Our country has a virtuous record in punching above its weight in digital development. The field of cybersecurity makes no exception, as Estonia has since long ago proved to be a valuable global pioneer in the best practices for a safe cyberspace.
The news is that now, with the creation of the Department for Cyber Diplomacy, we can more actively improve international cooperation on the matter. Headed by Ambassador-at-Large for Cyber Security Heli Tiirmaa-Klaar, the unit falls under the jurisdiction of the Ministry of Foreign Affairs. The timing is right, as Estonia will also be among the non-permanent members of the UN Security Council for the next two years.
In this interview, Ambassador Tiirmaa-Klaar outlines the challenges awaiting the new department. Together, we must work to shield our countries from international cyber threats increasingly faster, constantly better.
What is cyber diplomacy and what kind of priorities will the new dedicated Ministry of Foreign Affairs department have?
Almost everything in our economy and society relies on digital infrastructure in some shape or form. This also entails new risks and new questions for international relations. Let’s assume that one country exploits vulnerabilities in the critical infrastructure of another country’s cyberspace. How would you find out, and how can you attribute that attack? How does international law apply? What are the best and proportional response measures?
Cyber diplomacy deals with those questions. It has mainly to do with state behaviour in the cyberspace and their compliance with cyber norms, trust-building measures and existing international law. Several cooperation formats have been established in this field at the UN, the OSCE, the EU, NATO, the Council of Europe, the OECD and other international organisations.
The new Department for Cyber Diplomacy, housed at the Ministry of Foreign Affairs, has started operating this autumn. Its staff of advisers comprises of officials from the Ministry of Foreign Affairs, who have already previously worked on various aspects of cyber diplomacy. The department will:
- contribute to sectoral discussions in international organisations;
- promote bilateral and multilateral relations;
- supervise development cooperation in the cyber field and participate in formats related to internet freedom.
The development of cooperation in the field of cyber security figures as well among the department’s tasks. A large number of international delegations from all over the world visit Tallinn every year with the aim to get familiar with Estonia’s cybersecurity scenery, and the new department helps focus on it even more.
What is currently the most pressing issue in terms of cyber diplomacy around the world?
There are many interlinked issues, which all go some way in determining the future of the internet. But the core issue right now is the discussion on existing international law and how to apply it in the cyberspace.
There is no need to create parallel laws for the cyberspace. Just as states must behave responsibly on land, at sea, in air, they must do so in the cyberspace too. It is yet another domain on which we are increasingly relying, and that carries its own new set of complexities. That is why it is important to agree that existing international law applies in the cyberspace, and actually make sure that – if someone behaves maliciously – there are appropriate consequences.
President Kaljulaid recently said in an interview that “it doesn’t pay off” to attribute cyber attacks. What is your take on this?
Estonia is experiencing thousands of small cyber incidents every year. It would be impossible to attribute each and every incident that is technically and politically not relevant. However, attribution plays a very important role in trying to change irresponsible state behaviour. Particularly, it applies when malicious cyber operations are of persistent nature and originate from a nation state. It is important to hold states accountable for their actions. We need to deter, prevent and respond to significant cyber incidents.
Public attribution and messaging are tools for deterring and responding to such behaviour, but also for raising the wider awareness of our societies. Public attribution allows states to send clear messages and shape expectations that malicious cyber operations will not be tolerated, and warn the general public of the seriousness of cyberspace intrusions. In 2018, Estonia supported the like-minded attribution on NotPetya, Wannacry and on GU/GRU operations against multiple organisations, including the Organisation for the Prohibition of Chemical Weapons.
The third Estonian Cyber Security Strategy for the period 2019–2022 has set out to develop national attribution procedures. On 24 January 2019 the Estonian Government adopted guidelines for the attribution of malicious cyber operations. The guidelines create a national framework for attributing activities and ascribe a role to all relevant stakeholders. The guidelines for attribution describe the procedure to offer operational information and contextual analysis for political decision-making on attribution. Each attribution is assessed individually and on a case-by-case basis according to its impact, scale, and other factors. A working group with participants from all relevant ministries and agencies has been established to address the issues related to attribution.
How is the department’s work connected to Estonia’s recent election to the UN Security Council as a non-permanent member?
The department will assist the UN Security Council team on issues related to emerging threats, and on questions related to international law’s applicability to them. Our key message is that all states must hold up international law and implement norms of responsible state behaviour. These have been established by UN First Committee Groups of Governmental Experts in their reports in 2010, 2013, and 2015.
What kind of opportunities does the UN seat offer to Estonia to reaffirm our leadership internationally in cybersecurity?
While cybersecurity is not officially part of the main agenda of the UN Security Council, it is increasingly understood that technology plays an important role in promoting peace and security in the modern world. We hope to put Estonia’s extensive expertise and our strong values in this field to good use in various matters on conflict prevention.
Based on current concerns at both the national and international level, on which aspects of cybersecurity can Estonia become a valuable ally?
Estonia has a good network of international partners whom we value very highly. Our outreach to small and medium-sized states has been very helpful in raising awareness on cybersecurity issues and solutions through international law’s applicability to the cyberspace, as well as for the recognition of international norms and confidence building measures.
One of our external priorities has also been to strengthen the fight against cybercrime and introduce the European Council Convention on Cybercrime (also known as the Budapest Convention). By 2019, the Convention raised over 60 signatories, and the number is constantly growing. Estonia also supports relevant capacity building programs to fight cybercrime and strengthen the digital infrastructures in developing and transition countries.