Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege to sit down with Tanel Sepp. Tanel is the Ambassador at large for Cyber Diplomacy in Estonia and has served in multiple diplomatic posts, including the United States, Afghanistan, Ethiopia, and also did a stint at the Ministry of Defense where he led
cyber policy efforts and international efforts with partners overseas. Today we'll discuss why a small country in the Baltic became a cyber superpower, as well as a particular effort, the TALON mechanism that I think is going to serve as a model for conflicts going forward, as well as the role of cyber in warfare and conflicts. And Tanel, thank you for joining us. Well, thank you inviting me. It's a pleasure to be here.
Well, Estonia, for a small country is punching well above its weight when it comes to digital and cyber activities. And I don't want to steal any thunder. Hint, hint, they live in a tough neighborhood. But how did it become a cyberpower? Well, I
would go back to 1991 when Estonia regained independence. We came out of the Soviet occupation and in a really bad shape. We were really poor. And at the same time, we had quite young leaders governing Estonia who were actually clever enough to listen to their advisors. And one of the points they had was that with a really small amount of resources and having the task of rebuilding the whole government, we had to look for some kind of alternative options. And digitalization was one of the main
options there. However, we could not even buy off the shelf products. We had to redevelop this on our own. And this is actually the start of our digitalization journey. And I'm quite proud to say that still, even today, we are kind of leading nation in terms of the E services, E governance and the penetration of these E
services amongst the population. So it is a story that is great to tell also to other countries and especially the developing countries who are now digitalizing and, and Estonia can really serve as an example for them how you can actually achieve a lot with that digitalization. Well said. And in 2007 there was a bit of a wake
up call. No, indeed. In 2007 we had kind of, let's say, a cyber reaction
and there was one Soviet era statute set you in in the center of Tallinn. It was replaced into more decent place in the military cemetery. But because, because of the Soviet background, the Russians really took action and, and so we faced the first ever kind of nationwide DDoS attacks and that was really a wake up call, not distributed. Denial of service attacks. Exactly. And it took down several, several services. It affected
our banking sector, our media. I was myself serving in Brussels then. I do remember how our Foreign Ministry email accounts were down for quite a while. But yes, it served as a wake up call, not just in Estonia, but elsewhere. That cyber can actually cause effects. And then we need to deal with that. Absolutely. And then the
year following, Georgia saw a similar pattern in terms of Russian pre military engagement as well. Correct. I think Georgia serves as an example where for the first time you
really had some connection between cyber and military activity. Yeah, yeah. So in, in, in
07, just to, to, to step back for a second for a country that bet everything on digitization and basically ripped and replaced and is the antithesis of anything Soviet or communist in many ways it went all in on digitization. You used a crisis and hopefully. And obviously the story is not fully over. But that turned into a success story as well in terms of the investment around cybersecurity. Fair. Absolutely. I mean
already in year 2000 our government went paperless. So we are just sitting here next to the Capitol Hill and how much paper is there still right now? Quite a
bit. Quite a bit. But digitalization, along with this wake up call in 2007 and
attention to cybersecurity, that became our niche topic. So Also even before 2007 we were trying to establish a NATO center of excellence in Estonia. There was not much attraction to that. After 2007 attacks, immediately you got the political attention. And I think it's
fair to say, and not to put you in a delicate position, but it's not surprising that two smaller countries, Israel in one case, Estonia in another, and maybe Singapore, they live in tough neighborhoods. So you have a lot of experience as well from bad actors. Is that fair, you think? Well, our attention due to our geography is
mostly to the east, to our neighbor there. But at the same time, yes, we see also attacks from different other countries. And you mentioned Israel. An interesting case that we had recently was after the November attacks when Israel started firing. Back then we saw some attacks against PLCs in our heating plants because these were Israeli made. So that also kind of brought in new dimension to kind of politicization of cyberspace. Absolutely.
And whereas history may not repeat itself, it does tend to rhyme. And I do think that what we're seeing play out in Ukraine. And I really want to spend the bulk of our time talking about an amazing effort, the TALON mechanism. And rather than try to put words in your Mouth. But in essence it's a way to enhance, enable international support for domestic and civilian cyber defense. Tell me about the TALON mechanism, what led to it and how you're seeing it play out and
who's part of it. If you allow me, I'll take a bit more personal look
into this. Yes, I've served also in Afghanistan, in Ethiopia, really exciting places. And I've been kind of engaged in some other conflict areas also. And in every place you have this recurring theme that we need to improve donor coordination. Every single year, every single conflict, it's really recurring, it's kind of mantra. So finally, at least in cyber,
we decided to do something about it. So beginning of 22 when this full scale invasion started, we had been engaged in Ukraine already for over 10 years helping to build their digital ecosystem and so on. So we knew the people and we had companies who had been there active for a long time and our E Governance academy, that is one of the main bodies that is active abroad and sharing our experiences,
had been there for a long time. So we started getting all kinds of different requests from Ukrainians, from our friends, and there were less coming from one corner, corner and another corner and it was complete chaos. And I mean, I'm not blaming Ukrainians,
I mean they were in war, dealing with the crisis. Exactly. But then we, it took a bit of time and actually with the initial leadership of Germany, there were 10 countries that met in Brussels at the NATO headquarters and we also had NATO and EU representatives there to really discuss along with Ukrainians how to better start assisting Ukraine. That led to the next meeting in Tallinn where we kind of settled the major scheme, how it should work and then we fine tuned some details and
then at the end of last year we officially launched it. So in essence how it works is that we have kind of steering body that really deals with the more strategic questions, looks at different procedures, bottlenecks, and it's really focusing on eliminating any problems or challenges. Then we have back office in Poland and front office in Kiev. So back office is manned by Poland and the front office by Estonia. That's Lowry,
right. Our guy who's been dealing with crisis management forever. So he knows how to
deal with that and he's very active and his main task is to be kind of the front person for the Ukrainian government and to talk to them and also to see if there are any other issues to solve, to talk also to other donors. Then his task is also to kind of collect the information from Ukrainian government and feed it to the back office in Poland and back office is the place where we can then match the Ukrainian requirements with the donor opportunities. So this is
how it works. I immediately have to say that great parts. Let's say that there's a major role for Ukrainian government and they have done amazing job. They've done really their homework. Ukrainians changed some laws even to better cater the needs of telemechanism. They established intra governmental working group led by Deputy Prime Minister Fedorov. So this working group takes all the different cyber requirements, validates this, prioritizes this and then feeds
these to the tally mechanism. So telemechanisms has truly become one and unique channel for cyber assistance for Ukraine. And how many countries are members? Right now we have 10 countries, including. The United States, including the US, Canada. UK, France, Germany, the Netherlands, Denmark, Sweden, Poland, Estonia. Usually memorize it by going through the map. Yep, yep, yep. And
I, you know, many of us, when we saw the initial invasion, thought we would see a lot more cyber activity. It's not to suggest it isn't playing out. It is, it's playing a significant role. Viasat very beginning played a significant role. But do you think that's in part because of the homework they did to enhance their defenses? Because this didn't happen overnight, The Ukrainians were bracing themselves for hostilities. No, look,
Ukrainians have been in war since 2014 when Crimea happened. Crimea, yep. And they're being under cyber attacks ever since, let's not forget that. So they had been working a lot on cyber defenses. And the kind of second part to answering to your question is that there have been many people kind of saying that there will be some kind of cyber Armageddon, cyber 9, 11. I hate those analogies otherwise and it never
happens. And I think it leads actually to one of these main conclusions or kind of initial lessons identified from, from this current war is that physical war still matters. Cyber has had a major role and I believe that for the first time cyber has been fully integrated into military activity. And we definitely want to pull the thread
on that discussion because I think that is an important takeaway, that we tend to look at these things in isolation and reality. Anyone who can marshal and mobilize cyber and place that into doctrine, strategy and war fighting, and obviously all the tactics, techniques and procedures that come with that will lead. And I do want to pull that thread in a second. But before we do that, I do think that the TALON
mechanism will serve as a model. You brought it up yourself not only in terms of cyber, and that is clearly the focus with TALON mechanism, but almost Every war, major crisis, you're right. How often donors get in the way rather than enable and help. And the time to be thinking about this is not when the bomb goes off, not in the midst of a crisis. It's well before. How do you see that playing out? And I'm glad to say there has been some recognition, including a
recent award for the mechanism. But talk about the award and then jump into what you think this means kind of going forward. Yes, we got the awards for. It's
a Cyber policy awards in recognition of 2023 international policy impact. I guess it's for figuring out what could be the kind of future mechanism in cyber assistance. At the same time, I have to say I had a bit of mixed feelings when first learning about the nomination and then receiving the award because we still don't have too many concrete outcomes. We're at the beginning of the process. I rather would have received the awards a bit later when we could re showcase what we have achieved. But
it's absolutely great recognition and really came as a surprise. So yeah, all the, all the Italian mechanism member states now have the. The statute. So awesome. We got this during our last TURING Group meeting in Geneva last week. Oh great. So with also with Ukrainians and everybody wanted to have pictures with Ukrainians and then the awards and
that was a kind of cute moment. But in terms of kind of replicating this kind of assistance scheme, yes, we are thinking about different situations at the same time. I wouldn't jump too much ahead. There are still elements that we need to work out. The whole buildup of telemechanism has been like building a unicorn company. We have a great vision in the midst of a war, in the midst of the war and at the same time trying to figure out some of these challenges while doing
things. So there are still elements that we need to work on. So in the end I do see this kind of scheme working elsewhere. But then it might be called not talent mechanism, but maybe let's say Canberra mechanism, for example. Reality is you
can't take a one size fits all approach in any situation. It's going to be unique to the environment, to the crisis, to the act. But I do hope there's some lessons that Taiwan can take from Ukraine and obviously the international community in the event of a crisis of some sort or another. So I just think that many in my community gave Ukraine a week. Thank goodness they were wrong. And it also. But I think the real takeaway is a lot of blood, sweat and tears went
into ensuring their ability to withstand push back and fight. So can't take it for granted. No. And, and we still have a lot to do also in kind of
kinetic world. Absolutely, absolutely. So in terms of lessons that are still being learned,
I, I, I think you and I have discussed in the past the role of the private sector is something we're still trying to you trying to figure out through the talent mechanism. Is that fair? That is fair. But let me start from another
kind of observation and that is really about the role of cyber. I mean the main takeaway that I've taken from this bloody war is that if you bomb a maternity hospital, that has much bigger physical and psychological effects than taking down an abstract network. At the same time, the challenge for us is really to show actually the critical role of cyber. And we're seeing questions attacking critical infrastructure the same way as they do with the rockets. So that goes way that really goes against
the, the responsible state behavior that we are advocating internationally all the time. And there is no difference in between then the kinetic and cyber attacks. Yes, cyber attacks don't cause any life loss. They can in turn it can cause afterwards. And especially now, I mean with, with the cyber attacks and now really the physical attacks against the energy infrastructure in Ukraine. And we're in beginning of summer right now, but winter is
coming in some months and that's going to be really tough. And we sort of
touched on this for a second. But, but it is integrating cyber into traditional war fighting strategies that we're talking about here. Right. Because whether it's surveillance or reconnaissance or targeting, there is a cyber dimension to all of that. Even if it's, if its outcome isn't purely behind the clickety clack of the keyboard. Right? Absolutely. And it becomes
even more relevant with, with all the, the advanced weaponry that we give to Ukraine. We need to these also to work in a safe manner. Absolutely. And whether it's
a kinetic attack on a critical infrastructure or a cyber enabled attack on critical infrastructure, the outcome's the same. So it's kind of moot. And you referenced before the Viasat
case. So we have a new dimension also in the space. And then another kind of this observations is that cybersecurity now has also gained physical dimension because at the beginning of this war you also had Russians targeting Ukrainian data centers kinetically. So you also need to really think about physical security. Absolutely. And what are others gleaning, including
adversaries from the current crisis, do you think? I mean, I do think five years from now cyber will be interchangeable with traditional kinetic modalities. But what do you think some of the other lessons that Estonia is learning as well as maybe some of the allies in the region? Region. So I would tie that this into to a
question that you asked before about the link with the private sector. I do believe that this war is showing kind of tectonic change in terms of engaging with private sector and the role of private sector, the big tech. We are talking about Big Tech directly assisting foreign governments in a war. We're talking about big Tech also providing information and that our intel services are relying more and more on this information. And
we're talking about big Tech also storing or migrating sovereign data. So this combination creates certain expectations for the future. And are we ready to talk about these expectations? Many companies are also doing pro bono activities, which is absolutely great. But what are the conditions when the board, for example, decides that, okay, it's enough for pro bono activities,
now someone has to pay for it. Yeah, yeah. So again, it creates expectations. And now already for the second year, we've used the occasion of SAICON conferences in Tallinn. I mean, these are in our region, the best cybersecurity conferences. We've used this conference to have really kind of closed door discussions with the industry on these kind of expectations to start some kind of discussion and in the end, hopefully to come to
some conclusions. You're right. When you talk industry in the private sector, you've seen one
company, you've seen one company, they're all very different. A critical infrastructure owner operator would be very different than Big Tech. That would be more like a Google or a Facebook or the old Fang companies or an Amazon. The incentives are all a little different in terms of what makes them tick. But at the end of the day they're companies and if they're running at a huge deficit, they're going to be out of business. So that is a delicate balance. Yes. And we also had a case
with, with a Starlings, for example, when, when Elon Musk at one point decided that in one particular area the Starling should not work. So that has direct implications on war fighting and safety. Yeah, public. And again, yeah, I come back to the expectations. What should the governments expect then? And vice versa also. And is that something that's
being discussed within the talon mechanism, how to absorb? Because at the end of the day it's often going to be engineers coming from companies that are going to get the lights back on or get the, get the power running or whatever it may be. I mean, the implementation part is always the toughest and that poses so many
challenges. And the more countries you have, the more kind of procurement rules you have. So it becomes quite messy. But we are really trying to work out what is the best way to interact with industry. And, and personally I've also been in contact with the cdac, the Cyber Defense Assistance Collaborative that is kind of umbrella organization for the big tech in Ukraine. And they're doing amazing job. Yeah, they are. But then the question is how do you kind of align their doings with what we do
in telemechanism? And in no way do we want to kind of cancel their operations. No, but we, we want them to align to what we do and at the same time to see how we can really collaborate within the priorities that the Ukrainian government sets itself. And the lines between civilian and military seem to be blurring. Right.
So that gets complex there too. That's another one hour podcast. But, but I might
be wrong, but at the same time I, I'm feeling more and more strongly about the need in the future to really start discussing again what is military, what is civilian. Because in cyber security this kind of delineation doesn't make too much sense anymore. You have the hardcore military, let's say the weapons platforms and systems, let's leave this
aside. But everything supporting is dual use, transportation power. Yeah. To protect, deploy. Also with telemechanism, this is devised to follow the ODA rules so that it's development cooperation funds being used there. And then we have it coalition that Estonia is also leading that is focusing on military. But we're seeing right now already that actually then the line between these two is so vague. If we talk again about Starlings, is it military
then or civilian? Exactly. If, if Ukraine needs it for one moment civilian, civilian purpose, and then gives it to military to survive and fight back, where's the line? And
what lessons is Estonia gleaning to be able to better prepare and defend? I mean, let's hope that this is the last military adventure. But that hope is not a strategy and it's not a good one. I, I, what, what, what, what is being discussed back home to. I, I think that one of the main lessons and, and
I'm taking again a bit personal view on this is that kind of the basics still matters, that every country needs to invest in its own cybersecurity. It is not cheap, but if you don't do it, it's much more costly. And that lesson gets
lost. I mean, Estonia has always been not only covering its 2% but increasing that 2% over the past decade. Right. I mean, has always been in terms of defense spending in NATO and that doesn't even include all the cyber spending. So. So it's actually probably significantly higher. I think we are the smallest country with its own cyber
commands. So that, that's already telling quite, quite a bit. But in kind of if I take the helicopter view here, then it's really about safeguarding our digital lifestyle and way of life. Exactly. And this is so relevant right now also to Ukraine. So that is something that really unites us. So it's really in our interest also to showcase that Ukraine can be resilient. Absolutely. And it significant not only for Ukraine, which
of course is tantamount in front and center, but for so many others that can be observing as well. Right, Absolutely. I mean this isn't ancient history. It's not so long ago where many countries had been occupied by communists and the Soviet Union. So I, I think that gets lost in some of the discussion in DC. This isn't 100 years ago. This is recent history. So that my own family was personally impacted by and affected by so. And obviously yours. Tanelle. What, what other things should we
be taking? What lessons would you, if you were to speak to our congressional leadership and our executive branch, as you do regularly, what are, what are some of the big takeaways you'd be, you'd be providing them? This is a tough question. I would
say that don't dismiss cyber. And I, I really believe that actually the, the U.S. cyber ambassador, Nate Vic has done amazing job in terms of also popularizing the. The topic. And one great thing that, that the US has is that are actually these congressional hearings that really help to kind of bring the topics in front of the awareness. Yes. Yep. This is something that many countries don't have. So I would encourage
to use these kind of instruments more and more. What questions didn't I ask that
I should have? I mean one of these messages I still have is that we
have been really good in building trust, but you cannot build trust just overnight. So why the telemechanism is called telemechanism is because of our, not just our, I mean our collective work, but, but also because we had the opportunity, along with others to shape it. And we could, we could shape it because we had the context before. So we've seen also now that you have some countries who want to really be active in cyber and in Ukraine, but they don't have any context. They don't. And
they don't have the trust to build trucks. Years to build it and you can.
Lose it nanoseconds and another point here with Ukraine that I know is a really sensitive topic here in Washington, but elsewhere also is a corruption. It's a reality, is
it not? It is a reality. But at the same time, I'm witnessing also Ukrainians
that we are working with, and that's the Ministry of Digital Transformation and Foreign Ministry and all other agencies there that they're really sensitive about that. So they are doing their utmost really to make sure that we do things as accordingly, that we have sound procedures in place to really make sure that there's absolutely no chances for corruption. So I'm absolutely applauding Ukrainians for that. But we should not expect that that corruption
goes away overnight. Overnight. So it takes time. You know, it was a former president
of yours and a friend, Tomas Ilves, who said you can't bribe a computer. And the role that technology plays in all this can also bring in greater transparency. Exactly.
And this is another kind of narrative that we are using also for other countries who want to kind of take this digitalization path that this is the way how you can root out corruption, at least partly because you can always bribe a person behind a computer. Ambassador Sepp, thank you for spending so much time with us today.
Thank you for helping lead such a significant set of issues and fight that all of our countries are facing and hope to have you on again soon. And thank you so much. Just give me a call and I'll come. Roger that. Thank you.
Tanao.