Estonia’s experience in handling the cyber attacks of 2007 has positioned the country as a thought leader in cyber security. This article outlines the major lessons learned from these serious instances of ultra-modern warfare, as told by Lauri Almann, the Permanent Undersecretary of the Ministry of Defence at the time of the attacks.
A cyber attack against a country seems like something out of a science fiction movie. However, a perfect storm of political controversy and successful psychological warfare turned this into a reality in Estonia, when in 2007 the relocation of a Soviet World War II memorial started an unprecedented unrest in the country’s capital that has later been labelled the Bronze Night.
A group of high state officials, including several ministers and police chiefs, were watching the events unfold in a secure location near the centre of Tallinn. “It was on the second day of the unrest and the riots had begun to settle when the government’s press officer Martin Jaško suddenly stepped into the situation room to report that he was unable to upload press releases to the government’s web portal. We were about to dismiss it as a trivial hiccup,” recalls Lauri Almann.
In fact, the cyber attack had begun, with the first targets being different government web pages as well as the homepage of the Reform Party that led the coalition at the time.
Lesson 1: Have the mental readiness to accept the possibility of a cyber attack
“Estonia was extremely lucky,” Almann says. Namely, not long before the Estonian intelligence services had briefed the government on the possibility of cyber attacks. This had been in the context of risks related to electronic voting. However, this provided the mental readiness that was necessary to recognise the possibility of being under attack.
“The fact that all the leaders were aware of the reality of such attacks saved us a lot of time that otherwise could have been spent on turning around existing convictions about cyber warfare,” Almann argues.
Lesson 2: Cooperate with the private sector and think outside the box
While the attacks on government portals were of a symbolic meaning rather than attempts to hurt the normal functioning of the state, the next phase was still to come. With major online news portals beginning to get hit by the attack, the threat became more evident.
However, the gravest moment arrived when Swedbank, the leading bank in the country, suddenly became the target. “Targeting an important financial institution had real potential for creating widespread civil unrest. With people unable to get to their bank accounts, the ensuing bank run could have brought the country to its knees and created the havoc that the attackers wished for,” Almann explains.
It would have been quite difficult to tie the attacks together and tackle them as one, would it not have been for the cooperation agreement that the state had recently signed with some of the biggest private sector enterprises in Estonia. (The agreement was initiated by the current director of the Estonian Information System’s Authority Jaan Priisalu, who was chief of Swedbank’s IT security at the time.)
The attack was eventually mitigated by disabling the top domain for Estonia (.ee) temporarily. “It was effectively an internet kill switch for the country, so nothing that a private sector company would have been able to do on their own,” says Almann, who believes that the cooperation between the public and private sector helped to defy the attack in a matter of hours, not in days or even weeks.
Lesson 3: Be public about the issues
According to Almann, there were moments during the process of handling the attacks when things could have taken a different turn. Going public with the attacks turned out to be the right thing for Estonia in a number of ways.
Firstly, it saved the government from having to come up with mock explanations about what was going on and allowed it to be more efficient in mitigating the attacks.
Secondly, it became the foundation of Estonia’s e-service boom by creating the basis of trust that is necessary between the state and its citizens.
Thirdly, while it seemed to be a severe blow to the country’s reputation as an e-tiger, it actually launched a new episode in Estonia’s success story by positioning the country as a thought leader in cyber security.
Today, Estonia is home to the NATO Cooperative Cyber Defence Centre of Excellence as well as the EU agency for large-scale IT systems. “The reason why we are being heard today on the matters of cyber security is that we decided to be open and public about our own matters,” Almann believes. In today’s world, where little remains secret, this looks like the only way forward.