Ieva Ilves is a cybersecurity expert and diplomat who currently serves as a digital policy advisor to Latvian President Egils Levits. She was the First Lady of Estonia during the presidency of her husband, Toomas Hendrik Ilves, who served until 2016. A native of Latvia, she served as the head of National Cyber Security Policy Coordination for Latvia from 2012 to 2019. In 2019, she ran as a Latvian candidate for the European Parliament. She also served as the representative of the Latvian Ministry of Defense to NATO from 2007-2009.
Content warning: This article contains a mention of suicide.
Can you tell us about your path to becoming an expert on cybersecurity? Was it influenced by Russia’s 2007 cyberattacks on Estonia?
I’m from Latvia, and I have had a long career in international relations. I have a master’s degree in political science, and I have studied a lot of foreign policy. In the 1990s, I started my foreign policy career as a hard security person. I worked with NATO on defense. I worked on the Membership Action Plan for Latvia to join NATO and was responsible for the policy part of this process because the document has both foreign policy and military implications.
Then I shifted into “soft” policy, looking at democracy and human rights. I took a year off for an academic break at Johns Hopkins, and then came back around 2011. By then, new technologies had penetrated society in general. There was this clear feeling that tech required policy regulation. Until then, it was believed that tech would only be driven by services and products. That was still very early, though, when political circles had not yet figured it out.
A famous start-up was created in Latvia at this time called Ask.fm. There were suicidal messages posted after severe bullying. It was an international company so we got questions about this, and the correct response was unclear. The company had terms of services which ensured that they were not liable for the messages, so they didn’t have to respond. Countries reached out at a high level. We had no system to address the code, and people asked, are we doing anything about it? And so the government started to look at this issue. I started to write a cybersecurity strategy in 2012.
It wasn’t really a time when you could take another country’s plan and copy and paste it. So I was really walking and learning at the same time. Coming from that perspective, you start to see that when a society experiences a cyber threat, it’s not clear who handles it. I was really lucky to have a solid Cyber Incident Response Team. Every country has one—it’s like a fireman in the digital world. I had the honor to work with them, which was basically a quick crash course with really smart people who helped me understand what’s going on technologically. Then I translated this to the political level, to ministers, and to the cabinet so they could future out what to do. It was a natural progression, I never studied cybersecurity on purpose.
Afterwards, I took a lot of classes—whatever was available on the market. It was a lot of learning by doing because I initially came from the security field so I have this security-focused mindset. But I also have this history of studying human rights and democracy. These areas merge in my head. I look at technology and its safety from the angle of what it means to be secure, as an individual or as a country, but also what it means to protect your freedoms, your values, and personal prosperity.
In what ways do you think Estonia and Latvia are more prepared now than they were in 2007 to deal with cyberattacks?
Both Latvia and Estonia actually have done a lot. It’s hard to measure how secure you are until something happens. When nothing has happened, you don’t know whether somebody has already penetrated the system and is waiting to use that power. Hackers systematically look for windows or doors, ways to compromise systems, ways to get inside and be invisible. Their goal is to get inside and use that asset when it will have the biggest impact.
This year was a big test because we faced massive attacks for two weeks in Latvia and Estonia. On the surface, very few websites were affected. We have a lot of websites for donations to refugees, and some of those websites crashed or did not work for a day or two. But it was basically very little on the surface. I take it as a high award that nothing has happened because, over these years, we have developed quite effective technological approaches and systems.
What steps do you think still need to be taken to improve cybersecurity in the Baltic States and in the West more broadly?
Challenge number one is the lack of human resources. I don’t know about the U.S., but the EU does not have enough technology or cybersecurity people. It’s not easy to get that education or get people with that education to work in the public sector. So there has to be a lot of creativity in how to engage people who are not working for the government.
Latvia has, for example, the Cyber Defense Unit, which was originally an Estonian idea. This is a voluntary job. For example, people who work at banks as cybersecurity experts can join the unit in their free time. They get state security clearance and get additional training on state systems. When a crisis comes, those people are capable of volunteering and helping. This helps us as a government because we can’t hire many highly paid experts. But in general, there is still a lack of human capital.
We really have to invest in training and building up the next generation, which is capable of being very skillful in cybersecurity. This has many dimensions—it’s not just system administrators or software designers. For example, there are also the legal angles of cybersecurity and many conversations about cybersecurity insurance to explore. There are also ethical questions around Artificial Intelligence. So there are a lot of diverse topics that we need to be thoughtful about.
The human part of cybersecurity doesn’t come about naturally. It needs to be fished out. In September, I had a meeting with people from US-CERT [the United States Computer Emergency Readiness Team], which is part of the Department of Homeland Security. They have the same challenge of how to attract and encourage and motivate people to get into the cybersecurity field. That’s the biggest challenge we all face: human resources.
What would you say to young people who are considering going into the cybersecurity field?
I keep telling young people that I was never trained to be a cyber expert, but that it doesn’t matter because my experience in national security and human rights was actually essential. Sometimes it’s more important that you have some core skills, whether in medicine, law, or something else. This experience adds a human component to the field.
I was actually a mentor last year for girls learning about technology, and I especially encouraged them to acquire digital skills. This mindset where people think they are not talented enough to do anything in the digital domain has to be changed. Take whatever your skill or your interest is and think of it in digital terms because technology is a part of everything today.
The rest of the interview can be found in The Politic, Yale University’s undergraduate journal of politics and culture. It was conducted by Bryson Wiese and Yorktown research assistant Axel de Vernou.