
Keynote speech at the European Defence Agency Annual Conference "Security in the digital age: the added value of European cooperation"

23.11.2017

Dear Mister Domecq, ladies and gentlemen,

I know that I am the last firewall between you and lunchtime, therefore let me get down to business right away. There are three issues that I deem important and want to share with you – the importance of cyber hygiene for all our citizens, the importance of really understanding cyber security for all the decision-makers, and the role that the European Defence Agency could have in all of this.

There is probably no need to stress to anybody in this room the importance of cyber security. But I am not equally sure that this sense of importance and urgency is shared by most people outside this conference venue. It is very important to move from cyber defence to cyberhygiene; technology will not help us against the human factor.

Take, for example, the case of the e-mail hack of the US Democratic National Convention of 2016. Whatever we might think of who was behind this operation or how much influence this incident had on the US presidential election results, the fact seems to be that it was largely made possible by hacking the accounts of Clinton's campaign chairman John Podesta. It was not an elaborate technical operation, but rather a very simple phishing operation. Meaning that somebody posed as Google Mail and fooled both Mister Podesta and his IT-support people into giving his passwords. This, combined with not having a two-factor authentication, caused one of the most talked-about e-mail hacks of the last years. And shows – among other things – how little people adhere to basic cyber hygiene and what the consequences might be.

Of course we should never blame the victim, it's just the overall amount or cycle of a problem. And it will continue to be a problem as long as "password", "12345" or "qwerty" continue to be the most popular passwords. And I am also quite sure that there is at least a couple of people in this room who might actually share the same kind of passwords.

Therefore – along all the fancy initiatives, cyber defence programs and new institutions that we create, we must not forget that the human factor and basic cyber hygiene continue to be things that will cause security breaches and incidents also in the future. I do admit that enforcing cyber hygiene is mainly a matter for Member States, but European Union can surely be in this matter a backer and contributor to awareness raising projects. And I am sure that every Member State is doing something in this field. But enhanced message from all of us to our citizens is needed. Given importance of the topic I believe that it would be very practical to learn from each other and also share the best practices, which have helped to raise the level of cyberhygiene in societies.

We know it is important because in Estonia the Wannacry test, it was a global test, but we had any attacks in Estonia, probably because we have higher level of cyberhygiene. And we have it because we have a higher dependence rate on digital services. So it can be taught to people. And it seems we do a reasonably good job. On the other hand when we talk normal hygiene with our people, then we have much worse communication problems. It seems that it is easier to teach cyberhygiene than to wash your hands.

Now to my second point – the awareness and understanding of the decision-makers on cyber security issues. Most contemporary politicians do admit that cyber is important, they speak the language etc., there is genuine political support behind many cyber defence initiatives. But large scale cyber attacks do not hit our systems that often that decision-makers on the political level would be always involved – it is mostly lower scale, usually rather the technical and civil servant level that is making the decisions. And we think it is a good way to move forward day by day. On the other hand it doesn't prepare the politicians if something really happens.

In this regard I am very glad that during the Estonian Presidency EU CYBRID 2017 – a strategic table-top cyber defence exercise – was organized in September by the Estonian Ministry of Defence in cooperation with the European Defence Agency. It was the first such kind of exercise to involve EU defence ministers, with the NATO Secretary General as an observer. Conclusions for EU and NATO. And among many other valuable lessons EU CYBRID 2017 showed that although political level decision-makers would be in the case of a cyber attack the first ones to react and make decisions, their understanding, knowledge and awareness of the nature of cyber incidents still leaves much to be desired. I am not critical, first time and our ministers want more, to make these exercises regularly both on the Member State and EU level.

We in Estonia recently had, I wouldn't call it a digital failure but a digital difficulty, with ID cards. Nothing we did ourselves, but was forced on us internationally. And we learned a lot. That actually this kind of very severe incidents, which did affect half of the Estonian population, could be overcome with system functioning. And what was even more important, we noticed that for our people the alternative was not analog. They refused to accept an analog as an alternative. They definitely wanted to continue to use the internet services.

They demanded that government has to repair a car while it was driving. And this is something worth sharing and it shows how dependent the societies are, will be in the future and you will need to be ready to react to unthinkable. You don't know when it happens and what happens, yet you need to be ready to communicate it to people during the first minutes it happens, how they should react.

Having a one-off exercise would not be a sustainable way forward as cyber domain evolves as we speak. A decision-making process exercised today may be not relevant tomorrow. As political decision-makers raise their awareness, there is also an inevitable need to discuss aspects that are politically sensitive. This includes attribution. A technical point at the first glance, but a political decision by the end of the day. It also includes making a choice between offensive and defensive actions. These all are, of course, for Member States to decide, but nevertheless need to be not only discussed, but also exercised at strategical level. Harmonise strategic thinking.

Ladies and gentlemen,

This brings me back to the role the European Defence Agency should play in all of this. As you all know, the Commission has also been very active in pushing cyber issues and I am glad that on Monday the General Affairs Council adopted its conclusions on cyber security. This will, along with the Commission's cyber package, most certainly give totally new impetus on cyber security issues for the years to come. I do not want to go into the details and different projects that these documents foresee, but on the general level it is obvious that a lot of emphasis and resources will be allocated.

I strongly do believe that in this situation the European Defence Agency should continue with the successful projects it has conducted so far and should complement the projects of the Commission without unnecessary duplication. For example, I believe that EDA should concentrate its efforts on education, training and strategic level exercises, because those are the fields – whether we like it or not – where the Member States have probably the biggest shortfalls and at the same time willingness to do more cooperation at the European level. We must also think on how EDA's cyber activities would contribute to the European Defence Industrial Development Programme and the Permanent Structured Cooperation, and vice versa.

Dear participants,

As a final note I would like to remind everybody about the pace of how quickly the cyber landscape, and therefore also the challenges are changing. Wish you success in dealing with the unknown and update your passwords.

2017 marks the 10th anniversary of three significant events for the cyber world. In April 2007 Estonia became the first state to be hit by a politically motivated and orchestrated cyber attack. Technically we have those cyber attacks now daily.

Less remembered – at least in Estonia – but maybe even more important is the introduction of the world's first smartphone in June 2007 by Apple. And the so-called Aurora Generator Test of March 2007 by the Idaho National Laboratory, which proved that a cyber attack can be used to destroy parts of the electric grid.

The last 10 years have shown us how smartphones – with its possibilities and risks – have become an everyday commodity across the globe. Cyber attacks against states are certainly not everyday occurrences, but also nothing that are that surprising or novel anymore. Cyber attacks against real and physical infrastructure – either against Ukraine's electricity grid in 2015 or against Iranian nuclear centrifuges in 2009 – they are a reality.

These kinds of developments might seem fast – but only when compared, for example, for the many decades it took for the gunpowder to become a ubiquitous tool of warfare. In the cyber field the tempo of change is gathering by the day. Take, for example, AlphaGo Zero, which is basically an artificial intelligence version of the ancient Chinese strategy board-game Go. Developed this year by a Google-owned company, it took for the system 3 days to win a human contestant, 21 days to beat an older version of itself and 40 days to basically exceed all the previous versions. It's therefore probably a serious next step towards artificial intelligence. Which could lead us to some pretty sci-fi scenarios of maybe three years only.

These examples, among other things, probably demonstrate that the pace of changes is getting so fast that we cannot be ready for all eventualities, artificial intelligence is the biggest eventuality we will see. But we should be. And when I think whether we are moving quickly or slow and trying to force a necessary speed decision making and common understanding I always think back a century and how few technological developments really went out of the window because really they were completely replaced with something new. I wish you all the best of luck in 21st century cyber defence and cyber hygiene. Cyber defence is meaningless unless it follows a necessary level of cyber hygiene.

Thank you for listening!