Russian cyber attacks on Estonia were a wake-up call for the country, said Merle Maigre, executive Vice President for Government Relations, CybExer Technologies and former director at NATO Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia.
They were a clear demonstration that cyber attacks were as malign as the physical ones. This prompted a discussion on cybersecurity in Estonia. Here is what one of the world’s most digitized nations learned since then:
- Any technology is a potential target for an attack. Digital governments are often regarded as cost-savings venues, but the truth is that they become more vulnerable. That’s why the more digitized you make things, the more you need to invest in cybersecurity, and it can’t be only delegated to the IT department. Everybody needs to be educated in cybersecurity. Investments into digital innovation must go hand in hand with commitments to cybersecurity, especially – training the workforce, and educating the population, starting from the age when kids get a smartphone.Notably, Estonia is so serious about this that it has a cyberhygiene requirement for state officials: they need to pass a mandatory test which maps their risk behavior in cyberspace.
- Cyber attacks increasingly originate from state actors. Traditionally, businesses were afraid of cyber interference for espionage. But it’s not clear that nations growingly are the source of cyber attacks and finance hackers which target the critical infrastructure of other countries and gather intelligence. One thing that can counter this is maintaining that international law applies in cyberspace. “We don’t need to invent new laws, but need to think how the current international law extends to cyber,” said Ms Maigre. This is the reason why the NATO Cooperative Cyber Defense Centre of Excellence which she headed created the Tallinn manual, so far the most comprehensive guide on interpreting and applying international law in cyberspace. In her words, this manual provides a roadmap to making states accountable and defending ourselves within the framework of international law.
- Elections are especially at risk. And digital solutions are no more secure than paper ones. Cyberhygiene, cyberawareness, and cyber capacity building is needed for both election officials and candidates.
The United Kingdom
It is now ten years since the UK started to change its approach to cybersecurity, driven by the attacks on Eastern Europe, said Henry Collis, Deputy Director for Security and Defence Projects in the Prime Minister’s Office and Cabinet Office Communications Team.[quote style=”boxed” float=”left”]Our mantra: skills, not tools.[/quote] Over this time, the UK’s approach has evolutionized into a “Fusion doctrine” which uses cybersecurity with other tools to deliver security objectives together with sanctions and diplomacy, strategic communication. According to Mr. Collis, it brings together levers of influence, economic levers, and hard security elements coordinated by a National Security Secretariat.
The UK launched its first cybersecurity strategy in 2011, and the second one in 2015, with 1.9 billion pounds allocated. It is centered around 3 D’s: defend, deter, develop.
In Mr. Collin’s words, the root of their success was in improving their governance and overcoming the state inertia. This took a long time, and was focused around three considerations: coordination, cooperation, capability.
Collaboration. As it is now in Ukraine, the United Kingdom started out with a mess of overlapping government institutions and responsibilities.
[quote style=”boxed” float=”left”]Finding the technological solutions isn’t the challenge, it’s building the trust for effective cooperation[/quote]Cooperation means working better beyond government, extensive working with the cybersector. This needs to be done at scale, with direct industry engagement, to be working with those who hold the greatest risk, with prioritized sectors of the economy.
“There was a time when we saw what was happening in Eastern Europe, but nothing was done because capabilities and responsibilities were distributed around different government departments and it took time rallying them together and creating a senior responsible officer at a senior level in government who was responsible for writing and delivering our first strategy. But to be effective in any government, you need to have a mandate. That’s why we created a cybersecurity program to encourage collaboration, to fund interdepartment activities which would normally fall between the cracks.
We were talking to nations which had created their own national cybersecurity centers and we created one as well. That launched in 2016; it had dealt with 1,100 attacks on its 2nd birthday, most of which were attributed to hostile state actors. We now have a public face which goes on TV and explains to your grandmother that she should update her antivirus,” said Mr. Collin.
For this, the UK government created an online platform called Threat-o-Matic, which allows firms to share information on threats anonymously, without fear of financial or reputational loss. The reason was that firms were reluctant to share information and patching information so that it could be done at scale across the whole economy.
“Build trust to allow anonymous profiles to share information and to become more resilient as a result. That’s a simple fix, but that’s representative for the type of hurdle that needs to be overcome for this sort of cooperation. Finding the technological solutions isn’t the challenge, it’s building the trust for effective cooperation,” stressed Mr. Collin.
Capability. According to Henry Collis, the great technological solutions already exist, but the problem is having the right people to select the right tool and use it in the right way:
“Long-term, enduring capability at an age of rapid technology means having the right people, not having the right things. Our mantra: skills, not tools. The technology to defend against cyberattacks isn’t expensive. But having the right people to select the right tool and use it in the right way – for this, we need a comprehensive approach across government. Something that depends on the department of education. You need to prescribe a set of education across all parts of the curriculum, so that they can start building skills at an early age. University funds need to create master’s programs in cybersecurity.”
Poland, the EU, NATO
According to Mr. Szczygiel, the problem with deterring cyber operations is that the malicious activities are conducted by state and nonstate actors, by proxies on behalf of states, which makes them difficult to attribute. This uncertainty can paralyze an effective response and poses a kind of dilemma in international relations, where persistent cyberoperations bluf the line between peace and war are blurred.
Nevertheless, attribution even with a below-than-perfect level of certainty, or the “name and shame” approach, can discourage future cyberoperations and end the sense of impunity in cyberspace.
“We have to impose certain costs of malicious cyberbehaviour, manifest our intentions regarding malicious acts. For example: last October, public attribution was conducted through statements of UK government and The Netherlands and joined by 20 countries, which clearly attributed a number of cyberoperations to the GRU. This is important because these statements were publicly supported by NATO and EU leaders,” said Mr. Szczygiel
He said the EU is coming closer to adopting sanctions for cyberattacks.
“The October EU Council tasked the External Action service to propose draft instrument regarding sanctions, usng the usual instrument of EU to respond within the framework of a common foreign security policy. The novelty of the situation is that for the first time we are going to have a general instrument we will be able to use against any type of cyberattacks in the future.
These possibilities were envisaged in the cyberdiplomacy toolbox endorsed by the EU Council in 2017. We are practically implementing those measures. And this is a kind of breakthrough in the thinking of the EU, that we have to clearly state to the potential aggressors what the costs will be.
An important aspect is EU-NATO cooperation:
There is a high degree of complementarity, but efforts should not be doubled. There needs to be clear division of labor: NATO developed its defense policy in recent years, so we have quite a substantial legacy on the side of NATO. In 2014, NATO declared that cyberattacks would trigger Article 5 related to collective defense; now in Warsaw, NATO leaders designated cyberspace as the fifth domain in NATO operations, among land, sea, air, and space.
Examples of practical implementation include the creation of a new cyberoperation command center and the concept of NATO cyber rapid reaction teams. However,
” It’s not enough to create cyber structures, cyber commands, or cyberarmy. In itself, the availability of those cybercapabilities are not sufficient. States must develop legal framework to control cyber operations, especially those of an offensive nature.
For NATO policy makers, an important dilemma is how to ensure credible cyberdeterrence. It’s more challenging than traditional and nuclear deterrence, as cyberattacks are difficult to attribute to specific actors. Policy makers have to formulate a cyberwarfare doctrine to which states can adhere.”