Transcript
Kristjan Prikk [00:00:00]: We believe that our kids will not lose the jobs to AI, but rather they may risk losing their jobs to other kids who know how to use AI better than them.
Frank Cilluffo [00:00:15]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week we’re in for a real treat. I get to sit down with Ambassador Kristjan Prikk. He is the Estonian Ambassador to the United States. He’s been in this role for five years now, has also recently been tapped to become Estonia’s Ambassador to NATO. Kristjan has served in multiple national security roles, including the Permanent Secretary for the Ministry of Defense, which basically oversees and manages the Ministry of Defense and all the superseding agencies that comprise that. We’ve known each other for a number of years and really excited to sit down with Ambassador Prikk today.
Frank Cilluffo [00:01:02]: Kristjan, thank you so much for joining us today.
Kristjan Prikk [00:01:05]: Thank you, Frank. Great to be with you here.
Frank Cilluffo [00:01:07]: You know, I thought I’d start at the beginning and it’s sort of the Estonian story. For a small country, 1.3 million people, it punches well above its weight on all things cyber and is looked upon internationally as a leader in digital affairs and cyber affairs. But I thought it might be helpful to set the stage to let people know how it got to that point.
Kristjan Prikk [00:01:34]: Yeah, thanks for this question. I think it’s very important exactly, just as you put it. In case of Estonia, the story definitely goes back to the days, weeks and years after the Soviet Union collapsed. Estonia was one of the sad cases of countries that ended up under the Soviet rule. Estonia was actually an independent country before the Second World War.
Frank Cilluffo [00:02:04]: And US never acknowledged its-
Kristjan Prikk [00:02:08]: And very importantly, when the Soviet Union occupied and annexed Estonia, the US never recognized its occupation throughout the Cold War. So when Estonia regained independence, also de facto regained independence after the Cold War, actually we could just carry on where we were before the occupation. Now, getting to the tech side, on the one hand, when the Soviet Union collapsed, we had freedom, we had independence. People were obviously very happy for that. But then again, the economy, the infrastructure was either pretty much non existent or in shambles. So what to do in this situation? Luckily for us, this was exactly the time when certain key technologies became ripe, mature enough to put into wide scale use. I would particularly point out the personal computing. Suddenly computers did not fill the entire room in some institute, but actually were truly personal, and certainly Internet.
Kristjan Prikk [00:03:27]: Whereas most of the western world had access to the same technologies, but then again they had also good enough kind of legacy systems, was it fax or telephone or something else. We pretty much didn’t really have any proper legacy systems. So we had a really strong incentive to go ahead and try out something almost crazy, something that no one had ever tried before, and just see what’s going to happen, so to say. At the same time, what was also important, I would emphasize two other factors. During the Soviet time, the Soviet ideology and the Soviet kind of oppression of people, if at all one were to try to find something positive in it, at least the way my own parents kind of explained it to me, that it was always kind of safer in this crazy Soviet system to study engineering, study math, study physics, you know, chemistry, because these subjects are not ideological. So this means that actually we had very strong, let’s say, layer or group of engineers in this society, including also, let’s say early communication and computer engineering people. At the same time, what we also did, we really opened up our country for trade and investments, including encouraging Western telecom companies and banks, for example, to come and invest in Estonia to set up their own offices and if possible, if necessary, try out some really new, novel approaches. In some cases, I believe some of these Western telecom companies probably experimented with some technologies in Estonia that they did not dare to experiment at their home markets yet. But you know what? These things actually did work.
Kristjan Prikk [00:05:44]: And I am 49 years old right now. I never owned a checkbook in Estonia, an Estonian bank. Now, so this was the starting point. We were, and we still are, too small. And at the same time, let’s say too or enough integrated society. So that rather than starting to develop a completely new set of identification technologies and security protocols and information sharing layers for every government office or government and private sector separately, we actually decided to go into public private partnership. So these things worked.
Frank Cilluffo [00:06:29]: Yeah, that’s very well said. So in a way it was timing is everything. It often is. And it was the advent of new technology. You didn’t have legacy systems you had to take care of. You can invest in the future. Culturally, and disagree with me, but it’s almost the antithesis of everything the Soviets were. So whatever they were, it’s almost the opposite. And give ownership to the individual.
Frank Cilluffo [00:06:57]: On top of that, there was risk and experimentation, which you couldn’t do in some of these other countries. But it was ripe in the Estonian mindset. And then fast forward to investing very much in what is now a digital environment, we’ll talk about that and AI and the fact that everything runs across the blockchain, but I’d be curious as well, the attacks in ’07, in a weird way, the dependence was so great on it that you turned potentially a weakness into a strength. Right?
Frank Cilluffo [00:07:33]: Take us back to 2007, when we first met, actually.
Kristjan Prikk [00:07:37]: Yeah, it’s crazy to think that it’s
Frank Cilluffo [00:07:39]: Almost two decades.
Kristjan Prikk [00:07:40]: Almost two decades ago. Yes.
Frank Cilluffo [00:07:42]: That is crazy.
Kristjan Prikk [00:07:44]: So what happened then was that we experienced something that I think went to the history books as the first ever wide scale cyber attack against the nation state. And the attack was targeted at both the government as well as private sector information systems. What was also very important, that these attacks were very clearly politically motivated and directed, supported and certainly tolerated by a nation state neighbor of us, Russia. So it caught the attention of the world because after all, suddenly we had situation where the access to online banking, major media outlets, certain government websites or websites of individual political parties and so on were suddenly not accessible. And if you add this to a otherwise heightened political crisis situation where there were, for example, accusations from the Russian government against Estonia, there was a Russian State Duma delegation arriving in Estonia stating that the Estonian government should resign and all this. I think one can easily understand what kind of, let’s say, amplifier the cyber mayhem to this situation actually was, particularly in the case that no one had really experienced something like that. However, just as you put it, I believe we turned, let’s say the weakness into actual strength. Firstly, we were able to work very quickly and closely, not only among the different stakeholders in Estonia, but also we were able to involve our international partners to just mitigate the initial waves of attacks and get the access open again, at least in Estonia, using some, let’s say, back channels and so on and so forth.
Kristjan Prikk [00:10:05]: But this was tactical, activities that led to tactical successes, but I guess the strategic importance of all this was that suddenly cyber security, cyber defense became an issue that not even the senior political leadership of countries in Europe and elsewhere in the west could not avoid, could not diminish, and had to start paying attention to. We developed our first cybersecurity strategy in a way inspired by or triggered by these attacks in early 2008 and quite soon, I guess most EU and NATO countries kind of followed with their cyber security strategies and with their redesign or in some cases, founding of the national institutions tasked with dealing with cyber security and defense at the nation state level. So again, as I said before, the events that may have had in practice tactical impact or short term impact at least turned into a strategic wave of changing happening all across the west, including Estonia, for sure.
Frank Cilluffo [00:11:34]: Well said. And you know, it’s not coincidence that when I Look at smaller countries that are punching above their cyber weight, I think of Estonia, I think of Israel, I think of Singapore. They all live in tough neighborhoods. Right? They all have experience. This isn’t a luxury, it’s a necessity. Right?
Frank Cilluffo [00:11:54]: And I think that you also mentioned how the cyber attacks were also, in addition to that could have been the noise to foment physical concerns. And clearly, I think it was Mark Twain who said, whereas history may not repeat itself, it tends to rhyme. We’re seeing a lot of rhyming right now in terms of the TTPs that say Moscow is engaging in other activities, right, in Ukraine and what have you. But I also think that when I look at Estonia, it, I think, acknowledges it’s a fool’s errand to think you can protect everything, everywhere, all the time. But resilience is not. Anything you want to share because I kind of feel like it’s in the DNA and I’m not even sure you see it because it’s so part of what you’re doing. But you got to bounce back or bounce forward.
Frank Cilluffo [00:12:48]: Any thoughts there? Because when I look at RIA, the National Cybersecurity Center’s latest strategy, it makes that clear.
Kristjan Prikk [00:12:56]: Yeah, absolutely. And I do love your way to put it. We have to bounce forward rather than bounce back. So imagine that we can one day defend against all, everyone attack and avoid those. It’s just not realistic.
Frank Cilluffo [00:13:17]: For anyone.
Kristjan Prikk [00:13:18]: For anyone. And in fact, I mean, we shouldn’t expect the cyber domain to be fundamentally different than the other natural domains are, where also accidents happen, and the attackers, if they are persistent, if they are well resourced, and if they try hard enough, they can create some, some damage. It’s the same in the cyber world.
Kristjan Prikk [00:13:52]: And this is exactly the kind of approach that we’ve taken. We certainly tried to shape the environment and the rules pertaining to the actions in the cyberspace so that we reduce or limit the risk of particularly high impact threats, risks materializing. But then again, the more important part is the ability to rebounds, the ability to use alternatives if plan A is not working. Because one day, one way, the risks do materialize and we have to be ready for that.
Frank Cilluffo [00:14:39]: You know, I think you’re seeing a sea change here where, yes, cyber is its own domain, but it also transcends, as you said, all the traditional air, land, sea, space, and it’s really about the cyber effect. In other words, this may sound outlandish, but I care less about who wins the cyber war. I care who wins the war and how cyber makes that happen. Now that said I still want to win all the wars, but point is, are you seeing that level of thinking? And I’d like to bring in the context of Ukraine changed the landscape. And I sort of mentioned how the threat landscape for Estonia, you live in a tough, one bad actor who is pretty active. I think they’re finding that you’re not the easy target anymore, so they’re going elsewhere. But I’d be curious what your thinking is there and how the invasion of Ukraine has changed the threat environment, whether it’s cyber, cyber physical combined, whatever your thoughts are there.
Kristjan Prikk [00:15:47]: Right. Once the dust has settled, so to say, one day, some way-
Frank Cilluffo [00:15:53]: Hopefully soon.
Kristjan Prikk [00:15:54]: This war will end like others. I hope that people will pay enough attention to what has been happening in the cyberspace rather than kind of dismiss it as not important. Why I’m saying that, I would argue that in some ways Ukrainians have been victims of their own success in the sense that whereas firstly, you cannot make cyber defense as sexy as for example shooting down drones or separating tank turrets from the tank bodies and all this. But secondly, Ukrainians have been simply quite good in cyber defense.
Frank Cilluffo [00:16:44]: And that didn’t happen by accident.
Kristjan Prikk [00:16:46]: This didn’t happen by accident, by no means. And we all remember when, before the full scale invasion started, when the writing was generally on the wall, many people with authority claimed that the Russian dominance in the cyberspace is so significant, so huge that Ukraine would not stand a chance. And most likely the kinetic warfare will not even be significant because-
Frank Cilluffo [00:17:22]: It would have folded so quickly.
Kristjan Prikk [00:17:23]: Exactly. This didn’t happen not because there weren’t any attempts, but because Ukrainians together with, and this is important part, together with both government and non government partners were able to avoid, disrupt, and retaliate in the cyberspace. Now why did I mention the private sector? I think that normally people think of warfare as something that is a monopoly of the governments. In the case of war in Ukraine, I think this old way of thinking has been, let’s say put disputed anyway because we know that how actively Ukrainian private companies are offering their drones and jamming and other equipment to even individual frontline units and then average citizens fundraising for donating these pieces of equipment to the units and all this. So this is there, but when it comes to the cyberspace, I think the way the major tech companies mostly based in the US worked very constructively even before the actual fighting started in this full scale invasion in early ’22 with Ukrainians to grow resilience of their government information systems, of critical C2 nodes, and so on and so forth. This is remarkable and I hope that one day these people who took tough but right executive decisions that they also get, let’s say, rewarded or awarded for that. Of course there have been also cautionary cases, not cyber defense per se, but for example, the way Ukrainian forces were stripped of access to Starlink communications at some critical moments offers certainly also some food for thought.
Kristjan Prikk [00:19:46]: But generally Ukrainians for sure have proven the concept of a need to be resilient, need to be able to recover from existing attacks. A need to push back even if things have gone wrong.
Frank Cilluffo [00:20:02]: Excellent. Excellent. And we recently had Greg Rattray on to talk about CDAC and some of the initiatives companies played. And honestly, not only should that be rewarded, but it could be a new model for how, say Taiwan or you name some of the, wherever the next crisis may pop. By the time government gets in, yes, they have an essential role to play, but industry, especially when it comes to critical infrastructure and when it comes to cyber related issues, play a major role in all of this. Along those lines, given the digital nature of Estonia, given you cannot go three minutes without a discussion around AI, can you share and I know you’ve, you’ve spoken publicly on some of the initiatives that the Estonian government and the Estonian, Estonian community writ large is looking at AI, what should we be looking for there?
Kristjan Prikk [00:21:05]: Sure. Firstly, I’d love to say that when it comes to use of AI or thinking how exactly the, let’s say, most efficient use of AI could take place in the society, we are not starting from a blank sheet, but rather we are building on the successes that we’ve had since we started with the digital services and making sure that we build this coherent and integrated digital ecosystem of government and private sector services. So we are trying to rather see how we can adjust this or adapt this existing ecosystem to a more modern era where the AI tool can help us to get to the best result quicker than before. So I would just point out three major initiatives that we have in Estonia. Firstly, taking the existing digital government services that we have offered to our-
Frank Cilluffo [00:22:22]: Which is pretty much everything but marriage and divorce. Right? I think it’s literally everything.
Kristjan Prikk [00:22:26]: In fact, we’ve even taken the marriage and divorce with small caveats. I mean, at one point you still have to have this think through time and all this.
Frank Cilluffo [00:22:37]: So it’s all tied.
Kristjan Prikk [00:22:40]: We’ve taken even this, I’m not sure that this is the best idea, but this doesn’t have anything to do with how the computers are wired, but rather how we are wired. Right? So we’ve taken these services and applied the machine learning on them so that we develop something that we call predictive services, so that people should not waste their time browsing through different government websites and trying to find whether they should apply for a certain permit or whether they are eligible for a certain tax credit or something like that. So predictive services, it all should be made as easy for them as possible. Secondly, we are working on something that is, I think, called government AI. And since I’m not a techie, I can easily use terms or describe things in a way that other people may find irresponsible. So my own way of describing it is simply to kind of root out all the boring and stupid work that people, that we shouldn’t spend our citizens-
Frank Cilluffo [00:23:57]: Waste our time on. Yeah.
Kristjan Prikk [00:23:58]: We should rather outsource this all to AI so that there are always these steps that, you know, with bureaucracy that people are supposed to take.
Kristjan Prikk [00:24:13]: In some cases, we can eliminate the full steps because, for example, in some cases, certain steps have been designed to avoid the, let’s say, human laziness, but human errors, or in some cases, you need, let’s say, two or three people involved in certain processes just to avoid any even attempt to do things in a corrupt way. But as we say in Estonia, you cannot bribe a computer. So we can simply streamline work and make sure that our people only do what really keep them motivated and where the human in the loop adds kind of value, adds something that machines may not be able to do right now. And the third program, and I feel particularly, particularly enthusiastic about that because this is where two of the, I would say, great equalizers that we in Estonia believe in get together. The two great equalizers for us Estonians are technology and education. We think that if we use technology in a proper way and make it available to all of our people, then we can not only give everyone a chance to succeed in the society, but also take advantage of all the talent that we have in the society, rather than missing someone who’s living in a remote village or something. Right? So technology is this.
Kristjan Prikk [00:25:55]: And also we’ve, Estonians have always believed in the equalizing role of education. So we have started something that we call AI Leap. And this is a program, as I think it’s a very good description, that this is an education program that has technology component rather than technology program that has some education component. Basically, we are working together with OpenAI, we are working together with major Estonian universities, and we are working together with Stanford University here in the US, potentially also with some other scientists or universities. OpenAI has worked together with Estonian scientists to basically tweak their ChatGPT so that when all the Estonian high school students get access to this tweaked LLM that is designed to not give them the one right answer to their questions, but rather help them to move through the path to wisdom and, and the options that certain puzzles may have. They call it a Socratic model of teaching. It comes with sophisticated training program also for our teachers.
Kristjan Prikk [00:27:35]: We are not telling them how exactly they should use the AI in their teaching, but we are trying to make sure that they know the potential there, that they can devise their own way how to better prepare for classes, how to better engage students in the classes, how better grade students, and how to do the feedback loop and everything by using AI. We believe, and again, this is the slogan that I did not come up with, but I just love it. We believe that our kids will not lose the jobs to AI, but rather they may risk losing their jobs to other kids who know how to use AI better than them. So we are rather trying to make sure that our kids are better in using AI than their peers in other countries.
Frank Cilluffo [00:28:33]: Excellent point. And quite honestly, I don’t think technology and education are mutually exclusive. It seems like you’re marrying the two up and in a way that nurtures critical thinking skills, not just push a button, give me the answer and pop it out. So that’s a very, very thoughtful approach. Very quickly, we recently had, or last year maybe, Tanel was here talking about the Tallinn Mechanism. You also sort of have the IT Coalition. How do you see those coming together in support of Ukraine?
Kristjan Prikk [00:29:09]: Yes, certainly in support of Ukraine, these two are maybe models for also future support of other countries or other projects. Basically, Estonia has taken the lead on both the civilian side of government, IT and cybersecurity of Ukraine with Tallinn Mechanism and the military side with IT Coalition. These are coordinating formats in a way, let’s say clearing houses or formats where Ukraine can come with their most burning needs, and then this mechanism, within this mechanism, countries can marry these needs with whatever they have they can offer. In the case of, it came up, it was born from a practical need. I mean, there were many countries ready to offer assistance to Ukraine in cyber and IT.
Kristjan Prikk [00:30:24]: There were different Ukrainian government offices that felt that they had certain need. So in order to avoid the chaos where some needs get addressed two times and some others not at all, we decided to take the lead. We act as coordinators. In the case of Tallinn Manual, I believe the aid that has been agreed to exceeds 1.4 billion. The IT mechanism on this military side is even higher than that so I think it is actually a successful model where the countries that assist and the recipient can work together.
Frank Cilluffo [00:31:13]: To put a fine point on it, and I think that this gets lost on a lot of folks, Estonia is in the middle of enabling two, a diplomatic and military initiative that are essential to national security and, and not even its own country to another. I’ve got two very quick questions since we’re coming to the end of our time. One, as you look ahead to your new role, what do you think the cyber and security priorities for NATO will be over the next five years?
Kristjan Prikk [00:31:42]: Certainly in the case of cyber, just like with other domains, we have to study very carefully the, there’s a lesson learned from, not only from Ukraine, but also recent experiences in the Middle East, how the cyberspace has been the domain that has been used for war fighting as well as in support of war fighting. We’re not, certainly not talking, only talking about cyber attacks against certain systems, but also how the cyber space, as the, let’s say, cyber delivery mechanism has been used, how the supply chain issues may actually end up with major cyber problems, and so on, so forth. So while acknowledging that every military conflict may be very different, I’m sure that we have lots of work to do with the lessons learned from these conflicts. Generally, I think that within NATO, the different bodies that we have should, including the NATO Cyber Center of Excellence in Estonia, Tallinn, should take even more active look on the, let’s say, operationalizing the data, the experience that has been extracted from different countries from different sources. I think NATO is currently in the stage where we have to make sure that as much as possible is operationalized so that we don’t let us be strategically surprised and we are ready to fight if necessary.
Frank Cilluffo [00:33:44]: Well said. In the US, recognizing the title 10 authorities in addition to all the other authorities, and happy to hear that and a lot to be done there. And final question, Estonia, a small country, has shown that with innovation, with resilience, with clarity of purpose, it can punch above its weight. What’s one or two takeaways you’d like a large country to be able to benefit from Estonia’s history?
Kristjan Prikk [00:34:16]: Yeah, in some cases, of course, the experience of a small society is difficult to replicate, but in cyber, maybe the experiences are more replicable because tech side at least is scalable. So I remember former Cybercom commander Keith Alexander often said that cybersecurity is a team sport. And this is exactly what I’ve been repeating all over again, that the domain may be human made, but humans have to establish context between them, and we have to make sure that when the problem appears, then we don’t have to start searching for contacts of other people. The organization has to be there. So this is one point. Secondly, as we discussed before, resilience is as important, or if not more important than hardening the systems and the defense. And certainly something that has very much to do with the first point that I mentioned.
Kristjan Prikk [00:35:34]: International cooperation does matter. The way the cyberspace is set up means that we cannot only be confined in our own quarters and expect that if we keep it in order, then nothing happens. And we have worked extensively with the US, Estonia State Partnership Program with Maryland. Maryland happens to be very strong in cyber defense, so this is the military part of it. Our law enforcement people are extensively working with FBI and others on cybercrime, including ransomware attacks and others. We’ve worked with US on some efforts to standardize the information sharing on cyber attacks, for example, to make sure that we can really take advantage of the trust that has been built between the allies as well as take advantage of the technology, technological developments so that machines can use the same trust that has been built between the people and then take care of some of these threats in the cyberspace. So I think that is something that we can share with other countries, and we intend to do so.
Frank Cilluffo [00:36:59]: Ambassador Prikk, thank you for spending so much time with us today. But more importantly, thank you for your leadership. Thank you for being such a good friend to the United States. Good luck in your next role. They’re lucky to have you. And let me leave you with a token, figuratively and literally, of our appreciation, our coin. Thank you, sir.
Kristjan Prikk [00:37:18]: Thank you, Frank, thank you so much. And you know what? If there is one hobby that I have, it’s, it’s collecting these great tokens.
Frank Cilluffo [00:37:27]: Thank you, sir. Thank you, Kristjan. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.