05/31/2023 | Press release | Distributed by Public on 05/31/2023 03:23
I am honoured to open this year's International Conference on Cyber Conflict. I warmly welcome everyone, and especially those who have travelled here from all over the world. This conference is a treasure trove of insights into cyber defence and security. Shared expertise will help us all think better about cyber conflict and operate more effectively in this domain.
One year into Russia's war of aggression against Ukraine, all of us need to double down on understanding the impact of conflicts in cyber space, and how they affect our societies. It is time to learn from these experiences, share them, and find solutions that increase our resilience individually and collectively.
I would like to highlight some conclusions for Estonia from the past fifteen months.
It will not be a surprise to you that nation state actors - not just from Russia, but also from other unfriendly countries - are increasingly active in cyber space. They were already becoming more interested in Estonia, but threat levels jumped up when Russia invaded Ukraine.
Estonian government systems, transport companies, banks, news websites and other critical service providers are constantly scanned for vulnerabilities. Cyber criminals and state-affiliated hacker groups that may exploit those vulnerabilities have always been a concern. But the current geopolitical confrontation makes the situation much worse, and requires sustained attention on cyber security. To illustrate - in 2022 the amount of distributed denial of service attacks in Estonia increased by 300%.
Past months have brought home that cyberattacks are increasingly used to retaliate against political decisions which one or other governmental actor doesn't like. In Estonia, we have experienced waves of distributed denial of service attacks that were politically motivated, such as the attacks after we removed a Soviet era tank monument from the city of Narva.
This monument had been erected to mark the occupation of Narva by the Red Army in 1944. For Estonians, it reminded of the brutal invasion of the Soviet forces, with Narva itself razed to the ground, much like Mariupol or Bakhmut today. But for many Russian-speakers this monument was a powerful reminder of the victory in the Great Patriotic War.
The war in Ukraine made the monument more divisive than ever since 1991. So in August 2022, our government decided to move the tank to the military history museum. As a result, Estonia was subjected to the largest distributed denial of service attacks in our history. Thanks to our preparedness, most people in Estonia never even noticed. The incident confirmed that preparation helps mitigate attacks and limit damage. But this is no ground for complacence - on the contrary. This case further illustrates the importance of resilience and staying ahead of hackers who constantly invent new tools.
In this context, both our public and private sector, indeed, the society as a whole, must do more for cyber resilience. That is a lot easier said than done. Most people don't spend much time thinking about the link between yet another security flaw that needs patching, and a potentially harmful security incident. This is why we must work more than ever on awareness building, at all levels.
Russia's activities against Ukraine in the run-up to and during the invasion also offer serious food for thought regarding the challenge to our digital societies and the critical service providers in wartime. We have seen Russia shaping the battle space with cyber means, attempting to cripple the IT systems of Ukrainian government institutions, blocked access to reliable information and critical services, and worked to undermine trust in the resilience of the Ukrainian state. A case in point was the cyberattack on VIASAT, attributed by EU to Russia, aimed at disrupting Ukraine's military command and control and government communications.
Cyberattacks targeted civilian critical infrastructure: electrical grids, railway operators, telecom companies. The lesson is to bring the providers of those critical services to the level where they have the best chances to resist such attacks. In Estonia, a large majority of critical infrastructure is in the hands of the private sector. The only way to ensure their resiliency is seamless cyber security cooperation between the private and the public sector. In both peace and wartime, cyber security must now be a whole of society effort.
Finally, I want to emphasize the importance of international cooperation in cyber space. This includes the work towards accountability for crimes committed with cyber means in the framework of an international armed conflict.
Estonia has long declared that among other relevant international law rules, International Humanitarian Law applies to states' activities in cyberspace. The cyber component of Russia's aggression against Ukraine should push us to go further - to develop an understanding of how the specific rules of the International Humanitarian Law apply when malicious cyber means are used in armed conflict. For instance, what constitutes use of force in the cyber context? What is the legal status of civilians participating in an 'IT Army' of hackers? We need to clarify these issues so that we can meaningfully determine what constitute violations of international rules in cyber space during war.
As you know, in the context of Russia's war in Ukraine, Estonia has spoken a great deal about ensuring accountability for war crimes, crimes against humanity, and the crime of aggression. This is about ensuring justice, but also about strengthening deterrence by punishing those who violate those most sacred international laws and norms.
But what can we do about crimes that are committed in cyber space or by using cyber means? Here, too, our position is clear - no matter what are the means, those responsible must be brought to justice. In Ukraine, as in other armed conflicts, we should not think of cyberattacks during armed conflict as something separate from the rest of the military campaign. The same logic should apply to accountability.
Estonia is a strong supporter of the International Criminal Court and its mandate, the work it is doing to investigate horrific crimes in conflict regions globally and in Ukraine. The ICC is also of central importance in keeping international criminal justice up to date and in ensuring that cyberspace does not allow those behind atrocities to hide from investigation and prosecution.
I commend the work done so far to delineate an approach on how the rules on international criminal justice could be applied when cyber means are used. One great example are the efforts by the Council of Advisers on the applicability of Rome Statute of the ICC to cyber operations. But we need to continue to align international criminal justice with the challenges of today, and make sure that it is applied. Criminals, and particularly war criminals, should not be able to hide from their responsibility in cyber space.
Improving the effectiveness of cyber deterrence by imposing and raising costs to malicious actors will not be an easy task. Work to impose costs on state cyber threat actors must include more and collective attributions to state cyber threat actors. So we have our work set out for us for years to come.
To conclude on a happier note, I would like to congratulate Ukraine on becoming a member of the NATO Cooperative Cyber Defence Centre of Excellence. Ukraine's experiences have made it a leader in understanding the cyber dimension in modern warfare. Their membership is a great opportunity for us to learn from our Ukrainian friends.
Thank you, and I wish you a great time at the conference!