Turn your device to view content
Turn your device to view content
Global Cybersecurity Day
Estonian Former President
Toomas Hendrik Ilves

as World Leader
in Cybersecurity
Global Cybersecurity Day
World Leader in Cybersecurity
Global Cybersecurity Day 2017

December 12, 2017
Venue: Loeb House, Harvard University

Scroll to read more

Press release

Estonia’s Past President Toomas Hendrik Ilves will receive the World Leader in Cybersecurity Award for his nation’s achievements in developing cyber-defense strategies for all nations, and for establishing Estonia’s preeminence as a world leader in cyberspace technology, defense and safe access. The presentation will be made at the third annual Global Cybersecurity Day Conference, 8:30 AM-Noon, Tues, Dec. 12, 2017, Loeb House, Harvard University, 17 Quincy street, Cambridge, Massachusetts.
Award President Ilves is being honored for his leadership that resulted in his Estonia becoming a vital member of the world community and for his speeches before the United Nations where he has fostered understanding of the risk of climate change, the need for safety of the Internet, and the plight of migrants and refugees – especially children.

In making the announcement Gov. Michael Dukakis, Chairman of Boston Global Forum, stated, “We believe we are kindred spirits in our pursuit of a world in which we share in the concern for our fellow citizens worldwide.”

He added, “I also believe the Boston Global Forum and the Michael Dukakis Institute for Leadership and Innovation can play a vital role in helping President Ilves continue to communicate his message and inspire others by participating with leading thinkers and scholars from Harvard and MIT who share his vision for a clean, safe and transparent Internet.

Also being honored for contributing to the advancement of Artificial Intelligence and Cybersecurity will be Prof. John Savage as Distinguished Global Educator for Computer Science and Security on the 50th Anniversary of the Brown University’s Computer Science Department.
Global Cybersecurity Day
This year’s conference theme is Cyber-Defense Strategy for a Nation, featuring discussions by noted world authorities:

“Can We Develop Norms to Control Cyber Conflict?”
by Prof. Joseph Nye

“A Cyber-Defense Strategy for a Nation”
by Prof. Nazli Choucri

“Applying Estonia’s Cyber-Defense Strategy Internationally”
by Estonia President Toomas Hendrik Ilves

“Cyber-defense strategy for a nation”: Recommendation of The Boston Global Forum and Michael Dukakis Institute for Leadership and Innovation
by Prof. Derek Reveron

Global Cybersecurity Day was created to inspire the shared responsibility of the world’s citizens to protect the Internet’s safety and transparency.
The Speech The Speech The Speech The Speech The Speech
Global Cybersecurity Day

Former Estonian president, Toomas Hendrik Ilves, was named World Leader in Artificial Intelligence and International Cybersecurity by the Boston Global Forum and the Michael Dukakis Institute for Leadership and Innovation, at the third annual Global Cybersecurity Day conference held at Loeb House, Harvard University on December 12th 2017.

President Ilves was recognized for fostering his nation’s achievements in developing cyber-defense strategies for all nations, and for establishing Estonia’s pre-eminence as a world leader in cyberspace technology, defense and safe Internet access. Indeed, Estonia’s cyber security and access principals that focus on assured identity in every transaction have become a model for other nations around the world.

President Ilves, who is currently affiliated with Stanford University, was also certified for his leadership before the United Nations, calling for greater urgency in combating the climate change, the need for safety of the Internet, and the plight of migrants and refugees – especially children.

Estonia became a world leader in cybersecurity-related knowledge during his term as the Estonian president. This country now ranks the highest in Europe and the fifth in the world in cybersecurity, according to the 2017 cybersecurity index, complied by the International Telecommunication Union. It also hosts the headquarters of the NATO Cooperative Cyber Defense Centre of Excellence.

He became one of the principal global spokespersons for this newly-confident, digital Estonia. Constantly willing on grasp new technology, he also got known as the “Twitter president”, due to his prolific use of the online social networking service, personally tweeting on topics around topics going from international politics to cyber security to the public. Estonia has done something in a new and different way. One of the new developments to look forward to is much-vaunted e-residency project – a state-issued, secure digital identity for non-residents which allows digital authentication and the digital signing of documents.

Due to his championing of the digital society, Ilves has, in recent years, taken on many international advisory roles. President Ilves was the chair of World Economic Forum's Global Agenda Council on Cyber Security from June 2014-to May 2016. Starting from 2016, Ilves co-chaired The World Economic Forum working group The Global Futures Council on Blockchain Technology. After the end of his presidency in October 2016, Ilves was appointed Visiting Fellow at the Center for International Security and Cooperation (CISAC) at Stanford University. During his presidency, Ilves headed the EU Commission's Task Force on E-Health and the EU Commission's Steering Group on Cloud Computing. Along with Kaushik Basu, the former Chief Economist of the World Bank, he co-chaired the editorial advisory board overseeing the World Bank's World Development Report 2016 on Digital Dividends, a major study on the use of digital technology to promote development.

Ilves has also become a well-respected global speaker on cyber issues. In 2017, he received the Reinhard Mohn Prize “Smart Country: Connected. Intelligent. Digital” by the Bertelsmann Stiftung and World Leader in Cybersecurity Award by the Boston Global Forum.
Global Cybersecurity Day


Well, thank you very much. I start off with a two-finger comment on Joe Nye which is just that there is an article in Politico last week about the Russians making an offer to the U.S. on a bilateral treaty which the U.S. rejected. Of course, as a European I would say, yes of course the Russians who have clearly meddled in Germany, the U.K., Spain, Italy, the world agency or World Anti-Doping Agency that it does not really encourage us if there is a bilateral treaty. And we are left out to continue manipulation. But basically the U.S. rejected it because it is kind of asymmetric, because you already know the result of the election. So I mean what's meddling going to do.

Anyway, get to my talk. I am going to start talking about security from a ground up level because I actually think and expand upon that security, as at least in all post enlightenment democracies based its approach on John Locke's model that the individual gives up his Hobbes' right to kill someone else to the state in return for security, be at your local police, your national security agencies, or internationally, in the Army. And what we have done in Estonia is actually put the state at the center of the security. At the same time, just let you think we are kind of deal with it, European governments were probably far less intrusive in people's lives than in the United States. But more broadly I think that we have to rethink of it.

Most aspects of our lives, in looking at living in the digital age basically ever since William Gibson and his dystopian novel "Necromancer," took Norbert Wiener's term "cybernetics" and popularized the prefix "cyber." This prefix is proliferated to almost all spheres of human activity which I think is an indication of how much the digital world has permeated our lives. So we have cyberpunk, cyber crime, cyber hygiene, cyber space, cyber Pearl Harbor, cyber war, cyber security and of course inevitably cyber sex. Rather than be mown as some have the ubiquitous use of the prefix, saying it is meaningless, I actually welcome the ubiquity to emphasize how profoundly our lives and our societies, our nations and indeed almost all human endeavors have come to be depended upon digital communication.

So basically we are into the privacy of emails or our electoral democracy, to our infrastructure, right in apartment sharing, the integrity of our financial system, banking, the ads that we see on social media during electoral campaigns. All of these are subject to manipulation and attack. All of these, with the exception of social media and the sharing economy, also existed before the digital era but they now have all been altered by the free movement of electrons and are in completely different form, which requires us to rethink much of how we do things in all other aspects and realms of human activity.

And this is of course all due to the the increasing power of the silicon chip or so known as Moore's Law which still doubles every year and half even if it's slowing down a bit because we are pushing the limits of physics. But basically the world is nonetheless completely different from the way it was 25 years ago.

While the all things digital have changed beyond belief, government's policies, laws, regulations actually have failed to keep up with this. (Of course we will talk about what the government can do on cybersecurity, cyber governance is. That is very good but on the other hand we actually have not looked at all the rest of life.

We have events such as when 145 five million adults in the United States had all of their financial records stolen. I mean that is probably 80 percent of the adult population. It was completely untouched by government regulation except for the fact probably from sort of old style rules that the management sold their stocks before informing the population that their data had been stolen. We have to come to terms that this is a much broader issue.

And I guess most importantly if we look at the core of our digital security and I'm not talking about the government, the NSA and our electrical infrastructure, but basically what we, all of us, do online started out 35 years ago with a system that worked fine then when there were about 3,500 academics using a network called BitNet where security relied on an email address almost always ending with a top level domain of dot edu. These people generally did not pose a security or criminal threat. Yet today there are 4.2 billion people online. We fear all of these things such as cyber war, cyber crime, docs, emails. But basically what we are dealing with is that since we use BitNet we have had 22 or 23 iterations of Moore's Law, which means that today computers are 8.4 million times more powerful than they were when we started using this system among 3,500 academics. We also have an increase of a roughly the same order of magnitude from 3.5 thousand people using BitNet to 3.5 to 4.2, depending who you ask, billion people online.

We've been very slow to realize this. Say, Joe Nye pointed out in an article 6 years ago, immediately after the Munich Security Conference without naming me, he quoted me, that this is the first time Munich security conference has ever dealt with the issue of cyber security. That was 2011. Up 2011 till the Munich Security Conference, the premier conference on security of the world, had not even a single panel on the issue of cyber security. Now, of course, the Munich Security Conference has an entire separate conference of cyber security. But that just shows how recently this was not considered an issue.

Now what I will try to do today is to try to look at cyber security at three levels, beginning with the individual and then moving on to the state and then finally getting to the international level.

And again to reiterate, my point of view is that security has been the responsibility of the state pre-digital and it remains so today but the state has failed to keep up in general in most places and that this does remain a key aspect of John Locke in the Social Contract where we do give up certain rights in exchange for protection against sort of Hobbes's War of All against All. We have also gotten there in the analog or physical world but we are very slow to get there in the digital world.

Ultimately I would argue that security is a political choice based on policies, laws and driving from those laws and regulations, just as we have in the physical and analog world civilian control of the military as a core concept in democracies, Habeas corpus laws regulating use of guns. Again when we get to digital we are fairly poor in this respect.

When we come to cyber world, I argue, we are too focused on the technology rather than the policies, laws, and regulations.

I would say, specially now knowing the system we have created in Estonia, that actually the technology is not that advanced but we are way ahead of everyone else when it comes to use of digital technology. This is a function of the laws. I should mention here that just this week in The New Yorker you will be able to read probably the best article I have ever read and I think I have read every single English language article that has ever come out on my country and digitization but the best article that has appeared just came out yesterday it's in this week's New Yorker it's written by a guy named Nathan Heller. That describes the way everything works in a very nice way so I do not even get into that.

One thing I should add before I talk about what we do. There is a huge difference in this regard between what we and most countries do. Because our focus has been always on the gee whiz aspects of technology which became clear to me when after 25 years of dealing with digitizing my country. I mean aside the fact that I was a geek once but it is always tough going politically. When I finally finished my term, my dream came true. I was invited to Stanford, the Mecca of innovation in IT. Of course that is where everything is. In a ten mile radius of my office I have the headquarters of Apple, Google, Facebook, Tesla... I mean you keep going on and on. I guess only Microsoft is really missing. And on top of that three miles away from me is Sand Hill Road which basically funds all of this enormous innovation.

When I went to register my daughter to go to school, I had to bring electricity bill to prove that I live there. Then after she had to take an E.S.L. exam because she was going to school in Estonia and she placed out of taking a catch up course and she had to get permission to enter a regular English class. So I had to sign two pieces of paper. I had to deliver one to the school, physically signed paper, and the other one four miles away at the Municipal School District headquarters. When I got there, there was a line of about 20 people. I said I just have piece of paper to drop off here and the last person said we all just have a paper to drop off here but they have to make a photocopy of it. Then suddenly it struck me that in fact everything that I had been experienced in that process, except for the photocopying, was identical to the 1950s. Nothing it had changed, except in the 1960s you started getting photo with Xerox machines in the U.S. school system, so you could actually make a photocopy. I got to say that to illustrate where we are in most countries when it comes to digitization.

We took a different route. I want to by the way mention what it is like to register a car. It usually takes one to two days sometimes three. Unless you buy a new car and the dealership does it for you which I had to finally end up doing.

But what we did in Estonia, just for background, I mean why we did, what you did, which I mean we emerged out of the miasma of the Soviet Union in 1991 or reemerged because we had been independent. In 1938, the last full year before World War, Estonia, and our linguistic cousins across the bay, or the Gulf, had the same GDP per capita. When we became independent again the difference between GDP per capita between our two countries was 13 fold. We were still basically operating with no infrastructure except for military infrastructure; all roads that were built during this Soviet period were for military purposes. So looking at this awful situation, people came up with all kinds of plans. I proposed (since I had been talked in a real fluke and serendipitous event, I learned to program at age 14) why don't we teach kids how to use computers. We embarked upon in 1995-1996 that by 1998-1999 we had all schools online.

Schools had labs which we opened to the public after school hours so that other people could learn to use computers. Keep in mind everyone is poor so they cannot buy computers but they do have access to them. By this time we had gotten this sort of thinking that maybe digitization really is the way to go for the for the country. But we realized somewhere around the late 90s that we could do it differently because ultimately we were worried even then about security and what that meant and we do have a neighbor next to us that is very big and probably very good at causing problems in the digital realm as the US has discovered later on.

So we thought long and hard about what it is that we need to do. One of the things we came to very quickly was the fundamental issue of cyber security for the population is identity. Who are you? We all know the old New Yorker cartoon "On the Internet, no one knows you are a dog,". Actually, the fundamental problem of cyber security is that you do not know who you are talking to, (in fact this is where differs from what I will talk about later on the kinetic world of warfare), you don't even know if he is in your own country that you are talking to who you are talking to.

So what we realized is that we must start off with a strong digital identity and this is what one of the key axioms I would argue for the future of digital security.

Of course that sounds good theoretically. What that meant in policy terms was that in 2001 we offered everyone living in Estonia at that time citizens' permanent residence a unique chip based digital identity card, in that communication was insured with two factor authentication with N2N encryption.

And I said we did this because we realized even then that the primary model of e-mail address plus password is not going to last for long. In fact, today there is no password that cannot be broken in the email plus password paranoia through brute force hacking. If you do not have two factor authentication, you might as well give up and this already means that on most transactions that you do in life in most countries, you cannot be sure of anything.

We did this with a chip card plus a code. I am sure that people are really interested in this. We see in many places today two factor authentication is slowly coming in. Apple also uses it as Google. The problem with two factor authentication is the ways that in most places. For example, at Stanford that has become the norm because of a big hack several years ago. The S7 protocol which governs the communication between mobile phone communications has been hacked, is hackable. In fact the first case of a big hack was the loss of 3 million euros by a German bank this Spring that did use two factor authentication using a mobile phone second factor.

So that was how we started off. We did this on a public-private partnership basis because every interaction has to be authenticated. The verification or certification of each transaction is done by a 50-50 public-private partnership, half paid for by the government, half by a consortium of banks.

The second step was that using a two factor authentication with a highly encrypted public key infrastructure. Encryption meant that we could offer all people living in the country genuine security, or starting from the premise that nothing is complete secure, at least far more secure than the kind of security the most people enjoy in most places.

We have been using until then we found out that the that infinity and produced a full flawed chip, or 2048, we did it fast. I guess unlike most companies in most countries, we actually said we had a problem with the chip. And now we have gone over from our say to an elliptical encryption. As I say that other countries that use the same chip unfortunately have not been very open about it as we were.

Going back to 2001, we did one more step which is actually a key to make creating a functioning digital society in which again most places have not undertaken at all which is that we gave the identity legal efficacy. You can sign legal documents online with this system. That means hooking it up to a national registry. This causes howls of indignation from the Five Eyes countries, also the Anglosphere, the U.K., Canada, the United States, New Zealand Australia, who say we will never have a digital identity, let alone any kind of legal efficacy, which I would find kind of odd because in fact the United States, the U.K., Canada etc all offer passports in which the state says you are you. All we're doing is saying, the state is saying, you are you to enable legal transactions.

Digitally, as opposed to having it in a physical passport, the use of our system and I mean the card in here as a behavioral economics is that we make it mandatory to have a card. You never have to use it but you must have one. Why do we do that? Because uptake rates of digital identities in most countries, or today in Europe, all countries must issue or offer digital identity, the uptake rates are 15 to 25 percent.

The early adopters are the ones who take out a card. We decided we would make it mandatory because no services will develop either in the public sector where different ministries should be developing things or in the private sector which would have an interest in this. They would not do it if they think that 85 percent of the population cannot even use this service. So we have things such as digital prescriptions which are used actually today by 99 percent of the population. You do not ever have a paper prescription; you call your doctor and he will renew your prescription or your doctor writes it in when you go see him. No one takes the effort to develop those kinds of systems unless you have the private sector and the public sector assure that basically everyone can use this.

So this is laying the groundwork for digital society and of course what makes our bank transactions secure instead of what I find here is that it is all card based chip, be it up for mobile phone or your card. We do not have checks in Estonia. I read recently how one system works here is that you can you have electronic banking so you go online, you do something and the bank prints a paper check and then mails it. This is not a digital society, I would argue.

Basically, the state guarantees ID and it seems to be the main stumbling block in most countries for a secure digital society. My argument is this is simply something in a democratic society that if it is responsible for the security of the citizens, it must offer this. I mean you may not want to go the full step that we did, that you make it mandatory, then you basically assume that digital services, at least on the part of the government, will not take off.

I just read last night a perfect example of why a democratic government that wants input from its citizens needs a digital identity in the ongoing debate on net neutrality. The FCC, like many federal agencies, asked people's opinion and got a million fake or bizarre nonexistent comments. Against net neutrality, I don't know how many got in favor of maintaining that neutrality. But unless you can log on and be you as a citizen of the United States commenting on impending regulations then what's the point of asking anyone. In fact, some four hundred thousand of the comments came from Russia. I mean this is not how you run a democracy or at least this is not how you do open government soliciting opinions from your citizens. We have the same system in our country where, on various issues, we ask people's opinion. But you have to do it by saying who you are. If you do not say who you are, there is no point. I do not want to get into issues of anonymity and how crucial that is or may not be and how it would may be ultimately a victim of our lack of cyber security in the cyber realm. Nonetheless I would say that without a secure identity, the functioning of a democracy becomes, I would maintain, stymied.

The second thing we did (just to talk about how we have put security into the system) is designing a very different architecture from what is usually used. Most big countries or most governments have used centralized databases. The OPM hack: 15 million or 23 million U.S. federal government employees including CIA, NSA personnel, including their personal psychological profiles were hacked, as you probably know, two years ago. Does it matter who did it? The fact is that they had all of this stuff easily accessible and in clear text that was not even encrypted. I would find again unconscionable not to mention the kind of hack we saw with Equifax.

What we realized quickly is that we could not have a centralized central database for purely economic reasons. In the late 90s everyone was going after big central servers. We were sort of where we were. We had what we had done: every ministry, every agency, every company had its own servers, often using different systems and also with a great degree of independence, but at least arrogance, there were little fiefdoms. So in trying to figure this problem out, we had some mathematicians of ours came out with a distributed data exchange layer which we call X-road, in which everything is connected to everything through the authentication of your identity. Basically, the idea is that if your identity gives you the wall and the moat of a castle. Once you breach the moat and the wall, you are in and everything is open to you. In our system, if you breach the moat and the wall you are still stuck in a room: one room, one person. You can get something for that one person but you cannot get the rest of citizens.

I would like to play a three-minute video just to give my throat a break and as a little commercial to show how our system works.

"Running a modern state is a data centered endeavor. Ensuring the functioning of the state requires administering very large quantities of data. Estonia lacks a centralized or master database. Data is stored where it is created. Each agency administers its own data separately and data is not duplicated. At the same time state authorities and agencies need data outside their per views in order to function. For example, the police constantly require information from the population registers. Likewise, the unemployment insurance fund depends on information from the health information system. How can authorities securely exchange important data? First the data must be easily accessible by the authorities that are authorized to use it. Second the integrity of the data must be maintained: no third party should be able to make any changes to the data while it is in transit. Third the data must remain confidential during its journey: it must be protected from the eyes of unauthorized parties.

The X-road is a data exchange platform that fulfills all three of these requirements. The X- road makes life simpler for both the state and for the citizens. For example, when a child is born, information about the birth is sent directly from the hospital to the population register. From there it is sent automatically to the health insurance fund so that the child will have health insurance and a family physician. This prevents the creation of excessive paperwork and saves time. The state functions in the background. The X-road helps authorities make work processes more convenient. Many activities can be automated which frees employees to deal with matters that require human involvement. Authorities also do not have to worry about the authenticity of data. They can be confident that data received from the Tax Board definitely originated from the actual tax board. Additionally, the X-road can be used regardless of what technology and authority use this. For the state, the X-road, above all, makes it possible for authorities to efficiently exchange data among themselves. Sensitive information moves securely and the system itself is so resilient that it cannot be easily brought down by those with malicious intentions.

Since the birth of X-road in 2000, the system has operated continuously without interruption. The X-road helps the state see the big picture of how different authorities are connected to one another. In addition, the X-road makes it possible to exchange data not only within the country but also across national borders. That is, of course, if databases and information systems are working properly. The biggest beneficiaries of the X-road are of course the citizens. They enjoy the benefits of a better functioning state and save all of the time they would otherwise spend on submitting papers and forms. How much time? During the time it took you to watch this animation, the X-road saved around 240 working hours in Estonia. Cool"?

Now what this does, among other things, is, in addition to giving you security, it changes the nature of bureaucracy for the first time since it was invented 5 thousand years ago, either in Mesopotamia or China.

Bureaucracy has always been the serial process. If you want the permission to do something, you apply with a piece of paper. The paper goes through one agency to another agency. Think about establishing a business, you have to check if all the board members pay their taxes, someone else check if they pay their alimony, someone else has to check if anyone has ever gone bankrupt. So it just takes quite a long time. This makes a bureaucratic processing parallel. In fact, which beats things up from establishing a business in my country is it takes about fifty minutes because all of those queries are answered simultaneously.

This system also allows for greater transparency and reduction of corruption because basically decisions are made by checking the boxes rather than by having an official who uses his discretion to decide whether you get something that you are entitled to or not. If I want permission to dig hole, I have to apply to my municipality just to make sure there is no water main down there or there is no electrical cable. In a lot of countries if you apply, you know you should get the permission but there is an official there saying "well you will not get it for free". That is, you have to pay in whatever currency.

These kinds of decisions are made automatically. The best result however of this is we have applied a once-only rule, which means that the government not ask you for any information it already has. I mean once you are identified, you no longer have to write your address down again, your telephone number or any of that stuff because this is ALL done online.

And the system has now been adopted from us (we give it away as foreign aid) by a number of countries. This platform is kind of foreign aid on a thumb drive. Finland, probably most prominently, with us now are jointly developing its own open source non-proprietary software. Mexico is adopting it; Panama is taking over; Moldova has had it for a while; Georgia. Countries vary in how much they do this. Oman. We gave it to the Palestinian Authority but they never use it. So it really depends.

But again what this does allow us, from the point of view of the citizen, is to go do things that traditionally have not happened at all. We will as of next year have cross-border interoperability of digital prescriptions so as Finns are coming to Estonia. We get too good a time, we get eight million Finns in a year. If he loses medicine, he can then call or write his doctor in north of the Arctic Circle. The doctor will then remove his prescription. He will take his Finnish ID, plug it into any pharmacy, put in his identifying numbers and he will get his medicine. I proposed this 5 years ago to the Finnish President and next year will be six years since I proposed it. That is how long it takes the technology would probably, as in most cases, take about three days to do all this. Political will, policies, laws and regulations have just taken that long to go anywhere.

Further on digital security and security before I move on to the big picture, the big issue in Europe has, especially since Snowden, been privacy. As privacy is, of course, very important, I would argue this system allows far more privacy than the current system but does require a certain degree of trust which is why we do not have backdoors. If you had backdoors you would no longer have trust and no one uses the system. But the real issue to my mind has been is really data integrity.

I may not like it if someone publishes my bank account or my blood type. If someone changes my blood type or the record of my blood type or someone changes my bank account number or contents, that is a disaster. So what we have done is to put all critical citizen data, health records, property records, law cases (because now they are all digital and you would not want those changed) on the block chain. It is interesting that all public sector is in all our private block chain because as if the public want to take forever to work as with Bitcoin but it's on a private block chain and administered by the government, which then means that you cannot change these data.

The other thing that we have done for security in addition to all of this is that as a small nation that has been invaded about 20 times in the last thousand years, we do worry about our data. Based on the experience of Japan which lost about five percent of its of data in the Fukushima incident, we have now established a data embassy. Applying the Vienna Convention on extraterritoriality of diplomatic representations, we have given our big server diplomatic status. It is in Luxembourg and there will be others so that if we happen to have (I mean we will not have) any bad seismic events most likely, or if I were Greece, I would certainly do something similar. Not a happy place for seismic events but certainly you want to keep your data elsewhere. It is not an issue for the United States. The U.S. is huge and generally has not to worry about all you need or keep your data in several different places but for smaller countries, you probably do need to think about these things.

And the final thing and at the national level of what we do is that we have a prohibition of un-updated software. All you have to do is look at want-to-cry which took down the UK's entire national health service because the UK being too cheap, did not update. For the version of Windows they were using, Microsoft stopped updating in 2009. The UK and Microsoft then made a special deal to keep it up till 2013 but even that time lapsed and then this spring 2017 you had the want-to-cry ransomware which shut down the medical system of a big European country.

We cannot allow that. This is again, I think, a fundamental issue that needs to be dealt with both in the private and the public sector. You cannot have legacy software. In other words, you must think of software as an operating cost, a running cost. Most companies and most countries think of software as a capital investment, right? It is not like a car. It is not as if you bought a car two years ago, you do not need another one for three. You must always keep your software up to date. Or as in the Equifax case when they identified of a vulnerability in February, they did not bother patching it until after they were breached.

I mean if you are not going to get companies to observe that and if governments do not observe that, you are going to have to legislate that. Certainly, in the case of Europe, the application of the new general data protection regulation will force U.S. companies at least in Europe to worry about patching things or what happens to citizens data because the fine is going to be four percent of a company's revenue worldwide, which is no small thing. People may complain and moan about the regulations of the European Union but personally, I think, after Equifax, there's nothing you can say about that. I am more surprised that there has been so little of a citizen outcry on all of this. I am also surprised that all kinds of things such as what happens to data in this country or in a number of European countries and its use, for example, Cambridge's analytic use of data is brought in creating highly targeted, highly granular ads in the last election and probably also in the UK's Brexit referendum. I think that these are all issues that will need to be addressed. They are not political issues. They're not there yet.

I would like to move on just quickly to the to the international part of this. While I agree with Joe on the need for conventions, there is only one convention that works at this point and that is the Budapest convention on cyber crime, recently with the Council of Europe, which is then acceded to by liberal democracies, the U.S., Canada, Mexico, Japan and Australia. They decided to call to Budapest convention because it was no longer a Council of Europe thing.

The problem with that convention, but which may also lead the way to future thinking, is there are a whole host of countries that have not acceded to the Budapest convention, most prominently China, Russia and Belarus. I think Ukraine is somewhere in between because Ukraine, at least up till the end of Yanukovych's regime, was also a primary source of all kind of cyber crime. But rather I direct attention to a fundamental conundrum of cyber security at the international level that we need to address, which is our thinking about security since the first rock by a hominid pre-human hominum was thrown to kill another pre-human hominid, has been kinetic, distance based. Force equals mass times acceleration, meters per second squared. Meters no longer matter in security these days; distance does not matter. All of our security thinking up to the present has been based on the concept of distance, therefore geography. Think about what is the primary security organization that we have, I mean are in it, the North Atlantic Treaty Organization. Countries that share all of the values of the countries of the North Atlantic Treaty Organization such as New Zealand Australia Japan and Uruguay... they are not in the North Atlantic Treaty Organization simply because they're not in the North Atlantic. All the work of the North Atlantic Treaty Organization is based on things such as tank logistics, fighter range, bomber range, troop movement logistics. It is all distance-space. Today, all of the threats have nothing to do with distance: borders are breached without being noticed. On top of that, the threats, I will take just one, APT28, or Fancy Bear, have hacked the Bundestag, hacked the Italian foreign ministry. They have done all kinds of things to the Netherlands, Sweden, Ukraine. Even the World Anti-Doping Agency has been hacked by this one group of probably GRU hackers. It of course did hack the DNC. I should point out here that David Langer at least told me that of the 126 people working at the DNC with access to the DNC server, 124 were actually using two factor authentication, two were not. Guess how the DNC server got hacked!

Anyway the point is that our ways of looking at things in this side in the digital era just have to change. We have to think about security not in terms of geography. We have to realize that the threats can hit all over and perhaps what is at risk are our forms of government, ways of organizing society. Certainly that is the case what we've seen in the last year or so, not only with attempts to derail the US elections but, we know better that, with the Brexit campaign. We know that, in France, Emmanuel Macron's server was hacked. Having learned from the DNC hack, they actually loaded their email server with obvious fakes so that when they were docs, published things that were so obviously fake that it disqualified virtually everything, even what was perhaps potentially embarrassing. Nonetheless I would say that we should learn from these individual actions and think about how we should guarantee our security in the future, think about working together a lot more.

Our own experience with this was not very good. From now on every history, cyber warfare begins with the April-May 2007 attacks on Estonia. They were DoT attacks, which meant our systems were never breached, they were just shut off from people. At the time NATO was loath to admit that this had been going on. Slowly people came around and realized that this was a closet Vicient event, attenuation of policy by other means. Ultimately what we had been asking for years was a center of excellence in Tallinn which produced Tallinn Manual 1 and 2. It was established in my country but even NATO took a while to get there.

It is sort of the traditional model of you know someone breaches the border and then there is the Article Five. Decision made it inact doesn't really hold because in a cyber event, you have problems with the attribution, you don't know what the proper response is. We are just not ready for that or have not been ready for that.

But nonetheless we see the security situation has decreased to such a level that even our democratic systems seem to be under threat. That we have to start thinking in multilateral terms as I mentioned we do have the Budapest convention on cyber crime which kind of maybe gives us an idea of that like-minded nations have agreed that they will work against cyber crime, will give out criminals from their territory. It has been used to great effect in a number of countries where one country identifies a hacker in another country. According to the Budapest convention, they are then extradited.

We see that other areas do not work so well as Joe mentioned. Ungar has failed this year. That's because during the ITU discussions about five years ago, already then a set of like-minded countries, China, Belarus, Russia were basically arguing for what would amount to censorship of the web because their definition of security is of information security, is not devoted to hacking, to hacking other people's infrastructure. It includes freedom of speech and that's clearly something that liberal democracies are not willing to put up with. Another example of fairly successful cooperation that also might lead the way is the possession of the NATO center in Tallinn because while it was originally open only to NATO countries that it is now open to other like-minded nations. Finland is a non-NATO member. Japan basically has asked "we could we join, Is that fine"? It is a long decision making process there but if we are as we have seen with threatening both at the level of infrastructure, at the level of privacy, at the level of of our democratic processes, we will have to develop at least among liberal democracies some kind of defensive mechanisms among them, international cooperation. At this point or until perhaps two weeks ago, there has been no real cooperation within NATO. NATO's idea of cyber security is only to deal with the security of the organization, not the members or the allies but just the organization.

Thinking is moving beyond that but maybe has not gone far enough. I do think we will have to face up to the reality that liberal democracies are under threat, that the mechanisms for attacking liberal democracies are no longer merely kinetic and that we have to start working toward some kind of serious organization for cyber security for liberal democracies that as with the attacks transcend geographical boundaries from New Zealand and Australia to Finland and Estonia, countries will share information. It is going to be a long time cyber information even within NATO as I said. It is more a matter of following the espionage paradigm where you do not share anything as opposed to the interoperability paradigm that you put a U.S. missile under a French Mirage jet. It means in that sense interoperability. In fact, it is one of our experiences when we discovered some malware, we went to NATO and said oh look what we found in NATO said Oh you too to an ally. That is not how you do cyber security, frankly. So I would argue in close with that we do need to think about these things.

I will close with two small points. One of them is that we hear everywhere all this talk about we need backdoors. We have seen the Prime Minister of Australia, the Commissioner of Justice for the European Union, the Minister of Home Affairs in the UK, the U.S. attorney general also argue for backdoors. I do not understand that issue, frankly. Why you would want to do that?

Or maybe because it comes from not understanding technology basically soon as you have a backdoor that becomes the Holy Grail, the Holy Grail for the people because it is one stop shopping. Why would you want to try to hack anyone if there is a hackable key, a backdoor somewhere and we need not think only in terms of smart people hacking a key. We know CIA and NSA have been hacked but you do not even need that. The worst cases of breaches have been insider threat. Scott Sagan just put out a whole collection of insider threats but think about what is one of the worse case than Snowden? No one breached NSA. He was an insider threat. Reality winner that bizarrely named woman who just gave out an NSA document on Russian attempts to hack voting machines. It is an insider job. Now I take not to criticize the United States, so to say. In the European Union, 500 million people, the commissioner for Justice says OK it gets a wish and the wish is to have a backdoor key. Now if I am Vladimir Putin or someone else, I would say OK I do not have to hack anything, I just need the key I can get into everything. And instead of its that of trying to get in there through digital electronics means, I would just find out who the key master is, say I give you two billion euros, eventually you find someone who is going to fall for that.

So let's stay away from backdoor keys. My point in this regard, I should say, that Estonia which the ITU has listed Estonia as the most secure, in terms of cyber security, country in Europe. Russia is the most secure in Eurasia, China is the most secure in Asia. The only difference is that the Freedom House has also rated Estonia as number one in the world in freedom online, which disputes the argument that you need to be repressive in order to have security in cyberspace.

Ultimately everything boils down to my mind to a brilliant essay (it was not that brilliant but the ideas in it were brilliant). It was written 58 years ago, in 1959, by C.P. Snow called "The Two Cultures" which I think was not nearly as relevant when it was published as it is today. C.P. Snow was a physical chemist and a literary novelist who gave the world the term the corridors of power in one of his novels. But he had this great little essay about being at the faculty dining club in his College in Cambridge sitting with the physical chemists, the physicists, the other chemists discussing presumably quantum mechanics and then he would get up after dinner and go drink with the poets and the essayists and the novelists and the Shakespeare scholars. I mean he was the only one who could move between the two tables. The poets and essayists had no clue about physics and the physicists and the chemists could not care less about literature. And he said this is a problem of the university. I would argue today it is a problem of society. Be back then technology did not impinge upon people's lives the way it does now.

Your phone did not tell anyone where you were, it was plugged into the wall. The most you had to do, your greatest, your television could not look at you so despite the sort of all well-being published already ten years earlier but you did not need to put a little thing in front of your computer to keep the computer from looking at you or listening to you. The most you interact with technology perhaps was to set the timing on your distributor cap which is something the most people under 40 do not even know what it is. So it was a different world today: technology impinges upon us everywhere. Yet people do not understand the problem of this. Technologists do not understand the ethical, legal, moral, philosophical basis of a liberal democracy in many cases and the people who are responsible for the legal system do not have a clue about IT.

On the one hand, right after the iPhone came out, with one of the early apps you could find out where you traveled. I downloaded the app and I got this map of where I had been all based on the S7 protocol that says the mobile phone has these big fat lines where I traveled a lot and thinner gray ones where I did not. I showed it to security detail and they said eliminate that immediately. I said:"What is the point?". I mean the data exists, so someone else can have it.

And then again 2014, in the fall, I went to the European Parliament. They have a five-year term. It was half a year after their most recent election I gave a talk about digital stuff, trying to tell them how important it is, that you actually know something about it. And as a kind of show and tell moment I pulled out my mobile phone and I said: "This thing here you all have one". Everyone had one of course.

Thank you so much.
Global Cybersecurity Day
A leader in cybersecurity

Recognizing Pres. Ilves for his contributions, Michael Dukakis, chairman of the Boston Global Forum and a former Massachusetts governor, stated, “We believe we are kindred spirits in our pursuit of a world in which we share in the concern for our fellow citizens worldwide. I also believe the Boston Global Forum and the Michael Dukakis Institute for Leadership and Innovation can play a vital role in helping you communicate your message and inspire others by participating with leading thinkers and scholars from Harvard and MIT who share your vision for a clean, safe and transparent Internet.”

During Pres. Ilves’s term in office, Estonia became a world leader in cybersecurity-related knowledge. The country now ranks the highest in Europe and the fifth in the world in cybersecurity, according to the 2017 cybersecurity index, compiled by the International Telecommunication Union. The country also hosts the headquarters of the NATO Cooperative Cyber Defense Centre of Excellence.

Also honored for contributing to the advancement of Artificial Intelligence and Cybersecurity was Prof. John Savage who was awarded Distinguished Global Educator for Computer Science and Security on the 50th Anniversary of Brown University’s Computer Science Department.

During his keynote address, Pres. Ilves pointed out that national defense was once based on distance and time, but today, “We are pushing the limits of physics in all things digital,” while laws and governmental policies have failed to keep up. He reminded the delegates that 145 million adults recently had all their financial information stolen without intervention by the US government.

“Today 4.2 billion people are online using computers that are 8.4 million times more powerful than when online communication started out 35 years ago with 3500 academics who were using BITNET, the 1981 precursor to the modern Internet.”

Protecting its citizens has always been the responsibility of the state and is part of our social contract. “We give up certain rights for protection, but we have been slow to get there in the digital world. When it comes to the cyber world, we are too focused on technology,” rather than policies that will enhance our safety on the Internet.

“Estonia’s technology is not that advanced but Estonia is way ahead of everyone else when it comes to the usage of digital technology. And this is a function of the laws” he added, “There is a huge difference between what we do and other countries – our focus was not on the gee whiz technology but on implementation of a system that relies on positive identity, which is the foundation of the country’s cybersecurity program.”
Global Cybersecurity Day
Toomas Hendrik Ilves - World leader in Cybersecurity

This is in sharp contrast to the US. Pres. Ilves joked that even though he lives at the Silicon Valley, the center of advanced technology where Facebook, Google and Tesla are within a one-mile radius, “When I went to register my daughter for school I had to bring an electric bill to prove I lived there. It struck me that everything I experienced was identical to the 1950s save for the photocopy.”

He continued, “When Estonia emerged out of the fall of the Soviet Union in 1991, we were operating with virtually no infrastructure, even the roads built during the Soviet era were for military purposes. By 1995 to 96 [however] all schools were online with computer labs so that all students could have access to computers even though they could not afford to buy them.”

By the late 1990s Estonia determined, “The fundamental problem with cyber security is not knowing who you are talking to. So we started off with a strong identity policy: everyone is living in Estonia has a unique chip-based identity card using two-factor authentication with end-to-end encryption.” This is more secure than using passwords which can be hacked.

“A state-guaranteed identity program seems to be the main stumbling block for security elsewhere. My argument is that a democratic society, responsible for the safety of the citizens, must make it mandatory to protect them.” Moreover, Estonia’s mandatory digital identity offers numerous benefits, for example, “We don’t use checks in Estonia.”

In terms of Artificial Intelligence issues, at a round-table discussion about The AI World Society Initiative, Pres. Ilves concerned about responsibility of the company in shredding them jobs or participating in creating new jobs. But it doesn’t mean that machine won’t be able to lead as well as humans are doing and people outside of research tend to be dismissed of machine replicating our own ability.

Scholars thought this is due to the fact that people think there’s something mysterious about intelligence so that it can only exist biological organism. Besides, from their point of view as scientists, information is simply information processing in no law of nature process and that we people can process information as well as machine. They also suggested we should have an optimism rooted in the belief that we have the potential to create amazing future with artificial technology if we really plan and work hard for it.
Global Cybersecurity Day
Up the Estonian coast, a five-lane highway bends with the path of the sea, then breaks inland, leaving cars to follow a thin road toward the houses at the water’s edge. There is a gated community here, but it is not the usual kind. The gate is low—a picket fence—as if to prevent the dunes from riding up into the street. The entrance is blocked by a railroad-crossing arm, not so much to keep out strangers as to make sure they come with intent. Beyond the gate, there is a schoolhouse, and a few homes line a narrow drive. From Tallinn, Estonia’s capital, you arrive dazed: trees trace the highway, and the cars go fast, as if to get in front of something that no one can see.

Within this gated community lives a man, his family, and one vision of the future. Taavi Kotka, who spent four years as Estonia’s chief information officer, is one of the leading public faces of a project known as e-Estonia: a coordinated governmental effort to transform the country from a state into a digital society.

E-Estonia is the most ambitious project in technological statecraft today, for it includes all members of the government, and alters citizens’ daily lives. The normal services that government is involved with—legislation, voting, education, justice, health care, banking, taxes, policing, and so on—have been digitally linked across one platform, wiring up the nation. A lawn outside Kotka’s large house was being trimmed by a small robot, wheeling itself forward and nibbling the grass.

“Everything here is robots,” Kotka said. “Robots here, robots there.” He sometimes felt that the lawnmower had a soul. “At parties, it gets close to people,” he explained.

A curious wind was sucking in a thick fog from the water, and Kotka led me inside. His study was cluttered, with a long table bearing a chessboard and a bowl of foil-wrapped wafer chocolates (a mark of hospitality at Estonian meetings). A four-masted model ship was perched near the window; in the corner was a pile of robot toys.

“We had to set a goal that resonates, large enough for the society to believe in,” Kotka went on.

He is tall with thin blond hair that, kept shaggy, almost conceals its recession. He has the liberated confidence, tinged with irony, of a cardplayer who has won a lot of hands and can afford to lose some chips.

It was during Kotka’s tenure that the e-Estonian goal reached its fruition. Today, citizens can vote from their laptops and challenge parking tickets from home. They do so through the “once only” policy, which dictates that no single piece of information should be entered twice. Instead of having to “prepare” a loan application, applicants have their data—income, debt, savings—pulled from elsewhere in the system. There’s nothing to fill out in doctors’ waiting rooms, because physicians can access their patients’ medical histories. Estonia’s system is keyed to a chip-I.D. card that reduces typically onerous, integrative processes—such as doing taxes—to quick work. “If a couple in love would like to marry, they still have to visit the government location and express their will,” Andrus Kaarelson, a director at the Estonian Information Systems Authority, says. But, apart from transfers of physical property, such as buying a house, all bureaucratic processes can be done online.

Estonia is a Baltic country of 1.3 million people and four million hectares, half of which is forest. Its government presents this digitization as a cost-saving efficiency and an equalizing force. Digitizing processes reportedly saves the state two per cent of its G.D.P. a year in salaries and expenses. Since that’s the same amount it pays to meet the nato threshold for protection (Estonia—which has a notably vexed relationship with Russia—has a comparatively small military), its former President Toomas Hendrik Ilves liked to joke that the country got its national security for free.

Other benefits have followed. “If everything is digital, and location-independent, you can run a borderless country,” Kotka said. In 2014, the government launched a digital “residency” program, which allows logged-in foreigners to partake of some Estonian services, such as banking, as if they were living in the country. Other measures encourage international startups to put down virtual roots; Estonia has the lowest business-tax rates in the European Union, and has become known for liberal regulations around tech research. It is legal to test Level 3 driverless cars (in which a human driver can take control) on all Estonian roads, and the country is planning ahead for Level 5 (cars that take off on their own). “We believe that innovation happens anyway,” Viljar Lubi, Estonia’s deputy secretary for economic development, says. “If we close ourselves off, the innovation happens somewhere else.”

“It makes it so that, if one country is not performing as well as another country, people are going to the one that is performing better—competitive governance is what I’m calling it,” Tim Draper, a venture capitalist at the Silicon Valley firm Draper Fisher Jurvetson and one of Estonia’s leading tech boosters, says. “We’re about to go into a very interesting time where a lot of governments can become virtual.”

Previously, Estonia’s best-known industry was logging, but Skype was built there using mostly local engineers, and countless other startups have sprung from its soil. “It’s not an offshore paradise, but you can capitalize a lot of money,” Thomas Padovani, a Frenchman who co-founded the digital-ad startup Adcash in Estonia, explains. “And the administration is light, all the way.” A light touch does not mean a restricted one, however, and the guiding influence of government is everywhere.

As an engineer, Kotka said, he found the challenge of helping to construct a digital nation too much to resist. “Imagine that it’s your task to build the Golden Gate Bridge,” he said excitedly. “You have to change the whole way of thinking about society.” So far, Estonia is past halfway there.

As an engineer, Kotka said, he found the challenge of helping to construct a digital nation too much to resist. “Imagine that it’s your task to build the Golden Gate Bridge,” he said excitedly. “You have to change the whole way of thinking about society.” So far, Estonia is past halfway there.

“This pin code just starts the whole decryption process,” Piperal explained. “I’ll start with my personal data from the population registry.” She gestured toward a box on the screen. “It has my document numbers, my phone number, my e-mail account. Then there’s real estate, the land registry.” Elsewhere, a box included all of her employment information; another contained her traffic records and her car insurance. She pointed at the tax box. “I have no tax debts; otherwise, that would be there. And I’m finishing a master’s at the Tallinn University of Technology, so here”—she pointed to the education box—“I have my student information. If I buy a ticket, the system can verify, automatically, that I’m a student.” She clicked into the education box, and a detailed view came up, listing her previous degrees.

“My cat is in the pet registry,” Piperal said proudly, pointing again. “We are done with the vaccines.”

Data aren’t centrally held, thus reducing the chance of Equifax-level breaches. Instead, the government’s data platform, X-Road, links individual servers through end-to-end encrypted pathways, letting information live locally. Your dentist’s practice holds its own data; so does your high school and your bank. When a user requests a piece of information, it is delivered like a boat crossing a canal via locks.

Although X-Road is a government platform, it has become, owing to its ubiquity, the network that many major private firms build on, too. Finland, Estonia’s neighbor to the north, recently began using X-Road, which means that certain data—for instance, prescriptions that you’re able to pick up at a local pharmacy—can be linked between the nations. It is easy to imagine a novel internationalism taking shape in this form. Toomas Ilves, Estonia’s former President and a longtime driver of its digitization efforts, is currently a distinguished visiting fellow at Stanford, and says he was shocked at how retrograde U.S. bureaucracy seems even in the heart of Silicon Valley. “It’s like the nineteen-fifties—I had to provide an electrical bill to prove I live here!” he exclaimed. “You can get an iPhone X, but, if you have to register your car, forget it.”

X-Road is appealing due to its rigorous filtering: Piperal’s teachers can enter her grades, but they can’t access her financial history, and even a file that’s accessible to medical specialists can be sealed off from other doctors if Piperal doesn’t want it seen.

“I’ll show you a digital health record,” she said, to explain. “A doctor from here”—a file from one clinic—“can see the research that this doctor”—she pointed to another—“does.” She’d locked a third record, from a female-medicine practice, so that no other doctor would be able to see it. A tenet of the Estonian system is that an individual owns all information recorded about him or her. Every time a doctor (or a border guard, a police officer, a banker, or a minister) glances at any of Piperal’s secure data online, that look is recorded and reported. Peeping at another person’s secure data for no reason is a criminal offense. “In Estonia, we don’t have Big Brother; we have Little Brother,” a local told me. “You can tell him what to do and maybe also beat him up.”

Business and land-registry information is considered public, so Piperal used the system to access the profile of an Estonian politician. “Let’s see his land registry,” she said, pulling up a list of properties. “You can see there are three land plots he has, and this one is located”—she clicked, and a satellite photograph of a sprawling beach house appeared—“on the sea.”

The openness is startling. Finding the business interests of the rich and powerful—a hefty field of journalism in the United States—takes a moment’s research, because every business connection or investment captured in any record in Estonia becomes searchable public information. (An online tool even lets citizens map webs of connection, follow-the-money ityle.) Traffic stops are illegal in the absence of a moving violation, because officers acquire records from a license-plate scan. Polling-place intimidation is a non-issue if people can vote—and then change their votes, up to the deadline—at home, online. And heat is taken off immigration because, in a borderless society, a resident need not even have visited Estonia in order to work and pay taxes under its dominion.

Soon after becoming the C.I.O., in 2013, Taavi Kotka was charged with an unlikely project: expanding Estonia’s population. The motive was predominantly economic. “Countries are like enterprises,” he said. “They want to increase the wealth of their own people.”

Tallinn, a harbor city with a population just over four hundred thousand, does not seem to be on a path toward outsized growth. Not far from the cobbled streets of the hilly Old Town is a business center, where boxy Soviet structures have been supplanted by stylish buildings of a Scandinavian cast. Otherwise, the capital seems pleasantly preserved in time. The coastal daylight is bright and thick, and, when a breeze comes off the Baltic, silver-birch leaves shimmer like chimes. “I came home to a great autumn / to a luminous landscape,” the Estonian poet Jaan Kaplinski wrote decades ago. This much has not changed.

Kotka, however, thought that it was possible to increase the population just by changing how you thought of what a population was. Consider music, he said. Twenty years ago, you bought a CD and played the album through. Now you listen track by track, on demand. “If countries are competing not only on physical talent moving to their country but also on how to get the best virtual talent connected to their country, it becomes a disruption like the one we have seen in the music industry,” he said. “And it’s basically a zero-cost project, because we already have this infrastructure for our own people.”

The program that resulted is called e-residency, and it permits citizens of another country to become residents of Estonia without ever visiting the place. An e-resident has no leg up at the customs desk, but the program allows individuals to tap into Estonia’s digital services from afar.

I applied for Estonian e-residency one recent morning at my apartment, and it took about ten minutes. The application cost a hundred euros, and the hardest part was finding a passport photograph to upload, for my card. After approval, I would pick up my credentials in person, like a passport, at the Estonian Consulate in New York.

This physical task proved to be the main stumbling block, Ott Vatter, the deputy director of e-residency, explained, because consulates were reluctant to expand their workload to include a new document. Mild xenophobia made some Estonians at home wary, too. “Inside Estonia, the mentality is kind of ‘What is the gain, and where is the money?’ ” he said. The physical factor still imposes limitations—only thirty-eight consulates have agreed to issue documents, and they are distributed unevenly. (Estonia has only one embassy in all of Africa.) But the office has made special accommodations for several popular locations. Since there’s no Estonian consulate in San Francisco, the New York consulate flies personnel to California every three months to batch-process Silicon Valley applicants.

“I had a deal that I did with Funderbeam, in Estonia,” Tim Draper, who became Estonia’s second e-resident, told me. “We decided to use a ‘smart contract’—the first ever in a venture deal!” Smart contracts are encoded on a digital ledger and, notably, don’t require an outside administrative authority. It was an appealing prospect, and Draper, with his market investor’s gaze, recognized a new market for élite tech brainpower and capital. “I thought, Wow! Governments are going to have to compete with each other for us,” he said.

So far, twenty-eight thousand people have applied for e-residency, mostly from neighboring countries: Finland and Russia. But Italy and Ukraine follow, and U.K. applications spiked during Brexit. (Many applicants are footloose entrepreneurs or solo venders who want to be based in the E.U.) Because eighty-eight per cent of applicants are men, the United Nations has begun seeking applications for female entrepreneurs in India.

“There are so many companies in the world for whom working across borders is a big hassle and a source of expense,” Siim Sikkut, Estonia’s current C.I.O., says. Today, in Estonia, the weekly e-residency application rate exceeds the birth rate. “We tried to make more babies, but it’s not that easy,” he explained.

With so many businesses abroad, Estonia’s startup-ism hardly leaves an urban trace. I went to visit one of the places it does show: a co-working space, Lift99, in a complex called the Telliskivi Creative City. The Creative City, a former industrial park, is draped with trees and framed by buildings whose peeling exteriors have turned the yellows of a worn-out sponge. There are murals, outdoor sculptures, and bills for coming shows; the space is shaped by communalism and by the spirit of creative unrule. One art work consists of stacked logs labelled with Tallinn startups: Insly, Leapin, Photry, and something called 3D Creationist.

The office manager, Elina Kaarneem, greeted me near the entrance. “Please remove your shoes,” she said. Lift99, which houses thirty-two companies and five freelancers, had industrial windows, with a two-floor open-plan workspace. Both levels also included smaller rooms named for techies who had done business with Estonia. There was a Zennström Room, after Niklas Zennström, the Swedish entrepreneur who co-founded Skype, in Tallinn. There was a Horowitz Room, for the venture capitalist Ben Horowitz, who has invested in Estonian tech. There was also a Tchaikovsky Room, because the composer had a summer house in Estonia and once said something nice about the place.

“This is not the usual co-working space, because we choose every human,” Ragnar Sass, who founded Lift99, exclaimed in the Hemingway Room. Hemingway, too, once said something about Estonia; a version of his pronouncement—“No well-run yacht basin is complete without at least two Estonians”—had been spray-stencilled on the wall, along with his face.

The room was extremely small, with two cushioned benches facing each other. Sass took one; I took the other. “Many times, a miracle can happen if you put talented people in one room,” he said as I tried to keep my knees inside my space. Not far from the Hemingway Room, Barack Obama’s face was also on a wall. Obama Rooms are booths for making cell-phone calls, following something he once said about Estonia. (“I should have called the Estonians when we were setting up our health-care Web site.”) That had been stencilled on the wall as well.

Some of the companies at Lift99 are local startups, but others are international firms seeking an Estonian foothold. In something called the Draper Room, for Tim Draper, I met an Estonian engineer, Margus Maantoa, who was launching the Tallinn branch of the German motion-control company Trinamic. Maantoa shares the room with other companies, and, to avoid disturbing them, we went to the Iceland Room. (Iceland was the first country to recognize Estonian independence.) The seats around the table in the Iceland Room were swings.

I took a swing, and Maantoa took another. He said, “I studied engineering and physics in Sweden, and then, seven years ago, I moved back to Estonia because so much is going on.” He asked whether I wanted to talk with his boss, Michael Randt, at the Trinamic headquarters, in Hamburg, and I said that I did, so he opened his laptop and set up a conference call on Skype. Randt was sitting at a table, peering down at us as if we were a mug of coffee. Tallinn had a great talent pool, he said: “Software companies are absorbing a lot of this labor, but, when it comes to hardware, there are only a few companies around.” He was an e-resident, so opening a Tallinn office was fast.

Maantoa took me upstairs, where he had a laboratory space that looked like a janitor’s closet. Between a water heater and two large air ducts, he had set up a desk with a 3-D printer and a robotic motion-control platform. I walked him back to Draper and looked up another startup, an Estonian company called Ööd, which makes one-room, two-hundred-square-foot huts that you can order prefab. The rooms have floor-to-ceiling windows of one-way glass, climate control, furniture, and lovely wood floors. They come in a truck and are dropped into the countryside.

“Sometimes you want something small, but you don’t want to be in a tent,” Kaspar Kägu, the head of Ööd sales, explained. “You want a shower in the morning and your coffee and a beautiful landscape. Fifty-two per cent of Estonia is covered by forestland, and we’re rather introverted people, so we want to be—uh, not near everybody else.” People of a more sociable disposition could scatter these box homes on their property, he explained, and rent them out on services like Airbnb.

“We like to go to nature—but comfortably,” Andreas Tiik, who founded Ööd with his carpenter brother, Jaak, told me. The company had queued preorders from people in Silicon Valley, who also liked the idea, and was tweaking the design for local markets. “We’re building a sauna in it,” Kägu said.

In the U.S., it is generally assumed that private industry leads innovation. Many ambitious techies I met in Tallinn, though, were leaving industry to go work for the state. “If someone had asked me, three years ago, if I could imagine myself working for the government, I would have said, ‘Fuck no,’ ” Ott Vatter, who had sold his own business, told me. “But I decided that I could go to the U.S. at any point, and work in an average job at a private company. This is so much bigger.”

The bigness is partly inherent in the government’s appetite for large problems. In Tallinn’s courtrooms, judges’ benches are fitted with two monitors, for consulting information during the proceedings, and case files are assembled according to the once-only principle. The police make reports directly into the system; forensic specialists at the scene or in the lab do likewise. Lawyers log on—as do judges, prison wardens, plaintiffs, and defendants, each through his or her portal. The Estonian courts used to be notoriously backlogged, but that is no longer the case.

“No one was able to say whether we should increase the number of courts or increase the number of judges,” Timo Mitt, a manager at Netgroup, which the government hired to build the architecture, told me. Digitizing both streamlined the process and helped identify points of delay. Instead of setting up prisoner transport to trial—fraught with security risks—Estonian courts can teleconference defendants into the courtroom from prison.

For doctors, a remote model has been of even greater use. One afternoon, I stopped at the North Estonia Medical Center, a hospital in the southwest of Tallinn, and met a doctor named Arkadi Popov in an alleyway where ambulances waited in line.

“Welcome to our world,” Popov, who leads emergency medical care, said grandly, gesturing with pride toward the chariots of the sick and maimed. “Intensive care!”

In a garage where unused ambulances were parked, he took an iPad Mini from the pocket of his white coat, and opened an “e-ambulance” app, which Estonian paramedics began using in 2015. “This system had some childhood diseases,” Popov said, tapping his screen. “But now I can say that it works well.”

E-ambulance is keyed onto X-Road, and allows paramedics to access patients’ medical records, meaning that the team that arrives for your chest pains will have access to your latest cardiology report and E.C.G. Since 2011, the hospital has also run a telemedicine system—doctoring at a distance—originally for three islands off its coast. There were few medical experts on the islands, so the E.M.S. accepted volunteer paramedics. “Some of them are hotel administrators, some of them are teachers,” Popov said. At a command center at the hospital in Tallinn, a doctor reads data remotely.

“On the screen, she or he can see all the data regarding the patient—physiological parameters, E.C.G.s,” he said. “Pulse, blood pressure, temperature. In case of C.P.R., our doctor can see how deep the compression of the chest is, and can give feedback.” The e-ambulance software also allows paramedics to pre-register a patient en route to the hospital, so that tests, treatments, and surgeries can be prepared for the patient’s arrival.

To see what that process looks like, I changed into scrubs and a hairnet and visited the hospital’s surgery ward. Rita Beljuskina, a nurse anesthetist, led me through a wide hallway lined with steel doors leading to the eighteen operating theatres. Screens above us showed eighteen columns, each marked out with twenty-four hours. Surgeons book their patients into the queue, Beljuskina explained, along with urgency levels and any machinery or personnel they might need. An on-call anesthesiologist schedules them in order to optimize the theatres and the equipment.

“Let me show you how,” Beljuskina said, and led me into a room filled with medical equipment and a computer in the corner. She logged on with her own I.D. If she were to glance at any patient’s data, she explained, the access would be tagged to her name, and she would get a call inquiring why it was necessary. The system also scans for drug interactions, so if your otolaryngologist prescribes something that clashes with the pills your cardiologist told you to take, the computer will put up a red flag.

The putative grandfather of Estonia’s digital platform is Tarvi Martens, an enigmatic systems architect who today oversees the country’s digital-voting program from a stone building in the center of Tallinn’s Old Town. I went to visit him one morning, and was shown into a stateroom with a long conference table and French windows that looked out on the trees. Martens was standing at one window, with his back to me, commander style. For a few moments, he stayed that way; then he whirled around and addressed a timid greeting to the buttons of my shirt.

Martens was wearing a red flannel button-down, baggy jeans, black socks, and the sort of sandals that are sold at drugstores. He had gray stubble, and his hair was stuck down on his forehead in a manner that was somehow both rumpled and flat. This was the busiest time of the year, he said, with the fall election looming. He appeared to run largely on caffeine and nicotine; when he put down a mug of hot coffee, his fingers shook.

For decades, he pointed out, digital technology has been one of Estonia’s first recourses for public ailments. A state project in 1970 used computerized data matching to help singles find soul mates, “for the good of the people’s economy.” In 1997, the government began looking into newer forms of digital documents as a supplement.

“They were talking about chip-equipped bar codes or something,” Martens told me, breaking into a nerdy snicker-giggle. “Totally ridiculous.” He had been doing work in cybernetics and security as a private-sector contractor, and had an idea. When the cards were released, in 2002, Martens became convinced that they should be both mandatory and cheap.

“Finland started two years earlier with an I.D. card, but it’s still a sad story,” he said. “Nobody uses it, because they put a hefty price tag on the card, and it’s a voluntary document. We sold it for ten euros at first, and what happened? Banks and application providers would say, ‘Why should I support this card? Nobody has it.’ It was a dead end.” In what may have been the seminal insight of twenty-first-century Estonia, Martens realized that whoever offered the most ubiquitous and secure platform would run the country’s digital future—and that it should be an elected leadership, not profit-seeking Big Tech. “The only thing was to push this card to the people, without them knowing what to do with it, and then say, ‘Now people have a card. Let’s start some applications,’ ” he said.

The first “killer application” for the I.D.-card-based system was the one that Martens still works on: i-voting, or casting a secure ballot from your computer. Before the first i-voting period, in 2005, only five thousand people had used their card for anything. More than nine thousand cast an i-vote in that election, however—only two per cent of voters, but proof that online voting was attracting users—and the numbers rose from there. As of 2014, a third of all votes have been cast online.

That year, seven Western researchers published a study of the i-voting system which concluded that it had “serious architectural limitations and procedural gaps.” Using an open-source edition of the voting software, the researchers approximated a version of the i-voting setup in their lab and found that it was possible to introduce malware. They were not convinced that the servers were entirely secure, either.

Martens insisted that the study was “ridiculous.” The researchers, he said, gathered data with “a lot of assumptions,” and misunderstood the safeguards in Estonia’s system. You needed both the passwords and the hardware (the chip in your I.D. card or, in the newer “mobile I.D.” system, the sim card in your phone) to log in, blocking most paths of sabotage. Estonian trust was its own safeguard, too, he told me. Earlier this fall, when a Czech research team found a vulnerability in the physical chips used in many I.D. cards, Siim Sikkut, the Estonian C.I.O., e-mailed me the finding. His office announced the vulnerability, and the cards were locked for a time. When Sikkut held a small press conference, reporters peppered him with questions: What did the government gain from disclosing the vulnerability? How disastrous was it?

Sikkut looked bemused. Many upgrades to phones and computers resolve vulnerabilities that have never even been publicly acknowledged, he said—and think how much data we entrust to those devices. (“There is no government that knows more about you than Google or Facebook,” Taavi Kotka says dryly.) In any case, the transparency seemed to yield a return; a poll conducted after the chip flaw was announced found that trust in the system had fallen by just three per cent.

From time to time, Russian military jets patrolling Estonia’s western border switch off their G.P.S. transponders and drift into the country’s airspace. What follows is as practiced as a pas de deux at the Bolshoi. nato troops on the ground scramble an escort. Estonia calls up the Russian Ambassador to complain; Russia cites an obscure error. The dance lets both parties show that they’re alert, and have not forgotten the history of place.

Since the eleventh century, Estonian land has been conquered by Russia five times. Yet the country has always been an awkward child of empire, partly owing to its proximity to other powers (and their airwaves) and partly because the Estonian language, which belongs to the same distinct Uralic family as Hungarian and Finnish, is incomprehensible to everyone else. Plus, the greatest threat, these days, may not be physical at all. In 2007, a Russian cyberattack on Estonia sent everything from the banks to the media into chaos. Estonians today see it as the defining event of their recent history.

The chief outgrowth of the attack is the nato Coöperative Cyber Defense Center of Excellence, a think tank and training facility. It’s on a military base that once housed the Soviet Army. You enter through a gatehouse with gray walls and a pane of mirrored one-way glass.

“Document, please!” the mirror boomed at me when I arrived one morning. I slid my passport through on a tray. The mirror was silent for two full minutes, and I backed into a plastic chair.

“You have to wait here!” the mirror boomed back.

Some minutes later, a friendly staffer appeared at the inner doorway and escorted me across a quadrangle trimmed with nato-member flags and birch trees just fading to gold. Inside a gray stone building, another mirror instructed me to stow my goods and to don a badge. Upstairs, the center’s director, Merle Maigre, formerly the national-security adviser to the Estonian President, said that the center’s goal was to guide other nato nations toward vigilance.

“This country is located—just where it is,” she said, when I asked about Russia. Since starting, in 2008, the center has done research on digital forensics, cyber-defense strategy, and similar topics. (It publishes the “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations” and organizes a yearly research conference.) But it is best known for its training simulations: an eight-hundred-person cyber “live-fire” exercise called Locked Shields was run this year alongside cybrid, an exercise for defense ministers of the E.U. “This included aspects such as fake news and social media,” Maigre said.

Not all of Estonia’s digital leadership in the region is as openly rehearsed. Its experts have consulted on Georgia’s efforts to set up its own digital registry. Estonia is also building data partnerships with Finland, and trying to export its methods elsewhere across the E.U. “The vision is that I will go to Greece, to a doctor, and be able to get everything,” Toomas Ilves explains. Sandra Roosna, a member of Estonia’s E-Governance Academy and the author of the book “eGovernance in Practice,” says, “I think we need to give the European Union two years to do cross-border transactions and to recognize each other digitally.” Even now, though, the Estonian platform has been adopted by nations as disparate as Moldova and Panama. “It’s very popular in countries that want—and not all do—transparency against corruption,” Ilves says.

Beyond X-Road, the backbone of Estonia’s digital security is a blockchain technology called K.S.I. A blockchain is like the digital version of a scarf knitted by your grandmother. She uses one ball of yarn, and the result is continuous. Each stitch depends on the one just before it. It’s impossible to remove part of the fabric, or to substitute a swatch, without leaving some trace: a few telling knots, or a change in the knit.

In a blockchain system, too, every line is contingent on what came before it. Any breach of the weave leaves a trace, and trying to cover your tracks leaves a trace, too. “Our No. 1 marketing pitch is Mr. Snowden,” Martin Ruubel, the president of Guardtime, the Estonian company that developed K.S.I., told me. (The company’s biggest customer group is now the U.S. military.) Popular anxiety tends to focus on data security—who can see my information?—but bits of personal information are rarely truly compromising. The larger threat is data integrity: whether what looks secure has been changed. (It doesn’t really matter who knows what your blood type is, but if someone switches it in a confidential record your next trip to the emergency room could be lethal.) The average time until discovery of a data breach is two hundred and five days, which is a huge problem if there’s no stable point of reference. “In the Estonian system, you don’t have paper originals,” Ruubel said. “The question is: Do I know about this problem, and how quickly can I react?”

The blockchain makes every footprint immediately noticeable, regardless of the source. (Ruubel says that there is no possibility of a back door.) To guard secrets, K.S.I. is also able to protect information without “seeing” the information itself. But, to deal with a full-scale cyberattack, other safeguards now exist. Earlier this year, the Estonian government created a server closet in Luxembourg, with a backup of its systems. A “data embassy” like this one is built on the same body of international law as a physical embassy, so that the servers and their data are Estonian “soil.” If Tallinn is compromised, whether digitally or physically, Estonia’s locus of control will shift to such mirror sites abroad.

“If Russia comes—not when—and if our systems shut down, we will have copies,” Piret Hirv, a ministerial adviser, told me. In the event of a sudden invasion, Estonia’s elected leaders might scatter as necessary. Then, from cars leaving the capital, from hotel rooms, from seat 3A at thirty thousand feet, they will open their laptops, log into Luxembourg, and—with digital signatures to execute orders and a suite of tamper-resistant services linking global citizens to their government—continue running their country, with no interruption, from the cloud.

The history of nationhood is a history of boundaries marked on land. When, in the fourteenth century, peace arrived after bloodshed among the peoples of Mexico’s eastern altiplano, the first task of the Tlaxcaltecs was to set the borders of their territory. In 1813, Ernst Moritz Arndt, a German nationalist poet before there was a Germany to be nationalistic about, embraced the idea of a “Vaterland” of shared history: “Which is the German’s fatherland? / So tell me now at last the land!— / As far’s the German’s accent rings / And hymns to God in heaven sings.”

Today, the old fatuities of the nation-state are showing signs of crisis. Formerly imperialist powers have withered into nationalism (as in Brexit) and separatism (Scotland, Catalonia). New powers, such as the Islamic State, have redefined nationhood by ideological acculturation. It is possible to imagine a future in which nationality is determined not so much by where you live as by what you log on to.

Estonia currently holds the presidency of the European Union Council—a bureaucratic role that mostly entails chairing meetings. (The presidency rotates every six months; in January, it will go to Bulgaria.) This meant that the autumn’s E.U. Digital Summit was held in Tallinn, a convergence of audience and expertise not lost on Estonia’s leaders. One September morning, a car pulled up in front of the Tallinn Creative Hub, a former power station, and Kersti Kaljulaid, the President of Estonia, stepped out. She is the country’s first female President, and its youngest. Tall and lanky, with chestnut hair in a pixie cut, she wore an asymmetrical dress of Estonian blue and machine gray. Kaljulaid took office last fall, after Estonia’s Presidential election yielded no majority winner; parliamentary representatives of all parties plucked her out of deep government as a consensus candidate whom they could all support. She had previously been an E.U. auditor.

“I am President to a digital society,” she declared in her address. The leaders of Europe were arrayed in folding chairs, with Angela Merkel, in front, slumped wearily in a red leather jacket. “Simple people suffer in the hands of heavy bureaucracies,” Kaljulaid told them. “We must go for inclusiveness, not high end. And we must go for reliability, not complex.”

Kaljulaid urged the leaders to consider a transient population. Theresa May had told her people, after Brexit, “If you believe you’re a citizen of the world, you’re a citizen of nowhere.” With May in the audience, Kaljulaid staked out the opposite view. “Our citizens will be global soon,” she said. “We have to fly like bees from flower to flower to gather those taxes from citizens working in the morning in France, in the evening in the U.K., living half a year in Estonia and then going to Australia.” Citizens had to remain connected, she said, as the French President, Emmanuel Macron, began nodding vigorously and whispering to an associate. When Kaljulaid finished, Merkel came up to the podium.

“You’re so much further than we are,” she said. Later, the E.U. member states announced an agreement to work toward digital government and, as the Estonian Prime Minister put it in a statement, “rethink our entire labor market.”

efore leaving Tallinn, I booked a meeting with Marten Kaevats, Estonia’s national digital adviser. We arranged to meet at a café near the water, but it was closed for a private event. Kaevats looked unperturbed. “Let’s go somewhere beautiful!” he said. He led me to an enormous terraced concrete platform blotched with graffiti and weeds.

We climbed a staircase to the second level, as if to a Mayan plateau. Kaevats, who is in his thirties, wore black basketball sneakers, navy trousers, a pin-striped jacket from a different suit, and a white shirt, untucked. The fancy dress was for the digital summit. “I have to introduce the President of Estonia,” he said merrily, crabbing a hand through his strawberry-blond hair, which stuck out in several directions. “I don’t know what to say!” He fished a box of Marlboro Reds out of his pocket and tented into himself, twitching a lighter.

It was a cloudless morning. Rounded bits of gravel in the concrete caught a glare. The structure was bare and weather-beaten, and we sat on a ledge above a drop facing the harbor. The Soviets built this “Linnahall,” originally as a multipurpose venue for sailing-related sports of the Moscow Summer Olympics. It has fallen into disrepair, but there are plans for renovation soon.

For the past year, Kaevats’s main pursuit has been self-driving cars. “It basically embeds all the difficult questions of the digital age: privacy, data, safety—everything,” he said. It’s also an idea accessible to the man and woman (literally) in the street, whose involvement in regulatory standards he wants to encourage. “What’s difficult is the ethical and emotional side,” he said. “It’s about values. What do we want? Where are the borders? Where are the red lines? These cannot be decisions made only by specialists.”

To support that future, he has plumbed the past. Estonian folklore includes a creature known as the kratt: an assembly of random objects that the Devil will bring to life for you, in exchange for a drop of blood offered at the conjunction of five roads. The Devil gives the kratt a soul, making it the slave of its creator.

“Each and every Estonian, even children, understands this character,” Kaevats said. His office now speaks of kratt instead of robots and algorithms, and has been using the word to define a new, important nuance in Estonian law. “Basically, a kratt is a robot with representative rights,” he explained. “The idea that an algorithm can buy and sell services on your behalf is a conceptual upgrade.” In the U.S., where we lack such a distinction, it’s a matter of dispute whether, for instance, Facebook is responsible for algorithmic sales to Russian forces of misinformation. #KrattLaw—Estonia’s digital shorthand for a new category of legal entity comprising A.I., algorithms, and robots—will make it possible to hold accountable whoever gave a drop of blood.

“In the U.S. recently, smart toasters and Teddy bears were used to attack Web sites,” Kaevats said. “Toasters should not be making attacks!” He squatted and emptied a pocket onto the ledge: cigarettes, lighter, a phone. “Wherever there’s a smart device, around it there are other smart devices,” he said, arranging the items on the concrete. “This smart street light”—he stood his lighter up—“asks the self-driving car”—he scooted his phone past it—“ ‘Are you O.K.? Is everything O.K. with you?’ ” The Marlboro box became a building whose appliances made checks of their own, scanning one another for physical and blockchain breaches. Such checks, device to device, have a distributed effect. To commandeer a self-driving car on a street, a saboteur would, in theory, also have to hack every street lamp and smart toaster that it passed. This “mesh network” of devices, Kaevats said, will roll out starting in 2018.

Is everything O.K. with you? It’s hard to hear about Estonians’ vision for the robots without thinking of the people they’re blood-sworn to serve. I stayed with Kaevats on the Linnahall for more than an hour. He lit several cigarettes, and talked excitedly of “building a digital society.” It struck me then how long it had been since anyone in America had spoken of society-building of any kind. It was as if, in the nineties, Estonia and the U.S. had approached a fork in the road to a digital future, and the U.S. had taken one path—personalization, anonymity, information privatization, and competitive efficiency—while Estonia had taken the other. Two decades on, these roads have led to distinct places, not just in digital culture but in public life as well.

Kaevats admitted that he didn’t start out as a techie for the state. He used to be a protester, advocating cycling rights. It had been dispiriting work. “I felt as if I was constantly beating my head against a big concrete wall,” he said. After eight years, he began to resent the person he’d become: angry, distrustful, and negative, with few victories to show.

“My friends and I made a conscious decision then to say ‘Yes’ and not ‘No’—to be proactive rather than destructive,” he explained. He started community organizing (“analog, not digital”) and went to school for architecture, with an eye to structural change through urban planning. “I did that for ten years,” Kaevats said. Then he found architecture, too, frustrating and slow. The more he learned of Estonia’s digital endeavors, the more excited he became. And so he did what seemed the only thing to do: he joined his old foe, the government of Estonia.

Kaevats told me it irked him that so many Westerners saw his country as a tech haven. He thought they were missing the point. “This enthusiasm and optimism around technology is like a value of its own,” he complained. “This gadgetry that I’ve been ranting about? This is not important.” He threw up his hands, scattering ash. “It’s about the mind-set. It’s about the culture. It’s about the human relations—what it enables us to do.”

Seagulls riding the surf breeze screeched. I asked Kaevats what he saw when he looked at the U.S. Two things, he said. First, a technical mess. Data architecture was too centralized. Citizens didn’t control their own data; it was sold, instead, by brokers. Basic security was lax. “For example, I can tell you my I.D. number—I don’t fucking care,” he said. “You have a Social Security number, which is, like, a big secret.” He laughed. “This does not work!” The U.S. had backward notions of protection, he said, and the result was a bigger problem: a systemic loss of community and trust. “Snowden things and whatnot have done a lot of damage. But they have also proved that these fears are justified.

Seagulls riding the surf breeze screeched. I asked Kaevats what he saw when he looked at the U.S. Two things, he said. First, a technical mess. Data architecture was too centralized. Citizens didn’t control their own data; it was sold, instead, by brokers. Basic security was lax. “For example, I can tell you my I.D. number—I don’t fucking care,” he said. “You have a Social Security number, which is, like, a big secret.” He laughed. “This does not work!” The U.S. had backward notions of protection, he said, and the result was a bigger problem: a systemic loss of community and trust. “Snowden things and whatnot have done a lot of damage. But they have also proved that these fears are justified.

We gazed out across the blinding sea. It was nearly midday, and the morning shadows were shrinking to islands at our feet. Kaevats studied his basketball sneakers for a moment, narrowed his eyes under his crown of spiky hair, and lifted his burning cigarette with a smile. “You need to constantly be who you are,” he said.

This article appears in the print edition of the December 18 & 25, 2017, issue, with the headline “The Digital Republic.”

Nathan Heller, The New Yorker
Full Article Here →
Global Cybersecurity Day
Decentralized Data Centers

“In Estonia, we could not have a centralized database for economic reasons. Every ministry has its own servers, but everything is connected to everything else including your identity.” Even if someone breaks into the system, the person “is stuck in one room and cannot get into the rest of the system.”

Known as X-Road, this decentralized system is the backbone of e-Estonia. Claim the developers, “It’s the invisible yet crucial environment that allows the nation’s various e-services databases, both in the public and private sector, to link up and operate in harmony. It allows databases to interact, making integrated e-services possible.”

The system is so well-integrated that Pres. Ilves claims it streamlines submitting paperwork for various needs to a point where it saves every Estonian 240 working hours a year by not having to fill out tedious forms. Nearby Finland has joined in implementing such a system along with Panama, Mexico, and Oman.

Pres. Ilves added that, Blockchain technology is used to store personal information to assure the integrity of the data. “I might not like it if someone sees my bank account or blood type, but if they do it is not as bad as changing my financial records or blood type – which cannot be done.”

Estonia further assures the safety of its data by having an extraterritorial server in Luxembourg where the information is duplicated outside its borders. As a result of its legal and political approach to security, “Estonia is the most cyber secure country in Europe, Estonia is also the most democratic.”
Global Cybersecurity Day
International Cyber

Joseph Nye, Harvard University Distinguished Service Professor, Emeritus and former Dean of the Harvard’s Kennedy School of Government explored ways nations can develop cybersecurity and cyber-attack norms, drawing parallels between cyber and nuclear technology norms, threats and international agreements. “It took two decades to develop norms for nuclear war. We’re now about two decades into cyber depending on how you count.”

Nye recalled that cybersecurity problems emerged in the mid-1990s when web browsers became widely available sparking the “huge benefits and huge vulnerabilities” of cyberspace about two decades ago.

He noted, that with establishing norms to harness the destructive power of nuclear technology, “The first efforts centered around UN treaties.” though “Russia defeated UN-centered efforts after the Cuban missile crisis.”

Nye told some 40 delegates at the World Cybersecurity Day event, that the beginning of real efforts to set norms around nuclear technology, came with test ban treaties, which were essentially focused on environmental concerns over detonating nuclear bombs in the atmosphere. That came in the 1960s. “It wasn’t until the 1970s that SALT (Strategic Arms Limitation Talks) produced something that began to set constraints.”

Turning to cybersecurity, global efforts to limit cyberattacks by states, “especially against critical infrastructure” began in 2015 in a report taken to the UN Group of 20 the world’s most powerful economies made up of 19 nations and the European Union. In 2017, however, they failed to reach consensus due largely to difficulties between the US and Russia. China backed off as well.
Global Cybersecurity Day
Setting Cyberspace Norms

Nye explained that “A norm is a collective expectation of a group of actors. It is not legally binding, and differs from international law. Norms can also be common practices that develop from collective expected behavior and rules of conduct.”

While large groups of nations have tended to achieve little in terms of establishing norms in cyberspace, bilateral agreements offer promise. “The US and China have very different views on Internet rules regarding [say] freedom of speech. For years the US corporations complained about cyber espionage being undertaken to steal American companies’ intellectual property and giving it to Chinese businesses,” Nye said, recalling that, at first there were denials but the issue became a top priority when the Edward Snowden affair let China off the hook. At that time China totally blocked IP theft.

The US further stated that it would sanction Chinese companies unless their government took a position against stolen IP. Then, with a US-China summit coming up 2015—the US made it clear that if the meeting was to succeed, intellectual property theft, had to stop because of its corrosive impact on fair trade. “Espionage is one thing, but corrupting the trade system is different than stealing other secrets.” What’s more, Internet espionage is, “quick, cheap and you don’t have to worry about your spy getting caught.”

Finally, when Xi Jinping and President Obama met in September of 2015, China agreed to no longer acquire intellectual property. “While some IP spying continue on the margins, there has been a discernable reduction since the meeting,” said Nye.

The benefit of bilateral agreements Nye emphasized is, “They don’t stay in a box but become the kernel of the broader game of establishing wider norms,” noting that while broad multi-nation global agreements may have failed, bilateral agreement between states with very different views have succeeded. “Progress may not be made by a large global agreement such as convening 40 states. Finding ways states can negotiate concrete decisions between themselves and broadening them to encompass more nations is a much more plausible approach.”
Global Cybersecurity Day
International Law for Cyberspace

Nazli Choucri, Professor of Political Science, MIT and Director, Global System for Sustainable Development noted that, while it is a long way from norms to international law, it is especially important to recognize the important contributions of the Tallinn [Estonia] Manual 2.0 on International Law Applicable to Cyber Operations for Cyberspace Operations, to current thinking about order in a world of disorder.

When reading the four-part Manual, it should come as no surprise that the state and the state system serves as anchor and entry point for the entire initiative.

  • Part I is on general international law and cyberspace, and begins with Chapter 1 on sovereignty.
  • Part II focuses on specialized regimes of international law and cyberspace.
  • Part III is on international peace and security and cyber activities.
  • Part IV is on the law of armed conflict.

Each Part is divided into Chapter (some of which are further divided into Sections), and each Chapter consists of specific Rules. It is at level of Rules that the substantive materials are framed as explicit directives – points of law.

This approach — presented in the best tradition of linear text – records the meaning of each Rule, Rule by Rule and its connections to other Rules. A document of nearly 600 pages, the Manual amounts to a daunting task for anyone who wishes to understand it in its entirety, or even in its parts. Further, the text-as-conduit may not do justice to what is clearly a major effort. It is difficult to track salient relationships, mutual dependencies, or reciprocal linkages among directives presented as Rules. For these reasons, researchers at MIT found ways of representing the content of the 600 pages of the Manual in several different visual representations that are derived from the text.

The purpose is to understand the architecture underlying the legal frame of the Tallinn Manual. One type of representation consists of network views of the Rules – all 154 of them in one visual form and in one page. And there are many more.

No longer are we dealing with rather dry text form of equally dry legal narrative. Rather we are looking at colorful networked representations of how the various Rules connect to each other – and to some extent why. This brief summary does little justice to process or product. At the same time, however, it points to new ways of understanding the value of 600 pages of text.
Global Cybersecurity Day
Cybersecurity and Executive Order

By definition text undermines attention to feedback, delays, interconnections, cascading effects, indirect impacts and the like – all embedded deep text. This is true for Tallinn Manual 2.0 as it is for responses to Presidential Executive Order (EXORD 2017).

The text-form may be necessary, but it is not sufficient. In fact, it may create barriers to understanding, obscure the full nature of directives, and generate less than optimal results – all of which prevent good results. If there is a summary to be made, it is this Table.

Other avenues to cyber defense

Prof. Derek Reveron of the Naval War College said, “Cybersecurity challenges the way we think about domestic and foreign boundaries. The military looks outward but with cyber threats boundaries have less meaning.”

He added that effectively combating cyber threats can be hampered by “tension between intelligence agencies and Cyber Command which is charged with responding. Cyber Command might be able to attack ISIS in cyberspace, but then the intelligence community will lose assets. Attacks also needs clearance from Congress,” thus delaying action.

“Cybersecurity measures also challenge our idea of what’s public and what’s private,” said Reveron noting that cyberspace is monitored and run by corporate entities that are global not national—companies are more important than governments” in defending cyberspace, he said.

Additionally, it is difficult to isolate malicious cyberattacks to determine their source and privacy and freedom come into play as well when deploying cyber defensive measures outside the US. “In China and Russia, for example, internet freedom is a threat to authoritarianism,” he observed, adding, “Google had to give up some of its values in China that it has in the US.”
Global Cybersecurity Day

Reveron underscored several practical cyber-defense rules of the road to consider:

  1. Characterize the threshold for action and understand the adversaries’ thresholds for reactions
  2. To avoid escalation, governments should maintain the monopoly on cyber-attacks not companies
  3. Critical infrastructure attacks will have a local impact, so if the power goes out in Cambridge, we need a connection between local and national responders
  4. Within a country there must be collaboration across all entities—banks, telecom, retailers and the like
  5. Practice comprehensive resilience to prepare municipalities and individual states for cyber attacks
  6. Enhance the cybersecurity of developing countries by making their systems more resilient and their citizens more digitally savvy

A recent paper on the subject Principles for a Cyber Defense Strategy by Derek S. Reveron, Jacquelyn Schneider, Michael Miner, John Savage, Allan Cytryn, and Tuan Anh Nguyen is available on the Boston Global Forum Website.

During the meeting, Tuan Nguyen introduced the launch of the Artificial Intelligence World Society, an offshoot of the Michael Dukakis Institute for Leadership and Innovation.

Global Cybersecurity Day was created to inspire the shared responsibility of the world’s citizens to protect the Internet’s safety and transparency. As part of this initiative, BGF and the Michael Dukakis Institute for Leadership and Innovation also call upon citizens of goodwill to follow BGF’s Ethics Code of Conduct for Cyber Peace and Security (ECCC).

Boston Global Forum, a think tank with ties to Harvard University faculty, includes scholars, business leaders and journalists. BGF is chaired by former Massachusetts Gov. Michael Dukakis, a national and international civic leader and BGF’s cofounder. As an offshoot of The Boston Global Forum, The Michael Dukakis Institute for Leadership and Innovation (MDI) was founded in 2015 with the mission of generating ideas, creating solutions, and deploying initiatives to solve global issues, especially focused on Cybersecurity and Artificial Intelligence.

See more here →
Global Cybersecurity Day
DECEMBER 12, 2015
Japan’s Prime Minister Shinzo Abe was named the World Leader in Cybersecurity for his “exemplary leadership and contributions in promoting cybersecurity in Japan and Asia” in the Global Cybersecurity Day event which was held on December 12 at Harvard Faculty Club.
Prime Minister Shinzo Abe
Germany’s Chancellor Angela Merkel was awarded the World Leader in Peace, Security and Development for her “exemplary leadership in promoting peace, security, and development not only in Germany but also in the EU and adjoining regions” in the Global Cybersecurity Day event which was held on December 12 at Harvard Faculty Club.
Chancellor Angela Merkel
DECEMBER 12, 2016
UN’s General Secretary Ban Ki-Moon was awarded the World Leader for Peace, Security and Development for his “leadership on a wide range of issues, from LGBT rights to conflicts in Africa, Asia, and the Middle East, contribution to progress on cyber security; leading the UN’s efforts to promote global citizenship education; pressing nations to deal with the threat of climate change”.
UN’s General Secretary Ban Ki-Moon
Global Cybersecurity Day
Cofounder and Chairman of the Boston Global Forum and the Michael Dukakis Institute, Elected Massachusetts longest-running Governor, Distinguished Professor J.D. at Harvard University.
Governor Michael Dukakis
Cofounder and Member of Board of Directors, Boston Global Forum. Bradlee Professor of Government and the Press at Harvard Kennedy School.
Thomas E. Patterson
Cofounder, CEO of the Boston Global Forum, and Director of the Michael Dukakis Institute, Founder and Former Editor-in-Chief of VietNamNet.
Nguyen Anh Tuan
Member of Boston Global Forum’s Board of Thinkers. University Distinguished Service Professor at Harvard University.
Joseph S. Nye Jr.
Board Member of the Michael Dukakis Institute; Professor of Political Science at MIT.
Nazli Chourci
Board Member of Michael Dukakis Institute, the An Wang Professor of Computer Science at Brown University.
John Savage
Board Member of Michael Dukakis Institute, Stanley Cobb Professor of Psychiatry at Harvard Medical School.
Dr. David A. Silbersweig
Institute Innovator, Michael Dukakis Institute, Professor of National Security Affairs at the U.S. Naval War College.
Dr. Derek Reveron
Turn your device to view content
Turn your device to view content
World Leaders in Cybersecurity Logo It is a pleasure to greet the Boston Global Forum. I thank Governor Michael Dukakis for his long-standing support of the United Nations and his engagement across the international agenda. I am grateful to the Boston Global Forum for honouring me with its World Leader for Peace, Security and Development Award, which I accept on behalf of the talented and dedicated staff of the United Nations.
World Leaders in Cybersecurity Logo I very much appreciate having been chosen to receive the World Leader in Cybersecurity Award. I consider it a great honor. It is greatly reassuring me that the members of the Boston Global Forum are promoting cybersecurity-related awareness raising activities and fostering discussions in various countries around the world.
World Leaders in Cybersecurity Logo It is a great honor to receive the award in recognition of my leadership and contributions to peace and security. The German government will continue to work for a European solution to the challenges of migration and thus contribute to peace and security in Europe and beyond.
World Leaders in Cybersecurity Logo World Leaders in Cybersecurity Logo