Estonia needs a new high-level spokesperson in the cyber field.
In April and May, Estonia celebrated the tenth anniversary of the Bronze Night cyber-attacks of 2007. Indeed, “celebrated” is the right word, because the brief fear caused by the denial-of-service attacks was soon replaced by consecutive victories in foreign policy. In the ten years since, the NATO Cooperative Cyber Defence Centre of Excellence has been established in Tallinn, and representatives of 20 countries currently work there; Estonians have been appointed to several prestigious positions in the cyber field and, often motivated specifically by cyber security, Estonian bilateral and multilateral relations have strengthened all the way from Japan to the islands of the Caribbean.
In foreign policy, Estonia has at least two very clear motives for being a member of the club of cyber states. First, we are more vulnerable to cyber-attack due to the state’s and society’s ever-growing dependence on digital solutions. Thus, Estonia has an increased interest in developing and agreeing international behavioural models to protect our digital way of life. Second, the prominent role of Estonia in cyber issues helps to develop a good reputation for the country that spills over to other fields of foreign policy.
Cyber-attacks committed by foreign states may endanger the national security of Estonia in several ways. Estonia’s Emergency Act lists dozens of vital services, of which most can be disrupted by cyber-attacks, from the functioning of the electricity and gas supply to processing emergency accident messages and the functioning of payment services. In Estonia, there is an additional risk due to greater dependence on the services of the information society. It is not hard to imagine how cyber-attacks against X-Road, e-Tax, Digital Prescription or e-Land Register, for example, could cause significant failures in the workings of society. Furthermore, since we consider attacks originating from Russia to be the most likely in Estonia, we can imagine a scenario in which the Russian-speaking population is frightened by misinformation circulating in cyberspace, thereby causing internal instability and unrest.
Agreements between states on the required and prohibited conduct in cyberspace have an important role in preventing cyber-attacks. In general, such norms of conduct are divided into two categories: mandatory, i.e. rules imposed by international law, and recommended, i.e. behavioural models that are adhered to when circumstances permit. Such directives are especially valuable to a small state such as Estonia that lacks effective measures to deter the cyber-attacks of a potential adversary and which is almost completely dependent in that regard on the economic and military capabilities of its allies. Hence, it is important from the Estonian standpoint that it be included in the development of conduct norms and that Estonian interests are reflected in the agreements.
Since 2007, Estonia has always had its place at the negotiating table. Its reputation in cyber issues is so good that Estonia has always been elected to the UN group of national experts—to which, in its last three compositions, representatives of 15, 20 and 25 countries respectively have been selected but a significantly larger number of candidates aspire to be a member. One can speculate that behind the unprecedented decision to prefer Estonia over other states—even more so because it is customary to vary the states participating in such formats1—is the fact that, in this group, Estonia is represented by Marina Kaljurand. She is a reliable ally for Western states because her statements reflect shared democratic values. Even the so-called opposing camp respects Kaljurand, because she is not seen as a mere mouthpiece of the United States or other superpowers, but as an independent thinker who, in the search for compromise, may make certain concessions in the West’s demands.
Three of Estonia’s main spokespersons in the cyber field—Marina Kaljurand, Toomas Hendrik Ilves and Taavi Rõivas—moved on from previous positions, so Estonia must inevitably look for their successor. Without a proficient and convincing salesperson, Estonia’s position at the forefront of resolving cyber issues cannot be guaranteed. Since the IT field is close to Ilves’ heart, Estonia also indirectly benefits from and is recognised politically due to his talks as an opinion leader at Stanford University. Kaljurand, however, leads a newly established international commission that aims to develop suggestions on guaranteeing stability in cyberspace and avoiding conflicts between states. This is probably one of the most important initiatives of cyber norms in recent years, resulting in the guaranteed continuing representation of Estonia in the cyber field through Kaljurand.
On the other hand, it must be borne in mind that neither Ilves’ nor Kaljurand’s personal dedication to cyber security eliminates the need to find a new official high-level representative for Estonia on cyber issues. Considering its vulnerability to cyber-attack, cyber security must remain a strategic priority for Estonia. To ensure its interests, including continuous participation in the development of national codes of conduct, are recognised internationally, either a member of the government or the head of state has to take on this responsibility. Whilst people outside the field may look at IT issues with a puzzled gaze, fearing their complexity, they should not be discouraged. Kaljurand and, for example, Sven Sakkov, the director of the NATO Cooperative Cyber Defence Centre of Excellence, managed to familiarise themselves with the main topics in the field in a relatively short time, so the spokesperson on cyber issues does not need to have a long-term professional background in the field. As an alternative, Estonia could consider appointing a “cyber ambassador”, following the example of Australia. The task of the Australian Ambassador for Cyber Affairs, appointed at the end of last year, is to represent the country and to stand up for its sectoral strategic interests in international engagement.
In addition to a national spokesperson, Estonia must also continue to understand the cyber security field in depth and develop it. In other words, form alone is not enough; substance has at least the same importance. In that respect, Estonia can largely rely on the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn. Under the leadership of this organisation in particular, the Tallinn Manual2 was developed, which helps states to understand how international law regulates cyber operations. The Tallinn Manual describes opportunities for how international law allows a state to protect itself, should it become the target of a cyber-attack. However, when a country itself plans to conduct cyber operations, the state’s legal advisers are able to evaluate with the help of the book whether the proposed operations are permitted under international law, and they can review the conditions with which the activities must comply. Notwithstanding that the Tallinn Manual was developed under the auspices of the NATO centre rather than an Estonian research institution, and that only one of its 19 authors is Estonian, Estonia has benefited indirectly in terms of image thanks to the book’s title.
In order to lead the development of the cyber field on the international level in the future, Estonia must develop a long-term vision and action plan. The fact that it is vulnerable to cyber-attack as an information society does not automatically mean that Estonia has influence at the negotiating table. The NATO centre will remain in Tallinn; for the next couple of years, Kaljurand will lead the operation of the international commission, and Ilves will continue tweeting. However, the first of these initiatives is not just an Estonian affair but, rather, a joint undertaking between allies, and Kaljurand and Ilves’ activities reflect not the vision of the state but their own personal interests and ambitions. So what does Estonia wish to accomplish in the cyber field from now on, and how can cyber issues promote the country’s broader strategic interests? These are questions that neither politicians nor officials can overlook if Estonia wishes to maintain a long-term leading role in cyber issues.
It is not worth being part of the cyber elite just because Estonia’s voice has been heard in regulating the cyber field. It presents a significantly greater opportunity for image management in the course of which Estonia can present itself as a state with a vision, initiative and credibility that can perform the role of an opinion leader. Advantages originating from the positive image also transfer to other fields of foreign policy that are important for Estonia. Why not aspire to a status similar to the United Kingdom in external communication, where it generally does not matter which particular individual represents the country—he or she will be listened to attentively, because they represent a country that always has reasoned, substantial, cohesive and easily comprehensible positions. Thus, Estonia’s credibility no longer depends so much on the spokespersons, even if they have charming personalities like Kaljurand or Ilves, but it is attributed to the country’s representative merely due to the fact that the person sits at the table behind a sign that says “Estonia.
1 Pursuant to the regulations of the General Assembly of the United Nations, groups of national experts are established on the basis of “equitable geographical distribution”. See, e.g., UN General Assembly Resolution 70/237 of 30 December 2015, paragraph 5. However, permanent members of the UN Security Council have a guaranteed membership in the group of experts.
2 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, editor-in-chief Michael N. Schmitt, Cambridge University Press, 2017. www.cambridge.org/ee/academic/subjects/law/humanit… .
This article was published in ICDS Diplomaatia magazine.