H.E. Kersti Kaljulaid, President, The Republic of Estonia
Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Technology, US National Security Council
Paula J. Dobriansky, Vice Chair, Scowcroft Center for Strategy and Security, Atlantic Council
Kim Dozier, Global Affairs Analyst, CNN
PAULA J. DOBRIANSKY: Good morning. I’m Paula Dobriansky, vice chair of the Atlantic Council’s Scowcroft Center for Strategy and Security, and I’d like to welcome you to the Council’s latest Front Page, our premier live ideas platform for global leaders.
Today, we have the very distinct honor of hosting President of the Republic of Estonia Her Excellency Kersti Kaljulaid and Deputy National Security Adviser for Cyber and Emerging Technology the Honorable Anne Neuberger for a discussion about “Securing Digital Infrastructure in an Era of Strategic Competition with China.” President Kaljulaid, Ms. Neuberger, thank you so much for joining us this morning. Co-hosted by the Council’s Scowcroft Center and its Forward Defense practice area, the Digital Forensic Research Lab, the Europe Center and the GeoTech Center, today’s conversation will cover the cross-cutting issue of digital security in light of emerging geopolitical and technological developments.
Now, let me put today’s discussion in context. Novel technologies, brought about by the fourth industrial revolution, have welcomed transformative progress in key sectors, such as energy, transportation, and communication. Yet, when in the hands of our adversaries, they carry with them major security challenges. China has made massive global infrastructure investments through its Belt and Road Initiative, influencing global actors and unlocking sensitive data with potential vectors for coercion, disruption, and attack. Trusted connectivity offers a viable framework to counter Chinese tech and infrastructure investment. Connectivity represents the full range of digital and physical infrastructure, connecting the world. And trust is essential when dealing with these technologies that now bind the world together.
In an era defined by tech advancement, maintaining the technological advantage and building digital security are key to prevailing in competition with China. The G7 and leading democracies recognize this and are developing their collective and individual responses to the growing demand for digital and physical infrastructure. Just this month, G7 leaders launched the Build Back Better World Partnership, building upon the standards established by the Blue Dot Network to offer transparent infrastructure partnerships to developing countries that might otherwise fall prey to China.
The US Congress is also considering the US Innovation and Competition Act of 2021 to strengthen US leadership in critical technologies. And a key US ally and renowned leader in digital security, Estonia, is preparing to host the Tallinn Digital Summit this September to further advance the conversation on digitalization. Driven by strategic and technological competition with China, the United States and its transatlantic allies are finding the silver lining—new opportunities to collaborate across governments and corporations in forging a future of trusted connectivity.
We are truly fortunate to be joined today by two very esteemed digital leaders who require no introduction, but it’s necessary to do it because they are leaders in this space. Elected in 2016 as president of the Republic of Estonia, President Kaljulaid is the youngest president and first female head of state of Estonia since the nation declared independence. A champion of the digital revolution, President Kaljulaid leads one of the world’s most advanced digital governments. Among many tech achievements, she executed Estonia’s e-identity program, or e-dentity program, the first country-wide platform allowing citizens to pay taxes and vote online.
Joining President Kaljulaid for this discussion will be the honorable Anne Neuberger. Ms. Neuberger currently serves as deputy assistant to the president and deputy national security advisor for cyber and emerging technologies on the National Security Council. Previously she served in a number of capacities with the National Security Agency, receiving the Presidential Rank Award for her impressive service. Among other roles, she served as NSA’s director of cybersecurity and as the nation’s first chief risk officer and led NSA’s election security effort.
Moderating this conversation will be Kim Dozier, CNN global affairs analyst and Time magazine contributor. Prior to her current role she worked for seventeen years as an award-winning CBS News TV correspondent.
Now, before I turn it over to Kim Dozier for this timely discussion, and vibrant discussion, I would like to remind everyone that this event is public and on the record. And we encourage our audience on Zoom to direct any questions to President Kaljulaid and to the honorable Ms. Neuberger using the Q&A tab, which you can find at the bottom of your screen. Now, be sure to identify yourself and your affiliation in your questions, and we will be collecting them through the event. And Kim Dozier will pose some to our guests at the end of the conversation.
We will also encourage our online audience to join the conversation on Twitter by following @ACScowcroft, @DFRLlab, @ACEurope, @GeoTech, and also using the hashtag at #ForwardDefense. Thank you all for joining the Atlantic Council for what I know will be absolutely a captivating conversation.
Kim Dozier, without further ado, over to you, and I’d like to welcome all of you here this morning. Thank you.
KIM DOZIER: Thank you, Ambassador Dobriansky, and thank you to the Atlantic Council for sponsoring this discussion of trusted connectivity, which, as I understand it, takes the ideas of traditional military and intelligence alliances and applies them to digital communication and even transport, how we get from A to B and how we get our energy supplies.
President Kaljulaid, could you tell us what some of the building blocks of this are?
PRESIDENT KERSTI KALJULAID: Well, let’s make it very simple. Imagine that the GPS, which is not a natural resource, even if many of us nowadays think it is, it’s technology, and it is controlled by democratic forces. Hence, we can trust it to be available and build our systems which use it, and would be totally useless, both practically and investment wise, if GPS were not there or if somebody started to blackmail us in order to, I mean, control our use of GPS.
This is exactly the same thing. If we want in twenty-first century to connect ourselves via digital channels, roads, railways, grids, all this has a technological component, which we used to call digital. Nowadays, I think we should actually just refer to connectivity or connections. There is no difference.
And if these connections have to rely on technology which belongs to or is controlled by somebody whose objectives are unclear to us and who has not demonstrated or even declared that they share the values which we do, then we cannot really be sure that the service is continued whenever we need it.
Wherever there is a dispute, we might risk to see the situation that some of our infrastructure simply malfunctions. This is maybe taking it quite far. But I mean simple issues like using our data to do something which we don’t want to be done—just, for example, create bubbles to, I mean, disrupt our democracies.
All this is possible if you control the technology. And that’s why smart connectivity should use technology which we can trust, which can explain itself to us, and which is created and maintained in an independent way where no political control is exercised over it. And the best space for that for a democratic world could be the Three Seas Initiative, which is all about connectivity, and we want to make it really smart. That’s why Tallinn Digital Summit this year will concentrate on smart connectivity, trust-based connectivity.
KIM DOZIER: So the Three Seas Initiative, what are some of the things that it’s trying to build? And for an audience who hasn’t followed developments in the Baltic, what does it mean in practice?
PRESIDENT KERSTI KALJULAID: Three Seas Initiative is a private-public partnership where governments of the European Union nations who were formerly behind the Iron Curtain who have huge infrastructure investment gap are trying to, by offering a common economic space, which is given to us because we all are members of the European Union, by promising that politically we will facilitate the cross-border projects and by using private money to develop infrastructure in these countries.
This is, in a nutshell, the Three Seas Initiative. And for this Three Seas Initiative resources, we are right now trying to fulfill the Three Seas Investment Fund, which is run privately by Amber Capital Management, where also governments of the Three Seas Initiative have put resources in.
But they have said this fund has an objective, infrastructure projects, and that’s it. We take our hands off. There is no political decision-making. There has to be a return on investment, but there has to be the development aspect, and this will be decided by the fund management. This is the Three Seas Initiative, which for many years now actually has been one of the strongest growing economic cooperation projects between the US and Europe.
KIM DOZIER: So to launch from the Three Seas Initiative, does it mean laying down new internet lines? Ms. Neuberger, how does it—how does it apply to trusted connectivity in the States? What are some of the parallels? I mean, what do you fix first? What needs to be fixed?
ANNE NEUBERGER: Absolutely. So, first, thank you to the Atlantic Council for hosting this event. And I wanted to begin by offering my congratulations to President Kaljulaid for her recent announcement as the Global Advocate for Every Woman and Child—the first ever, I believe. That’s a very exciting announcement, and our warmest congratulations. And we look forward to the work you will do in that new role.
PRESIDENT KERSTI KALJULAID: Thank you.
ANNE NEUBERGER: So Kim, to your question, you know, as President Kaljulaid outlined, there are several aspects of the Three Seas Initiative that are at the root of digital-infrastructure initiatives and I would say, very similarly, at the root of the recent announcements of B3W, Build Back Better World, that was announced at the G7, President Biden and other G7 leaders announced.
And those aspects are, first, a recognition of the significant need to build out infrastructure, first among the Build Back Better World, specifically among low- and middle-income countries, and a recognition that bringing countries together to invest in that infrastructure is needed.
A second aspect, as the president outlined, is the public-private partnership aspect, the fact that bringing in both government and private-sector investment in order to achieve those common goals.
The final aspect is how do we build digital trust? And as you noted, when we’re building digital trust, we approach it in a layered way. I’ll take it out of the digital aspect to the physical world for a moment. It’s sometimes easier to think about this in a world that we all know and are familiar with.
So when we commute to work each day and we pick up our groceries, we merge onto a highway. That’s a shared physical highway. It’s a shared space. And yet, when we do so, we have confidence in the safety of that highway because of the fact that there are standards and transparency on those standards. So there are standards for how a highway is built so that we have confidence it won’t collapse.
There are standards for how individual drivers get a driver’s license so we know that they can be trusted not to merely cross lanes and hit the car next to them. And our own cars include airbags and safety belts that are required for everybody driving on that highway. Not only that; if indeed there’s an accident, we have confidence, in whatever country we’re driving—in the United States, for example—that there’s a national traffic-safety board that will review the accident and learn to improve on safety in the future.
So when we bring that physical world into the digital infrastructure and digital-connectivity world, we take those same concepts of interoperability, transparency about rules, standard rules that are pretty common. So while I’m a driver in the United States, if I have the pleasure and the privilege of driving in Estonia, the rules are pretty similar. So there’s confidence that if I come with a US license, an Estonian government official knows what that conveys. And that’s what we seek to build in the digital space, that same set of layered rules, within each country and then across countries, since our global infrastructure is completely interoperable and interconnected.
KIM DOZIER: So as I’m understanding this, part of Trusted Connectivity is laying down agreed rules of the road by which everyone operates. Is there also a physical component to it? What is the first thing that that fund, for instance, would seek to build in the physical world?
PRESIDENT KERSTI KALJULAID: Yes, of course. I mean, the Three Seas Initiative fund builds all kind of connections. They can be electricity lines. They can be different pipelines. They can be roads. They can be railways. But nowadays none of these runs without a digital component. Obviously, all the signaling systems have to be there. And the only difference nowadays, compared to the example—you brought this—that we had a hundred years to evolve with our traffic code for today’s level of technology of highways and cars on it.
Now the technology is moving much, much faster. So actually we cannot legislate for each and every generation of technology. We should rather keep our eye on next generations of technology and simply define the principles. And the principles are exactly this. We need to trust because we have standards which we can trust. And this is accompanying each and every connection. And there is no difference what is being transported—trains, cars, gas, electricity. It doesn’t matter. It’s all the same thing. It has to be something which we know what is deep inside.
That is the political component, but that is also technological component. Technology nowadays is so complicated that it has to be able to explain itself to us. How exactly we define this as a standard; we know there are some differences of opinion between even Europe and America. But this doesn’t matter. We will figure it out. And then we all set up to the singularity, if we wish, to the artificial intelligence.
KIM DOZIER: And on the specific digital side, does it also mean somehow securing the physical lines through which those signals travel? Or is that – can that be done in cyberspace?
ANNE NEUBERGER: It does require—as we look at technology, to truly have confidence in that technology, as President Kaljulaid talked about, it is both digital standards as well as the alignment with broader values—alignment with how data, for example, is brought together; how privacy protections, how civil liberty protections are put in place when that data is aggregated.
So traditionally we look at that as, first, confidence in our telecommunications providers. There’s been a lot of discussion, for example, about 5G and the need to have trusted 5G providers. One reason for that is that 5G reflects the next generation of the internet. It will enable—and it’s important that we talk about the positive aspects of technology. I will note as a—as a quick aside on that the work Estonia has done in terms of inclusivity in allowing individuals to vote online and pay their taxes online. So an individual who—you know, an older person who may have difficulty getting out, somebody who may be homebound due to sickness, due to disability, can now be included and gain the benefits of their government services in a way that perhaps may not have been possible before. So it’s important to talk about the positive aspects of that technology and how much we want to bring that to our nations’ citizens.
In line with that—to answer your question, Kim—as we think about digital technology, we start with that communications layer. 5G, who are the trusted providers? What are the standards they agree to with regard to data, which kind of governments have access to data? How is data aggregated to give specific information related to an individual? How do we ensure that there are privacy protections related to those individuals? So each of those are layered.
And then we see a set above that, which is how do individual users communicate? And do they have the ability to communicate securely with confidence in the security of those communications?
Certainly, advancements in technology—whether movements to the cloud, whether artificial intelligence—that allows us to gain unique and powerful insights by bringing large amounts of data together require us to think quickly and thoughtfully about how we bring those values-based approaches to these new technology interfaces.
KIM DOZIER: Well, I’m hearing from both of you what sounds like a campaign that would challenge China’s Belt and Road Initiative, that would—it has echoes of President Biden’s sweeping infrastructure plan for the United States. It would also push back against Russia’s attempts to spread disinformation, not do enough to fight ransomware, and impose internet controls on its own country.
But you are asking a lot of countries coming out of a pandemic with struggling economies—this sounds like major investment. And from some of the discussions from the G7 and even NATO, it’s as if not everyone has agreed on who the enemy is. Germany has pushed back publicly about China being a potential spoiler. Even Britain had arguments within its own national security community about whether or not to trust Huawei with 5G. Now, it took them a couple of years and they’ve gotten to the point where they’re even pulling out old Huawei equipment, but that was a big debate. So how do you convince people who don’t have much money in the bank to spend this kind of money when they’re not as afraid of some of the enemies that the US or Estonia are?
PRESIDENT KERSTI KALJULAID: But they are. I mean, if you look, for example, in Germany or in France, their people are far more worried about how their personal data is treated. Indeed, they are worried mostly when they think of the government services because you cannot avoid using the government services. And that’s why Europe has decided that through the eIDAS project all European citizens will have a trusted digital ID which has to be up to the level of eIDAS, which means that it’s standardized, safe identity. This is where trust starts for individuals: I know with whom I’m acting and transacting online. In Europe, we all have the right to a trusted digital ID. This is a huge, massive step for us to build this trust.
Now, our next step is, indeed, the technology which we use in the grids and networks, and there has been a period where everybody has been discussing how to move forward. Can we simply set up a technical verification body which will verify technology, which will be independent from where this technology is created or made, to understand whether we can trust it? Maybe we are not yet there. Maybe one day we might do it. But today, the element of who has made this technology and who may have control of this technology and backdoors has to come into the game.
And that’s why many countries, including Estonia, we had very similar [inaudible] to UK. By 2025 our grids must only have trusted technology in them. Otherwise, we do not trust that we can move ahead with 5G. With these adjustments, actually, the 5G grid development in Estonia is stalled. We are even looking now on a possibility to build and operate a neutral single 5G network. Being a small country and not densely populated, this might be a good way to save costs, because you brought out the worry of citizens about cost.
And then there is the third element which is not cost-related at all. And this is the legal space. It has to be permissive to technology but at the same time also clear how we deal with those who perpetrate the security. And one way Estonia has been contributing is through United Nations Security Council membership. We have brought the cyber issues to Security Council table to normalize this same thing. What they cannot do to states in analog space you cannot do to states in digital space. And we don’t need a separate model, separate system. We have Security Council where we can report, if necessary attribute, and then take necessary action against perpetrators.
What we haven’t got is the issue if they are nonstate actors but sponsored, for example, by the state. Thinking of these ransomware attacks. On the other hand, what these attacks have demonstrated to us is that all this is null and void unless we have some level of cyber hygiene. But cyber hygiene, again, starts with digital identity. We’ve had it for twenty years. No Estonian trusts somebody simply on Google or Facebook who says they are called Pete or John. I mean, we know we can communicate with them, but we cannot trust them because we have trusted connection as well. If we want to trust, then we sign in, the other side signs in, and trusted we are—encrypted we are.
KIM DOZIER: But I see what you’re saying, that it—you didn’t sell this massive investment to people through you got to watch out what China and Russia might do to you. It was instead through something that they wanted, a protection of their privacy, and they understood that. And that was an avenue to explain the need for these trusted connections. But you also mentioned cyber attribution. And I—you know, I read the NATO communiqué. There was also language in the G7 talking about cybersecurity and an update to the policy. But what does that mean in practice? Because if thirty NATO members can’t decide on a unified policy if Russian troops invade Ukraine, how could they decide on some sort of retribution in the cyber world when attribution is so difficult?
ANNE NEUBERGER: So thank you for noting, Kim, the really excellent advancements that were made on cyber issues both at the recent NATO summit as well as at the G7. Where NATO, for example, updated cyber—its cyber policy for the first time in seven years and at the G7 there was a strong joint statement specifically around cybersecurity and specifically related to ransomware. One interesting distinction between the example you note about NATO’s role with regard to Russian threats and cyber is that every NATO country—and in fact, I would say probably every country around the world—has been the victim and experienced cyberattacks. And each country has seen the disruptive nature, for example, of ransomware—whether targeted against German and French hospitals, the Irish health-care system, US pipelines.
Globally around the world those attacks have created both a sense of urgency and a sense of shared collective threat that is very helpful to making rapid advancements. So I’ll build on President Kaljulaid’s example of ransomware because it’s a really good one. First, I’ll note the recent—that once again the United Nations, the governmental group of experts, reaffirmed a set of norms for responsible state behavior in cyberspace, which was important. These are voluntary norms. And of course, norms are future-looking, looking to the future, and setting—but they set out a set of expectations about how countries will behave in that common, shared, interoperable space that is cyberspace.
Building on that, though, when we look ransomware as largely nonstate actors, but in some cases given safe harbor by countries and as such needing to be addressed, the G7 statements around ransomware talked about what each country seeks to do within their own country: building resilience; what we can do learning from each other’s efforts to build resilience; what we can do, for example, in the United States. We’ve had a decades-long effort on building virtual currency regulation to allow us to have the benefits of virtual currency but also manage the illicit use. That’s an example of where, within our own ransomware strategy, we seek to do capacity-building to help other countries build that same virtual currency regulation so that we can gain the benefits and manage the risks.
And then we can agree on a set of principles to say no country should harbor actors who disrupt critical infrastructure in other countries, who disrupt the critical services that our citizens rely on. And as such, the G7 announced building that international coalition to hold countries accountable who allow ransomware attacks from within their country and share those efforts to build capacity on resilience, on cryptocurrency, and on common policies of how we disrupt the ransomware ecosystem.
KIM DOZIER: But in terms of the carrot and the stick with Russia and China, have any of your moves, Madam President, at the Security Council—have you seen activity—malign activity stop because of something that’s come out of the Security Council that you’ve reported? I mean, I’m looking for what are—what are the teeth. And President Biden just met with President Putin, and it’s probably too early for the working group that came out of that to produce results yet, but will—if Moscow gets the respect that it has been seeking, is that the carrot that will help them to agree to follow these rules? So—
PRESIDENT KERSTI KALJULAID: Well, it has been long a problem, especially for smaller nations. I mean why attribute if you have nowhere to go and complain at the international level? Now Security Council is the place where you can go and complain. Last year in March, Estonia, UK, US raised under any other business a cyberattack against Georgia, attributed it to Russia. This was first-ever. Now, I mean, as we know, international law is case law. We have continued. We’ve had now official discussion about cyber issues in the Security Council.
And again, to give you an analogue in the analog world, that is the question of Tigray. It’s a very painful issue right now. The solution has to come from the parties and from the region. But the transparency—what has happened, who has been killed, and all these issues—merits a discussion at the Security Council for which, for example, we have also been pushing. That’s the role of the Security Council in this.
Now, countries all can do their own work as well. Estonia already a couple of years ago declared its intentions on how we behave in cyberspace. Now, of course, probably in the light of this G7 discussion, we need to update because it didn’t cover all the elements which were—which were discussed. But this way, again, the international legal space is created and gradually made more safe for the users, and I’m quite sure that we will also develop mechanisms by which to sanction those who are not behaving according to the expectations which will be worded in international law.
KIM DOZIER: So just having the transparency of having it aired, having a number of countries agree this is what happened, this is who did it, and having that laid down helps tell the malign actors “stop”?
PRESIDENT KERSTI KALJULAID: Yeah, I would—I would very much like, you know, that the Security Council as soon as, let’s say, whether it’s Ukraine and Georgia and Tigray issues we are monitoring in the Security Council, all sides would agree that we need peace agreement, we need to stop killing people, miracle. This is not true in analog world. Similarly, it will not be true in the cyber world. But transparency is what we are seeking here. And also, this informs nations and countries, I mean, with which countries they can work together. But we need clear rules.
For example if I see a malign act coming towards me from one country, this country may be supporting this or this country may simply be, let’s say, failed state in the digital sphere, unable to do something about it. We need to have different approaches to how we react in these cases. And this we don’t yet have, but we have to create it. And by national declarations you can gradually, I mean, develop this kind of understanding.
Some of us who are bigger, of course, want to create some strategic ambiguity in these declarations. Some of us can be more open. And that’s precisely exactly how we in Security Council, small countries are the guardians of formal agreements and international law. Bigger ones can sometimes risk to think out of the box and to resolve and break through the Gordian knots, which small ones normally don’t do; exactly the same in the cyber sphere.
KIM DOZIER: I see.
So Ms. Neuberger, has anything that NATO or G7 passed, or is UN Security Council resolutions, have they cut through gray-zone activity? Or is reaching out to, for instance, Moscow and Beijing, is there a diplomatic way to get them to comply?
ANNE NEUBERGER: So I think, as President Kaljulaid outlined, there is a set of four areas that, when built together and integrated and then learned from, will allow us to make rapid progress in the space, notwithstanding the challenges, as we learned from the analog space.
One of those is outlining expectations for responsible safe behavior in cyberspace. And we’ve seen the—I noted the UN governmental group of experts that recently revalidated that set of norms so that we get to a common understanding of what is and isn’t responsible in cyberspace.
A good example there, which fits to my second one, is CERT to CERT. CERTs, computer emergency response teams, are the teams each country has that investigates a specific incident. And the teams—experts, essentially—communicate, share information, because as a shared internet, an attack may come from one country via a second, third and fourth country to a fifth country. And as such, CERTs can come together and build a common understanding of what actually occurred.
So, as an example, so I noted one norm is that CERTs will work together after an attack or to answer any questions. So that would be that second piece, building the capacity to have resilience and to build the network defense teams working closely together on that.
The third piece is what we saw President Biden and President Putin’s conversation, where President Biden clearly communicated our willingness to work with Russia to build stability and predictability in the relationship but also an expectation the United States will defend our citizens and our economies online. And we made clear our expectations and that we also have an obligation to protect the critical services that our countries rely on.
And then, finally, going back to the beginning of our conversation, is the trusted digital infrastructure, the more we can build infrastructure secure. What we’re grappling with today is that we have our lives, our economies and our critical services built essentially leveraging an internet which wasn’t built for the level of connectivity and reliance we have today.
So, for example, when we’re building a 5G network, when we announce a Three Seas Initiative or B3W, Build Back Better World Initiative, we have the opportunity to build this next generation secure from the bottom up with principles that allow us to make them far more defensible.
So those four elements together, I believe, allow us to make good progress towards the goal you set of a more safe, secure, transparent online environment.
KIM DOZIER: Well, inside the US, both the SolarWinds attack and the Colonial ransomware attack, they seem to have exploited the space between what the FBI and NSA are allowed to look at. Is there anything that the Biden administration is working on to close that gap without infringing on privacy?
ANNE NEUBERGER: You raise such a thoughtful issue. In the United States we want both security and privacy. We’re a proud democracy. We want our citizens to feel confident that their civil liberties and privacy are protected online. And we also want our citizens to feel that if a crime is occurring online, the government—a crime or a national-security issue—the government has the visibility to protect it.
In the United States, as a democracy, there is very limited domestic monitoring of networks. And that’s why both public-private partnerships and thinking about—the Biden administration, as we build our cybersecurity strategy, one key element of it is purpose-built information-sharing with the private sector, to say there are companies who are our core digital connectivity, our cloud providers, our internet service providers, the cybersecurity companies, the companies who built our network hardware and software.
We need to ensure that there’s purpose-built, focused information-sharing between government knowledge of threats, the companies’ visibility of threats, so that we can enable and ensure that our citizens can have confidence that they’re protected from threats online and also have confidence in their private and civil liberties online. So that’s one key element of the administration’s approach.
I would note just a second key element of President Biden’s approach, which is modernizing our defenses and having the federal government lead by example. You may have seen in the first months of the administration the president signed out an executive order which essentially set the entire federal government on a tight timeline to roll out five key security initiatives to say: We believe these initiatives will dramatically reduce risk and we’ll lead by example by funding them and rolling them out rapidly. So that’s another key way that government can demonstrate its commitment to cybersecurity is by leading by example and showing the expectations of the private sector, particularly of critical infrastructure that have the services our economies rely on.
KIM DOZIER: And what date should we mark on our calendar to check in on the progress of the rolling out of those initiatives?
ANNE NEUBERGER: So I’ll note that the first few do outs, which were forty-five and sixty days post the May sign-out, have been achieved. One, for example, was the Department of Commerce signing out of standards for critical software. One key element of the executive order was noting that the US government will only buy software—critical software that meets those standards. Those timelines were met. And the remaining ones are at sixty, ninety, and 180 days.
KIM DOZIER: Thank you.
At this point, I want to ask—I want to remind the digital audience that you can send in questions. And I’m going to start taking some that have come in already.
Here’s one from Clementine Starling from the Atlantic Council: How do we make large-scale cross-border infrastructure investments needed in US and Europe attractive to the private sector?
PRESIDENT KERSTI KALJULAID: Well, Three Seas Initiative does that. Governments have decided that the investments should go to the infrastructure projects. They have to be cross-border, preferably, and they have to be trust based. The rest, all the vetting of the projects, is done without any political involvement. So return on investment has to be there. And in Three Seas countries, of course, this is very easy to achieve because they are the most dynamic part of the European Union. We outgrow the rest of Europe regularly and long-term. So this can be done.
I believe very much in involving private sector and helping governments to, I mean, gain some kind of assurance from these practices to make sure that what they are doing really also makes economic sense. I strongly believe in this, despite the fact that everybody says that we can print money and it doesn’t cost anything, and so on, so on. We need private-sector cost control. We’ve seen it so many times in our own country, but as soon as something goes astray cost-wise it didn’t have enough private element. Estonian public sector very much relies on private sector. Our digital systems are basically—I mean, yes, there is the government procurement, but they are built—all the most sensitive elements, including digital ID, are privately created. There are many, so there is some security.
And we’ve had all this debate, which I now heard you were having here, about ten, fifteen years ago. And we found nothing better than to cooperate with private sector, make sure that we are all on the one page. For example, when Europe went to regulate the security of the digital services, we felt that all other governments were regulating those others—meaning private sector. We were regulating ourselves as well, because it’s intertwined. And that’s the only way forward. You have to trust those in the private sector who still remember that money has a time value.
KIM DOZIER: So, Ms. Neuberger, one of the complaints I hear from private sector is classification issues mean we don’t hear government’s needs until way down the road. And privacy issues mean we fear sharing some of our data with government. So how do you cut some of those ties—or, take out some of those roadblocks?
ANNE NEUBERGER: I think it begins, Kim, with starting with what is the end goal? What are we seeking to accomplish? And if we say what we’re seeking to accomplish is citizens’ trust in digital infrastructure, then we can say let’s understand which are the threats that are of interest. And where there is unique, timely, and actionable information that government has or that the private sector has, we create the people and the forums to do that. Trust is built not only in infrastructure but by humans. And by bringing together individuals who work in the public and private sector across key critical infrastructure sectors, and setting those common goals, and setting a common understanding of—for a given sector, where are the core choke points? Where is the resilience?
And thinking about them, I would say in both the physical and cyber matter, in an interrelated way. We learn this giving a—it’s always nice to take it out of the theoretical to the practical. We learn this very much during the government response to the Colonial Pipeline attack, where we said: There was certainly a cyber aspect of it. And we learned a great deal about the need to have standards for the security between, for example, the part of a company’s network that connects to the internet and a part of a company’s network that runs their operations. Their business continuity relies on that.
But we also learned that from a broader economy perspective we needed to understand, how does gas move through an economy? Where are the pipelines? What are the backups? How many pipelines serve a given region of the country? We moved as an economy to just-in-time manufacturing and just-in-time supply. That leaves us far less room for a one-, two-, or even three-day disruption. So I think it taught us that as we do our tabletop exercises of how the government and the private sector works together in cyber, we need to ensure we link those in the physical and cyber realm, in the analog and digital realm, so that we’re building genuine resilience and, through that, trust between our private and our government sectors.
KIM DOZIER: Thank you.
A question from Jörn Fleck in Washington, D.C. to the president: You have spoken to standards development in smart and secure connectivity. But we have a Three Seas summit coming up on July 8th where tangible first measures—so what tangible first measures can the Three Seas leaders take at the summit to drive this forward? And, to Ms. Neuberger, what can the US and EU do together on this to set transatlantic and global gold standards?
PRESIDENT KERSTI KALJULAID: Already last in Tallinn, Three Seas summit, the trust-based connectivity and smart connectivity was declared as one of our objectives. And definitely we will forward this kind of thinking. The digital summit in Tallinn in the autumn will definitely deal with deeper technical issues. This is not for presidential fora. This is for this digital summit which will actually draw from all this work which is going on under various names, starting from the Blue Dot going on to the Building Back Better World, our own trust-based connectivity. This is where we will try to—well, start to create some kind of technical thinking around the legal space there. Because, I mean, this is for the political layer to decide how we want to move forward with standardization.
So in the summer at the presidential fora none of us is expert. I’m listening here to those people who really have deep knowledge. Frankly speaking, yes, I come from a totally digitally transformed state, but I’m a consumer. Even being a consumer in such an economy helps me to understand and inform myself. But this is deeply technical issue to create standards and to continue pushing towards it. We have involved the OECD into Tallinn Digital Summit to make sure that we also have this wider picture, not only concentrating in Three Seas. But we are offering ourselves as a test bed for that kind of investment.
KIM DOZIER: So you’re working on rules of the road first before physical infrastructure.
PRESIDENT KERSTI KALJULAID: Yeah, absolutely. We are working—I mean, physical infrastructure is not physical nowadays. I mean, you cannot send the train out from one station and receive it at the other end without any digital elements. I mean, we have to forget this difference between analog or digital. It doesn’t exist anymore. And this is the view we take. And if you think of the future, where cars talk to cars, roads talk to cars, bicycles talk to scooters—I mean, we have a few of these kind of crossroads in Tallinn already where these kind of cyber systems are in place. So I can imagine how the future will look like.
But at the same time, we are very far from, for example, even applying similar rules to all delivery robots, I mean, globally. There are delivery robots who walk on the streets of the Tallinn. And we already have, like, they have to behave in a similar way. It cannot be that one thinks it’s a pedestrian and crosses in front of the cars and the other thinks that cars need to pass by, it doesn’t have priority over the cars and waits at the roadside. Imagine! I mean, such a simple thing.
Our traffic code says that, I mean, cars have priority over the robots. Robots stop on the roadside, wait for the cars to pass by. But you know, because they’re cute, cars tend to stop. And then you have a total, I mean, clog-up—[laughter]—because, I mean, the car is waiting for the robot to go, the robot’s waiting for the car to go. We had to do a public campaign to inform citizens. Imagine! This is only with one type of robots on the streets. And now you have the whole world, and it will operate this way. This is how far we are, and we still have this one single example.
But that’s why I’m speaking about Estonia and Three Seas region as a test bed. We do all these things. You can have a bus on the road which is remotely controlled in Estonia, for example. So test bed is necessary, but even test beds have to be very safe. And this brings out these interesting, well, which—things which you may laugh about, but if you are in that car you’re probably not laughing. [Laughs.]
KIM DOZIER: Yeah, no.
So, Ms. Neuberger, when you talk about, and to the person who asked the question, this idea of, you know, what can the US do to set standards in the US and Europe, let’s keep going with the robots, does it go down to private sector? When you are designing robots, you must tell them to do this, this, and this, in terms of obeying traffic laws, that they have—they must yield to cars?
ANNE NEUBERGER: First, I must say I love that example and I’m smiling at the picture it must have created. [Laughter.] That’s quite—that’s quite a wonderful example to cite, both of where we are on the path and where we need to be. So thank you for that.
So you may have seen the recent announcement of the US-EU Digital Council, I believe it was called, which laid out a set of lines of effort for digital efforts between the US and the EU across a number of areas. Standards bodies are, indeed, the foundational place where we’re building not only the security standards but the values approach that we will enable in this digital infrastructure.
How will data be protected? What confidence do we have in those protections? Will it allow for secure ways to share data, for secure identities that can then be tied to data? So those are, really, ground zero for trusted digital infrastructure in that way.
And I think, certainly, to the—to the specific question that you asked, the standards approaches cross the systems, very importantly, the data, how you bring data together to have the benefits of it, as well as, as the president cited, the rules, so that there’s a common understanding of rules, certainly, not only which one goes first, but also what data can be brought together, how data, for example—we’ve certainly seen examples like that in the United States, ensuring that data allows for inclusivity and diversity of—in some cases there may be—you know, artificial intelligence systems build and learn from the data that there is. If certain populations or certain problem sets are not represented in that data, the results may not be fully inclusive, transparent, or fair.
So it is both the security standards as well as the value standards that are implicit in the way we build those standards, and the United States is absolutely committed to working within global standards bodies and to working with the US private sector to ensure that we place a priority on that, working with our close allies and partners like Estonia and the EU.
KIM DOZIER: Now, here’s a question on, you know, you can set standards but it doesn’t mean the public will want to follow them, in that Mark Massa asks: Democratic publics have been skeptical that technologies developed in autocracies, such as Huawei or TikTok, actually pose a threat to themselves, their privacy, their livelihoods. What work needs to be done on public communications to explain the risks of creeping digital authoritarianism? Like, how can you convince them that TikTok is bad?
PRESIDENT KERSTI KALJULAID: I mean, first, you have to provide a safe alternative, and this is what we, from Estonia, have been preaching globally for twenty years now and Europe, at least, has heard us. That’s why every citizen will have a digital ID, because every Estonian notices that if you use your digital ID, for example, to buy solar panels and sign the contract and then pay through safe banking link, not credit card, you do not get advertisements of any kinds about solar panels. But if you do it with your credit card over public internet, you do get it.
So you must provide—everybody must provide a safe alternative. It’s deeply wrong to bash private companies and say that you allow nicknames, you allow anonymity, and so on. I mean, legal documents, which digital ID is, they are the prerogative of a government. We have to give our citizens the safe tools.
So if we want this understanding of cyber hygiene to develop, first, people must have the tools to be really hygienic in the internet space. As long as you do not have a digital ID which encrypts the communication between both sides and also guarantees that everybody is who they have told they are, I mean, you cannot really demand this on the citizens.
So, first, do your own job and then you can demand something from the citizens.
KIM DOZIER: Of course, Ms. Neuberger, you’ve got the situation of, you know, the Biden administration may put out, you know, good internet hygiene guidance but, politically, there’s a large part of the country that won’t listen to those because they’re not in the Biden tribe. So how do you—how do you find some trusted neutral actor that they would believe?
ANNE NEUBERGER: It begins with making it in their interest, as President Kaljulaid just outlined. And the rising number and awareness of fraud online, I think, for example, helps people better understand the potential value of a digital identity and how that protects their own data, similarly to your question about TikTok. What was so concerning about TikTok was the aggregation of data about individuals, about society, and the potential for both using that information to target individuals based on whether they were dissident, based on whether they have—they have controversial views on a given topic that is found of concern. So what we start with is sharing the goal, which is keeping our citizens safe online, keeping our economies and the protection of civil services—civic services, and then outlining to our citizens here’s the tools that we think you need, and we strongly encourage you for your own protection to do that.
But I love the point President Kaljulaid made, which was: It’s our job as government to provide the tools and to make it easy to do. We all know the old principle in security is if it’s too hard people won’t do it. So the connectivity across built-in security standards in the products that they’re using so they don’t have to decide how to turn on encryption, they don’t have to decide how to turn on their secure ID—it’s the default—is a big part of how we can make it less of a decision and more of a default expectation. As much as for me when I commute onto and join a highway, I’m not wondering if the person in the car next to me has a license; I know they do. And that’s where we need to be.
PRESIDENT KERSTI KALJULAID: And this is doable. This has happened in Estonia. I mean, we use the digital ID, which is physical token or digital token plus token codes. And everybody without thinking, I mean, which kind of service I’m using assumes that I can enter whichever service space online with this tool. It would be totally unimaginable that somebody also in the private sector would gain any market share if they tried not to use our digital ID because this is simply the default option for the people. You sign in into your work computer, you sign in into your online bank, you sign in into the tax board and it’s always the same. And this starts to facilitate safety because, I mean, it doesn’t vary, and it has government guarantee, and it also has government guarantee that the government develops it technologically. If it becomes unsafe, I mean, we revamp it so that it’s safe again.
ANNE NEUBERGER: What I would note is what’s particularly interesting about Estonia as an example is there have long been privacy concerns regarding issues like a digital ID, and those are issues we have to carefully consider in building a US approach. So learning from countries that have approached these issues and said how have we ensured our citizens’ privacy and security can help across the West, countries where we share values. We can approach these security and privacy decisions and policy approaches thoughtfully, building on the experiences of countries like Estonia who share our values.
KIM DOZIER: Well, in the roughly five minutes we have left, I’d like to recenter the conversation with a question from Barry Pavel, who goes back to the title of this event, “Trusted Connectivity.” He says it sounds like an ambitious new concept, and we heard you say in the Tallinn Summit in—that the Tallinn Summit in September is a key milestone in providing it. So what other specific steps are needed for advancing this new, important effort? And what’s the toughest challenge to get it done?
PRESIDENT KERSTI KALJULAID: The toughest challenge is psychological. When we were living on paper, we were very comfortable in regulating only the objective and letting all kind of entities to decide how they achieve this objective. To make it very simple, we told our doctors patients’ files have to be kept secret, not to be shared with anybody, and you had to have them in the safe place. You may audit the hospitals sometimes to verify they are doing it, but each and everybody decided how they do it.
Now, in a—in a world where, I mean, technology changes every day, and where it is totally impossible, for some reason we are not satisfied with describing the objective, which would be something like this: this is how we gather data, this is how we use the data, this is how we dispose of the data. I mean, and that should be the end of story for the regulation. Instead, we are trying to regulate pathways to safety.
And really, this is the biggest challenge which I’m still seeing. I mean, we have to come off from this objective to regulate the pathway because in the previous analog world you didn’t say the doctor has to keep my file in the green room in the red safe and so on and so on. For some reason now in the digital world, because it’s difficult to understand, we are seeking transparency by being overly normative. We have to really change that. If we can achieve this, I think it might be—I mean, really the most valuable, even if it’s intangible outcome—many people have asked me what was the tangible outcome of the Tallinn Digital Summit of the European Union of 2017, during our Council presidency? And my answer is that was the point where European leaders realized it’s not an option, it’s an obligation, because our people simply are acting and transacting already online. We have to give them safe tools for everybody.
During German Council presidency, this was finally achieved technically. But I mean, we created recognition in 2017, yes, it’s intangible, but you know intangibles are very important in this collective thinking. And we have to be thinking, all democratic nations collectively, to create this trust-based connectivity.
KIM DOZIER: Thank you.
And Ms. Neuberger, if I can leave the last word to you.
ANNE NEUBERGER: Absolutely. No, so beautifully put.
We’re coming out at the end, one hopes, of the pandemic. And COVID taught us a great deal on both the power of digital technology and of the risks. On the power side, it enabled so many of us to continue our lives remotely. It enabled us to maintain global connections. So technology really enabled a great deal when the pandemic forced us to rapidly change the way that we operated. And yet it highlighted the risks. We’ve seen a significant rise in cyberattacks, even targeting critical services like hospitals, which we would have expected would have been safe zones, particularly in a pandemic.
So I think, building on those lessons from COVID, we now have in multiple countries economic investment—the economic investments that President Biden announced in the United States, the economic investments that were announced at the G7 on the Build Back Better World kind of addressed needs in low- and middle-income countries, the Three Seas Initiative that President Kaljulaid outlined.
So we have the opportunity to bake in, in those investments, the digital standards to build secure our values-based approaches for how data is brought together, to truly build that next generation of investments we’re now already committed to make, to leverage those lessons and to learn that, much as COVID taught us the things that were sacrosanct and we thought would never change – we never thought that large numbers of people could probably work somewhat productively, and very productively, from home.
Let’s take the psychological lessons the pandemic taught us, combine them with the investments we’re making, and that we know many of the technology and security approaches, to build back together so our successors are having a different conversation than we had today regarding how one builds trust in digital infrastructure and they can take for granted that they’re operating on trusted digital infrastructure.
KIM DOZIER: And in the meantime, as people log off this Zoom event today, should they update their computers, use VPN, and wait for this to come? Anything else?
ANNE NEUBERGER: They should make sure their systems are patched. They should ensure that they have an endpoint detection running. And they should always look at, in the United States CISA.gov always has practical advice on things to do.
And certainly [inaudible] the president would like to add something as well.
PRESIDENT KERSTI KALJULAID: They should demand the elected officials to provide them with a digital identity which is safe and secure to use as well.
KIM DOZIER: Fantastic. Thank you very much. Madam President, Ms. Neuberger, thank you so much.
And thank you to everyone for watching this event at the Atlantic Council.