Toomas Hendrik Ilves, Former Estonia President, was honored his nation’s cybersecurity model

Former Estonian president, Toomas Hendrik Ilves, was named World Leader in Artificial Intelligence and International Cybersecurity by the Boston Global Forum and the Michael Dukakis Institute for Leadership and Innovation, at the third annual Global Cybersecurity Day conference held at Harvard University on December 12th 2017.

Pres. Ilves was recognized for fostering his nation’s achievements in developing cyber-defense strategies for all nations, and for establishing Estonia’s pre-eminence as a world leader in cyberspace technology, defense and safe Internet access. Indeed, Estonia’s cyber security and access principals that focus on assured identity in every transaction have become a model for other nations around the world

Pres. Ilves, who is currently affiliated with Stanford University, was also recognized for his leadership before the United Nations, calling for greater urgency in combating the climate change, the need for safety of the Internet, and the plight of migrants and refugees – especially children.

 A leader in cybersecurity

Recognizing Pres. Ilves for his contributions, Michael Dukakis, chairman of the Boston Global Forum and a former Massachusetts governor, stated, “We believe we are kindred spirits in our pursuit of a world in which we share in the concern for our fellow citizens worldwide. I also believe the Boston Global Forum and the Michael Dukakis Institute for Leadership and Innovation can play a vital role in helping you to communicate your message and inspire others by participating with leading thinkers and scholars from Harvard and MIT who share your vision for a clean, safe and transparent Internet.”

During Pres. Ilves’s term as the Estonian president, his country became a world leader in cybersecurity-related knowledge. Estonia now ranks highest in Europe and fifth in the world in cybersecurity, according to the 2017 cybersecurity index, compiled by the International Telecommunication Union. The country also hosts the headquarters of the NATO Cooperative Cyber Defense Centre of Excellence.

Also honored for contributing to the advancement of Artificial Intelligence and Cybersecurity was Prof. John Savage who was awarded Distinguished Global Educator for Computer Science and Security on the 50 Anniversary of the Brown University Computer Science Department.

During his keynote address, Pres. Ilves pointed out that national defense was once based on distance and time, but today, “We are passing the limits of physics in all things digital,” while laws and governmental policies have failed to keep up. He reminded the delegates that 145 million adults recently had all their financial information stolen without intervention by the US government.

“Today 4.2 billion people are online using computers that are 3.5 billion times more powerful than when online communication started out 25 years ago with 3,500 academics who were using BITNET, the 1981 precursor to the modern Internet.”

Protecting its citizens has always been the responsibility of the state and is part of our social contract. “We give up certain rights for protection, but we have been slow to get there in the digital world. When it comes to the cyber world, we are too focused on technology,” instead of policies that will enhance our safety on the Internet.

“Estonia’s cybersecurity technology is not advanced, but we are ahead on implementation,” he said adding, “There is a huge difference between what we do and other countries – our focus was not on the gee whiz technology.”  but rather implementation of a system that relies on positive identity, which is the foundation of the country’s cybersecurity program. Additionally, all bureaucratic dealings are online and, with assured identity, Estonia has eliminated the need to request personal information repeatedly. Once personal information is on file, Estonian law prohibits any agency from requesting that that information ever again. An Estonian can get a driving license, building permit and register for school without having to fill out the same information repeatedly.

This is in sharp contrast to the US. Pres. Ilves joked that even though he lives at the Silicon Valley, the center of advanced technology where Facebook, Google and Tesla are within a one mile radius, “When I went to register my daughter for school I had to bring an electric bill to prove I lived there. It struck me that everything I experienced was identical to the 1950s save for the photocopy.”

He continued, “When Estonia emerged out of the fall of the Soviet Union in 1991, “we were operating with virtually no infrastructure, even the roads built during the Soviet era were for military purposes. By 1995 to 96 [however] all schools were online with labs so that all student could have access to computers even though they could not afford to buy them.”

By the late 1990s Estonia determined, “The fundamental problem with cyber security is not knowing who you are talking to. So, we started off with a strong identity policy; everyone living in Estonia has a unique chip-based identity card using two factor authentication with end-to-end encryption.” This is more secure than using passwords which can be hacked.

“A state-guaranteed identity program seems to be the main stumbling block for security elsewhere. My argument is that a democratic society, responsible for the safety of the citizens, must make it mandatory to protect them.” Moreover, Estonia’s mandatory digital identity offers numerous benefits, for example, “We don’t use checks in Estonia.”

Decentralized Data Centers

“In Estonia, we could not have a centralized database for economic reasons. Every ministry had its own servers, but everything is connected to everything else including your identity.” Even if someone breaks into the system, the person “is stuck in one room and cannot get into the rest of the system.”

Known as X-Road,  this decentralized system is the backbone of e-Estonia. Claim the developers, “It’s the invisible yet crucial environment that allows the nation’s various e-services databases, both in the public and private sector, to link up and operate in harmony. It allows databases to interact, making integrated e-services possible.”

The system is so well integrated that Pres. Ilves claims it streamlines submitting paperwork for various needs to a point where it saves every Estonian 240 working hours a year by not having to fill out tedious forms.

Nearby Finland has joined in implementing such a system along with – Panama, Mexican, and Oman.

Pres. Ilves added that, Blockchain technology is to store personal information to assure the integrity of the data. “I might not like it if someone sees my bank account or blood type, but if they do it is not as bad as changing my financial records or blood type – which cannot be done.”

Estonia further assures the safety of its data by having an extraterritorial server in Luxembourg where the information is duplicated outside its borders.As a result of its legal and policy approach to security, “Estonia is the most cyber secure country in Europe, Russia the most secure in Eurasia and China the most in Asia. Estonia is also the most democratic.”

International Cyber Agreements

Joseph Nye, Harvard University Distinguished Service Professor, Emeritus and former Dean of the Harvard’s Kennedy School of Government explored
waysnations can develop cybersecurity and cyber-attack norms, often drawing parallels between cyber and nuclear technology, norms, threats and international agreements. “It took two decades to develop norms for nuclear war. We are now about two decades on cyber depending on how you count.”

Nye recalled that cybersecurity problems emerged in the mid-1990s when web browsers became widely available sparking the “huge benefits and huge vulnerabilities” of cyberspace about two decades ago.

He noted, that with establishing norms to harness the destructive power of nuclear technology, “The first efforts centered around UN treaties.” through “Russia defeated UN-centered efforts after the Cuban missile crisis.”

Nye told some 40 delegates at the World Cybersecurity day event, that the beginning of real efforts to set norms around nuclear technology, came with test ban treaties, which were essentially focused on environmental concerns over detonating nuclear bombs in the atmosphere came in the 1960s.  “It wasn’t until the 70s that SALT (Strategic Arms Limitation Talks) produced something that began to set constraints.”

Turning to cybersecurity, global efforts to limit cyberattacks by states, “especially against critical infrastructure” began in 2015 in a report taken to the UN Group of 20 of the world’s most powerful economies; 19 nations and the European Union. In 2017, however, they failed to reach consensus due largely to difficulties between the US and Russian and China backed off as well.

Setting cyberspace norms

Nye explained that “a norm is a collective expectation of a group of actors.  It is not legally binding, and differs from international law. Norms can also be common practices that develop from collective expected behavior and rules of conduct.”

While large groups of nations have tended to achieve little in terms of establishing norms in cyberspace, bilateral agreements offer promise. “The US and China have very different views on internet rules regarding [say] freedom of speech. For years the US corporations complained about cyber espionage being undertaken to steal American companies’ intellectual property and giving it to Chinese businesses,” Nye said, recalling that, at first there were denials but the issue became a top priority when the Edward Snowden affair let China off the hook. At that time China totally blocked IP theft.

The US further stated that it would sanction Chinese companies unless their government took position against stolen IP. Then, with a US-China summit coming up 2015—the US made it clear that if the meeting was to succeed, intellectual property theft, had to stop because of its corrosive impact on fair trade. “Espionage is one thing, but corrupting the trade system is different than stealing other secrets.” What’s more, Internet espionage is, “quick, cheap and you don’t have to worry about your spy getting caught.”

Finally, when XI Jinping and President Obama met in September of 2015, China agreed to no longer acquire intellectual property.” While some IP spying continues on the margins, there has been a discernable reduction since the meeting.

The benefit of bilateral agreements Nye emphasized is that, “They don’t stay in a box but become the kernel of the broader game of establishing wider norms,” noting that while broad multi-nation global agreements may have failed, bilateral agreement between states with very different views have succeeded.

“Progress may not be made by a large global agreement such as convening 40 states. Finding ways states can negotiate concrete decisions between themselves and broadening them to encompass more nations is a much more plausible approach”

Other avenues to cyber defense

Prof. Derek Reveron of the Naval War College noted that, “Cybersecurity challenges the way we think about domestic and foreign boundaries. The military looks outward but with cyber threats boundaries have less meaning.”

He added that effectively combating cyber threats can be hampered by, “tension between intelligence agencies and Cyber Command which is charged with responding. Cyber Command might be able to attack ISIS in cyberspace, but then the intelligence community will lose assets. Attacks also needs clearance from Congress.”

“Cybersecurity measures also challenge our idea of what’s public and what’s private,” said Reveron noting that cyberspace is monitored and run by corporate entities that are global not national—companies more important than governments,” in defending cyberspace, he said.

Additionally, it is difficult to isolate malicious cyberattacks to determine their source and privacy and freedom come into play as well when it comes to cyber defensive measures outside the US. “In China and Russia, for example, internet freedom is a threat to authoritarianism,” he observed, noting, “Google had to give up some of the values in China that that it has in the US.”

Reveron underscored several practical cyber-defense rules of the road to consider:

  1. characterize the threshold for action and understand the adversaries’ thresholds for reactions
  2. to avoid escalation, governments should maintain the monopoly on cyber-attacks not companies
  3. critical infrastructure attacks will have a local impact. If the power goes out in Cambridge, we need a connection between local and national responders
  4. within a country there must be collaboration across all entities—banks, telecom, retailers and the like
  5. practice comprehensive resilience to prepare municipalities and individual states for cyber attacks
  6. enhance the cybersecurity of developing countries by making their systems more resilient and their citizens more digitally savvy.

A recent paper on the subject Principles for a Cyber Defense Strategy by  Derek S. Reveron, Jacquelyn Schneider, Michael Miner, John Savage, Allan Cytryn, and Tuan Anh Nguyen is available on the Boston Global Forum Website.

During the meeting, Tuan Nguyen introduced the launch of the Artificial Intelligence World Society, and offshoot of the Michael Dukakis Institute for Leadership and Innovation.

Global Cybersecurity Day was created to inspire the shared responsibility of the world’s citizens to protect the Internet’s safety and transparency. As part of this initiative, BGF and the Michael Dukakis Institute for Leadership and Innovation also calls upon citizens of goodwill to follow BGF’s Ethics Code of Conduct for Cyber Peace and Security (ECCC).

Boston Global Forum a think tank, with ties to Harvard University faculty includes scholars, business leaders and journalists, and is chaired by former Massachusetts Gov. Michael Dukakis, a national and international civic leader and BGF’s cofounder As an offshoot of The Boston Global Forum, The Michael Dukakis Institute for Leadership and Innovation (MDI) was born in 2015 with the mission of generating ideas, creating solutions, and deploying initiatives to solve global issues, especially focused on Cybersecurity and Artificial Intelligence