Cybersecurity is now a pillar of national and international security.
Table of contents (4 segments)
Segment 1 (00:00 - 05:00)
Hello and welcome back to another episode in the Rethinking Cyber podcast series with me, Rebecca McLaughlin-Easton. Today, my special guest is the former president of the Republic of Croatia, Her Excellency Kolinda Grabar-Kitarović. During her presidency, she championed digitalization, gender equality, and reform of the education system. And while serving as the first woman assistant secretary general of NATO, Her Excellency led the transformation of NATO's public diplomacy division at a time of austerity and rising public skepticism. Here's my conversation with her about cyber resilience and lessons from diplomacy and capacity building in cyberspace.

Madam President, it's wonderful to speak to you. Thank you for joining me from Washington today.

Thank you. Thank you for your invitation and it's a pleasure to speak to you today.

From your experience in diplomacy and international relations, what key steps can governments and global organizations take to strengthen collective cyber resilience?

I remember when I arrived at NATO as assistant secretary general for public diplomacy, that was back in 2011. Cyber security and cyber threats, yes, they were a thing at the time, but as someone in charge of strategic communications, basically coming down to explaining what security means and why security matters and why NATO matters in that context, I was mostly focused on the cyber aspect as you know, using Web 2.0 and transferring from published communications to social media etc. And cyber at the time, cyber threats were discussed, but with the development in the recent years throughout my presidency, cyber security has obviously developed as something that goes well beyond the technological domain. And it has become a geopolitical, economic, and societal one. So, cyber security today has really become a pillar of national and international security and the only effective response is a multi-stakeholder and multi-national response. As cyber threats know no borders.
Meanwhile, NATO has defined cyber as one of the main of operations alongside the air, water, land, and space. And ultimately, cyberspace has become not just a huge area of opportunities for us, but dangers. So, since it's a shared threat like climate or pandemics, it means it requires shared solutions. And our defense must be collective. First, prevention, obviously building strong foundations before crisis hits. That goes through basic hygiene, education, and digital literacy because citizens are actually the first line of defense. The second pillar, resilience, it means to prepare not only to defend, but to recover. You must always assume that no matter how much effort, human resources, and money you've put into prevention, breaches will happen. So, this resilience needs to be built on redundancy by creating redundant channels of protection, of raising awareness, and acting together. But also transparency, crisis protocols like we've seen for instance in NATO experience or the EU directives, regular stress testing, regular exercising, etc. The third pillar is engagement and that is basically using diplomacy and diplomatic tools to prevent escalation or perhaps prevent incidents from happening at all and later in the stages of reconciliation and rebuilding, diplomacy comes in as a very important element. Then there are information sharing and political hotlines, crisis communication channels, the so-called red telephone lines that can be picked up even when other communication is not existent. Cross-border exercises, so multi-national exercises. What I'm most afraid of always is somebody misjudging the situation or making a mistake that would lead to an escalation. So, diplomatic measures can prevent that from happening. And the fourth and final pillar, partnership. Because governments cannot do this
Segment 2 (05:00 - 10:00)
alone. We need multiple partnerships that actually multiply and reinforce each other. For instance, we need public-private action and partnerships because 80 to 90% of infrastructure and critical networks are privately owned.

You mentioned both the shared threats and the shared opportunities. You also touched upon cross-border exercises and collaboration. What has history taught us about successful international partnerships?

So, why international collaboration matters. First of all, no single country has the full picture. Attackers probe networks globally and one anomaly detected in one state may be the early warning for another. And without information sharing, every country fights blind when they're not aware of that information or when sometimes they're not even aware that they're under attack. So, when I was president of Croatia, you know, our cyber security networks were still being developed and we would often get information from other countries, do you know that currently you're under a cyber attack? Sometimes they're visible because the networks go down, but sometimes they are invisible. And we very much appreciated that information from other countries. Information sharing, it obviously builds trust, but it helps you react and recover quickly. And information sharing is one of the basic elements of international action. And then secondly, the weakest link determines the strength of the whole system. When you talk inside communities or inside companies and also regionally or internationally. So, inside a company, a single unsecured port or outdated protocol or person not sticking to those protocols can undermine the security of the whole company and it can happen on regional levels as well. And I think that here the NATO practice and the EU practice are an excellent example.
NATO has the 360-degree lens of threat perception and cyber cells are integrated into defense networks, there are cyber rapid reaction teams that can help countries who are not able to respond quickly that can be deployed within 24 hours. It has a cyber defense center of excellence in Tallinn, which does a lot of research and information and experience sharing. And joint cyber exercises are a very important aspect of experiential learning. Whereas the EU is focusing on the civilian standard building and good practice building among EU nations, but also trying to move those standards on the regional and global levels as well. And the third aspect is when crisis hits, trust must already exist. You need to be able to trust the parties who are communicating to you about your own breaches, but also reporting about what's happening in their domain, what the potential ways forward could be, etc. And certainly diplomatic cooperation builds that habit of transparency. And if there is one lesson that I've learned from diplomacy is that building trust like building consensus, it's never easy, but it's always worth it.

Going into a bit more depth, how can lessons from post-conflict recovery and regional security efforts inform proactive strategies towards a safer cyberspace?

I have a lot of experience in post-conflict recovery and regional security efforts throughout my career starting out as a young civil servant and career diplomat in the early 90s during the war in Croatia, then in Bosnia and Herzegovina and regionally. So, throughout the peace efforts and all of the peace agreements and one of the lessons learned that stands out in particular is the peaceful reintegration of the occupied region of Eastern Slavonia in Croatia in 1998. The process that led to it was very complicated. It was a very difficult process because we learned that rebuilding infrastructure is a lot easier than rebuilding trust. But if you want to reintegrate a region that was hostile to you
Segment 3 (10:00 - 15:00)
peacefully, you need to make compromises, but most importantly, you do need to build that trust. Trust in the future, trust in institutions. So, it's not just about military reintegration. It's about having the population, having everybody on board. So, throughout the years preceding the reintegration, we were not just taking different legal steps, but people who were working on this process from Croatia would go to the occupied regions, and they would literally bring food and chocolate to children and everybody else to establish those human connections, the network to let people know that we're here to rebuild, to reintegrate. And the best approach in all of it is always to remove the root causes of the conflict. Then you really work on prevention and resolution at the same time, because when you're resolving one conflict, you have to look into the future and create the conditions that prevent another from happening. And I would say that there are three key lessons from post-conflict and regional security that apply directly to cyberspace. First, early action always costs less than late response. Unfortunately, in the case of Croatia, since there was so much hesitation when it came to our independence and our fight for freedom, it did not happen. But, prevention is so much cheaper than recovery in war and in cyberspace. And we literally would have measured that through the number of people who unfortunately throughout the war, the cost of reconstruction, the number of refugees, displaced persons, and all of that. But, if you're able to contain a crisis, like if it had been contained in Croatia, I don't think that the wars in Bosnia and Herzegovina, etc. would have happened. It was not the case. So, the conflict spread, and the same goes also in cyberspace. If a breach is contained early, it is a crisis that is avoided. Second, transparency and communication reduce panic and prevent escalation.
Certainly, when you look at the war in Ukraine, state of world affairs, one of the predominant aspects is misinformation and political and information vacuums that are being filled by third parties or adversaries. And the third point that again I cannot emphasize enough is that reconciliation is as important as reconstruction. Post-war peacekeeping requires confidence-building measures. And cyber diplomacy is often crisis prevention, not postmortem analysis. But, throughout that process, still through looking at what went wrong, a lot can be learned into defining red lines and consequences for those who breach cybersecurity. And again, having cyber hotlines and other channels of communication to reduce miscalculation. And just a final lesson from the regional security experience in the so-called Western Balkans or Croatia's neighborhood is that fragmentation is always dangerous, but unity is stabilizing. And ever since the end of the war, since we've been able to work on the resolution of open issues and rebuilding cooperation, shared intelligence and interoperability, and regional trust-building, it actually replaced the zero-sum thinking that we had earlier that a gain for one country is immediately a loss for another or vice versa.

With cybersecurity skills in such short supply, how can public and private sectors work closely together to build the capacity needed for the resilient future that you speak of?

First of all, inclusion. We need more people from more backgrounds. It's not just women and those who are socioeconomically disadvantaged. It's also those who are disinterested in cybersecurity and cyber in general. But, I do believe that we need to focus on digital skills from early education. From preschools and kindergarten throughout
Segment 4 (15:00 - 17:00)
the whole school system to have educated, resilient, and vigilant citizens. And in all of that, for me as a mother and as someone who's been working in international relations, the protection of children not just from actual harm that happens with child abuse, etc., but also looking at safe spaces for mental well-being is exceptionally important to prevent the new forms of bullying and issues in society such as cyberbullying, etc. We need to use AI-supported cybersecurity. We need to look into regulating the artificial intelligence so that it doesn't get out of hand. So, in all of that, we need partnerships with universities, with technical schools, and with industry. And of course, the third element, investment. Investment not just into infrastructure, but really into people. We need to treat cyber talent as strategic infrastructure, where the sectors meet and where we have the multiplier effect is merging the efforts from the government to the private sector to academia and the civil society, because the private sector often innovates first. Governments invest and scale. The academia or academic sector sustains that pipeline, and the NGO sector multiplies all of these effects. So, together we can create that resilience that we need for the future.

And there we sadly have to leave our conversation. President Kolinda Grabar-Kitarović, it's been fascinating to speak with you today. Thank you for your time.

Thank you, Rebecca. It was a pleasure to talk to you, and I hope to see you again soon.

I hope you enjoyed that episode in the Rethinking Cyber podcast series. For more like it, just head to Apple, Spotify, and YouTube. And you can follow the Global Cybersecurity Forum, GCF, for updates. Until next time, take care and goodbye.