Estonia’s efforts to raise awareness of the need for an all-encompassing cyber security policy initially seemed like a lone voice crying in the wilderness, but a few years on, Estonia finds itself among the world’s leading cyber experts.
At the level of European Union institutions, it has been – and still is – difficult to achieve a breakthrough in regard to immediate awareness of the problem, to say nothing of coordinated actions. The European Commission has very many different agencies dealing with the digital world and, accordingly, the various aspects of the cyber sphere, and these agencies all have different points of departure and powers. Similarly to national agencies, they are not very wont to cooperate with each other, as collaboration is all too often seen as coming at the price of one’s own piece of the pie. A serious problem is the fact that very few experts have a full overview of the EU’s activities in the cyber field or would be able to construct a framework for the EU’s cyber strategy.
Similarly to the lack of a comprehensive view in the European Commission, the European Parliament also lacks a uniform approach to cyber issues spanning all committees. Even though it has dealt with attacks against information systems and the cyber aspects of the EU’s internal security, committee initiatives and reports have been viewed as separate units. Such a situation causes additional difficulties in determining what has already been done and how it has been formulated; on the other hand, it results in additional pressure to include in the report in progress all of the potential aspects in the cyber sphere.
Only in early 2012 was a decision reached: the Subcommittee on Security and Defence is to draw up a comprehensive report on EU cyber security and defence topics, based on the Common Security and Defence Policy framework. Considering my own contribution of several years in emphasizing the importance of the cyber sphere in today’s world and the need to develop the EU’s responses to the cyber world, the preparation of the report was entrusted to me.
The central problem for both the European Union and the world at large is the lack of standard definitions. This means that in practice, each country has a different definition of the cyber world concepts, ascribing different weights to them. Thus the EU’s foreign service finds itself face to face with the following problem: in relations with third countries, it would be essential to discuss cyber security matters as well, but insofar as the EU lacks consolidated terminology and vision in this field, this cannot be done at the diplomatic level. The same goes for relations with NATO and the US. In some practical fields – for instance, in the fight against organized crime – it is easier to find common ground, but in the case of larger agreements, decisions bog down due to the lack of definitions. The reason lies in the complexity of the subject, as well as in the different views member states have of the cyber world. Member states fall into two main groups: in one, cyber issues are in the jurisdiction of the interior ministry while in the other they are in the purview of the defence ministry. There are also countries that have not reached a specific decision as to who should deal with the issues and to what extent. In autumn 2012, the European Defence Agency released a study providing an overview of the state of cyber security related problems and how they are administered in different member states.
Today all 27 member states have national-level groups that deal with data security incidents and a similar group has been set up at the EU level. It is important to ensure these groups operate with a rapid response time so that these potential risks and attacks can be countered in as short a time as possible or even anticipated and pre-empted.
A cause for concern is that in spite of the strong urging of the European Commission, only ten member states have developed national cyber security strategies. Such a situation is a fairly dramatic reflection of the deficient and inconsistent understanding of the seriousness and breadth of the cyber threats. The continuing economic downturn promotes pessimism – there is not much hope of member states investing larger amounts into high tech studies related to this topic.
David Anselmi, a Microsoft senior manger of investigations in the company s Digital Crimes Unit, walks out of the DCU lab there Wednesday, Sept. 12, 2012, in Redmond, Wash. Documents unsealed Thursday by a federal court in Virginia describe a new front in a legal campaign against cybercrime being waged by Microsoft. The company says evidence shows cybercriminals are now looking for opportunities to inject malicious software and code into counterfeit versions of computer operating systems even before the machines are wrapped in plastic and sold to unsuspecting customers. Photo: Scanpix
In this situation it is extremely important that there exist an all-encompassing strategy on cyber security and defence at the EU level. Both EU institutions and member states must understand that cyber problems are not the future but the present and that we must be ready to resolve problems that arise in the space of a microsecond just as rapidly – in a microsecond. The primary question at the EU level is one of harmonizing definitions, and developing uniform solutions to and policies on cyber issues. In practice as well, EU institutions must be much better prepared. This means, in addition to developing cyber security strategies, the cyber aspect will have to be integrated with risk analysis and crisis management plans.
Dealing with cyber security brought me – somewhat surprisingly but fully logically - back to the basics. That means that along with coordinating high-tech solutions, coordinating institutions and making control plans more effective, the role of the ordinary citizen must not be forgotten. It should start with “cyber health” education, which has to be dealt with early on. Training schoolchildren, adult Internet users and officials systematically in education on elementary cyberspace risks and preventive behaviour is just as important as learning personal hygiene or fire safety rules. It is clear that in a country the size of Estonia, school curricula should include not just computer studies class but “cyber health” where children would learn how to act responsibly in cyberspace and learn to protect themselves against possible dangers. With regard to adults, all state, private and third sector institutions should actively and systematically train their staff. In consulting various experts we always reached the same simple truth: most cyber incidents right now are still at a very primitive level and predominantly preventable – provided that people are aware of what they are doing and have the proper anti-malware systems in place.
A second important need is increasing trust and confidence, which is the precondition for any sort of effective cooperation in the field of cyber security. Trust is needed in mutual relations between states, in relations with EU institutions and member states, and between the public and private sector. A large share of cyber attacks and incidents go unreported. In the case of the private sector, this is due to the fear of losing perceived reliability in the eyes of customers and competitors. And states jealously conceal their expensive technologies and intelligence data. This makes it very difficult to assess risks realistically: the information for making an assessment is limited and uneven. The European Parliament report considers it necessary to develop measures that would allow the private sector rapidly but discretely to convey information on the cyber incidents and to receive assistance. We are calling on the European Commission to oblige member states at some basic level to share their information to exchange information and learn from one another. Solutions employed elsewhere in the world should also be studied and explored.
Personnel work at the Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colorado in this July 20, 2010 file photo. The U.S. Defense Department unveiled a new U.S. strategy for protecting military computer networks from hackers on July 14, 2011, designating cyberspace as an “operational domain” U.S. forces will be trained to defend. Photo: Scanpix
The cyber environment is in an extremely dynamic state of development and yesterday’s technical solutions need not protect us tomorrow morning. Thus it is extremely important that countries invest into research on cyber security and defence. Member states have taken the obligation to increase the share of their defence budgets allocated to research to two per cent. Today only Sweden has done so, and in some member states the figure is zero.
Without investments and research, Europe will be hopelessly set back in its development, and vulnerable. It would be truly a sad irony if the official plan to make the EU’s economy knowledge-based would not extend to the cyber sphere. These requirements also affect Estonia. A resource that we have in reserve is cooperation potential with the private sector, which is also interested in developing infrastructure and information system security.
The last aspect I will discuss is relations with third countries. It is clear that most of the threats to the EU are initiated from the outside; therefore, it is not enough to increase our own security and defensive capacity, and we also have to develop cooperation with our third-country partners. To keep cyber crime under control, it is extremely important to reach a point where all EU member states and as many third countries as possible ratify the Budapest Convention drafted in the Council of Europe, which nearly 10 years after being adopted under the leadership of an Estonian, Ivar Tallo, remains the most important regulatory document in the field of fighting cybercrime. It is necessary for the EU to include third countries in all negotiations and agreements on cyber aspects. The EU must speak loudly and clearly and be a leader in discussions on the cyber sphere in other international organizations, especially the UN. A good example is relations with the US, with which a joint cyber working group has been formed for interchange of information and developing cooperation possibilities.
In the occasionally complex relations between EU and NATO, it is precisely the cyber field that offers practical opportunity for mutually complementary cooperation. In actuality this cooperation is already taking place in a number of fields, but it must certainly be expanded and deepened, adding political weight to it as well.
Estonia and Estonian politicians must do all they can to aid the EU’s strivings toward rapid solutions to potential cyber problems. The economic crisis and the less than rosy future prospects force us all to seek cooperation and join our forces. I hope that the cyber security strategy being developed by three commissioners (Neelie Kroes, Viviane Reding and Catherine Ashton) will provide realistic solutions to the above-mentioned set of problems and that both EU institutions and member states will promptly realize the importance of the cyber world and take action. A problem than can arise in a microsecond must be resolved just as fast, to keep it from becoming an issue that will take decades and possibly claim human lives.
Tunne Kelam is a Member of European Parliament, Rapporteur on cyber security and defence for the Subcommittee on Security and Defence
