Estonia's Ambassador-at-large for Cyber Security, Heli Tiirmaa-Klaar, shared her country's experience as not only one of the most thoroughly digitized societies in the world, but as the victim of what's come to be generally regarded as the first cyber war, Russia's 2007 cyberattacks against the networks of the Baltic republic. In her May 1st keynote, she characterized these attacks as the "first politically motivated cyber campaign in history," and drew the lesson that good public-private partnership and solid expertise can work to build a society resilient enough to withstand even attacks by a highly capable cyber power.
She pointed out that what happened in Estonia twelve years ago has since happened to other countries since. For all that, diplomats continue to encounter difficulties in negotiating norms of behavior in cyberspace, hoping that such norms will induce nations to act more responsibly in cyberspace as they currently do in kinetic space. Admittedly international norms are at best imperfectly followed in kinetic space, but they nonetheless enjoy a measure of success, and serve as a restraint on state action.
But some states continue to argue, Tiirmaa-Klaar said, that international law does not apply in cyberspace. Others continue to misunderstand state behavior in cyberspace, and the domain’s inherent deniability serves to impede their understanding.
The biggest problems she sees come from threat actors supported by governments. “Now we’re putting together a like-minded coalition for cyber resilience and deterrence.” And these start, she argued, with cooperative attribution.
She ended on an optimistic note, one similar to that Richard Clarke would offer on the Summit’s final day. She asked the Summit to consider the experience of NotPetya. This was an attack designed and executed by Russian intelligence services against Ukraine, but it affected targets throughout the world as well. “Estonia felt no impact.” Prevention was good, systems were patched, and Estonia was unaffected. Thus, she argued, a reasonable measure of security and resilience is indeed attainable.