The small Eastern European country of Estonia is widely considered a leader in cybersecurity and e-governance and is also commonly believed to be the first victim of cyber war in 2007. The Journal of International Affairs talked to Toomas Hendrik Ilves, who recently stepped down as president of Estonia after ten years in office, about cyber threats and opportunities. President Ilves says the more digitized a country is, the more vulnerable it is to cyber attacks, but he believes it is possible to build a credible cyber deterrent.
Estonia is a leader in information technologies, but also a target of cyber warfare. Has the former influenced the latter?
Estonia is known for its good Internet services and high percentage of people using them. Almost all of bank transactions and income tax returns have been done online since 2000, virtually all prescriptions are online, the land registry exists only digitally, and one third of votes in the last several elections were cast online. The highly popular digital signature, given with either an ID card or mobile ID, is legally equivalent to a traditional signature. According to the digital economy and society index, Estonia ranks number one among 28 European countries in e-governance.
This, however, also means that the country is highly dependent on the functioning of these digital services and that cybersecurity is a crucial part of our overall security. We worry first and foremost about civilian and commercial networks. We worry about power grids, traffic control systems, hospitals, banks, financial markets, credit cards, and personal data records. All of these have come under attack; serious or large-scale damage to these in the digital age can have disastrous consequences for our populations and our economies.
Given the robustness of a universal two-factor, highly encrypted ID and the security of a distributed data exchange layer connecting parties, the Estonian system is considered far more secure and less hackable than systems elsewhere.
Nonetheless, in today’s world the more modern and the more digitized you are, the more vulnerable you are. Thus, high dependence on digital services and networked infrastructure makes Estonians more vulnerable than other countries that do not use Internet services in everyday business. At the same time, we are more secure than the majority of countries that use less robust security measures.
Estonia is a small country, but over the years it has built a strong capacity to prevent cyber attacks. Is Estonia more secure today?
Cyber attacks on Estonia do not reach international news for two reasons: our national data are better secured than in most places and we are small. This does not mean that we do not have to prevent attacks and security incidents. As I said before, the more networked and digitally dependent society we have, the more vulnerable we are.
The uncontrolled expansion of Internet demands better preparedness to cope with the new architectures of cyberspace. A large number of cyber incidents can be avoided, or their effects greatly mitigated, if security procedures and implementation measures are applied.
In Estonia, we have invested considerably in cooperation between the public and private sector. The government helps critical infrastructure companies assess and test their information systems, organizes exercises, and has been successful in the creation and support of communities of cybersecurity providers.
Increasingly, raising awareness about cyber threats as well as developing skills and knowledge to use technology safely have become a central aspect of ensuring cybersecurity in Estonia. After all, the technology itself doesn’t create risks—they occur from the malicious, rather than intended, use of technology. The more aware we are about the possibilities of technology, the more we can predict threats and prevent detrimental consequences.
Most of the cyber attacks on Estonia trace back to Russia. How does this affect bilateral relations?
Estonia cannot ignore that we are located next to Russia, which uses aggressive rhetoric, is constantly developing its cyber attack capabilities, and for whom activities directed against other states in cyberspace are merely an instrument to increase its influence and accomplish its objectives. On the other hand, attacks in the cyber domain pay no attention to geography. Politics pays attention to geography, electrons and bits do not.
We are already accustomed to the fact that Estonia’s networks and information systems are regularly mapped and measured to obtain information that would be useful for planning any kind of non-digital large-scale activities against Estonia. In addition to Russia, our cyber threat analyses cannot ignore the need to take into account terrorists and hostile cyber activists. Thus, we need to be aware what is going on in cyberspace worldwide, not only in Russia.
NATO recently recognized cyberspace as a military operational domain. How does this affect Estonia’s security as a NATO member?
I welcome the understanding that cybersecurity has finally reached the attention and awareness of the highest political elite. This announcement recognizes that digital means can be just as effective militarily as kinetic means, or more bluntly that some lines of code can just as effectively knock out a power plant as a missile.
NATO’s main cyber efforts, however, remain focused on the military defense of the organization itself. While recognizing the importance of civilian networks and the risks they face, NATO lacks the legal or policy levers to address these questions directly.
Is it possible to build up a credible cyber deterrent?
Yes, it is. The United States is a positive example in this. NATO as a collective security organization is still working on it. But the Warsaw Summit decisions have laid a good basis. Moreover, it would be naive and simplistic to think that an attack in cyberspace needs to be responded to in cyberspace. Responses are rarely domain restricted.
What are the benefits of digital citizenship, a concept first introduced in Estonia?
The proper term is digital residency, not “citizenship,” as the identity does not give the rights of citizenship (voting, etc.). Some two years ago, the Estonian government began to issue ID cards to non-residents. The idea came from pragmatic everyday problems.
If all Estonians are able to manage their businesses online—make tax declarations, forward annual reports, represent the company online, give digital and legally valid signatures—why should foreigners who do business in Estonia not be able to too? We are a small country, as is our economy. Thus, the government decided to offer better and more modern tools for doing business in and with Estonia for those who are not living in Estonia.
Now not only businessmen, but everyone else who has some personal connection or interest in Estonia, may apply for this universal tool. The e-residency card is used not only for governmental services, but one can use it for various kinds of e-services like Internet banking or signing contracts.
What can other countries learn from Estonia’s experience?
Technology can be a potential disruptor but also a key enabler in economic development. Together with Kaushik Basu, the chief economist of the World Bank, I had the honor to co-chair the advisory council of a report titled “Digital Dividends.”i It outlines the pitfalls of falling behind—when technological advances are not accompanied by necessary reforms, including legislative and educational ones, the digital dividends like inclusion, efficiency, and innovation will not reach us equally.
As the report concludes, Estonia demonstrates that even small and developing or transitioning countries can seize the opportunities the Internet offers by implementing a smart and comprehensive digital development strategy. By building and using digital solutions for decades, people in Estonia have gained valuable experience about how to protect these services and, more generally, how to protect the way of life we have. We believe that cybersecurity is an enabler not an inhibitor.