“Nothing in Cybersecurity Is Satisfactory:” Former Swedish PM Carl Bildt on the Need for Norms in Cyberspace

In February 1994, Carl Bildt, who was at the time serving as Prime Minister of Sweden, typed a brief two-paragraph email addressed to then-U.S. President Bill Clinton. The note congratulated Clinton on his decision to end a trade embargo on Vietnam, but also marked a historic event for the internet: It was the first known email sent between heads of government.

“Sweden is—as you know—one of the leading countries in the world in the field of telecommunications, and it is only appropriate that we should be among the first to use the Internet also for political contacts and communications around the globe,” the message read.

Among world leaders, Bildt has gone on to become an outspoken advocate for the internet, and was an early pioneer for email newsletters, blogs, and social media platforms including Twitter. He’s chaired committees on global internet governance, and has pushed to keep the internet open and accessible, even as countries increasingly tighten their grip on how citizens use it.

I talked to Bildt recently about how global leaders should think about cybersecurity, and which policies and practices can help keep people safe online. To Bildt, we are often our own worst enemy: “The greatest threat is ignorance. That you don’t pay sufficient attention to sometimes rather basic cybersecurity issues,” he said. The conversation below has been lightly edited for space and clarity.

The Record: You wrote several years ago that cybersecurity is high on the list of global concerns—it’s clear that you were right. Do you think the problem will continue to worsen, or are you optimistic?

Carl Bildt: Either way, there’s no doubt that cybersecurity is getting far greater attention than it was years ago, but the threat picture or the challenge picture—however you may phrase it—it’s increasing at least as fast. Our dependence on digital systems has taken a substantial leap forward during this particular year with COVID-19. So it’s a race.

It’s good that cybersecurity is more highlighted and more of a source of concern for political and business leaders, but the magnitude of the challenge has also increased.

TR: What’s the biggest threat you’re concerned about?

CB: The greatest threat is ignorance. That you don’t pay sufficient attention to sometimes rather basic cybersecurity issues. There’s a lot of attention paid to the more sophisticated issues—Russia or China breaking into systems, yeah that’s a major threat, no question about that—but a lot of that is facilitated by minor errors made by people being careless. A lot more attention needs to be given to upgrading general awareness, of the need to be careful and take precautions. If you do that you block a lot of low-level stuff, but also high-level threats.

I keep in the back of my head that the Pentagon a couple of years ago did a study of the breaches they thought they had, and 80% were caused by people making small errors that they shouldn’t have done that create vulnerabilities. The more sophisticated operators out there, it could be individual hackers looking to make money or have fun—robbing banks nowadays ain’t much fun, because they don’t have any money in there, but the digital version of it, ransomware, is gaining ground quite substantially. You have cyberwarfare operations, and we’ve seen in a number of cases a lot of collateral damage, because by their nature cyber operations and cyberweapons are difficult to restrict. You can try to target it in one place and sometimes they succeed but we’ll see them proliferate in other systems as well. And we’ve seen them turned around and used against the countries that developed the tools in the first place—it’s a fairly dangerous environment out there.

TR: How do you think world leaders should be thinking about cybersecurity and cyber threats?

CB: I think every government must have fairly high policies as the priorities, to set up the national structures and manage it—protecting the critical security systems, critical national infrastructure, but also a lot of things that are critically important to society and the private sector, so setting up methods for collaboration and information sharing between state agencies and different private actors. There isn’t always a tradition of doing that, but the necessity of doing it should be apparent, I think.

In Sweden overall a lot of the critical infrastructure is privatized. Telecommunications, to take one thing that’s fairly important. Sometimes these private actors are more aware of the dangers and are taking precautions. A telecom operator would be aware of these things because you’re in the vicinity of everything happening on a daily basis, so you might take your precautions. But do they share that information with other companies? Are they aware of what’s happening with other parts of society? Do they share the information with the state? Sometimes they do, sometimes they don’t. And then of course you sometimes have the problem of private actors not being keen to share attacks that have been successful, because that could have a negative impact on their reputation. Financial actors, to take one example, are attacked constantly but banks don’t are not keen on putting out a press release every other day saying we’ve been attacked. This is perfectly understandable and natural, but it might have a negative effect on the information sharing.

TR: How is information sharing accomplished in the EU right now?

CB: Different in different countries. The EU is setting up different agencies—they’re setting up a new cybersecurity agency that will be located in Bucharest, we have a cybersecurity network in Greece and Brussels. There are different agencies but a lot of this is national competence, so it’s a question of coordination between the different companies. A lot of it is bilateral and based on the different relationships.

TR: Do you think that system is satisfactory, or would you want there to be changes?

CB: There is nothing in cybersecurity that is satisfactory—that’s the simple answer. There’s a need for constant improvement.

TR: You’ve been an advocate for the internet for decades. Which policies do you think world leaders need to advocate for that will ensure a safer internet?

CB: They need to have the state organizations that are able to deal with this, in coordination with the private sector. Then there’s of course a constant political dialogue between different nations on standards and technical issues that sometimes is not given that much attention. But it’s very important for the evolution of the internet, and has implications for how we deal with cybersecurity sometimes.

TR: There’s been a lot of talk about the splintering of the internet—some people call it the balkanization of the internet. Do you think it will remain coherent, or will we soon see an EU internet, a Russian internet, an Iranian internet?

CB: A couple of years ago I was chairing a commission on global internet governance, and we spent quite some time on that particular issue and we were very concerned with that—it was given substantial space in the report we issued. I think the open and global nature of the net has been a huge advantage. But clearly there are tendencies of the balkanization of the net, primarily with the Chinese but not only the Chinese. They talk about internet sovereignty, which is essentially every state should control its part of the internet. That would be a disadvantage of the long-term evolution of global cooperation and integration. But there’s no question that there’s a significant move in that direction.

TR: What can be done to reverse that movement?

CB: We argued that we keep it open as much as possible. And there’s a discussion going on in the framework of the United Nations, as difficult as it is, of norms for state behavior on the net. It has been possible to agree on entirely basic things, but I understand that the work has stalled again. I think it’s important to keep that dialogue going to see if we can get some agreement on standards for state behavior on the net.

TR: Which norms do you hope to see in the future, and how do you think we’ll get them?

CB: There have been a couple of different attempts—I was involved in another global commission that issued a number of suggested norms and tried to get them included in the UN process. Then the French government suggested another set of norms. But then of course it sounds difficult when you look at something like the SolarWinds thing that happened, and whether that violated any of these norms. It’s not entirely easy to say, in part because there are aspects that we don’t know… but was it just an intelligence operation? In theory intelligence operations aren’t only undertaken by Russia, and no one has suggested that there should be a norm against intelligence operations. But did it go further than that? Did it insert things, start to tamper with the data, did it do God knows what? Even if the norms discussion is an important one—and we’re making gradual, grudging progress on it on the international scene—the applicability of it is far from easy.

TR: Related to that, countries always deny that they’re behind attacks that have been attributed to them. Doesn’t that make norms and standards seem toothless?

CB: Attribution is difficult, it’s not a 100% thing, but there has been development in the last four or five years where investigators have been more willing to go public and make attributions. But you have to be fairly certain when you do it. Sometimes they feel embarrassed, sometimes they don’t care, but sometimes it changes their behavior.

Anyhow, I think it’s a trend that we should see as good—that when you can attribute, you should do it. And you also have a lot of private cybersecurity firms doing it—SolarWinds was attributed by a cybersecurity firm.

The greatest threat is ignorance. That you don’t pay sufficient attention to sometimes rather basic cybersecurity issues. There’s a lot of attention paid to the more sophisticated issues—Russia or China breaking into systems, yeah that’s a major threat, no question about that—but a lot of that is facilitated by minor errors made by people being careless."

—Former Swedish Prime Minister Carl Bildt.

TR: Russia was blamed for an attack on Swedish media organizations a couple years ago, and more recently was blamed for attacking Norway’s parliament. What repercussions should they face for attacks like these?

CB: I think it’s very difficult and I’m not quite certain what can be done. The only effective thing that can be done is to beef up your defense, become aware of the way the world works and defend yourself.

TR: Would an appropriate response ever involve offense?

CB: It’s tricky business. Under normal circumstances I would be very careful with that for X number of reasons. First, you have to be extremely certain of attribution, otherwise you end up in an escalatory situation. You think you were attacked by someone, you attack that particular organization, they might not be particularly happy and attack back. They might think the attack was from someone else and attack them instead. So it is tricky and i’ve always cautioned people against being too forward-leaning on offensive cyber operations, because I think there are a lot of dangers involved and I think they can never, ever replace having an appropriate defense.

Cyber weapons are a bit like nuclear weapons, but to some extent are more similar to biological weapons because you don’t know where these things end up. A nuclear weapon you see a big bang and where it’s coming from. And when it’s blown up, it’s blown up—they’re not reusable. Digital weapons are. You can catch it, you can reengineer it, and you can reuse it. If you manufacture pretty sophisticated things and send it out there, you might see that the adversary finds it and uses it. We’ve seen examples of that.

TR: What will it take for countries like Russia, China, or Iran to arrest cybercriminals operating within their borders?

CB: We do have a proliferation of cyber actors. These countries—whether it’s Saudi Arabia, Russia, or whomever—must be aware of the fact that these people present a risk to themselves as well. Sometimes there can be an interest in getting these things under control, because cyber criminality is a threat to everyone. But in the absence of those actions, improving cyber defense is the number one step.

Carl Bildt served as Prime Minister of Sweden from 1991 to 1994, and was Sweden's Minister for Foreign Affairs from 2006 to 2014. He currently co-chairs the European Council on Foreign Relations, is on the Board of Trustees of the RAND Corporation, and was recently named an advisor to Recorded Future, among other roles.