On May 28, military, intelligence and diplomatic leaders from 47 countries and five continents gathered at the swanky Swissotel hotel, in the center of Tallinn, for the 11th International Conference on Cyber Conflict — also known as CyCon2019.
At the event, organized by The NATO Cooperative Cyber Defence Centre of Excellence, 645 participants listened to 105 speakers and attended 30 workshops and sessions where 29 academic papers were presented.
The main take-away was simple — cyberspace is an unwieldy, relatively uncharted domain that can only be harnessed by collective understanding.
The conference was held in Estonia because it is globally recognized as the leading authority on cyber security. It survived a devastating Russian government cyberattack in 2007 with the help of its friends and allies and because of a decision it made years before.
“Estonia was very smart,” said Elizabeth Horst, the U.S. charge d’affaires to Estonia. “In the early days of its independence, it realized that while it might not have a lot of resources, it could go digital quickly, which would be both a money-saving measure and also a way to combat corruption.”
Being highly skilled on digital platforms, the country was able to restore all of its systems, harden them and then show the rest of the world how to survive a Russian cyberattack.
“Bit by bit, program by program,” said Horst, “they introduced a lot of digital services. And as a result, they built up a lot of expertise, which they have consolidated into a couple of different sectors.”
One of them is Estonia’s E-governance academy. More than 100 official delegations from around the world come to Estonia each year to see how they digitize health care and other essential government functions. One of its crown jewels is income tax filing: It can be done on a mobile platform in literally less time than it takes to brush your teeth.
“Estonians will tell you it takes about three minutes on their phones,” said Horst, who added, “They laugh when I tell them how long it takes me to gather my documents to file my taxes.”
All of Estonia’s efforts are driven by the urgency of living next to Russia, which is seen by many in the intelligence and defense communities as aggressive and willing to use unconventional methods to achieve its foreign policy goals.
Sitting in a spacious, ground floor reception room, on a dreary, Monday, May 27, Paul Teesalu, the undersecretary for political affairs in the foreign ministry of Estonia, said in an interview that transatlantic unity is important because of Russia’s aggressive behavior.
Teesalu, who has broad diplomatic experience across Europe and in Africa, suggested that transatlantic unity drives almost every element of his country’s political activities.
“Estonia’s foreign policy, first of all, is to safeguard the independent sovereignty of the republic. And we feel the best way to do it is to have strong bonds of alliance with friends and partners — strong trans-Atlantic unity — between Europe and the U.S. and the European Union.”
He said that approach is working.
Referring to sanctions against Russia for the annexation of Crimea in Ukraine, he said, “We have been quite united, in fact surprisingly good, at keeping up our unity, when you think of the common responsibility to which we have agreed within the European Union — we have kept them already five years.”
Estonia is only twice the size of New Jersey and has only 1.3 million people; it needs more than sanctions to protect itself. So it’s developed a comprehensive strategy to defend, grow and project.
“Lots of it is related to the development of IT, new media, social media,” Teesalu said, noting the recent surge in media manipulation during political campaigns around the world. But the most critical element of Estonia’s foreign policy strategy is cyber — so much so that it has named a diplomat to lead its cyber security efforts.
‘You can’t see algorithms’
“We, the diplomats, are not looking at cyber space from the technical angle but the strategic angle,” said Heli Tiirmaa-Klaar, Estonia’s ambassador-at-large for cyber security, in an interview.
She pointed out, “Everybody has noticed that cyber space is a new domain of both civilian and military activities.” As a result, “The diplomats are now talking about what kind of behavior is allowed or not allowed by the governments in cyberspace.”
In other, better established domains, there are clear rules of the road that include how a nation’s capabilities are used, when they are used, when to refrain from using them.
“The same set of rules need to be established in cyberspace,” said Tiirmaa-Klaar. But it’s not clear whether cyberspace, a very nebulous realm, can be governed in the same way.
“You can see ships, aircraft and tanks, but you can’t see algorithms,” said Adm. Manfred Neilson, NATO’s deputy supreme allied commander transformation, which is based in Norfolk, Virginia.
Neilson, from the German Navy, was a featured speaker at CyCon2019. In an interview after his remarks, he said it will be hard to govern a seemingly infinite domain such as cyber. “We are focused on processes, procedures, law framework and all these things; but the development of cyber is incredible, especially outside the military.”
Neilson concurred with Tiirmaa-Klaar that the cyber domain weaves together both civilian and military operations. However, he made two critical observations: “We have to understand that you can’t separate military and civilian cyber, and cyber will have much more impact on civilian life than on military life.”
To prove his point, he referred to the massive ransomware attack that shut down more than a dozen hospitals in the U.K. in early May. “You can execute a silent war without using kinetics, which has a lot of impact on people’s minds and the society. And that’s important to understand,” Neilson said.
Considering that cyberattacks, which are often transnational, can be launched silently from anywhere, at any time, with no warning and leave no trace, international norms are being formulated.
“We are having discussions at the United Nations level and the global level about what kind of norms should govern state behavior in cyberspace,” said Tiirmaa-Klaar.
She said those norms include “What kind of confidence building measures we should have, and how we should follow international law — because this domain can’t be an ungoverned domain. It has to have a set of rules.”
When asked where that process stands, she said, “We are in the beginning of the beginning.”