Meet Tanel Sepp, Ambassador at Large for Cyber Diplomacy at the Ministry of Foreign Affairs of Estonia. He talks with Joe about navigating Estonia’s security strategy as the country emerged from the 2007 cyberattacks to become an international leader for digital governance, banking, and media. Learn about the latest advancements in cyber law, public-private partnerships, and multi-national bodies that are coordinating cybersecurity thought leadership and response activities.
Tanel on X (Twitter): @tanel_sepp
Tanel on LinkedIn: linkedin.com/in/tanel-sepp-79b89226b
Joseph Carson:
Hello everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the show, Joe Carson, chief security scientist and advisory CISO. And it's a pleasure to be here with you today and this is a very special edition because very rarely do we get to do these opportunities of the podcast in person. It's been quite a while. I think one of the previous times we did this was back in RSA where we actually did a couple of episodes in person with the awesome John Hammond, Pamela Dingle and it was fantastic episode. So really glad to be back in person again. And this really changes the atmosphere. It really gets more exciting for me. It allows a really intriguing discussion. So I'm actually joined by a very special guest today, so I'm going to let Tanel introduce yourself. If you want to, Tanel will give us a bit of a background about who you are, what you do, and some fun things about yourself.
Tanel Sepp:
Well, hello first, and thanks for inviting me. My name is Tanel Sepp. I've been an Estonian diplomat now for twenty-one years. And for the past two years, I have been Estonia's Ambassador-at-Large for cyber diplomacy as well as head of digital and cyber diplomacy department. But let me say also that, for me, as a diplomat, it's more natural to speak really face-to-face because you cannot do diplomacy only through Zoom or any other device. So I'm really happy to do it in person.
Joseph Carson:
Fantastic. And it's a pleasure to have you here. Has Estonia had a cyber ambassador for a long time, and how did you get into the role? What did you do prior to becoming the cyber ambassador for Estonia?
Tanel Sepp:
Well, I am the second cyber ambassador. We've had this digital cyber profile for many years now because we have been in the forefront of digitalizing our governance and the whole society for many years already. But I got into the cyber sphere actually when I was serving in D.C., in Washington. And one of these tasks I had, and I was there as a deputy head of mission, was to engage more with Congress, and I went to DC in 2012 and then it was really scratching every single door trying to talk about our security situation. But it was real difficult.
Of course, I was in DC until
Joseph Carson:
nts over the years, including
Tanel Sepp:
o paperless mode already near
So there's a lot of this background noise in terms of what we have been really trying to do, and it has become kind of part of our DNA to do things online. I also served in Afghanistan a long time ago, 2009 until 11. And I do remember I was carrying out also elections for Estonian soldiers in Helmand and I had this ballot box with me, and we set up tents and the small booths for our guys to be able to vote. And then, it was so funny for me. I was really proud that there was a line waiting to cast the vote, but around half of the guys told me that, no, no, no, I'm not coming. I have my ID card, I can vote online. That kind of hit me that this is where we are already. So it's kind of, as I said, part of our DNA to do things online. I mean, why should you go and then stay-
Joseph Carson:
... Stand in queues and, especially, the weather here is not something you want to be spending time going, and standing in queues, and waiting for long lines and finding parking. One of the things I always say is that what changed in Estonia is that it's really emphasized on reducing wasted time. And that's one of the things we always talk about in the world. What's the most valuable things? And some people talk about real estate, some people talk about data and cryptocurrencies and so forth, and oil and energy, they focus on the physical things. But I always look at what things do we have personally that we all have limited of, and it's time and the less time I spend wasting in queues and filling in forms and filling in forms multiple times with the same data, the better it is for my life, and it gives me time back. And that's one thing I enjoy about Estonia is it actually focuses on reducing the waste of time and allowing the citizens to really do the things that matters the most and prioritize that.
Tanel Sepp:
In my mind, I put it the other way around, it's not reducing the waste of time, but it's really gaining time for whatever you want to do.
Joseph Carson:
Absolutely. It's giving you the time to do the things you enjoy.
Tanel Sepp:
Exactly. And I mean, I've seen quite many these different presentations from different distilled authorities about the X-Road, the kind of backbone system we have for this, or just the governance, and that has been this one picture of a young couple in a park. And that is exactly the reason why we're doing it so that you would have time for your family, for your hobbies or for whatever else you want to do. And as I said, we are all equal in terms of the time we have.
Joseph Carson:
of Estonia. What happened in
Tanel Sepp:
I mean, we don't like to interact anyhow with other people.
Joseph Carson:
Yes.
Tanel Sepp:
ter having lived here. So, in
Joseph Carson:
It's walkable.
Tanel Sepp:
Exactly. But whatever we do, and this has been throughout the years, is that every single decision by Estonian government that is somehow linked to our history or linked to Russia, our neighbor, is always taken up by Russians in one or another mode. We saw riots in Estonia and, as I said, we don't like to interact with other people and rioting is not anything. I mean, this is so far from our ideal life that this is really a rare reaction. So, obviously, there was some instigation behind that and Estonian police was quite resolute in putting the riot down and then hacks or DDoS attacks started. It was the first time when a whole government or so many different services from the public and private sector were targeted.
So it was our banking sector, our media. I remember I could not access my work email for a week or so, and I was... Here's one life hack that I was given at that time when the riots happened, and Estonian media was down. I was watching CNN in my Brussels apartment and somebody told me, through Skype then, "Hey, check the weather forecast sites." They have also live cameras and directed to the central television and there we could actually see, I mean, real-time, what was happening. Having this open mind and thinking outside the box is one thing, but anyhow, this event, and today, I don't want to overemphasize what happened. We had DDoS attacks, services were taken down, we managed to restore the services quite fast and that is a really important lesson for anybody for the future. But the most important thing there was that these attacks brought cybersecurity as a theme to politics.
Joseph Carson:
Absolutely. Before, because I've been in the industry for quite a long time and I don't remember any time prior to that it being on a top agenda for any government or in the political scene, even on the media side. Of course, there's the anonymous side of things that happened prior to that. There was lots of DDoS attacks that happened in the years before, but I think this is really the first one that really targeted a society at a large. I think even the media made it out to be more than what it... Because I remember, yes, things were slow for a few days, but basically, the Estonian government and IT responded very quickly and within a few days everything was back up to normal. If you're outside Estonia, you probably had a bit more difficulty accessing systems in Estonia, but if you were in the country within a few days, things were back to normal almost. Yes, things were a bit slower, but I always felt that, from the outside and the media made it that it was bringing the country to a standstill. But yeah, it was inconvenient.
Tanel Sepp:
I mean, for me, if I want to paraphrase one saying, it would be like, thanks Putin. I mean, this really gave additional attention to what we were already doing in Estonia, and for example, these attacks really helped to restart developing thought around cybersecurity and cyber defense in NATO. We already had established our own national Cyber Defense Center of Excellence, but that helped to gather further political support and after these attacks since then we have the NATO Cooperative Cyber Defense Center of Excellence, which is one of the best think tanks in ...
Joseph Carson:
Absolutely. It's really getting to the point where it's able to now start analyzing all the capabilities and all the resources happening about some of the best practices about the cooperation and really bringing lots of countries together to cooperate and work together. It really took a lot of those previously where there's lots of walls down and sharing of information and that's one of the places that actually enables those important discussions.
Tanel Sepp:
Absolutely. We didn't have this kind of center before and right now, seeing what the center is doing, I mean, they're still organizing the world's largest live fire-
Joseph Carson:
... Locked Shields.
Tanel Sepp:
Locked Shields and working on international law, which is really important for us. Or CyCon conference, which I do believe is one of the best regional cybersecurity conferences, at least in Europe.
Joseph Carson:
Absolutely. I think, for me, the important part of it is it brings all the key leaders and thought leaders and those who are working in the field all together in one place to have really important discussions.
Tanel Sepp:
nd it doesn't mean that since
Joseph Carson:
ming of the [foreign language
Tanel Sepp:
I mean, the origin of that is in the fact that in the Soviet Union... I mean, one thing that Soviet Union was good was science and building rockets, and we had quite many engineers. We had the Institute of Cybernetics already from the sixties, so we had the School of Engineers that could really build up different systems and I mean, to be honest, in '91, when we regained independence, we were poor. And this is actually the reason why we are so good now. Was that we could not afford buying off-the-shelf solutions. We had to build our own solutions.
Joseph Carson:
One thing I always admired about Estonians is that when something breaks, they're not just focused on replacing it, they're adamant on repairing it. I'm sitting here, I've got soldering irons and stuff, but pretty much every Estonian household has a soldering iron, has a set of tools, and every time I see something that's break... I remember, even with my father-in-law, we had traveled places and when we went to stay in a hotel, and he had found something that was broken, he could not leave until he actually fixed it. Clocks, TVs, radios. And I think I always admired it because absolutely, you're right. Is that the key thing is Estonia was, even during Soviet times, was that key center for mathematicians, for science, for cryptography, for engineering and programming.
That was that key part, and I think that was one thing that a lot of Estonians excel after the re-independence was that key knowledge that was here and the ability to do things on a shoestring is that do things, you had to build it yourself. You people able had to develop it and create it, and that was a great, I think, foundation to start with.
Tanel Sepp:
And it's still an asset for us, because whenever I go around the world and speak about Estonian experience or our diplomats are doing the same, then our story of being quite poor after the collapse of Soviet Union and now seeing where we are now. I mean, we have done huge developments, and we have gained so much, so much credit goes to the digitalization and what we have done in this sphere that this story, it's also quite relatable to our global partners. Yes, the question, of course, is about education and how do you build up the school of engineers and the school of people who can really do the development work, but nevertheless, I mean every country has its own universities institutes. The question is how do you really utilize this knowledge base.
Joseph Carson:
And what the focus on and what's the core elements. Exactly. I think that's critical. So going back to your role as a cyber ambassador, what do you do, and what types of activities do you get involved into? Do you work closely with other... I mean, I don't believe every country has cyber ambassadors. I've met a few, but who do you interact with in other countries, and what types of activities and resources do you create?
Tanel Sepp:
Oh, that's a somewhat loaded question for me. Well, if you think of what we talked just before about where Estonia is and what is Estonian story, it is about digital nation and how we survive in the world. I would also add that there's no way for Estonia to go back to paper-based services.
Joseph Carson:
No, physically, I don't think even the citizens would want to.
Tanel Sepp:
No.
Joseph Carson:
I mean, one fundamental moment last year, I believe, was that in the local elections last year, that it overtook for the first time, the e-voting or internet voting, was actually more than, the electronic voting. So that was a significant, I think, event showing that's the direction people want...
Tanel Sepp:
The internet voting.
Joseph Carson:
Internet voting, yes.
Tanel Sepp:
Because electronic voting could be something that-
Joseph Carson:
... Pushing a button on a machine. Yeah, I always try to do internet voting versus electronic, because in the US they sometimes think of that as the same thing, but here it's two distinct as one is using, not going to location of pushing a button, you're doing it from your own device in your own time at your own location.
Tanel Sepp:
And soon we'll see also mobile phone.
Joseph Carson:
So going back to one of the things you were saying about...
Tanel Sepp:
So, there's no way to go back to paper, which means that for our kind of existence, our functioning of the society, what we need is stability and predictability in cyberspace. Cyberspace obviously is not just one country's business, so it's really international. It's a multidimensional, it's multi-stakeholder approach. I mean, all these multi-words. So my role really is to represent Estonia in this global forum in the regional forum to make sure that the policies we commonly decide upon would increase the stability of the cyberspace because this is really...
Joseph Carson:
More cooperation and consistency and same terminology and...
Tanel Sepp:
Same terminology. That's actually one big question, but also this kind of key aspects of international law. What does sovereignty, for example, mean in cyberspace?
Joseph Carson:
There's big questions right now in the U.S. about what does material mean with the SEC, launching the new rules into what does data owner refer to? There's lots of those things about every country, even go back to the U.S. when I talked about data collection, that can mean many different things. So terminology for me is that yes, we all have the same, sometimes, terms, but do we have the same understanding of those terms and phrases and meanings?
Tanel Sepp:
Or even would data be a subject in international law? I mean there are many, many questions here, and we are focusing a lot specifically on the international law. We do have a lot of expertise there. So, on a global scene, for example, everybody has agreed more or less that international law is applicable in cyberspace. The question is how?
Today, with the war against Ukraine, obviously we're also talking about international humanitarian law, so basically international norms during the wartime. What does it mean? So we can easily see this global competition. In the techie world, there's this huge global competition that we talk about, that is about the chips and then all the industry, access to data, access to AI and all this. But we do have a global competition that has been there for years and years in terms of how do we interpret what's happening internationally in cyberspace. We can talk about, as an example, the internet governance. We do have countries that do not like this multi-stakeholder approach. We coming from Estonia, we see that as one of the main building blocks for stability.
Joseph Carson:
Absolutely. Which results in a lot of countries still having laws that allow safe havens for criminals to operate in. That's one of the challenges and that's why I think this is such an important role is to make sure that we have fewer places in the world where criminals have the free rein to operate from and the diplomacy and policy and transparency and cooperation is one of the foundations that reduce that where possible.
Tanel Sepp:
Absolutely. But it's so difficult. So difficult in the sense that in the UN we operate under the consensus, and you are in the same room with the Russian Federation, with Iran, Syria, China and North Korea.
Joseph Carson:
And they all have different values and different ways of looking, but we have to always find what is the common ground. I think that's one of the things is what's a common? Unfortunately, sometimes it's the things that we don't have the same values that can become the focus and the highlights rather than finding what can we do together.
Tanel Sepp:
For me, what the past two years of my cyber ambassador job has really shown is that values really matter and values also matter in a sense that value-based policies can easily become issues for security policy. This kind of connection between value-based discussions at the UN, how these will shape the international scene tomorrow and what implications these will have on our digital society.
Joseph Carson:
I think there's been several attempts. One of the things you talked about is that having the consensus about what does it mean for society? And over the years there's been a couple of discussions around things like the Tallinn manual that was going to attempt to... What does that look like? And then we had discussions around the Geneva Convention for cyberspace, and recently Estonia announced the partnership with several key players on the Tallinn Mechanism. Can you explain? So it's been lots of different versions of the years. What is the Tallinn Mechanism that was announced recently?
Tanel Sepp:
Yes. On 20th of December, we announced Tallinn Mechanism. It was announcement of the launch of Tallinn Mechanism. We had been working on this for some time along with the US, Canada, UK, France, Germany, the Netherlands, Denmark, Sweden, Poland, quite many countries.
Joseph Carson:
And NATO, as I understand, as an observer.
Tanel Sepp:
NATO, and the EU.
Joseph Carson:
And the EU. Okay.
Tanel Sepp:
And one of the key partners I didn't mention yet, that is Ukraine. So what we saw when the war broke out in February of last year in Ukraine was that Ukrainians were then, obviously, in a bit of mess.
So different donors started to get different lists of requirements and we really, sorry, two years ago. I'm mixing up many years with the new year. So with some of the donors, we really sat down and started to figure out how to change the system so that we could, with a much more agility, give the assistance that a country needs. And then we came up with a kind of new coordination, donor coordination mechanism, which did not have the name Tallinn Mechanism at first. I can get back to that afterwards. But the idea was to have kind of a three-tier coordination mechanism. So you would have front office in Kiev that is kind of locally gathering information.
Joseph Carson:
So, it's the feet on the ground, it's the intelligence and the eyes and ears. It's kind of operating locally.
Tanel Sepp:
Exactly. And also coordinating with others. Then you have a back office that is kind of logistics hub and that is the place where you would do them kind of mixing and matching that you would have the requirements coming from Ukraine. You have the opportunities from the donors and the industry, also. Let's not forget the industry here.
Joseph Carson:
Yeah, because industry's pretty much been there from the start. I think, individually, you've had the likes of Microsoft, Cisco all providing services in order to make sure that their digital infrastructure is withstanding all those daily attacks. That's happening all the time and then each country's been doing it individually. So I see this as the first time, because I think it's always important when you're looking at any type of operation that you work together. And, I think, for me, rather than everyone's doing it individually and maybe overlapping resources or duplicating resources, that this is now a more coordinated effort together. To not only support Ukraine in a kind of military defensive side, but in the cyber capabilities, much more stronger going forward.
Tanel Sepp:
Absolutely, and this is how we have seen it from the start, and we can come back to this, but I think the industry's role has really shaped the whole environment where we operate. But just to conclude the whole mechanism with the front and back office, we also have the steering committee where we just, on a high level, we try to solve some issues or look what's in front, but the front office in Kiev, this is manned by Estonian diplomats. So we have already made a lot of effort to make sure that it works well enough that the back office is in Poland, which is also for logistical-
Joseph Carson:
... Logistical reasons.
Tanel Sepp:
It's quite logical. And now we, sorry, we've been also in close contact with organization called CDAC, which is Cyber Defense Assistance Collaborative. And this is kind of this organization that brings in all these big tech companies that have been assisting Ukraine because we really see that we cannot do without them, and we would not want to do it without them. And they, as far as I've understood, they also have been looking for this guidance for what is a priority area now. What are these priority needs that they could also help out with? So we will come in with that information, and we can easily put together different sets of information and also maybe at one point tell the industry that, hey, we see that this is a futile activity right now. Maybe you could turn our attention to something else that is more priority right now because, in the end, we need Ukraine to win the war.
Joseph Carson:
Yeah. It's ability to be more, as you say, agile, move faster, make decisions faster. We have that insights on the ground, quick cooperation, which can really make a difference.
Tanel Sepp:
And I mean, if this kind of cooperation works well, this could be easily a great example also for the future for some other conflicts.
Joseph Carson:
Absolutely. I mean, we've been a bit surprised that I don't think we've seen the full capabilities to date of the cyber side of things because ultimately, I guess, from a conflict side of things it's much more easier and going back to your traditional methods. So I think, still, from cyber it's still a bit unknown into what a true conflict and cyber would look like.
Tanel Sepp:
I mean, my conclusion or lesson in this regard is that we are not in a situation where we would see this cyber Armageddon or cyber-9/11 yet. And what Russians have really shown is that a children's hospital destructed by a missile has a much bigger physical and psychological effect.
Joseph Carson:
Psychological impact on society than it has of your are basically a website you're trying to access going down.
Tanel Sepp:
Exactly.
Joseph Carson:
Yeah, absolutely. Because I think we're still in that situation where we're still living in the real world and the more we see the impact in the real world, the more that damages you from a basically mentally perspective.
Tanel Sepp:
But that doesn't mean that we should undermine the role of cyber. If we think of that 23rd of February, two years ago, the KA-SAT attacks, these are quite scary if you put these into strategic view and how different electricity grids, power plants have been attacked constantly. But the second lesson, for me, is really that Russians have turned the theory into practice of integrating fully cyber into military warfare. So cyber is now a conventional part of any kind of warfare. I'm quite sure that also some other countries that might have some sinister ideas are looking quite close to what's happening.
Joseph Carson:
would you like to achieve in
Tanel Sepp:
ave something to say. I think
Joseph Carson:
Yes, the dependency on the volume has significantly increased.
Tanel Sepp:
So, my big question here is that this is really elevating the expectations from both sides, the industry and the government, and the Ukrainian case is quite black and white. And we're lucky with that, but in the future it will have some other conflicts that would not be so black and white. That means that we need to really talk with the industry and not just with the industry, but we need to also engage the civil society to have this, not the dialogue, but the trialogue between three parties.
Joseph Carson:
I think governments have actually started really realizing this more and more and more. I think Estonia has been doing it for quite a long time, but I've also seen the UK government becoming much more focused on around the public-private partnership. The US as well with CISA, was something that was really never happening prior to that, that they've started becoming more proactive, more sharing and trying to, rather than sharing intelligence quickly so that people can actually do something about it.
Where previously, it was more about one directional information flowing. You get it from private industry would go to the governments. Now, it's actually more cooperation. I think it's more transparent, it's more bi-directional, which makes a massive difference, because then it allows those organizations to really know what they can do much better. This has really changed, I think, more so in recent years. So I think that as we see moving forward, I completely agree that it's the cooperation which is going to be the foundational key to making sure that one is we not only provide a safer internet for people and citizens within countries, but all over the world and countries that may not have those capabilities, it will be able to expand it and share resources so that they can become having a safer internet as well.
Tanel Sepp:
Exactly. I would add one other topic here, which will be a key one for me this year, and that relates to AI. I'm really trying to figure out what should be the role of foreign ministry in all this. I could ask that from ChatGPT.
Joseph Carson:
It's going to tell you what it was two years ago.
Tanel Sepp:
Exactly. But, in all fairness, I mean when I was last summer, I attended the RightsCon conference in San Jose, and that's one of the main conferences for civil society. And it was really interesting for me to hear that, for the civil society organizations, one of the main concerns right now is AI, and I never thought that it's going to be so predominant. And that really opened my eyes. And then I started to think that, okay, if civil society is concerned and rightfully, to a large extent, concerned, then why am I not concerned, and what should be my concern? So I mean, asking that question also from my colleagues all around the world, and I mean mostly, different countries have been thinking internal politics or internal use of AI and how that needs to be regulated. But my main concern right now, as a cyber ambassador, is really about the international cooperation and what are the topics that we need to still address. The EU came up with the first-
Joseph Carson:
... The EU AI Act established.
Tanel Sepp:
Exactly.
Joseph Carson:
Explainability, accountability, responsibility, which is all key parts, I think. And then, of course, we had the UK government, I think jumping a little bit ahead. They wanted to get their announcement out before the EU came into play where our cooperation between the AI guideline best practices, which I think is a good start. I think all of these are great because it really sets a starting point.
Tanel Sepp:
But would that be the only implication on foreign and security policy? I'm not sure. So I'm trying to take another step there further.
Joseph Carson:
hat's something we do predict
Tanel Sepp:
And I mean, one wish I have for this year is that developers of different AI systems would be more considerate. More considerate towards the global partners. Again, in San Jose, it was at the RightsCon conference, somebody, I think it was a diplomat from Nigeria, she was saying that, what are you talking about? Let's start from connectivity. We need still connectivity because without the connections, you can't generate data. Without data, you can't generate AI, so why are you jumping ahead so much? At the same time, I'm hearing more and more also about data colonialists, that is us abusing the data that we mine in these third countries, or our global partner countries, and then using for the development of our AI systems and not really allowing these countries to benefit as well.
Joseph Carson:
That's an interesting perspective that I haven't thought about. Now I've got an idea to do more consideration around it.
Tanel Sepp:
And there are so many other questions that I don't know about yet. And this is frightening me because I want to know about most of the important questions, but these keep popping up and I'll kind of leave you with another AI-related question here, is that if the AI that is developed in this global north, and that is relying mostly on the data on global north, what will be the implications in the global south?
Joseph Carson:
It will be bias and, by nature, that's the problem. Yeah, I think that's the challenge we've had is that since the majority of data has been generated in certain countries for a certain amount of time, that there will be a lot of, let's say retraining, that needs to be done with the algorithms moving forward as new data sets start to get interlinked into it. So I think it's going to be a challenge. So we've seen that in some of the existing models today. So I think, for the audience, we're going to leave that as something on their mind to look into going forward about what their input and what their feedback are. Maybe it might even trigger some of the audiences to do some research in this area that can then report on later in the year. So, Tanel, it's been fantastic having you on the show and really intriguing conversation and great to hear a lot about some of the activities, some of the history and some of the things that you've been doing.
Ultimately, hopefully, this was going to make one of society not just in Estonia, but in the world, a safer place and that other governments will start to make sure that cyber ambassadors become something that every country should establish and should establish to have that cooperation, to have that point of contact. Because today, I don't think every country has a point of contact, who to speak to on that perspective. So for the audience, many thanks for tuning in. I hope this has been educational, enjoyable. Tanel, you've been an awesome guest, and thank you and it's great to see you in person. For the audience, tune in every two weeks for the 401 Access Denied Podcast. We're bringing you latest topics, themes, educational information, and we hope this has been something that has been a valuable lesson and enjoyable for you. Thank you. Take care and stay safe and see you soon.