Estonia has done a stellar job in marketing itself as an e-country, where digital services permeate to every moment of a citizen’s life. At the same time, every book or article ever written on the concept of “cyber war” always includes a reference to Estonia being the first country to ever be targeted by a state-sponsored cyber attack in 2007. We can only be e-Estonia if that “e” is secure.
Estonian e-services have always been developed with security in mind. No system is ever rolled out without certainty that threats have been addressed and risks managed. This includes the ID-card and e-voting. While the security of those systems has been attacked in the international media, there are no risks or threats associated with the system that the authorities are unaware of, thus having been deemed reasonable. No system is ever 100% secure. That is a mathematical certainty. But if the government has gone through a rigorous risk management exercise – which it has – Estonians can be sure that the system is secure beyond reasonable doubt.
“Estonian e-services have always been developed with security in mind. No system is ever rolled out without certainty that threats have been addressed and risks managed. This includes the ID-card and e-voting.”
Cyber attacks, however, remain an ever-increasing threat, especially in a country with a heavy reliance on e-services and a location that provides for a volatile security situation. In addition to the standard three domains of military defence – land, air and sea – analysts started thinking about space as a fourth during the Cold War and cyber as a fifth domain in the 21st century. While no one can be sure whether a war can be waged just in the cyber domain, it is clear that Estonia needs to be certain of its defences there as much as anywhere else.
Whether we call what happened in 2007 cyber warfare or not, it was certainly a wake-up call not only for Estonia, but also for NATO. Estonian computer experts were able to curb the damage done in 2007 rather effectively, but future attacks are likely to be much more concentrated, sustained and professional. Cyber defence capabilities had to be incorporated into the national defensive thinking. Because the lines are thin between what is military action and what is criminal activity, what is a concerted state-driven attack and what a lone hacker testing their abilities, all plans in Estonia include a vast variety of actors – ranging from computer scientists to banks to the armed forces. Only a dedicated effort by all actors is what will guarantee the country’s security.
An important initiative was proposed soon in aftermath of the 2007 events – incorporating Estonia’s wide network of IT-specialists into the defence strategy. Thus the Defence League’s Cyber Defence Unit (CDU) was born. Estonian military defence is built on three pillars – professional armed services, compulsory military service for all young men and the paramilitary Defence League. The Defence League is a voluntary organisation that through exercises and education enhances the readiness of the country to defend itself. The CDU is similar – it brings together IT-specialists and security experts and trains them to be ready to protect the country in case of an attack. In its very essence and most importantly it has created a network of men and women who are capable of protecting the cyber sphere that we all cherish. In a country as small as Estonia a network like that is what could make a difference if the country is ever under attack. Estonia simply cannot afford to have thousands of cyber security specialists on its payroll but through patriotically-minded volunteers the country can be assured of having the necessary capacity to take on even the most professional of attacks.
“Estonia simply cannot afford to have thousands of cyber security specialists on its payroll but through patriotically-minded volunteers the country can be assured of having the necessary capacity to take on even the most professional of attacks.”
NATO commended Estonia’s prowess in the cyber domain. By placing its Cooperative Cyber Defence Centre of Excellence in Tallinn in 2008, Estonia well and truly established itself as a world-leader in cyber defence capabilities. In cooperation with the CDU it hosts annual cyber exercises called Locked Shields, which bring together specialists from across NATO. During the exercises, “blue” teams are charged with defending fictional national systems and “red” teams attempt to attack them. The best defenders win (Poland won this year). Like with any other military domain, experts need these training exercises to test their skills and challenge their capabilities, all in the name of being ready when a real-world attack comes.
Estonia’s strength in the cyber domain is built on the skills of the country’s experts. But that is not what makes the national cyber defence policy extraordinary and keeps fascinating foreigners. It’s the acceptance – both in the highest levels of government and among the general public – that the country needs to pull together to ensure its security. The Cyber Defence Unit is just one example. The bigger picture of various levels of government, the armed forces and the private sector working together to achieve common goals is a model that other countries still need to adopt. As long as those in charge of creating cyber security policy continue to accept that as the minimum standard of cooperation in the field, Estonia will be just fine.