President Kaljulaid at the opening of CyCon

30.05.2018

Ladies and gentlemen, dear guests!

Welcome to Tallinn for CyCon. I am very happy to speak here. And I am also a little bit nervous as the whole legacy comes from Toomas Hendrik Ilves, the former President of Estonia, who has made it possible for the whole world to understand that this Woodstock-kind of place for cyber is here in Tallinn. Please, let's give a round of applause to President Toomas Hendrik Ilves! Estonia has been strong in the digital world, and Estonians understand better the risks related to digital. This has been indeed largely President Ilves's doing, and the promotion work for Estonia he has been doing for over 15 years is incredible and I am forever grateful to President Ilves for what he has undertaken and still does undertake.

I also thank Merle for this introduction and for organizing this conference. And since the focus of the 10th CyCon is about maximising effects, then I would like to point out the most important take-aways and lessons-learned from these developments that could really be used to do exactly that – to maximise effects in order to keep our societies and citizens safe.

What has changed globally since the last year's conference, is mainly the awareness. I think that the awareness levels on cyber related risks are today much higher than a year ago. Yes, cyber risks and cyber attacks, the attributions that have been made, are all things that were openly talked about, but the last year has brought cyber risks close to normal people. People have started to understand that a new set of natural laws, if you wish, have been created by evolvement of the technology sphere. People normally know that if you jump out of the window then you fall down. But for some reason people didn't realise that if you are out in the internet then you are visible. Now they understand this much better. And of course, numerous efforts have been made to make companies and governments responsible for keeping their people safe in the cyber sphere, but that alone is not enough. Therefore it must come down to individual action and individual level of cyber hygiene. How you must choose what is visible about you, and how you must also understand that some parts of you, your character, your interests will remain visible in the internet. People just have to learn these new natural laws of the tech sphere. And this is also a great opportunity for all of you who deal daily with cyber risks, because now all of a sudden everybody is really eager to learn. Now it is your time to make sure that the general benefits from your work will be maximized for the whole society.

The last year in general was a special one for Estonia and we also expected that it will be a very difficult cyber year as well. Because we had first EU Council Presidency, and what better example to make about the Estonian digital state not functioning when the EU Councils were gathering in Estonia. In fact, we didn't face any incidents at all – we only had some capacity issues with the wifi-networks, but that was a self-inflicted wound.

We also had the NATO's Enhanced Forward Presence battle group arriving to Estonia. Again, it was predicted that there will be cyber, stratcom and other hybrid attacks against this very visible international presence in the Baltic states. But actually there was only one case of fake news in Lithuania, which was very quickly solved by the Lithuanian authorities. Which again shows that the whole world has become more resilient – it is possible to put out the truth after false statements.

Of course, we do not know for sure why these events didn't come under heavy attacks last year. Perhaps the adversary had a capacity issue and they were just busy somewhere else. But maybe it was just because we are pretty resilient, since we have learned a lot over the years on how to deal with these issues.

On the other hand we had a really interesting crisis last year related to our digital state. It had nothing to do with attacks, but with the fact that nobody who is using technology controls the whole production chain of technology. As a small state we don't control almost any part of this production chain. And when one billion faulty chips were withdrawn from the market by the chip maker, it appeared that 700 000 of them were actually Estonian ID-card chips. The rest of the chips worked in some other digital environments in some other digital states and people's ID-cards, although most of them were just in door cards etc. What is interesting is that some other countries shut down their ID-card systems – but nothing happened in the sense that if you shut down an ID-card system without public riots, then you have not yet digitally disrupted your society.

This was the case in other countries. But here in Estonia it was quite clear that we cannot do that. Our people were not ready to go back to paper. The initial reaction of the society to this crisis was that maybe it's not that bad? The society read the news, decided that it cannot be this bad because it was too big to believe. And so the society, including the media outlets stabilized near the cliff's edge – but decided to hang on. And this was a clear sign that whatever way you go in solving this crisis, we absolutely have to make sure that there is as little as possible physical need to go to a service point etc. We managed for quite a number of people to patch up their ID-cards over internet. But some people were unable to do that – and then it was very clear to us once more that nowadays we cannot be happy with the situation that if something goes wrong with the digital system then people go back to paper alternative.

Therefore it is quite clear that in the coming years we must spend a lot of money to revamp our systems, to provide safer alternatives for getting access to the system, and also think whether the whole technical platform of our digital state needs to be taken to a new level, for example by using block-chain. This would be necessary not only to develop services – because the state wants to be pro-active towards their citizens anyway, and that needs block-chain. But also to continue providing current services.

It seems to me that we have to invest a lot. For years we have said that approximately 2% of GDP is saved only by digital signatures, and we can also say that 6% of our GDP comes from ICT. Otherwise it would be very hard to say that in the coming years we must spend up to 2% of GDP to provide new solutions. We definitely have to make sure we stay ahead of the curve all the time. If some systems stay in service for too long then some people start trying to break them just for the fun of it. And sooner or later they also succeed, but we cannot endanger our digital state with these kinds of risks.

Dear listeners,

If we turn to the events that have shaped the cyber conflict environment internationally, then last year in this speech I referred to the WannaCry attack that had just wiped across the globe, bringing a considerable impact with it. But then we had not yet seen what was about to come, as in the end of June we saw NotPetya. Which was made to look like the work of ordinary cyber criminals, but was in fact designed to destroy information and brought global economic loss measurable in billions. In billions, not in millions. And here is something that we, the politicians of the western world, have to think about.

Today we can say that the investigations of both of these destructive campaigns have finished and public attribution has been made by our good friends and Allies, joined also by our government in the case of NotPetya. But strong words will not stop those attacks from happening again. In order to avoid them in the future, we have to change the calculation of governments who either organize the attacks, or just allow them to happen on their digital infrastructure. Cyber should not look like an easy weapon anymore and using it should include some considerable risks for the perpetrators as well. In order to achieve that, we have to be ready to use stronger tools than we have been so far using. The governments have to be ready to respond to these attacks, and first and foremost, be ready to call these attacks as violations of international law.

We all know that sanctions are most effective against those who don't have any sanctions affecting them yet. They are also easy to apply, because this level of retaliation is not legally very demanding. There is no need to prove physical damages at the level which could be seriously crippling and thus allowing for stronger countermeasures according to international law. Therefore, we should not overlook the possibility to use political and economic responses, but then they really have to be such that they have a deterring effect.

There should also be measures to support those who are digitally failed, not able to control the attacks from the base of their digital infrastructure, out of lack of resources or out of complacency. For example, if a country is unable to stop somebody from attacking from their infrastructure then they should have a method and means to call upon some international and collective help. And this help should also have clear limits on what can be done and cannot be done. If the western world would make it clear by example to third states that allowing cyber campaigns to happen via their digital infrastructure could bring with it political or economic sanctions, we could bring more order into cyberspace. Attribution of cyber attacks and campaigns may be technically challenging, but it's clearly not impossible. And therefore we must make it quite sure that the international community has the ways and means how to react. We know that every time we attribute something then people will demand proof. But in the cyber world, like in any other international law cases, you don't need to disclose the proof fully.

Talking about maximising effects, then during our EU Council Presidency, 28 Member States agreed to guidelines on how should those political and economic responses to malicious cyber activities be carried out. As the bureaucratic work is done, we as politicians will now have to do the political work and be ready for the political and diplomatic response of EU if any government decides to use cyber attacks against us. And here I am quite happy that in April foreign ministers of EU were able to take the first step to such direction by adopting the Council conclusions on malicious cyber activities. And all this talk about EU's measures is backed up by NATO's decision that Article 5 also applies to cyber attacks, that cyber has turned into a fourth domain of operations, and the policy of strategic ambiguity in regards to the means and ways of response. Because, by the end of the day, this is why EU and NATO were set up in the first place – to maximise the effects of their member states – now also in the cyber domain.

Finally, I would like to touch upon some of the relevant changes over the last year or so that have taken place in regards to the age-old attribution issue. It is true that attributing cyber incidents to states will not be an easy task also in the future. There are also misperceptions in this regard that until recently have held states back. But while the most paralyzing effects have been overcome, I am quite sure that states will now be braver in their actions. But of course, the problem is, that if one, or two or three of us decide to be brave, but there is no strong reaction – even if we have agreed on the tools in the EU, even if we have the international law base for that – then the situation will actually be worse than it is currently. Because previously we didn't know what and how to do, we didn't have a framework for that. Now we have the framework, but if we don't use it then quite soon we will come to the state where the tech-guys will tell us that they don't want to bother themselves with attribution, that it's expensive and without any serious gains. But the gains will be there.

Naming and shaming may seem like a soft measure, especially against countries like Russia and North Korea who fiercely deny their involvement, make it seem like they have been deeply and unfairly insulted, and demand concrete proof. It's not easy to stand there alone, you have to have quick reaction, such as EU and NATO were demonstrating after the Salisbury incident. Cyber incidents will become terrifying and devastating – if we let them continue without strong and clear response measures.

Thank you!