The correct control of cyber security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions.
Information technology (IT) is critical and valuable to our society. IT systems support business processes by storing, processing, and communicating critical and sensitive business data. In addition, IT systems are often used to control and monitor physical industrial processes. For example, our electrical power supply, water supply and railroads are controlled by IT systems. These “controlling” systems have many names. In these Notes they are referred to as SCADA (Supervisory Control and Data Acquisition) systems, or occasionally, as industrial control systems. They are complex real-time systems that include components like databases, application servers, web interfaces, human machine interfaces, dedicated communication equipment, process control logic, and numerous sensors and actuators that measure and control the state of the industrial process. In many industrial processes (e.g., electrical power transmission) these components are also distributed over a large geographical area. SCADA systems can be seen as the nervous system of industrial processes and since our society is heavily dependent on the industrial processes that SCADA systems manage, we are also dependent on the behavior of our SCADA systems.
Over the last two decades our SCADA systems and their environments have changed. They used to be built on proprietary and specialized protocols and platforms. Today, however, SCADA systems operate on top of common and widely used operating systems (Windows XP) and use protocols that are standardized and publicly available. These changes have altered the threat environment for SCADA systems.
The move to more well-known and open solutions lowers the threshold for attackers who seek to exploit vulnerabilities in these SCADA systems. Vulnerabilities are regularly found in the software components used in SCADA systems (the operating systems) and instructions that can be used to exploit these vulnerabilities are often made available in the public domain. The increased openness also lowers the thresholds for attacks targeting special-purpose SCADA components, programmable logic controllers (PLCs). Today there is an interest in the vulnerabilities they have and there is information available in the public domain about their design and internal components. In fact, it is even possible to buy a subscription to exploit code specifically targeting SCADA systems’ components. In other words, a successful cyber attack against a SCADA system today does not require the SCADA-expertise that was required prior to the move to more open, standardized and common components.
In parallel with the move to more common and widely known solutions, SCADA systems have moved from being isolated and standalone to being interwoven in the larger IT environment of enterprises. Process data collected by SCADA systems, production plans, and facility drawings are often exchanged over enterprises’ computer networks. It is also common to allow users to remotely connect to operator interfaces, for instance, so that process-operators can connect remotely when they are on standby duty and so that suppliers are able to perform maintenance remotely.
The increased integration with more administrative enterprise systems has also contributed to a changed threat environment. Administrative systems are, with few exceptions, connected (directly or indirectly) to the internet. Hence, the possibility for administrative systems to exchange data with SCADA systems is also a possibility for attackers or malware to come in contact with these systems and exploit their vulnerabilities, without physical proximity.
The lowered threshold to find and use SCADA-related vulnerabilities and tighter integration with enterprise systems are two cyber security problems that add to the volume of cyber security issues related to architecture and configuration of the actual SCADA systems. Historically, SCADA systems were built to be reliable and available, but not to be secure against attacks with a malicious intent.
SCADA systems are thus critical assets, have exploitable vulnerabilities, and are interwoven into the enterprise architectures. Decision makers who wish to manage their cyber security need to be able to assess the vulnerabilities associated with different solution architectures. However, assessing the cyber security of an enterprise environment is difficult. The budget allocated for cyber security assessments is usually limited. This prohibits assessments from covering and investigating all factors that could be of importance. The set of variables that should be investigated, and how important they are, is also hazy and partly unknown. For instance, guidelines such as do not prioritize their cyber security recommendations. Such prioritizations are also difficult to do in a generic guideline since the importance of many variables is contingent on the system’s architecture and environment and guidelines are limited to one or a few typical architectures. Variables are also dependent on each other. An attack against a SCADA system may be performed in a number of ways and can involve a series of steps where different vulnerabilities are exploited. Thus, some combinations of vulnerabilities can make an attack easy, but a slightly different combination may make attacks extremely difficult. Thus, informed decisions require an analysis of the vulnerabilities associated with different architectural scenarios, and at the same time, an analysis of how these vulnerabilities relate to each other.
These problems are not unique to SCADA systems. Many administrative IT systems also have complex environments; administrative IT systems often need to be analyzed on a high level of abstraction; the importance of different variables is hazy also for administrative IT systems. Like the administrative environment, the SCADA environment consists of software, hardware, humans, and management processes. And as described above, there is a substantial overlap between the components which are used in both environments today. However, there is a difference in what needs to be protected in these environments. Security is often thought of as a triad of confidentiality, integrity and availability. For SCADA systems, integrity and availability of functionality are crucial, but confidentiality of business data is not. Because of this, cyber security assessments of SCADA systems have a different focus than for many other systems. The importance of availability and integrity also has other implications. For instance, because of the consequence of a potential malfunction, it is recommended that SCADA systems should not be updated before extensive testing, and network based vulnerability scanners should be used with care in SCADA environments.
Information security is increasingly seen as not only fulfillment of Confidentiality, Integrity and Availability, but as protecting against a number of threats by making correct economic tradeoffs. A growing body of research into the economics of information security during the last decade aims to understand security problems in terms of economic factors and incentives among agents making decisions about security, typically assumed to aim at maximizing their utility. Such analysis is made by treating economic factors as equally important in explaining security problems as properties inherent in the systems that are to be protected. It is thus natural to view the control of security as a sequence of decisions that have to be made as new information appears about an uncertain threat environment. Seen in the light of this, and given that obtaining security information is usually in itself costly, I think that any usage of security metrics must be related to allowing more rational decisions with respect to security. It is in this way I consider security metrics and decisions in the following. The basic way to understand any decision-making situation is to consider which kind of information the decision-maker will have available to form the basis of judgments. For people, both the available information and potentially the way in which it is framed (presented) may affect how well decisions will be made to ensure goals.
One of the common requirements on security metrics is that they should be able to guide decisions and actions to reach security goals. However, it is an open question how to make a security metric usable, and ensuring that such usage will be correct (with respect to achieving goals) comes with challenges. The idea to use quantified risk as a metric for decisions can be split up into two steps. First, do an objective risk analysis using assessments of both system vulnerabilities and available threats in order to measure security risk. Second, present these results in a usable way so that the decision-maker can make correct and rational decisions. While both of these steps present considerable challenges to using good security metrics, I consider why decisions using quantified security risk as a metric may go wrong in the second step. Lacking information about security properties of a system clearly limits the security decisions, but I fear that introducing metrics does not necessarily improve them; this may be because 1) the information is incorrect or imprecise, or 2) the usage will be incorrect. This work takes the second view and we argue that even with perfect risk assessment, it may not be obvious that security decisions will always improve. I am thus seeking properties in risky decision problems that actually predict the overall goal – maximizing utility – to be, or not to be, fulfilled. More specifically, we need to find properties in quantifications that may put decision-making at risk of going wrong.
The way to understand where security decisions go wrong is by using how people are predicted to act on perceived rather than actual risk. I thus need to use both normative and descriptive models of decision-making under risk. For normative decisions, I use the well-established economic principle of maximizing expected utility. But for the descriptive part, I note that decision faults on risky decisions not only happen in various situations, but have, remarkably, been shown to happen systematically, as described by models from behavioral economics.
I have considered when quantified risk is being used by people making security decisions. An exploration of the parameter space in two simple problems showed that results from behavioral economics may have impact on the usability of quantitative risk methods. The results visualized do not lend themselves to easy and intuitive explanations, but I view my results as a first systematic step towards understanding security problems with quantitative information.
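The contrast between the normative and the descriptive view of one security investment can be computed directly. The following is an added example, not code from the original text; it assumes the descriptive model is cumulative prospect theory with the median parameters from Tversky and Kahneman (1992), and the decision (buy a control at a certain cost to reduce a breach probability) and all monetary values are constructed.

```python
"""Normative vs. descriptive evaluation of one security investment decision.

Assumptions (not from the original text): the descriptive model is cumulative
prospect theory with the median parameters of Tversky and Kahneman (1992);
the decision and all monetary values are constructed for illustration.
"""

BETA = 0.88    # curvature of the value function for losses
LAMBDA = 2.25  # loss-aversion coefficient
DELTA = 0.69   # curvature of the probability-weighting function for losses


def weight(p):
    """Perceived decision weight of a stated loss probability p."""
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    num = p ** DELTA
    return num / (num + (1.0 - p) ** DELTA) ** (1.0 / DELTA)


def value(x):
    """Subjective value of an outcome x <= 0 relative to the status quo."""
    return -LAMBDA * (-x) ** BETA if x < 0 else 0.0


def expected_utility(p_breach, loss, cost=0.0):
    """Risk-neutral expected utility: pay `cost` for sure, lose `loss` with p."""
    return -cost - p_breach * loss


def perceived_value(p_breach, loss, cost=0.0):
    """Rank-dependent value of the same prospect (both outcomes are losses)."""
    w = weight(p_breach)
    return w * value(-(cost + loss)) + (1.0 - w) * value(-cost)


def classify(p, loss, cost, residual=0.0):
    """Compare the two models for a control that lowers p to `residual`."""
    normative = expected_utility(residual, loss, cost) > expected_utility(p, loss)
    descriptive = perceived_value(residual, loss, cost) > perceived_value(p, loss)
    if normative == descriptive:
        return "agree"
    # Descriptive buys what the normative model rejects, or the reverse.
    return "over-invest" if descriptive else "under-invest"


def break_even_cost(p, loss, evaluate, residual=0.0):
    """Largest control cost at which `evaluate` still prefers the control."""
    baseline = evaluate(p, loss)
    lo, hi = 0.0, loss
    for _ in range(60):  # bisection; preference is monotone in cost
        mid = (lo + hi) / 2.0
        if evaluate(residual, loss, mid) > baseline:
            lo = mid
        else:
            hi = mid
    return lo


def break_even_table(probabilities, loss):
    """Rows of (p, normative break-even cost, perceived break-even cost)."""
    return [
        (p,
         break_even_cost(p, loss, expected_utility),
         break_even_cost(p, loss, perceived_value))
        for p in probabilities
    ]


if __name__ == "__main__":
    LOSS = 1_000_000.0  # constructed breach cost
    print(f"{'p':>6} {'normative':>12} {'perceived':>12}")
    for p, norm, perc in break_even_table([0.01, 0.05, 0.2, 0.5, 0.9], LOSS):
        print(f"{p:>6.2f} {norm:>12.0f} {perc:>12.0f}")
    print(classify(0.01, LOSS, 20_000))   # rare breach, control above expected loss
    print(classify(0.50, LOSS, 450_000))  # likely breach, control below expected loss
```

Under these assumed parameters, a decision-maker shown a small stated breach probability accepts a control priced above the expected loss, while one shown a large probability rejects a control priced below it.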
There have been many proposals to quantify risk for information security, mostly in order to allow better security decisions. But a blind belief in quantification itself seems unwise, even if it is made correctly. Behavioral economics shows systematic deviations of weighting when people act on explicit risk. This is likely to threaten security and its goals as security is increasingly seen as the management of economic trade-offs. I think that these findings can be used partially to predict or understand wrong security decisions depending on risk information. Furthermore, this motivates the study of how strategic agents may manipulate, or attack, the perception of a risky decision.
Even though any descriptive model of human decision-making is approximate at best, I still believe this work gives a well-articulated argument regarding threats in using explicit risk as a security metric. My approach may also be understood in terms of standard system specification and threat models: economic rationality in this case is the specification, and the threat depends on bias for risk information. I also studied a way of correcting the problem with reframing for two simple security decision scenarios, but only got partial predictive support for fixing problems this way. Furthermore, I have not found such numerical examinations in behavioral economics to date.
Further work on this topic needs to empirically confirm or reject these predictions and study to which degree they occur (even though previous work clearly makes the hypothesis plausible at least to some degree) in a security context. Furthermore, I think that similar issues may also arise with several forms of quantified information for security decisions.
These questions may also be extended to consider several self-interested parties, in game-theoretical situations. Another topic is using different utility functions, and where it may be normative to be economically risk-averse rather than risk-neutral. With respect to the problems outlined, rational decision-making is a natural way to understand and motivate the control of security and requirements on security metrics. But when selecting the format of information, a problem is also partially about usability. Usability faults often turn into security problems, which is also likely for quantified risk. In the end the challenge is to provide users with usable security information, and even more broadly investigate what kind of support is required for decisions. This is clearly a topic for further research since introducing quantified risk is not without problems. Using knowledge from economics and psychology seems necessary to understand the correct control of security.
Estonia’s national security concept
The development of regional and global military cooperation is seen as one of the most important pillars of Estonia’s security strategy, while a concerted effort to domestic security focused on resilience and deterrence is seen as another. Considering Estonia’s defence plan mandates that country’s defence could no longer be restricted to military protection only, armed forces will then be merged with non-military competencies to provide a comprehensive collective defence. National security and the accompanying preparedness are believed to be the responsibility of a multitude of sectors and individuals from both the governmental and corporate sectors, as well as from civil society organisations.
Comparison of the previous two National Security Policies shows that the convergence of security domains alongside ministerial distribution of duties is being substituted by a broad task-based strategy, which is likely the most apparent manifestation of Estonia’s emerging comprehensive strategy. The 2017 National Security Policy also presents the idea of resilience, which appears significantly throughout the paper and is further explored in a distinct sub-chapter for perhaps the first instance.
One of the most important ideas on which Estonia’s national defence policy plans rely is “whole of government” plus “whole of society,” which combine together the two most important parts of the comprehensive strategy framework and the notion of “resilience.” Therefore, it is vital to recognise that such revamped conceptual ideas have garnered a reasonably positive reception from the general public. In addition, the notion that national security should be a shared responsibility of the whole population is widely accepted in Estonia. Consequently, Estonians have high expectations for a complete security and defense architecture, indicating both the intentional robustness of the majority of the people and its ability to adapt to changing circumstances. It is possible to interpret such huge backing for national defence as a byproduct of securitization. In this way, the notion that perhaps a comprehensive strategy towards defence can ensure a country’s security is supported by a large number of people who believe it.
With regard to Estonia, the comprehensive strategy was first embraced as an aspect of a progressive European security thought that was gaining popularity at the same time that Estonia was actively integrating into NATO and the European Union. During that time period, it was considered a viable alternative to the classic territorial defence concept. Beginning in 2008, during the course of the August War, incidents in Georgia’s national defence concepts began to take on enormous importance. But it was in 2014, following the invasion and occupation of Crimea and the outbreak of violence in eastern Ukraine, that it became clear that these two notions are not in competition with one another. As an alternative, a comprehensive strategy might be seen as an essential supplement to the territorial defence paradigm in order to achieve greater advantages in terms of resilience as well as deterrence capabilities.
Accordingly, Estonia has adopted a comprehensive strategy for national defence that emphasises the necessity for coordination and cooperation across multiple government agencies in order to develop a cohesive response in the event of a crisis. When the breadth of cooperation across nearby but diverse domains is taken into account, the relevance of defence strategy may be appreciated in detail. There are also five other areas being evolved in contrast with military defence, like civilian assistance for national defence, international operations, internal stability, preservation of successive society and the political processes by providing essential services, and, last but not least, proactive sharing of information and psychological operations. According to the Estonian government, the following ministries are responsible for different tasks: the Defence Ministry is instrumental in the advancement of military protection and civil assistance for military defence, the Foreign Ministry is central to global pursuits, the Interior Ministry is responsible for general and internal security as well as the upkeep of the country’s and society’s sustained functions, and the Government is concerned with strategy and psy-ops. These responsibilities are maintained in the revised defence plan as well. It is worth highlighting that, rather than three different laws governing the defence industry in peacetime and conflict, as well as international collaboration, the revised national defence policy, in accordance with the comprehensive strategy rationale, consolidates various regulatory sectors into a single body.
Security Environment & Threats
The Estonian security environment is influenced by the country’s global developments and cross-border risks. Estonia’s NSC for 2017 recognises asymmetric risks which do not respect national boundaries and whose origins are impossible to discern. At the same time, they have an impact that is comparable to that of conventional security risks. Islamist terrorism has been a persistent concern in the West since the 9/11 bombings on the World Trade Center. Middle Eastern and North African countries with unstable governments offer a continual terrorist danger to the West, harming Estonian security. Terrorism is among the greatest security dangers confronting average citizens throughout Europe. Estonia pays attention to European events. Numerous incidents have occurred in Europe during the previous two decades, including bombs in London and Madrid, a shooting incident at Frankfurt airport, and the Paris terror attacks. As a result of this, Estonia has included global crises and unequal socioeconomic progress as security risks in its policy paper. When Hosni Mubarak was ousted in Egypt, Muammar Gaddafi was executed in Libya, and civil war erupted in Syria and Yemen as a result of the Arab Spring movement, Europe might have been the most adversely affected region. There was an international flood of refugees that will continue for the next decade as a result of the said incidents.
It’s been Russia that has posed the greatest external danger for Estonia during the previous decade. The Russians have employed a variety of strategies to attain their objectives. Additionally, Russia has boosted its troop involvement in the Baltic Region and along the Baltic Countries’ borders. Confrontational and aggressive Russian acts may be seen for instance in military drills and air boundary breaches as well as threats to use nuclear weapons. As a result, Russia poses a danger to the whole Euro-Atlantic area, as it has the potential and inclination to utilise a wide range of non-military armaments: armed, economic, energy, or informational. War, crises, and conflict have occurred in Russia and the surrounding area on a regular basis. There were two direct transgressions: the 2008 conflict in Georgia and the current conflict between Russia and Ukraine, which continues to this day. The rioting in April 2007 (including the assault on the Estonian Embassy in Russia) and the kidnapping of an Estonian security law enforcement officer in 2014 are examples of indirect confrontations that have taken place since. Russia has also demonstrated its digital prowess in a global setting. According to this paper, cyberattacks have been taken into account as factors that affect security because Russia launched a cyberattack against Estonia in April 2007.
While the challenges to Estonia’s security environment have evolved over time, the purpose of protecting the country has remained constant. Keeping Estonia’s national sovereignty, territorial integrity, constitutional order, and national security intact is essential to the state’s mission. Human rights, basic freedoms, and also the achievement of core human ideals are all intertwined in a country’s security measures. By building civil society and enhancing the country’s worldwide standing, democratic ideals assure the long-term viability and sustainability of society.
Aiming to create solutions that might benefit other nations in the face of global crisis is becoming increasingly important as their impact on Estonia grows. Rule-based world order must be maintained through adhering to international law and the United Nations Charter. As a result, humanitarian assistance and human rights protection are deemed essential. These initiatives have broad worldwide backing. While other Baltic states are more concerned with protecting human rights within virtual environment, Estonia stands out for its emphasis on unfettered Internet access.
Euro-Atlantic collaboration has always been the most important factor in ensuring Estonia’s security, both before and after joining the EU and NATO. There is no doubt that NATO is Estonia’s best defence against a potential attack, and thus active participation is a national issue. As a member of NATO, Estonia regards the United States as a vital ally in the country’s security because of its foothold in Europe. Additional collaboration with security-related organisations is crucial to Estonia in order to maintain global and regional equilibrium. There will be a lot of focus on conflict avoidance and the United Nations’ ability to handle global concerns. The Estonian government also endorses the OSCE, which strengthens Estonia’s ability to engage in the EU’s Common Foreign and Security Policy. Estonia, on the other hand, has not particularly emphasised enhancing collaboration and actively participating in crafting the security policy of the relevant organisations.
Estonia believes it is critical to limit conventional firearms in Europe, therefore it wishes to join international arms reduction treaties. It highlights the critical role of the country in preventing the trafficking or unlawful movement of weapons of mass destruction including their parts through their borders. Estonia has cordial ties with the Nordic states, the NSC affirms. Close collaboration with these nations has benefited Estonia’s economy and bolstered the country’s defence capabilities. Estonia seems to be eager to develop Nordic-Baltic military cooperation on a regional and global scale and also desires an open discussion with Russia as well as practical collaboration.
Protecting Living Environment
The state of the natural environment and general wellbeing in Estonia, as well as the socio-economic scenario, contingency planning, uninterrupted access to essential services, food, and potable water, and the potential of societal cohesion to effectively deal independently in the situation of a prolonged disruption of essential services are the primary factors influencing the security of the Estonia’s environment. Storms and floods are the most common natural disasters that create crises in Estonia, with storms accounting for the majority of incidents. Active civil assistance is being established in order to cope with crises, which strengthens society’s preparedness to manage with emergency situations that may be fairly expected and planned for. To do this, it is necessary to improve public knowledge of possible threats as well as available mitigation methods. Improved environmental conditions are encouraged in Estonia by promoting environmentally sustainable principles and behavioural habits among the population. This is accomplished through the management and execution of pollution countermeasures, the efficient utilisation of natural resources, and waste minimization. Estonia is putting in place measures to avoid the spread of ecologically dangerous chemicals as well as to detoxify polluted land and water areas. Social and economic concerns have an impact on the living environment as well. As early as 2004, the NSC stressed the need of addressing labour market issues, implementing a viable social security structure that incorporates at-risk populations, and training a qualified workforce in significant numbers to assure sustained economic growth.
Tracking, controlling risk, and coping with the repercussions of climate change are all examples of strategies for reducing the hazards associated with climate change. Cooperative efforts are created with the worldwide community, local governments, the corporate and nonprofit sectors, as well as the scientific community, in order to achieve this goal. International collaboration also involves marine traffic management and maritime pollution monitoring, among other things.
Estonia, like its surrounding countries, is cognizant of the potential dangers posed by radiation. Nuclear power stations within the Baltic Sea region that are more than a decade old are regarded as potentially risky. Estonia engages in worldwide efforts to improve radiation protection in the Baltic Region, being part of a global effort. Early warning systems are in place to identify radioactive mishaps in adjacent nations at an early stage, allowing for faster response times.
International Conflicts and Crises Response
Engagement in crisis response and peacekeeping operations is a significant component of Estonia’s national security strategy. The goal was to design a crisis management framework that would take into account military, regulatory, and financial concerns, among other things. Involvement in international combat operations and civilian initiatives provides the country with an excellent chance to gather valuable expertise. Meanwhile, they represent vows to make a positive contribution to the improvement of regional stability within the immediate area and throughout the globe. When there is an internal emergency, the first responsibility is to secure the survival of the populace. Specifically, the state believes that emergencies may be avoided and their repercussions minimised by collaboration with the general public, local municipalities, government entities, corporate and non-profit organisations, and other organisations and individuals. The duty of the state is to strengthen the information management system of the people and to offer instructions for appropriate conduct in emergency circumstances to the public through various communication channels, including radio and television. All types of exercises have already been extensively researched and designed with the goal of incorporating the greatest number of people feasible. Aside from this, assistance has been granted for voluntary initiatives that try to avoid dangers and deal with the early indications of calamities.
The functioning of critical services is tied to the occurrence of emergencies. The state conducts a rigorous investigation into the interruptions of critical services and the dangers that might result in the suspension of services. To mitigate this, public awareness campaigns are created, and trainings incorporating as many participants as feasible are carried out as a preventative strategy. In order to assure effective service delivery, effective collaboration between the government and the private sector is essential. Examples include electronic network infrastructure, services supplied, and vital information platforms that are mostly owned and operated by private companies.
The government must be prepared to manage the humanitarian catastrophe while also providing development assistance. In order to do so, it is critical for Estonia to engage in NATO and EU emergency management operations, as well as the activities of the NATO Response Force and its EU Battlegroups, among other activities. Through development assistance, Estonia enables nations that create a social structure that is tolerant of democracy and human rights, in compliance with its skills and resources. According to the National Security Council’s 2017 report, activity in the fields of development assistance and human rights protection contributes to the creation of an atmosphere that minimises the possibility of conflict and promotes security. So the emphasis is placed on the avoidance of global wars and crises, with the goal of reducing the negative effects on Estonia with its allies as a result of these events. As a matter of fact, Estonia endorses the expansion of the EU and NATO, that will contribute to the strengthening of the Western value sphere both in Eastern and central Europe. Because of the same rationale, Estonia is committed to maintaining positive ties with all of its neighbours.
A tiny yet open economy, Estonia’s economy is strongly reliant on global economic growth. National security, according to the 2004 NSC, relies on effective development and accountability of economic connections as well as a stable influx of foreign investments. As a result of its deep ties to the global economy, the state is very vulnerable to downturns and volatility in other economies. The high reliance on non-Estonian (Russian) monopolised energy systems and sources poses a significant risk to the country as a whole.
Estonia’s energy security depends on the safety of its supply chain and its infrastructure. To break free of energy monopolies, countries in the EU must link their energy grids and increase the variety of energy sources they use. Improving domestic energy efficiency is critical to reducing reliance on foreign energy imports. According to NSC 2017, Europe’s energy policy, which seeks to make the most of available resources inside the EU, will be heavily relied upon in the next years. Estonia intends to increase its use of renewable energy sources for power and heating in the far future.
With the ongoing Ukraine-Russian crisis which has resulted in an altered security scenario for Estonia, ceasing to finance Russia’s military complex will require the state to develop a replacement to Russian gas. The construction of a floating LNG import facility, which has been in the works for more than a decade, might help Estonia lessen its reliance on Russian gas imports. A pier plus an additional LNG ship is part of Alexela’s (energy firm) proposal for the Paldiski harbour on the Baltic Shoreline. The Estonian proposal would ultimately need a state assurance and financial support.
Estonian security policy is rife with ambiguity, both conceptually and practically. Two parallel conceptions of comprehensive security and unified defence have emerged in Estonia, a departure from the typical comprehensive approach. Estonia is able to maintain its well-trodden course of complete defence because of the split between these two terms. Even the decision makers of defence policy generally define Integrated Defense in this manner.
As a result of this misunderstanding, Estonia’s strategic decisions prioritise complete defence and asymmetric warfare. This has repercussions for Estonian perceptions of and definitions of threats. Aside from that, the greatest danger to Estonian security is conventional, which is one that Russia has been more likely to influence in its actions in the post-Soviet realm, for example. A parallel idea of resilience exists in Estonia as a result of this misperception. It appears to mean various things for the Estonian defense community’s uniformed and civilian members. This contrasts with how resilience is understood by the military, which views the concept of resilience primarily through the lens of total defence. Using the Estonian method of resilience in conjunction with a comprehensive approach demonstrates how the military versus civilian sides of the security debate focus on distinct areas of security. As a result of Estonia’s current dual strategy, it is difficult to establish broad societal agreement on the most probable levels of uncertainty, operational methods in such conditions, and long-term investments for the country.
Creation of domestic institutions which are adept in participating actively in international security architecture, as well as mobilisation of the regular military force, are required. This includes clearly defining the responsibilities and duties of all organisations in Estonia engaged in comprehensive national security, as well as accurately analysing the nation’s defense capabilities and conveying the findings to Estonia’s military partners.
Taking the India-Singapore Cyber Partnership Forward
On the sidelines of the recently concluded Special ASEAN-India Foreign Minister’s meeting, Singapore and India agreed on the need to give their relationship a new impetus. The two countries have a robust political and defence partnership with regular engagements. For India, Singapore has been the top source of Foreign Direct Investments (FDIs), and India’s FDI in Singapore has observed an uptick in recent years. The relations between India and Singapore are based on shared values, economic interests, and convergence of perspectives on key strategic issues. Since last year, both have sought to consolidate relations through increased collaboration in information technology and cybersecurity. In February 2022, the two signed a Memorandum of Understanding (MoU) for deepening cooperation in science, technology, and innovation.
As a global data hub, Singapore has a high stake in the cyber domain. It has paid close attention to efforts for maintaining its reputation in cybersecurity and has worked towards a comprehensive national cybersecurity strategy. As a city-state, Singapore has sought to utilize diplomacy as deterrence to ensure its interests in the cyber domain. Today, Singapore is considered a cyber diplomacy pioneer among the ASEAN countries. It plays an active role in discussions on cyber in the United Nations and other platforms. Singapore has put emphasis on becoming the ‘conversation starter’ for acceptable behaviour in cyberspace and has taken a lead in the war against cybercrime. To this end, the city-state has taken steps to build regional and global alliances for cooperation and experience sharing and has emphasized regular cyber exercises for staying ahead of the emerging cyber threats curve.
According to International Telecommunications Union’s Global Cyber Security Index report, Singapore has focused heavily on national cyber defence and has not taken recourse to any known disruptive actions. This highlights Singapore’s commitment to peaceful cyberspace and projecting its image as a law-abiding nation. For enabling safe and secure cyberspace, Singapore has focused on building resilient infrastructure. It seeks to utilize research and development in the cyber domain as a source of ‘competitive advantage’, with the possibility of turning Singapore into an international hub for cybersecurity innovation.
In recent years, Singapore’s cyber insurance market has created a space of its own in Asia. The global cyber insurance market is estimated to exceed USD 20 billion by 2025, with the Asia-Pacific market expected to witness almost 35 per cent Compound Annual Growth Rate (CAGR) between 2019 and 2025. It has been argued that the cyber insurance industry stands to witness exponential growth in the emerging climate of record ransomware attacks and cyber incidents.
Singapore updated its cyber security strategy in 2021, which goes beyond critical sectors and seeks a more proactive stance toward cyber threats. While focusing on cyber resilience and capability development for detecting and analysing malicious cyber activities, the plan looks at developing a ‘Made in Singapore’ solution for creating Singapore’s cybersecurity ecosystem. Further, the strategy also underlines the need for addressing ‘dilemmas of digitalization’, such as geopolitical tensions in cyberspace.
Notwithstanding Singapore’s military capabilities, Singapore (like its ASEAN counterparts) believes that escalating cyber incidents might not be beneficial for small states, as they would want to avoid cyberspace conflicts spilling over beyond the virtual domain. However, while the ASEAN seeks neutrality in the emerging tech rivalry between the US and China, Singapore’s emphasis on ‘ASEAN centrality’ is far from elementary.
Singapore is referred to as the anchor of the US naval presence in Southeast Asia and enjoys long-standing defence ties with the Quad countries. In August 2021, Singapore inked an MoU with the US for expanding information sharing and training to combat cyber threats. However, along with a deep partnership with the US, Singapore balances strong ties with China. While the US remains vital for regional security dynamics, especially in the shadow of increasingly aggressive Chinese maritime manoeuvres, Beijing stands as Singapore’s most important trade partner.
Thus, for Singapore, any partnership which falls outside the ambit of the great power rivalry will have a central role in its strategic thinking. As an emerging tech powerhouse, India possesses natural viability for strategic partnership with Singapore.
For India, there are several dimensions where Singaporean experiences are valuable. The delay in finalising a National Cyber Security Strategy has regularly highlighted New Delhi’s difficulty in opting for the best available policy options in cyberspace. It is argued that India needs to review its cyber-defence policies and should give equal attention to building cyber-offensive capabilities for deterrence. New Delhi’s narrow focus on cyber threats from Pakistan and China has also been pointed out by some as a constrained approach.
Like Singapore, India has balanced the Western and the Eastern views on cyber diplomacy tables. India seeks to safeguard its strategic autonomy and cyber sovereignty while adopting a multi-stakeholder approach. However, recent laws, like the mandate on Virtual Private Networks (VPNs) to store customer metadata, highlight the increasing significance of keeping unrestricted and undesired cyber activities in check. It has been reported that as the tech sector grows in India, cyber incidents like ransomware attacks, which affected a staggeringly high 68 per cent of India’s organizations in 2021, will necessitate a mature cyber insurance market for organisations and businesses at all levels.
The tech neutrality sought by the ASEAN countries has been visible on the 5G issue. While the US has sought to influence countries across the globe to avoid Chinese firms like Huawei over security and espionage-related concerns, governments in Southeast Asia have voiced their discomfort in choosing between the two sides.
The Singaporean PM had downplayed the security concerns over Huawei, saying that it is not ‘a black and white issue’, and that Singapore will carefully study the impact of 5G technology to decide. Unlike most Southeast Asian countries, India has decided to go ahead with indigenous alternatives. For India, a successful 5G experience can consolidate its tech leadership credentials further.
As a global tech war accelerates and a digital divide between the two super cyber powers and the rest of the world emerges, middle powers will be compelled to seek convergence for safeguarding their national interests. As leaders in tech and innovation, India and Singapore stand as natural partners in the Indo-Pacific, as well as beyond.
(Views are personal)
Unmasking India’s IB and RAW
India’s prime minister Narendra Modi granted a year-long extension in service to the retiring heads of India’s Intelligence Bureau (Arvind Kumar) and the Research and Analysis Wing (Samant Kumar Goel). Both officers are specialists in the art of disinformation and insurgency. They masterminded the so-called Balakot strikes inside Pakistan. Besides, they mounted a world-wide Pakistan-bashing campaign that resulted in Pakistan’s isolation in the comity of nations. Pakistan’s FATF woes could veritably be attributed to the machinations of the said two officers. They are protégés of India’s national security czar Ajit Doval. Doval himself boasts of having carried out covert activities in Pakistan for about eleven years. He did not care a fig for violating diplomatic norms while posted in Pakistan.
Difference between the Intelligence Bureau and RAW
The common belief is that the IB and the RAW have separate domains. But, in actual fact, both organisations coordinate their activities. Like the RAW, the IB also has its offices abroad. In his book, RAW: A History of India’s Covert Operations, Yatish Yadav makes startling disclosures about the activities of India’s intelligence agencies. In a chapter titled “Hunting the RAW traitor”, he reveals the career of the RAW agent Rabinder Singh, an ex-Army man who sold national secrets to the CIA for money. Singh was outwardly a religious person who had a penchant for quoting from the Hindu religious book Bhagwad Gita. He led parallel lives and passed on classified information to the foreign power. Although given asylum in the U.S., he was soon forsaken by the CIA and met with an unexplained road accident there. The accident was masterminded by the RAW.
The Intelligence Bureau (IB) is the national domestic internal security and counter-intelligence agency that works under the Ministry of Home Affairs. It was formed as the ‘Central Special Branch’ on December 23, 1887, which was later renamed as ‘Intelligence Bureau’ in 1920. The organisation mainly focused on National Security activities. According to an article published in Jagaran Josh, the Intelligence Bureau (IB) is said to be the oldest surviving intelligence organisation in the world.
About Research and Analysis Wing (RAW)
Initially, the IB was only responsible for India’s internal and external intelligence, but in 1968, it was bifurcated and left with internal intelligence only, while its external branch was handed over to the newly created Research and Analysis Wing (RAW).
The bifurcation took place after the IB’s lapse in intelligence about the Sino-Indian War of 1962 and the India-Pakistan War of 1965. So the Research and Analysis Wing (RAW) was founded in 1968 to counter external security threats. The RAW provides intelligence to policymakers and the army, and it keeps a close eye on the activities of the nation’s neighbouring countries (China, Pakistan, Sri Lanka, Myanmar, etc.).
Generally, the IB is the national internal intelligence agency that maintains the internal security of the nation, while RAW is an external intelligence agency that keeps an eye on international threats. The main functions of the IB include counterintelligence, counterterrorism, VIP Security, anti-secession activities and intelligence collection in border areas. RAW on the other hand collects secret information about the activities of neighbouring countries. IB functions under the governance of the Ministry of Home Affairs, while RAW has been placed directly under the Indian Prime Minister’s office. IB gets its employees from the Indian Police Service, law enforcement agencies and the military, while RAW has its own service cadre known as the Research and Analysis Service (RAS). Initially RAW was also dependent on the services of trained intelligence officers from the military, police and other services for its candidates.
The RAW’s objectives include:
Monitoring the political, military, economic and scientific developments in countries which have a direct bearing on India’s national security and the formulation of its foreign policy.
Moulding international public opinion and influencing foreign governments.
Covert operations to safeguard India’s national interests.
Anti-terror operations and neutralizing elements posing a threat to India.
Controlling and limiting the supply of military hardware to Pakistan, mostly from European countries, America and, more importantly, China.
The RAW stoked insurgency in East Pakistan that led to the dismemberment of Pakistan. The Indian army and other agencies acted in tandem.
Another event shows that Indian diplomats developed deep ingress in Islamabad. On May 29, 1988, a senior official of the Pakistan Intelligence Bureau was abducted in Islamabad. India alleges that his abductors were personnel from the Inter-Services Intelligence Directorate (ISI). According to their own account of the incident, narrated in the news magazine Herald, they beat up the IB official until he revealed the location of a secret telephone exchange that was monitoring calls made by Zia-ul-Haq.
Kulbhushan Jadhav’s story speaks volumes on how India penetrates even its serving officers to carry out sabotage and subversion in Pakistan.
‘Disinformation’ (Russian dezinformatsiya) is a concept that finds mention in Sun Tzu’s Ping Fa (Principles of War). Even before Sun Tzu, Kautilya in Arthashastra supported disinformation as a civil and military warfare tool within his concept of koota yuddha (unprincipled warfare as distinguished from dharma yuddha, righteous warfare).
Tzu’s and Kautliya’s principles were used not only in World War II but also in the Cold War period (to hoodwink own and foreign people). Richard Deacon says, ‘Truth twisting…unless it is conducted with caution and great attention to detail, it will inevitably fail, if practiced too often… It is not the deliberate lie which we have to fear (something propaganda), but the half-truth, the embellished truth and the truth dressed up to appear a something quite different’ (The Truth Twisters, London, Macdonald & Company (Publishers) Limited, 1986/1987, p. 8). He gives several examples of disinformation including subliminal disinformation by which the truth can be twisted so that the distortion is unconsciously absorbed, something which both television and radio commentators have subtly perfected’ (Ibid., p. 9). In the USA, the Creel Committee, through false anti-German propaganda turned pacifist Americans against Germans.
Disinformation influenced even independent-minded Americans who laid down a constitution beginning with the words ‘we the people’. Yet Chomsky says the American masses are like a “bewildered herd” who have stopped thinking (Noam Chomsky, Media Control: The Spectacular Achievements of Propaganda, p.16). He asserts that in a “properly functioning democracy”, there is a “small percentage of the people”, a “specialised class of citizens” who “… analyse, execute, make decisions and run things in the political, economic, and ideological systems”. Chomsky reminds us, ‘Woodrow Wilson was elected President in 1916 on the platform “Peace without Victory”, right in the middle of World War I. The American population was extremely pacifistic and saw no reason to become involved in a European War. The Wilson administration established a government propaganda commission, called the Creel Commission [Committee], which [through fake news, films, etc.] succeeded, within six months, in turning a pacifist population into a hysterical, war-mongering population which wanted to destroy everything German, tear the Germans limb from limb, go to war and save the world…. After the war, the same techniques were used to whip up a hysterical Red Square…’ (ibid., page 12).
Fifth-generation war is believed to be a vague term. George Orwell (Politics and the English Language) suggested that trying to find a clear-cut definition of fifth-generation or hybrid war would reveal exactly that kind of vagueness, with the use of important-sounding, pseudo-technological words to impress readers and convince them that this war is being fought at a level the layperson cannot comprehend. However, India has proved that it understands the dimensions of the fifth generation war or fake news. It knows how to apply its techniques to achieve its objectives. It is time for Pakistan to wake up.
EU Lab belatedly discovered a world-wide network that spread disinformation against Pakistan. Even prestigious Indian newspapers sometimes publish reports or articles that smack of being pieces of state-sponsored disinformation. Harvard’s criteria for detecting fake news could be applied to disinformation bloomers. Harvard suggests ‘everyone should vet a publisher’s credibility first and then check all the sources and citations’. James Carson offers tips in his article ‘Fake news: What exactly is it – and how can you spot it?’ (Telegraph, January 31, 2019).
Disinformation camouflaged in Op-Eds is hard to detect as they do not usually quote their sources of information. A case in point is Shishir Gupta’s article ‘In Imran Khan’s 18-point Kashmir plan for Aug 5, outreach to Turkey, Malaysia and China’, published in Hindustan Times dated July 28, 2020.
RAW officers speak many languages such as Chinese, Russian, Arabic, Sinhalese, German, Polish and Urdu. By the time of Morarji Desai, RAW had a staff of “more than five thousand on its payroll”. Desai turned out to be inhospitable to RAW and Kao, and K. Sankaran Nair left the organisation. N.F. Suntook took charge and “saved the agency”. RAW “recruited trained and deployed informers and covert action teams in the USA, Iran and several European countries as well as in India’s immediate neighbours. It also employed analysts, polygraph examiners, cartographers, linguists, economists and political analysts to defend the country from internal foes and external enemies. While the I.B.’s mandate was essentially within the country, it also opened offices at times on foreign soil. As is to be expected, the two agencies joined hands, and at times fought over turf to the detriment of the common cause.
In Bangladesh, RAW combated the influence of the CIA and Pakistan. The assassination of Sheikh Mujibur Rahman was a big blow and a much-chastened RAW regrouped to regain its lost influence in Bangladesh. By November 1988, RAW’s station head, code-named Krishna Patwardhan, had set up the necessary network in Bangladesh, to target elements that were hostile to India.
RAW saw spectacular action in other theatres as well. On March 20, 1988, RAW operative Anupam Malik began to carry out ‘Mission Fiji’, “aimed to disrupt and dismantle Fiji’s military regime” that threatened to upset the ethnic balance in Fiji. Attempts were being made by this regime to deny political rights to ethnic Indians, most of whom had been immigrants to the country during the British Raj. ‘Deporting all ethnic Indians to India’ was a distinct possibility. By the 1990s Sitiveni Rabuka, the strongman, was honey-trapped and compromised by RAW agents in Fiji and had to abdicate political power.
Similarly, RAW’s involvement in Afghanistan, we learn, began with the Soviet Union’s invasion of the country. The agency’s operatives carried out missions right through the chequered regimes of Taraki, Amin and Karmal, encountering opposition from Pakistan’s Zia ul-Haq and the Taliban at different times.
In Sri Lanka, RAW propped up the Liberation Tigers of Tamil Eelam (LTTE) and had to follow the contradictory path of support and opposition following the dictates of the political masters in Delhi.
In the chapter titled “Shadowy War in Washington”, we see the RAW operative code-named ‘Blue Sky’ track down the Khalistani leader Jagjit Singh Chouhan and successfully penetrate the World Sikh Organisation, the International Sikh Federation and the Babbar Khalsa International. While the traditional rivalry between the I.B. and RAW continued, according to RAW operative Krishna’s candid opinion, “the I.B. proved to be far superior in the Canadian theatre than the RAW.”
RAW’s cover officers, including RK Yadav and B. Raman, make no bones about India’s involvement in Bangladesh’s insurgency. They admitted that India’s prime minister Indira Gandhi, parliament, RAW and armed forces acted in tandem to dismember Pakistan. Raman reminds us that the Indian parliament passed a resolution on March 31, 1971, to support the insurgency.
Indira Gandhi had then confided to RAW chief R.N. Kao that in case Sheikh Mujib was prevented from ruling Pakistan, she would liberate East Pakistan from the clutches of the military junta.
In order to sabotage the China Pakistan Economic Corridor (CPEC), a cell had been established in RAW with the sole objective of disrupting it, and the cell worked ‘under the supervision of the Indian Prime Minister’.
Yet another book (Terror in Islamabad) has been published by an officer Amar Bhushan who happened to have served as a diplomat at the Indian High Commission Islamabad. Before being posted to Islamabad, Bhushan had served as an officer of India’s premier intelligence agency Research and Analysis Wing, Border Security Force Intelligence, and State Special Branch for a quarter of a century. His book mentions another RAW officer, Amit Munshi (real name Veer Singh) posted as Cultural Attache.
Since time immemorial diplomats have enjoyed immunity in countries where they are posted. International conventions govern their conduct in host countries. If a diplomat is caught red-handed violating norms of diplomatic conduct, he is declared a persona non grata. Bhushan’s book reveals that Singh’s assignment was to “identify potential Pakistanis for subversion”. The familiar elements of intelligence craft are espionage, sabotage and subversion. India added one more element, “insurgency”, to the intelligence craft if we go through another RAW officer’s book The Kaoboys of R&AW: Down Memory Lane. B. Raman makes no bones about India’s involvement up to the level of prime minister in Bangladesh’s insurgency.