Dear ladies and gentlemen, experts and guests.
It is my honour to welcome you here in Tallinn in this international security conference that is probably the only outreach activity on cyber issues in the context of the EU new global strategy. We need to make it worth-while!
Over the years, cyber affairs and issues have become highly political and increasingly strategic. There are so many cyber meetings, cyber summits; it’s like in every ten minutes someone is meeting on cyber. Some of the meetings are very helpful, and some of them perhaps not. But it does show a level of attention that we haven’t had.
When in the past countries have been mostly focused on developing their own internal structures as well as organizations, and international cooperation was mostly reserved for the more capable countries and multinational organizations, then today most of us are willing to recognize that international cooperation is not just necessary and important – it is inevitable and unavoidable. To put it another way: safeguarding one’s own house is important; but it is even better to live in a safe community that can work together to mitigate threats.
In 2007 Estonia became one of the first countries in the world to experience how an ICT-dependent lifestyle can be attacked in support of political agendas. In 2008, cyber tools were used for the first time in support of a direct military campaign in Georgia. In Ukraine, low-level cyber hostilities have been taking place since the onset of the crisis. At this point we have all probably come to understand that there will be a cyber-dimension to every future conflict. Therefore, it is of particular importance that the EU Global Strategy realistically reflects the EU security environment, including the most recent changes in the past years. It should help to align Member States politically and be a tool for maintaining our unity on external policy and security matters.
In the field of cyber diplomacy, I am pleased to see that the EEAS has really stepped up in last years and worked hard to mainstream cyber issues into Common Foreign and Security Policy.
The EU Cybersecurity Strategy and the EU Cyber Defence Policy Framework were adopted in 2013. Last year the Member States adopted the Council Conclusions on Cyber Diplomacy, which sets the major policy guidelines on further efforts of the EU in its international cyber policy. I am glad to see that there are regular staff-to-staff consultations with NATO on these issues, and close relations with other international organisations. As well, development cooperation is high on the agenda, and efforts are underway to introduce minimum legal framework and training to address cybercrime, and fight cyber threats outside the EU.
So, the good news is that there seems to be a general understanding that when it comes to ICTs and cyberspace, we are dealing with an “ecosystem” in where everything is interconnected. It functions as a whole; and it must be defended as a whole.
However, the biggest disagreement both nationally and internationally is not what the outcome ought to be but how to get there.
That brings me to the reason we are here today –an EU Global Strategy on Foreign and Security Policy that should guide the Union through an increasingly connected, contested and complex world.
Let me elaborate a little on the topics we find important to underline in the EU Global Strategy concerning cyber security:
First of all, the fact is, that cyber-attacks are here to stay, and destined to evolve and transform as long as we use the Internet. To orient in and adapt to the new circumstances, we continuously need to build up and improve the resilience of our systems.
Cyber security needs to be mainstreamed to all sectors of societies; cyber security cannot and should not be a responsibility of just some allocated institutions.
It is vital that governments take the role of both the protectors and the exploiters of technology. It is the role of governments to protect the national economic environment, critical infrastructure, as well as private and public users.
It is AS important that the private sector will focus all the necessary resources on information security and risk management. The focus will need to move from pure protection of our information technology networks, to also protecting our operational technology. Where generated data is stored, and how it is aggregated, is becoming increasingly relevant when evaluating risks.
In EU level sharing information is crucial. Especially in case of similar cyber threats targeting critical infrastructure in several European nations simultaneously. Managing these threats currently looks like inventing the same wheel in each country that is under a similar cyber-attack.
We also need to combine information sharing with intelligence-led analysis to help to determine the political context of cyber-attacks. This will help us to go further with the issue of attribution.
Increasing cyber threats also call for more innovative approach to cybersecurity.
The Cyber Defence Unit of the Estonian Defence League, or the ‘Estonian Cyber Defence League’ as it is widely referred to, can be an example of innovative model for the involvement of volunteers – both from the public and private sector, in national cyber defence.
Membership in the Cyber Defence Unit is strictly on a voluntary basis and comprised of experts from across the board. It is a great facility for us to test different ideas and solutions, most importantly; however, in times of crises, to make sure we have the best assets to counter any attacks.
To test and develop our defence, our personnel, systems and structures, we conduct and participate in a number of national and coalition exercises. Large scale international cyber exercises such as Locked Shields, Baltic Ghost and Cyber Coalition are just some examples organised with the assistance of the NATO Cooperative Cyber Defence Centre of Excellence and using the facilities of the Estonian National Cyber Range.
Given NATO’s central role in ensuring Europe’s security, we continually need to work to improve the EU-NATO co-operation. As well, cyber security needs to be given full attention in EU civilian missions and military operations.
In addition to working on more resilient governance structures capable of effectively responding to cyber incidents, the international community must also continue working on global cybersecurity norms – and the EU Global Strategy should reflect this.
ICTs are not a gateway to endless anonymous risk and hostility. Cyberspace is not a lawless domain. It is important to keep this in mind when we begin to consider our response and counter-measures to the numerous cyber threats we face.
Since 1998, interested states have discussed the issue of the applicability of international law to the development and use of ICTs and ‘cyber security’ in different venues. Over the years this dialogue has become increasingly politicized.
Nevertheless, there have been major achievements during the past ten years in developing a consensus on the application of international law with regards to the state use of ICTs, in particular by the UN Group of Governmental Experts.
We have all agreed that international law applies to the cyber sphere, now we have to agree on how.
This can and should be a gradual process, where we examine existing norms, both international law and politically binding instruments, to find common ground on some basic questions that concern us all. This is an area where scholars and experts can make a substantive contribution to the dialogue going on at the government level.
Despite the obvious challenges that cyberspace brings to the application of legal concepts, we call on states to define and implement responsible behaviour regarding not just international cyber peace and security, but also for the social and economic benefits that ICTs bring.
With the recent adoption of the Sustainable Development Goals at the 70th United Nations General Assembly, it has been widely acknowledged that ICTs, particularly the spread of broadband coverage, will be absolutely crucial for achieving the SDGs.
Together with ensuring that people have the skills and freedom to use that connectivity productively, it will play a central role in accelerating data collection and measuring progress on the SDGs, as well as, enable governments to improve their decision-making competences and delivery of critical services.
Therefore, both the benefits and mitigation of risk require us to reach out.
We have to get serious about reaping the digital dividends and establishing relationships with countries that can help us develop even further in our chosen and preferred way of life through the use of ICT’s.
The development of every country, including in the field of ICTs, has to be based on the promotion and protection of human rights.
Over the past years we have faced increased disproportionate blocking and filtering mechanisms by states on the Internet.
The EU has to remain committed to the principle that the same rights apply equally offline and online. The EU has to actively promote the value of the existence of free and secure Internet, including free flow of information and work towards the protection and promotion of the respect of human rights, all over the world in its dialogue with partners.
Respect for human rights and fundamental freedoms and security online are complementary concepts.
Lately there are also more and more concerns that the Internet is in some danger of splintering or breaking up into loosely coupled islands of connectivity.
Movement in the direction of national segmentation could entail, inter alia, establishing barriers that impede Internet technical functions, or block the flow of information and e-commerce over the infrastructure.
Unfortunately, pressure and trends in this direction do exist; it’s our responsibility to keep the counter-pressures.
We should never forget that the success of the Internet has been based on its global and interoperable nature governed by multi-stakeholder process.
The challenges and solutions related to ICTs are interconnected and global, as are these technologies.
Our dependence on the societal and governmental functions of these advanced but inherently vulnerable technologies will only deepen at a national level and expand globally. It is therefore paramount to design and implement strategies for cooperative and cross-border cyber security.
Let me stress one more time how delighted I am with the increased inclusion of Member States as well as the academia and think tanks in the EU Global Strategy process.
What we need now is really the engagement of all of you, making sure that we keep our eyes on the prize – an ambitious EU Global Strategy that also takes us forward building a secure and resilient cyberspace for our citizens, businesses and governments.