
Is cyberwar inevitable?

Estonia is the world’s most digital country. This small, northeast European nation of 1.3 million people has an almost entirely digital government. Estonians can obtain prescriptions, sign documents, pay taxes, transfer property, and vote online. Even those who don’t live in Estonia can apply for e-residency.

Digital pioneers. Estonia's capital, Tallinn, may look medieval but its citizens are living in the world's most digitally advanced society. Courtesy Rob Oo (CC BY 2.0, https://creativecommons.org/licenses/by/2.0/).

Estonia also has the doubtful honor of being one of the first countries to suffer cyberattacks as a form of modern warfare. In 2007, sophisticated DDoS attacks hit broad targets, swamping the websites of banks, newspapers, broadcasters, and the Estonian government, and taking down the internet for regular citizens. Estonian authorities traced the attacks to Russia.

Science Node recently spoke with Liisa Past, Chief Research Officer for Cybersecurity of the Estonian Information System Authority. We asked her about living in a digital nation, voting online, and the future of cyber warfare.

Estonia’s transition to an almost fully digital government is impressive. But isn’t it incredibly risky to store so much infrastructure—including citizens’ personal and confidential information—online?

The digital world doesn’t bring greater risks, just different risks. Take something basic like government archives. If records are kept on paper, they’re hard to back up. If there’s any kind of damage—like fire, flood, or theft—it’s very hard to restore. Digital backup is easier.

Or take confidentiality. If someone accesses your paper archives, especially now that you can have a camera embedded in just about anything, it’s difficult to trace who accesses what, and what they might take out. But with digital records, you can log every single step and movement. If someone breaches the confidentiality, you can trace it back.

Some people find the idea of digital voting scary. How did you reassure Estonians that the process was secure and that they could and should trust the government?

Remote vote. One-third of Estonians prefer to vote online rather than visit a polling station. Courtesy e-Estonia.

We’ve built trust over the course of fifteen years. The first time i-Voting was offered in Estonia, in 2005, just under two percent of voters opted to use it. But as digital services kept expanding and achieved high penetration across society, trust grew. People banked online more, and they voted online more. They began to prefer to change their population registry records online rather than show up at the office.

i-Voting uses a secure voting app on an internet-connected computer. You sign in and then double-sign your vote with your government-backed ID card. Now one-third of Estonian voters prefer to vote online. It has become so democratized that an i-Voter is an average voter.

No factor predicts i-Voting — not education or political preference, not even computer literacy. The only factor that influences i-Voting is if the trip to the polling place takes more than a half-hour.

One of the lessons we’ve learned is that you don’t just change the system abruptly. You introduce these things slowly as an enhancement. Most people will prefer convenience.

Implementing these systems and technologies must have been expensive. What’s the advantage to the government?

After the initial investment, it’s more cost-effective. We estimate that 2-6 percent of GDP is saved through these digital solutions. There’s also a lot less room for error and a whole lot less duplication.

I can’t help but suspect that Estonia has only been successful with this transition because of its small size. Could the same system work in a large, heterogeneous society?

It’s true that if you’re dealing with only 1.5 million people, it’s easier to implement new solutions. But those solutions can be scaled up.

Many organizations have trouble just preventing their employees from responding to phishes. Are Estonians more computer-savvy than the rest of the world?

Liisa Past is the Chief Research Officer for Cybersecurity of the Estonian Information System Authority.

The biggest attack surface is between the screen and the chair. A lot of security incidents are very basic, due to people clicking on malicious links, being spear-phished, or targeted through very sophisticated social engineering.

But you can’t make the user responsible for everything—you can’t just educate them and hope for the best. We don’t expect people to practice their own medicine or to fix their own teeth. We have specialists to do that.

For a successful digital society, there has to be a legal framework. Government and corporate best practices have to facilitate the user making the right choices. Estonia is one of the champions of the world when it comes to communicating vulnerabilities and incidents very openly.

What about a worst-case scenario? What about hackers or an escalation of cyber-warfare?

One of the things we’ve seen is that nations seem to exercise self-deterrence in cyberspace. They don’t apply full capabilities, partially because they don’t know what are the capabilities of the other nation to respond. So there is deterrence through doubt.

Blackout. A 2015 cyber attack on Ukrainian power stations left a quarter of a million people in Kiev without power. Past says that such politically-inspired attacks are likely to continue. Courtesy NATO.

I don’t think cyberwar will happen in isolation. It will be integrated into armed conflict as an extra domain of military operations—and that’s actually the language NATO uses. Just like information operations and the issuing of fake news and misinformation, cyberattacks are another way that a nation tries to assert itself and its interests during peacetime.

What makes cyber operations different from conventional territorial defense is that it’s very good at creating inconvenience. But in a very digital way of life, everything from how food is produced to how you communicate with loved ones to critical infrastructure has an element of computer control.

Take the 2007 attack on Estonia, the DNC hack, the Sony hack, the attacks against the Ukrainian power grid in 2016, to name prominent examples that appear to be either state-sponsored or at least politically-inspired. None of these were anywhere close to the level of warfare, or what international law calls use of force or an armed attack.

But they were inconvenient, and they were enough to get some citizens to doubt their government’s ability to protect their lifestyle. That creates chaos, but it’s not warfare. It’s just something that, as societies, we have to be aware of. These are platforms that politically motivated actors will continue to use.

Copyright © 2018 Science Node ™