Lessons from Estonia’s cyber ambassador

By Yun Xuan Poon

Interview with Heli Tiirmaa-Klaar, Ambassador-at-Large for Cyber Security, Ministry of Foreign Affairs, Estonia.

“You cannot have an arms control regime in cyberspace,” says Heli Tiirmaa-Klaar, Estonia’s Ambassador-at-Large for Cyber Security. How then can nations safeguard their digital territories?

When Tiirmaa-Klaar became Estonia’s first cyber ambassador in 2018, one of her priorities was to support global efforts to promote cyber norms, according to Estonia's Ministry of Foreign Affairs. This has become even more important in the wake of Covid-19: as our activities move online, so must our defense.

She shares the key issues global cyber leaders must wrestle with, and how we can work towards a safer, more regulated cyberspace for all.

How to train cyber diplomats

There is a global shortage of three million cyber experts, and Tiirmaa-Klaar’s office feels this gap acutely. “I think the biggest challenge for all the cyber ambassadors would be to find a trained workforce to fill the roles in our teams,” she says.

Cyber diplomats don’t need to be technical experts. “Like with the nuclear years, the diplomats negotiating nuclear non-proliferation treaties were not physicists,” she points out.

But they do need to understand how tech affects society. There isn’t yet a “core academic basis” for cyber diplomacy training, as social science schools don’t typically teach diplomats how tech functions or how it changes the way people see the world, she says.

Estonia wants to change that. It conducted its first cyber diplomacy training in 2019, reported CyberScoop. Diplomats from EU and NATO learned from previous international negotiations on cybersecurity issues, tech developments behind the latest cyber threats, and international norms and laws in cyberspace. Estonia plans to make these trainings “globally accessible”, shares Tiirmaa-Klaar.

Build capacity

This falls in line with one of Estonia’s top cyber priorities. “We have to step up capacity building efforts globally, to make sure that all the nations outside of technologically advanced countries also will be able to set up the minimum safeguards when it comes to addressing cyber threats,” she says.

This can be done by setting up computer emergency response teams, which consist of IT experts in charge of handling cybersecurity incidents, or helping organisations to protect their critical infrastructure better. Awareness and education programmes will also be useful, she notes.

Tiirmaa-Klaar sees regional and international cooperation and exchange of best practices as a key way to strengthen countries’ cyber defenses. For instance, Estonia and Singapore signed an agreement in 2018 to learn from each other how to organise cyber training exercises and develop a cyber training area, according to Estonia’s Ministry of Defence.

What’s being done now?

It’s difficult to regulate cyberspace, but international organisations have come up with mechanisms of cooperation to help keep the online domain safe. The EU cybersecurity toolbox, for instance, allows the EU to take collective action against malicious cyber behaviour. This includes imposing sanctions, according to the Council of the European Union.

How does the EU decide whether and how to take action against malicious actors? Member states share information on who was behind the attacks and consider the political or economic influence of the attack, Tiirmaa-Klaar explains. She helped to establish the toolbox guidelines when she was working in the EU in 2017.

The toolbox was adopted just a few months after organisations around the world were hit by the WannaCry ransomware attacks. This sent a strong signal to malicious actors that such behaviour would not be tolerated, says Tiirmaa-Klaar. After the EU’s 2018 statement, “we have not seen such a large scale malware attack anymore in Europe,” she adds. In 2020, EU adopted two sets of sanctions against actors behind malicious cyber activities.

The EU also released a new cybersecurity strategy in December. The strategy focuses on protecting European cyber assets to ensure reliable digital services across banks, hospitals and electricity grids.

The Union will build a new cyber shield that uses AI to detect imminent cyber attacks. It will also establish a joint cyber unit that brings together all cybersecurity communities in the EU to share threat information and respond collectively to incidents, announced the European Commission.

Outside of the EU, the United Nations Group of Governmental Experts has come up with a set of norms to guide responsible cyber state behaviour. These recommend that states do not knowingly allow cyber activity that damages critical infrastructure, and cooperate to exchange information. The second important building block for cyber stability is applying international law to state activities in the cyber domain.

The next step is to implement these norms, says Tiirmaa-Klaar. “We have been agreeing on those norms from five years ago, but when we are discussing cyber issues in cyber conferences there are very few people who have knowledge about those norms,” she recently told The Daily Pennsylvanian. “So in a way we are now in a mainstreaming phase with everything cyber diplomacy related.”

Divide and conquer

Yet, it’s not just diplomats or central governments who are responsible for cyber defense. Cities, the private sector and individuals have to step in as well, says Tiirmaa-Klaar.

A decentralised approach is crucial for responding quickly to cyber attacks. “You cannot set up the fire team somewhere in the headquarters of the international organisation,” she points out. Organisations and capital cities should have the minimum capacity to deal with basic issues, instead of relying on a larger organisation to protect them.

“I have to explain that quite often because in Europe, we sometimes have the understanding that if the European Union will do this for the member states, then member states would be so much better off,” she adds.

Diplomats work to prevent war and promote peace. The work is a lot harder when the war can’t be seen, but Tiirmaa-Klaar believes that building cyber capabilities, international partnerships and decentralised defence will help to protect cyberspace.