August 6, 2013

Cybersecurity in Estonia: An Interview with Emmet Tuohy

The internet’s virtual world is ever more interconnected with the real world, which is why centers for the study of security also focus their attention on threats coming from cyberspace. The digitization of public administration (e-governance) is exposed to possible attacks by internet pirates, while sharing sensitive information over the internet could jeopardize national security. This has led ministries of defense all over Europe to search for instruments and strategies aimed at preventing foreseeable attacks on military and intelligence information systems.

05.08.2013, Emmet Tuohy (interviewed by Paolo Sorbello)
First published in Italian by the newspaper L’Indro.
The Estonian think-tank International Centre for Defence Studies (ICDS), affiliated with the Estonian Ministry of Defence, has become a platform for the discussion of “cyber questions” in the Baltic region and in cooperation with transatlantic organizations. Its good relationship with the United States and respected position within EU circles have made Estonia a key actor for the advancement of know-how and experience in the security of information technology.
We talked about the topic of cybersecurity and of the role of Estonia with ICDS research fellow Emmet Tuohy in Tallinn. Among other work, he has recently spoken at the Freedom Online conference in Tunis and moderated an event on PRISM in Tallinn.
Why is Estonia such an advanced hub for cybersecurity?
Ironically, Estonia’s advances in information technology—and accordingly, in cybersecurity—are due in part to its lack of advances two decades ago. Faced with crumbling, outmoded, or non-functional Soviet infrastructure, the country gambled early on the emerging Internet and related platforms, largely because, as former government advisor Linnar Piik pointed out, “cynically speaking, we did not have the money” to purchase the analog technology that was standard in the early 90s.
Another major factor is effective government policy, seen most notably in the “Tiger’s Leap” (Tiigrihüpe) program of computing in education.  First proposed by current President Toomas Hendrik Ilves—who was quite taken by his studies of computer programming in high school—in 1996, and developed with Minister of Education and Research Jaak Aaviksoo, the Tiger’s Leap was implemented rapidly. By 1997, fully 97% of Estonian schools had Internet access.  Graduates of these schools moved into the commercial and public sectors, where they helped to turn this leap forward from metaphor into reality in the startups and e-government initiatives that they created.  Many take these skills and contribute directly to Estonian cybersecurity initiatives as part of their voluntary service in the Cyber Unit of Estonia’s Defense League (reserve armed forces).
What happened during the Bronze Soldier crisis?
On May 9, 2007, Estonia was hit by a massive distributed denial-of-service attack from computers located throughout the globe—some of them reportedly “from Russian state servers,” although this has never been conclusively proven. Certainly, it was a highly coordinated set of attacks, relying primarily on a network of compromised machines known as botnets. That night, at 00:01 Moscow time, the attacks struck the servers hosting major Estonian commercial and government websites—causing many to be taken offline. Precisely twenty-four hours later, as Russia’s Victory Day holiday came to an end, the attack abruptly ceased.
Although the May 9 botnet attack is the most famous episode of the cyber conflict, it was just the second wave of a digital onslaught that had begun on April 27, the day when Estonia transferred central Tallinn’s Soviet-era Bronze Soldier war memorial to a military cemetery.  As time went on, what were once intermittent strikes soon became more frequent, longer, and better-coordinated assaults. By the first week of May, Estonia was effectively under cybersiege. Public morale suffered, albeit temporarily, as fear and rumor spread behind the virtual siege lines.   “Imagine if you can the psychological effect,” a government official urged interlocutors privately at the time, “when an Estonian tries to pay his bills but can’t, or get the news online but can’t.”
How can a virtual threat affect real life? Could you give an example?
Certainly, cyber threats can affect real life in a variety of ways. To take the example of the 2007 attacks in Estonia, the list of targets was indeed quite extensive, including: the Estonian presidency and its parliament, nearly all government ministries and political parties, three of the six largest news organizations, two of the nation’s biggest banks, and many of its leading communications firms. The effects could have even been life-threatening, as the emergency number used for calling ambulances or the fire service was temporarily inoperative.
As for whether cyber threats—or, to state more clearly, the use of cyber tactics to influence another state’s behavior—fall into the category of soft or hard power, this depends on one’s perspective. In liberal democracies, the Internet tends to be viewed as infrastructure, roughly equivalent to shipping lanes or energy pipelines; from this perspective, disrupting online activity is as much a use of hard power as maritime blockades or natural gas supply interruptions.
For other states, however, the Internet is viewed not as a value-neutral infrastructure network but a channel for spreading information that is or can be harmful to national and public interests.  From this perspective, then, the Internet is a soft-power means of influencing the populations of other states, with online news sites taking the place of the print journals or shortwave radio broadcasts of previous decades.
Who or what is the real present threat to cybersecurity in Europe? What is there to “securitize”? Who is supposed to manage this sector of security? Is there a need for governments to collaborate with private companies domestically and with international organizations at large?
Although the possibility of sustained interstate cyber conflict gets the most attention, the biggest threats—and their targets—lie outside the public sector. Undeniably, the largest threats to cybersecurity in Europe (and elsewhere) at the moment are criminals (whether individuals or organized networks). Companies are faced with daily incursions that range from vandalism to virtual bank robbery or other fraud and, notably, to intellectual property theft. By the latter, we’re not talking about individuals downloading songs or movies, but serious attempts to undermine the whole system of research and development. Businesses that have invested millions or billions of euro in new products can lose this in a moment if their research is stolen. As President Ilves has described it, “The innovator loses his investment, your country loses the tax revenue, and someone else reaps the profits. This is piracy. Pure and simple.”
The threat isn’t limited to the private sector, of course. Governments and individuals also depend on the security and integrity of their communications networks, and as we’ve seen earlier there can be real dangers to human lives if first response capabilities are disrupted. (Moreover, the state of the art has increased quite considerably since 2007; thanks to the spread of so-called SCADA systems that control important parts of critical infrastructure such as dams or pipelines, these physical infrastructures are also now at risk of cyberattack.) So any effective response must include partnerships within—between the private, public, and nonprofit sectors—and among states.
Is there international cooperation on the issue? What are the actions that NATO is taking to counter this cyber threat? What role does Estonia envision playing?
Although there have been some initiatives, especially on the UN level, effective international cooperation has yet to emerge on cybersecurity. I argue that the main reason lies in the essential clash of values outlined above, between those that see the Internet as a neutral venue where freedom of expression should be respected, and those that see it as a means by which harmful or dangerous content can spread within their borders. This division is reflected in the failed attempt by some countries last December to redraft the International Telecommunication Union treaty to make this decades-old IGO the primary body for Internet governance. Estonia has played a critical role in the opposition to this move, thanks to its firm commitment to transparency and openness (the ITU generally operates behind closed doors) as well as to freedom of expression online. (Next year, Estonia will host the annual conference of the Freedom Online Coalition, a group of states that share similar principles.)
As for NATO: over the past decade and a half, the alliance has made great strides forward in designing and implementing responses to cyber threats. In terms of specific actions, NATO’s current cyber structure consists of three organizations. First is the NCIRC TC (NATO Computer Incident Response Capability Technical Center), which monitors and defends NATO’s own information networks against cyberattacks. Second is the CDMA (Cyber Defense Management Authority), which directs and manages operational capabilities among Alliance members, while the third, the Tallinn-based CCDCOE (Cooperative Cyber Defense Center of Excellence), is charged with developing long-term strategy and doctrine. There are still tensions within the Alliance between states that believe that NATO should focus primarily on protecting its own systems and otherwise play only a coordinating role (such as France), and those like Estonia that argue for a more integrated approach.
Is there a common way for the European Union to deal with cyber issues at the highest level? Is there a mismatch between the speed of legislation and the pace of the development of technologies and threats?
Although it got a later start than NATO, the EU is now beginning to take cyber issues more seriously—its recent cyber security strategy is an example. Yet, there is considerable difference among member states as to how cyber security is—or should be—addressed. The scale of this divide can be seen in the varying responses to one simple question: where does responsibility for cyber security lie within government? Some states assign it to their ministries of defense, others to ministries of the interior/of justice, and still others to specialized inter-ministerial groups reporting directly to the head of government. (In Estonia, the Information Systems Authority is part of the Ministry of Economic Affairs and Communications, and has a more integrated area of responsibility that includes managing the state portal and operating government IT systems as well as maintaining cyber security.)
As for crafting legislation in the context of advancing technology, it’s safe to say that the latter will always outpace the former. This isn’t necessarily a bad thing; governments can hinder innovation and creativity if they impose, say, security regulations before their full impact can be known. The challenge is instead to create governmental structures that will continue to operate effectively even as the shape of the technological landscape changes. Finding and improving such flexible leadership models is a key challenge for all states—including Estonia—in the short- to medium-term future.
What is the reaction of Estonian officials to the dilemma ‘freedom vs security’? Did their judgement change after the PRISM scandal?
Estonia has always placed a strong emphasis on data protection and privacy. While it does not share the same precise concerns as seen in, for example, Germany, the Estonian approach to this dilemma has long come down firmly on the side of personal freedom. For example, the country has some of the strongest freedom of information provisions anywhere in the world: upon a citizen’s request, government agencies—even law-enforcement and security bodies—must disclose the records they hold on the person.
This judgment has not substantially changed after the PRISM program came to light. While Estonia’s public reaction was fairly muted—Estonia has long valued its close partnership with the United States—there is no doubt that Estonian government officials made their misgivings quite clear to their American counterparts in private.  Without focusing specifically on the content of Edward Snowden’s revelations, Estonia has also moved to minimize the impact on its data privacy of other countries’ intelligence operations—as we can see by President Ilves’ recent call to focus on developing Europe’s own data “cloud.”
