Estonia’s prime minister, Kaja Kallas, spoke at ASPI’s Sydney Dialogue about how Russia’s invasion of Ukraine has highlighted the importance of securing democracies against malicious cyber actors. An edited transcript of her speech follows.

Two years ago, I had the opportunity to chair the first-ever official UN Security Council meeting on cybersecurity. Almost everyone there stressed that all states have already agreed that international law, including the UN charter in its entirety, applies in cyberspace. Only two countries did not. Half a year later, one of those countries, Russia, started its full-scale aggression against Ukraine and violated every rule in the book. For years, we heard predictions that the next big war would be a kind of cyber Armageddon. But instead, Russia brought back large-scale conventional war.

A year ago, the world woke up to the images from Bucha, a suburb of Kyiv, where Russian occupiers had brutally tortured and killed civilians before it was liberated by the Ukrainian forces. The extent of Russia’s war crimes, crimes against humanity, and possibly genocide, today repeat the Kremlin’s atrocities from the past. The fact that [Russian President Vladimir] Putin is wanted by the International Criminal Court speaks for itself and shows that no one is immune from responsibility, not even heads of state. During Russia’s war of aggression against Ukraine, much of our focus has been on conventional war, our vocabularies: Javelins, Stingers, Leopards and HIMARS. Rightly so.

The aggressor must be defeated on the battlefield. Ukraine must win, and for this it needs all the military support it can get, and fast. But as I often stress, in addition to conventional war, Russia is also waging a hybrid war. This includes energy war, information war, cyberwar. We must draw lessons from this both for our own support to Ukraine and to take the leap forward in our own defence. Russian aggression is also a reminder that we actively need to enforce a world where rules still apply and where technology works for, not against, democratic societies and human rights.

First, cyber integrated into regular warfare is now established practice. An hour before Russian tanks rolled over Ukraine’s border, Russia took down Viasat satellites. It left the Ukrainian military without the vital communication line for the first few days. There was also a big spillover effect. For example, across Europe it took offline hundreds of thousands of Viasat TV subscribers. In Germany, it took offline more than 11 giga[watts] of wind turbine generation capacity. This is just one example of direct collateral damage from Russian aggression in the rest of Europe. Russia has also targeted digital infrastructure, data centres, wireless masks, in the same way they have targeted energy infrastructure.

And second, having a trustworthy digital society is a strength, not a weakness. Ukraine’s digital backbone has been invaluable to keep the state running and deliver services online even during the war. Many Russian cyberattacks have not been successful. Not because of luck, but because Ukraine has spent years building up cyber resilience with help from Estonia and others. And now they have lessons to teach us. Some government data systems were physically relocated, simulating Estonia’s pioneering ‘data embassy’ concept.

The Ukrainian state app called Diia was offering citizens a one-stop shop for public services already before the full-scale war. Now it allows Ukraine to keep providing services for millions of refugees spread across Europe or trapped under Russian occupation. It has even replaced physical identity documents. Estonia is already working with Ukrainian partners to adopt the app also for our citizens. Ukraine has also shown us how the skilful use of technology helps to keep society going even during a war: taxes paid, public services available, data kept safe and secure.

Third, there’s currently a real sense of impunity in cyberspace. The blurred lines of responsibility and difficult attribution make cyberattacks more attractive as a tool. Russia continues to use the so-called DDoS diplomacy to send political signals and try to create disruptions beyond Ukraine. We are seeing more activities by state-sponsored malicious cyber groups across the world. Nearly every week Estonia experiences major cyberattacks against government and private services. Some of those have been more severe than the 2007 cyberattacks against Estonia. The effects have been minimal, but only because we are well prepared.

And finally, the private sector has transformed its role during this war. Companies like Palo Alto, Amazon Web Services and others have provided much-needed services and security measures for Ukrainians to defend their e-governance. The analysis provided by companies like Microsoft and Mandiant has been crucial. We need to take public–private partnership to a whole new level. But we also need to manage our mutual expectations. For example, when it comes to the spread of disinformation, social media platforms are still not doing enough. To paraphrase Churchill, due to social media a lie gets half around the universe before the truth has a chance to get its pants on. This is a particular concern in smaller markets like Estonia.

The question now is, where do we go from here? First, we must all be prepared that the cyberwar will continue even after the conventional war ends. The security environment has changed, and we must all adapt rapidly. A strategy of deterrence against cyberattacks or disinformation has not been sufficient. Our focus must be increasingly on resilience, giving our institutions and people the skills to cope in a high-risk environment. As a highly digitalised society, we need to make sure that public services remain available and data is kept safe also during aggression and crisis. Last year Estonia nearly doubled its annual cybersecurity budget. This had instant results. All countries and companies must significantly increase their investment in cybersecurity.

When a few years ago hospitals only had to worry about some drug addict coming and stealing their morphine, now their security risks are cyber. If they are cyberattacked, they could be taken down and there could be civilian casualties. We all talk about cooperation, but this is not enough. The cyber threat picture can change fast, so there is a need for swift information exchange. We need a high level of trust between like-minded countries, service providers and intel agencies to share the kind of information that can prevent attacks elsewhere in the future. For example, in the European Union, the Estonian National Cyber Security Centre is by far the most active in sharing cyber threat information with cyber authorities in other member states. The bad guys share information with each other. So must friends.

Second, we must step up our efforts in cyber capacity building. Closing the digital divide must go hand in hand with building up cyber resilience. Estonia has long shared its knowhow. A recent example is helping to set up a new Cyber Competence Centre for Latin America and the Caribbean in the Dominican Republic. We have also been helping countries in Africa, Central Asia and Eastern Europe build more robust cyber defences over many years.

Third, we must do more to send a clear signal that there’s no place for impunity, not in cyberspace, not anywhere else. Becoming better and faster at attribution is one important thing, but we need to look also at the big picture. Russia’s strategic goals are much bigger than Ukraine. It wants to rewrite the world in its own image where might makes right. In the struggle between democracy and autocracy, the digital sphere is not the sideshow but the frontline.

A few weeks ago, Russia tabled a new cyber warfare treaty at the UN. It aims to undermine the obligations for states under existing international law and justify censorship domestically. But existing international law applies in cyberspace in full. One of the risks I see is sleepwalking into negotiating new legally binding international rules with an outright war criminal. We can’t negotiate new international norms where an aggressor feels like the existing ones are not suitable for its goals. Let’s review and be aware of our engagement with Russia in international organisations.

And finally, it is clear that security can no longer happen in silos. Any serious approach to defend liberal democracies will have to go beyond current institutional limitations. We must build connections and set standards with those we can trust, especially as new technologies like artificial intelligence, 5G and quantum computing become realities. The Indo-Pacific region is at the forefront of this conversation. Those in the region who share the same values should be natural partners for European countries.

We must keep widening the circle of like-minded countries. For too long we have been over-reliant on countries who do not share our values and who weaponise our trust. The era of such dependencies has come to a close. We must be able to shape the age of rapid technological development so that it will serve our societies, including fostering ethical AI and building more trustworthy digital ecosystems. Liberal governments cannot do this alone. It needs to be in partnership with businesses and civil society.

And it also involves big tech putting its money where its mouth is to protect democracy—transparency, better algorithms, adequate content moderation also in smaller markets. We are in it for the long haul. Tyrannies like Russia do not want freedom and democracy to prevail. It is a direct threat to dictatorship. That is why they will keep trying to turn technology into a tool of oppression and a means to destabilise free societies. Our job is to help Ukraine win the war, rethink our connections and ensure impunity does not prevail in any sphere, cyberspace included.