Ten years after experiencing debilitating cyber attacks from Russia, Estonia is more wired than ever. This small northern European country on the Baltic Sea is pioneering innovative e-governance methods and has declared access to the internet a human right. Estonia was the first nation in history to offer internet voting in a nationwide election in 2005. Nearly every citizen has an ID card, which provides digital access to all of Estonia’s e-services, making daily tasks like banking or business operations, signing documents, or obtaining a digital medical prescription faster and more convenient. Recently, Wired magazine named Estonia the most advanced digital society in the world.
But 10 years ago, this fearless innovation culture made the country uniquely vulnerable to equally innovative acts of warfare. This attack was one of the first, and at that time rare, cases of large-scale cyber-terrorism by one sovereign nation against another. Estonia’s experience left the international community and Estonia itself with many lessons learned. The most important of those was the fact that although Estonia is a member of NATO, its defense policies—and particularly its Article 5—were ill-equipped to effectively address, deter, or retaliate in cases of cyber-warfare. Now that Russian hacking, online disinformation efforts, and robotrolling are making headlines again, it is important to revisit Estonia’s experience and re-examine the lessons learned from this incident.
Ms. Helen Popp is Council for Cyber at the Estonian Embassy in the United States. She has previously served as Cyber Coordinator at the Estonian Ministry of Foreign Affairs, coordinating cyber policy planning, and contributing actively to the design of cyber security policies within international organizations. We spoke with Ms. Popp about Estonia’s e-society, e-governance, and cyber-security post-2007 cyber attacks.
Q. Do you think that cyber threats were taken more seriously by Estonia than by some other NATO countries before 2007?
A. By 2007, we had already moved so much of our life online—on both the government and business sides—that we had to consider and prepare for possible attacks. Most other NATO countries at the time did not yet share such levels of digital penetration (Estonia had a significant portion of services offered online by both public and private sector entities, with high participation by the population), but they did realize the potential threats. For Estonia, cyber security in early 2007 and all the more since 2007 has been something that is demonstrably needed to defend our e-lifestyle. That cyber defense is an integral part of our defense systems and planning is a logical continuation of that.
Q. What changes were made to prevent a large-scale cyberattack from happening in Estonia after the 2007 DDoS attacks?
A. The 2007 experience indicated that large-scale cyber attacks are not entirely preventable, as they’re about taking advantage of the fundamental way the internet is designed to function (deliver bits and bytes from any point to any other without delay or discrimination), and we are all interested in retaining that fundamental functionality due to its role as an enabler for our convenient modern lifestyle. What the DDoS attacks did signify was a realization of the impact of cyber disruptions to the society and economy—if your website is suddenly inaccessible to the public, how do you deliver your service to your customer? This understanding of the impact caused by cyber became the focus of the changes—how to improve resilience and ensure efficient response.
Possibly the two most important lessons of the 2007 cyber attacks were that the existing technical, legal, and organizational measures were in fact suited to address an incident like that, and that cooperation—on the national level, among government and private sector, as well as with international partners—is key to determine the effectiveness of response. Of course, neither the existing frameworks nor the cooperation was perfect. But they were there, and cooperation was remarkably efficient. The 2007 attacks created awareness for both the strengths and the deficiencies in our systems, and we began work to improve them, following a whole-of-government and whole-of-society approach that had proved itself appropriate throughout the response to the DDoS attacks.
Our first cyber security strategy (2008) set up the main structure and responsibilities of different actors. We updated our penal law and extended a risk management system to ensure continuity of our vital services in the face of cyber threats. We improved our technical capabilities. We are working on fully integrating cyber security and defense into the national crisis management structure.
For improving our cyber security posture, public-private partnership has been an underlying principle as we understood how interdependent both were (and still are). The natural public-private cooperation exercised in facing the 2007 attacks led, for example, to the institutionalizing of such cooperation by creating a Cyber Defense Unit under our voluntary national defense organization, and the Defense League, the latter being part of Estonia’s national defense structure next to the regular Defense Forces. The Cyber Defense Unit unites cyber experts from the public and private sectors that form a network of trust and train together, and whose expertise can be used to support government agencies in crisis situations and, if necessary, in conflict under military command. Membership in the Cyber Defense Unit is voluntary; the unit is comprised of experts across the board—not just technical but also other fields of expertise. It is a great facility for us to test different ideas and solutions (adhocracy point); most importantly, however, in times of crises to make sure we can engage support from the best assets to counter any attacks.
Also, in 2008, the NATO Cooperative Cyber Defense Centre of Excellence was established in Estonia, which has grown from the original seven to 19, soon 20 NATO allies and partner countries, and has made a significant contribution to, for example, the understanding of international law governing cyber operations of states. The Centre’s cyber defense exercise, Locked Shields, has grown to be the largest international technical live-fire cyber defense exercise. That and the Baltic Ghost exercise, as well as NATO’s annual cyber defense exercise Cyber Coalition, are supported by the Centre of Excellence and are run using the facilities of the National Cyber Range of the Estonian Defense Forces.
All in all, Estonia has not only improved its own cyber defense posture, but it also is supporting the strengthening of NATO Allies’ capabilities in this area as well.
Q. What role does NATO play in Estonia’s cyber defense?
A. NATO’s priority is to defend its own information systems; therefore, the direct role is small. NATO does have a mechanism to assist Allies facing cyber attacks (Rapid Reaction Team), but the general approach is that cyber defense is a national responsibility. Of course, in case a cyber attack is so serious that it amounts to an “armed attack,” Article 5 becomes applicable.
Q. How important was the act of expanding NATO’s Article 5 to cyber space?
A. This was an important political step both for the Allies themselves (i.e., should such a devastating cyber attack occur, this discussion has already taken place and in deciding how to respond, the question of whether Article 5 applies or not won’t arise and thereby saves critical response time) as well as for non-NATO States from the deterrence perspective. From a legal perspective, Article 5 covered cyber even before the Wales declaration was adopted—for individual and collective self-defense, what matters are the consequences, not the means by which they are brought about.
Q. Where do you see cyber threats/attacks as fitting into "hybrid threats"/disinformation more broadly?
A. In many ways, the 2007 cyber attacks can be described as a hybrid activity: it was an asymmetrical attack against a government and society by non-state actors with no direct attribution to a state and with an apparent aim to influence decision making and generally sow discord among the society. The use of cyber attacks as a tool of hybrid “warfare” has of course substantially evolved and refined since then. We have plentiful examples from the last year alone on how cyber attacks appear to have been used as a Clausewitzian “continuation of politics by other means” while remaining below the thresholds of international responsibility, whether by interfering with the political processes of some states by means of disclosing stolen information and manipulating it for propaganda purposes, or by disrupting critical infrastructure of other countries to cause fear and uncertainty among the population about the government’s capability to ensure security and order in its territory. The boundaries of this hybrid playground are drawn by the geopolitical interests and opportunities, cyber operational capabilities, and national doctrine of the states engaging in hybrid activities—and by the responses, or lack thereof, of states that become targets of such activities. In this regard, it is vital to be sure that states stop viewing such hybrid/influence operations in isolation as low-impact cyber events that ignite little or no response from the affected state. Which brings us back to the starting point of the lessons from Estonia 2007—cyber, or a cyber attack, is nothing significant in isolation. Cyber is a modern-time enabler for certain impact—whether for societal and economic prosperity, or for imposing one state’s geopolitical agenda over the other’s.
*Maia Otarashvili is Research Fellow and Program Manager of the Eurasia Program at the Foreign Policy Research Institute in Philadelphia. She holds an MA in Globalization, Development, and Transitions from the University of Westminster in London, UK. Her current research is focused on the post-communist countries of the Eurasia region, including the Black Sea and Caucasus states.