Whereas conventional threats have more or less stayed the same, a new and potentially more menacing type of activity has arisen that has so far not been given much consideration. One could even say that it has deliberately been isolated to the so-called cyber space and dealt with only on the margins. At least, until events in cyber space itself make us pause and re-think its impact on our security.
As you might know Estonia recently fell under a politically motivated offensive cyber campaign. The cyber attacks targeted government, industry, as well as private sites while using a wide array of offensive techniques.
Though it is difficult to exactly identify persons, groups or organizations behind the attacks we do know that most of the attacks were carried out not only by amateurs with primitive methods, but also by highly skilled cyber attack specialists with significant resources. Specifically, the attacks in the campaign consisted not only of protests against the Estonian Government, but also of large scale, well coordinated and targeted actions that appeared synchronously with events in the media, the political and the economical arena. In all, what took place was according to our interpretation cyber warfare and cyber terrorism.
Ladies and Gentleman,
Estonia is one of the most wired countries in the world. Roughly 60 percent of the population is everyday Internet users and over 97% of all bank transactions are done on-line. Indeed, Internet has become a common channel through which people pay their taxes and even vote in local as well as general elections. Hence, e-services and access to Internet already is an integral part of our society. The aim of cyber attacks as well as its unprecedented size can thus be defined as an attack against an Estonian way of life. It is clear that without having applied timely and imminent countermeasures the situation could have turned much worse and posed a significant risk to our national security.
In essence, cyber attacks against Estonia demonstrated that Internet already is a perfect battlefield of the 21st of century. Our globally increasing dependence on Internet, on-line services and on critical information infrastructure makes us all also more vulnerable. As demonstrated by events in Tallinn, an effective political propaganda can motivate a significant number of people to launch a massive cyber attack almost instantly thus inflicting potential damage to critical information infrastructure even in case of ad hoc and amateur level attacks.
Cyber domain thus presents a paradox – with exceptions, the more wired you are the more attractive you are as a target because the potential damage is bigger. Even those countries that are technologically well-advanced are vulnerable to cyber attacks and 100% safety simply does not exist. Of course, one could say that human lives are not at stake. But let us be creative and try to imagine a situation where our basic everyday needs are denied – traffic systems hacked and in parallel, emergency numbers broken down. Human lives are very much at stake.
So, as we try to come to grips with this new battlefield there are certain aspects that in my opinion immediately stand out.
First is the issue of dealing with cyber defense, in general. It is worth to ask ourselves whether it would not serve our common purpose better to start acknowledging the impact of cyber defense on our civilian as well as military affairs more clearly. I think we all agree that our military command and control, ISR and precision strike capability rely on ensured access to the electronic spectrum. It is also clear that losing the freedom of action in the cyberspace domain is not an option. At the end of the day, all the data in our national or international neural networks is relatively useless unless it can be protected.
Yesterday, NATO defense ministers in Brussels commonly agreed that urgent work is needed to enhance the ability to protect information systems of critical importance to the Alliance. I think that this is definitely a step towards a right direction.
Second, Estonia is a small country, open, transparent and cooperative. It was our transparency and eagerness to cooperate that enabled us to mobilize quickly and minimize the damage. Thus, when tackling a problem that is international in nature such as cyber defense, more rather than less cooperation is the only way to deal with it.
Closely tied to the previous aspect of cooperation is perhaps the toughest issue - that of legal framework. We should all ask ourselves – do we as nations but also as allies and partners possess all the required judicial instruments? Do we have a proper legal code that defines the cyber attacks in detail – where does cyber crime stop and terrorism or war begin? Should NATO, for example, safeguard and defend not only
its communications and information systems but also some national critical physical infrastructures? And what to make of collective defense in case of cyber war against one of the allies?
As you see, I don’t have many answers at this moment, but I fear that if do not start answering these hard questions soon, we will not be able to deal with future effectively.
Ladies and Gentleman,
As we try to draw the right conclusion for way ahead it would serve us well to look in the past. Namely, the nature of cyber defense is not that different from another field of endeavor. Specifically, sea faring.
European Long Term Vision, agreed upon last year, puts it well as it sees the cyber space as a new common environment that states and organizations aspire to access and control. And not surprisingly, it used to be the same with the sea as it had and still has an international character where trade and international communication are conducted.
It is true that the main problems of the cyber space lie with the enormous degree of anonymity among the players and with its ever-expanding nature. So, how can we correspond to that? How can we make sure that the communication lines between the suppliers and customers are protected? Was not that the same question regarding the communication lines at the sea for centuries before our age?
As we are in Paris today, I would use the opportunity and remind you the Paris Declaration Respecting Maritime Law from 16th of April 1856. This short piece of paper called the signatories to abolish privateering, which basically was seen as state-sponsored piracy. It represented the first multilateral attempt to codify in times of peace rules, which were to be applicable in the event of war. Though it had holes in it, it still established maritime law among major powers of Europe.
Coming back to today’s Paris, I would say that similarly to the past we need a universal convention against cyber crimes, be they state- or non-state originated. For, cyber defence will not work if there are national or international judicial gaps in it.
In sum, the choice we have is not to change our way of life or stop developing technology that makes our world a better place to live, it is to effectively stop those that want to attack our way of life by abusing that technology.
Check against delivery!