At the European Defence Agency Annual Conference in Brussels

23.11.2017

I know that I am the last firewall between you and lunchtime, so let me get straight down to business. There are three issues that I deem important and want to share with you: the importance of cyber hygiene for all our citizens, the importance of truly understanding cyber security for all decision-makers, and the role that the European Defence Agency could play in all of this.

There is probably no need to stress the importance of cyber security to anyone in this room. However, I am not equally sure that this sense of importance and urgency is shared by most people outside this conference venue. It is crucial to move from cyber defence to cyber hygiene, as technology will not help us against the human factor.

Take, for example, the e-mail hack of the US Democratic National Convention in 2016. Whatever we might think of who was behind the operation or how much influence the incident had on the US presidential election results, the fact seems to be that it was largely made possible by hacking the accounts of Hillary Clinton’s campaign chairman John Podesta. It was not an elaborate technical operation, but rather a very simple phishing act: someone posed as Google Mail and fooled both Mr Podesta and his IT-support staff into giving them his passwords. This, combined with not having two-factor authentication, caused one of the most talked-about e-mail hacks of recent years. And it shows, among other things, how little people adhere to basic cyber hygiene and what the consequences might be.

Of course, we should never blame the victim – it’s just the overall bulk or cycle of a problem. And it will remain a problem as long as ‘password’, ‘12345’, and ‘qwerty’ continue to be the most popular passwords. I’m also quite sure that there are at least a couple of people in this room who might actually have something similar as their own passwords.

Therefore, along with all the fancy initiatives, cyber defence programmes, and new institutions that we create, we must not forget that the human factor and a lack of basic cyber hygiene will continue to cause security breaches and incidents in the future. I do acknowledge that enforcing cyber hygiene is mainly a matter for Member States, but the European Union can surely be a backer of and contributor to projects that raise awareness of the issue. I am sure that every Member State is currently doing something in this field. However, we need an enhanced message from all of us to our citizens. Given the importance of the topic, I believe it would be very practical to learn from each other and also share the best practices, which have helped to raise societies’ levels of cyber hygiene.

The WannaCry ransomware incident made us sharply aware of the importance of cyber hygiene: though global in nature, it only affected a handful of computers in Estonia, probably because we have a higher level of cyber hygiene. This, in turn, is primarily because we have a higher dependence rate on digital services. Thus, cyber hygiene can be taught to people. And it seems we do a reasonably good job at it. On the other hand, when we talk to our people about normal hygiene, we have much worse communication problems. It seems it’s easier to teach cyber hygiene than simply washing your hands.

Now to my second point: decision-makers’ awareness and understanding of cyber security issues. Most modern-day politicians admit that cyber is important. They speak the language and there is genuine political support behind many cyber defence initiatives. However, large-scale cyber-attacks do not hit our systems often enough for decision-makers to always be involved on the political level: it is mostly on a smaller scale and usually on the level of technical experts and civil servants making the decisions. And we think this is a good way to move forward, day by day. On the other hand, it doesn’t prepare politicians for if something really happens.

In this regard, I am very glad that during the Estonian Presidency, EU CYBRID 2017 – a strategic table-top cyber defence exercise – was organised by the Estonian Ministry of Defence in cooperation with the European Defence Agency. It was the first such type of exercise to involve the EU defence ministers, with the NATO Secretary General as an observer. Among many other valuable lessons, EU CYBRID 2017 showed that although decision-makers on the political level would be the first to react and make decisions in the case of a cyber-attack, their understanding, knowledge, and awareness of the nature of cyber incidents still leaves much to be desired. However, I am not critical: it was the first time such an exercise was held and our ministers want to hold more, both on the Member State and the EU levels.

We in Estonia recently had, I wouldn’t call it a digital failure, but a digital difficulty, with our ID cards. It was nothing we caused ourselves, but was forced upon us internationally. And we learned a lot. We learned that these kinds of very severe incidents, which did affect half of the Estonian population, can, in fact, be overcome with all systems still functioning. And even more importantly, we noticed that analogue technology was not an alternative for our people. They refused to accept it as an alternative. They firmly wanted to continue using e-services.

They demanded the government repair the car while it was being driven. This is something worth sharing, as it shows how dependent societies are and will be in the future. We will need to be ready to react to the unthinkable. We don’t know when it will happen or what will be happening, but we need to be prepared to communicate how people should react over the course of the very first minutes.

Holding one-off exercises would not be a sustainable way forward, as the cyber domain is evolving as we speak. A decision-making process exercised today may not be relevant tomorrow. As political decision-makers boost their own awareness, there is also an inevitable need to discuss aspects that are politically sensitive. This includes attribution. It is a technical point at first glance, but a political decision by the end of the day. It also includes choosing between offensive and defensive actions. These are, of course, all for Member States to decide. Nevertheless, they must not only be discussed, but also exercised at a strategic level. Our strategic thinking must be harmonised.

Ladies and gentlemen!

This brings me back to the role the European Defence Agency should play in all of this. As you know, the Commission has also been very active in pushing cyber issues, and I am glad that the General Affairs Council adopted its conclusions on cyber security last Monday. This will, along with the Commission’s cyber package, most certainly give cyber-security issues a totally new impetus for years to come. I do not wish to go into the details and various projects that these documents foresee happening, but generally, it is clear that a great deal of focus and resources will be allocated to cyber issues.

I strongly believe that in this situation, the European Defence Agency should continue the successful projects it has conducted so far and complement the Commission’s projects without unnecessary duplication. For example, I believe that the EDA should concentrate its efforts on education, training, and strategic level exercises. These are the fields, whether we like it or not, where the Member States have probably the biggest shortfalls and, at the same time, the willingness to increase cooperation at the European level. We must also consider how the EDA’s cyber activities can contribute to the European Defence Industrial Development Programme and the Permanent Structured Cooperation, as well as vice versa.

Dear participants!

As a final note, I would like to remind you all about the rapid pace at which the cyber landscape, and therefore also the challenges it poses, is changing. I wish you success in handling the unknown and updating your passwords.

2017 marks the 10th anniversary of three significant events for the cyber world. In April 2007, Estonia became the first state to be hit by a politically-motivated and orchestrated cyber-attack. Technically, we now see similar cyber-attacks daily.

Less remembered, at least in Estonia, but perhaps even more important was the introduction of the world’s first smartphone in June 2007 by Apple. And the so-called Aurora Generator Test of March 2007 by the Idaho National Laboratory, which proved that a cyber-attack can be used to destroy parts of an electric grid.

The last ten years have shown us how smartphones, with all their opportunities and risks, have become an everyday commodity across the globe. Cyber-attacks against states are certainly not everyday occurrences, but they are also nothing that surprising or novel anymore. Cyber-attacks against real and physical infrastructure, be it against Ukraine’s electricity grid in 2015 or Iranian nuclear centrifuges in 2009 – they are now a reality.

These developments might seem fast, but only when compared, for example, to the many decades it took for gunpowder to become a ubiquitous tool of warfare. In the cyber field, the tempo of change is increasing by the day. Take, for example, AlphaGo Zero, which is basically an artificial intelligence version of the ancient Chinese strategy board game Go. Developed this year by a Google-owned company, it took the system three days to defeat a human contestant, 21 days to beat an older version of itself, and 40 days to basically exceed all previous versions. It is therefore likely a serious step towards artificial intelligence, which could lead us to some pretty sci-fi scenarios in maybe only three years.

These examples, among others, demonstrate that the pace of change is becoming so fast that we cannot be ready for all eventualities. Artificial intelligence is the biggest eventuality we will see. But we should be ready, regardless. Whenever I wonder whether we are moving fast or slow and trying to force necessary decision-making and common understandings to transpire at a breathless pace, I always think back to a century ago. How few technological developments really went out the window then because they were replaced by something new! I wish you all the best of luck in 21st-century cyber defence and cyber hygiene. The former is meaningless unless it maintains a necessary level of the latter.

Thank you for listening!