Cooperation vital in cyber security, says former Estonian minister

Cyber security has been recognised as being an essential part of national and international security, but this is not the domain of states acting alone, according to Marina Kaljurand, chair of the Global Commission on the Stability of Cyberspace, and former foreign affairs minister for Estonia.

“I would argue that that the state alone cannot be efficient in providing cyber security, which leads to cooperation, which leads to trust,” she told the European Cybersecurity Forum in Krakow.

However, Kaljurand said trust among states, individuals and trust in the future – belief that the future development of societies and economies – depends on a safe and trust worthy cyber space, as does digital transformation.

Evaluating recent developments, Kaljurand said she would like to address the topics of the United Nations, attribution and state practice, offensive capabilities and the multi-stakeholder model.

“Looking at 2017 and 2018, one could argue that states have ‘taken time off’. States are not acting in the United Nations as they were in previous years, with a united group of governmental experts,” she said.

But, on a positive note, Kaljurand said the principles, recommendations and norms of responsible state behaviour that have so far been agreed within the framework of the United Nations Group of Governmental experts (UN GGE) are receiving increasing global approval.

On the topic of state practice and attribution, she said while it appears that not much is happening, recent developments show that progress is made.

“The first time an act was attributed publicly was 2015 when the US attributed the Sony Attack [to North Korea], then came the attribution of DNC [US Democratic National Committee] attacks [to Russia] and WannaCry [to North Korea]. But those were attributions by [a single] state only.

“2018 was a breakthrough when several states attributed cyber attacks. That is what I call ‘state practice’,” she said, noting that the UK’s attribution of NotPetya to Russia was supported by more than 10 other states, including Estonia.

However, Kaljurand noted the absence of support from Germany, France, Italy and other EU states, saying that it took them more than a month to issue an official response.

“But if you look at the document, it is a weak one,” she said, because it merely expressed “concern” without calling out Russia or outlining what would follow. However, Kaljurand said it has to be recognised as the first effort ever to apply the EU’s official cyber diplomacy toolbox.

“It is good to see that there are more political statements supporting attributions,” she said, referring to the most recent attribution of cyber attacks to Russia by the UK and its allies.

In 2016, Australia was the first country to declare they had offensive cyber capabilities, saying they would be used to respond to serious cyber attacks, support major operations and counter offshore cyber events, said Kaljurand, and in November 2017, Nato announced that it had embraced the use of cyber weaponry in Nato operations to deter attacks on members.

“It is not war mongering. It is a preventative action,” she said. “I am very glad that states are finally coming out of the closet and overcome the taboo of discussing things that are really happening.”

Whatever states do should stay within the framework of international law, said Kaljurand. “International law applies to cyber and applies to offensive capabilities. No question. No doubt should be raised about that,” she added.

Turning to the topic of a multi-stakeholder model, Kaljurand could not remember states mentioning “inclusiveness” as many times as they have in the past year.

“As Estonia’s foreign minister, I heard the private sector, industry and civil society complaining that states are not listening to them, that states are not cooperating with them.

“But there has been a shift. I would argue that states are accepting the multi-stakeholder model more and more. Now the question is how to apply it,” she said.

Looking to the future, Kaljurand said states should come together and continue the UN GGE process. “But they have to change the process. If they want the process to be serious and respected, if they want it to be adopted by a wider number of states, [the process] has to be open, transparent and inclusive.”

The challenge for states and governments is to find ways of cooperating so that those who want to contribute will have the chance to be part of the process, said Kaljurand.

“The UN has to lead by example and say that ‘multi-stakeholder’ means all stakeholders: governments, businesses, industry, civil society, academia and the technical community,” she said.

Within the context of the UN, Kaljurand said Western democracies should be much more active in promoting their understanding of the use of information and communication technologies and how technology can change countries in terms of economy, governance, people, education and awareness.

“If we want those countries that have not made up their mind yet on cyber security to follow our lead, we have to reach out much more. We have to talk to them. We have to convince them. We have to win hearts and minds,” she said.

“Let’s cooperate and let’s find trust in cyber security because, as we all say, in cyber security we trust.”