Estonian Defense Minister Jaak Aaviksoo
Cyber Security and the Spreading Challenges
His Excellency Jaak Aaviksoo
CYBER SECURITY IS BOTH A DOMESTIC DANGER AND
Addressing the issue of cyber security is always a challenging task in the sense that it is getting more and more complex every day or even every hour. When we deal with cyber security, new and ever newer issues keep emerging. I will try to focus on just two topics that I will describe later. But before doing so, I would like to say that what I have seen over the last three years since I entered office, barely two weeks before the well-known cyber attack on Estonia in April 2007, has convinced me that virtual reality is becoming more real than reality itself. We are increasingly dependent on virtual events in our practical lives and if we speculate in the manner of science fiction, we can think of what would happen to us if someone that we do not know or see were to completely manipulate the information that we get on the internet and then we would make our decisions—investments, buying or selling things etc—based on that information. Of course, this is impossible for practical reasons but, as a mental exercise, it is very useful.
HOW TO ORGANIZE NATIONALLY AND INTERNATIONALLY FOR CYBER SECURITY
As promised, I will focus on two topics. The first one is the organization of cyber security at the national and international levels using Estonia as an example. The second one is awareness. How will the global community, nation states, and international organizations, as well as companies, agencies, and ministries address the issue of cyber security? I think this is very hard to answer. It is increasingly clear that no single group can solve the problem, not 50% or even 5 to 10% of it. Whenever we want to achieve some success, a lot of cooperation is needed at all possible levels—inter-agency, public private sector, third sector, citizens and the government, international organizations. At the same time, this cooperation also goes along vertical lines—within the ministry of defense, the ministry of interior, the ministry of telecommunications, the ministry of economic affairs, or the ministry of justice. And a number of such agencies must work together in a coordinated way. When things become critical, moreover, the coordination must occur in real time. There is no time available for mobilizing defensive assets. They must be in place at practically all times—or at least it should be possible to switch them on very quickly. Everything has to be ready in advance and under such circumstances, we all know that flawless communication is the most critical asset.
How do we build flawless communication? This is not a purely technical issue. Communication is always between individuals, people, which necessarily requires interpretation, translation, and understanding. My conclusion, based on the practical experience of the cyber attacks against our country and for theoretical reasons as well, is that we must train these people to work together. There must be a network in place of people who are able to communicate with each other without problems. They must know and trust each other, whatever the barriers between them—cross administrative, national, legal or other. It is a very complicated task: It is about human interoperability in real time.
Frankly speaking, we have not been too successful at implementing a national cyber security strategy. Nonetheless, one development is worth mentioning here: The establishment of a voluntary, non-governmental cyber defense league organization. Before explaining what I mean by that, let me first explain Estonia’s defense organization. We have regular troops, a reserve army and we still have conscription. The regular professional army is between 3,000 and 4,000 strong. In case of need, we can add in a few days 25,000 men—reservists who have to be mobilized—to this professional army. In addition, we have a non-governmental paramilitary organization called the Defense League, which is 20,000 strong. It is organized as a military hierarchy for the purpose of territorial defense. These individuals train regularly, and they are motivated to do so. While they are not paid, costs that are directly related to their activities in defense are covered by a government subsidy even though they remain an independent legal entity. Under that umbrella, we have a special unit, called the Cyber Defense League, which is between 100 and 200 people strong. We have selected its members both for their willingness to join and for their professional characteristics and organized them in a military structure. While several legal problems still need to be resolved, the basic idea is that they are volunteering for that obligation and they come from across the whole society—private sector, government sector, independent individuals, entrepreneurs, all kinds of people. The government offers them training possibilities, equips them with the necessary resources and in case of need, can mobilize them for national defense like the reservists in regular military service. I have to say that the willingness of those voluntary cyber defense league members to serve is a huge asset. Their contribution to the common cause of securing the environment is a strategic asset. I would even go further. I do not believe that we could organize those people to work together if that were not a voluntary effort. Ten or maybe twenty times more resources would be required. So this is a good example of addressing the issue of networked cooperation both horizontally and vertically.
THE NEED FOR PUBLIC AWARENESS OF THE CYBER SECURITY THREAT
My second topic concerns awareness. When we think about cyber security, like with every problem, the most complicated task is to find out where the true bottleneck is. There are billions of problems and we cannot solve them all. Usually, if we can find out where the bottleneck is and broaden it a little bit, things start flowing. Where is the bottleneck in cyber security? Although the need for awareness of cyber security has been mentioned many times, at many gatherings and in many formal or less formal documents, I am increasingly convinced that, if it is not the biggest bottleneck, it is at least one of the most important problems we have to solve. Why do I think that? Last year, we had to cut our national budget by 20% in the middle of the fiscal year, which was a hard exercise, but I found that the resources that were allocated under a national cyber security strategy were cut by 80%. What does that mean? It means that the crucial understanding of the need to defend ourselves in cyber space against different threats is missing. The need for awareness and understanding does not occupy an appropriate place in the priorities, if we look at the exponentially growing cyber crime rate or the magnitude of the security threats. This is a problem not only at the political level but at the public administration level as well. But I will leave that question aside for a moment. I believe that a lot of political decision making in our democratic societies is still done according to what people think is morally right or wrong. And there are several reasons for citizens to underestimate the threats in cyber space. Even when citizens have a somewhat mixed attitude towards what is going on in cyber space, they do not consider cyber crime as a true crime. If some hacker can get his hands on a million dollars from a major bank, he will be viewed by some as a public hero rather than as a criminal. Or if a smart guy, the younger the better, finds a way of taking a dollar from each of our pockets, with 1 billion people, this becomes 1 billion dollars. For most people, he is still a smart guy and not a criminal.
Finally, I tend to believe that what people do if they are one-on-one with their computer is not always something they want to tell their friends or wives to know—going to sites, looking at things, or commenting on articles on internet forums. What people tend to do on the internet, they would not necessarily do in a public place. If that is true, it affects how people feel about others doing things on the internet. When there is a moral problem, they do not think that it is necessarily black or white or straightforward. So I think that one of the main efforts that is needed on the political level, but not only on the political level, is to raise public awareness about the nature of the threat in order to protect every single individual. People tend to believe that cyber space is anonymous. It is anonymous only on the surface and we really do not know what may happen to us, just like when I presented earlier the idea of a fictional situation where somebody manipulates all the information flows to our computer. We may take another example which is much more probable. We underestimate how vulnerable we actually will become if all the information that flows in and out of our computer is known to someone. In fact, such information is extremely sensitive, especially when it is all taken together and analyzed in a proper way. We must work on those threats in a more systematic way and try to explain more effectively what is good and what is bad. I will not call it a “safe sex campaign.” But a “safe internet campaign” or a “responsible behavior code” is something that we need badly. Otherwise our efforts, whether technological, political, legal or defensive will not bear fruit.