A female leader in the cybersecurity field, or in tech at large actually, is still as rare as rain in the Sahara desert. Liisa Past has been making her way up in that world rather impressively, though. In our big interview, we talked about election tampering, i-Voting & North Korean literature.
Liisa’s career has taken her from heading comms at the NATO Cyber Defence Centre and leading research at the Estonian Information System Authority to being the Chief National Cyber Risk Officer of the Estonian Government Office. After a public service career, Liisa has now joined the R&D-intensive ICT company Cybernetica as their Head of Cyber Security Business Development.
Your background is in communications. How did that switch to cyber happen?
I loved strategic communications in the innovation, defense, and human rights realms where I needed to learn the content of what we were saying. I believe my strength was the ability to map where communications can add value. It also applied to the non-profit and defense world – I was the one who came to the table and asked: “Good idea, but what’s the business case?”
I applied for the NATO Cooperative Cyber Defence Centre of Excellence directorate position in a completely “cold” manner by sending my CV. Their HR at the time called back to make sure that I knew what it was. “Are you aware you will be joining the Estonian Defense Forces? Is this exciting enough for you?” I replied that I could and will only say no to a specific offer. I am wondering till today what was that about? Poor self-image? Perhaps it was. At the time, the organization’s presentations started with the disclaimer of what they were NOT – we are not NATO, we are not the Allies, we just have some ideas here…This was the first thing to change.
The Centre’s role as a knowledge hub, the ability to think freely is its strength. The NATO CCD COE can look beyond the horizon and focus on the pressing or impactful. That shift in organizational identity has fortunately stuck.
I was very excited to work there every day. It was such an engaging, ideal environment to focus on while the organization grew significantly – from half a dozen countries in 2007 to close to 30 today.
The NATO Cyber Defence Centre is being used quite a lot in the Estonian national PR, too. Its existence adds certain credibility to the country. But what does it mean for us?
NATO has quite a few centers of excellence. They are a part of NATO’s post-Cold War transformation of the strategic commands. The Alliance’s strength lies in the values it defends and the consensus-based decision-making process.
The NATO centres of excellence have more agility and flexibility to work on emerging issues and look around the corner. They are not a part of the chain of command, but NATO accredits them.
In essence, the centres are expert communities, think-tanks, training centres. Being a pioneer in all things digital, Estonia started campaigning for the Cyber Defence Centre in 2006 already.
And then, “luckily,” the 2007 cyber-attacks happened.
The coordinated cyber attacks integrated into wider political operations against Estonia were a wake-up call to many others. After that, the centre in Estonia received the accreditation relatively quickly because other countries’ political will was suddenly there, also.
Why did you decide to move on from the NATO Cyber Defence Centre?
I have two criteria when working on something. 1. Oh, that is so interesting! and 2. Can I make it better?
At that time, the Information System Authority’s (RIA) Director-General, Taimar Peterkop, the current Secretary of State, had begun to invest in RIA’s analytical capacity.
Usually, the space between technical security and decision-making has often not been populated. The tech crowd has been free to operate because their field is so over-mystified. “It’s technical = too complicated!” The decision-makers have not intervened much.
That approach no longer works in a society where every asset of life depends on digital solutions. These silos for law, policy, and technology cannot exist separately.
You are quite correct. It IS a world with complicated tech. How do you keep yourself on top of things? How do you make sense of it all? It’s not like these savvy cybersecurity techies have become all of a sudden more willing to explain what they do.
Well, the burden cannot be on the engineers either. In technology today, security, in particular, communication is the number one skill. Those responsible for communications have to be equal sparring partners to those in management and technology while interweaving them for the public. You should not be afraid to ask questions and cannot accept “it is technical” as an answer.
Ecosystem thinking, which is Estonia’s greatest strength, has helped me the most. You don’t need to think about any particular technical service or technical system. Instead, I’m thinking about the benefits: Why are we doing this?
Also, working with dedicated, clever, like-minded people helps. That indeed was the case at the Estonian Information System Authority and it came out especially during the so-called ID-card crisis when security flaws were discovered in the chip firmware. Everyone worked hard for the common goal – how do we sustain this whole ecosystem that relies on secure digital identity. It is not eID for the sake of eID, but that all the services where it is used for function properly.
At the same time, we had the local government elections coming up, so there was no point in concentrating on the blame-game.
It still went to court, though.
Naturally, the vendor should be responsible for the promises made in the contract. However, it was never “it is their fault, and we’re walking away.” All the involved parties in Estonia worked very hard for a solution.
I think the photo of the first press conference gives a good idea of how collaborative it was – you had the Prime Minister, two directors-general, and the responsible ministers all behind one table, ready to provide answers. This aggressively transparent and open approach is Estonia’s great strength.
In Estonia, ca 50 startups and a total of 90 companies operate in the cybersecurity field. On the one hand, it shows a growing need. On the other hand, is it probably fashionable to start doing something in the cyber area now?
These two things go hand in hand – infrastructure and security are a natural part and facilitators of innovation. If you do them in retrospect, it will be significantly more expensive and inconvenient – like building a house and adding the windows and doors as well as locks and ventilation later.
But in many countries and companies, this is precisely the case.
Estonia has actually done very well, we saw that in the speedy transition to remote work earlier this year. This shows that both the security culture and infrastructure exist. Of course, there are some hiccups, and the need for investment is apparent becoming clear in some areas.
However, Estonia has fundamental facilitators in place. We have a government-backed secure digital identity and a uniform data exchange mechanism. These two allow anyone to build services and innovate. It’s fascinating to see the development work in both going on in Cybernetica today.
The 2007 attacks prepared us for today way better than other countries. Today, when we are so strongly dependent on supply chains and specific technologies, security becomes especially important.
The 2007 Russian cyberattacks were mainly DoS (denial-of-service attack). But now, it has become much more cunning, and the traces are not even that much hidden. I’m talking about influencing elections – in several countries. And I do not see that this is being effectively fought against?
The attacks in 2007 have never been attributed to the Russian Federation. The attacks’ patterns are in line with the times when people could do something in the time zones of the Russian Federation, and there were posts found in Russian in some hacker forums. But it has never been directly attributed to actors under the control of the Russian Federation. Partly due to the fact that Estonia’s focus during that time was on keeping its services and network up and the impact to a minimum. Gathering evidence wasn’t in focus.
The attacks against elections around the world have been more direct and clearly attributed.
Now there are even better mediums or even facilitators. Facebook is being associated with influencing elections and politics in many countries.
It is a channel that can be used as a tool, yes. But to say that Facebook, or any of the platforms, have directly changed elections would be a bit of a big step.
There are no confirmed cases in Estonia, nor in the United States, of specific cases of falsified votes. These types of attackers have different tactics – they are opportunistic and reactive. I like to describe it as throwing spaghetti to the wall – to see what sticks. This has been the case with Georgia (the country) in 2014 and the 2016 French and American presidential campaigns. The adversary was out to create confusion, suspicion, delegitimize, or even ridicule all the democratic processes. The attackers’ aim is to weaken confidence in society and create polarization or alienation.
The 2016 American presidential campaign has been clearly attributed to the intelligence agencies of the Russian Federation and the people operating in them and there are indictments against Russian intelligence officers.
But nothing comes of it, it is like trying to catch a fish with your bare hands.
Of course, it would be naive to think that Russian intelligence officers will now surrender and stand trial in America. But it matters to stand for rule of law and show that we know what is going on in these networks and we can investigate it. Secondly, we are clearly stating what is unacceptable behavior. Thirdly, these attributions create state practice. Fourthly, attribution is the basis, under international law, for countermeasures and self-defense.
What’s the latest in personal cyber-hygiene? Are we still taping our laptop cameras and mics?
Especially now, where I don’t always work in the office, my laptop has screen and camera covers; the latter is not permanently taped because of Zoom meetings. During more sensitive conversations, I make sure that there are no electronics in the room and no smart-watch on my wrist.
And last, I would like to know who you follow for trusted and innovative cyber-space news? And what was the last book you read and recommend?
Kim Zetter, the journalist and the author of “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon,” Estonia’s previous President Ilves, Merle Maigre now of the e-Governance Academy, and academic Thomas Rid are on top of their game. I always try to keep an eye on their Twitter feeds and never miss a chance to have a conversation with them in real life. Rid’s books are true readable gems on security.
Keir Giles has a sharp eye for Russia and his “Moscow Rules: What Drives Russia to Confront the West” is an excellent way to explain Russia.
The last book that really moved me was the collection of short stories “The Accusation: Forbidden Stories from Inside North Korea,” which so well shows the control mechanisms of a totalitarian society. The author, named Bandi, is someone who belonged to the North Korean nomenclature and whose identity has been preserved. It is similar to, but lighter, than Solzhenitsyn’s “The Gulag Archipelago” and a little satirical. I read it in one or two evenings. It was a parting gift at my last job, and it came with a dedication that says: it is always worse somewhere.