Few fields generate divisive trends internationally as much as the cybersphere. With the emergence of information society and its establishment reaching full maturity, advantages come together with risks.
As the digital becomes more and more positively pervasive in our everyday existence, malicious actors also have the chance to exploit eventual weaknesses of vulnerable cyber subjects to shake the stability of our democracies at their very core. Developing strategies and antibodies against such threats become fundamental not only to shield the society on the outside but also to strengthen our own digital way of life.
Introductions should not be necessary in this case, but sometimes we can let pride prevail. Heli Tiirmaa-Klaar is the Ambassador-at-Large for Cyber Security at the Estonian Ministry of Foreign Affairs. Over ten years of high-level experience in cyber-affairs on her side, including positions at NATO and the EU, made her one of POLITICO’s game changers likely to shape our world in 2019.
In a world that sees alliances and blocs realign along specific patterns, Ambassador Tiirmaa-Klaar can help us collect our thoughts and get a grasp of what awaits advanced democracies this year. When big political actors join the playground, there’s always a lot at stake.
Heli Tiirmaa-Klaar, Estonia’s Ambassador at Large for Cyber Security
When it comes to cyberspace regulation, Western powers seem to head towards a certain direction, other countries to another. Are we witnessing the emergence of a new, cyber cold war?
I would not say that there is a new cyber cold war emerging. However, it is true that, when it comes to global cyber issues, countries often project their existing political views to this relatively new field. Authoritarian countries promote government control over the free Internet, and democratic countries would like to see an open and free cyberspace with free flow of information. It is clear that the conventional power dynamics from the last century are still visible. However, we are seeing many emerging powers in the global arena that are making the polarisation less clear. This is also illustrated by the fact that many nations see the value of the open cyberspace for their social and economic development, indicating a clear interest in making their voice heard, as well as their willingness to contribute to the global discussions on cyber issues.
What are the main threats that states and democracies see ahead, today, to their cybersecurity?
There are many issue-areas that states are currently working to solve. Since 2016, election security, disinformation and large-scale cyber operations have shifted the focus of what states are now trying to regulate in cyberspace. The common denominator is the fact that we need to assure that state actors know that what they are doing in the cyberspace is taken seriously and, in case their actions and intentions could be considered harmful to other states, that there is a clear response. Therefore, many states have already developed – or are in the process of developing – robust attribution and response mechanisms.
Since cybersecurity breaches can have serious consequences, the response to the perpetrator should aim at reducing the possibility of occurrence of any among such actions, which is why the response mechanisms should not only be limited to cyber means but also include political steps.
Additionally, cybercrime is a growing concern, particularly in light of the recent large-scale cybercrime cases, such as NotPetya and WannaCry. Although the two named incidents have been attributed to state actors, cybercrime on a smaller scale can also be a threat coming from non-state actors. This is the primary reason why the EU is constantly advocating the recognition of the Convention on Cybercrime, as well as the establishment of domestic cybercrime legislation in countries where the current legislative system would be powerless against cybercrime.
With the elections to renew the European Parliament in spring this year, do you feel like European countries need to increase the level of readiness towards cyber threats?
The upcoming European Parliament elections in May this year will definitely bring election security and, within it, internet-enabled election meddling into the limelight. The key elements of concern also addressed by the European Commission already in September 2018 included preparedness for online manipulation. This is why greater transparency in online political advertisements is needed. At the same time, awareness of the micro-level of news consumers is necessary.
In some of the previous elections in the EU, and also outside the Union, we have witnessed some scandalous stories emerging only shortly before the elections. Any signs that look out of the ordinary should be treated cautiously. Now more than ever people need to use common sense when coming across stories online from unverified sources.
On the other hand, the strong suit of the European Parliament elections is the fragmentation of the election structure – it is more difficult to influence elections in the EU as a whole because each member state requires a different approach, although the potential threat against some of the key member states is always there and greater than in others.
Estonia has witnessed already what it means to experience a cyberattack (2007). Is this a chance for us to establish or reaffirm our position internationally at the forefront of the fight, legal and technical, for safer cyberspace?
The 2007 cyberattacks were the turning point for Estonia’s internal cybersecurity policy development. Although we had set up our own national Computer Emergency Response Team (CERT) already in 2006, the events indicated many of the key elements that had to be either built up or improved significantly. Does the fact that we have contributed to improving our systems set us before other countries in the field? I believe that somewhat yes.
We have developed hugely since 2007 and due to our relatively small and dynamic digital ecosystem, it has been easy to keep our systems up to date and running even at times of some global large-scale cyber ransom cases. Which, however, did not affect Estonian organizations and this shows our strong effort to prevent cyber disruptions has been successful.
Some of our domestic structures have been constantly modified according to the changing threat environment. We have adopted the third generation Cybersecurity Strategy for 2019-2022 that is focusing on increasing the technological and organizational capacities throughout our entire digital ecosystem. We have already a list of elements that are being improved not for the first time and we are glad to share the experience with countries that are in the starting point with their own cybersecurity developments.
Let’s end on a lighter note: how does it feel to be included in Politico’s Class of 2019 among next year’s doers?
POLITICO’s news came as a very positive surprise to me. 2018 ended with an exceptionally busy period that has hopefully paved the way forward for our plans for this year. Cybersecurity is not an issue that will go away, but only grow in importance. We’ll need to make sure existing international law is applied in cyberspace and the norms of responsible behaviour for countries are clear and rigorously upheld.