
President of the Republic Opening speech at CyCon 2017

31.05.2017

Dear CyCon audience,

The use of ICT technologies has made societies and organizations more connected. However, it has also introduced new vulnerabilities and threats to public institutions, critical services and private entities.

This April marked the tenth anniversary of the cyber-attacks that hit Estonia in 2007. In 2007, several Estonian private and public e-services faced malicious cyber operations. These coordinated attacks focused the international community's attention on the severe risks posed by the increasing reliance of states and their populations on cyberspace. In retrospect, these were fairly mild and simple DDoS attacks. Far less damaging than what has followed. Yet it was the first time one could apply the Clausewitzian dictum in cyber space: war is the continuation of policy by other means.

Ten years on, it is clear that the decision made by Estonia not to withdraw, but stay and fight for the security of our cyberspace was the right one. We have high-functioning e-government infrastructure, reliable digital identity, a system of security measures that is obligatory for all government authorities, and a central system for monitoring, resolving and reporting cyber security incidents.

The most important element of protection is, of course, common understanding that protection can never be guaranteed technically, in system, on background. Finally it comes down to cyber hygiene of human beings. Also, we must understand that cyber-attacks are something which is here to stay, but that it does not mean honest societies must steer clear of benefitting from technological advances. Quite to the contrary – we must speed up offer of public goods through cyber space, not to abandon it to the bad guys. We do protect our street space – we never accept to withdraw. It should not be different in cyberspace.

What threats do we face, what sorts of risks must be considered, and how to protect ourselves better? Year 2016 will be remembered for a number of unprecedented cyber incidents around the world. We saw one country attempt to influence the electoral process in another country. We saw how WannaCry exploited the fact that people do not update what they use, therefore demonstrating we are not yet using protective gear we have. Most people act in cyber space as recklessly as those driving on highways without seatbelts fastened. We saw how the Internet of Things was exploited to attack core services of the internet, the effects of which transcended national and continental borders.

The number of devices connected to the internet is already many times larger than the number of devices we would traditionally call computers. The IoT has led to a new kind of risk that neither manufacturers nor users anticipated. No specific cyber security requirements and standards exist for devices on the IoT. The whole sector has developed so rapidly that market regulators have not kept up with the development of the technology. As a result, the approach to the threats from devices on the IoT has been reactive rather than preventive: the focus is on minimizing and eliminating consequences of the incidents. Large-scale DDoS attacks that rely on IoT devices are a potential threat to countries as well as to the basic internet infrastructure itself.

Vital services are increasingly cyber-dependent. On the basis of worldwide events in 2016, the ever higher impact of cyber incidents could be seen mainly in the energy, healthcare, financial services and transport sectors. Two attacks on the energy system structures in Ukraine a year apart marked a sea change. A year ago, crippling of the energy system was considered an extraordinary occurrence, but in 2016, hazardous cyber vulnerabilities were a topic in very advanced, stable countries as well. Of course, not all attacks reflect the geopolitical interests of a specific country. But the established pattern is that tensions between countries also find expression in cyberspace.

What to do? What measures are we thinking we can take in E-Estonia? Information systems are an integral part of the Estonian state. Estonian laws presume the existence of access to registers. Estonian state has a digital backbone that supports all the rest. All digital services must function smoothly if state and society are to function in the manner that people are accustomed to. Thus the digital state must be able to keep up with the changing expectations. People want their state to be digital, but also to be secure.

Estonia proceeds from the principle of security by design. This general principle for development also pertains to updates developed due to technological advances. It is all the time applied to the foundations of the Estonian digital society, such as solutions for the electronic identity used for authentication (eID) and the state information systems data exchange layer, X-road.

A trusted electronic identity is becoming more and more important in digital society: it is extremely important that we know with certainty who is who in the electronic world. Estonia has been a trailblazer in the field of electronic identity and we have often been cited as a model worth following.

We all know by now that authentication by password alone can no longer be considered secure. In Estonia, state systems and e-services that use ID-card- and mobile-ID-based authentication systems are well-secured by physical component and two passwords. Compared to the rest of the world, this makes it extremely complicated and costly to access data from Estonia’s government and bank services, and reduces the attractiveness of these services as a target for criminals.

Major global service providers such as Google, Facebook and Microsoft have successfully launched two-factor authentication and its use rose significantly in 2016. This indicates that all developed states now absolutely must follow Estonia, Google, Facebook and Microsoft, if they do not want to lose attention of their own citizens. Every citizen of any developed country is more and more attached to services offered by private sector over internet.

I have a question: Why trust a state which is not able to release its citizens from visiting government offices, if every shopkeeper manages to release people from physically presenting themselves in the shops? That is the question governments must ask themselves today, if they have not yet so done.

In Europe, countries should be right now in the middle of implementation of what is called eIDAS – regulation on electronic identification and trust services for electronic transactions in the internal market. By September 2018, EU Member States are to accept each other’s eIDs mutually. For this to happen – and thus for there to be more security for EU citizens and residents – EU countries have to pick up the pace in implementation of eIDAS. That means start notifying their national eID schemes, for example. But we also actually need countries to take strong eIDs into use in the first place still, too. Not everyone is there, yet.

One more note on the two-factor authentication. It is no magic wand just by itself, of course. As the crypto algorithms age, as the underlying protocol of text-message or phone-call communications was just recently broken – countries like Estonia and the Googles and Facebooks and others always have to continue working to upgrade the strength of factors themselves.

All the challenges, which we resolve technically, or face and yet cannot resolve, must also have a legal solution. Tallinn Manual 2.0 is by far one of the most comprehensive analyses of international law applicable to cyber operations. For liberal democracies that respect the rule of law, international law undoubtedly shapes and bounds governments' activities.

International law applies in cyber space. At a time when the actions of unscrupulous states and violent extremist groups continue to threaten peace and security internationally, it is even more important that such actions are countered with a strong commitment to existing international law and the values that it represents.

Cyber Operations have become an integral part of international relations – the recent launch of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations is a practical handbook for state legal advisers of how to deal with these issues.

Most of the latest incidents where interference by state actors has been suspected have been below the threshold of using force, as it is defined in the Charter of the United Nations. They are so-called peacetime operations. That is the sphere where Tallinn Manual 2.0 has concentrated its efforts. No other initiative in the world carries so comprehensive an overview of many different experts from various countries.

It is now best used by states trying to create their national positions on applying international law in cyber space. Government advisors can give legal opinion on different attacks and how they might be analysed, based on the law existing for the analogue sphere. Tallinn Manual can be of great help in this task.

As always, when we are discussing security, states must decide the threshold for their action. Where will be their red lines? Already defining these red lines would act as cyber domain deterrent. It would also add to the transparency of the cyber domain if States were to define what their respective thresholds are, in order to guarantee both internet security and freedom of use at the same time. We do not want to give up our freedoms in cyber space either.

As you know, Estonia will take over EU Council Presidency soon. Our Presidency has a strong digital agenda. We must make sure we maintain cyber space for the white powers and not abandon it to the dark forces. The future of the world will be digital. A prosperous and sustainable Europe embraces technological transformation by boldly seizing the opportunities offered by this trend. At the same time, rapid change and new technologies always create vulnerabilities: our task will be to balance these risks and benefits fairly.

Technological innovation in itself is not the endgame, but a tool that can make the lives of people, companies and governments easier. This is why for us, using smart IT solutions is a thread that runs through the entire presidency – the EU is a complex entity and we should use every opportunity to make its functioning more efficient and easier to understand.

In the same way, the free movement of data is something that concerns all European policies and fundamental freedoms. We need to find ways to ensure that the data is used in a secure way for our individual and collective benefit.

80% of EU citizens are now online. In this context, it seems pointless to ask why we should think and act digitally; rather it’s a question of how to do it. We do not want to bore our friends and colleagues in Europe with stories of e-Estonia, but instead hope that our experience in this field can help and inspire. We recognise different societies face very different challenges while going digital. With our experience, we can provide some answers and point to a few potential caveats, but we must and will not call on others to do exactly as we do. EU is a union of different nation states and every state is also a culture. That culture must be preserved while going digital, because people expect it.

E-residency, declaring taxes online in just five minutes or digital prescriptions aren’t just nice things to present at conferences, but real-life solutions that benefit both people and the state. It means time saved and trees left growing. Anything digital is often thought of in the framework of economy and efficiency – indeed we estimate we save 2% of our GDP by just signing everything and anything digitally, but digital tools are also there when we want to speak to our families, look for a job, listen to music or operate a wheelchair.

Our EU Council presidency will focus on the establishment of a Digital Single Market, increased use of e-solutions and data as well as on the development of cross-border e-services. We think Europe is ready for a change in gear, for creating a common modern, accessible and secure electronic environment. An environment where people can shop online cross borders or interact with their government or between themselves with ease and without fear.

That is why progress on cybersecurity will be one of the pillars of our EU Council Presidency core programme. We need to focus on facilitating the strategic discussions among Member States on the road ahead – as we expect to have EU Cybersecurity Strategy on the table by autumn. We will work to make the Network Information Security (NIS) directive effectively work, for example, by leading the work of cooperation formats envisioned there.

We will also lead discussions on the proper institutional set-up on EU level, for example, by negotiations on the ENISA mandate in Council. Last but not least – we will do concrete actions to boost the cyber resilience of Europe, like holding a tabletop exercise for defence ministers or compiling a guidebook on how to react to cyber incidents on EU level. That will be quite a programme for 6 months.

We also need to establish a European certification scheme, especially for staying safe in IoT world. Elaborating a European Union cybersecurity certification scheme avoids having to certify companies in each Member State of the EU with different methods and evaluation criteria. But no system, standard or certification will help unless we can also teach people to take care of the hygiene aspects while online.

Learning by doing has been so far acceptable, but the more dependent everyday life has become on internet-related services, the more cautious and conscious of the risks our people must be. Here I see the greatest field of co-operation between EU and NATO – the distribution of knowledge for civil society, in less military terms than we use in cyber domain.

Now, finally, my friends, allow me to say how much I appreciate the whole CyCon team!

CyCon is unparalleled in its multidisciplinary approach in bringing together representatives from the government, military and industry to address legal, technology and strategy perspectives and exchange ideas on the complex topic of cyber conflict.

I hereby recognise the excellent work of the NATO CCD COE in preparations for this event. Thank you for making us all safer and offering an option which allows to embrace opportunities provided by technology, explaining to people the risks linked to it and through this global demystification effort making sure both states and private actors feel they can trust cyberspace no less than analogue sphere.