Francis Maude: The Cyber-Attack against Estonia Was a Big Wake-Up Call for the World
The British minister in charge of cyber-security, Mr Francis Maude, tells Diplomaatia that the cyber-attack against Estonia in 2007 was a big wake-up call for the world, adding that a balance should be struck between cyber-security and personal freedoms.
Erkki Bahovski talked to Minister Francis Maude in Tallinn in May 2012.
Estonia fell under a cyber-attack five years ago in 2007. Since you are in Estonia now, I think you are familiar with the situation here, but overall it was probably the first nation-level cyber-attack. What is the situation now? What has happened in the meantime? How seriously does the world take the challenge of cyber-war?
The first point is that this is a new issue because of the Internet which is a wonderful thing. The Internet has driven economic growth and prosperity. It improves people’s lives. So, we only have a problem with cyber-attacks because of something which is incredibly positive.
Having said that, obviously what happened in Estonia was very serious. This was a big wake-up call for the world. In terms of Estonia herself, it meant that the Estonian government and those in Estonian business got very serious about defence against a net attack. I think that it has been a good development – a bad event that caused it, but a good development that illustrated the problem of vulnerability. Governments take this extremely seriously and businesses are taking it increasingly seriously, but still there are massive variations – some businesses are at a high level of readiness, whereas others have much further to go.
To what extent is cyber-war real war? Estonia would like to link cyber-wars to NATO to be covered by NATO’s famous Article 5. What is your opinion? To what extent can we take cyber-war for actual war?
It is a very difficult question. There is no doubt that it is possible to use malware of different kinds, distributed through the Internet, as an offensive weapon which can inflict serious damage on a country, both on its government and its economy.
Do we really know where the attacks are coming from? The attack on Estonia could be traced back to a huge number of places. Some of them were in America; some say that the actual source of the attack was very dispersed. Being satisfied as to where the attack comes from, the attribution of the attack to a state, a government or a particular source is really difficult indeed.
Consequently, a state can use non-state actors when it is bound to cyber-attack?
It can. The difficulty is being satisfied about knowing that it is happening. It is very hard to know. This is not over yet. Sometimes a cyber-attack can happen without anyone knowing that it has happened. It can have a delayed effect. So, it is very hard to attribute a particular act to a particular actor.
Most of the documents of international law have been written at a time when there was no Internet. What is your opinion now? Should the possibility of cyber-warfare and cyber-attacks be inscribed in international law?
Those are complex areas. International law itself is a complex field of law. The Internet is a relatively recent phenomenon, as I said, an overwhelmingly positive phenomenon. Finding the way in which international law can cover the possibilities of Internet attack is going to take time.
There are various kinds of attack. There are attacks which are designed to inflict damage on a country or economy, on a particular business or a particular government. There are attacks which are designed to steal intellectual property for purposes of espionage which might be espionage against the government, but it might be industrial espionage in which case there need to be consistent laws stating that such attacks are criminal. These are not trivial events; these are serious events.
Finding the right basis in international law will take time to be satisfactorily concluded, but there will be criminal offences in many countries’ domestic law which cover this eventuality.
Consequently, there must be a difference between cyber-war and cyber-crime?
Yes, there is. They may well overlap. It may be in some circumstances hard to know which is which – an attack on a country’s crucial infrastructure, its power grid, for example, or its transport system or major oil refineries. You might imagine this in international law to amount to an act of war. It is certainly cyber-crime; it is inflicting damage on private or public interest. There will be cyber-attacks on countries’ weaponry which will be clearly warfare rather than crime. But there will be a lot of overlap.
You already mentioned that governments are more aware of the possibilities of cyber-attacks. This also raises the question of cyber-security and this, in its turn, raises the question of personal freedom. When we are talking about security, not everything is free. How do you see the situation developing in terms of the relationship between cyber-security and personal freedom?
I think that the two should not be seen in conflict. The Internet has given people a lot of freedom. The Internet and social media underpinned the emerging democracies in the Arab world. The Internet is very much a promoter of freedom. It gives people freedom; it liberates them. People are entitled to have the Internet protected.
In terms of protecting against Internet attacks, there is no inconsistency at all between personal freedom and security. Where there will be tension is in the protection that governments and the law seek to give to intellectual property on the Internet – where one participant’s right to derive an income from intellectual property, such as films, music, whatever, may undermine another participant’s belief that they are entitled to participate in it.
A balance has to be struck because the reality is that imposing sanctions on those who use the Internet to abuse others’ intellectual property – any sanctions – can have a disproportionate effect on impairing the freedom. Striking that balance will always be very difficult because those two interests are in tension with each other.
The developed world is more and more relying on the Internet. This, of course, raises concerns about cyber-attacks. Estonian President Toomas Hendrik Ilves whom you met here has spoken about e-dependence. We are literally an e-state. Everything we do is happening on the web. That creates a situation where less developed nations can attack a country that relies completely or almost completely on the web. How do you see the situation now? What are the checks and balances?
I can see the issue that in a country like Estonia where e-government and the digital delivery of public services have gone very far – as far as anyone in the world has gone – that by definition creates vulnerability.
How do you deal with that? I think that however we decide to deliver the public services, we need to have a business continuity plan and that has to be serious. The last few weekends in England we have been facing activists’ attacks on the government’s websites. These are of the kind that are organised by huge numbers of computers that log into the particular government’s website and cause them to crash. Now we have business continuity arrangements. We knew that this was happening and they have not managed to hack into the underlying material at all. So, when it actually happens – you cannot absolutely guard against it happening – you put something else in place. People know what is going on and it is not the end of the world. I think that having the proportionate preparations is the best security against an attack and then having a business continuity plan if there is a successful attack. This has to be done proportionally.
In the era of industrial warfare, large industrial nations played a very important role. In the era of cyber-world, what is the situation? What is the role of large and small states there?
In some stages, large states are more vulnerable because there are more points to attack. There needs to be a high degree of international collaboration which is one of the reasons why we hosted the cyber-conference in London last November. We brought together not only heads of states and governments, including the President of Estonia who came and spoke very eloquently, but we are very keen not only about governments collaborating closely. We were very much behind the Budapest Convention negotiations, but we wanted also to bring together the business world and civil society organisations because of the role of these organisations in collaborating much more closely. I think it still has some way to go.
How well is the United Kingdom prepared for cyber-attacks?
Getting better all the time. Despite our austerity measures and having to cut public spending, we committed an additional 650 million pounds to cyber-security. That is underway; I have responsibility for that. We are endeavouring to show that money has been spent as well as possible. We are to promote a space where the public sector and the private sector companies can interact and share information, knowledge and know-how and help each other prepare. There is a long way to go and this will be very fast moving. There will be people – developers all over the world – who would be spending that time developing new Internet attacks and new forms of malware. We are aware of that and we need to deal with that as best as we can.
The issue of cyber-attacks and cyber-war is being taken very seriously by the Estonian media. How seriously does the British media take it?
They are not very much focused on that until there has been no attack. There were some activists’ attacks on some of the government’s websites; that attracted some attention. They were rather unsuccessful attacks, but that does not mean that they cannot be successful. The media will tend to react if there is a high-profile story, but in terms of general awareness and the need for sensible organisations to prepare, the attention is not very high yet.