Ieva Ilves is a cybersecurity expert and diplomat who currently serves as a digital policy advisor to Latvian President Egils Levits. She was the First Lady of Estonia during the presidency of her husband, Toomas Hendrik Ilves, who served until 2016. A native of Latvia, she served as the head of National Cyber Security Policy Coordination for Latvia from 2012 to 2019. In 2019, she ran as a Latvian candidate for the European Parliament. She also served as the representative of the Latvian Ministry of Defense to NATO from 2007-2009.
Content warning: This article contains a mention of suicide.
Can you tell us about your path to becoming an expert on cybersecurity? Was it influenced by Russia’s 2007 cyberattacks on Estonia?
I’m from Latvia, and I have had a long career in international relations. I have a master’s degree in political science, and I have studied a lot of foreign policy. In the 1990s, I started my foreign policy career as a hard security person. I worked with NATO on defense. I worked on the Membership Action Plan for Latvia to join NATO and was responsible for the policy part of this process because the document has both foreign policy and military implications.
Then I shifted into “soft” policy, looking at democracy and human rights. I took a year off for an academic break at Johns Hopkins, and then came back around 2011. By then, new technologies had penetrated society in general. There was this clear feeling that tech required policy regulation. Until then, it was believed that tech would only be driven by services and products. That was still very early, though, when political circles had not yet figured it out.
A famous start-up was created in Latvia at this time called Ask.fm. There were suicidal messages posted after severe bullying. It was an international company so we got questions about this, and the correct response was unclear. The company had terms of services which ensured that they were not liable for the messages, so they didn’t have to respond. Countries reached out at a high level. We had no system to address the code, and people asked, are we doing anything about it? And so the government started to look at this issue. I started to write a cybersecurity strategy in 2012.
It wasn’t really a time when you could take another country’s plan and copy and paste it. So I was really walking and learning at the same time. Coming from that perspective, you start to see that when a society experiences a cyber threat, it’s not clear who handles it. I was really lucky to have a solid Cyber Incident Response Team. Every country has one—it’s like a fireman in the digital world. I had the honor to work with them, which was basically a quick crash course with really smart people who helped me understand what’s going on technologically. Then I translated this to the political level, to ministers, and to the cabinet so they could future out what to do. It was a natural progression, I never studied cybersecurity on purpose.
Afterwards, I took a lot of classes—whatever was available on the market. It was a lot of learning by doing because I initially came from the security field so I have this security-focused mindset. But I also have this history of studying human rights and democracy. These areas merge in my head. I look at technology and its safety from the angle of what it means to be secure, as an individual or as a country, but also what it means to protect your freedoms, your values, and personal prosperity.
In what ways do you think Estonia and Latvia are more prepared now than they were in 2007 to deal with cyberattacks?
Both Latvia and Estonia actually have done a lot. It’s hard to measure how secure you are until something happens. When nothing has happened, you don’t know whether somebody has already penetrated the system and is waiting to use that power. Hackers systematically look for windows or doors, ways to compromise systems, ways to get inside and be invisible. Their goal is to get inside and use that asset when it will have the biggest impact.
This year was a big test because we faced massive attacks for two weeks in Latvia and Estonia. On the surface, very few websites were affected. We have a lot of websites for donations to refugees, and some of those websites crashed or did not work for a day or two. But it was basically very little on the surface. I take it as a high award that nothing has happened because, over these years, we have developed quite effective technological approaches and systems.
What steps do you think still need to be taken to improve cybersecurity in the Baltic States and in the West more broadly?
Challenge number one is the lack of human resources. I don’t know about the U.S., but the EU does not have enough technology or cybersecurity people. It’s not easy to get that education or get people with that education to work in the public sector. So there has to be a lot of creativity in how to engage people who are not working for the government.
Latvia has, for example, the Cyber Defense Unit, which was originally an Estonian idea. This is a voluntary job. For example, people who work at banks as cybersecurity experts can join the unit in their free time. They get state security clearance and get additional training on state systems. When a crisis comes, those people are capable of volunteering and helping. This helps us as a government because we can’t hire many highly paid experts. But in general, there is still a lack of human capital.
We really have to invest in training and building up the next generation, which is capable of being very skillful in cybersecurity. This has many dimensions—it’s not just system administrators or software designers. For example, there are also the legal angles of cybersecurity and many conversations about cybersecurity insurance to explore. There are also ethical questions around Artificial Intelligence. So there are a lot of diverse topics that we need to be thoughtful about.
The human part of cybersecurity doesn’t come about naturally. It needs to be fished out. In September, I had a meeting with people from US-CERT [the United States Computer Emergency Readiness Team], which is part of the Department of Homeland Security. They have the same challenge of how to attract and encourage and motivate people to get into the cybersecurity field. That’s the biggest challenge we all face: human resources.
What would you say to young people who are considering going into the cybersecurity field?
I keep telling young people that I was never trained to be a cyber expert, but that it doesn’t matter because my experience in national security and human rights was actually essential. Sometimes it’s more important that you have some core skills, whether in medicine, law, or something else. This experience adds a human component to the field.
I was actually a mentor last year for girls learning about technology, and I especially encouraged them to acquire digital skills. This mindset where people think they are not talented enough to do anything in the digital domain has to be changed. Take whatever your skill or your interest is and think of it in digital terms because technology is a part of everything today.
Many academics and pundits have written about how Russia might be on the brink of using nuclear weapons because of its unfavorable position in Ukraine, though it seems that a cyberattack could be a more likely event. Do you think that this risk is more imminent now that the Russian army is retreating?
You are correct to be skeptical that Russia would use nuclear weapons—there is so little benefit to be gained. Putin is not an entirely rational person, but he wants to stay in power and using nuclear weapons seriously endangers him to the world and even within his own circles of power. If Russia loses its alliance with China or India because of nuclear weapons, they won’t have many other countries to turn to.
Cyberattacks have already happened. I was very worried when the war started because I know that everything that happens in real life is accompanied by digital attacks. Every policy nowadays is supplemented by digital components. The digital realm is often used to attack systems or to manipulate people’s minds, and Russia invaded the digital space as soon as it started the war. But what is interesting is that they actually failed on the information front.
It’s clear that Russia was trying to manipulate all kinds of messaging and tools, but it didn’t work very well. Pro-Ukraine sentiment was much more widespread. Russia also attacked critical infrastructure, both in Ukraine and in other countries, and we learned once more that we could identify them quickly. They are attacking but not succeeding.
In the digital realm, you can never rest because you know that your enemy is constantly looking for new ways to attack. You have to constantly keep up your own capabilities. For Russia to disrupt Ukraine’s access to water and energy, it had to resort to bombing. Russia could not disrupt those critical infrastructures by penetrating SCADA [Supervisory Control and Data Acquisition]. Russia attacked the digital management systems of all critical resources, and they didn’t succeed like they did a few years ago, during the Crimean War. But clearly the Ukrainians have learned a lot and have really improved since then. So I’m rather confident in the current balance of cyber with tangible weapons, but you can never be certain because cyber is something that can change very quickly, so you always have to stay alert.
You mentioned that you’re originally from Latvia, you’ve worked for the Latvian government, and you’ve also served as the First Lady of Estonia. What kind of security cooperation exists among the Baltic States? And has that changed at all since the Ukraine crisis began?
Historically, on security topics, our cooperation has been priceless. Each country has economic and national features that compete in the market where they want their companies to succeed, but security is a domain where we actually are not competing because we know that we have one common principle: fix attention on our border, on the east. And so when we gained independence starting in the early ’90s, you had the formation of these BALBATs—Baltic Battalions. They were in charge of overall coordination, technologies, and military specialization.
When we joined NATO, it became less about the integration of regional forces into specific structures. With war on our border, one big change is that we push the latest NATO summit decisions. NATO has to concretely bring force and forward deployment to its eastern border because it did not exist on a large scale before, it satisfied the bare minimum requirement. This is an ongoing process. That’s where we cooperate.
Obviously, NATO allies are divided. The Americans are covering Poland. We are having Canadians commit to actually bringing in a brigade. Estonia is welcoming UK forces. It’s like a sort of regional cooperation because, in terms of military planning, we’re dealing with one chunk of land that has to be very tightly planned together. I think the war has increased this trend. I’m very curious to see how the Finns and Swedes will integrate because I think it will entirely change the equation. I think we speak very little about this since, of course, our attention is on Ukraine—what we see is so horrifying that it completely captures our focus. But I think that Sweden and Finland joining NATO, which was unimaginable for 60 years, is really going to be a big geopolitical security game changer.
The Baltic Sea will become an inner lake. I believe this will entirely change military defense development back home and it will be very good to see that, because otherwise, we’ll continue to have this stretch of uncertainty.
In the same way that Ukraine has become much more united after this invasion, do you feel like this applies to Baltic countries around the region? Do you have a sense that national unity has acutely increased after the invasion, or has it been a more gradual process?
On a societal level, the support and consolidation has been amazing. We are not the richest countries in Europe. We acknowledge that we are very advanced, especially Estonia in digital terms, but we are not yet at the level of Germany’s income, so people in Latvia and Estonia have given up so much to help refugees. Compared to Western Europe, we will pay an incredible price for cutting off Russia’s gas. We will have gas because we have LNG, but the price of LNG is abnormal. It’s not that society is happy with this, but they can actually stand up and say: ‘Look, I’m okay. I can give up my Christmas holidays. I can pay my bills. I will stand up for Ukraine.’ And it’s amazing.
But the other phenomenon that is quite concerning is that the Baltic States have a large Russian population. And that’s where you’re seeing that nationalism is really accelerating in our nations. These relationships are difficult, very difficult. We just had parliamentary elections in Latvia. And one commentator said, ‘We used to have one Nationalist Party in Latvia, and now all parties are nationalist.’ So basically, it is hard to single them out, because everybody has a nationalist agenda, and it drives quite a wedge into society. So I hope we will not overdo it.
There have been a lot of revisions—a lot of us cutting out the Russian language from public institutions. I can understand it, I’m a more liberal person. My husband is a very liberal person, but even he says: ‘No, I don’t want to see those options.’ I don’t want to sit down in a restaurant and think about how other people next to me are judging me when I speak. People are coming to terms with this. It’s a dangerous trend, but it’s natural. It happens with war, and you can’t escape it.
Do you think Russia will always be a hostile neighbor to the Baltic States? Is there hope for a better relationship? If so, would that look like regime change or a gradual decades-long process?
That’s a very difficult question to answer, but I think the position in the Baltic States is that we are preparing for a long winter and that we are preparing for more than decades since we will have a hostile neighbor. Even if you overthrow Putin, we see that the system and the attitudes don’t change so much and that’s what keeps fueling the logic of this mass of 148 or so million people. It seems that conflict will remain regardless of how the war goes and regardless of who will physically be in power.
Even if you look at [Alexei] Navalny—and we have big fans of him and the awards he won and the amazing speech he delivered—even in some of his public appearances, you sense an imperialistic feeling. When you ask who Crimea belongs to, that immediately kills any conversation. So I think Russia is a problem for its own people. I tend to think that Russia’s solution is to dissolve—it’s too big. There is no national unity. If some of those other nations and nationalities would fall apart, then they could rally around their flag without this imperialistic challenge, because the challenge of imperialism is not only occupying others, but finding out what holds them together, and they haven’t figured it out. And as long as they have that problem, they translate it to being an aggressive neighbor.
But who knows, right? If you look at the history of the Berlin Wall, it seemed like the Soviet Union would exist forever, and then it collapsed. When you read history, through so many Sovietologists, they could not predict that event. The same is true today. But for strategic planning in our countries, we must basically make it clear that this hostile country will always be at our border. And that obviously requires military and defense investments, it also requires economic modification, which is even harder because, besides gas, there’s a lot of business, trade, and corporations at play. This is a crisis moment and we have chosen to shut down and get reoriented. We have cut off our relationship and we have to accept it. Russia will not be a sustainable decades-long partner for anything.
Last month, Yale received a visit from a University of Chicago political scientist named John Mearsheimer, who has argued that the West and NATO are “principally responsible” for Russian aggression because of NATO’s expansion to Eastern Europe. We’re curious what you make of that argument. Should NATO have accepted the Baltic States in 2004? And should it accept new members such as Sweden and Finland?
For both questions, obviously, it’s clear. Independent countries have the right to make and sustain their different decisions. I forgot to mention this, but for a while before the war, Baltic States used to be Russia’s number one enemy, its number one threat. They would do these public opinion polls in Pravda and newspapers and we would constantly be laughing in a bad sense because sometimes it was Estonia on top, and sometimes it was Latvia, and it makes you think how we can be a threat to that country. It’s just a narrative that Russia has successfully exploited, and we have bought into it.
I think Georgia’s war was avoidable given the political map of the time. I was part of NATO’s formation, and that document has no commitment of anybody getting into NATO. I helped write it as a desk officer, and I thought that we would never enter, that it would be an endless wait, but both Latvia and Estonia were invited after 9/11. If you remember the global constellation at the time, NATO was basically a program that let us, together with our allies, rebuild our defense system without the promise that we were ever going to be in a formal alliance.
But, as we know, big tectonic shifts happen in global politics, and the moment sometimes presents an opportunity, and 9/11 was exactly that moment where we decided: Okay, we need more allies to fight terrorists. I don’t know how and when or if ever Georgia will be able to join, but when you look at the war in Georgia, NATO would not meet at the time because everybody bought Russia’s narrative. NATO basically gave them a green card too late. They were wholly focused on terrorism, and I think that you can’t really ever be done with terrorists. Now, that argument doesn’t stand any chance with Ukraine because before, Russia had reasonable queries—they were ambitious like everybody else, and they were more or less reasonable. After what we saw in Ukraine, we can’t come to this same interpretation.
To close, why should the Yale community and the U.S. in general be interested in what’s happening in Estonia, Latvia, and on the other side of the Atlantic?
It goes back to what my husband said about elections: We told you so. But if you unwrap this idea a little, it comes down to expertise. Unfortunately, we are experts in what happens in Eastern Europe. What do I mean by that? We would love to live in a country that does not share borders with crazy leaders—we have Lukashenko on one side and Russia on another.
I think you should frame your mindset and your willingness to cooperate by looking at these countries and seeing that they are not whining. They are the true experts in the field. Come over, invite us, or learn from the ground because these interactions convey reality even if, in the digital age, distance is not always relevant. This is the case with Russia. The same techniques that Russia uses on the ground have been and will be used to interfere in elections and to exploit soft power mechanisms abroad—from the U.S. to France and Sarkozy’s elections. It comes down to treating the Baltics as an extended branch of knowledge and expertise that is good and important and valuable. Of course, we might use more emotion than others, which is also natural, but I think that expertise is very important.
That’s the reason why we were not surprised. The war did not surprise us and the war did not catch us unprepared. Since we became technologically strong in the 90s, we have that type of relationship, that expertise—not that we are super happy about it—but you should use that expertise to get your countries more prepared in advance. What makes our resilience is our awareness of what our adversaries and partners are doing.