What the hell is a ‘cyber diplomat’?

What the hell is a ‘cyber diplomat’?
Credit: MGM/icons8 (edited)

I’m an avid consumer of any TV series or podcast that’s even remotely political. I love the drama, intrigue, maneuvering, and most of all, the power. But when it comes to the actual workings of the world of geopolitics, diplomacy, and backroom dealings (those are still a thing, right?), I’m kind of clueless. Then I’m even more oblivious when you throw out the term “cyber diplomat.” Is it a Robocop-esque humanoid with a British judge’s wig? No clue, all I know is it sounds cool.

That’s why I went to Tallinn to speak with Estonia’s first Ambassador at Large for Cybersecurity, Heli Tiirmaa-Klaar — often described as Estonia’s heavy-hitter in the field of cyber diplomacy — to get the details on how this new frontier in diplomacy works, why Estonia is leading it, and what being a cyber diplomat actually means.

Cyber diplomacy is computers and stuff

First up, cyber diplomacy…? Although the name might seem like a weird amalgamation of sci-fi and bureaucracy, it’s actually one of the most important fields in geopolitics today. In its simplest form, cyber diplomacy is diplomacy in the cyber domain (incredibly informative, I know).

This basically means is that nation states are finally waking up to the importance of cyberspace (fun word for our computer/online/virtual world) and how it relates to national interests. Cyber diplomacy spans everything from security to trade, from freedom to governance. Stuff is happening to us via computers and countries want a say in how it happens.

And how do governments make sure they have a say, you ask? Through cyber diplomats.

Taming the digital Wild West

The reason why all of ‘cyber’ has been grouped separately when it comes to diplomacy is that we’re lacking the basic foundational rules we’ve established in other fields of geopolitics as a global society. You invade another country? Nope, not allowed. Don’t bother to clean up an oil spill? Think again, pal.

In cyberspace, it’s far from being this clear. We’re still struggling with basic questions like what constitutes an ‘attack’ in cyberwarfare — which would be quite obvious when it comes to other forms of aggression. What’s our collective stance on botnets, malware, and exploiting software vulnerabilities? That’s exactly what Tiirmaa-Klaar and her fellow cyber diplomats are trying to figure out.

Credit: Estonia's MFA
Heli Tiirmaa-Klaar speaking at EUCF19

“It’s paramount nation states make sure that cyberspace doesn’t become the Wild West, where everybody can do whatever they want,” says Tiirmaa-Klaar. “What’s happening now in a global perspective, is that we’re trying to establish the parameters of what behavior should be punished in cyberspace.”

Tiirmaa-Klaar mentions the WannaCry and NotPetya global malware campaigns as the most recent example of why it’s important to have clear international rules. The attacks originally targeted Ukraine and were likely perpetrated by Russia, but the malware soon spread across the globe, crippling hospitals in the US, factories in Tasmania, and even hit a Russian state oil company.

Was this an attack on every country that felt its effects? And if so, what do we do about it? There aren’t any definite answers to these questions yet, but the EU does at least now have ways to employ sanctions in response to cyberattacks — a tool which Tiirmaa-Klaar helped to create while at EEAS.

Currently, Tiirmaa-Klaar is helping to push for Estonia’s and other Western countries’ cause to establish proper ‘arms control’ in cyberwarfare. Unfortunately, this isn’t done through machiavellian scheming like in the suspenseful political TV dramas I binge. Instead, it’s more about slowly pushing for resolutions and improvements through years of talking, meetings, and compromises. Therefore Tiirmaa-Klaar advocates responsible state behavior to the rest of the world — one meeting at a time.

Wait a minute. All of this is fine (and sounds incredibly important), but are cyber diplomats just regular diplomats that talk about computer stuff?

Credit: Estonia's MFA
Beautiful picture of the Estonian Ministry of Foreign Affairs (bottom left) and the city of Tallinn

Not your run-of-the-mill diplomat

The whole field of cyber diplomacy is still alien to many traditional diplomats, who like most of us regular folks can get discouraged by the barrage of technical jargon that comes with it. Tiirmaa-Klaar says there’s a real need for specialized diplomats like herself that can act as translators and find ways to bring about necessary actions to improve cybersecurity.

This new breed of government officials, which she likes to call ‘cyber diplomats,’ also have to deviate from the traditional playbook to help the world catch up to the threats its facing.

“In more conventional arms control or non-proliferation talks, diplomats only talk to diplomats and they don’t really need input from other communities. But in the field of cybersecurity, you need to talk to all stakeholders because you need to keep up to date on all technological developments,” Tiirmaa-Klaar explains.

Just like when it comes to defending against cyberwarfare, cyber diplomacy therefore requires input from a whole range of experts — a real multidisciplinary approach. This is why Tiirmaa-Klaar finds herself spending almost 40 percent of her time speaking with non-governmental representatives, to tap into the knowledge and concerns of the private sector, academics, and the wider tech community.

Currently, the number of cyber diplomats is still small, but nation states are realizing the importance of this new type of diplomacy. Countries like France, Germany, Finland, Denmark, and Australia have similar posts as Estonia’s Ambassador at Large for Cybersecurity.

This shouldn’t be surprising for the bigger states, but why is it that Estonia keeps being among those who pioneer digital and cybersecurity efforts? One of the reasons is that Estonians know what it’s like to be under attack.

Cyberattack on Estonia was a defining moment

Even though there’s been seemingly endless leaks and breaches in the last year (Facebook, Google, Twitter, etc.), very few of us have felt the terror of being a victim of a cyberattack. Estonians, however, collectively experienced it back in 2007, when the country’s newspapers, broadcasters, governmental institutions and services came under attack.  

As the country’s basic services were hit with DDoS attacks, journalists couldn’t publish articles and government agencies couldn’t communicate. The attack, which has been referred to as the world’s first cyberwar, came after a dispute over Estonia’s decision to relocate a statue of a Red Army soldier in Tallinn — something Russia didn’t like. Although it’s never been proved, the general consensus is that the Kremlin was behind the attack.

Credit: Gette/Wikipedia
The disputed statue in its new location.

Tiirmaa-Klaar says this attack was a watershed moment for people and governments when it came to realizing the real dangers of cyberwarfare: “The attack was an incredibly important milestone when you’re looking at the history of cyberconflict — but mostly from a strategic point of view, not technical.”

She says the technical community might’ve witnessed much more sophisticated attacks before — as the capabilities for an attack like this had long been established — but how the cyberattacks were employed was new. “The attacks were used to support the larger campaign: in terms of timing, coordination, and selection of targets,” Tiirmaa-Klaar explains.

The future of cybersecurity is human

As I’ve covered before, cyberwarfare eventually comes down to the human brain, and Tiirmaa-Klaar says the same goes for cybersecurity. The motives and responses to attacks are all driven by people, and the domain is entirely man-made. The issue of cybersecurity is therefore not just a technology issue, as it eventually comes down to human behavior.

This is why cyber diplomats are truly a new breed of government officials, they have to bridge the gap between governments, the private sector, and citizens — making sure our society’s digital transition will be as smooth as possible.

Finally, if there’s one thing Tiirmaa-Klaar wants for people and organizations to understand about cybersecurity and other digital issues, it’s that it’s everybody’s responsibility.

“Every person who owns a smartphone, laptop, desktop, or any type of device has to make sure that there are minimum security requirements in place. And the same goes for any head of an organization,” says Tiirmaa-Klaar. “So it’a a bit like public health, it starts with basic hygiene that then supports the robust public health system.”

Tiirmaa-Klaar is optimistic we’ll be able to tackle the challenges of cybersecurity by making it more easily understood by people. Awareness is increasing, both in governments and among the public, and every day we’re finding new ways of visualizing and communicating cyber-related issues. Someday soon, people will know better than to think a cyber diplomat is a Robocop with wig.

Read next: Facebook is launching a ‘global’ cryptocurrency in 2020 – we’re all doomed