Marina Kaljurand. Photo Credit: Lawrence Jackson, licensed under CC-BY-2.0

Marina Kaljurand chairs the Global Commission on the Stability of Cyberspace (GCSC), a group of experts from around the world working on issues related to international cybersecurity. During a long diplomatic career in her native Estonia, she served as the country’s ambassador to the United States, Mexico, Canada, Russia, Kazakhstan, and Israel, and finally as Minister of Foreign Affairs. While she was ambassador to Russia (2005-2008), Estonia became one of first sovereign states in the world to be subjected to politically motivated cyberattacks launched in response to the relocation of a Soviet war memorial, the Bronze Soldier.  

Following her recent visit to the Silicon Valley, I interviewed Ms. Kaljurand about the development of international norms in cyberspace, the work of the Global Commission, and other pressing topics in cybersecurity.

International norms and legal frameworks in cyberspace remain a work in progress. How would you describe the current state of the cyber norms debate? What role does the Global Commission play in developing new norms and encouraging their adoption?

The debate on international peace and security issues in cyberspace is at a critical juncture. The issues we’re deliberating today will probably decide what happens in the next decade, at least, of international cybersecurity, and also how individuals experience cyberspace’s most important infrastructure, the internet. After the failure of the UN Group of Governmental Experts (GGE) to reach a consensus report in 2017, governments took some “cooling-off time” to evaluate the present situation and to consider the way forward. There are several ideas being discussed at both the global and regional levels. Some of them are focused on the UN or UN agencies, while others try to draw on the lessons of the past, actively avoiding the challenges those structures bring by considering radical ideas outside of the UN framework. What all the approaches agree on is that so-called “inadvertent escalation” – accidental war – through state actions in cyberspace is a real and increasing threat, and one that we urgently need to address.

To date, the focus has been the development of legally non-binding norms on the behavior of state actors – but also increasingly non-state actors – in cyberspace. These include commitments states make on what is permitted in peacetime. For instance, within the UN GGE it was agreed that critical infrastructure was off limits and that the work of cyber defenders should not be interfered with for offensive purposes. We are still a long way off from being able to draft new legally-binding conventions that would be both monitorable and enforceable, or even understandable in terms of having agreed on definitions of key components – so for now, legally non-binding norms are still our best way forward. We cannot even agree on what cybersecurity is, so obviously agreeing on how to protect it is a major task. And unfortunately, ideological division among states on approaches toward the use of information and communications technologies is deeper than ever before.

At the same time, everybody recognizes that international cooperation in cybersecurity is crucial, and that governments can’t provide effective cybersecurity without cooperation from the private sector, academia, IT experts, and civil society.

The Global Commission wants to drive the discussion forward by showing what factors need to be considered for the future. On the one hand, we support norms as a helpful step – and in fact have started drafting our own proposals. Our first norm, the Call to Protect the Public Core of the internet, has been widely praised for highlighting the importance of protecting the common critical infrastructure of the internet, but also for drawing attention to how that common infrastructure is currently run, and how that should be considered in making policy. We are currently deliberating a number of other norms that we may put forward, on issues such as election security, states “backdooring” commercial products, and so on. But we are also trying to go beyond norms, and help provide input on the wider governance questions that the demise of the UN GGE raised. For the first time in 20 years, there is no real consensus on the way forward, and as luck would have it, our Commission is one of the very few trying to tackle these issues. We have a historic responsibility to give this our very best shot.

You have spoken eloquently about the importance of promoting gender equality, yet the number of women in cybersecurity and related policy roles remains quite low – just 11 percent globally, and even lower in Europe and Asia, which is something we are keenly aware of in our grantmaking to help build a cyber policy field. What impact do you think increased attention to diversity, equity, and inclusion could have in better cybersecurity policy outcomes?

Cyberspace is not only for men, and certainly not only for educated, young white men. On the contrary, smart countries have understood that technology can and should contribute to the development of whole societies, and can benefit each and every person – men and women, young and old, people from cities and rural areas, individuals with Ph.D.s, and those with basic literacy. That’s why it is crucial to include diverse groups in policy discussions. I’m a strong supporter of getting more women involved in cybersecurity. The current situation reminds me how difficult it was for women to enter diplomatic service and to gain representation in foreign and security policy discussions. Today, finally, women occupy some very important posts in governments and international organizations, although it should have happened much earlier and there is still a long way to go. Look at the UN, NATO, EU foreign and defense ministers’ meetings – there are still very few ladies among the crowds of men. I hope that with cybersecurity, we will be smarter and faster. Foundations like Hewlett can make a difference in breaking stereotypes, promoting women in cybersecurity, giving them a voice and platform, supporting education, and introducing outstanding women as role models for this field.

Given the siloed nature of the huge sums spent on cybersecurity each year — government priorities or hardening individual company networks — we believe there is an important role for philanthropy to play in fostering more cooperation among government, industry, civil society, and academia. Where would you advise us and other funders interested in supporting cybersecurity globally to invest our resources?

Investing in dialogues and high-level exchanges is key. We currently have a great deal of knowledge out there and indeed, our Commission itself invests in new research, but the main challenge is getting that knowledge into the wider political debate to really facilitate change. The Commission has representatives from the technical and hacker community, experienced politicians focusing on data protection and critical infrastructure, leading business executives, and also former government officials who have planned and executed state cyber operations. The Commission is a way to connect and focus all that knowledge on a relatively narrow problem set – namely that of international cybersecurity – but that diverse knowledge base is incredibly important to other tasks as well. And we still have a real gap between those with technical knowledge and those with political knowledge, and unfortunately that gap is increasing, not decreasing.

Secondly, for those who are interested in liberal democratic values, it’s also key to support the multi-stakeholder model of internet management. The private sector builds the internet and does most of the coding and management of core logic infrastructure – government’s role on this has been fairly limited. Today, some governments are pushing for cyberspace to become predominately the domain of states. Obviously, that would be extremely dangerous to human rights and personal freedoms, and it wouldn’t advance the cause of international peace, either. I would therefore encourage philanthropy not only to invest in university research programs, as critical as they are, but also the actual basic foundation of internet governance – the volunteers from civil society, the programmer, the lawyer, and the policy person who built the internet to begin with. Cyberspace has grown dramatically, and so have the pressures on this community. Without the support of philanthropists, the entire delicate ecosystem that gave us the internet could wither away.