President of Estonia: Cyber allows enemies to ‘paralyze a country without attacking its defense forces’

"In cyberspace, no country is an island"

From Toomas Hendrik Ilves, International Herald Tribune:  Today, almost everything we do depends on a digitized system of one kind or another. Our critical infrastructure — our electrical, water or energy production systems and traffic management — essentially interacts with, and cannot be separated from, our critical information infrastructure — private Internet providers, lines of telecommunications and the Supervisory Control and Data Acquisition (Scada) systems that run everything from nuclear power plants to delivery of milk to our supermarkets.

Understanding that cybersecurity means defending the entirety of our societies, we need to re-examine many assumptions of security. In cyberwarfare, it is much harder to identify the attacker, and therefore to know how to retaliate.

In a modern digitalized world it is possible to paralyze a country without attacking its defense forces: The country can be ruined by simply bringing its Scada systems to a halt. To impoverish a country one can erase its banking records. The most sophisticated military technology can be rendered irrelevant. In cyberspace, no country is an island.

This requires rethinking some of our core philosophical notions of modern society: the relations between the public and private spheres, between privacy and identity.

At a time when the greatest threats to our privacy and the security of our data come from criminal hackers and foreign countries (often working together), we remain fixed on the idea that Big Brother, our own government, is the danger.

This may have been true in the past, when only national governments had the ability to monitor citizens. Today, as we know, a single hacker can access the most intimate details of your digital and nondigital life, your finances and your correspondence.

This is a clear case of market failure. A bank that builds identity theft and fraud into the cost of doing business is an example of market failure. A power company that treats a cyber-induced power outage as an act of God, no different from a tornado or earthquake, demonstrates market failure.

If the private sector is unwilling to take the necessary steps to guarantee the integrity of its online activities, the government must step in to fulfill its most fundamental task — to ensure the security of its citizens; that is, to provide them with a secure identity.

Identity lies at the core of security online. Virtually all breaches of computer security involve a fake identity, be it stealing a credit card number or accessing the internal documents of the European Commission. A three-digit security code on the back of a credit card does not provide you with a secure identity, nor does an ordinary computer password. The fundamental question is whether you can be sure the person you interact with online is who he claims he is. . . .

In Estonia, the government has become the guarantor of secure transactions online, while identity is authenticated by a body independent of the government. We use a two-factor identification system in which the ID is protected by both a chip and a password. A binary key or public key infrastructure guarantees securely encrypted transfer of information. Thus far, our system has proved secure. Even during the DDoS attacks of 2007, our digital government system remained online and intact. . . .

Cybersecurity is not just a matter of blocking bad things a cyberattack can do; it is protecting all the good things that cyberinsecurity can prevent us from doing. Genuine cybersecurity should not be seen as an additional cost, but as an enabler, guarding our entire digital way of life.

Toomas Hendrik Ilves is the president of Estonia. He is speaking Friday at the Forum for New Diplomacy hosted in Paris by the International Herald Tribune and the Académie Diplomatique Internationale.  (graphic: Daniel Haskett/IHT)
