How small states prepare for cyber-war

Tablet-on-hand-2.jpg

CNN.com | September 3, 2015
By Parag Khanna

(CNN) - With Russian tanks and rebels firmly lodged in eastern Ukraine, Eastern Europe has been on high alert for months. As Russian bombers intermittently skirt or trespass Western airspace -- and a foreign submarine was reported to be hiding out in waters just off Stockholm last year -- the Baltic states of Estonia, Latvia and Lithuania have ramped up expenditures on armored personnel carriers, mobile missile launchers and other hardware to defend their borders.

But the Baltic states are as fixated on their screens as their borders. Since Russia launched a major cyber-attack on Estonia in 2007 that crippled banks, broadcasters, and political parties, the smallest of the Baltic republics redoubled its efforts to secure electronically what geography dictates will always be at risk physically.

Citizens became instantly educated to protect their data; banks and telecoms cooperated and shared information. The phrase "whole of government" or "whole of society" has become a catchphrase in Washington, but is more of plea for bureaucracy to stop getting in its way.

On my recent trip to tiny Estonia, however, I witnessed the world's first truly cyber-ready society.

After famously gathering in public to sing its way to freedom from the Soviet Union in 1991, Estonia quickly reclaimed its Nordic and Hanseatic linkages, joining the EU, NATO and the eurozone. Necessity, not evolution, sparked Estonia's rapid metamorphosis from tiny post-Soviet republic into world-leading info-state, my term for countries at the forefront of achieving secure connectedness. Centuries of Russian subjugation, German invasion, and Soviet occupation created a messy record of who actual citizens were and the legitimacy of land titles.

Estonia decided to take advantage of Sweden and Finland's early lead in creating digital ID cards and databases and run with it, earning it the label that has stuck since native hero Skype became a global sensation: "E-Stonia."

In Tallinn, medieval buildings have been seamlessly augmented with ultramodern design and the latest digital fittings from electronic doors to motion-sensitive lights and ubiquitous Wi-Fi.

Today every single government transaction or service is performed online, from paying taxes to voting. ID cards are mandatory and issued to everyone at the age of 15, and almost the entire population of 1.3 million has one. This one card is a federal ID, driver's license, library card, and almost every other function rolled into one. But there is no risk in losing it -- or point in stealing one -- because it holds no data. Rather it has an embedded SIM card that holds an encrypted key that corresponds to an anonymized government code accessed by entering a PIN. Sound complicated? Estonians have no trouble deciphering the mechanics of the system since all public schools begin teaching coding at age seven.

Estonian officials mock countries where banks try to outmaneuver each other with flashy security tokens and other gimmicks rather than sharing basic protocols that allow individuals more flexibility. Because banks require more signatures than any other institution, bringing groups such as Swedbank that came on board early meant Estonia had its most important allies in pushing digitization through the country. Telecom operators such as Nortal also play their part both in communications and government services: All citizens get an encrypted SIM which they can insert into their mobile phones to access all the same features without even using a computer. Combining this distributed mobile technology with mandatory voting would create true digital democracy.

With all of Estonia's government agencies online, the society enjoys the growing efficiencies of machine-to-machine communication. Just one day spent enjoying Estonia's digital conveniences makes any visitor resentful of the bureaucratic nightmares found almost everywhere (except other info-states). In a world plagued by check fraud, Estonia has eliminated check. A digital signature supersedes a hand signature in a court of law. (Hand signatures have precisely one remaining symbolic use in Estonia: Marriage.) A lost ID can be replaced in 30 minutes rather than 30 days.

When I explained to Estonian officials about company stamps and inkpads, matching signatures at banks, and getting documents notarized, they looked at me as if I were an 18th century time-traveler wearing a wig. (This may also be because Estonia's prime minister is only 36.) Estonians have gone paperless to such an extreme that cabinet meetings are "BYOD": Bring Your Own Device. My floppy Moleskine notepad and pen were the only writing instruments I saw during my visit.

Digital ecosystem

In small states, trusting data is a convenience; people can always go knock on the president's door (as they do in Estonia). Large states simply have no choice but to trust data -- and if done right, privacy protection can be remarkably simple to enforce. Estonia's X-Road system holds the data of government agencies, but distributes, anonymizes and encrypts its storage. Government employees can only access department specific data about a person, and every search query is logged. (No flashlights and combing through file cabinets with gloves on.) If you are pulled over by a policeman, he scans your ID and can only see your license, registration and insurance information; anything more requires a warrant and judicial grant. Data thus belongs to the public -- not the public administration.

The experiments and mistakes of small European countries inform the plans of their larger-scale associations. With the Nordic countries, Belgium, Portugal, Austria, Denmark and other small European countries all implementing various digital schemes, the EU has set out a Digital Strategy 2020 to harmonize its data systems and services, making itself a more seamless union for flows of people and services.

This midware connectivity among European data clouds is not digital welfare of the traditional European variety. Rather, it is the creation of a much larger eco-system in which a common technology platform enables companies and entrepreneurs to share digital X-rays for patients moving across countries, eliminate mobile phone roaming tariffs, and other steps that improve overall quality of life. Having already been through the experience of trading one currency for another, adding new countries to the economic and digital grid such as Moldova and Albania becomes a matter of snapping them on like small Lego pieces.

How can one of the world's smallest countries enlarge its digital footprint even further? At Ulemiste City, an integrated ICT campus near Tallinn's airport, offices are sprouting up to manage Estonia's latest cyber-venture, one as much diplomatic as social: E-citizenship. While Estonia has barely one million citizens, its nascent e-citizenship scheme could give it more than 10 million virtual ones by 2025: Investors and customers who take advantage of Estonia's 0% corporate income tax, professional e-commerce technicians, and legal access to the entire European Union. A friend of mine shuttling between San Francisco and Portland proudly touts her Estonian e-citizenship card as a portal to all her European clients.

In Estonia one experiences how lonely it is at the top of the digital heap. Its data security technicians have ideas for putting passports on mobile phones, but then they'd be the only ones to have it, rendering it useless ... for now.

The Digital Hanseatic League

Estonia still exhibits the vulnerabilities and strengths of being a small state next to a giant one. During World War II, its far larger cousin-state of Finland was only rendered geopolitically inert (hence "Finlandized"), while Estonia was occupied and subdued into the Soviet Union. In 2014, Russians jammed the virtual fence that serves as their border and snatched an Estonian federal agent. Even with broadband speeds faster than South Korea, Estonia cannot escape its geography.

Still, the country is taking steps to protect everything that isn't dug into the Earth such as creating a cyber-defense league of government supported volunteer IT specialist units -- a virtual version of the fully armed Swiss populace, assigning itself to various quadrants of Estonia's critical infrastructure the way Swiss know which borders they are assigned to defend if communications are shut down. If the government's secure sites are fully exposed or hacked, it can de-activate all tokens through a "red button" style kill switch and reassign all national ID numbers and pins afterwards.

The "Emergency Act" also requires that over three-dozen institutions from banks to grocery stores have back-up strategies to provide the population with necessary cash and supplies should there be a digital shutdown. Cyber-attacks have replaced nuclear war as the daily risk -- and reality -- of geopolitical life. Computer Emergency Response Team (CERT) has become the new Nuclear Emergency Search Team (NEST).

Knowing all too well that they could one day again wake up occupied and potentially exiled, Estonians have come up with novel solutions every diaspora group could use to better organize themselves. Besides their embassies and ambassadorial residences abroad, Estonians have also set-up sovereign "data embassies" in secure locations abroad to which they back-up their national data so they can reconstitute as a virtual, post-territorial nation should the need arise. The virtual country would remain alive even if the physical country becomes inaccessible.

The best defense a small info-state has against an overwhelming physical mismatch is digital deterrence. Estonia now hosts NATO's Cyber-Defense Unit, and gathered over a dozen NATO allies in early 2015 for operation "Locked Shield," a training exercise to ward against attacked emanating through operating systems such as Microsoft Windows. Recent history demonstrates that hacks come from many sources -- but especially Russia, China and North Korea -- and target government and high-value corporate data as well.

In July 2015, Estonia also became a founding member of the world's first formal cyber-allianceknown as the "Digital Five" alongside the UK, South Korea, Israel and New Zealand -- disparate but advanced countries agreeing to securely host each other's servers. Note that the Digital Five isn't named after a place or geography; it's neither North Atlantic Treaty Organization (NATO) nor Shanghai Cooperation Organization (SCO). It's not a geographic alliance but a geodesic one.

Countries don't have to share a border to become more functionally integrated. Indeed, one of the fastest growing categories of trade isn't between any two particular regions, but between governments themselves as they seek to outsource -- or insource -- the best practices from their peers. States increasingly contract services from each other such as energy supplies, currencies, military protection, port facilities, airlines, telecoms, postal services and satellite launches. Eurozone countries have outsourced their central banking to Frankfurt, Morocco places substantial military forces in the UAE to defend it against terrorism, Finland is building an LNG terminal on the Baltic Sea that Estonia will share to cut both of their reliance on Russian gas, and so forth.

The Digital Five is an early stage info-state alliance reminiscent of the medieval Hanseatic League, a maritime federation of northern European city-states that resisted encroachment from Europe's monarchies, refusing allegiance to any overlord in favor of open trade and political autonomy. The inter-city Hanseatic world declined with the rise of sovereign princely states and the 1648 Peace of Westphalia, but in the emerging world of increasingly autonomous city-regions, a postmodern Hanseatic League is rising again, continuing the heritage of maritime connectivity but adding all the new technologies info-states have mastered.

Larger neighbors

Most small countries pose little military threat to their larger neighbors. Rather, they must concentrate on building financial firepower through currency reserves, wealth funds and foreign investment to boost in economic geography what they lack in political geography. Like Switzerland, they need to be connected to the world but not overly integrated, lest they lose their competitive advantages.

Short of nuclear deterrence, most info-states have little physical defense against the potential military encroachment of larger powers. Israel stands out as having a nuclear arsenal, fortified borders, a world-class military as well as robust cyber-capabilities, while Switzerland and Singapore maintain strict border protections, aerial superiority, and constantly train for ground combat operations as well. All three now have trained units of hackers and drone pilots for offense and defense operations.

The digital Hanseatic League has become a robust marketplace of innovative knowledge sharing. There are countless examples already of how leading city-states direct adopt lessons and practices from each other's recent experience. Singapore has studied the planning of London's underground subway expansion before its next major underground lines are developed, the requirements for women in Israel and Switzerland's national service programs, and how Bilbao has turned former manufacturing districts into thriving artistic hubs. Dubai has already been imitating Singapore's e-government services for customs, immigration and police functions. Singapore also guides other city-states not just in governance effectiveness but the pursuit of national self-sufficiency through its construction of oil storage depots wastewater recycling facilities. Singapore is doing whatever it can to survive should its connectivity be switched off.

The case of Hong Kong, however, reminds me of the vulnerability that comes from proximity to a major power. Though Hong Kong has a special history as a Chinese territory, its more than one century as a thriving and open British colonial enclave set the conditions for it to become a top-tier info-state perennially ranked as one of the world's most free, entrepreneurial and dynamic societies. Since the 1997 handover of the island back to China, however, Hong Kong has experienced a steady erosion of its autonomy. Beijing has sought to unilaterally dictate Hong Kong's political structure and leadership, manipulate its history books, diminish its press freedom, and take control of many companies, all the while undermining the unique positioning of its port as Shenzhen's grows, setting up a rival free trade zone in Shanghai, polluting its air with mainland factory smog, and crowding it with hordes of mainland tourists, workers and child-bearing women, and encouraging more talent and cash to seep out to Vancouver. The substantial narrowing of Victoria harbor through land reclamation is a metaphor for how Hong Kong is being swallowed by China, absorbed into the empire as the southern tip of the giant Pearl River Delta urban archipelago.

The sometimes brutal crackdown on the 2014 "Umbrella Revolution" in Hong Kong made clear that China has time on its side and resistance would be futile. At the same time, Hong Kong is evidence of the rupture from an age of empires trading territories to one where even small and vulnerable cities will fight to maintain urban autonomy even if they can't be independent. As I clamored through the throngs of 50,000 protestors in October 2014, I saw all the elements that make a sustained urban occupation possible from portable power generators to small drones, fast food and fresh fruit, and mesh-net Wifi and Bluetooth coordination apps. Hong Kong and the mainland may be growing together physically, but they are growing apart politically due to devolutionary pressure and generational change.

From Hong Kong to Estonia, a technologically empowered digital rallying cry can be heard across the world's smartest small nations: "Info-states of the world, unite!"

Link to article