In June 2014, NATO took a major step forward in the field of cyber defence, announcing that the defence ministers of member states had agreed to adopt an enhanced NATO cyber defence policy (the previous one was adopted in 2011). The policy improves NATO activity in the critical areas of information sharing, mutual assistance, training and exercises, as well as cooperation with industry. Estonia has played a modest but notable role in the lead-up to this significant development.*
Accession to NATO in 2004 was arguably Estonia’s most important security policy achievement. It was a validation of more than a decade of efforts in civil-military relations, respect for human rights and civil liberties, as well as of its democratic form of governance more broadly. Yet while NATO’s Article 5 (which stipulates that an attack on one NATO member is an attack on all members) is the ultimate assurance, Estonia has been eager to be, and be perceived as, not only a passive and helpless consumer of international security but also an active and contributing producer of it.
Estonia has come to play a leading role in a newer type of capability for NATO
In fact, Estonia has indeed come to be seen as a country that “punches above its weight” in international military affairs. In addition to upholding NATO’s defence spending commitment, investing wisely and participating actively in international operations, Estonia has also come to play a leading role in a newer type of capability for NATO – cyber. Thus far, NATO has often been criticised by experts as not ambitious and capable enough in the field of cyber defence, at least in comparison to its overall status as the most powerful political and military alliance in the world.
As the cyber security expert, Jarno Limnell, has noted, the central barrier to greater cooperation and overall increased cyber capability for NATO has essentially been a certain lack of trust. More powerful allies don’t yet fully trust less capable ones with information and knowledge about their abilities and weaknesses and prefer to have bilateral or smaller-scale multilateral cooperation in the cyber defence domain. However, a variety of recent events and processes, many of which have taken place in Estonia, have put wind into the sails of NATO’s growing activeness in this field.
NATO Cooperative Cyber Defence Centre of Excellence
At the centre of many of these developments is the (CCD COE) based in Tallinn, Estonia. An operationally independent international military organisation, set up in 2008 and funded as well as directed by voluntarily participating states, it focuses on research, development, training and education in both the technical and non-technical aspects of cyber defence. Contrary to the popular belief, the CCD COE is not responsible for NATO’s cyber security. However, its publications, conference and exercises do have a significant effect on NATO’s growing cyber capability.
More than half of all NATO member states, including those allies with the greatest individual cyber capabilities, have now joined. Additionally, it is significant that the centre has also welcomed the first non-NATO member, Austria, into its ranks as a “Contributing Participant” (with slightly different rights and responsibilities).
NATO CCD COE has also hosted annual Cyber Conflict (CyCon) conference in Tallinn, bringing together over 450 experts from around the world to discuss the interconnected technical, legal, policy and strategic dimensions of cyber security, with a focus on the blurry but extremely important concept of “active cyber defence”. Only with this kind of dialogue, collaboration, debate and joint experiences, not only at the political level but also at the expert level, can trust between individuals and nations be developed and deepened.
Perhaps even more significantly, NATO CCD COE also plays a central role in cyber exercises. Called Locked Shields and organised annually, it involves almost 300 experts from 17 NATO and non-NATO states.
It is the biggest multinational exercise of its kind, with participants operating from their home countries to compete but also to learn to work together, share information and more fully grasp the rapid dynamics of cyber crises. These kinds of exercises are critical for creating bonds between specialists of different countries, improving interoperability, internalising the value of information sharing and practicing the intricacies of defending against malicious cyber operations. All of this contributes meaningfully to building trust and strengthening the cyber capabilities of individual states as well as NATO more broadly.
Estonia, for its part, through encouraging the CCD COE as well as through the work of its ministries and agencies, will most likely continue to promote greater trust, information sharing and joint activities in order to strengthen NATO’s role and ability in this crucial field of international security. It has already offered the Estonian Defence Forces’ “cyber range” (practice ground) to NATO for adoption as its official cyber training facility. This is just one of many moves that Estonia has made and will continue to make so that one day NATO will be able to provide the same kind of deterrence and reassurance to allies in the cyber realm as it so effectively does in the more traditional, conventional security domains.
* The original version of this article was published in June 2014. Cover photo is illustrative/courtesy of Estonian Defence Forces.