Anna-Maria Talihärm, NATO CCD COE (Cyber Defence Centre of Excellence) analyst
They may not be able to call on real-world cooperation and defence agreements to build their cyberspace defences yet, but government security organisations may find value in emulating Estonia’s experience building a voluntary ‘cyber corps’ of security professionals available in times of need, NATO CCD COE (Cyber Defence Centre of Excellence) analyst Anna-Maria Talihärm has advised.
Technology savvy Estonia has been undertaking information-security research since 1991. A national CERT (Computer Emergency Response Team) was created in 2006 and the NATO CCD COE got its accreditation in 2008. In 2011, the Estonian Defence League’s Cyber Unit (EDL CU) was formally established.
Quite differently than the model used in many parts of the world, EDL CU is involved in enhancing public-private partnerships by maintaining a volunteer structural unit within the EDL. Private-sector security experts, as well as those involved in law and other IT-related fields, are encouraged to be involved in the effort to preserve what the EDL CU charter calls Estonia’s ‘e-lifestyle’.
“What makes this unique is that many countries have defence units within their military structure, but the Estonian example is on a voluntary basis,” Talihärm – a senior analyst with NATO CCD COE and lecturer at Tallinn Technical University who presented on Estonia’s model at AusCERT 2013 – told CSO Australia.
“What is really interesting for me as a researcher is how we can use this unit in a situation of crisis,” she continued. “When we talk about cyber attacks it becomes much more serious because you never know how far or where does the cyber incident escalate: it can go right across thresholds of nations, and is closely related to national security.”
With state-sponsored cyber attacks on the agenda, developing a firm action plan for cyber-attacks had escalated the urgency for a clear chain of command, Talihärm said.
The EDL CU’s mission statement says the organisation “focuses on helping civilian structures during peacetime and on the establishment of supportive capacities for operation in crisis situations”, but it is the nature and power of those capacities that drew Talihärm’s interest.
“Other countries have platforms for public-private partnerships, but Estonia has taken it one step further by writing the possibility of using this unit in a time of crisis into its legal access. There are conditions, but still we have a structure that allows us to use a voluntary based EDL CU in the national structure.”
NATO CCD COE, currently involving 11 sponsoring nations, has found the Estonian example of a Cyber Unit to be a compelling research topic, touching the broader issue of effective national coordination and international cooperation in a time of crises. Attempts to extend such arrangements beyond geographical borders and reinforce existing regional partnerships would, however, be bound to run into legal and political issues such as national sovereignty and differences in security philosophy.
These differences would make it build an EU-styled cybersecurity relationship based solely on countries’ proximity to each other: “you have to take into account 27 member states’ different opinions and different development levels, so in a sense it’s easier to protect one country,” Talihärm said.
Such differences would complicate the formation of NATO-like ‘blocs’ of cyber-defence powers, although Talihärm said it did not mean that countries couldn’t ally with each other to improve their co-ordinated response in the event of cross-border cyber-attacks.
If country A was being attacked by country B from servers based in country C, Talihärm hypothesised, such cooperation might see country C providing information and support to country A to help it fight the threat.
Such alliances could rewrite geopolitical alliances that have historically been based on geographic concepts but can, through the instantaneous global connectivity of the Internet, be based more on shared interests with countries at similar developmental stages.
That would suit the Asia-Pacific geography, where developed first-world countries like Australia, New Zealand, Singapore and Japan shared more cybersecurity commonalities with peers in the US, UK, and Europe than with many of their neighbours.
“It is understood that it’s difficult to agree on something concrete because there are so many different concepts and frameworks at both national and international levels, and people and countries are afraid to bind themselves to certain rules,” Talihärm said.
“However, we believe in principles. Cyberspace has no borders, so the enforcement problem will always be there – but I think the most likely thing to happen would be that like-minded countries agree to exchange certain information, and work to certain principles, to fight the threat together.”