Toomas Hendrik Ilves served as president of Estonia from 2006-2016. He is a distinguished visiting fellow at the Hoover Institution.
STANFORD, Calif. ― With Facebook handing over Russian propaganda ads from the U.S. election to Congressional investigators, we must understand that this is part of a much broader assault. The threat of these digital attacks extends to all democracies, in the West and beyond.
Furthermore, attacks on elections over the past year are asymmetric. Liberal democracies do not and often cannot respond in kind to cyberattacks on their own way of governance. Democracies with free and fair elections are vulnerable to attack, while in autocratic societies, it only matters who is counting the votes. Authoritarian regimes do just fine manipulating their own elections. In Russia, tweeting or sharing real news that’s embarrassing to the regime can land you in prison. Imagine then the response of the regime to fake news that’s damaging to the Kremlin. If democracies actively disseminated such fake news, it would only reduce us to Russia’s level and lead to greater repression there.
Beyond elections, cyberwarfare has made traditional rules governing armed conflict irrelevant. Just this week, it has emerged that Russia has targeted NATO soldiers’ smartphones in order to gain information about troop activity and to intimidate soldiers. Such instances beg the question: What is “deterrence” in the digital world? What is a “proportional response” when a ship’s navigation system is hacked or a power plant shut down? What happens when it takes months to track down who was responsible for a debilitating attack on the financial system?
The response to these cybercrimes must be international and must be broad-based, ranging from regulating social media to guarding our electrical grid and electoral systems. Building a collective defense in this new code war is at least as great a challenge as staving off the territorial or regional threats of the Cold War, when NATO was established in order to respond to threats in Europe.
Today, NATO’s territorial defense remains as relevant as ever, but in addition to the security organizations we have relied on since 1949, we need a new type of defensive alliance to protect all democracies — one that is not bound by geography. We need a strict criteria-based organization to defend all countries that are genuine democracies as defined by free and fair elections, rule of law and the guarantee of fundamental rights and freedoms. After all, Australia, Japan, Uruguay and Chile, all rated as “free” democracies by the watchdog organization Freedom House, are just as vulnerable as the NATO allies of the North Atlantic.
Can the wider West establish a global “cyber NATO?” It would be difficult but so too was the founding of NATO itself, which was called into being only after successive communist coups in Eastern Europe. When it comes to digital threats, the liberal democratic West has been subjected to enough wake-up calls.
Five years ago at the Munich Security Conference, I suggested that we consider a cyberdefense and security alliance for genuine democracies. At the time, the threats were not considered to be that serious. Today, with anti-democratic cyberspace attacks worldwide, awareness has skyrocketed. At the 2016 NATO summit in Warsaw, the allies agreed to name “cyber” as a fourth domain of operations, in addition to the traditional domains of land, air and sea. This is a start, but it is still insufficient.
Currently, the only functioning international agreement in the digital sphere with any relevance is the Budapest Convention on Cybercrime, which deals with computer-related crimes, including hacking, fraud and child pornography. Originally a Council of Europe convention, a number of countries — including the U.S., Canada, Japan and Australia — have since acceded. Unfortunately, many of the primary sources of computer crime — including Russia, China, Brazil and Iran — are not signatories. Far less successful has been the U.N.’s 13-year-old attempt to regulate cyberwarfare, which collapsed after Russia, China and Cuba objected to Western proposals that would allow countries to retaliate in self-defense in cyberspace.
Concern, however, is growing. NATO’s own Cooperative Cyberdefense Center of Excellence in Tallinn, the capital of Estonia, which is still more of a think tank than an operational center, is open to non-NATO democracies. Together with the Riga-based Strategic Communications Center of Excellence, another NATO initiative, and the recently-opened European Center of Excellence for Countering Hybrid Threats in Helsinki, the conceptual bases for international digital defense now exist. These centers deal with all of the threats — from infrastructure and hacking to manipulations of social media — that we have encountered in recent years across the board, often from the same list of usual suspects.
What remains is a broad recognition of the common nature of the threats and the political will to bring interested nations together to map out how to guarantee the defense of liberal democracies. A conference open to like-minded countries — those that Freedom House ranks as “free” — would be a good start. Until defense of democracy in the digital era is taken up by governments collectively, both in NATO and outside the alliance, liberal democracies will remain vulnerable to the cyberthreats of the 21st century.