Evolving Technology and Growing Dependence
In recent years, the development of cyber defence has been shaped by two major trends. The first derives from technology and its role in today’s society. The complexity of the digital environment has increased due to rapid and multidirectional technological development, thereby also diversifying the vectors and targets of cyber threats. New technologies and solutions—mobile devices and the Internet of Things, cloud computing, biometrics, machine learning and artificial intelligence, self-driving vehicles, the emergence of quantum computing—create new opportunities. However, technology is never perfect; any technological system, service or innovation is ultimately vulnerable. Nobody has a full understanding of the risks that accompany digital products, services and forms of enterprise.
Global openness in turn increases the scale of dependence on technology. The same software, hardware and platforms are used all over the world. The same security vulnerabilities affect millions, sometimes billions, of devices and users. Such a mass market offers an enticing opportunity for criminals, and hostile countries, to find the weak spots and exploit them.1 The WannaCry and NotPetya cyber attack campaigns of 2017—the latter also inflicting damage on some Estonian companies—were just like that, directed indiscriminately against unsecured devices. The worldwide damage caused by both campaigns extended to billions: healthcare institutions, vital infrastructure and a string of well-known companies all over the world were among the victims.2
Similarly, the security vulnerability that threatened Estonia’s national digital identity system last autumn affected at least a billion chips worldwide, in use in secure cryptoprocessors of computers, encryption tools used for e-mail security and for accessing virtual private networks (VPN), national identification documents, and payment cards. The ROCA security vulnerability showed us vividly and up close how extensive the impact of a potential cyber incident is to a society dependent on technology.
Our society has digitalised to an extent where we no longer can afford the option of doing only half of the equation and only choose the benefits of digitalisation. Threats are not “the dark side” of digitalisation; they are an organic part of the package. The role of technology in our everyday life has reached a level where cyber security is no longer simply the sum of protecting technological solutions. For Estonia, cyber security means the protection of our digital society and way of life as a whole. We need a comprehensive approach.
Thought experiments about alternatives to a digital society are intellectually interesting, but unproductive in reality. The generation born in Estonia at the turn of the millennium who have recently come of age have no experience of an “analogue society”. We do not have a good alternative to a digital society. Thus, we do not have an alternative to investing in security, either. Resources must be found and talent developed, and we must concentrate on leadership and formulate a long-term vision. The questions about how to protect the lifestyle to which we are accustomed will not vanish anywhere and answers to them develop with how and where the ingenuity of people expands.
State-sponsored Cyber Attacks
The second distinct tendency of recent years is the readiness and skill of states opposing Western liberal democracies, like Russia, China, North Korea and Iran, in using cyber attacks for political purposes—both by attacking democratic processes (typically election campaigns) and by trying to gain control over a target country’s energy infrastructure or communications networks, that is the society’s economic and social backbone.3 Increasingly—and this was also shown by the WannaCry and NotPetya incidents—states have the necessary capability, motivation, consistency and time to carry out cyber attacks, and do not refrain from putting these to use.
Confrontation between states in cyberspace takes many forms, from hijacking data traffic or hacking a simple e-mail exchange to attacking democratic processes and complicated industrial control systems. A cyber attack for the purpose of a pure demonstration of force is rare;4 usually, cyber attacks are combined, as an enabler and an amplifier, with other purposes, such as intelligence and information operations, for the benefit of a greater cause.5
Cyber attacks have come to remain as a part of international conflicts.
The Increasing Importance of Cyber Security in NATO
NATO admitted ten years ago that a confrontation between states might involve a cyber dimension, beginning to develop a cyber defence policy after Estonia was hit by cyber attacks in 2007. In 2010, NATO acknowledged in its new Strategic Concept that cyber attacks represented a security threat to modern societies.6
At the Wales Summit of 2014, NATO recognised that international law applies in cyberspace and declared that, since the impact of a cyber attack could be as harmful to modern societies as a conventional attack, cyber defence was a part of NATO’s collective defence mandate.7
NATO’s Warsaw Summit in 2016 resulted in a declaration recognising that cyberspace has evolved into a separate domain of military operations, in which the Alliance “must defend itself as effectively as it does in the air, on land, and at sea”.8 Subsequently, a roadmap was agreed that included the drafting of a NATO cyber operations doctrine, as well as the development of military cyber capabilities. In February 2018, NATO defence ministers decided to establish the Cyberspace Operations Centre as part of NATO’s SHAPE command structure, with the aim of integrating the Allies’ cyber capabilities into NATO military operations planning. Procedures have been established so the Allies can voluntarily contribute to NATO’s cyber operations.
During NATO’s most recent summit in July 2018 allies affirmed, for the first time, their determination “to employ the full range of capabilities, including cyber, to deter, defend against and to counter the full spectrum of cyber threats.” This “full range” of cyber capabilities means that both defensive and offensive capabilities can be deployed by NATO, in line with its defensive mandate and in accordance with international law.
What is Happening in Other Allied Countries ?
Estonia is no longer the lone canary in a coalmine in understanding that society is thoroughly dependent on the functioning of the digital environment. The United States, as a superpower, is far ahead of others in the development of cyber capabilities, having understood long ago the importance of cyber operations at the level of power structures. The US does not blink at making investment in cyber security. This reflects in by far the largest cyber defence budget, as well as investment in human talent and strategic directions, which have resulted in the US having the best threat picture, offensive capabilites and elaborate strategies. With an executive order by president Trump in May 2017, the modernisation of federal networks and ICT infrastructure, protection of critical infrastructure, national deterrence strategy and development of workforce were set out “in order to ensure that the United States maintains a long-term cybersecurity advantage”.9 As of today, the initial tasks have been delivered. As president Trump recently asserted, the US will not hesitate to use cyber weapons if necessary.10
Since 2016 the United Kingdom has consolidated the management of cyber security under the National Cyber Security Centre that coordinates the UK government’s countermeasures against cyber incidents. In 2017, the UK took a leading role in attributing cyber attacks and expressing state-level positions about permitted and prohibited conduct in cyberspace.11
France’s attitude towards cyberthreats as credible danger has been influenced by the personal experience of Emmanuel Macron, whose presidential campaign fell victim to cyber attacks. Mounir Mahjoubi, who was responsible for Macron’s digital campaign and is now the Secretary of State for Digital Affairs, has engaged in robust action in the comprehensive management of the field, including in cyber defence. In February 2018, France’s cyber defence strategy was reviewed and a clear vision for the future developed, describing how the country would defend itself against cyber attacks and specifying France’s positions on matters regarding international law.12 For France, strategic autonomy in matters of security and defence is very important, which also means investing in developing its cyber capabilities.
The Netherlands has played an active role in discussing international law in cyberspace. With the 2011 Dutch Cyber Warfare Report, the Netherlands implied that a cyber attack can be considered an “armed attack” if it leads to a serious disruption with long-lasting consequences. For instance, if a cyber attack targets the entire financial system or prevents the government from carrying out essential tasks such as policing or taxation, it would qualify as an armed attack, and would thus trigger a state’s right to defend itself.13 The 2018 Dutch Cyber Security Agenda also has specific plans behind the vision: in the next four years the Netherlands plans to invest 95 million euros in the security of the Internet of Things, the expansion of the National Cyber Security Centre, and public awareness campaigns.14 Among other things, the Netherlands values cyber diplomacy and is sending “cyber diplomats” to Washington, Beijing, Moscow, Brussels and Geneva this year.
The Czech Republic has likewise focused on bolstering its cyber capability in recent years. In 2017, the National Cyber Security Centre was brought under the authority of the prime minister with a strengthened mandate. It is planned to increase the staff tenfold to 400 employees by 2025.15 In addition, they invest in research and development. That such conscious investment has tangible benefit is illustrated not least by the fact that the ROCA cryptographic vulnerability impacting inter alia Estonia’s ID card was discovered by a research group of a Czech university.
Concerned for Estonia
Estonia has long been an innovator—the introducer and first applier of new cyber security concepts—and thereby an international pioneer in digital and cyber security issues. Its top-five position in the International Telecommunication Union’s (ITU) Global Cybersecurity Index is an indicator of Estonia’s international standing. Our allies respect the competence of Estonia’s Information System Authority and our national security institutions. The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn is known and recognised internationally.
For Estonia this is not merely a matter of reputation and an attractive business environment; it has a direct security dimension and carries particular significance for national security. Our partnerships with world’s leading cyber nations form an essential part of our cyber security. These relationships rely on the competence we have to offer. Thanks to this, we get top-level capabilities and information in return—and in cyber security, information exchange is the alpha and omega and everything in between.
We are credible and influential in matters where we have done our homework well. Mere slogans will not take us far—a competent partner recognises their emptiness and loses trust. Our substantial approach to cyber defence has attributed great significance to Estonia’s voice thus far. However, this will not carry on by its own, without further effort and resources. Estonia’s credibility and attractiveness as an international partner are not self-evident, nor can they be taken for granted. It is time to take an honest look in the mirror. As Sven Sakkov, the director of the International Centre for Defence and Security recently noted: “The howling gap between the attention we pay to agriculture versus the IT sector on a policy shaping level is clear and obvious”.16
The timing is right. Estonia currently has several reasons to critically reassess its vision around cyber security and defence. We have recent lessons learned from last year’s ID card crisis.17 A new cyber security strategy is about to be adopted. The political parties are preparing their election programmes for next spring; elections for the European Parliament also lie ahead. It is therefore the right time to draw relevant conclusions for ourselves in view of global developments and build a vision for the digital domain.
Our concern is that, in a situation where, perhaps more than any other field, the truism of a chain being only as strong as its weakest link, Estonia’s cyber security lacks cohesion. There are different components with different levels of readiness, but the domain as a whole lacks ownership, leadership and responsibility. The mandate of the Ministry of Economic Affairs and Communications as the coordinator of the field—one among equals—is not sufficient for that. The Government’s Cyber Security Council meets regularly, reports on progress and discusses problems. However, there is no overall owner of the cyber security field with a clear mandate. There is no national-level responsibility to take cyber security seriously, without plans being thrown out of the window when institutional resources get tight, whether in terms of funds or people. Somebody needs to have authority at the political decision-making level. Cyber and digital matters must be represented in the government by a strong political voice. And that person should also take up the roles previously held by Marina Kaljurand and Toomas Hendrik Ilves on the international scene. Estonia needs comprehensive management and development of digital architecture, which integrally includes cyber security.
Value of the NATO Cooperative Cyber Defence Centre of Excellence for Estonia
The CCDCOE in Tallinn is an international NATO-accredited centre of excellence that carries out cyber defence-related research, training and exercises. Over the course of past ten years, the number of member countries has grown from an initial seven to 21; Australia and Japan are to join soon, among others. In this way, the centre connects a trusted community of likeminded states who wish to share information and expertise in cyber security.
The centre employs around 50 people, about half of them Estonian. The experts come from a variety of backgrounds including technological, military and government. The strength and uniqueness of the centre lies precisely in its international and multidisciplinary approach.
The centre’s best-known projects are the world’s largest and comprehensive cyber defence exercise Locked Shields, the annual cyber conference CyCon, and the Tallinn Manual, which looks at cyber operations in the context of international law.18 The centre supports NATO in various activities, from providing analyses of cyber security trends and threats to training and doctrine. The advice provided by the centre is valued and taken into consideration by NATO members and others. The CCDCOE has evolved into an important junction of cyber knowledge and discussions on international cyber security.
Estonia has invested significant resources and competence to the centre through its defence budget. What does Estonia gain from this? Initially, the CCDCOE held value to Estonia already by the fact of the presence of NATO personnel on Estonian soil. But this was probably more relevant before the arrival of “real” NATO allied forces in the Baltic states in 2014. So how can CCDCOE add value for Estonia today?
As we know well, “what is difficult in training will become easy in battle”. The CCDCOE organises training exercises that are increasingly valued. The centre has world class competence in how to carry out large-scale cyber exercises on the technical as well as strategic level and how to combine them. As the primary user of NATO’s cyber range, the centre has a modern environment administered by the Estonian Defence Forces at its disposal where exercises can be carried out—and the centre in turn contributes expertise to the further development of the cyber range.
In August this year, the Estonian Defence Forces Cyber Command was inaugurated. The task of the new command, among other things, is to improve the Defence Forces’ understanding and awareness of cyberspace. As the command’s chief of staff, Major Silver Andre, noted, there is “still a lot to do in terms of cyber warfare so as to reach a satisfactory level of operational capability in cyberspace”.19 In this, the Cyber Command can collaborate with the CCDCOE to analyse and learn from member states’ experiences and measures implemented by them.
The centre is an acknowledged facilitator of strategic discussions—both publicly at the CyCon conference and behind closed doors in NATO’s corridors. This year, CyCon brought to Estonia discussions on social media attacks, artificial intelligence and quantum computing.20 In the NATO corridors, the centre’s researchers introduced the military, technical and strategic nuances of cyber defence to the North Atlantic Council years before the Alliance recognised cyberspace as a separate domain. The Tallinn Manual, prepared upon the invitation and support of the centre, is considered the first comprehensive discussion of international law governing state behaviour in cyber operations. Realising this ambition brings increasing amounts of cyber knowledge and skills to Estonia and helps to maintain Estonia’s high reputation in cyber-related matters.
The centre conducts studies and analyses of future perspectives, both independently and at the request of member countries, that for various reasons (limited resources due to size is a common constraint) don’t fit the focus of direct policy development or the action plans of government agencies busy with pressing tasks. The CCDCOE can call on the interdisciplinary competence of its staff and access to experts of various countries in its work.
Last but not least, the CCDCOE gathers world-class know-how on cyber security to Tallinn. This allows Estonian experts to gain an international outlet and audience for their activity. In the context of Estonia, the centre is a unique workplace that enables people to work in an international environment and combine research with solving practical cyber security-related matters of key importance without leaving one’s homeland. It is an attractive career choice for those military officers and civilians who wish to advance and complement their expertise in cyber defence. And a more active use of the centre’s cyber defence competence supports the furthering of Estonia’s comprehensive national defence.
In order to develop more effective deterrence and be able to respond to cyber attacks, we need to ensure that likeminded countries have a coherent assessment of the threat environment, are able to effectively defend the digital services provided to their citizens, and have working crisis management procedures that incorporate civil-military cooperation. The NATO CCDCOE in Tallinn strengthens Estonia’s efforts in furthering such a cyber community of nations with shared values.
This article represents the authors’ personal opinions.
_____
1 On this topic, see Kaur Virunurm’s essay on the impact of monoculture to security in the EISA’s “Annual Cyber Security Assessment 2018”. https://www.ria.ee/sites/default/files/content-editors/kuberturve/ria-csa-2018.pdf, p. 39.
2 In the course of the two global attacks, targets included the UK’s healthcare system, Deutsche Bahn, a number of Ukraine’s vital infrastructure companies and a range of well-known industrial companies all over the world: Renault, Spain’s telecoms giant Telefonica, FedEx’s European subsidiary TNT Express and Danish shipping company Maersk. The latter had to reinstall almost its entire information system to recover from the attack. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
3 In this instance, the cyber attacks against Ukrainian power stations that interrupted power supply in December 2015 and 2016 were of great importance. Similar attacks, the consequences of which were less dramatic for various reasons (better architecture, more effective defence, the attacker’s purpose) have been reported by Lithuania, Norway, the UK and the US. The incident at Estonia’s Viru Keemia Grupp in 2016, which was reported in the EISA’s Annual Cyber Security Assessment for 2017, is an example of the same pattern. https://www.ria.ee/sites/default/files/content-editors/kuberturve/ria_csa_2017.pdf, p. 24.
4 The cyber attacks of 2007 against Estonia are among the few that appear as a case of demonstration of force; in later cases, cyber attacks have, with increasing consistently, been a component of a larger campaign . This holds true for the Russo-Georgian War of 2008 and the various cyber attacks launched against Ukraine from 2013, not to mention the later attacks during elections.
5 Cyber attacks against democratic processes are a separate and vast topic. An increasing number of examples includes the presidential elections in the United States (2016) and France (2017), the 2016 Brexit campaign in the UK, the German general elections of 2017, and the referendum in Catalonia in the same year. Cyber attacks and cyber security in the context of elections is explored in detail by Liisa Past (see https://www.ria.ee/public/RIA/ECJ_Volume3.Issue3_Extract_past.pdf). She was also an expert driving the compilation of a manual for EU election security, published recently under EU’s Cooperation Group of the Network and Information Security (NIS) Directive. ; see https://www.ria.ee/en/news/european-union-members-share-advice-cyber-security-elections.html.
6 https://www.nato.int/cps/en/natohq/topics_82705.htm.
7 https://www.nato.int/cps/en/natohq/official_texts_112964.htm, para 72.
8 https://www.nato.int/cps/ic/natohq/official_texts_133169.htm, para 70.
11 We recommend reading the UK Attorney General’s speech at Chatham House on 23 May 2018 (available at https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century)
12 https://www.cfr.org/blog/three-takeaways-french-cyber-defense-review
13 Report by the Dutch Advisory Council on International Affairs and Advisory Committee on Issues of Public International Law. Cyber Warfare, No. 77, AIV/No. 22, CAVV, December 2011. https://aiv-advies.nl/download/da5c7827-87f5-451a-a7fe-0aacb8d302c3.pdf
14 “National Cyber Security Agenda. A cyber secure Netherlands”. https://ccdcoe.org/sites/default/files/documents/NCSA.pdf
15 https://www.scmagazineuk.com/czechs-build-new-cyber security-hq/article/1475590
16 https://arvamus.postimees.ee/6134735/sven-sakkov-hundihupe-tulevikku (Estonian only)
17 https://www.ria.ee/public/PKI/ID-kaardi_oppetunnid.pdf
18 See the Tallinn Manual on International Law Applicable to Cyber Operations. Available at https://www.cambridge.org/core/books/tallinn-manual-on-the-international-law-applicable-to-cyber warfare/50C5BFF166A7FED75B4EA643AC677DAE or https://ccdcoe.org/tallinn-manual.html.
19 http://forte.delfi.ee/news/militaaria/ajakirjast-sodur-kubersojatandril-oleme-me-pideva-runnaku-all?id=80864415 (Estonian only)
20 https://www.youtube.com/user/natoccdcoe/playlists.
Opinions
Hannes Krause, RIA
Kadri and Merle provide a good overview of what is happening in the cyber field right now and highlight the developments in NATO based on their experience. At the same time, one notices that they haven’t even touched upon the European Union, which would have been worth mentioning. Why? Primarily because, given the realities of the cyber field, it pays not to underestimate the regulatory, economic and diplomatic potential of the EU as the precondition for the (cyber) deterrence NATO offers. This shouldn’t diminish the importance of NATO as the guarantor of deterrence in the eyes of anyone.
The picture of the Estonian state that appears between the lines of this article is honest; in the cybersphere of today, we do not hold the global position we had 10 years ago. The subject has not been the political centre of attention for years, and has remained at the mercy of departmental processing. No wonder: praise from abroad regarding digital and cyber matters over the years has had a somewhat lulling effect on all of us. In this respect, the authors pose the justified question of whether we have succeeded in using all the knowledge the NATO Cyber Defence Centre of Excellence has on offer to our benefit as a nation. For example, in Tallinn we have been organising the coolest live-fire cyber exercise on NATO’s cyber-training field created by Estonia and based on Estonian companies’ work and skills for 10 years. But when are we going to organise a similar exercise aimed at increasing the cyber security of our own state and service providers, and use all the infrastructure and skills we have in Estonia?
Piret Pernik, ICDS
The authors of the article, experts in cyber security, are concerned that Estonia does not have “an owner, leadership and responsibility” in the field of cyber defence. They think that tasking the Ministry of Economic Affairs and Communications with coordinating the field is not enough. It is nothing new to be worried about the poor strategic planning and management, organisation and realisation of—as well as the lack of financial investments in—information and communications technology (ICT) and cyber security. Five years ago, a policy analysis by ICDS researchers found that the management and coordination of cyber security was inadequate and recommended strengthening it, specifying the roles and tasks of all related parties, prioritising cyber security at the political level and creating an “owner” for the field.1 In the meantime, Estonia has grown even more reliant on cyber space, while cyber dangers as well as the vulnerability of hardware and software have also grown. Many experts find that, in order to develop ICT systems and make them safer, funding for the field must be substantially increased—among other things, this was brought out in the Estonian Information System Authority’s (ISA) Annual Cyber Security Assessment, published in the spring of 2018. The whole of the European Union proceeds from the principle that security and privacy conditions must be considered immediately in developing digital products and services. As the logic of the market doesn’t support investing in security, the state must intervene with regulations and other measures.
Political and administrative structures tend to depend on historical cultural values, but specific institutional architecture is also related to the nation’s needs and possibilities—for example, big countries usually have more human resources and money than small ones. In Estonia, the organisation of public administration has historically been decentralised—each ministry shapes its policy independently and the Government Office doesn’t have more power than other ministries. However, it does have a strong mandate for policy coordination. All fields operate on their own and the issue of “strong vertical silos” in Estonian public administration was criticised in a 2011 OECD analysis.2 The Ministry of Economic Affairs and Communications has no role concerning the shaping of a national cyber-security policy under statutes or laws.3 If the responsible institution—i.e. the owner of the field—has not been specified unambiguously and clearly, comprehensive administration is difficult.
When we look at cyber-defence management and organisation in other countries, we see that the institutional structure is different, but many democratic countries have a minister of digital affairs and/or cyber security (e.g. France) in the prime minister’s office or a centre (Czech Republic, Israel, UK) that may be tasked with both shaping policy and preventing cyber incidents and coordinating their resolution. The Finnish prime minister’s office prepared a report on the strategic management of cyber security and cyber security as a part of comprehensive national defence in Finland in the spring of 2018.4 The analysis compared various models of the strategic management, organisation and implementation of cyber security—in the current system, shaping cyber-security policy is led by the ministry of finance—as well as alternative solutions, e.g. establishing an independent leader, unit, centre or government institution for the field.5 In Estonia as in Finland, cyber security forms part of comprehensive national defence. We should also apply a knowledge-based approach to governance in Estonia and consider whether the strategic management of ICT and cyber security should be focused under one institution or remain separate, and explore the best management models before creating a new administrative structure. If it is decided to create a new ICT and cyber-security ministry as a result of this analysis, solutions for recruiting and maintaining competent employees should be put in place, since the shortage of ICT and cyber-security experts is growing ever more acute, in both the public and private sectors.
_____
1 Piret Pernik and Emmet Tuohy, “Cyber Space in Estonia: Greater Security, Greater Challenges”. http://icds.ee/cyber-space-in-estonia-greater-security-greater-challenges/
2 OECD, “Estonia: Towards a Single Government approach”, p. 115. Public Governance Reviews. https://riigikantselei.ee/sites/default/files/content-editors/Failid/oecd_public_governance_review_estonia_full_report.pdf
3 The main task of the Ministry of Economic Affairs and Communications in cyber security is to organise the continuous operation of vital services in its area of government. Statutes of the Ministry of Economic Affairs and Communications Approved 23 October 2002 No. 323, section 12. https://www.riigiteataja.ee/akt/12934222?leiaKehtiv
4 In English the relevant terms are “whole-of-government” (the state as a comprehensive approach) and “whole-of-nation” (society as a comprehensive approach), as well as “comprehensive security and defence”.
5 Martti Lehto et al., “Kyberturvallisuuden strateginen johtaminen Suomessa”. Valtioneuvoston kanslia, 29 March 2018. http://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/160717/28-2018-Kyberturvallisuuden%20strateginen%20johtaminen.pdf
This article was published in ICDS Diplomaatia magazine.