Andrus Ansip told EURACTIV.com in an interview that Estonia’s digital success can’t be copied everywhere and the 2007 cyber security attacks there would have been worse if EU countries hadn’t shared information to help out.
Ansip is vice-president of the European Commission. He was prime minister of Estonia until 2014.
Ansip spoke to EURACTIV in Tallinn as Estonia started its six-month EU Council presidency.
Estonia is presenting an image of itself as the most digitally advanced EU country. Is that an exaggeration or do Estonians really have a better understanding of tech and cybersecurity compared to the rest of Europe?
When it comes to digital public services, Estonia ranks first according to the digital economy and society index among EU member states. But when talking generally, then there are many, many other countries where developments were much faster than here in Estonia. For example, digitalisation of industry is not developed at all in Estonia. But generally speaking, Denmark is the country where those digital developments are remarkable. To be in first place in digital public services in the EU is also good for Estonians.
When we regained independence and our banks started to act as banks again then they didn’t have a tradition of banking. When they started with internet banking they made that free of charge. This is the reason why especially elderly people are so familiar with computers in Estonia. If you don’t have to pay, you take that option. Because in bank offices those services were not free. The government decided not to provide support to help citizens buy computers. Our approach was to provide more and more public services via the internet and it used to work because they came to this understanding that this is a question of efficiency. They started to buy computers and use services provided by the government.
But I don’t want to say that anybody could copy this model they’re using here in Estonia in some other country. There are different situations in other countries. I don’t think Estonia is perfect enough to teach other countries using its own example.
You were prime minister of Estonia ten years ago during the big cyber attacks here. How did you deal with that?
There was tension around one thing, when the bronze soldier was moved two kilometres away to a cemetery. And of course the Kremlin supported those tensions. Then on two nights we had riots. In some towns in some western European countries when the local football team loses a game, they have those kinds of experiences. But it was something really very new for Estonia and unexpected. For three weeks we faced quite heavy denial of service attacks.
Of course we were not so well prepared for those attacks. But we decided to make it public. To turn our weaknesses into a strength with really good cooperation between different national CSIRTs [national cybersecurity authorities in EU countries] and between the public sector and private sector. They caught the majority of those attacks before they even crossed our borders. I believe in those situations, transparency is needed. And also cooperation between member states is needed. I’m sure no single member state in the EU, it doesn’t matter if it’s a small one or big one, is able to deal with those threats alone. We have to cooperate.
We already have this NIS directive [the first EU cybersecurity law, agreed last year], which is also about transparency and cooperation. Now we have to fully implement this NIS directive. But it’s not enough. We would like to prepare the new cybersecurity strategy for the European Union, including also a new mandate for ENISA [the EU cybersecurity agency]. But things like the internet of things didn’t exist in the year 2013 when we launched this existing cybersecurity strategy. Now we know how those bad people were able to create botnets in the United States based on connected devices. We know that they were able to generate quite heavy denial of service attacks and to take down even global service providers. So we have to try to agree on global common cybersecurity standards for the Internet of Things. And we have to be able to work with those things at least on the level of the European Union.
Some member states don’t want to share sensitive data with each other about those vulnerabilities. Will some countries object if you propose to make ENISA stronger?
Of course. ENISA has to be stronger. Now they’re working on the basis of a temporary mandate but the role of ENISA according to my understanding has to be connected with the full implementation of the NIS directive. Because of those Wannacry attacks and those recent attacks – whether we call them Petya or NonPetya or [says something in Russian, laughs]. You’re not able to understand, that’s Russian. I think everybody got this understanding that we have to act and we have to pay much more attention to cybersecurity issues.
When we think about the next midterm financial framework [EU budget], my understanding is very clear that we have to invest much more in cybersecurity in the European Union. It’s the same thing as when we talk about defence cooperation. In the United States they say 80% of cybersecurity research funds come from the military budget. In the European Union, they say it’s around 20%. So how is it possible that in 28 member states they’re dealing exactly with the same issues? 20% in the EU is not as much as 20% in the United States because of inefficiency. It could be because of fragmentation. Everyone is trying to solve the same problem separately. Our 20% is probably more equal to 1% in the United States.
Does investing much more in cybersecurity mean putting more money into centralised EU centres like ENISA?
I’m not talking just about ENISA. But yes, because of the Wannacry attacks, because of Petya or NotPetya attacks. Smaller member states especially asked for operational capabilities on the EU level. I think it has to be based on ENISA or on CERT-EU [the EU’s cybersecurity emergency body] because CERT-EU has just 30 employees. What kind of 24/7 emergency response can we talk about when you have just 30 workers? It’s impossible. But there is a need. We have to discuss how to create operational capabilities in the EU.
Some bigger member states say it will be inefficient and there’s no need for that. And some smaller member states say they would like to have those EU-level operational capabilities. NATO’s cyber defence centre of excellence is located here in Tallinn. But to create a cybersecurity product, a European product, we have to have a really strong cybersecurity excellence centre in the European Union. It’s even better to have a network of those excellence centres in the European Union. There are many areas where we can do more than we’re doing now.
Estonia is one of the countries that asked you to propose legislation guaranteeing the free flow of data between EU countries. France wants the proposal to include some exceptions on access to data, portability and security and now other countries said exceptions could weaken the law. How far will you go with including exceptions to make France happy?
It’s too early to say. At the Telecoms Council last December, 18 speakers really supported the free data flow idea and asked for immediate legislative action. One was generally supportive but had some doubts and now this country stated very clearly they support this idea. But one country was against it. And now I would like to say there is a new government in that country and we’re not talking about the same proposal the Commission was ready to provide last year. This new proposal will be more balanced. We have to guarantee also that there will be a legal basis for law enforcement access to those data stored in other member states.
For example, Denmark changed its bookkeeping act and according to this act, it’s not important in what country data is stored. It’s much more important to provide access for the tax department to that data online if there is a legal basis for that. Their approach was based on neutrality, not on geographical location.
Now we would like to also provide a proposal that will be more balanced. Not just to allow free data flows. There will be some exemptions anyway on national security, etc. There will be free data flows but at the same time access to data. I hope we will get to the point where all member states support this proposal. If we can remove existing barriers for data flows we will be able to cut those cloud service prices by €7.2 billion within five years. But the influence on economic developments will be much bigger: €8 billion per year.
Next week Mariya Gabriel is expected to be confirmed by European Parliament as the new EU Commissioner for digital issues. You’re in the middle of negotiating some really controversial bills, like copyright and telecoms. Is she ready to take over?
She has to be ready. Council meeting by council meeting, topic by topic. I think she was pretty well prepared for her hearing in the parliament. I hope she will join the team very soon because we have too many Council meetings to cover, too many different issues. This help is definitely needed. Thinking about the next presidency: now it is Estonia, but I think it will be easy for Bulgaria to deal with digital files when they have a Commissioner responsible for those issues.