Paris '07 Workshop
Cyber-Defense: Estonia's Recent Experience of this Unnoticed Third World War
His Excellency Jaak Aaviksoo
|His Excellency Jaak Aaviksoo, Minister of Defense of Estonia.|
"...cyber-defense will not work if there are national or international judicial gaps. The choice...is not to
change our way of life or stop developing technology that makes our world a better place,
but to effectively stop those who... attack our way of life by abusing that technology."
Thank you for inviting me to speak here today on a topic that in my opinion deserves more attention than it has gotten, specifically, the topic of this panel, “Cyber-Defense: The Unnoticed Third World War.” I believe this topic reflects the reality of today. Whereas conventional threats have more or less stayed the same, a new and potentially more menacing type of activity has arisen that so far has not been given much consideration. One could even say that it has been deliberately isolated in cyber-space and dealt with only on the margins—until events in cyber-space made us pause and re-think the issue’s impact on our security.
CYBER-ATTACKS IN ESTONIA
As you may know, Estonia recently was hit by a politically motivated cyber-campaign that targeted government, industry,
and private sites using a wide array of offensive techniques. Though it is
difficult to identify the persons, groups, or organizations behind the attacks,
we do know that most of the attacks were carried out not only by amateurs with
primitive methods, but also by highly skilled cyber-attack specialists with
significant resources. The attacks were not only protests against the Estonian
government, but also large-scale, well-coordinated, and targeted actions that
took place at the same time as political, economic, and media events. In our
minds, what took place was cyber-warfare and cyber-terrorism.
Estonia is one of the most wired countries in the world. Roughly 60% of the population use the Internet every day and over 97% of all bank transactions are done online. Indeed, the Internet has become a common channel through which people pay their taxes and even vote in local as well as general elections. Hence, e-services and access to the Internet are integral parts of our society. The unprecedented cyber-attacks that occurred can thus be defined as attacks against the Estonian way of life. It is clear that if we had not applied timely countermeasures the situation could have turned much worse and posed a significant risk to our national security.
In essence, the cyber-attacks against Estonia
demonstrated that the Internet is a battlefield of the 21st century,
and our increasing global dependence on the Internet, online services, and our
critical information infrastructure is making us more vulnerable. As
demonstrated by the events in
Cyber-domains thus present a paradox—the more wired you are, the more attractive you are as a target, because the potential damage is greater. Even those countries that are technologically well advanced are vulnerable to cyber-attacks—complete safety simply does not exist. Of course, one could say that human lives are not at stake in cyber-attacks, but when you imagine a situation in which basic everyday needs are denied, for example, traffic systems are hacked and emergency numbers are unusable, you can see that human lives can be very much at stake.
ADDRESSING THE ISSUES OF THE 21st-CENTURY BATTLEFIELDAs we try to come to grips with this new 21st-century battlefield, certain aspects immediately stand out:
1. Dealing with cyber-defense in general, it is worth asking ourselves whether it would serve our common purpose
better to start acknowledging the impact of cyber-defense on our civilian as
well as our military affairs. I think we all agree that our military
command and control, ISR, and precision strike capability rely on ensured
access to the electronic spectrum. It is also clear that losing freedom of
action in cyber-space is not an option. At the end of the day, all the data in
our national or international neural networks is relatively useless unless it
can be protected.
In Brussels, NATO defense ministers agreed that urgent work is needed to enhance our ability to protect information systems of critical importance to the Alliance. I think this is definitely a step in the right direction.
2. When tackling a problem that is international in nature, such as cyber-defense, more rather than less cooperation is the only way to deal with it. Estonia is a small country, open, transparent, and cooperative, and it was our transparency and eagerness to cooperate that enabled us to mobilize quickly and minimize the cyber-attack damage.
3. The need for a legal framework. Closely tied to the aspect of cooperation is perhaps the toughest issue—that of a legal framework. All of us should ask ourselves, Do we as nations, but also as allies and partners, possess all the required judicial instruments? Do we have a proper legal code that defines a cyber-attack in detail? Do we know where cyber-crime stops and terrorism or war begins? Should NATO, for example, safeguard and defend not only its communications and information systems but also some critical national physical infrastructures? And what of collective defense when cyber-war is being carried out against one of the Allies?
As you can see, I don’t have many answers yet, but if we do not start answering these hard questions soon, we will not be able to deal with the future effectively. As we try to draw the right conclusions for the way ahead, it would serve us well to look to the past, because the nature of cyber-defense is not that different from another field of endeavor, specifically, sea faring.
The European Long-Term Vision that was agreed to in 2006 puts it well—it sees cyber-space as a new common environment that states and the same way for centuries, because the sea had and still has an international character and is a place where trade and international communication are conducted. In addition, two of the main problems of cyber-space are the enormous degree of anonymity among the players and its ever-expanding nature. We are asking now, How can we handle that? How can we make sure that the communication lines between suppliers and customers are protected? These are the same questions that were asked before the Information Age regarding the communication lines at the sea.
Because this workshop is being held in Paris, I would like to take the opportunity to remind you of the Paris Declaration Respecting Maritime Law that dates from April I6, 1856. This short piece of paper called the signatories to abolish privateering, which basically was seen as state-sponsored piracy. The declaration represented the first multilateral attempt to codify in peacetime rules that were to be applicable in the event of war. Though it had holes in it, the declaration established maritime law among the major powers of Europe.
Now, once again in Paris, we need another universal convention, this one against cyber-crimes, be they state or non-state in origin. That is because cyber-defense will not work if there are national or international judicial gaps. The choice we must make is not to change our way of life or stop developing technology that makes our world a better place, but to effectively stop those who want to attack our way of life by abusing that technology.