Marina Kaljurand: E-Lifestyle and Cybersecurity: some views from Estonia

This op-ed is authored by GCSC Chair Marina Kaljurand and was originaly published in Emerging Europe.

Nobody questions any longer that the ICT (Cyber) revolution is now a permanent part of the landscape and that we should take advantage of it to make the world a better place for everybody. Cyber technology has come to stay, with all its benefits as well as challenges.

My country — Estonia — has had the luxury of experiencing the benefits of the e-lifestyle for more than twenty years.  We like it, we treasure it and we are committed to it.

Estonia has the world’s most advanced nationwide public key infrastructure – an electronic identity (e-ID) system. Today all residents have ID-cards, as it is required by the law. The ID-card is the primary means for establishing proof of identity for Estonian residents, both off- and online.

E-ID enables citizens to officially add online digital signatures. More than 250 million digital signatures have been used so far, which is about 40 million each year. It is estimated that digital signatures save annually five working days and costs worth up to two per cent of Estonia’s GDP.

Estonia was the first country in the world to introduce paperless government – e-Cabinet and online voting (i-voting). I-voting was first made available in 2005, and has gained popularity among voters since then. For example, if in 2005 only 1.9 per cent of votes were cast online, then in 2015 Parliamentary elections more than 30 per cent of votes were cast online. 

Despite the recent challenges to voting systems: attempts to interfere with elections and attempts to “hack democracy”, Estonia is committed to continue with i-voting. First – because the system is unique and security measures are taken very seriously, second – because we think that challenges should be met instead of surrendering and last but not least – because the Estonian people want and trust i-voting, the same way as they want and trust other digital services. Instead of going back to the “only-paper-pencil-booth-voting” we should think “How about modernising democracy so everyone can vote online.” Yes, the last idea is from Mark Zuckerberg’s commencement address to his Harvard Class of 2017.      

We know that e-lifestyle comes with e-vulnerability. All digital services are vulnerable, as are all smart devices and “offline” services. Some risks are common – such as the human factor; some risks are different – hacking versus corruption or falsifying election results. We also know that there are no 100 per cent secure services: neither online, nor offline. But there are possibilities, or even better — obligations — to face the challenges and to take the appropriate measures to minimise risks.   

In 2007, Estonia was the first country in the world to suffer politically motivated attacks against a sovereign nation. Those DDOS attacks did not destroy anything or hurt anybody, but they were disturbing to our e-lifestyle. We learned our lesson and that is the reason why cyber security is very high on the political agenda in Estonia. This starts with an all-nation-approach to cyber security that includes public-private-partnership, cooperation with academia, civil society and technical community and concluding with international cooperation: bilateral, regional and global.

Cyber security has become an important part of international security. Existing and emerging threats and challenges are being addressed at very different forums. Secure and stable cyber space is an objective that motivates states to cooperate with each other, but also with other actors: industry, civil society, academia and the technical community, even if we speak “different languages”. We have to learn to understand the language spoken by the technical community and the technical community has to help us to do that. We have to join our forces; we have to talk to each other and listen to each other, if we want cyber space to be open, secure, stable, accessible and peaceful for the benefit of all people.  

Estonia participates in different discussions and negotiations about digital services and cyber security, starting from the United Nations and concluding with the OSCE, EU and NATO. All of these organisations have their role to play; in raising awareness about cyber security, in dealing with capacity building, in developing confidence building measures, in promoting internet freedom and in introducing digital services etc. Within this context, I would like to underline the importance of the work of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE).

Estonia has had the opportunity to participate in four out of five GGEs. I personally had the honour to be the Estonian expert at the GGEs of 2014-2015 and 2016-2017. The Secretary-General of the UN mandated the 2016-2017 GGE “to continue studying, with a view to promoting common understanding, existing and potential threats in the sphere of information security and possible cooperative measures to address them, and how international law applies to the use of information and communication technologies by States, as well as norms, rules and principles of responsible behaviour of States, confidence building measures and capacity building with the purpose of strengthening the security of global information and telecommunications systems and contributing to the maintenance of international peace and security.”

I firmly believe that the UN has a unique position, as the only global organisation of its kind and, therefore, it has an obligation to lead international discussions and to introduce recommendations to its members — the States, also about cyber security. The international community, especially the States, needs guidance as well as clearly established rules and principles that contribute towards security and stability of cyber space. The GGE reports of 2013 and 2015 contributed greatly to that end, including in the fields of norms of responsible state behaviour and the applicability of international law.

Therefore, it was extremely disappointing that the 2016-2017 GGE failed. The GGE could not adopt a consensus report, and the GGE could not accomplish the task that was mandated to the GGE by the Secretary General of the UN and that some experts were not ready to confirm what was agreed in the reports of 2013 and 2015. It is sad and frustrating. Hopefully the gap that has been left by the failed GGE will be filled in by other forums and hopefully sooner rather than later.     

We are open to international endeavours and we are ready to introduce innovative approaches. Beginning in December 2014, Estonia became the first country in the world to introduce e-residency — a secure digital identity to non-residents. In this way, foreigners can use e-services from all over the world; mainly to run international businesses on-line and/or administer a company from abroad. Today, we can say that people from 138 countries have applied for e-Residency and the number of children born annually in Estonia and can be compared to the annual number of new e-Residents, which is about 15,000. Not bad for a country with population of 1.3 million.

In 2016, Estonia concluded a memorandum of understanding with Luxembourg on housing data and information systems — establishing the world’s first data embassy, in which the Estonian state will back up critical data and services outside its territory. The data embassy will enjoy all the same privileges and immunities that are granted to traditional embassies. The data, to be backed up in Luxembourg, will cover ten priority databases, including the information system of the treasury, the business and population registers, the identity documents’ database and the land registry etc. Estonia concluded internal legal procedures this summer and is looking forward to proceeding with the data embassy — a project which is another brick in the wall of cyber resilience.    

Starting from July 2017, Estonia will host the Presidency of the Council of the European Union. One of the priorities of the Estonian Presidency is “A digital Europe and free movement of data”. We believe that Europe must exploit the benefits of technological progress that is resulting in constant change for citizens, businesses and governments. To this end, the Presidency will focus on developing cross-border e-commerce and e-services; on ensuring modern and secure electronic communications are available across Europe and advancing cross-border digital public services. 

We understand that what we are doing today is not the end of the road but rather just another milestone on the path of technical revolution. We would like to walk that path together with those who agree that cyber continues to provide immense opportunities for social and economic development and who are committed to contributing to secure and stable cyber space.