How do you use technology/policy to improve citizens’ lives? Tell us about your role or organisation.
From a citizens’ perspective, a holistic view of the digital ecosystem of services is paramount. Simply put, our societies do not care for any particular technical solution; instead they expect the convenience of technology enhancing their everyday lives. So successful development, by government or otherwise, is one that focuses on solving a problem or adding value, not one that centers on the bits and bytes.
I am a Next Generation Leader at the McCain Institute for International Leadership at the Arizona State University and the former Chief Research Officer at the Cyber Security Branch of the Estonian Information System Authority, where I designed, led and carried out analysis related to cybersecurity, including risk, threat and impact assessments.
Most recently, I have focused on cybersecurity of election technology. It’s a lively and dynamic sector that further exemplifies the way technology should be introduced to improve governance and citizens’ lives. First of all, election technology should not blindly replicate paper systems but rather focus on doing the job of allowing citizens to cast their vote in free, fair and open elections.
Secondly, any government e-service should be appropriate for the ecosystem it is surrounded by. Digitalisation of elections, for example, should mirror the overall level of digitalisation in that society. This way, electoral procedures rest on trust that already exists, and the citizens are served in the best way possible. This approach also explains the incredible diversity we see in election technology – ranging from almost completely decentralised paper-based systems in some countries to comprehensive election information systems in others. Estonia even i-votes, meaning our citizens can cast their ballot through any internet-connected computer. This is facilitated by a highly digital ecosystem that includes a government-backed secure digital identity.
What has been the most exciting thing that you worked on in 2018?
The EU Compendium on Cyber Security of Election Technology was the highlight of 2018 for me. Drafted under the Cooperation Group of the Network and Information Security Directive with Estonian and Czech co-leadership, it brought over 20 EU Member States together to share practical guidance, best practice, case studies and checklists for securing the technology and infrastructure underlying elections. The document has to a great degree informed and furnished the further discussions and recommendations.
The compendium covers the full election life cycle offering advice on introduction and development of technology (such as procurement models, testing, procedural controls and many more) as well as digital solutions specific to stages of elections ranging from candidate and voter registration to tallying votes and communicating the results. It is a practical approach, most of the contributors having been those tasked with hands-on defences of the systems underlying our elections. It brings together case studies and best practices from over 20 countries.
The process was both humbling and eye-opening, demonstrating the balance of perseverance and diplomacy, leadership and compromise. In the end, the result is the sum of all contributors. I’m so pleased to see many agencies already use it to design their procedures across the world.
If you were to share one piece of advice that you learned in 2018, what would it be?
2018 highlighted two lessons in leadership and technology. First of all, 2018 emphasised again that technology should not be viewed in isolation. For citizens and customers, it’s about living a highly electronic lifestyle.
In terms of cybersecurity threats, we were reminded of how integrated the picture is. The continued attacks on democratic institutions across the world highlighted yet again that the opportunistic adversary integrates cyber operations with other forms of asserting its influence, be it mis- or disinformation, lawfare or diplomatic hostility. An effective defender will similarly take a comprehensive risk approach and look at the holistic threat picture.
Secondly, in such a dynamic environment, most things are what you make of them. The sector is developing in a multitude of directions, so professional, dedicated and competent approach will get you far.
Come to think of it, the last is true of most things in life. While you might not control events, environment or circumstances, your reactions often determine what you walk away with.
What are your priorities for 2019? What tool or technique particularly interests you for 2019?
As of this fall, I’m participating in the Next Generation Leaders program at the McCain Institute for International Leadership at the Arizona State University. It is a rare mid-career opportunity to develop leadership and practical approaches that will propel my home environment forward.
I have dedicated this year of being a Next Generation Leader to working with government agencies and election management bodies, focusing on further operationalising cyber security of democratic processes.
I am working on developing practical tools for cybersecurity of elections, amongst them risk and cyber posture assessment methodologies, self assessment tools and vulnerability management. Being placed with CYR3CON, an artificial intelligence company focusing on cyber threat intelligence, that has developed hacker-centric approach to vulnerability prioritization, I have the unique opportunity to see how these tools, well-established in corporate cybersecurity, might work for these government systems.
What is one skill that has helped you the most throughout the course of your career?
Asking questions and then listening really carefully has been the basis of any job or role I have ever had – be it promoting technology in government or arguing for human rights as an activist.
Critical thinking, asking the tough questions and analysing the answers, is a universal skill for any career. I’m grateful for having been part of the global debate on education movement as a student and an educator. It focuses on structured argumentation, persuasion and logic as well as public speaking, preparing participants for any challenge in life.
What advancements do you predict will happen in your field in the next ten years?
We’ll continue to see the explosive growth of connected devices, be it for commercial or home use. However, it would be wrong to focus on any particular technologies, as by doing that we would already be narrowing our field of vision.
In the foreseeable future, it continues to be fundamental to maintain a security-by-design view of all and any technologies, connected devices included. Central to that is comprehensive and integrated risk management, taking a holistic threat picture.
Unlike many, I am not keen on standardisation, even certification, of emerging technologies. The diversity allows innovation and the cybersecurity sector is not mature enough for standardisation. Worst case scenario, certification while lacking maturity hinders growth of promising technologies and owners will need to choose between actual operational security and certification through a process that can be both slow and expensive.
Coffee, yoga, music… what powers you through your day?
I run on good constructive conversations. Cybersecurity attracts dynamic and unconventional minds and I’ve been fortunate to work alongside many. In this fast-paced environment, no single person has the answers, so a collaborative work process is fundamental.