So it's been kind of the posture for cybersecurity for a long time now to turtle up and hunker down and not share anything and not talk about anything, not discuss anything. Even when we, to this day, receive notifications of vulnerable components, they are as generic as possible to ensure that no one, the attackers, can't replicate them because obviously, there's a delay effect, you get a new software update, you have to find someone to install that software update, it can go a while.

And if the attackers are faster, then you have exploited systems. And that makes sense in a way. But similarly, for example, some of the vendors we work with have these pre-release things where they will send to Eficode as a partner, information of a vulnerability before it's public so that we have a chance to fix the systems we host.

So it's kind of this closed cooperation. And yeah, it's kind of difficult, because the more people you include, the more likely someone is a hostile actor. But I think this shift towards open communication and discussion is becoming more and more critical.

[Pinja] (11:00 - 11:47)

This reminds me of the situation the whole world was in five years ago in terms of healthcare, when COVID-19 hit the whole world. And as I said before, Darren, viruses do not respect borders, and neither did this one. Of course, there were different mutations along the way.

But nonetheless, the pandemic hit the whole world, it impacted our economy. And we have to come together as the whole global united people to actually get the resolution for this, to stop the spreading, find the cure, find the way to get the vaccinations out as fast as possible. So why would this be any different?

And we can also think about this in terms of if we compare physical safety, physical security, do we compare then this to perhaps this the cyber security as well?

[Darren] (11:47 - 13:26)

Yeah, I think you're absolutely right. But there are other sides to the COVID aspect that we need to discuss there because it's like, there was the same thing, there was misinformation coming from various sides of the world about its effectiveness, about its transmissibility, you had statistics about the impact being skewed by various countries. And again, it's just that we started doing better when we started cooperating when everyone was trying to pretend it was not going to have an impact on the economy and just continue to allow international travel and not enforce lockdowns.

Yeah, there were huge problems. So it's this spirit of cooperation that I like to think is going to be the way forward. And that's actually what was struck up in the original Helsinki Accords.

As you say, it wasn't binding, it was these countries who had stood at opposite ends during the Cold War, coming together and kind of agreeing on how to cooperate with each other, at least when it came to Europe, when it came to the European landmass, if not in other directions. So, this spirit of cooperation is critical. And currently, we're trying to build that, at least in Europe, for cyber security.

NIS2, I think it's NIS2, requires every country to have a national cyber security center, whose job is to distribute information internally in that country and to cooperate with the centers for other countries. But that's a thing that's happening. And it will be good if the rest of the world, where these aren't in place, started taking that as a framework.

[Pinja] (13:27 - 13:42)

Yeah, many times other countries actually take on what the European Union is working on. And as you say, this is crucial now that we do cooperate with the threat that does not bow to any border controls, for example, if we take that as the metaphor here.

[Darren] (13:43 - 14:09)

Yeah. And it's important to say it's not just the EU. I mean, I'm not actually sure anymore, because it was that the White House put out the executive order on improving cyber security.

If you navigate to the White House page of that now, it gives you a 404 error. So, I'm not sure what's going on with that one at the moment. But I think there is an understanding and discussion that this is something that needs to occur.

[Pinja] (14:09 - 15:04)

It does. And the executive order on cyber security that was signed by the Biden administration was a big thing for many of the European companies as well last year, because they trade with the companies and the public sector in the US. So this was a mandatory requirement if they did not want to either lose their business or get fined as they proceeded with non-compliant toolchains, for example.

So this was one aspect that we from Eficode saw when we started helping some of our customers in building compliance towards the executive order on cybersecurity. So there will be these new things. We, of course, see what is ahead of us.

With a short span to some aspects, NIS2 implementation will be to follow up. But we don't seem to have the same spirit yet as we had in the Helsinki Accords for cyber security.

[Darren] (15:04 - 17:04)

No, I agree. And I think the big problem is this disparity we have in how cyber security cyber crimes are policed. So currently, the policing for cyber crimes is very sparse and very difficult.

The people who are punished most often are individuals. It's very rare that cyber crime groups are caught. And I don't know of an instance where any state-level actions have been specifically singled out and targeted.

And I feel like that's the key here. We can't just talk about Europe when it comes to the internet. The internet is globally connected.

And I personally believe that it should be the responsibility of each country to police the actions coming out of their networks. And if they cannot or will not, then simply removing those connections, like setting huge block lists of IP addresses associated with those areas. And this is complicated.

It would change the space of the internet because VPNs, for example, can easily be used to switch countries, as we all know, for getting access to content that Netflix doesn't want us to see. So, all of a sudden, it would be incumbent on the VPN providers to be able to be answerable to the government to say there aren't any connections from these places that are launching attacks. And that becomes complicated because a lot of these VPN providers are actually what we call logless VPNs, which are specifically designed not to keep logs, not to have any accountability, and to be fully private.

So there's a kind of difficulty there. But until accountability is possible online, policing attacks online is always going to be extremely complicated and practically impossible.

[Pinja] (17:04 - 17:54)

I was thinking this from the victim state perspective because usually, they're the ones who want to have this solved. They want to see justice, but we don't have the international community and international agreements in place, for example. And as you say, with VPNs, the aspect right now is privacy, right?

And we have talked about this before when we were talking about the AI agents in social media, for example, and the verifiability of one's identity or internet, right? So the privacy aspect is still really big when we go online, but we don't have those international requirements and international agreements in place. And as you say, the countries do not have the need and the requirement to police their own traffic and the behavior before letting somebody connect to the global network.

[Darren] (17:54 - 18:58)

Yeah. And I think a lot of this is just how slow legislation is. For example, if we look at the post-World War II legislation that appeared regarding actual physical warfare, where it became a war crime to, for example, have soldiers disguised as civilians, which makes perfect sense, that is illegal and should be.

And yet the equivalent of that online, which is a VPN of having your operatives disguised as operatives for another country, is not policed in any way. It's not forbidden in any way. There's nothing to stop anyone from pretending to be an actor from another country.

They don't even need VPNs. They can just set up infrastructure in that country. There are all kinds of hosting providers.

They can just rent out machines as they need. So we just, we don't have the rule set. And that's why it will be important to revisit the Helsinki Final Act 50 years later and set up a cybersecurity rule set to go along with the borders-based rules that existed before.

[Pinja] (18:59 - 19:41)

One could argue that the original Helsinki Accords already could include cybersecurity. So for example, the borders. And one could argue that this is in the ignorance of the spirit of the Helsinki Accords.

But like 50 years ago, we did not have the thing called the global internet, and we did not have the cybersecurity access we do nowadays. So as we discussed before, the world looked completely different at the time. But what is the sovereignty of each state?

What is the inviolability of each of the state borders? Can we now also argue that this should also include already known cybersecurity acts and attacks? But how can we state that out loud?

Who do we need to get into the table to get that going?

[Darren] (19:42 - 20:23)

Yeah, I mean, I think we could argue that if, as you say, people were obeying the spirit of the Accords. But the reason, in my opinion, why these kinds of laws take so long to push out is because no one obeys the spirit of any rule set. They hire massive legal teams to find every loophole they can.

So, everything needs to be ironed out in the clearest possible language so that no one can find the loophole. And, like, I think the idea of the spirit of law, the spirit of law is dead. We have to use the word of law because the past 50 years have demonstrated that that's how our society sees things.

If there are loopholes, they will be found and they will be exploited.

[Pinja] (20:24 - 20:33)

I fully agree with that. And until we get a full blown conversation on this in a global setting, this will continue going on, I would say.

[Darren] (20:33 - 21:02)

Yeah. And as the lines blur between physical and cyberspace, these attacks are just going to get worse as technology, smart technology in particular, gets closer and closer to people and their privacy and their information and closer to healthcare, to critical infrastructure, to policing and law enforcement. The effect of these attacks is just going to get worse and worse until laws are in place to prevent it.

[Pinja] (21:02 - 21:26)

Yeah, because I think in this context, it's also worth discussing the impact of the cyber attacks and the evaluation of the severity of these attacks. Because let's say we can have a cybersecurity act towards a national governmental website, for example, or we can have it against the national healthcare when it actually will impact the health and physical safety and security of people in that country.

[Darren] (21:27 - 21:59)

Yep. It's a case of whether there's been a human toll yet, and the toll of human lives is debatable. I personally lean towards yes, given that cyber attacks are being used as preludes to invasions, but this will only increase.

And yeah, attacking a website is like tearing down a poster, no one cares. But attacking health services, attacking critical infrastructure, these are the things that are just going to have a deeper and deeper impact on our lives.

[Pinja] (21:59 - 22:23)

Yeah. And just considering the legislative measures that we've seen in the past couple of years, we talked about the NIS2, the CRA is coming, the US executive order on cybersecurity, but until all the entities involved, whether we consider them hostile or friendly, but until everybody's on board and everybody's willing to polish their own attempts to disrupt, these are just half measures, right?

[Darren] (22:23 - 22:39)

Exactly. Yeah. We need everyone on board because you can't draw borders around parts of the internet as much as we would like to.

It's simply not been possible and is unlikely to be possible. So, instead, everyone needs to agree.

[Pinja] (22:40 - 23:02)

Yes. And I'm very happy to see that the discussions on this have now been brought up in the UN, which has the countries around the world represented, but we shall see how the 50th anniversary of the Helsinki Accords will play, will the UN, for example, take note of the anniversary and perhaps its significance to the new rules that need to be put in place.

[Darren] (23:03 - 23:12)

Let's hope so. But that's all we have for you today in the DevOps Sauna. Thank you for joining us and thank you for being here to discuss this kind of doomsday-ery topic with me, Pinja.

[Pinja] (23:12 - 23:13)

Thank you, Darren. Thank you, everybody.

[Darren] (23:14 - 23:16)

We hope you join us next time. Bye. Bye.

[Pinja] (23:20 - 23:22)

We'll now tell you a little bit about who we are.

[Darren] (23:23 - 23:25)

I'm Darren Richardson, Security consultant at Eficode.

[Pinja] (23:26 - 23:30)

I'm Pinja Kujala. I specialize in Agile and portfolio management topics at Eficode.

[Darren] (23:31 - 23:33)

Thanks for tuning in. We'll catch you next time.

[Pinja] (23:33 - 23:41)

And remember, if you like what you hear, please like, rate, and subscribe on your favorite podcast platform. It means the world to us.
