EU’s e-CODEX data exchange channel to be based in Tallinn

July 23rd 2021

 BNS/TBT Staff

TALLINN – The Committee of Permanent Representatives at the Council of the European Union (COREPER) has approved the EU’s IT agency eu-LISA, located in Tallinn, as the seat of the EU cross-border data exchange channel e-CODEX.

“The fact that e-CODEX will be located in Estonia is very welcome, as the digitalization of the field of justice is one of the priorities of this government,” Estonia’s Justice Minister Maris Lauri said according to spokespeople. 

“The decision is also significant in the sense that this platform will allow for easier and more convenient exchange of data with different member states in both civil and criminal matters. This, in turn, will bring legal possibilities closer to citizens, businesses, lawyers and public officials,” the minister said.

The further development and management of the system will take place at eu-LISA in Estonia. This will lead to the expansion of eu-LISA in Tallinn, including the creation of additional posts.

On June 2 this year, COREPER, which prepares the work of the EU Council, adopted a general approach regarding e-CODEX. On Thursday, the position was clearly changed to indicate that e-CODEX will be located at the Tallinn-based eu-LISA, which is an EU agency established to manage IT systems in the fields of internal affairs and justice. The decision will be followed by trilogue negotiations in the European Parliament. 

Resource: Baltic Times

Cybernetica: Pursuing secure health data exchange in the midst of COVID-19

May 2020

by Adhele Tuulas

creative assistant

The past few months have introduced a dramatic change in global circumstances. Many companies have been forced to pivot and adapt their previous activities to the “new normality,” and rapid innovation has entered the scene in response to the crisis. For some, however, previously ongoing projects suddenly reached a whole new level of value and relevance.

Cybernetica, the Estonian company behind the Unified Exchange Platform (UXP) that sustains a wide array of Estonia’s e-health services, had been pursuing international projects for secure health data exchange even before COVID-19. These included their project TOGETHER for PPE Readiness and other projects for international data exchange of personal medical information, based on the UXP technology. The company has now accelerated their development process, as the importance of trusted and rapid data sharing has suddenly skyrocketed.

Shifting priorities in light of an emergency

“When we started with our project TOGETHER for PPE Readiness, back in September 2019, we had no idea that we will face the situation we have in the world right now in the near future,” notes Meril Vaht, Project Manager and Systems Analyst at Cybernetica. As the aim of the project is to share Personal Protective Equipment (PPE) (masks, gloves, gowns, etc.) data regionally and nationally in the USA for better emergency preparedness, the importance of this undertaking has now increased significantly.

“The system we are building allows trusted data exchange between hospitals, in order to improve their ability to manage PPE inventory,” Vaht explains. “Using the UXP technology, federal and state level organisations are provided access to a set of services that digitally maintain inventory data as well as purchasing and delivery data for the sites that manage stocks of PPE.” The solution provides nearly real-time data, which ensures greater efficiency in PPE distribution during surge demands – such as disease pandemics and other emergencies. It is therefore exactly the kind of solution we would benefit from right now.

The initial plan saw the end of the project’s first phase, dedicated to testing purposes only, in September 2020. Now that global priorities have undergone dramatic shifts, the company has accelerated the development process. The first three organisations are set to go live by the end of the first phase.

Importance of cross-border data exchange

Cybernetica’s second project on secure exchange of personal medical data touches upon another important consideration that came to the spotlight in the past few months – if an emergency hits an individual when they are abroad, how can we ensure they get the help they need? One possible response to this question is well highlighted in the proof-of-concept project Cybernetica successfully completed in March this year, in collaboration with NTT DATA Corporation and NTT DATA Italy.

“The proof-of-concept focused on a scenario where a hospital acquired the data of a Japanese person, who was receiving medical treatment in the EU, from the patient’s medical records in Japan,” Vaht explains. “In addition to providing better treatment while abroad, seamless and appropriate treatment is available for the patient upon returning to Japan.”

Systems like this support improved communication between doctors, enhanced control over health data records stored in standardised format, and better decision-making and treatment plans. In light of the current crisis, we are also talking about better accessibility, improved possibilities for better data analysis, and so on.

Mitigating risks and safeguarding privacy

In light of the hurried development of new solutions under crisis mode, many have voiced loud concerns surrounding privacy and the potential pitfalls that could occur with accelerated processes. Nonetheless, Vaht assures that despite faster decision-making, critical analysis in the development process is definitely not pushed aside but rather prioritised even more.

The promise of privacy is indeed present in every aspect of Cybernetica’s technologies. When it comes to GDPR compliance, Vaht notes that there are of course many factors to take into account. From the perspective of the implemented technology, the UXP provides technical measures that take care of the security of the interaction between the information systems of one or more organisations.

Due to UXP’s distributed architecture, the UXP members communicate directly with each other and exchange only specified data. The data exchange between organisations is authenticated and encrypted and the service provider can control access to the services. Furthermore, all the messages are signed and timestamped, which prevents misuse of sensitive data.

However, Vaht also notes that the UXP technology covers only one part of the GDPR compliant data exchange. “It is important to keep in mind that the organisation which implements the UXP has to adjust its privacy policy with appropriate requirements of the GDPR. Additionally, the organisation must prove that it has implemented end-user authentication and access control procedures that are compliant with the security requirements.”

Digitalisation can no longer be escaped

Vaht agrees with many observers from Estonia and around the world, that by now there is no doubt this pandemic will push the world towards greater digitalisation. With increased data access and connectivity, we nonetheless have to be mindful of the associated risks. Privacy of digital data and trusted data exchange are therefore going to keep moving further into the spotlight.

“Providing the means to audit and trace back information to its single origins, enables a truly connected and secure world despite the physical distance.”

So, what’s next for Cybernetica?

When it comes to secure data exchange, Vaht says they are hopeful to see a growing number of international projects, in healthcare as well as in other fields in the future. “We are looking to contribute to greater digital accessibility to data and vital services and to that becoming part of the ‘new normality’ for both the public and private sector.”

Resource: e-estonia

Estonia and the United States to build a joint cyber threat intelligence platform

January 2020

Estonia and the United States have started cooperating to build a joint platform for sharing cyber threat intelligence between the two countries. The system will be developed by Cybernetica and procured by the Estonian Centre for Defence Investment according to a framework contract signed by the two parties at the end of last year.

The cooperation is based on a joint R&D cooperation agreement between the United States Department of Defense and the Estonian Ministry of Defence, signed in 2016. The collaboration itself was initiated in 2014 with the US Air Force Research Laboratory (USAFRL), when the idea of automating data exchange for cyber threats was proposed.

“The goal is to develop an automised cyber threat intelligence system between the US and Estonian defence forces, tailored to the specific needs of the two nations to enhance the cyber defence capabilities of the two parties. Regular exchange of threat intelligence between actors is one of the core principles of cyber defence today,” said Kusti Salm, Director General of the Estonian Centre for Defence Investment.

While the system will initially be used by Estonia and the United States, the parties are exploring possibilities to introduce the new capabilities to other allies.

According to Oliver Väärtnõu, CEO of Cybernetica, this is a historic milestone in the collaboration between the two nations. “This is the first-ever joint capability developed in the cyber domain between the two countries. We are proud that Cybernetica has the possibility to take part in this collaboration and that our experience in creating state-of-the-art technologies in the domains of secure data exchange, situational awareness, privacy and information security is given tremendous recognition. We thank our partners both in the United States and Estonia for continued trust in Cybernetica for delivering critical systems,” he added.

Resource: e-estonia.com

Data Embassy – the digital continuity of a state

December 2019

Nobody wants to imagine the worst-case scenario, but victory loves preparation. So, try to picture a situation where a cyber-attack, natural disaster or even war would compromise the functioning of a state – all these are considerable threats also to countries that have a less advanced digital infrastructure than Estonia. How to make sure that all crucial citizen and governance-related data is safe in situations like these? This is where the data embassy comes in.

Storing data outside our borders

Estonia is the first country in the world to establish a data embassy. It may sound futuristic, but it actually just means a secure data centre. In essence it’s an embassy without an ambassador and it’s located at a secure facility outside Estonia. While it has the highest security level for data centres, it’s not an embassy in the traditional diplomatic sense – it is something completely new under international law.

What’s inside?

As mentioned, it’s really just a data centre – on the visual side just imagine racks of servers. From the database side, ten strategically important datasets will be backed up into the data embassy. They currently are (in no particular order): e-file (court system), treasury information system, e-land registry, taxable person’s registry, business registry, population registry, State Gazette, identity documents registry, land cadastral registry, national pension insurance registry.

Resource: e-estonia

Estonia as an international cybersecurity leader

August 2019

by Josh “Juku” Gold

Josh “Juku” Gold is a research assistant at Citizen Lab, and a 2019 visiting fellow at The Hague Program for Cyber Norms. His bachelor’s thesis (University of Toronto) investigated the 2007 cyberattacks against Estonia and their legacy. Josh is Estonian-Canadian.

How and why does Estonia have so much influence in building international cybersecurity norms?

If you are reading this article, or familiar with e-Estonia, it is likely that you know something about Estonia’s bold and successful digital innovation. You may be aware that—as is necessary for a society reliant on digital technology—Estonia is also very focused on cybersecurity. Yet this focus is not only on ensuring its own national cybersecurity at home. Instead, especially since 2007, Estonia has held a prominent role in leading international cybersecurity efforts – particularly those focused on establishing rules for behaviour in cyberspace.

Punching above its weight: Estonia’s prominence in cyberspace governance

Estonia has been at the centre of global cybersecurity discussions and action since at least 2008. That year saw the establishment of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn. The Centre is essentially a military think-tank that leads the world in crafting cyber defence solutions through a multinational, interdisciplinary analysis of various cyber issues. As of 2018, the CCDCOE is responsible for identifying and coordinating education and training solutions in cyber defence for all NATO bodies across the Alliance. Today, the CCDCOE comprises 25 states and more are lined up to join, including NATO partner states Japan and Australia.

The Centre is best known for its Tallinn Manual process, a non-binding, academic study on how international law applies to cyber conflicts and cyber warfare. It is the most authoritative and comprehensive of its kind, and is continuously developed by the CCDCOE with input from nearly 50 states.

Estonia is also deeply involved in global efforts focused on security in cyberspace. Most prominent of these is the United Nations Group of Governmental Experts (UN GGE), which has met five times since 2004 to deliberate on developments in information and communications technology (ICT) in the context of international security. Although the size of the GGE is very limited, from 15 members in 2004 to 25 members today, Estonia has been selected to this group for its past four iterations and will be represented at its upcoming set of meetings this year.

Estonia is home to the e-Governance Academy, a non-profit think tank and consultancy that has worked with over 200 organisations and trained more than 5,500 officials in 130 countries on e-government, e-democracy, and cybersecurity solutions.

Since its founding in 2012, eu-LISA—the EU’s Agency for the Operational Management of Large-Scale IT Systems—has been located in Tallinn.

In October 2018, a speech by then-US Secretary of Defence James Mattis revealed for the first time that Estonia would join the US as one of just four other countries to offer NATO national cyber capabilities to help fight in cyberspace, if necessary.

In June 2019, Estonia was elected for the first time as a non-permanent member of the UN Security Council, which Estonia’s ministers and President say they will use to further action and spread knowledge on cybersecurity and digital governance.

From 2014-2019, former Estonian prime minister Andrus Ansip was in charge of the EU’s Digital Single Market, which among other things deals with security, privacy, and general coordination of the EU’s digitalisation. Upon Ansip’s departure, Estonian bureaucrat Juhan Lepassaar was elected among 80 candidates to become executive director of ENISA, the EU’s cybersecurity agency.

The list goes on and on.

But why is this so? How did Estonia get here, and why do other countries value Estonian opinion? And why should Estonia spend so much effort on this when it has so many other things to worry about?

Learning From Experience

The answer is directly related to Estonia’s experience with cyberattacks in 2007, policy decisions then, and steps forward since.

In spring 2007, during a time of heightened tension between Estonia and Russia, Estonian online services came under a barrage of cyber attacks of varying intensity and sophistication. They continued for three weeks. Luckily—and surprisingly to some Western observers—Estonia was quite successful in defending against the attacks, and direct damage was minimal. But the implications were huge; the attacks demonstrated the risks of political events extending into cyberspace, and the social threat posed by large-scale disruption of the public internet. This was emblematic of the future of war, and a wake-up call for all nations.

And nations did wake up. The NATO CCDCOE, which Estonia had pushed for since 2004, was quickly established. Estonia became one of the world’s first countries to release a National Cyber Security Strategy (2008-2013); essentially a ‘lessons learned’ from its 2007 experience. Other states studied this document closely and it went on to inform NATO and other states’ doctrine.

That Estonian leaders decided to be transparent during and after the attacks brought great dividends. Estonia declassified almost all information about the attacks, turning the country into the global case study for cyber conflict while also, through its openness, maintaining trust of its citizens using e-services.

Small States Need International Rules And Cooperation

Estonia is now one of just a small handful of states globally to have released a third generation National Cyber Security Strategy (2019-2022). Notable throughout all three of these cyber security strategies is a focus on the global nature of threats in cyberspace and the need for international, multilateral action.

To stay at the forefront of digital governance and continue developing its digital society, Estonia must remain a leader in security. As stated in its 2019 Cyber Security Strategy, “For Estonia, cybersecurity does not mean protecting technological solutions; it means protecting digital society and the way of life as a whole.”

Moreover, as a small state, Estonia is particularly reliant on international rules. By setting the agenda and developing norms, Estonia brings countries together to agree on rules for cyberspace, thus working directly in Estonia’s big-picture security interests. A stable, rules-based cyberspace is of critical interest to a digital society like Estonia, which is among the most vulnerable to cyber threats. As is discussed in a recent article by Liisi Adamson and Zine Homburger, Estonia has become a global entrepreneur and pioneer of cyber norms.

What Doesn’t Kill You Makes You Stronger

The 2007 cyberattacks have proven to be a blessing in disguise. Estonia’s successful defence against those attacks, combined with openness, has given Estonia international legitimacy and credibility, thereby allowing it a seat at the grown-ups’ table.

As it advances its digital society and tries new things, Estonia remains something of a digital experiment; an incubator and testing grounds. New technologies and their applications bring new challenges, ensuring that Estonian policymakers stay a few clicks ahead of most of their foreign peers. So long as Estonia’s digital society remains innovative, effective and secure, it can continue to have influence and punch above its weight.

Resource: e-estonia

Fighting cybercrime in the digital age

August 2019

How does the police address cybercrime at a time when more and more of our everyday actions take place in cyberspace? We talked to Oskar Gross, Head of the Cyber Crime Unit at the Estonian Police and Border Guard Board to find out exactly what cybercrime entails, how it’s fought and how we can protect ourselves.

What is the function of the Cyber Crime Unit? How is it positioned relative to other organisations dealing with cybercrime and cyber security?

The Cybercrime Unit (C3) in the Central Criminal Police has two main goals. Firstly, we collect, manage and analyse information about the biggest cyber threats and actors. Secondly, we take relevant action based on the former. From time to time we also work on the aspects of prevention, legislation etc.

The biggest difference when compared to other organisations is our monopoly of force, which means that we are successful when we attribute crimes and catch criminals. However, we cannot carry out this fight alone – in our criminal cases, much of the evidence is digital. Thus, cooperation with cyber security companies and other organisations is vital for us. Moreover, this applies to both scenarios, when we ask for information during criminal proceedings and when cyber security companies, CERTs or other organisations, discover something suspicious.

Prevention is also very important in this field, especially when it comes to young people, who might show curiosity towards the dark side of the internet. It is important to direct people back to the legal (and also very exciting) side of the cyber, before it is too late. Some countries in the world have started implementing interesting ideas for rehabilitation. In the coming years, we must also do the same.

The Cyber Crime Unit was established around three years ago. What changes and continuities have you seen in cybercrime trends during this time?

The most obvious aspect is the exponential growth of devices connected to the internet, which creates a wider spectrum of vulnerabilities and ways to use malicious tools against people. From the criminal environment point of view, it seems that the entry barrier has become lower and fewer computer skills are needed to start committing cybercrimes. One of the reasons for this is that quite a large part of the cybercrime environment has turned into a service-based economy. For example, in order to do a DDoS attack against a Minecraft server, instead of first infecting 1000 computers and then ordering them to make a huge amount of requests against the server, you can instead go to a website, copy and paste the domain/IP address to a text field, pay the cost in cryptocurrency and press “play”. Some websites might even offer you free trials. This extends to many services, from infecting machines to money laundering services etc.

There are many discussions how cybercrime is a low-risk high-reward type of crime. Criminals, who in the past have focused on “traditional” types of crimes, might also become interested in cybercrime. As the world moves towards digitalisation, we see that the cyber component has a bigger role also in other types of crimes.

I think it is important not to mystify the cyber realm. It is very simple to make people feel they are not in control and that is a problem with mystifying the internet. We should remember that cybercrime is not something that “just happens”, but there are real people behind these events. People do have control online. Cyber-attacks may seem like a technological mystery, however, they have more to do with being inattentive. Mystification is what makes us think of the internet as a technological chaos, rather than see it for what it really is – a group of people online.

It might also be one of the reasons people tend to believe things they read online, which they would never believe in real life (e.g., an elderly wealthy person has 50 million to spare because their safe is full and they just need somebody to give the money to). If something sounds too good to be true, it probably is not.

Translating crime from the “real” world to the virtual space, what are the differences and similarities in protecting people from harm?

Investigation techniques are slightly different, however, cybercrime investigations involve much more criminal police work than people would imagine.

One of the differences is that in the real world the harm is rarely repairable. For example, physical violence cannot be undone, whereas in cybercrime it is possible to undo the harm in some instances. The No More Ransom Project aims to provide tools to decrypt files, which have been encrypted with ransomware. A good example where harm can almost be undone.

It is possible to protect people from cyber-crime with preventive work, the same way we do about threats in the “real world”. We advise people not to click on suspicious links the same way we advise everybody to lock their door before leaving.

From the perspective of the police force, what is currently the greatest challenge in tackling cybercrime?

Anonymity is the name of the game in cybercrime. Most probably, one of the biggest challenges is connected to the aforementioned service-based economic model. Namely, for services the anonymity model is often built in and thus it makes it more complicated to investigate separate incidents.

Another challenge is of course hiring – as Estonia is a very IT-driven country and the sector is big with many opportunities. It is challenging to find people for our technical team. We deal with very versatile topics and each person in the tech unit needs to have quite a large spectrum of skills.

People have been deemed the weakest link in cyber security. What piece of advice would you give regarding cyber behaviour to minimise the threats they pose on themselves and their organisations?

I have always liked the comparison that reasonably safe cyber behaviour is similar to minimising infections in the real world – as we know 80% of the infections can be avoided by simply washing hands regularly. In computer security, unfortunately, it is not only one thing you have to do but many. Important things to remember:

• Use strong, unique passwords and two-factor authentication (if possible)
• When offered, always update software
• Use antivirus
• Make backups regularly
• If something looks too good to be true, it probably is

If you follow this advice, you are probably better protected than most people.

How can people’s cyber behaviour be improved through top-down approaches? What kind of prevention initiatives have proven the most effective?

Prevention campaigns definitely work and I am quite sure people perceive threats of the internet much better each day. For instance, even my grandmother forwards me different scam emails which promise great riches.

It is hard to say which initiatives are most effective – the problem of measuring this boils down to estimating the growth of the crimes committed on the internet and then analysing the dynamics of how many people fall victim. I think notification campaigns are always important, but in the future we hope to look into more tailor-made campaigns, where the targets of the messages are carefully chosen. For example, in preventing falling victim to the business email compromise scam, last winter we notified board members of Estonian companies. We received mixed feedback about the campaign, but the amount of notifications to our tip line about BEC frauds increased. The campaign was not perfectly executed, but next time we are smarter.

Resource: e-estonia

Protecting democracy and the digital way of life, with cyber diplomat Heli Tiirmaa-Klaar

January 2019

by Federico Plantera

Few fields generate divisive trends internationally as much as the cybersphere. With the emergence of information society and its establishment reaching full maturity, advantages come together with risks.

As the digital becomes more and more positively pervasive in our everyday existence, malicious actors also have the chance to exploit eventual weaknesses of vulnerable cyber subjects to shake the stability of our democracies at their very core. Developing strategies and antibodies against such threats become fundamental not only to shield the society on the outside but also to strengthen our own digital way of life.

Introductions should not be necessary in this case, but sometimes we can let pride prevail. Heli Tiirmaa-Klaar is the Ambassador-at-Large for Cyber Security at the Estonian Ministry of Foreign Affairs. Over ten years of high-level experience in cyber-affairs on her side, including positions at NATO and the EU, made her one of POLITICO’s game changers likely to shape our world in 2019.

In a world that sees alliances and blocs realign along specific patterns, Ambassador Tiirmaa-Klaar can help us collect our thoughts and get a grasp of what awaits advanced democracies this year. When big political actors join the playground, there’s always a lot at stake.

When it comes to cyberspace regulation, Western powers seem to head towards a certain direction, other countries to another. Are we witnessing the emergence of a new, cyber cold war?

I would not say that there is a new cyber cold war emerging. However, it is true that, when it comes to global cyber issues, countries often project their existing political views to this relatively new field. Authoritarian countries promote government control over the free Internet, and democratic countries would like to see an open and free cyberspace with free flow of information. It is clear that the conventional power dynamics from the last century are still visible. However, we are seeing many emerging powers in the global arena that are making the polarisation less clear. This is also illustrated by the fact that many nations see the value of the open cyberspace for their social and economic development, indicating a clear interest in making their voice heard, as well as their willingness to contribute to the global discussions on cyber issues.

What are the main threats that states and democracies see ahead, today, to their cybersecurity?

There are many issue-areas that states are currently working to solve. Since 2016, election security, disinformation and large-scale cyber operations have shifted the focus of what states are now trying to regulate in cyberspace. The common denominator is the fact that we need to assure that state actors know that what they are doing in the cyberspace is taken seriously and, in case their actions and intentions could be considered harmful to other states, that there is a clear response. Therefore, many states have already developed – or are in the process of developing – robust attribution and response mechanisms.

Since cybersecurity breaches can have serious consequences, the response to the perpetrator should aim at reducing the possibility of occurrence of any among such actions, which is why the response mechanisms should not only be limited to cyber means but also include political steps.

Additionally, cybercrime is a growing concern, particularly in light of the recent large-scale cybercrime cases, such as NotPetya and WannaCry. Although the two named incidents have been attributed to state actors, cybercrime on a smaller scale can also be a threat coming from non-state actors. This is the primary reason why the EU is constantly advocating the recognition of the Convention on Cybercrime, as well as the establishment of domestic cybercrime legislation in countries where the current legislative system would be powerless against cybercrime.

With the elections to renew the European Parliament in spring this year, do you feel like European countries need to increase the level of readiness towards cyber threats?

The upcoming European Parliament elections in May this year will definitely bring election security and, within it, internet-enabled election meddling into the limelight. The key elements of concern also addressed by the European Commission already in September 2018 included preparedness for online manipulation. This is why greater transparency in online political advertisements is needed. At the same time, awareness of the micro-level of news consumers is necessary.

In some of the previous elections in the EU, and also outside the Union, we have witnessed some scandalous stories emerging only shortly before the elections. Any signs that look out of the ordinary should be treated cautiously. Now more than ever people need to use common sense when coming across stories online from unverified sources.

On the other hand, the strong suit of the European Parliament elections is the fragmentation of the election structure – it is more difficult to influence elections in the EU as a whole because each member state requires a different approach, although the potential threat against some of the key member states is always there and greater than in others.

Estonia has witnessed already what it means to experience a cyberattack (2007). Is this a chance for us to establish or reaffirm our position internationally at the forefront of the fight, legal and technical, for safer cyberspace?

The 2007 cyberattacks were the turning point for Estonia’s internal cybersecurity policy development. Although we had set up our own national Computer Emergency Response Team (CERT) already in 2006, the events indicated many of the key elements that had to be either built up or improved significantly. Does the fact that we have contributed to improving our systems set us before other countries in the field? I believe that somewhat yes.

We have developed hugely since 2007 and, due to our relatively small and dynamic digital ecosystem, it has been easy to keep our systems up to date and running even at times of some global large-scale cyber ransom cases, which, however, did not affect Estonian organizations. This shows that our strong effort to prevent cyber disruptions has been successful.

Some of our domestic structures have been constantly modified according to the changing threat environment. We have adopted the third generation Cybersecurity Strategy for 2019-2022 that is focusing on increasing the technological and organizational capacities throughout our entire digital ecosystem. We have already a list of elements that are being improved not for the first time and we are glad to share the experience with countries that are in the starting point with their own cybersecurity developments.

Let’s end on a lighter note: how does it feel to be included in Politico’s Class of 2019 among next year’s doers?

POLITICO’s news came as a very positive surprise to me. 2018 ended with an exceptionally busy period that has hopefully paved the way forward for our plans for this year. Cybersecurity is not an issue that will go away, but only grow in importance. We’ll need to make sure existing international law is applied in cyberspace and the norms of responsible behaviour for countries are clear and rigorously upheld.

Source: e-estonia

NATO CCDCOE – Expertise and cooperation make our cyber space safer

Changes at the helm of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). Col. Jaak Tarien, previously Commander of the Estonian Air Force from August 2012 through July 2018, is the new head of the Centre of Excellence in Tallinn. As former Director Merle Maigre leaves the office, Col. Tarien wants to make sure that continuity and further developments are granted in the coming period of activities.

Dealing with the cyber threats that our democracies and nations face was also one of the talking points during last year’s Tallinn Digital Summit, a sign that European leaders are well aware of the necessity to protect the digital way of life or our paths to a fully digital society. Estonia is a striking example in this sense: not only are we considered the most advanced digital society in the world, but in 2007 we were also the first recipients of a large-scale politically motivated cyber attack directed at a country.

One year ago, we sat down with professor Jarno Limnéll to get to know more about the state of the art in cyber security at a European level. Newly appointed Col. Jaak Tarien takes us a step forward, explaining the duties and action plans of the NATO CCDCOE in providing core, critical expertise and training to Member States and Allies on how to keep our cyber sphere safe.

Col. Jaak Tarien, Director of the NATO CCDCOE

Col. Tarien, you have just this new high-level position in Tallinn. Someone could think that the NATO CCDCOE is an operational unit, but things are quite different: how did it all start, and what are the main activities of the Centre?

The NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, and the relevance of the cyber domain in our daily lives, have both evolved rapidly in the last ten years. Estonia proposed to create a cyber defence hub that could be included in the network of NATO’s Centre of Excellence already when it joined NATO, in 2004. At the time, however, the entire topic of cyber attacks on a nation and their connections to NATO were an unexplored area. We could say that nations didn’t take cyber defence seriously enough back then. The first politically motivated cyber attacks on Estonia, in spring 2007, changed the perspective of many countries and of the Alliance – a wave of DDoS attacks on various governmental, media, banking, and other sites, acted as a wake-up call and accelerated the process of establishing the CCDCOE in 2008. In ten years, we have grown from 7 founding members to a 21-nations-strong cyber defence hub with prominent world-known flagships, and several more nations lined up to join our community.

Our core mission and unique role are to foster cooperation among member states and to offer an interdisciplinary approach to the most relevant issues in cyber defence. We conduct research, trainings, and exercises in four core areas – technology, strategy, operations, and law.

We bring together researchers, analysts and trainers from the military, government, academia and industry. As a think-tank-type of organization, our mandate is to come up with new innovative approaches and to raise awareness and share this new knowledge in cutting-edge training and exercises. We’re not to be considered as an operational unit, indeed: we do not defend any networks nor act as a rapid response team when trouble strikes.

Does this change represent a new challenge for you too, in relation to your previous experience in the military and defence field? What are your goals as a Director of the Centre?

My experience as the Commander of Estonian Air Force has prepared me quite well to work with smart and dedicated people, who are in high demand both in the public and private sector. It is challenging to involve and keep motivated highly qualified cyber experts, but fortunately the unique tasks and projects carried out at CCDCOE have brought together an exceptional team. The demand for high-quality research, training, and exercises based on the most prominent trends in the cyber sphere is growing. My aim at CCDCOE is to continue the good work done over the past years, strengthen ties with the defence industry, and to develop further best practices and tools useful to the militaries of our member nations. Cyber defence skills should be elementary for military service in all ranks and domains.

The vision is to make the Tallinn CCDCOE one of the main points of reference when it comes to talks about cyber defense and security. What kind of expertise does the Centre already offer to its affiliated Member States?

CCDCOE has earned recognition in the international cyber community with three main flagships.

  • We are home to the Tallinn Manual 2.0, the most comprehensive guide for policy advisors and legal experts on how International Law applies to cyber operations carried out between and against states and state actors. It’s invaluable analysis by an international group of renowned scholars published in 2017, and it keeps inspiring both academic research and state practice. The Tallinn Manual process continues with a legal, technical, strategic and operational assessment of cyber scenarios with an aim to publish a practical reference material for Cyber Commands
  • Every spring we organize Locked Shields, an international cyber defense exercise offering complex technical live-fire challenges in the world. The annual sessions enable cyber security experts to enhance their skills in defending national IT systems and critical infrastructure under real-time attacks. The focus is on realistic scenarios, cutting-edge technologies, and simulating the entire complexity of a massive cyber incident – including strategic decision-making, legal and communication aspects. More than 1000 cyber experts from 30 nations took part in Locked Shields 2018, the exercise involves around 4000 virtualized systems and more than 2500 various attacks altogether
  • We organize an annual international conference on Cyber Conflict, addressing the most relevant issues concerning the international cyber defense community. CyCon has become a community-building event for cyber security professionals, adhering to the highest standards of academic research and bringing to Tallinn around 600 decision-makers, opinion-leaders, top military brass, law and technology experts, from the governments, military, academia and industry representatives from about 50 countries. Notable keynote speakers included: H.E. Kersti Kaljulaid, the President of Estonia; Alex Stamos, Chief Security Officer of Facebook; Dr Antonio Missiroli, NATO Assistant Secretary General on Emerging Security Challenges; Thomas Dullien, Staff Software Engineer at Google Zero, and many other distinguished experts. In 2019 the 11th CyCon will take place from 28 to 31 May on the theme “Silent Battle”. For the third year, this time on November 14th-15th, the Army Cyber Institute at West Point organizes CyCon U.S. in Washington D.C., in collaboration with CCDCOE. CyCon U.S. complements and broadens the reach of CyCon by promoting multidisciplinary cyber initiatives and furthering research and cooperation on cyber threats and opportunities.

What are, right now, the main types of cyber threats that our society and nations are exposed to? Are we ready to effectively respond to them?

Technologies and threats in cyber space are in constant change, our dependence on a digital lifestyle recognizes no geographical borders, nor does it draw differences between civilian and military, private and public domains – any technology or system is a potential target for cyber attacks. While businesses and the industry might be more concerned with cyber crime and espionage for economic gains, nations and international organizations such as NATO are dealing with the growing threats from state actors in cyber space. Some of these attacks are becoming more complex, better coordinated and financed. For example the attempts to influence elections, serious data breaches – such as the hacking of the US Office of Personnel Management (OPM), that revealed a data breach targeting the records of as many as four million people. A growing concern for nations is potential targeted attacks aimed at our critical infrastructure – power supplies, clean water, emergency communications, and other vital services functioning properly. This is why Locked Shields in 2018 also focused on the protection of some of these key systems.

An assessment of the readiness against cyber threats of Estonia, and of the Member States that joined the Centre: keeping in mind the national differences, could unity make the cut in a new type of warfare?

The systems running our critical infrastructure and other modern services are in constant development, we have to test and drill our resilience and defense strategy on a regular basis. Our cyber defenders have to keep learning and practicing cooperation with Allies on a regular basis too.

Source: e-estonia