Estonia’s cyber ambassador on digitalization, punching upwards and outing GRU spies

Over the best part of the last four years, Tanel Sepp, Estonia’s inaugural ambassador-at-large for cyber diplomacy, has helmed a surprisingly effective diplomatic enterprise. Estonia has an outsized footprint among international efforts to address the problems of digital statecraft — including recently identifying three officers working for the GRU, Russia’s military intelligence agency. He is set to leave the role in August and head to Seoul to become the country’s ambassador to South Korea.

Sepp argues that Estonia’s diplomatic footprint exists because of, rather than despite, its size; with a population of just 1.3 million, Estonia is the third-smallest country in the European Union, ahead of only Malta and Luxembourg. Sepp attributes this overperformance to Estonia seizing the moment when it regained its independence in 1991 and became relentlessly focused on digitization, partially to address the economic impact of Russian occupation. In 2007, following a political decision to relocate a Soviet-era war memorial, the country faced a series of punitive cyberattacks crippling this prized digital infrastructure. The incident highlighted how critical cybersecurity was to Estonia's wellbeing. The political scene in Tallinn has now been awake to those risks for much longer than they have approached the pressing end of agendas in Washington, Westminster or Brussels. 

Most recently, the full-blown Russian invasion of Ukraine has reminded Estonians of their own families being torn apart by deportations during Soviet occupation. Sepp is proudest of his team for their work on the Tallinn Mechanism, an effort to support Ukraine’s civilian cyber resilience amid ongoing Russian attacks. By the Estonian government’s own estimates, alongside this civilian and humanitarian assistance, its military assistance for Ukraine has been equivalent to more than 1.4% of its GDP — smaller in real terms than many other state donors, but proportionately the most generous of any.

Recorded Future News spoke to the ambassador-at-large on the sidelines of the Tallinn Cyber Diplomacy Summer School — another of the Ministry of Foreign Affairs’ efforts to help build a platform for diplomats and experts to navigate cyber issues — about the country and his team. This interview has been edited for length and clarity.

Recorded Future News: Why does Estonia have an ambassador for cyber diplomacy?

Tanel Sepp: I think any country that cares about digitization and cybersecurity needs to have this kind of position, because both digital diplomacy and cyber diplomacy have become mainstream fields. There are many different negotiations going on internationally, and we feel that we need to be present because Estonia is one of the most developed countries in terms of digital governance, digital services. We consider ourselves a digital nation with a digital lifestyle. This is kind of our niche topic.

RFN: How did Estonia become that kind of digital nation?

TS: When we regained independence in 1991, we had been under Soviet occupation for 50 years and the economic impact was devastating. We were poor. We had to re-establish our whole government, society, but without any resources. We were lucky in a way that the beginning of the 1990s also coincided with the emergence of the internet. And we were lucky also as we had a very young prime minister then [Mart Laar] who assumed the position when he was 32. He also had young advisors, and he was wise enough to listen to these advisors who were suggesting that we use digital tools. At the same time, we didn't have enough money to buy some of the products off the shelf, so we had to devise our own. Again, we were lucky that we had enough engineers who were able to put together these kinds of tools. So it escalated. Putting things online made the administration cheaper, made it more transparent, gave us opportunities to get rid of Soviet-era corruption, and made the whole governance manageable. By the end of the year 2000 our government went paperless. That was already 25 years ago.

And then 2007 came. The government decided to move one Soviet-era statue from the center of Tallinn to a military cemetery — which is also actually quite in the center of Tallinn — to place the Soviet war memorial alongside the graves of Soviet soldiers. That caused cyberattacks, mainly DDoS attacks, that were the first nationwide attacks. These really disturbed our everyday life, the websites of the financial sector, media, government sector were taken down. It was a wake-up call that with digitization, you really also have to think about cybersecurity. It was a wake-up call for everybody. So that's where it started.

What is really important for us, and the main lesson, is that in today's world you are always under the threat of cyberattacks. The question is how you mitigate the risks. In 2007, we managed to recover our services quickly. We were pushed to our knees, but we stood up quickly. And that is part of the story really, because with digital solutions, with e-Governance, the core is the trust. How do you build up trust towards the systems? Because if people do not trust the systems, they won't use them. If people don't use the systems, the systems are useless.

RFN: Many countries struggle with digitization and with cybersecurity and, speaking to some of the foreign visitors to the Summer School, that is something Estonia is seen to have succeeded at. Has your relatively smaller population made that easier?

TS: It might be, but it might not also be. What do you really need in terms of carrying through some reforms? You need political will. Without political will, you won't get people to use any systems, you won't be able to create any kind of unified system. We see so many places where people have three or four different ID cards for different systems to authenticate themselves. It has to be one unified system to really make it work. 

This has given us a system or mechanism where we have digitized all the services. We have structured data about everybody using those services, and that allows us now to potentially move on really fast in terms of using AI tools to make sure that we take the positive benefits of AI. For example, the government has a “personal state” project using AI tools to make it easier to provide services for people. If you think of a person's lifecycle, everybody has more or less the same life events. So let's provide or propose some of the services that people need when they need them. So people will not have to go and ask for these services themselves, but the state will provide them proactively — and we can actually use a lot of AI tools for these kinds of purposes.

It was over 20 years ago that we understood that we had something special with the digitization of Estonia, and many other countries were interested in that. So that's when we actually established the e-Governance Academy, because our government system is so small that we would never be able to cater all the requests [for collaboration and information sharing] coming from abroad. So we needed some additional body here that would focus exactly on that.

And we got people with reform experience at the e-Governance Academy and this is how it has been thriving, in a way. Of course, we're also using our companies a lot, because our companies obviously have business interests abroad. But the key point here is the way we developed our e-governance system has been a really good partnership between the government and private sector. I keep saying that what we have done right is that the government has been a smart customer for the private sector, because the government always needs to figure out what exactly it needs and then we have let the private sector deliver.

RFN: The sense of reform experience and the role that tackling Soviet-era corruption played in Estonia’s digitization is really interesting to me. Speaking to some of the international participants here at the Summer School, there’s a strong sentiment that Estonia doesn’t feel like a post-Soviet state. They say it feels more Western European. How did you get here, from Soviet occupation to becoming a member of the European Union, NATO and — as you’re proud about — so digitized?

TS: Well, to answer this question, we have to go back in history to the 13th century. The whole Estonian identity is a miracle for me in a way. We have some written documents from the 13th century when Estonia was crusaded by the German Teutonic Order — and some other countries also — we have evidence of our Estonian language from these documents. We see some phrases that we still recognize today. And then we were ruled by many different crowns. Our neighbors, except Finland and Latvia, most of them [ruled us at some point]. But to see that Estonian culture, the language, Estonian identity has prevailed throughout these centuries… that is, at least personally for me, why I feel proud to be Estonian and to speak the Estonian language and carry on this legacy in a way. And this is why independence for us is so important, because we're so small — just 1.3 million people — we have this feeling that we need to be number one in everything, in everything that we do. So this is why we strive to be as good as possible, also internationally. We're very competitive in that sense. If you look at the social media feed of the foreign ministry, you see a lot of these charts where Estonia is leading internationally, this is kind of in our nature.

RFN: Do you think your efforts have been successful in driving stability in cyberspace? 

TS: What are the metrics of success here?

RFN: Globally, are we seeing fewer cyber incidents?

TS: No. We see more and more. But we also see more occasions where we really try to attribute different kinds of cyberattacks, and also create consequences for those attacks. As Estonia is part of the EU, the EU Cyber Diplomacy Toolbox is a very useful set of tools for us where we can really get some of the perpetrators under EU sanctions. That already means quite a lot, and it's also quite a big international message. Because, the main threat for us is obviously Russia, and Russian people, Russian authorities, the States, with the present war against Ukraine, they're under so many different sanctions. So even if we attribute some of the Russian hacktivists or hackers, and we get some sanctions on them, it might not have such an impact on that directly, but it gives a clear message. And we do not take attribution statements easily. We’re careful that we don’t dilute the meaning of these attributions.

RFN: What was the most recent attribution?

TS: I want to bring up the fifth of September last year. It was the first time when we actually concluded our own investigation and came up with three names, three GRU officers. And this was actually a bigger international investigation, over 10 countries were involved, but we had our own investigation. I hope that that the fact that we actually concluded with the three names — it's factual, it's evidence based — that it also gives a signal that attribution is not something only for the big countries, also small countries can do it.

RFN: We spoke earlier about Sir Richard Moore’s praise for the Estonian Foreign Intelligence Service, and the attribution also contributes to that picture of the competence of the Estonian authorities. Where does all of this expertise, the digitization too, the Summer School, the CCDCOE, come from?

TS: When I talked about the Estonian digital story, as mentioned we had some lucky moments. In this context, I would, in a way, rephrase it, saying that we have always tried to take advantage of any situation. So at the start of the CCDCOE, we had started a center of excellence before the attacks of 2007, but these attacks — while they brought political attention — we managed to raise it up to the NATO level, and get the accreditation of NATO to the center, and then also gather more political support to this. So we use that moment.

Of course the current Russian aggression has clearly shown the importance of dealing with cyberattacks, because what we see in Ukraine is that cyber has now been fully integrated into conventional warfare. And there are many lessons to be learned there. But for me here, the wider context is that, as I keep saying, that any country that is dealing with digitization has to be in Ukraine, has to learn how to build up their resilience. Because the story of resilience in Ukraine is just remarkable. They have kept their digital services running throughout the war. This is something really special. Almost every country in the world is digitizing to a certain extent, so I think we really need to stress the importance of that.

What we're trying to do also, and here I'm bringing in the Tallinn Cyber Diplomacy Summer School, is build a wider community of cyber diplomats, a network. Actually, I shouldn't say cyber, because it's a diplomatic network of those who deal with cyber. We have seen, already for some years, that there is a knowledge gap amongst the diplomats who could really deal with cyber issues. And when I see what's happening in the UN over the past years, you've had the like-minded Western countries, and then you have China, Russia, and in the middle there’s a huge group of countries that don't have the capacity to be on either side — or at least, we don't want them to be on the Russian/China side. So we really had to stress on capacity building. And there wasn't anybody really doing this kind of thing. Well, UNIDIR [the United Nations Institute for Disarmament Research] has been doing some capacity building with some countries, and been doing in a smaller scale, but we saw that there's a need, really, to bring in people from all around the world, for them to build a community, to exchange ideas and views, and to really create the network for them for the future. This year, we're organizing for the third year this kind of global summer school, and we also created the Summer School’s own WhatsApp group where we keep that alive, so whenever people need to they can immediately ask questions from there. Or, what I've been trying to do is when I'm at the UN at the Open-Ended Working Group sessions, and I see somebody from the summer school speaking, taking the floor, I immediately post a picture to the group saying, ‘Hey, you see, it's useful.’