Policy rather than gee whiz technology paved the way for Estonia to become the world leader in cybersecurity
Toomas Hendrik Ilves, the former president of Estonia, was named World Leader in Artificial Intelligence and International Cybersecurity by the Boston Global Forum and the Michael Dukakis Institute for Leadership and Innovation. The award was presented to him at the third annual Global Cybersecurity Day conference held at Harvard University on December 12th 2017.
Pres. Ilves was recognized for fostering his nation’s achievements in developing cyber-defense strategies, and for establishing Estonia’s pre-eminence as a world leader in cyberspace technology, defense and safe Internet access. Indeed, Estonia’s cybersecurity and access principles that focus on assured identity in every transaction have become a model for other nations around the world.
Pres. Ilves, who is currently affiliated with Stanford University, was also recognized for his leadership before the United Nations, calling for greater urgency in combating climate change, the need for safety of the Internet, and the plight of migrants and refugees – especially children.
A leader in cybersecurity
Recognizing Pres. Ilves for his contributions, Michael Dukakis, chairman of the Boston Global Forum and a former Massachusetts governor, stated, “We believe we are kindred spirits in our pursuit of a world in which we share in the concern for our fellow citizens worldwide. I also believe the Boston Global Forum and the Michael Dukakis Institute for Leadership and Innovation can play a vital role in helping you communicate your message and inspire others by participating with leading thinkers and scholars from Harvard and MIT who share your vision for a clean, safe and transparent Internet.”
During Pres. Ilves’s term in office, Estonia became a world leader in cybersecurity-related knowledge. The country now ranks highest in Europe and fifth in the world in cybersecurity, according to the 2017 cybersecurity index, compiled by the International Telecommunication Union. The country also hosts the headquarters of the NATO Cooperative Cyber Defense Centre of Excellence.
Also honored for contributing to the advancement of Artificial Intelligence and Cybersecurity was Prof. John Savage, who was awarded Distinguished Global Educator for Computer Science and Security on the 50th Anniversary of Brown University’s Computer Science Department.
During his keynote address, Pres. Ilves pointed out that national defense was once based on distance and time, but today, “We are passing the limits of physics in all things digital,” while laws and governmental policies have failed to keep up. He reminded the delegates that 145 million adults recently had all their financial information stolen without intervention by the US government.
“Today 4.2 billion people are online using computers that are 3.5 billion times more powerful than when online communication started out 25 years ago with 3,500 academics who were using BITNET, the 1981 precursor to the modern Internet.”
Protecting its citizens has always been the responsibility of the state and is part of our social contract. “We give up certain rights for protection, but we have been slow to get there in the digital world. When it comes to the cyber world, we are too focused on technology,” rather than policies that will enhance our safety on the Internet.
“Estonia’s cybersecurity technology is not advanced, but we are ahead on implementation,” he said, adding, “There is a huge difference between what we do and other countries – our focus was not on the gee whiz technology,” but on implementation of a system that relies on positive identity, which is the foundation of the country’s cybersecurity program. Additionally, all bureaucratic dealings are online and, with assured identity, Estonia has eliminated the need to request personal information repeatedly. Once personal information is on file, Estonian law prohibits any agency from requesting that information ever again. An Estonian can get his or her birth, obtain a driving license, apply for a building permit and register for school without having to fill out the same information repeatedly.
This is in sharp contrast to the US. Pres. Ilves joked that even though he lives in Silicon Valley, the center of advanced technology where Facebook, Google and Tesla are within a one-mile radius, “When I went to register my daughter for school I had to bring an electric bill to prove I lived there. It struck me that everything I experienced was identical to the 1950s save for the photocopy.”
He continued, “When Estonia emerged out of the fall of the Soviet Union in 1991, we were operating with virtually no infrastructure, even the roads built during the Soviet era were for military purposes. By 1995 to 96 [however] all schools were online with computer labs so that all students could have access to computers even though they could not afford to buy them.”
By the late 1990s Estonia determined, “The fundamental problem with cyber security is not knowing who you are talking to. So we started off with a strong identity policy; everyone living in Estonia has a unique chip-based identity card using two factor authentication with end-to-end encryption.” This is more secure than using passwords which can be hacked.
“A state-guaranteed identity program seems to be the main stumbling block for security elsewhere. My argument is that a democratic society, responsible for the safety of the citizens, must make it mandatory to protect them.” Moreover, Estonia’s mandatory digital identity offers numerous benefits, for example, “We don’t use checks in Estonia.”
Decentralized Data Centers
“In Estonia, we could not have a centralized database for economic reasons. Every ministry has its own servers, but everything is connected to everything else including your identity.” Even if someone breaks into the system, the person “is stuck in one room and cannot get into the rest of the system.”
Known as X-Road, this decentralized system is the backbone of e-Estonia. The developers claim, “It’s the invisible yet crucial environment that allows the nation’s various e-services databases, both in the public and private sector, to link up and operate in harmony. It allows databases to interact, making integrated e-services possible.”
The system is so well integrated that Pres. Ilves claims it streamlines submitting paperwork for various needs to a point where it saves every Estonian 240 working hours a year by not having to fill out tedious forms.
Nearby Finland has joined in implementing such a system along with Panama, Mexico, and Oman.
Pres. Ilves added that blockchain technology is used to store personal information to assure the integrity of the data. “I might not like it if someone sees my bank account or blood type, but if they do it is not as bad as changing my financial records or blood type – which cannot be done.”
Estonia further assures the safety of its data by having an extraterritorial server in Luxembourg where the information is duplicated outside its borders. As a result of its legal and policy approach to security, “Estonia is the most cyber secure country in Europe, Russia the most secure in Eurasia and China the most in Asia. Estonia is also the most democratic.”
International Cyber Agreements
Joseph Nye, Harvard University Distinguished Service Professor, Emeritus and former Dean of Harvard’s Kennedy School of Government, explored ways nations can develop cybersecurity and cyber-attack norms, drawing parallels between cyber and nuclear technology norms, threats and international agreements. “It took two decades to develop norms for nuclear war. We’re now about two decades into cyber depending on how you count.”
Nye recalled that cybersecurity problems emerged in the mid-1990s when web browsers became widely available, sparking the “huge benefits and huge vulnerabilities” of cyberspace about two decades ago.
He noted that, with establishing norms to harness the destructive power of nuclear technology, “The first efforts centered around UN treaties,” though “Russia defeated UN-centered efforts after the Cuban missile crisis.”
Nye told some 40 delegates at the World Cybersecurity Day event that the beginning of real efforts to set norms around nuclear technology came with test ban treaties, which were essentially focused on environmental concerns over detonating nuclear bombs in the atmosphere. That came in the 1960s. “It wasn’t until the 1970s that SALT (Strategic Arms Limitation Talks) produced something that began to set constraints.”
Turning to cybersecurity, global efforts to limit cyberattacks by states, “especially against critical infrastructure,” began in 2015 in a report taken to the UN Group of 20, the world’s most powerful economies, made up of 19 nations and the European Union. In 2017, however, they failed to reach consensus due largely to difficulties between the US and Russia. China backed off as well.
Setting cyberspace norms
Nye explained that “a norm is a collective expectation of a group of actors. It is not legally binding, and differs from international law. Norms can also be common practices that develop from collective expected behavior and rules of conduct.”
While large groups of nations have tended to achieve little in terms of establishing norms in cyberspace, bilateral agreements offer promise. “The US and China have very different views on Internet rules regarding [say] freedom of speech. For years the US corporations complained about cyber espionage being undertaken to steal American companies’ intellectual property and giving it to Chinese businesses,” Nye said, recalling that at first there were denials, but the issue became a top priority when the Edward Snowden affair let China off the hook. At that time China totally blocked IP theft.
The US further stated that it would sanction Chinese companies unless their government took a position against stolen IP. Then, with a US-China summit coming up in 2015, the US made it clear that if the meeting was to succeed, intellectual property theft had to stop because of its corrosive impact on fair trade. “Espionage is one thing, but corrupting the trade system is different than stealing other secrets.” What’s more, Internet espionage is “quick, cheap and you don’t have to worry about your spy getting caught.”
Finally, when Xi Jinping and President Obama met in September of 2015, China agreed to no longer acquire intellectual property. “While some IP spying continues on the margins, there has been a discernable reduction since the meeting,” said Nye.
The benefit of bilateral agreements, Nye emphasized, is that “They don’t stay in a box but become the kernel of the broader game of establishing wider norms,” noting that while broad multi-nation global agreements may have failed, bilateral agreements between states with very different views have succeeded. “Progress may not be made by a large global agreement such as convening 40 states. Finding ways states can negotiate concrete decisions between themselves and broadening them to encompass more nations is a much more plausible approach.”
International Law for Cyberspace
Nazli Choucri, Professor of Political Science, MIT and Director, Global System for Sustainable Development, noted that, while it is a long way from norms to international law, it is especially important to recognize the important contributions of the Tallinn [Estonia] Manual 2.0 on International Law Applicable to Cyber Operations to current thinking about order in a world of disorder.
When reading the four-part Manual it should come as no surprise that the state and the state system serve as anchor and entry point for the entire initiative.
Part I is on general international law and cyberspace, and begins with Chapter 1 on sovereignty.
Part II focuses on specialized regimes of international law and cyberspace.
Part III is on international peace and security and cyber activities, and
Part IV on the law of armed conflict.
Each Part is divided into Chapters (some of which are further divided into Sections), and each Chapter consists of specific Rules. It is at the level of Rules that the substantive materials are framed as explicit directives – points of law.
This approach, presented in the best tradition of linear text, records the meaning of each Rule, Rule by Rule, and its connections to other Rules. A document of nearly 600 pages, the Manual amounts to a daunting task for anyone who wishes to understand it in its entirety, or even in its parts. Further, the text-as-conduit may not do justice to what is clearly a major effort. It is difficult to track salient relationships, mutual dependencies, or reciprocal linkages among directives presented as Rules. For these reasons, researchers at MIT found ways of representing the content of the 600 pages of the Manual in several different visual representations that are derived from the text.
The purpose is to understand the architecture underlying the legal frame of the Tallinn Manual. One type of representation consists of network views of the Rules – all 154 of them in one visual form and in one page. And there are many more. No longer are we dealing with the rather dry text form of equally dry legal narrative. Rather we are looking at colorful networked representations of how the various Rules connect to each other – and to some extent why. This summary does little justice to process or product. At the same time, however, it points to new ways of understanding the value of 600 pages of text.
Cybersecurity and Executive Order
By definition text undermines attention to feedback, delays, interconnections, cascading effects, indirect impacts and the like – all embedded deep in the text. This is true for Tallinn Manual 2.0 as it is for responses to Presidential Executive Order (EXORD 2017).
The text-form may be necessary, but it is not sufficient. In fact, it may create barriers to understanding, obscure the full nature of directives, and generate less than optimal results – all of which prevent good results. If there is a summary to be made, it is this Table.
Prof. Derek Reveron of the Naval War College said, “Cybersecurity challenges the way we think about domestic and foreign boundaries. The military looks outward but with cyber threats boundaries have less meaning.”
He added that effectively combating cyber threats can be hampered by “tension between intelligence agencies and Cyber Command which is charged with responding. Cyber Command might be able to attack ISIS in cyberspace, but then the intelligence community will lose assets. Attacks also need clearance from Congress,” thus delaying action.
“Cybersecurity measures also challenge our idea of what’s public and what’s private,” said Reveron, noting that cyberspace is monitored and run by corporate entities that are global, not national. “Companies are more important than governments” in defending cyberspace, he said.
Additionally, it is difficult to isolate malicious cyberattacks to determine their source, and privacy and freedom come into play as well when deploying cyber defensive measures outside the US. “In China and Russia, for example, internet freedom is a threat to authoritarianism,” he observed, adding, “Google had to give up some of its values in China that it has in the US.”
Reveron underscored several practical cyber-defense rules of the road to consider:
- characterize the threshold for action and understand the adversaries’ thresholds for reactions
- to avoid escalation, governments should maintain the monopoly on cyber-attacks not companies
- critical infrastructure attacks will have a local impact, so if the power goes out in Cambridge, we need a connection between local and national responders
- within a country there must be collaboration across all entities—banks, telecom, retailers and the like
- practice comprehensive resilience to prepare municipalities and individual states for cyber attacks
- enhance the cybersecurity of developing countries by making their systems more resilient and their citizens more digitally savvy.
A recent paper on the subject, “Principles for a Cyber Defense Strategy” by Derek S. Reveron, Jacquelyn Schneider, Michael Miner, John Savage, Allan Cytryn, and Tuan Anh Nguyen, is available on the Boston Global Forum website.
During the meeting, Tuan Nguyen introduced the launch of the Artificial Intelligence World Society, an offshoot of the Michael Dukakis Institute for Leadership and Innovation.
Global Cybersecurity Day was created to inspire the shared responsibility of the world’s citizens to protect the Internet’s safety and transparency. As part of this initiative, BGF and the Michael Dukakis Institute for Leadership and Innovation also call upon citizens of goodwill to follow BGF’s Ethics Code of Conduct for Cyber Peace and Security (ECCC).
Boston Global Forum, a think tank with ties to Harvard University faculty, includes scholars, business leaders and journalists. BGF is chaired by former Massachusetts Gov. Michael Dukakis, a national and international civic leader and BGF’s cofounder. As an offshoot of The Boston Global Forum, The Michael Dukakis Institute for Leadership and Innovation (MDI) was born in 2015 with the mission of generating ideas, creating solutions, and deploying initiatives to solve global issues, especially focused on Cybersecurity and Artificial Intelligence.