Ilves at CyCon 2018: 'Cyber NATO' coalition of liberal democracies needed
As reported on ERR yesterday, 30 May, former Estonian President Toomas Hendrik Ilves, speaking at NATO's Cooperative Cyber Defence Centre of Excellence (CCDOE) is 10th annual cyber security conference CyCon 2018 in Tallinn, called for an organized union of liberal democracies in order to combat cyber threats globally.
Here we reproduce Mr. Ilves speech in its entirety.
''The digital era, with all of its benefits, has profoundly changed the security environment of liberal democracies. We face potential destruction of national infrastructures and militaries in ways unimaginable a quarter of a century ago.
Even the electoral process in a number of democracies has come under severe threat, with attempts to alter outcomes in a number of elections in the past two years. The response should be a new 'Cyber NATO,' a coalition of liberal democracies, but not bounded or restricted by geography in the way NATO is today, which can better respond to the ubiquity of threats. This will be difficult to achieve, yet the alternatives are worse.
These new threats can affect anyone. Just one Russian cyber-operation, APT28 or 'Fancy Bear,' has so far attacked the servers of ministries, political parties, candidates and think tanks in the US, Germany, the Netherlands Sweden, Ukraine, Italy, and France and indeed even the servers of the International Association of Athletics Federations responsible for anti-doping monitoring.
Military communications have also been targeted.
Yet APT28 is but one of numerous groups from Russia alone. Nor is Russia the only authoritarian government seeking to increase its advantage through cyber operations. It is also clear that Iran has carried out its own offensive cyber-operations. Chinese groups, primarily those affiliated with the People's Liberation Army, have targeted militaries as well as intellectual property in companies the world over.
In other words, the digital age has also ushered in an era of new security threats, perhaps previously imaginable but not seen until the past decade.
Governments, meanwhile, have been slow to respond; multilateral organizations such as NATO and the EU have been even slower. Meanwhile international organizations such as the UN have failed even to broker a treaty arrangement to prevent the use of digital weapons.
Instead, responses to these threats have remained national. While groups such as APT 28 or 29 have been identified in a number of European countries as well as the US, each country has faced them alone. NATO has not developed a unified response.
Indeed what we call 'cyber' remains stuck in the intelligence domain. Nations are loath to share. I recall how when Estonia reported discovering a worm-type virus, the response from NATO was, "oh, you too?"
From blocking to hacking
Virtually every history of what is now known as 'cyber-war' or 'cyber-warfare' begins with an account of an attack on Estonia ten years ago. In 2007, this country's governmental, banking, and news media servers were paralyzed with 'distributed denial-of-service' or DDOS attacks. People's access to virtually all major online and digitally-based services was blocked.
Cyber-attacks have a far longer history of course, but until then, they were generally carried out for espionage, not to damage adversaries or make a political point. This case was different: it was overt and public. It was digital warfare, what might have been described by [Prussian general and military theorist] Carl Paul von Clausewitz, as 'the continuation of policy by other means,' and meant as punishment for the Estonian government's decision to move a Soviet-era statue from the centre of the capital.
Since 2007, overt cyber-warfare and the continuation of policy by other means has proliferated and in ever more virulent form: blanking out regions preceding bombing in conflict zones with DDOS attacks (Georgia, 2008); crashing electrical grids (Ukraine 2016, 2017); private companies (Sony 2015); hacking into parliaments (the German Bundestag 2015 and 2106); political think tanks and parties before major elections (the US Democratic and Republican National Committees 2015-16 as well as German political parties' think tanks), presidential campaigns (Hillary Clinton 2016, Emmanuel Macron, 2017), government ministries (Dutch ministries, Italy's Foreign office 2016-17, the US Departments of State and Defence)...
In one especially egregious case, records of 23 million employees of the US Federal government were stolen in what is known as the 'office of personnel management hack'. Recent testimony and leaks in the US report about attempts by an external, foreign power to delete or alter voter data in 21 (or possibly as many as 39 states) in the run up to the US presidential elections. These represent merely the attacks admitted to by the victims, not those which have gone unreported.
Shutting down a country
A decade ago, the idea of a major cyber-attack was strictly hypothetical. Indeed NATO was originally rather sceptical about the attack on Estonia in 2007. Since the recognition of politically motivated DDOS attacks and their paralyzing impact, the focus of cyber-security has shifted to more elaborate possibilities: the use of malware to shut down or blow up critical infrastructure, including electricity and communication networks, water supplies, and even traffic light systems in major cities. This goes beyond DDOS and requires 'hacking,' as we know the term―breaking into servers or a computer system, not merely blocking access as in DDOS. Indeed the vulnerability of critical infrastructure became a primary concern of governments and the private sector.
These kinds of cyber-attacks could mean shutting down a country, or its military, rendering it unable to oppose a conventional attack. In 2010 the Stuxnet worm, which spun Iranian plutonium-enriching centrifuges out of control, warned us of the power of cyber to do serious damage to physical systems.
Leon Panetta, US Secretary of Defence from 2011 to 2013, warned in 2012 of the potential of a 'cyber Pearl Harbor.' Subsequent events such as the shutting down of a Ukrainian power plant in 2016 and again this year through cyber operations showed that such concerns were hardly unwarranted. The Mirai DDOS attack, Wannacry and Not Petya ransomware and just a week ago the report by the FBI of some half a million compromised routers only indicate the increasing power of cyber to disrupt.
At the same time it is worth noting that one can do considerable damage to national security and the private sector without disabling infrastructure; the hack of Sony and of the Office of Personnel Management in which the records of up to 23 million past and present federal employees are good examples of an extremely dangerous breach that endangers a country's national security or its commerce.
From these examples, we can see that "cyber attacks" as a term is a catch-all, spanning a range of activities from attacks that can destroy a nation's critical infrastructure on the extreme side to subtler attacks: hacking politicians, leaking compromising information, and jeopardizing election integrity.
Recognition of threats in the digital world has been slow in coming, although the US and others foresaw potential threats as far back as the early 1990s. In security policy circles, it wasn't until as recently as 2011 that the Munich Security Conference, the West's premier forum of security policy makers, held its first panel on cyber security.
All of these concerns have fallen under the broad rubric of symmetrical warfare. Whatever they did to you, once you figured out who 'they' were, you could do back to them. Cyber attacks were treated as lying within the realm of traditional warfare; it was but a new domain. The US in 2010 declared cyber the fifth domain of warfare, after land, sea, air, and space. NATO declared cyber its fourth domain last year. Moreover, the US Department of Defence has explicitly said that a cyber-attack need not be met in the cyber-domain; a kinetic response to a digital one is viable too.
While NATO has acknowledged the potential threats of cyber and propaganda, it has done little operationally. NATO did set up a Centre of Excellence in Cyber Security in Tallinn, Estonia, and later a similar Centre for Strategic Communication in Riga, Latvia. Yet even within the alliance, there has been little cooperation; these centres are restricted to dealing with attacks on the 'O' in NATO, ie. the organization, not its individual allies.
Elections under attack
It has been only a year since a broader consensus emerged among intelligence agencies and security policy experts that electoral processes themselves have come under attack. Manipulations have included "doxing" or publishing materials obtained through hacking as seen in the case of Hillary Clinton and Emmanuel Macron. Such tactics have been bolstered by manufacturing fake news on an industrial scale and propagating these through 'bots' or robot accounts on social media. Gaining currency, these have been propagated by real users, willing and even unwitting accomplices. One study showed that in the three months leading up to the US election, some 8.7 million fake news stories were called up by users on Facebook but only 7.3 million genuine stories. More worrisome is the prospect of manipulations through hacking into unsecured voting machines and by potentially altering or deleting voter data.
Indeed, the propagation of fake news stories need not be tied to elections and no longer is. Instead they can simply be used in an attempt to sway public opinion. The #Syriahoax hashtag, alleging Syria's use of chemical weapons in Spring 2017 was a Western hoax, spread virally on Twitter via bots. Fake news regarding NATO troop assignments in Eastern Europe have become commonplace.
In the French election campaign in Spring 2017, bots and fake news accounts spread lies and scurrilous 'facts' about one candidate, Emmanuel Macron, while leaving his primary opponent, Marine Le Pen, untouched.
A new threat landscape
As the past several years in this new digital age have shown, the threat landscape facing democracies has dramatically changed, ranging from traditional threats such as destruction or incapacitation of critical infrastructure to what may be termed 'soft' threats, eg. the manipulation of electoral democracy and public opinion. Two fundamental differences from pre-digital threats have emerged:
First, geography or physical distance, a key determinant of security since the beginning of the history of conflict, has become irrelevant. For as long as humans have been in conflict, proximity to threats or hostile actors was a primary motivator in security policy. NATO is the North Atlantic Treaty Organization for a reason: it is a defence organization of liberal democracies in a geographical space, constrained inter alia by tank logistics, bomber ranges, the placement of troops.
Countries traditionally have invaded or been attacked by neighbours, not by adversaries from far away. Indeed, until the age of intercontinental ballistic missiles, distance from threats was the greatest source of security and proximity the greatest vulnerability.
This is no longer true. Digital threats do not recognize distance. One is just as vulnerable half the globe away as from next door to an adversary. If the term force in conflict overlapped with its definition in physics, mass times acceleration or distance divided by time squared, then distance has been eliminated, while time has become infinitesimal.
This is why, in the digital age, the earlier basis of alliances, be they NATO or Sparta's Peloponnesian League, weakens or even disappears. Everyone is equally vulnerable to attack, regardless of borders or of physical distance. Cyber is a tool that can be used to attack anywhere.
Secondly, in the digital era, liberal democracies are far more vulnerable than before to asymmetric attacks from autocratic states. Propaganda, fake news, disinformation are all as old as the Trojan Horse, yet most of what was considered disinformation as late as the 20th Century had little effect. In the pre-digital age, disinformation could not easily be propagated. Fake news could not swamp and overwhelm the news media. Voting rolls could not be breached on a massive scale and across many election districts.
Moreover, only liberal democracies are fundamentally vulnerable to attacks and manipulations of the electoral process. Authoritarian governments need not fear external manipulations of electoral processes as these are manipulated by those in power anyway. While it would be difficult to imagine a liberal democracy employing the same methods against Russia as the Russians used in the US and French presidential elections, attempting to do so simply would have no effect. To have an effect, one needs that the adversary has freedom of expression and holds free and fair elections to effect.
From a security policy perspective, however, the possibilities of using digital manipulations can be quite attractive to an adversary. Why bother with military interventions or attacks (even military style digital attacks for that matter), if it suffices to use digital means to get a candidate or even a political party into office that will do your bidding or at least follow a policy line favourable to you? Certainly a Le Pen in France promising to leave NATO or the defeat of Angela Merkel in the 2017 German elections would have done more to disrupt European policy toward Russia than any kind of military action.
An alliance of democracies
In light of these developments in this age of 'cyber', democracies need to think beyond the hitherto geographical bounds of security. We need to rethink our security. In addition to those already in existence, we need a new form of defence organization, a non-geographical but strictly criteria-based organization to defend democracies―countries that genuinely are democracies as defined by free and fair elections, the rule of law, and the guarantee of fundamental rights and freedoms.
This idea is not new, yet proposals pre-dating the digital era were guided more by a philosophical approach than hard security concerns. In different contexts, both Madeleine Albright and John McCain at the turn of the century proposed the creation of a community or league of democracies. Neither proposal went far at the time. The threats to democracies twenty years ago, however, were not of the type described here; neither proposal was based on security concerns. Today, every liberal democracy is vulnerable.
Another potential seed whence to grow genuine security co-operation is the CCDCOE here in Tallinn, already extended beyond NATOs borders: It is, yes, affiliated with NATO yet also includes three 'neutral' EU members, Finland, Sweden and Austria. And it is moving far beyond the trans-Atlantic space. Membership for Japan and Australia is also in the pipeline. Membership, however, requires strict adherence to rule of law, free and fair and contested elections.
I would, however, go even further: the liberal democratic order needs to collaborate in this realm. The threats we have become aware of will not go away. Indeed they have been growing in force. Moreover, we are witnessing a global backlash against integration, openness. Illiberal populists are on the rise, promising to dismantle those same structures that have guaranteed peace and security since World War II, the European Union and NATO.
Those of us who do not want to give up on the world we have been building for 70 years also need to concede this and recognize the new attack vectors we face.
Alternatively we can strive to integrate further, to better stand against these new threats. Integration between countries today means opening up our countries – our data flows, for example; we need to trust each others' businesses and technologies. We need to share our information, our knowledge. Ultimately we can imagine exchange and interoperability of e-government services. Or develop altogether new, uniquely cyber-era defence capabilities.
Jared Cohen, president of Jigsaw (formerly Google Ideas) has suggested that those with greater capacity in machine learning, for example, can offer AI-based cyber-defence to those with lesser capabilities, while those under attack would offer the data they glean from the attack to further improve the AI. Opportunities for new forms of defence abound.
Could such an organization do the job in facing this new threat? Why not consider a cyber-defence and security pact for the genuine democracies of the world. After all, Australia, Japan, Uruguay, and Chile, all rated as free democracies by Freedom House, are just as vulnerable as NATO allies such as the United States, Germany, or my own country, Estonia.
Russia and China are not engaged in this kind of openness – their vision of the world is one where there is a national cyberspace, with censorship, central control. It is a model, but not one that any of our societies individually want, or that we collectively want.
Of course, not saying that you can only trade between democracies is silly – but that we can go furthest with countries we trust with on a deep level, whose systems can be open to each other – and that is with democracies.
Finally ‒ let's retain some optimism. People in the traditional democracies are down today on democracy. Look at the G20… there are lots of developing democracies there ‒ Argentina, Brazil, India, Indonesia, Mexico. The community of democracies isn't just for self-defence ‒ it's also a signal to the world ‒ that there is a community of values that isn't just 'western', that it's global and that it can defend your society.
The prospects for safeguarding democracies in the digital era through such a pact are probably better now than even a year ago. Nonetheless, until this is taken up by the governments of major countries, both in NATO and outside the Alliance, liberal democracies will be ever more vulnerable to the new threats of the 21st century''.
Editor: Andrew Whyte