In the cyber world, it is hard to find a more inspiring and intimidating biography than that of Marina Kaljurand. A former diplomat trained as an international lawyer, she has occupied the most prestigious Estonian diplomatic posts – including that of Diplomat-in-Chief. Her achievements in shaping thinking about the cyber domain are comparable only to her success as a multiple national champion in badminton.
Many people consider Marina Kaljurand a godmother of Estonian cyber diplomacy. She has not only secured a place for Estonia at the most relevant international cyber-related debates, she has also paved the way for generations of women – from Estonia and further afield – in this otherwise male-dominated policy area. Kaljurand’s career is impressive. She joined the Estonian Foreign Service in 1991, the year Estonia regained its independence. After serving in a range of prestigious roles, she describes her election to the European Parliament in 2019 as a 180-degree-change in her life, and as a protest against the right-wing populists gaining a foothold in Estonia and across Europe.
A New Beginning
When Kaljurand became a member of the European Parliament – alongside other accomplished Estonians like former Commissioner for Digital Single Market Andrus Ansip – I hoped she would become a strong advocate for the EU’s global digital and cyber engagement and rally other political heavyweights behind this message. Instead, she opted to join the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee). When I expressed my amazement at her decision, Kaljurand explained that “foreign affairs are important in the European Parliament, but the AFET Committee is the only one without legislative powers”. It is true that AFET Committee – the Committee on Foreign Affairs, with its Subcommittee on Security and Defence – has very limited powers when it comes to shaping the EU’s foreign and security policy. The Committee can produce its own initiative reports, but, at best, these provide inspiration for other institutions. More often, they end up as a long wish list of undelivered commitments.
“So my preference was LIBE Committee”, Kaljurand continues, “as the main body dealing with civil liberties, democracy and migration, but also privacy and digital services. I think that these are the topics that are crucial in determining the future of Europe and its commitment to values such as the freedom of expression, freedom to seek and receive information, the right to privacy and the freedom of peaceful assembly and association”.
Kaljurand is currently the Shadow Rapporteur on behalf of the Socialists & Democrats Group for the regulation on preventing the dissemination of terrorist content online that has been hotly debated and criticised due to its potential impact on civil liberties.
An Advocate for Cyber Stability
Though Kaljurand has never practiced law, she has become a key advocate of peace and stability in cyberspace. She is a current member of the UN Advisory Board on Disarmament Matters. Prior to that, she served as chair of the Global Commission on Stability in Cyberspace and as a member of the UN Secretary-General’s High-level Panel on Digital Cooperation. In other words, she understands the nuances of international cyber diplomacy like few others.
Kaljurand has a simple explanation for the ongoing ideological conflict with China and Russia. “We all talk about our commitment to an open, accessible, affordable, resilient and free Internet, human rights and the multi-stakeholder model. But there is a big gap between what states say and how they act. The Estonian understanding of a free and open Internet differs from the one recognised and promoted by Russia or China. And that is a sad reality”.
Kaljurand’s legal background gave her a big advantage over other cyber diplomats. While her counterparts parroted soundbites about the applicability of existing international law to cyberspace, she could actually explain what that means. This came in particularly handy when she served as the Estonian representative to the UN Group of Governmental Experts (UNGGE) from 2014 to 2015. Recalling the experience, Kaljurand explains the key challenge of the time. “For likeminded experts, it was crucial to expand the wording of the 2013 consensus report, which contained the ground-breaking statement that ‘international law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment’. We saw it as a preventive measure, one that provided clarity on what was allowed and what was not allowed in the cybersphere. It was a matter of responsibility, accountability and countermeasures.”
Behind this public effort, Kaljurand says, the group was confronting difficult dilemmas. “We pushed hard for any explicit recognition of Article 51 of the UN Charter – the inherent right of self-defence – and principles of International Humanitarian Law. It was difficult because the Russian and Chinese delegations, with their supporters, did not want to add any or very little new language to what was agreed in 2013. So there was the dilemma: either to have a consensus report with little progress on applicability of the existing international law, or not to have the report at all”. The outcome is well-known: the Group adopted the consensus report in 2015.
Kaljurand offers further insight into her reasoning at that time. “I supported the first option because I thought that it was very important to reiterate what had been said before, even with little progress. Today, five years later, and after the failure of the UN GGE to reach a consensus in 2017, I think that it was the right decision. It is very important that we have two consecutive GGE Reports stating very clearly the applicability of international law to cyber. I agree that a lot remains to be discussed on how exactly international law applies to cyber, but with the Reports of 2013 and 2015 UN sent a very clear signal – cyber is not a lawless jungle where the strong rule, and there are consequences to online activities that violate international law”.
Law: Only for the Small?
International law has always been one of the most controversial pillars in the discussion about responsible behaviour in cyberspace. Lawyers continue to search for common ground that can guide states in their actions. But reliance on international law has its limitations. Kaljurand’s views on how states use international law are striking. In an interview with Estonian Public Broadcasting, she admitted very candidly that, nowadays, international law is shaped and changed by the major powers, leaving other states bound to comply. I ask her about this, and she replies with similar candour. “Big countries, at least some of them, are much more flexible in choosing which laws and norms to apply. Look at the list of states who have adhered to the Paris Call – the first genuinely international and multi-stakeholder document on cyber stability. Where are the United States, Russia or China? Why don’t they support it? My answer is – either they don’t need or don’t want it. In both cases, they have the privilege to apply only the norms that suit them”.
It is a bitter observation, albeit an accurate one. Despite much talk about the need for responsible behaviour in cyberspace, each of these countries has moved towards developing their own strategy for cyberspace – often at the expense of multilateral arrangements. China’s approach to cyber diplomacy is driven by the overarching objective of becoming a “cyber superpower” in the economic, normative, military and commercial realms. Diplomacy is used to promote Chinese values and objectives through international initiatives, such as the digital silk road. Russia’s focus lies in information security as the ultimate guarantor of internal stability. Russia’s interpretation of international law and international norms, in particular, challenges the principle of “the rules-based international order” on the basis that it is “undemocratic”.
It seeks to mobilise grievances in international society; however, the aim is not to democratise decision-making. Rather, it is to secure an equal place at the decision-making table. The United States, on the other hand, has opted for the so-called defending forward and persistent engagement approaches, founded on the principles of getting as close to adversaries as possible – to see what they’re planning – and of increasing the cost of conducting cyber operations.
So where does this leave the rest of us? We both sigh. “It is a reality that international law serves the interests of small states, like Estonia”, Kaljurand says. “We need agreed rules and norms, predictability and legal certainty to survive in today’s world. We are vocal about the violation of international law and the need for clear norms of responsible state behaviour. We can’t allow violation of international law, or we will be punished”.
Mission Impossible?
This isn’t just theoretical talk. As Estonia’s Ambassador to Russia during the 2007 cyberattacks against Estonia – the moment that turned the country into a champion of digital development and cybersecurity – she has first-hand experience dealing with difficult partners during a cyber crisis. “Those were the first explicitly political cyberattacks against an independent, sovereign state in history. From today’s perspective, they were not overly sophisticated. But they did cause serious disruption in the functioning of our society – something we could not ignore”, Kaljurand explains. Lessons from the engagement with the Russian government at that time led to an important conclusion: “Estonia recognised that there are complex issues concerning the application of international law, in particular the ‘thresholds’ for a breach of sovereignty, use of force, aggression or armed attack”.
This experience influenced Estonia’s priorities for the 2014/2015 Group of Governmental Experts: norms of state behaviour regarding protection of critical (financial) infrastructure, cooperation in incident response and mutual assistance in resolving cyber crises. “We also kept in mind that these proposals might have potential for consensus, since they should reflect common interests of all states to ensure the safety of their information and communication systems. Also, it was expected that there would be more divergent views on the details of the application of international law”.
The norm obliging states not to knowingly allow their territory to be used to perform cyber operations against other states was reiterated in the 2015 UNGGE report, but its full implementation depends on the concerned countries’ political will to cooperate. In reality, countries often dismiss suggestions that their territory is being used to perform such malicious activities, or simply claim a lack of capacity to control of everything that happens in the cyberspace. “This is why it is important for the European Union to promote the implementation of the UNGGE norms and stress the obligation of states to due diligence”, Kaljurand adds, concluding, “One of the best ways to do that is to strengthen the cyber capacities of other countries and build their resilience”.
All this legal talk has left little time to dive into the role of the European Union in all this. I have constantly argued that the EU needs to appoint a Special Representative for International Cyberspace Policy. So I have to ask: if Josep Borrell called tomorrow to offer her the job, would she take it? The great diplomat she is, she replied: “I know that the right answer is never say never”. The great politician she is, she added: “But today, I can say that I am very happy with my work in the European Parliament. It is challenging, it is ambitious, it requires all my diplomatic skills and it gives me a very special feeling of pride and responsibility to be elected and represent more than 65,000 citizens who gave me their vote and support”.