Rome '08 Workshop
Dealing with Cyber-Attacks: A Global Challenge?
His Excellency Jaak Aaviksoo
Estonian Defense Minister
A little more than 10 years ago I lived much more of an academic than a political life. I was asked by the then-government to join in as a non-political cabinet member and to become the minister for education and research. One of the projects I launched was computerizing and networking all Estonian schools, so that every school boy and girl would have access to the Internet. Some critics said that there were not only good things on the Internet but bad ones as well, but I was reluctant to believe that this would be a major threat. The project was completed by 1999, which was pretty early on both a European and a global scale. Now I am responsible for fighting all the threats that can come from the Internet, which come along with all the good things.
I am going to share my views on this subject with slightly more of a political than a technical or a defense-related emphasis. Before doing so, however, I would like to reflect on the things that I have heard during the last three days and also give a bit of background on my presentation.
HOW GLOBAL IS THE THREAT OF CYBER-ATTACKS?
Throughout our deliberations I have been asking how global our threat assessments are. Haven't our perceptions been limited to the Euro-Atlantic space? The answer to that question is up in the air, but my asking it is appropriate, because, as was said at the beginning of this workshop, the meaning of the word security is having no fear, and fear is much more a subconscious feeling than the result of some rational argument. I think a lot of what we do in defense, at least on the political level, is very much related to our perception of threats, to what our fears are based upon, and that some of the problems we face in global as well as regional security and defense policies are sometimes diversions of these perceptions. We perceive the threats differently, some as real, some as less real, and that creates a number of problems and misunderstandings.
In that regard, and with the somewhat Euro-Atlantic perception of global threats, it was very enlightening to listen to the contributions of Munir Akram from Pakistan and a number of other people who gave some insights into how they feel and what their perceptions of the threats are, maybe not the global threats but the very real national and regional threats. If we could create a network of those threats and have a map of the perceptions of those threats, we might be more successful in solving at least some of them.
I do believe that cyber-threats are generically global, and it is thus very appropriate to address this threat in a workshop on global security. Cyber-threats can emerge from anywhere in the world, and they can hit you in milliseconds anywhere in the world. It is hard to imagine something more global than cyber-threats; if you use a computer or a PDA such threats will address you directly, but cyber-attacks can influence you in indirect ways as well. And again perception is important; some of us may be annoyed when a large amount of spam mail or viruses invades our systems or we have a program that will not start, and some of us may have countrywide networks go down.
ADDRESSING THE DIVERGENCE IN THREAT PERCEPTION
As we learned in Estonia, and as some other countries have learned, both government and non-government institutions can come under unfriendly attacks with different objectives. If we ask, "What is the national perception of a possible cyber-threat?" will there be a coherent understanding of the extent to which such a threat is shared by different agencies and government offices? I think the picture would be blurred, which is characteristic of the modern security environment at large. This divergence in threat perception is the biggest problem I see. If you ask defense or foreign affairs professionals where they feel national security threats lie and compare their answer to that of ordinary politicians and their constituents, you will see quite a large gap. I don't think we will be able to address all of the problems unless we can bridge that gap.
Do we lack the resources to implement the Comprehensive Approach, whether or not everybody agrees to exactly what it is? No, we do not. I believe there are enough resources in the hands of the international community to follow the Comprehensive Approach. Therefore, can't we raise enough resources to solve some security-related issues? Don't we have enough resources? I think we do despite the fact that there are small gaps, because these can be breached provided the political will is there. In a way, the further we go from our borders, the greater the problem becomes, because we cannot consolidate political will. This inability, I believe, is directly related to the fact that we perceive the threats differently, within countries, between countries, in the Euro-Atlantic space, and across the Atlantic. And that is one of the reasons why we have not been able to perform as well as we might wish.
That is also why, when I was asked, "Minister, do you think that the gap between the words and the deeds of President Karzai regarding corruption is greater or smaller than the gap between the words and deeds of the international community on a comprehensive and coordinated approach?" I failed to give a good answer. I gave an answer as a politician, but I was not satisfied with it. The need to concentrate political will applies to a number of modern security issues, including cyber-defense. One of our major problems is trying to achieve this concentration in order to breach the perception gap and to decide how big a threat cyber-attacks truly are.
Are cyber-threats global threats? Yes, they are; there is no doubt. Are they real or imaginary? I believe that they will be real threats in the next several years to come, with a medium-level threat probability. Are we united in our perception of these threats? Regarding the military, politicians, and administrations internationally, the most probable answer is not yet.
OUR VULNERABILITY TO AND THE EFFECTS OF CYBER-THREATS
How vulnerable are we to these threats? As has been said twice at this conference, an interesting characteristic of the Internet is that the democratic international community believes that the Internet provides open access to information, that it is the best instrument for undermining totalitarian systems, and that some countries have not only put limitations on but even plan to punish people who make use of the Internet. That is all true. But I think that all governments have not been able to efficiently use the possibilities the Internet offers against totalitarian regimes that use thousands of Internet sites to successfully spread their ideologies. So we must keep this fundamentally asymmetric characteristic of the Internet in mind whenever we address the question of how vulnerable we are.
Is it probable that threats from the Internet can cause casualties or kinetic effects? There is a very low probability of this. I know that several staged attacks have taken place to try to hack into some critical infrastructure, but they have usually failed at an early stage. In addition, the threat of an infrastructure being put out of order for considerable amounts of time so that the economy and social or public order is affected is low to medium.
Where I think we are more vulnerable is the integrity of our information systems. Most probably, our classified information systems are much better protected than large public or semi-public information systems, but when you think about how many people rely on public information systems in their decision making, it is a serious threat that could have an enormous impact. We need to remember that cyber-threats can have great effects on the hearts and minds of our people. Their ability to spread terror or at least to destabilize was efficiently proved in Estonia more than a year ago, and I estimate that there is a medium to high probability that the same kind of thing will happen again in the near future. Even more probable, however, is encountering the ongoing ideological pressure of totalitarian regimes whenever you spend 30 minutes looking at what is on the Internet.
COOPERATING AGAINST CYBER-THREATS
Now let me talk a bit from a somewhat political point of view. After the attacks in Estonia, my country started to compile a national cyber-defense strategy. This involves technology that we can develop and use to invent more complicated systems and critical infrastructures, which is a national responsibility on the political level. But I think we have to do more in the area of legislation on both the national and international levels. The fact that we have the Council of Europe Conventional Cyber Crime document, which has been ratified by a little less than 40 countries, is clearly a great step forward, but it is insufficient, not only in coverage but in depth of penetration. Nevertheless, I invite all countries to move ahead with that concept since territorial coverage is of fundamental importance.
In the area of international cooperation, there clearly has not been enough; whenever you want to disrupt a cyber-attack, you immediately run into activities that have to have international support, and if the legal framework is not in place, we have problems. Even if friendly help is provided there is always the possibility of infringing on third-party interest. In that respect I am glad that we recently signed a memorandum of understanding to start a cooperative Cyber-Defense Center of Excellence, which should be fully operational by the end of 2008. It is very much in line with NATO's cyber-defense policy that states that cyber-defense is first and foremost a national responsibility and that, secondly, cooperative cyber-defense builds on national capabilities.
If we want to solve the problems of cyber-security, then we have to speak about the policing of cyber-space. What do we mean by this? Whenever there is policing, individual rights are infringed upon, and this is always a high-profile political issue. So how can we enforce traffic rules? Can we impose hardware and software on the Internet? What should the proportions be regarding the expenditure limits of private companies and private individuals compared to public security interest? And who is responsible for enforcing the rules? What are legitimate means for counter-attacking even when we are able to identify the possible intruder? Since most attacks are globally distributed, there is a legitimacy problem. To what extent will we be willing to tolerate infringement of national rules when there is a possible target in a third country? And last, as is usual in crime prevention, do we develop only reactive measures or do we devise and develop active cyber-crime prevention measures, including intelligence and other means?
CONCLUDING REMARKS
There are a lot of politically sensitive issues up in the air. Some of them are being solved on national levels and a few on the international level. But clearly there must be a lot more political engagement and discussion to build on public awareness of the seriousness of cyber-threats. That is why I am making it my mission to share my experience with cyber-attacks after being a strong proponent of a free Internet for many years before that event. I am still a proponent of a free Internet, there is no doubt about that, but I have seen the problems and I want to make the international public aware that we need to do something with that wonderful instrument if we want the Internet to be the friendly Internet.