Democratic nations around the world -- including and building out from the NATO partners -- should forge a global partnership on cybersecurity, starting with an informal forum for collaboration and growing into an alliance with legal structures and responsibilities, according to former Estonian President Toomas Hendrik Ilves.
And, Ilves said in an exclusive interview with Inside Cybersecurity, “only the U.S. is capable of putting this together, only the U.S. has the possibility of providing leadership.”
Ilves is currently a distinguished visiting fellow at Stanford University's Hoover Institution. He served as president of Estonia from 2006 to 2016 and previously as foreign minister, member of the European Parliament, and Estonia's ambassador to the United States.
In the words of The Guardian, Ilves “orchestrated the ambitious 'wiring' of what has been called 'E-stonia'” and turned the Baltic nation into a cybersecurity policy and innovation hub following a massive 2007 cyber attack attributed to Russia.
Estonia is home to the NATO Cooperative Cyber Defence Centre of Excellence -- and that body, now a decade old, is open to non-NATO members, which is a start, Ilves said.
“NATO has really good experience with international cooperation, and we should start with that,” Ilves said. “But we need to think beyond the transatlantic, to Japan, Korea, Mexico” and beyond.
“I'm under no illusions, it's hard, but we have a serious problem,” he said. “We need a broader tent of liberal democracies. The bad guys are attacking democracies.”
Further, he said, “We don't have symmetry. If they're going to hack the [Democratic National Committee], we can't respond by hacking the Russian elections, because that's not really democracy.”
The U.S. must take the lead in galvanizing a global response to the cyber challenge, pulling together like-minded countries to counter the aggression in cyberspace perpetrated by authoritarian governments including Russia, he said. “Right now,” Ilves said, “everybody is alone.”
Ultimately, Ilves said, an international structure will need to be formalized, “if only to allow domestic legislation to be passed” in the participating companies.
“Initially it would be a forum, a way of sharing stuff,” he said, including information on “new worms,” best practices and other valuable material. “But if you want to make it work, you have to formalize it.”
Ilves acknowledged, “It's a long haul,” and noted, laughing, “I'm 64, I'm not sure it'll happen … for a long time.”
Still, he pointed to the formation of NATO itself as an instructive and promising historical analogy. “In 1946 and '47, there was no talk of a NATO,” he said, but in 1948 pro-Soviet coups and other Soviet actions in eastern Europe compelled a western response and the alliance was formally launched in 1949.
“Putting the 'O' in NATO and making it organizational was the key piece,” Ilves said. “But I'm not sure we're in the same situation yet where there is full recognition of the problem.”
The urgency is clearly there, he said, and there “needs to be a coming together” internationally on issues from cyber deterrence to data security.
“There should be some kind of regulation on how personal data is secured,” Ilves said. He said critical infrastructure operators in the U.S. “are probably scared enough and are taking good steps” to protect their systems, but the handling of personal data by all kinds of organizations, ranging from Equifax to the U.S. government itself, “is a travesty.”
“When we talk about cyber, it's often 'Pearl Harbor.' But it's a catastrophe already in terms of what's happening to people's data,” he asserted. -- Charlie Mitchell