Well, thank you very much. It's great to be here. This is not a computer injury, my shoulder. And I'm very glad to be here because the Institute has always been very friendly toward us. Back when we were a supplicant, I mean a candidate member of the EU, then probably the best understanding of our plight and of our position around Europe I found here and precisely in this place. So I'm glad to be back. What I thought I'd do in my title really should be the good, the bad and the really ugly. And so I'll just talk a little about the good and why we are so involved in all this. This is basically for us, when we became independent again, we basically faced, we knew that we wanted liberal democracy and then we wanted to have a market economy. But the problem was that everything else was basically 50 years old, including our phone exchange. And the question was how are we going to get over this? How are we going to make up 50 years of unbuilt infrastructure? And the solution a number of us came upon was basically we're going to focus on digital solutions. We sort of leapfrog a whole bunch of steps, and that we're going to not take as aid legacy machinery forms, whatever, because we don't want to, we want to advance to the highest level as quickly as possible. And we took a fairly concerted approach to getting schools online, getting services online, taxation online, all of which had the benefit of getting kids starting very early on using computers, which is where my own experience with that was very important there. Tax compliance, tax payment compliance rates are much higher. If you have an easy-to-deal-with computer program, it takes me about two minutes to do my taxes. I just look it over, press the button, it goes off. And then all kinds of other things that we have online today, from eHealth records to voting, which in our case, we've had three elections, two general and one local election, none online.
Our eHealth services are probably among the best in the world. We have digital prescription, which I understand after an investment of 35 billion was an utter failure, a billion pounds was an utter failure in the UK, but in our case, 90% of prescriptions are done online. You just do it at home, or you call your doctor and you say, I ran out, he says, makes a few keystrokes. You go to any pharmacy in the country, you put in your little ID card, they say, okay, you get whatever it is that you need. But that's the good side. We are a country that is highly dependent upon the use of computers and ultimately just the rationale for it is not only that we can get to leapfrog a whole lot of backwardness, but the other thing is our fundamental neurosis with our smallness. I mean, we're 1.3 million. What can you do in the world? How are we going to survive in the world? I mean, we're sort of half the size of Copenhagen. It's a tough challenge. And the answer came to me reading a neo-Luddite, neo-Marxist text by Jeremy Rifkin about 15 years ago called The End of Work, and there he talks about how everyone's going to be without a job because all computers are going to do everything and machines are going to do everything. And the example he brought, which was so inspirational to me, was a steel plant in Kentucky which produced, I don't know, X hundred or thousand tons of steel a year and employed 12,000 people. Then it was sold to a Japanese company that automatized and computerized the whole operation and now they're producing exactly the same amount of steel but with 120 people. And this was an example of how terrible it all was. And as an Estonian, 1.3 million people, I said, this is great. This is what we need. We need to computerize everything and liberate people from doing all those things that machines can do better and have them do creative things. And that's more or less the way things have gone.
I guess we're the most advanced country in Europe, at least on e-services or government services on the web. I mean, other areas, perhaps not so advanced. One of the advantages of the school program, of course, the kids started learning programming at a fairly early age, which then brought brilliant results for us when a group of four kids first invented something called Kazaa, which they then almost went to jail for in the US, but they escaped that and then they invented something because basically it's based on the same kind of idea but it is called Skype. And Skype's research and development headquarters remains in Estonia even though they pay taxes to Luxembourg and they're owned by Microsoft today. But anyway, these young guys, disgustingly young people, are all billionaires, but what can you do? Now, on to the nasty part, which is the bad, and then we'll get to the really ugly. The bad part is that the computer crime has been going on almost since the beginning of the use of computers. I remember in 1972 reading an article about how clever programs that rounded up interest or rounded off interest would sort of give sort of, you know, 10,000th of a penny would be deposited in some other account, but if you do this for a New York bank you end up pretty soon amassing quite a bit of money. But things have gotten much more advanced and in 2007 we were subjected to what are called DDoS attacks. Distributed Denial of Services attacks, which for the uninitiated is basically huge numbers of attacks come to a server and it overloads the server and it frizzles or stops working. And the mechanism for doing this in all cases almost are using mafia, criminal, network of robot computers, hijacked computers that are called bots, and botnets are networks of hijacked computers. They're under the control of some group.
Their day job is sending out Viagra ads via spam but they can be hired for doing other things and that is focusing instead of a wide array of recipients that you can have stuff that piles up in your junk mail. They can be used also to attack a specific computer and do it sort of a million pings a second and the server can't handle it. Now DDoS attacks which do represent already a unique form of public-private partnership between or can represent if they're hired for political ends have been used for years against mainly ministries of defense. The Germans, the Israelis, the Americans, the Brits, the Estonians, you know, the Pentagon, they've all been subject to DDoS attacks. They're kind of a nuisance. But they, and those clearly are a case of public-private partnership because basically who really cares about the, you know, sort of, you know, I mean, they don't care about ministries of defense, governments do, governments organize them and that's what we have dealt with. In 2007 we were Estonia because of a political dispute we had with the Russians regarding a statue of a Soviet soldier that was in the center of town. I guess you would, the moral equivalent of it would be to have a soldier from your eastern neighbor, a statue of a soldier of your eastern neighbor in your main square and then they wanted to keep it there and you think you don't want it there. We basically had the same problem and so we moved the statue. We did not destroy it or anything. We just put it into a less obvious place. We put it into a military cemetery. But as a result... But we found as a result of this, I mean, increasing number of cyberattacks which culminated on the 9th of May, the day of the anniversary of the end of World War II for the Soviets; it's European day for us, and in the rest of the world, May 8th is the day, but Stalin wanted to have his own day. Anyway, May 9th.
And our banks were attacked, our newspapers were attacked, all government sites were attacked, briefly even our 112 emergency number was attacked and the newspapers were down, the banks were down, government sites were down. Looking back on it, I mean, it was kind of this crazy period and they're all kind of ad hoc solutions, banks, in order to keep these, to stop these attacks basically, we isolated the country, wouldn't take anything in from outside of the country, but then again, all the people, since so much of our banking, 95% is done online, that means any kind of transfers from abroad or to abroad were then shut down. I mean, it clearly had major economic effects. When we looked at it after the attacks, after the fact, we went to our CERT, the computer emergency response team that every EU member has one of these CERT things where the smart guys with ponytails look at what's going on in the infrastructure. I was showing a graph of this and I was expecting sort of the normal Gaussian curve sort of rising up and then fading away and all centered around this time, when in fact the graph they showed me was completely discrete. It's 0000 GMT, the attack started and then it just was hugely high level, lasted exactly 24 hours, 0000 GMT, the next day it stopped and I said, well, this is not normal. I mean, this is not to be expected. And they said, yeah, right, well, that's the way it was and I said, well, how was that? I said, well, the money ran out. I mean, the money ran out as well. So, I mean, these things are hired, they're rented, the attack lasts for a certain number of hours and then it stops. I mean, this is all for rent and that's where I realized there was this thing, this sort of unique public-private partnership going on and it has nothing to do, I mean, certainly that disposes the whole argument that these kinds of things are, you know, this is an enraged civil society protesting against the movement of a statue. I mean, this is done for money.
The next step in this kind of stuff, which sort of gets a little more, sort of creates a little more nervousness, is that a year later in the Georgian War, what the military calls these days, kinetic attacks, that is anything that flies, that hits you, be it a bullet or rocket, a missile, in areas that were being attacked by the Russians, about half an hour, 20 minutes, sometimes an hour beforehand, there were coordinated cyber attacks against that area, which is, you know, if you think of Colin Powell's sort of new integrated approach of warfare from the first Gulf War, which is basically, you combine the air attacks together carefully in precision manner with the tank attacks, that data, this was moved one step beyond. I mean, I won't talk more about it, except that if you Google something called the Small Wars Journal, there actually is something called the Small Wars Journal, and the January 2011 issue has an article by a senior officer in the U.S. cyber command about how they found that these cyber attacks were taking place against sites that basically blank out an area, so to make it sort of blind. And that was, we see that this is serious. Now if we move beyond that, the next level where we all get very nervous is that there is something we've all probably read about, the Stuxnet attack on the Bushehr uranium enrichment plant. Now what Stuxnet did was it attacked something called a SCADA system, which is a supervisory command and data acquisition program, but we'll keep it at SCADA. And the SCADA system is basically an internet-based system that controls something. And this is something, in this case, it's a kind of feedback loop. The centrifuge starts going too fast, something monitors it, which is constantly monitored, and something says, okay, slow it down, it slows down, then if it slows down too much, then the data comes back, says speed up. Everything is run on these things. But this was a specific program designed to drive this system crazy.
And it worked. The problem we face today, our SCADA systems aren't everything. Your supermarkets, basically I'd say that any modern European supermarket's food supply is based on a SCADA system. How much milk, how many cans of peas, whatever. It's not the guy in the little sort of goes around with his clipboard saying, okay, we need more peas. I mean, it's all done automatically. It's just all on the internet. It's there, that's how it works. You don't see it yourself, but it is done on the internet. And SCADA systems are highly vulnerable to these kinds of attacks. One of the problems with the Stuxnet approach that was specifically designed for the Bushehr centrifuge is that basically if you sort of know, you can read code, you can basically take out the centrifuge specifics and you can apply it to anything. Power plants, you can apply it to. You can apply it to cars. I mean, there have been experiments in which using the Bluetooth connection to a car radio, you can shut down a car's brakes. How much toner you have in your photocopier is also on a SCADA system and you get sent the toner on the internet, the signal says it's down to this level. Except if you control the SCADA system you can do something very clever such as basically send copies of everything in photocopies to another number or someplace else. I mean, you can do anything with these systems. Unfortunately, if you put enough brains to it and that's where everyone is getting really worried because they're huge vulnerabilities. Both in Estonia about a month ago we did a, the government, the cabinet had a gaming session and they shut down our electrical system. President Obama did the same two weeks ago because again, people don't worry about, we didn't believe it and basically did a gaming session and they shut down an electrical power plant in New York in, I mean, in virtual reality.
But it's, you know, if you can achieve the shutdown commands through computers then it's just basically as good as a real shutdown command. Now, while this is, while these are the kind of more military kinds of problems that we worry about, I would say there's our own experience so that the real problem perhaps or the most threatening problem to countries, especially if they think that they have no enemies, is actually to our economies. All right, my experience was basically last year that the Munich Security Conference which is, a little more time, Munich Security Conference which is held every year in March. In Munich it used to be called Wehrkunde. It's where all the security policy people come together and talk about all kinds of nasty things. Last year was the first time everyone ever approached the topic of cybersecurity. And why it was so strange for me was that suddenly, I mean, in particular the speeches from the UK, because in all of our attempts to get countries to sort of work on the issue of cybersecurity the UK had always been the most standoff. It always blew us off whenever we said, luckily we don't need to do something here. And suddenly they have, Cameron comes and gives a speech, three quarters of which is devoted to cybersecurity. William Hague comes and he gives his entire speech, which is devoted to cybersecurity, announces there's a huge cybersecurity conference taking place, which took place last December. And then I went to Dame Pauline Neville-Jones, who I just happened to know in the security policy field for years and years: so what did you guys, what's happened? I mean, why have you changed?
You have basically been telling us all these years, and no, no, no, this is not worth talking about, and suddenly you've done a complete change in policy. And so, we realized how much money we're losing, and that the real, our countries', UK but basically, wealth these days is basically on our, is based on our intellectual property, not movies and act though, but I mean product development, drugs, computer programs, whatever. It's all done, it's all on computers, and it's being stolen. And it's not only the UK problem. Last week, my name is Shawn Henry, but just in my first name you probably have some Irish roots, is what it is, still, it's for a little time longer the head of cybersecurity at the FBI, and he was, he testified before the US Congress, and basically he said there's a company, he didn't name which one, that had lost in one night, stolen, 10 years' worth of research done by a US company, amounting to a billion dollars of investment. And it just was like, we can imagine where it went, and they got it for free. I mean, they have it. And I mean, it was a very depressing testimony. You can read about it in last week's Wall Street Journal, and today's New York Times has kind of even sort of a sexy summary of it by Richard Clarke, who has written one of the best books on cybersecurity in general. I highly recommend it before it goes out of date. I mean, all things do go out of date in this field very quickly. The problem is that it is, for any country whose wealth and wealth creation is based on intellectual work, not on natural resource extraction, has to pay attention to these issues, because you're going to lose it. And, you know, if they're attacking Estonian companies, and it's not just the big ones, and in Ireland, with such major emphasis on IT, on intellectual property work, so much of your wealth creation comes from precisely the kind of stuff that depends on your independent research, your investment into new products. You're being attacked. I mean, I don't know, no one will tell me you're being attacked, but basically, if you're doing anything worthwhile, you're being attacked. And so think about it.
Where do we go from here? I mean, there are a couple of solutions and a couple of problem areas. The problem is that IT, or this whole area of cyber, is not, we talk about cyber war, cyber defense, it's less akin to having joint forces, peacekeeping forces. It's not countries come together and say, okay, we'll give you 50 men, we'll give you three tanks or whatever, and we're going to go to Lebanon or Somalia or Afghanistan. It's much more like espionage or the whole intelligence field, where no one talks to anybody because everyone's sort of, and while we understand, but the approach unfortunately has to be international, because basically you'd be a real idiot to attack your own country from inside your country. I mean, if you want to get at something, you're going to do it from somewhere else, especially given the sort of, the sad state of legal affairs regarding cyber crime, cyber war and so forth. So without cooperation we're not going to go anywhere. Limited attempts of cooperation exist in terms of the Council of Europe treaty or convention on cyber crime, which, it's actually pretty good, and it's not only the Council of Europe, it's been acceded to by the United States, by Canada, the Philippines, Japan, South Korea, I mean other countries involved in intellectual property. But of course two countries in the European, in the Council of Europe, Russia and Belarus, refuse to sign on to it, and of course China does not sign on either. So I mean, not much good, and the biggest problem causers are not there.
At the European Union level we have been facing for years the traditional stovepiping problem. We have basically four different directions dealing with cyber security, cyber cooperation, and so each one has their thing, they don't really talk to each other. Of course, this happens in governments too. In my country we have the Ministry has one thing they're doing relating to cyber security, the Ministry of the Interior has their silo and the Ministry of Defense has its silo, and so even there, trying to get cooperation inside of a government is hard because everyone has their own turf. Now when we look at the EU, it's even harder. Cecilia Malmström was in Estonia last week opening the Schengen data system agency, and she promised that she would be coming up with something by the end of the year to try to bring these different agencies in the EU together.
There's one more thing where I would just throw out, which, I mean, when going back to 2007, one of the things, we're so, we sort of smile about, is that the cyber attacks really were an own goal for the people in it, because we have been complaining, we have been urging NATO for years to say we need to deal with this issue. Again, they kind of blew us off all the time. Then came April, May 2007. They said, oh, we have this great idea, why don't we have a cyber center in Estonia? Cyber center in Estonia, which basically deals with the more theoretical aspects of it. Its official name is the cyber center of excellence. It's under NATO, and we are open to all and sundry, so neutrals, Switzerland, I mean Sweden, Finland obviously, Austria is sending a full-time person there, Korea. So anyway, you guys are interested, just talk to us. I mean, it carries the name NATO, and I realize that sort of politically there's a different resonance in Ireland, but nonetheless it is, you can think of it as a sort of PfP terms, and we'd be glad to have someone if you're interested. And the ambassador can, there's the former ambassador, hi. Anyway, that's one area. There you are. Yes, I mean, that's one thing we can do.
We need to address these issues far more than we have in the last couple of years. Cyber has been bogged down with ACTA and those problems in terms of intellectual property being illegally downloaded, and it's mainly sort of Hollywood intellectual property, but let's not get carried away and let's keep our eye focused on the real issues. I could talk about this for basically four hours non-stop, so I won't talk about it anymore. I've spoken for a half hour and that's enough. Very much, it's great to be here.