Discover Intelligence & Interview and Subscribe to the Newsletter!
In the modern digital era, the importance of cybersecurity cannot be stressed enough. As recent developments have shown, the security of personal data and trade secrets, the protection of critical information infrastructure, even the integrity of democratic processes as such all depend on the smooth functioning of cybersecurity mechanisms. This especially holds true in the current Covid-19 reality, where increased digital consumption and massive readjustments of ways of life and work through cyber-technologies all multiply the possibilities for major digital assets to be compromised. In popular imagination, however, cybersecurity is still closely connected to the technicalities of the field, the so-called hard cybersecurity, while the soft – i.e. legal, political, socioeconomic, cultural, and ethical – dimensions of it remain yet understudied. To narrow this gap, we have invited to our interview series Lucie Kadlecová, an expert in cybersecurity policy and governance. She is a PhD candidate at Institute of International Studies, Charles University (Czechia) and a senior associate in strategy and threat intelligence for Estonian cybersecurity company CybExer Technologies. Both Czechia and Estonia are well-known hubs of cyber-technological expertise, so Lucie Kadlecová’s experience in academia and industry in both countries can help highlight the key trends in this field from the insider’s perspective. In our interview, we discuss cyber security strategy of the EU, the role of non-state actors and public-private partnerships in cybersecurity governance, the importance of cyber hygiene and gender equality in the field, as well as the prospects for enhanced cooperation between industry and academia in tackling cybersecurity challenges worldwide. On behalf of the Scuola Filosofica Team, our readers, and myself, Roman Kolodii, Lucie: thank you!
#1 Lucie Kadlecová, how would you like to present yourself to the international readers of Scuola Filosofica?
I suppose I could be described as either a professional with an academic background or as an academic with professional experience, depending on the reader’s point of view. By nature, I am more of a professional who likes hands-on experience. That’s why I am deeply grateful for my previous experience working as a trainee for international organizations such as NATO, and helping to build the then-quickly growing Czech National Cyber Security Centre years ago. At the same time, however, I could see a gap between practice and academia in the “soft topics” of cyber security such as international relations and international law in the Czech Republic as well as around Europe. This feeling encouraged me to pursue my PhD, and to start teaching and publishing about these topics in order to contribute to closing this gap. At the same time, academic experience from King’s College London, Charles University in Prague, and Massachusetts Institute of Technology, as well as other interactions in the academic world shaped my way of thinking about cyber security and its “soft” aspects.
#2 What motivated you to get involved in cybersecurity policy and governance? What were key factors that helped you develop your interest in this area?
My passion for this topic has developed gradually. Initially, my interest lied in Eastern European studies and security studies. During my degree at the Department of War Studies at King’s College London, I came across cyber security which, in combination with my previous research interests, was just a small step away from cyber security policy and governance.
What motivated me the most was the novelty of this field. In comparison to sea, land, air and space, cyber space is a bright new man-made domain which was invented only several decades ago, and keeps developing all the time. It is very exciting to witness changes such as the establishment of norms of behaviour and rules of law almost in front of your eyes in real time. For example, take the attribution problem – a few years ago, we did not even dare to point a finger at possible perpetrators of malicious cyber attacks. Today, governments are slowly gaining capabilities together with the courage enough to do so, thereby setting important precedents.
On top of that, studying and working in this field has been a true challenge – a great majority of people still understand cyber security as a purely technical problem omitting “softer” elements. That is a huge mistake. Human behaviour and human decisions are key factors in cyber space. Therefore, when you decide to take this career path, you are challenged by these stereotypes, which are fun to break down with the outcomes of your work.
#3 You are working for Estonian company CybExer Technologies. Could you describe the mission and activities of your company? What is your area of responsibility in the team?
CybExer Technologies is a NATO-awarded cyber security company originally established in Estonia but running business activities across Europe and beyond. We have broad experience in providing and maintaining highly sophisticated IT platforms with a particular focus on cyber ranges and other capability development solutions such as e-learning and risk assessment platforms or strategic exercise platforms. These platforms are the cornerstone of the successful delivery of our various cyber security training and exercises (both technical and strategic) designed for technical experts, ordinary users as well as the highest ranks of strategic leadership. Our customers come from all sectors, including the private sector, government, and defence forces, but also academia and NGOs.
My role in the company is twofold. Firstly, I am a senior associate in the strategy and threat intelligence branch. This means I contribute to the development of our strategic products and services such as strategic decision-making exercises or e-learning and risk assessment courses. Secondly, I serve as the company’s representative for the Czech Republic and neighbouring countries.
#4 Given your expertise in strategy and threat intelligence, how would you evaluate the state of cybersecurity in the EU? What are key threats facing the EU cybersecurity strategies and ways to mitigate them?
This is a highly complex question. Cyber security has been at the top of the EU’s agenda for several years now, and the new cyber security strategy published in December 2020 suggests it will remain so for the foreseeable future. The EU is well aware that in order to remain an important global actor, keeping up with IT and cyber security developments is key.
As for the threats, we can observe certain long-term trends. Our society is more and more dependent on modern technologies and smart solutions. At the same time, various important sectors are becoming increasingly interdependent. Whilst this is great for efficiency, economy and complexity, it also brings new types of dangerous systems vulnerabilities which could be exploited in future malicious campaigns against critical infrastructure. Additionally, these risks will grow with 5G implementation. Last but not least, the geopolitical developments of the past couple of years have showed us that security and trustworthiness of supply chains must be considered as well. The more powerful and complex our infrastructure becomes, the more governments must trust their suppliers of systems components.
It is not an easy task to become ready to mitigate such complex threats in the first place, as the threat landscape changes fast. I can see three important areas of improvement which could enhance the EU’s resilience and readiness in the long term. Firstly, the EU must encourage greater shared situational awareness among member states as well as with its own structures. The key to effective and timely defence against any cyber attacks and malicious campaigns is intelligence shared among the EU and its member states. Secondly, a long-term problem of the EU and member states is lack of IT and cyber security professionals. More emphasis should be put on attracting more students to the industry across Europe while special attention should be paid to young girls. IT and cyber security is traditionally perceived as a male domain, and so women should be encouraged to join the industry, breaking the stereotypes and filling up the shortage of qualified human resources. Finally, the third point is the general lack of cyber security awareness and hygiene in the general public. I have heard the opinion that cyber security is “not someone’s responsibility because he or she is not an IT person” countless times. This is wrong! The majority of cyber attacks are successful because a user makes a mistake, not the system. Therefore, cyber awareness and hygiene should be the responsibility of each of us, and the EU and member states should educate their citizens on the topic. By working hard on these three elements, I believe the EU will strengthen its resilience against any current or potential threat which might emerge from cyber space in the future.
#5 While some countries like China and Russia advocate for a leading role of the state in cyber governance, others, like the US, call for a more extensive inclusion of non-state actors. What do you think would be the future of cybersecurity governance? If the state yields much space to non-state actors in this field, what implications, both positive and negative, can it have?
I strongly believe in the multi-stakeholder, bottom-up approach towards cyber security governance. On the one hand, this is a very challenging model as more stakeholders such as the private sector, academia and the non-governmental sector must be engaged, and their opinions reflected. This means it is more difficult to reach an agreement. On the other hand, this is the only way how to make sure key values such as protection of the rule of law and human rights survive online.
We have recently been witnessing ground-breaking changes in the international political arena of internet governance – the internet is experiencing a demographic shift of the gravity centre from the North and West to the South and East. Emerging economies with a very different political and cultural background in comparison to the currently still predominant pro-Western view are gathering momentum. In order for the multi-stakeholder approach to succeed, the negotiation table on internet governance and cyber diplomacy must be expanded. The key task for cyber negotiators at the moment is to persuade so-called swing states to engage in the debate. The swing states are usually those states whose technical and political cyber capabilities are still in development, and that have not made a clear decision about which of the two camps (state-centric or multi-stakeholder) they will side with. Therefore, I see the future of internet governance not only in the struggle between the two camps, but even more importantly in persuading the undecided states to join one or the other side.
#6 Having gained experience in both academia and the private sector, can you identify some practical gaps in knowledge about cybersecurity that academic research has not yet addressed sufficiently? Conversely, do you see any academic trends or accomplishments in the cybersecurity research that the industry overall ignores?
I do not dare to identify any such gaps because, as mentioned earlier, cyber security is a quickly evolving field and the activities both in practice and academia are constantly undergoing changes.
That said, what I would like to see in the future is a closer cooperation between practice and academia as this relation would be highly beneficial for both. Academia can feed practice with top research. This has been successfully exercised in modern technologies. In the “softer” topics, however, academia’s voice could still be heard louder. A bright exception was, for example, the Tallinn Manual project (despite its various criticism) which was written by group of recognized legal experts, mostly from academia, in order to help governmental experts navigate in international law applied in cyber space. Governments had the opportunity to express their points of view on the Manual’s draft during the Hague Process. I strongly believe it would be very beneficial to see more such projects also on other topics such as cyber diplomacy.
Moreover, academia educates bright young minds which join the ranks of IT experts both in the public and private sectors after graduation. It is thus in the best interests of the private and public sectors to have close contact with academia, bring their experience to students, and also have the latest knowledge of activities in research. Such close cooperation would simply benefit both sides equally.
#7 With the expansion of the private sector into the cybersecurity field, there has been a growing interest in public-private partnerships in this area. Working in a private cybersecurity sector, what opportunities and challenges can you identify when it comes to cybersecurity cooperation between government and private entities?
There are, of course, countless opportunities and several challenges, but I will limit myself to just one of each. For opportunities, the private sector has very strong capacities and capabilities as they need to be ahead of their competition, and it is easier and more flexible for them to invest resources into research and development where needed. Also, private companies can become a leader in a particular area, which can be essential for government with limited resources for development of products and services to a top level.
Nevertheless, the public-private partnership in cyber security also involves certain challenges. One of them is the necessary trust. As a government, you work with highly sensitive or classified data, and so if you want to enter into a public-private partnership you have to have full confidence in your partner to establish a strong, reliable and close cooperation. And by partner, I do not mean just the company itself, but even more crucially its employees and managers. It is exactly their performance, attitude and leadership on which the organization’s trustworthiness is built. In general, trust is a key variable in cyber security partnerships.
#8 You are currently pursuing your PhD at Charles University in Prague; what research question are you investigating? What is the anticipated impact of your dissertation based on its research focus?
I am looking into how the state practice of sovereignty in cyber space changes our traditional understanding of the state sovereignty concept. Lots of research on state sovereignty has already been conducted in relation to authoritarian regimes, most typically China and its Great Firewall. I try to prove however, that state sovereignty is a concept desired and vividly exercised also by democracies. Hence, I study several cases of the pioneers of state sovereignty in cyber space from the transatlantic area. The ultimate goal of my research is to bring more attention to state sovereignty in cyber space as a cornerstone of international relations and international law, and encourage more research on the concept in relation to non-authoritarian regimes.
#9 How can our readers follow you and your organization on social media or elsewhere?
#10 Could you list five words that characterize you?
Persistent, curious, European, open-minded, pragmatic
 Senior Associate, Strategy and Threat Intelligence at CybExer Technologies, Estonia; PhD candidate at Charles University Prague; former visiting researcher at MIT; MA from King’s College London.