Estonia’s experience in handling the cyber attacks of 2007 has positioned the country as a thought leader in cyber security. This article outlines the major lessons learned from these serious instances of ultra-modern warfare, as told by Lauri Almann, the permanent undersecretary of the Estonian defence ministry at the time of the attacks.*
A cyber attack on a country might seem like something out of a science fiction movie. But a perfect storm of political controversy and successful psychological warfare made it a reality in Estonia in 2007, when the relocation of a Soviet World War II memorial sparked unprecedented riots in the country’s capital, later dubbed the Bronze Night.
The removal sparked protests among the local Russian-speaking minority, who saw the statue as a symbol of their contribution in World War II. These demonstrations escalated into violent riots, looting, and clashes with the police, leaving one person dead and over 150 arrested. The event also led to a cyberattack on Estonia’s government and financial institutions, believed to have originated from Russia.
A group of senior state officials, including several ministers and police chiefs, watched the events unfold from a secure location near the centre of Tallinn. “It was the second day of the riots and the disturbances had begun to subside when the government’s press officer, Martin Jaško, suddenly entered the situation room to report that he was unable to upload press releases to the government’s web portal. We were about to write it off as a minor hiccup,” recalls Lauri Almann.
In fact, the cyber attack had already begun, with the first targets being various government websites and the homepage of the Reform Party, which led the government coalition at the time.
Lesson one: have the mental readiness to accept the possibility of a cyber attack
“Estonia was extremely lucky,” says Almann. Not long before, the Estonian intelligence services had informed the government about the possibility of cyber attacks. This was in connection with the risks associated with online voting. This provided the necessary mental preparedness to recognise the possibility of being attacked.
“The fact that all the leaders were aware of the reality of such attacks saved us a lot of time that could otherwise have been spent on overturning existing beliefs about cyber warfare,” Almann argues.
Lesson two: cooperate with the private sector and think outside the box
While the attacks on government portals were more symbolic than attempts to disrupt the normal functioning of the state, the next phase was yet to come. As major online news portals began to fall victim to the attack, the threat became more apparent.
But the most serious moment came when Swedbank, the country’s leading bank, suddenly became a target. “Targeting a major financial institution had the real potential to cause widespread civil unrest. With people unable to access their bank accounts, the ensuing bank run could have brought the country to its knees and created the devastation the attackers wanted,” says Almann.
It would have been difficult to link the attacks together and deal with them as a whole had it not been for the cooperation agreement that the state had recently signed with some of Estonia’s largest private companies (the agreement was initiated by the current director of the Estonian Information Systems Authority, Jaan Priisalu, who at the time was head of IT security at Swedbank).
The attack was eventually mitigated by temporarily disabling the top-level domain for Estonia (.ee). “It was effectively an Internet kill switch for the country, nothing that a private sector company could have done on its own,” says Almann, who believes that public-private sector cooperation helped deflect the attack in a matter of hours, not days or even weeks.
Lesson three: be public about the issues
According to Almann, there were moments during the process of dealing with the attacks when things could have turned out differently. Going public with the attacks turned out to be the right thing for Estonia in many ways.
First, it saved the government from having to come up with fake explanations of what was going on and allowed it to be more efficient in containing the attacks.
Second, it became the foundation of Estonia’s e-services boom by creating the necessary trust between the state and its citizens.
Third, while it appeared to be a serious blow to the country’s reputation as an e-tiger, it actually launched a new episode in Estonia’s success story by positioning the country as a thought leader in cybersecurity.
Today, Estonia is home to NATO’s Cooperative Cyber Defence Centre of Excellence and the EU’s agency for large-scale IT systems. “The reason we are being heard today on cybersecurity issues is that we have decided to be open and public about our own affairs,” Almann believes. In today’s world, where little can be kept secret, this seems to be the only way forward.
* This is a lightly edited version of the article first published by e-estonia.com. The article was originally published on 22 October 2013 and lightly amended on 17 September 2024.
