How Estonia is helping to shape cyber resilience



Ahead of Cyber Defence and Network Security 2012, we spoke with Heli Tiirmaa-Klaar, Senior Advisor to the Undersecretary at the Estonian MoD, about the pioneering work that Estonia has contributed to global cyber security measures. Heli provides insight into the progress being made in regards to developing cyber policy, an integrated CERT team, and the underlying issue of improving cyber forensics to ensure future accuracy when it comes to identifying the source of a network attack.


Defence IQ: Heli, welcome to the session.

HTK: Thank you. Hello.

Defence IQ: We appreciate your time. It is, I would say, vital to have input from a representative from Estonia, given its recent experience and its work in the cyber domain. We’ll get to that in just a moment, but first let’s start with a slightly broader look at Europe, as a whole. Now, you’re a Policy Maker, and traditionally the European Union has had no firm policy for dealing with cyber attacks. Can I ask, why is it taking so long for this to come about?

HTK: Well, in order to answer the question, you probably have to listen to some lessons about how the European Union is built up. The European Union has many different policy areas that already have initiatives in the cyber security field, notably to fight cyber crime, and a new legislation there, which is now proposed. Then we will have some more initiatives from critical information infrastructure protection, and right now the European Union has the policy on critical information infrastructure protection, and also the network and information security field is covered by the European Union. There is an agency, ENISA (European Network and Information Security Agency), that takes care of the information security issues for member states and for the institutions. The new European CERT (Computer Emergency Response Team) will be formed soon, and so let’s just say the European Union is a very large organisation, and it probably just takes time, in such a large organisation, to mobilise the attention and resources – but once it is mobilised, it will hopefully be very efficient.

Defence IQ: Yes, and it’s obviously not an area that you would want to rush. I imagine there’s no concrete timeline for that completion?

HTK: Well, yes, and then there is the new European Internal Action Service, which is a very new institution still, and probably it just takes some time before all the players in the European Union find their own specific role in cyber field, and once they have found it, they start to coordinate it and so we will have some results maybe in a few years’ time.

Defence IQ: Well, we’ll actually be speaking directly with that action service very soon, in this podcast series. Now, just moving on from there, without going into detail over the events in Estonia back in 2007 – as it’s well-trodden ground – let’s simply look at the aftermath, if we can. What were the lessons, Heli, taken from this incident, and how has Estonia since emerged as a pioneer in the realm of cyber defence?

HTK: Well, the first lesson, probably, for all countries was that no country can really these days fight alone. So in order to be efficient you should have vast coordination networks – international coordination networks. International organisations should have their networks in other international organisations, and the information in cyber threats is not only in one domain. It’s not only in cyber crime. It’s not only in military services. It’s not only in police. It’s everywhere. And in order to get the full picture of what is going on, international coordination and cooperation is the key. So that’s one lesson.

And the other lesson of course is that in one nation, the nation has to have a very viable cyber security system, with public/private partnership, with necessary policies and organisation, and with necessary interagency coordination.

So all those elements have been strengthened, in Estonia, and this has been my direct responsibility in the last three years, to advance that system, and I’m happy that it’s been done.

Defence IQ: So Estonia has shone a light on this need, and you’re saying that progress has been made, but do you believe that it will take a similar large scale incident in those other nations, for international forces to move as swiftly with their own national cyber policies, or their cyber procurements, or indeed their cyber countermeasures?

HTK: I think some nations already have been doing quite many useful efforts, and it’s just sometimes the issue of the size of the country, and also the different institutions in different larger countries have very clear mandates, and it’s sometimes hard to coordinate who is doing what, and it takes just time before they get their act together. But I think there is a learning curve probably for every nation in cyber… let’s say cyber defence or a cyber security system… and every nation probably will reach that point of maturity at some point. Just in some smaller nations it’s easier to reach it early, and in larger nations, it takes more effort and political attention and resources as well, because the targets are not only the governmental sites, or not only the military. It’s civilian national infrastructure; it’s everybody, basically. So the more targets you have in a nation, the more work you need to do, and then it’s about the awareness process, it’s about the interagency coordination, and how the political elite of the country is seeing the issue, and whether it pays attention to this issue or not, so it’s still very varying in Europe, I would say.

Defence IQ: Yes, that’s a good point, and it does raise that issue of the level of seriousness that cyber attacks can pose. On that note, do you think it’s time to begin treating cyber attacks in the same way that we would perhaps treat conventional attacks on a nation’s soil? I understand that Estonia has been one of the most vocal on this subject, so aside from the official stance, what should we be considering when we look at this argument?

HTK: Cyber attacks can be dangerous, but most of the cyber attacks are nuisance or disruption, and it depends very much on the nature of the cyber attacks, what we talk about and the consequences. If the consequences of cyber attacks are serious enough, it could trigger very serious political response, but no country in the world has predetermined the response so far, and no country in the world has said that cyber attacks can trigger armed attack response definitely. So I think this strategic ambiguity, how the attacks will be responded, should remain, in order to deter some of the terrorist groups and some of the non-state actors to go over certain borders. But the hope is that the rational actors, the nation states, the players in the international arena, actually know what they are doing if they employ the cyber tools, and for that we have international law that could be employed, in order to restrict nation states to launch very serious cyber attacks against other nation states. We have the rules of engagement in war, we have the law of armed conflict. So these laws have to apply also in case of cyber conflict, in order to restrict the unlawful launch of attacks in cyber space.

Additionally we should build these norms for arrangements and mechanisms in the international arena, notably confidence-building measures, for instance, that would reduce risk and create transparency between the countries. We could also think of developing general norms of behaviour for nation states in cyberspace, to have a type of ‘soft law’, what is recommended and what is not recommended. Because of the real time attribution issue in cyberspace, it’s hard to set a new cyber law.

We have actually one very good cyber law existing, which is the ‘Council of Europe Convention on Cyber Crime.’ This is more a law enforcement focused document, but it sets the very clear principles on what a country itself has to do in order to fight with organised cyber crime, and how the penalties have to be applied, and then how international cooperation should be carried out in investigating cyber incidents. So all these instruments, actually, what we already have in international law, should be applied. Plus there should be additional confidence building measures in order to enhance the possibility of perception of states in crisis situation, because the risk is that some non-state actors would appear to be attacking another state, and could be masked [to appear as] state actors – and for that reason you should have some arrangements between the states how we can reduce that kind of misperception threat in very serious cyber conflicts.

Defence IQ: You raised several excellent points there, but probably the one there at the end, which I imagine is even more of an issue than measuring the seriousness of a threat is in the identification of the source of that threat. How would we perhaps begin to make proper steps towards those arrangements, as you called them, in determining the source of an attack, whether it’s state or non-state? Is there a way that we can physically do it? And would that be the lynchpin problem that’s underlying this whole puzzle?

HTK: Yes, it’s possible to do it, but it’s not possible to do it in real time. This is very sure. It’s possible to track the traces of a cyber attack later on, after the incident. But in order to respond in real time, or in a short time, sometimes this short time response is also needed. So then the identity of the attacker could be hidden, and therefore, well, in order to diminish the risk of misattributing the attack, we should have those more political measures. But as for the attribution issue, I think that this is not a mystery, and it’s overestimated, and we, in the area of counter-terrorism, have the principle that the country is responsible for investigating and cooperating, in order to track down terrorist activity on its territory. In cyberspace we could apply the same kind of logic that we have to take the nation states first to be responsible for all sorts of malicious cyber activity on the territory, and with this nation state responsibility, we can go on setting some norms, how nation states have to be investigating the cyber incidents, how they have to build up the law enforcement capabilities, and how they have to progress in their cyberspace monitoring and forensics and analysis capabilities. This is kind of a law enforcement issue in the end, not so much military, actually, because the cyber actors, most of them are in the civilian domain. Either they are sometimes used by the countries, or they carry out some state sponsored activities, but they are still, in majority, in the civilian domain right now.

Defence IQ: I see. It will be interesting to see whether the development of the cyber forensics field will evolve in the same sort of way that we’ve seen the conventional criminal forensics evolve, throughout the 20th century. I imagine there’ll be a lot more emphasis on that, and we’ll see some interesting things come of it soon.

To move on, I’d like to ask, just going back, right to the start of the discussion, where you mentioned the combined CERT initiative currently looking to be developed this year, I believe. Can I ask how is that intended to impact the current pre-existing CERT teams within the EU, or indeed any other cyber command currently involved in this domain?

HTK: Yes. EU CERT is supposed to be guarding the EU’s own institutions. It’s not the CERT for the whole of Europe, so every country still has to have its national CERT, and these national CERTs in each European country actually are coordinating with each other already. They are having exercises, and any European network and information security agency is taking care of this pan European exercise initiative with national EU CERTs or CERTs from the EU countries.

So the CERTs for EU institutions themselves are just needed in order to protect the information possessed by those [specific] EU institutions themselves. So that’s long overdue!

Defence IQ: We will keep an eye on that as it develops.

It’s recommended that we develop offensive cyber capabilities in order to fully round out our cyber defence, at least in the words of some of the experts that we’ve spoken to recently. What are the policy or legal implications inherent to this theoretical approach?

HTK: The offensive cyber capabilities are kind of buzzwords or catchwords, and it’s probably also promoted by defence industry that we need really those offensive capabilities. In fact, what we actually need maybe more is awareness raising and prevention of cyber problems. You might be aware that 80% of the breaches in organisations come from human negligence, not from outside attackers.

Defence IQ: Right.

HTK: So there are much more serious issues with, let’s say, organisational cyber security than the attackers from outside. It’s just that those serious issues don’t get headlines. Like somebody who had been negligent doesn’t make a good headline. If somebody had attacked an organisation it makes a good headline. So therefore I think it’s much more complex issue, and it would be wrong to think that if we only had more offensive capabilities, the issues will be solved. It’s not like the conventional military issue. It’s much more complex. Therefore I don’t… I am not a believer…

Defence IQ: You’re not a proponent?

HTK: … that offensive capabilities will solve all the issues. No, they don’t solve the issue. They might help something, in general, maybe a strategic picture, but as for the national level cyber security, you need a lot more attention going to preventive side.

Defence IQ: Yes. Change from within, in other words.

HTK: Yes.

Defence IQ: Okay. As we’re looking towards India, obviously another non-EU ally, now beginning to develop and enhance their cyber resilience capabilities, how do you anticipate that this will affect Estonia or the EU, or indeed the global cyber domain? Will there be, would you say, many new challenges to face with this rapid increase of militarised investment?

HTK: Well as I said, you cannot militarise it. The domain cannot be militarised because it’s not meant to be a military domain. It’s being militarised because of the side effects of not having security built in, in the cyber domain. This is the issue that we have in the cyber domain.

In aviation we have security built in, but in cyber we don’t, and let’s say the industry doesn’t help either much because the software, which is developed, seems to be pretty weak, full of vulnerabilities, and so probably we will have many checks going on in the future.

As for the countries outside Europe, and what they are doing, if they raised their own resilience, and if they enhanced their own capabilities, especially law enforcement capabilities, to take responsibility on what is going on, on their cyber, and in their cyber space, on their territory, this is a great help for all the world, because the cyber crime that comes from the countries, which do not have advanced law enforcement capabilities and legislation is the most serious threat – not the militarised cyberspace, but those, let’s say on organised crime civilian actors that use the territories, which cannot govern themselves, in order to launch attacks towards European countries or North America. So this is the major problem, not the nation states having some military capabilities. And nation states supposedly are more rational, and they don’t use these capabilities unless there is a political reason, but cyber crime guys, they are around, and they use every opportunity to attack banks and economic actors, in order to make money. So this is the real problem there.

Defence IQ: Okay, well, in those efforts to foster partnerships and to continue to maintain the real dialogue on the issues, we’re very much looking forward to seeing you at the cyber defence series, Heli. Thank you very much for your input today.

HTK: Thank you.

Defence IQ: Thank you.

Cyber Defence and Network Security 2012 takes place in London this coming January. More information and booking forms: Tel: +44 (0) 207 368 9334