EU shows "a complete lack of security thinking" says former Estonian president

Estonian ex-prez Ilves and Columbia Law prof deliver stark warning to cyberpros

The liberal democracies are in “more trouble than we realise” when it comes to relentless cyber-attacks from authoritarian regimes, the former president of Estonia told an audience of cybersecurity professionals in Helsinki this week.

Toomas Hendrik Ilves, who led the Baltic country when it suffered a crippling cyber-attack from Russia in 2007, told the audience at WithSecure’s Sphere event that historically, “the methods of war were always based on kinetic energy” but today, adversaries were able to inflict possible death and disruption using electrons.”

Moreover, it was hard to divine who enemy was, “or even if we were under attack”, he said. “In just 25 years we have entered a security nightmare” which went just hacking to existential threats.

National-level efforts to contain hostile state threats were “an unsustainable state of affairs,” he said.

The free world needs “to face the fact that digital domain has been hijacked and pulled into existential conflict”.

Yet, he said, interdepartmental rivalries and national siloes undermined the “west’s” efforts to fight back.

He said NATO and the EU don’t share information, for example. This was partly down to signals intelligence legacy in many cyber policies. This was essentially an espionage activity, which depended on holding information close.

Q&A: NATO's first CIO Manfred Boudreaux-Dehmer on priorities and progress

The Five Eyes network doesn’t share info with NATO Allies, he continued. While the EU had woken up and developed the Cyber Resiliency Act, its cyber agency ENISA is undermanned, “It simply lacks the weight of personnel to be able to respond to serious attacks.”

And, he continued, “There's, I think, even an even more fundamental problem with the European Union, which is there is a complete lack of security thinking.”

More broadly, the liberal democracies with shared values, – including the US and EU, as well other Five Eyes members, and South Korea, Switzerland, Israel are “competing with each other rather than with the adversaries.”

“So, we must begin to rethink digital security in the digital era.  The task that we face in the longer perspective, is moving beyond just defense and mitigation in cyber, to understand what is our fundamental conflict, which is the conflict between liberal democracy and authoritarian autocracy.”

And he added, “it’s not clear that we’re going to win”. Politicians didn’t see the big picture, he said, “So this is where you the cybersecurity experts should have a broader role to make clear to policymakers and politicians that the threats what the threats are, what needs to be protected.”

See also: EU reveals plans for Joint Cyber Unit, Rapid Reaction teams - very, very slowly

Ilves’ comments were echoed by Professor Anu Bradford of Columbia Law School at the same conference, who described the regulation arms race between the US, EU, and China, underpinning their respective “digital empires”.

“This is increasingly globally a consensus that technology needs rules,” she said. “But there is no consensus on what those rules are to apply.”

The US had embraced a market driven model to allow its companies to dominate world markets, she explained, while Europe followed a rights driven model.

China, by contrast, was “state driven”.  The Chinese government focused on becoming a technological superpower, while also “deploying technology as a tool for surveillance and censorship and propaganda, in an effort to entrench the political power of the Communist Party and ensure social stability.”

But China was also using its tech industry to establish “infrastructure power” worldwide, in the form of undersea cables, datacenters, smart cities and surveillance technologies.

This presented the US with a dilemma, Bradford said, as it sought to rein in over-mighty American companies. Meanwhile, the EU faces a problem matching its ambitious regulatory regime with sufficient enforcement.

“China has shown to the world that freedom is not necessary for innovation, they have created a thriving tech economy without being free,” Bradford said. And this presented a challenge for liberal democracy.

“It really depends on the choices that we face, as governments, as tech companies, as investors, as individual users of technology,” said Bradford, “[As to] Whether technology will exploit and control us or whether we are in charge of shaping and deploying that technology for the benefit of humanity.”