Exploring Policy Conditions for Cyber Deterrence: An Estonia Case Study
Table of Contents
This paper seeks to study the policy conditions for successful application of deterrence in cyberspace. The traditional concepts of deterrence are difficult to apply to cyberspace, yet as cyber becomes increasingly more prominent a domain, an understanding of the applicability of these concepts is crucial. Classical deterrence has always been closely associated with a Cold War-era nuclear context, and its translation to cyberspace will require a broader approach. With its experience of a large-scale cyberattack in 2007, Estonia provides a positive case study for such a holistic conception of deterrence, at both strategic and domestic levels. I will analyze how Estonia has managed to implement a deterrence framework through denial, multilateral cooperation and promotion of international norms, and increasing societal strength and resilience among its population.
There is little disagreement that the proliferation of technology and the internet has dramatically altered conventional concepts of defense. Within the last decade the world has seen a 1052% growth in internet usage (Miniwatts Marketing Group 2018), and countries around the globe continue to pursue further digitization and integration of the Internet of Things (IoT). While this has brought undeniable efficiency and progress, dependence on cyberspace for economic and critical services has only increased. This creates a security conundrum, at a time when malicious activity in cyberspace by state and non-state actors seems ever so prevalent. Cyberspace as a fifth dimension of warfare (The Economist 2010) is not only relatively new, but also relatively unknown. More crucially, it is not yet well understood. Some countries have already begun attempts to secure their own cyberspace and prepare for conflict within it. For example, the United States (US) has designated cyber as an operational domain (Alexander 2011), and is revamping its Cyber Command to strengthen America’s ability to conduct defensive and offensive cyber operations (Associated Press 2017). However, not all countries are equally well equipped to navigate the perils and uncertainties that are characteristic of cyberspace. There are problems associated with attribution, qualifications of the “use of force”, and proportionality of response that the international community continues to grapple with. Compounding these problems is the difficulty of translating traditional concepts of defense, especially that of deterrence, to cyberspace.
Despite the lack of understanding and consensus on strategies for deterring potential aggressors in cyberspace, I believe it is through Estonia’s experience that instructive lessons can be drawn. In 2007, Estonia suffered a large-scale cyberattack as part of domestic incident related to the relocation of a Soviet war memorial known as the Bronze Soldier. Since then, Estonia has become a household name for cybersecurity and digital expertise. On a strategic level, it has moved to increase multilateral cooperation among allied nations, spearheaded the North Atlantic Treaty Organization’s (NATO) efforts in the cyber realm, hosted NATO facilities like the Cooperative Cyber Defense Centre of Excellence (CCDCOE) and the Cyber Security Range, coordinated international cyber exercises, and signed multiple Cyber Cooperation Agreements with partner states. On a domestic level, it has moved to strengthen its societal will, psychological resilience, and political credibility in the face of potential attackers.
The way in which Estonia responded to the attack, and the subsequent strategic and domestic policies implemented by the government, serve as an example to demonstrate how deterrence in cyberspace can encompass more than its conventional meaning and methods. In particular, they illustrate the possibility of deterrence through denial, multilateral cooperation and promotion of international norms, and increasing societal strength and resilience among one’s population.
That is the overarching argument of the paper – that a broader conception of deterrence is needed, one that adopts differentiated approaches that include a range of political, diplomatic, social, educational and technological responses. The first part of this paper will look at deterrence in cyberspace more broadly – what does deterrence mean, the problems cyberspace creates, and the alternative forms of deterrence available. The second part of the paper will be a historical account of the 2007 cyberattacks, and a brief analysis of the Estonian context. Having gone through the types of deterrence available, the third part of the paper will look at the strategic level policies that Estonia has enacted in line with its deterrence strategy. The fourth part of the paper will similarly look at the domestic level policies implemented by Estonia. The fifth part of the paper will then identify and review the challenges facing Estonia’s deterrence strategy moving forward, followed by a conclusion.
Cyberattacks happen every day. In a 2016 report commissioned by the US Government Accountability Office (GAO), a survey of 24 federal agencies found that the number of cyberattacks climbed 1,300% between 2006 and 2015, from 5,500 to more than 77,000 a year (United States Government Accountability Office 2016). It is only set to increase, but against such a backdrop, it is necessary to understand what the term cyberattack refers to. There is a myriad of ways an attacker can intrude into a target system – Denial of Service, Malicious Code, Scanners, Probes, Attempted Access etc. To technically account for all of them would be futile, so for the purposes of a policy discussion such as this one, we will use a RAND Corporation definition for cyberattacks as the deliberate disruption or corruption of a system of interest by one actor to another actor (Libicki 2009). It is important to note here that as stated in the same RAND report, this definition will exclude cyber espionage and theft, or Computer Network Exploitation. This is because a) it does not deprive the user of the full use of the cyber system, b) the user suffers no consequential harm other than having secrets stolen, and c) the law of war rarely recognizes espionage as a casus belli. However, the question remains how to deter such cyberattacks if their scope and methods are so broad and diverse.
Deterrence as a concept is not new, and has been around since Thucydides wrote about the Peloponnesian War and framed deterrence as a strategic interaction problem (Lebow 2007). It has since been most understood through the modern context of build-ups of nuclear and conventional military means. At the height of the Cold War, it was the deterrent narrative of Mutually Assured Destruction (MAD) that kept the US and the Soviet Union from launching into full-scale thermonuclear war in the face of ideological and geostrategic competition. The principle of massive retaliation against the scepter of any nuclear threat guided the grand strategy of administrations from both countries. It was simply the risks and scale of response that prevented rash action by any one party. The same could be easily applied in conventional military situations, where strong armed forces serve as deterrents to guard against potential geopolitical conflicts. Israel and Singapore are immediately examples that stand out in this regard (Kok 2014).
Therein lies a major challenge of translating deterrence to cyberspace. Implicit in these analogies is the appealing concept of clear, tangible, and proportional retaliation. Also known as deterrence by punishment, this conception of deterrence has arguably been the mainstream understanding of deterrence theory internationally since the Cold War. However, the very nature of cyberspace makes such a concept of deterrence almost to impossible to achieve. Common definitions from the International Organization of Standards and the United Nations (UN) share a similar understanding of the cyber realm, that unlike the more familiar domains of the air, land, and sea, the intangible domain of cyberspace is difficult to comprehend and secure owing to its scope and complexity (NATO CCDCOE 2012). Cyberspace is multidimensional, and involves both public and private entities. The sheer number and diversity of users in cyberspace renders it impossible for governments to have the same degree of control over it as in the physical space (Tan 2018). Yet, it is the medium through which many of society’s services are provided.
This poses three key issues for deterrence by punishment. Firstly, actors are no longer able to calibrate the proportionality of their responses in cyberspace. The communal nature of cyberspace means that not only does it provide the foundations for social activity, but that for economic, military, and malicious activity as well. What we are left with is a domain in which any action might have unforeseen and much further-reaching consequences than initially expected. Deterrence by punishment then quickly becomes troublesome, if not unfeasible. An actor is no longer confidently able to ascertain a proportional response to a cyberattack that falls within the intended threshold of damage, and not risk escalation or international condemnation (Tan 2018). Collateral damage because a key point of contention, and without the ability to gauge outcomes with certainty, the results could be unintentionally catastrophic.
Secondly, it is increasingly difficult to attribute attacks in cyberspace to specific actors. Certainly, conventional and nuclear attribution to actors is also not always a guarantee. However, there are well-established ways of tracing troop movements, weapon shipments, signatures from radioactive material and the like to state actors. The barriers for non-state actors to attain the capability for similar actions is also significantly small. Yet, as William Lynn wrote, “Whereas a missile comes with a return address, a computer virus generally does not.” (Lynn III 2010) The sprawling architecture of cyberspace, with its numerous ports, servers, and routers, creates unique issues of identification and attribution of action unparalleled to the physical world.
Thirdly, there is still a lack of agreement on what constitutes ‘use of force’ in cyberspace. States are increasingly finding the applicability of traditional law of armed conflict (LOAC) principles to cyber operations to be limited, since a kinetic scope of conflict no longer fits this new type of cyberwarfare (Dev 2015). Informal rules of conduct in cyberspace have recently been introduced by scholars, the most well-received one being the Tallinn Manual on the International Law Applicable to Cyber Warfare. Rule 11 of the manual states that a ‘cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force’ (Schmitt 2013). There is also a general understanding that, should cyberattacks employ capabilities that cause, or are reasonably likely to cause, physical damage to property, loss of life or injury of persons in a manner equivalent to kinetic attacks, they will qualify for Article 2(4) of the UN Charter (Roscini 2015). However, such efforts lack the enforceability mechanisms which would enhance the legitimacy of and reciprocity for the LOAC. They also present a dilemma when dealing with cyberattacks that fall short of the devastating impact as stated above. With no codified international consensus, states thus take a subjective view of what is lawful due to an absence of objective, internationally-accepted assessment. This absence of clear parameters for warfare has created a “grey zone” for conflict, where actors conduct cyberattacks below a threshold deemed to be less-than-serious and calculated to not warrant escalation. That this calculation is subjective, and the ramifications of such cyberattacks are uncertain, is disconcerting to many policymakers for whom cyberdeterrence is often viewed as a binary strategy, to be applied to state actors within a context of geopolitical competition (Burton 2018).
These complications make it difficult to understand modern deterrence in the cyberspace, but not impossible to translate. At its very core, deterrence is nothing more than a rational cost-benefit analysis the predates the nuclear age (Ayson 2004) – the dissuading of someone from an action by making them believe that the costs to them will exceed their expected benefit. Moving away from the traditional lens of deterrence, there is a need for a more comprehensive approach. The use of the same frameworks as nuclear and conventional deterrence cannot be sufficient and a new form must be envisioned. As more individuals, businesses, and governments digitalize, cyber vulnerabilities will continue to pervade society. Cyberattacks on critical institutions, both public and private, can then have immediate and consequential national security implications. Deterring against cyberattacks on such financial, transportation, and other vital infrastructure has taken on equal importance as deterring cyberattacks against military and strategic targets. If the scope for targets is now wider than before, it only stands to reason that so should deterrence strategies be too. As Joseph Nye remarks, deterrence can still be observed in today’s cyber age if we broaden the way we use the concept (Nye Jr. 2017).
While cyberattacks can be carried out by both state and non-state actors, this paper will focus mainly on state actors, riding on the experience of the 2007 Estonian cyberattacks allegedly carried out by Russia. The cyber aspect of international relations is quickly become a central point of debate and discussion within the international community, and there is an urgent need for the study of both the role cyber plays in international relations, and the conditions by which states can protect themselves in cyberspace. That being said, the policy suggestions explored through the course of this paper is by no means limited to deterrence against state actors. The concepts and principles behind deterrence are equally applicable to non-state actors.
In his paper, Nye mentions four different types of deterrence and dissuasion in cyberspace: threat of punishment, denial by defense, entanglement, and normative taboos (Nye Jr. 2017). In this paper, I would like to adapt his ideas to create a different, more encompassing conception of cyberdeterrence which would include deterrence by punishment, deterrence by denial, multilateral cooperation and promotion of international norms, and capacity building.
As previously discussed, classical deterrence is most associated to deterrence by punishment. Just as the use of conventional and nuclear weapons helps to inform the decisional calculus of any potential attacker, so too can the use of offensive cyberweapons. Yet, I have shown that due to problems of attribution and uncertainty in knowing the exact type of retaliatory damage that will be incurred, such retaliatory threats of punishment are less likely to be effective in cyberspace. However, punishment is still possible through the Diplomacy, Information, Military, Economic, Financial, Intelligence, and Law Enforcement (DIMEFIL) model (Haaster 2016). Responses need not be within the same domain, but on a spectrum extending horizontally outside that domain. This affords the state a degree of flexibility in choosing a response that appeals to its strength. These may include economic sanctions, foreign policy maneuvering, releasing of information etc.
While this form of deterrence was not often considered as a feasible strategic option during the nuclear Cold War era, deterrence by denial is perhaps one of the most promising forms of deterrence in cyberspace. When the adversary is unknown, the timing of the attack is uncertain, and the intents are unclear, increasing the costs of an attack through good defense can discourage an adversary from even attacking. The harder it is for the attacker to achieve his objectives, the less incentive he will have to attack. Such defenses can also prolong the adversary’s efforts, making him commit more time and resources without the guarantee of success. This disrupts the cost-benefit model of the attacker, and discourages further attacks. The side effect of creating more resilient systems is a greater capacity for the state to recover after an attack, which is valuable in itself.
Creating a conducive and stable environment for the use of cyberspace is only possible through an internationally agreed, rules-based order. This can and should serve as a framework that guides the behaviour of both state and non-state actors, resulting in predictability and security through common understanding. The key to this is establishing international norms through supranational organizations and multilateral cooperation, forming expectations and taboos that could serve to impose reputational costs on actors who fail to comply. This will be sustained by confidence-building measures like bilateral exchanges and international dialogue, as well as cooperation through forensic assistance. Such frameworks must also include dispute resolving mechanisms and avenues for redress and punishment. This will prevent and reduce the risks of unintended escalation of incidents in cyberspace, and will provide a measure of assurance to all actors regarding mutual compliance and normative behaviour. Without such an international system, the strong will do what they can, and the weak will suffer what they must.
The importance of robust systems cannot be understated in efforts to discourage potential attacks. If attackers cannot realize their objectives, there will likely be less motivation for the attack. However, while similar to deterrence by denial, capacity building emphasizes less on the technical aspects of cyber defence, and more on the peripheral and holistic factors that compliment it. This includes increasing societal strength and resilience, strengthening political processes and will, and raising the level of national readiness through backup systems and disaster drills.
Taken individually, these concepts are necessary but insufficient conditions for establishing a successful deterrence strategy in cyberspace. It is only by drawing on the totality of these concepts that credible signals about a state’s capability, resilience, and intentions can be made through coherent policy making. This must be done through a whole-of-government, and even whole-of-nation approach requiring close coordination across all relevant government and civil agencies.
To that end, Estonia provides a good case study demonstrating how to leverage the various government and civil levers to establish effective response and lasting deterrence towards a cyberattack. Few would have expected Estonia to be at the center of a massive cyberattack, given its relatively small economy, population, and geographical size. Yet, with such a tumultuous history, Estonia is no stranger to foreign aggression. Having endured multiple occupations – being subject to the rule of powers like Denmark, Sweden, the Russian Empire, Nazi Germany, and the Soviet Union – the need for robust security policies to ensure their own survival is deeply ingrained into their national psyche. As a small country, Estonia is also keenly aware of its vulnerability to changes in the global environment that can leave a faster and deeper impact on small states, who often are less able to manage the risks and deal with the consequences.
This vulnerability was manifested on April 30, 2007, when Estonia suffered what was at the time considered to be one of the most crippling cyberattacks on a state – a massive denial-of-service attack on its networks which affected citizens’ access to financial and government services. This cyberattack occurred within the overall climate of tension between ethnic Estonians and the country’s Russian minority population, and against the backdrop of a decision by the government to move a Soviet memorial called the “Bronze Soldier”, commemorating the liberation of Estonia from the Nazis, from Tonismagi Park in central Tallinn to the Tallinn Military Cemetery. To ethnic Estonians, the memorial represented a symbol of Soviet oppression, but for the Russian minority, its relocation represented further marginalization of their ethnic identity by the state. As riots broke out on the streets, this nationalist backlash was complemented by distributed denial-of-service (DDoS) attacks targeting key national infrastructure and servers used for e-mail, the web, domain name resolution, and other services. (Healey 2013) Systems stalled under unusually high data traffic, which exceeded average-day peak loads by a factor of 10. In addition, the political establishment was publicly undermined through the defacement of websites and spamming of email inboxes. Government websites like those of the Estonian Parliament were affected, and the attacks quickly spread to media outlets, financial industries, and banks like Swedbank as well. Overall, it was a multifaceted cyberattack campaign consisting of a number of distinct attacks conducted over the course of almost four weeks in multiple phases, and comprising of not only synchronized human actions but also botnet-based techniques.
Much of the technical response activities to the cyberattacks were handled by the Estonian Cyber Emergency Response Team (CERT), but after the attacks there were indications attributing the attack to Russia. The Estonian Minister of Justice also asserted that some of the data packets in the overload of data traffic were traced back to IP addresses originating from Moscow offices in the Kremlin. (Rantanen 2007) Although concrete and indisputable evidence linking Russia to the attacks is hard to obtain, the immediate assumption that Russian authorities were involved were soon embraced by both Estonian officials and academic scholars. Regardless, the cyberattack was understood to be the first of its kind that was directed as a coercive instrument in a political conflict against a state.
What is interesting to note is that the attack did not actually come as a surprise to Estonian authorities. News had been spreading that commenters were rallying within Russian-language security forums online in mid-April to find comrades to help initiate low-intensity DDoS attacks against organizational pillars of Estonian society. Estonian officials also knew that with the extent of its society using government e-services, Estonia offered a tantalizing target. However, they had assumed that the cyberattacks would likely occur in May and coinciding with the completion of Estonia’s e-Elections, with the expectation that the attacks would be aimed at exposing the vulnerabilities of their electronic voting systems.
A task force had been setup to continuously monitor the Estonian internet during the elections in an effort to reduce such risks, and after the uneventful conduct of the elections, the task force was on standby. Yet, there was an inability to centrally monitor national internet services, and the cyberattacks were only confirmed through mutual updates between individual technical operators in Estonia. In fact, there was a serious breakdown in communication, as coordination between key personnel both within the government and with the private sector mainly occurred through sauna sessions and informal interactions instead of clear lines of institutional communication. Allegedly, there were moments where approval authorities were unclear, and major decisions were made without prior approval, such as the shutting down of the entire national internet network for the rebooting of Swedbank’s security systems.
Now more than a decade later, Estonia is a household name in the cyber domain. The tiny nation-state has built itself a strong international reputation for its expertise in cyber defense and cyber security. It has successfully managed to optimize policy at both the systems level and sub-systems level, involving a whole-of-government and whole-of-country approach to create a cyber operating environment that is safe, monitored, cooperative, and sustained. Its experiences of the 2007 cyber attack has offered it not only a hard look at its own system vulnerabilities, but also an opportunity to bolster national resilience and exploit other possibilities in the field of cyber.
As stated in its 2017 National Security Concept, Estonia addresses its security as a part of a wider international security. Its small size means that trends connected to globalization and the impact of international crises and conflicts affect Estonia with increasing immediacy. In maintaining its security, Estonia seeks and supports ways and means that have a positive impact on Estonia as well as on other states. Therein lies the overarching impetus for its specialization in cyber. In particular, there are two compelling arguments for Estonia’s push towards an emphasis on cyber.
Firstly, from a strategic point of view, cyber is a domain that is not just constantly growing, but also has the potential to revolutionize a range of sectors. Operations in the military, financial, governance, and resource sectors could be augmented by developments in this field. By leveraging and spearheading these developments, Estonia can not only enhance its own defense and economy, but position itself to remain relevant in the global arena and increase its own survival as well. This is especially important since small countries often lack the clout to influence their international environment, and have to strive harder to ensure their survival in a world where you are either at the table or on the menu.
Secondly, the relatively low-cost nature of cyber operations and development makes the industry a sensible option for Estonia to focus on. A small economy and lack of manpower means that in contrast to more intensive primary and secondary industries like manufacturing, and even some tertiary industries like biomedical science, cyber offers a practical and feasible alternative for investment. Indeed, this was one of the key considerations of Estonian officials when choosing cyber as a niche for Estonia.
How Estonia has managed to progress in cyber, with the use of both strategic and domestic level policies, is worth exploring to provide a blueprint for other national efforts in the future to secure this ever-growing paradigm.
From a foreign policy perspective, Estonia has approached cyber deterrence with a framework that consists of investing the interests of other powers and signaling its expertise to the international audience. It has sought the buy-in and recognition of many countries towards the importance, potential, and dangers of cyber. More crucially, it has positioned itself as an agenda-setter in the field of cyber by using various multinational organizations and diplomatic agreements to push for its interest and solidify its relevance in the field.
The most evident example of this political maneuvering is the NATO CCDCOE. Estonia had initially proposed for the creation of the center in 2003, and while the details were slowly worked on in the following years, the 2007 cyber attacks helped Estonia in highlighting the potential vulnerabilities of other NATO countries and their institutions to disruption of their information, financial, and communications systems. Estonia’s proposals were expectedly well received by other NATO members, and the CCDCOE was set up in Tallinn in 2008. This makes it one out of 12 COEs that “train and educate leaders and specialists from NATO member and partner countries, assist in doctrine development, identify lessons learned, improve interoperability, and capabilities and test and validate concepts through experimentation.” (NATO 2018) With a diverse group of experts from 20 nations and mixed military, government and industry backgrounds, the CCDCOE is one of the few global nexuses for the development of cyber capability and concept of operations.
The significance of the CCDCOE for Estonia has to do both with what it organizes and what it provides, contributing substantial value towards Estonia’s cyber deterrence. It conducts one of the world’s largest and most complex international technical cyber defence exercise Locked Shields, as well as the annual premier cyber conflict conference, CyCon. It offers a platform for foreign operators to hone their skills, while benefiting NATO and Estonia with the opportunity to enhance interoperability and learn CONOPS from other militaries to strengthen its cyber resilience. It also helps to set parameters on acceptable norms revolving cyber activities and warfare, which goes some way in promoting international behavioral frameworks. Most importantly, it reinforces Estonia’s role in the cyber domain, and helps put the country at the forefront by sending a clear signal that Estonia remains a strong player in cyber. The international involvement in the CCDCOE also ensures that enough countries have a stake in Estonia, its defense, and its survival. This investment serves as a strong deterrent which gives it both the relevance and the clout it needs to increase its policy space in the international area.
Another good example is Estonia’s efforts in the European Union (EU). In 2017, it assumed the rotating presidency of the EU Council of Ministers for 6 months with a clearly articulated intent of making the presidency a digital one. (Pommereau 2017) Aside from the many other climate, migration, and Brexit-related issues, it put emphasis on positioning itself as the driver for cyber-related issues in the EU by tapping on its niche expertise and the weight of its presidency to highlight the importance of the field in EU affairs. Its achievements in E-Governance were a potent source of soft power for Estonia, which Estonia used to push for a digital Europe and work on the free movement of data across all 28-member states. (e-estonia 2017) By the end of the presidency, they had managed to shift the conversation to tech, build consensus on reform for telecom and chat privacy rules, and rope EU heads of state into a high-level Digital Summit. (Politico 2017) In addition, Estonia also managed to sign E-Governance cooperation agreements with the African Union (AU) to develop similar digital systems. (Vahtla 2017) While done with the aim of developing African states and supporting the expansion of trade and service accessibility, it has sparked regional interest in Estonia’s cyber offerings and enhanced Estonia’s image as a champion for digitalization and cybersecurity. Lastly, recognizing that responses to cyber threats require tight coordination across all sectors and all levels of government, in 2017 Estonia cooperated with the European Defense Agency to organize EU CYBRID – a strategic table-top cyber-exercise for EU Ministers of Defence, focused on choices and considerations at the ministerial level to test crisis response to a major offensive cyber campaign against EU military structures in a hybrid warfare context. (European Defence Agency 2017) This helps to harmonize threat perception, situational awareness, and strategic communication processes to ensure common understanding and guide structural responses in the event of any cyber incident.
Estonia’s holistic cyber defense preparations account for not just infrastructure-related vulnerabilities, but platform-related vulnerabilities as well. On the bilateral level, Estonia also holds an annual exercise with the Maryland National Guard to simulate response against a cyberattack on military platforms in the context of a hybrid warfare campaign. Named Exercise Baltic Jungle, the 2017 edition featured a team of 35 US and 5 Estonian cyber operators at Ämari Air Base pit against a scenario where a hypothetical adversary had infiltrated malware into computers that run maintenance diagnostics on the US A-10s. (Peterson 2017) The interwoven use of conventional weapons system like the A-10 with modern cyberwarfare assets is a bellwether for the kind of complex, multidimensional defensive combat tactics Estonia and NATO need to hone to defend themselves from modern hybrid warfare threats.
These international involvements have a tremendous effect on boosting the credibility of Estonia’s cyber capabilities. It sends a strong message to potential aggressors that Estonia has the diplomatic clout to table cyber issues at the highest levels of NATO and EU politics, and also that it has the technical expertise to secure its cyberspace and those of its partners. In that same vein, Estonia has also shown its ability to add value in crafting international parameters for acceptable cyber behavior, and promote interoperability, cooperation, and harmonization amongst friendly partner states. This all serves to enlarge Estonia’s security space and signal its investment, as well as that of many international partners, in its security and survival, particularly against cyber operations. Such efforts will certainly influence the decisional calculus of state and non-state actors, who are likely to factor in the increased costs arising from Estonia’s capacity and international safeguards. From a strategic perspective, Estonia is thus able to burnish its deterrence against any future cyber attacks.
On the domestic front, Estonia compliments its strategic efforts of deterrence by coordinating policies across the education, social, governance, and defence sectors. This approach creates a conducive deterrent environment through building societal resilience, establishing national direction, and sustaining military capabilities against cyber threats. Working in tandem with one another, policies and directives that seemingly exist in isolation can actually have a cumulative effect on reinforcing security in the cyberspace. Taken together, they present holistic attempt to increase Estonia’s ability to withstand cyber attacks and decrease the likelihood of success for potential aggressors.
In the education sector, Estonia has put emphasis on policies that build up the talent pool needed to help the state specialize in the cyber domain. Serving as the foundation for this is a keen understanding that success in this aspect requires attention at not just the higher tertiary levels of education, but at levels as early as first grade. While attracting talent through postgraduate offerings is important, talent-scouting competitions and institutionalized introductory programming courses at the lower tiers are equally necessary for identifying promising individuals and equipping citizens with the necessary computer skills to survive in a digital age.
Estonia’s universities provide strong academic curricula at the postgraduate level for many cyber-related fields of study. For example, at the Tallinn University of Technology (TTU), the cybersecurity programme jointly offered with the University of Tartu since 2010 allows students a unique chance to study under professional cyber security practitioners hailing from Estonian banks, telecoms, law enforcement, CERT and the NATO CCDCOE. (TTU 2018) TTU also offers a masters degree in E-Governance technologies and services, focusing on IT solutions at the government level and their impact on the economic, legal, and policy functions of a modern state. These academic programmes have all only been introduced within the last decade, and are intended to attract and send a clear signal to prospective students to contribute to Estonia’s cyber industry.
Yet, simply creating a talent pool at the university level is insufficient, so Estonia also organizes challenges at the middle-to-high school stages of education for the purposes of raising awareness and identifying gifted students. In particular, Cybernut and the CyberOlympics are 2 key competitions held annually in-part by the Ministry of Defense. (studyitin.ee 2017) They are aimed at students aged 14-19, who are tasked with dealing with malware and encryption, among other cyber tools and problems. (studyitin.ee 2016) While winners are provided a unique opportunity to visit the most important cyber defence centers in Estonia, it is clear that the intent of these competitions is to foster interest in the cyber domain, as well as to earmark talented individuals for grooming in the cyber field.
At even earlier stages of education still, perhaps the most impressive of its policies is Estonia’s Progetiger program. In what may be one of the most farsighted education models in the world, Progetiger teaches Estonians the foundations of computer programming from as early as kindergarten. (HITSA 2018) Launched in 2012, this initiative to improve the technological literacy of the entire population from such a young age is an investment, made with an eye on equipping future generations with the necessary fluency in ICT disciplines. This is also in line with developing digital competences through education, one of the 8 key competences that the national curriculum focusses on. (e-estonia 2018) However, by exposing the young to programming and computer technologies, Estonia is not just ensuring a steady supply of future cyber specialists. It is also making sure that the public will be more familiar with cyber technologies and their associated benefits and detriments, which will be useful for gathering public support and maintaining order in times of crisis and cyber-related incidents. This translates to an increased societal capacity for resilience, as well as greater political maneuvering space for the government to respond to potential cyber threats.
In the social realm, Estonia stresses simple cyber hygiene as the cornerstone for cybersecurity. There is an acute recognition among Estonia’s security circles that regardless of the technical defenses and software solutions that can be implemented, it is often the lack of proper cyber hygiene training of individuals that creates the greatest vulnerability of cyber systems. (IIE 2018) This is taken seriously by the Estonian authorities because of the rate of technological penetration in its society. E-Governance is a fixture of daily life and is used to access almost every available government service. Estonians also use state-issued electronic identification cards regularly, which by design require two-factor authentication. To this end, Estonia’s businesses and government offices frequently go through web-based tests that assess their knowledge of cyber hygiene and seek to mitigate risks associated with such security lapses. (CybExer Technologies 2016) Initiated years ago by the Ministry of Defence, the CybExer cyber hygiene online training platform was created by the company CybExer Technologies, to test and improve individual awareness of possible threats in a digital environment, ranging from handling USB drives to opening spam email. Notably, participation has been made compulsory by the Estonian Information System Authority for all civil servants starting 2017. (CybExer Technologies 2017) This makes Estonian society less susceptible to cybersecurity oversights and attempts by actors to exploit cyber vulnerabilities.
On the part of governance, Estonia has committed itself to establishing a clear direction for the state’s cybersecurity trajectory. There are 2 prongs that can be deduced from its efforts post-2008 – to institutionalize the strategic conception of cybersecurity development and operations, and to create clearer, more defined decisional and authority chains.
Two crucial documents form the basis of Estonia’s domestic security policy in cyber. The first is the Cybersecurity Strategy, an annually reviewed whole-of-government plan that lays out Estonia’s current challenges in cyber and future capability development or areas of interest.
Started in 2008, the first iteration of the strategy focused on regulations, organizational setup, and widespread awareness and cooperation across a period from 2008 to 2013. (Cyber Security Strategy Committee 2008) This marked a stage of transition with regard to conception of cyber: from a specialist niche area of expertise to a topic with sprawling implications across significant areas of governance. The Ministry of Defence – in cooperation with the Ministry of Education and Research, the Ministry of Justice, the Ministry of Economic Affairs and Communications, the Ministry of Internal Affairs, and the Ministry of Foreign Affairs – laid down the principles, means of coordination, and regulatory frameworks upon which to build common standards that would transcend both state and private agencies to reduce vulnerabilities at the national level. This included efforts to identify and bolster the security of existing information architecture, such as the X-Road system, a secure national data exchange layer crucial to the function of the public and private sectors.
Noteworthy is how this iteration of the strategy recognizes that it is “necessary to specify better the distribution of tasks and responsibilities between agencies in order to achieve a more efficient organization of cyber security of the critical infrastructure and a better co-ordination of activities in combating cyber threats”. Following this, in 2009, a Cyber Security Council was added to the government’s Security Committee to support inter-agency cooperation and supervise implementation of the objectives of the Cyber Security Strategy. In 2010, the Estonian Informatics Centre was given government agency status and renamed the Estonian Information System Authority, under the Ministry of Economic Affairs and Communications. It received additional powers for maintaining the security of the state’s information and communication systems. This also gave them the power to audit private sector security systems to ensure national standards were met.
The second iteration of the strategy moved away from the bureaucratic reformation seen in the first iteration, and instead moved towards an approach of technical refinement of cyber capability and national continuity. Recognizing that the advancement of technology was accompanied by “an increase in the state’s growing dependence on already entrenched e-solutions”, there was an expectation of an inevitable rise in the number of potential vectors for, and complexity of, attacks. (Ministry of Economic Affairs and Communication 2014) This led to an emphasis on protection of critical information systems through a review of alternative solutions for important services, as well as the introduction of virtual embassies that ensure digital persistence “regardless of Estonia’s territorial integrity”. Aside from fighting cyber-crime, the synchronization of military capabilities for civil cyber emergencies is also stressed to provide for seamless response to defense threats. This is coupled with plans for developing the next generation of cybersecurity professionals, state involvement in cyber research and development (R&D), as well as promoting a conducive legal and international environment for cross-sectoral cyber integration across agencies and global partners. All of this contributes to a reinforcement of the Estonian “cybershield”. As of the time of writing, Estonia is still crafting the third iteration of its Cybersecurity Strategy.
The other document of significant importance is the National Security Concept, revised and amended by parliament whenever there are changes in Estonia’s security environment. It establishes the objectives, principles, and directions of the state’s security policy by taking a broad approach to defense, inter-agency cooperation, and horizon scanning of emerging threats. This sets it apart from the Cybersecurity Strategy, since it takes into account parallel developments in security from a macro perspective. It highlights the role of cyber in terrorism and state conflict, considering its effects not just at the practical and functional level, but also at the societal level. The underlying immutable for the National Security Concept is a strong civil society as the foundation for a strong defense. As it states, “cyberspace may be used for inciting tension and conflicts within the society” and so “attacks against cohesion of Estonian society necessitate greater attention to the sense of cohesion and psychological defence”. (Riigikogu 2010) This signals a keen understanding of national resilience as a key and intuitive part of defense against cyber attacks, as seen in the government’s efforts in the social and educational sectors, which goes a long way in preparing Estonia for future attacks and lowering the effects they may have on the country.
What this translates to is a definition and prioritization of the national strategic objectives in cyber, maintaining a long-term view of the field that allows it the room to harmonize its advances in cyber with other national strategies and policies. The result is a united cyber front with clarity of direction, organized in alignment with other sectors of government. This reduces the likelihood of success of a cyberattack, given the tight linkages that afford quick reaction in the defense of critical systems.
Lastly, on part of the military, Estonia has swiftly moved to set up cyber capabilities in both the Estonian Defense Forces (EDF) and the Estonian Defense League (EDL). Since 2016, the EDF has been allowing national service conscripts to enlist as cyber experts instead of being streamed into the traditional infantry vocation. (Satter 2017) This leverages on enlistee expertise and prevents the wastage of information technology talent, fully utilizing the available resources to buttress the defense of the military’s electronic equipment. Just last month, the EDF also launched its Cyber Command into operational status, making official the military’s cyber capabilities that are believed to have existed as early as 2005. The new command will be tasked with carrying out operations to support the ministry and military, while also protects Estonia’s cyber resources, handling everything from training and organization of units to conducting support and information operations. (Cavegn 2018) Interpreted through the lens of defense development, this is part of an effort not just to add value to the present defensive structure of Estonia, but also to explore offensive capabilities that could give the state an upper hand in cyberwarfare or retaliation. As an EDF official pointed out, “As a small state on the defensive, there is strong cultural and ethical resistance for offensive capabilities. But when dealing with a domain like cyber, if Estonia finds itself having to cross that border, it should have the tools to do so.”
The EDL works in tandem with the EDF, functioning as a volunteer, paramilitary organization that serves to enhance the readiness of Estonia’s defense. While initially unplanned, the Cyber Defense Unit (CDU) was set up under the EDL in the wake of the 2007 cyber attacks to create professional networks in order to bring together public and private sector expertise. Its activities include technical training, joint drills with the EDF and international cyber units, educational campaigns, and open-source intelligence analysis. Amongst its ranks are former employees of technology companies like Skype and Microsoft, with not just generalist knowledge of the cyber domain, but functional specialist competencies that lend themselves to task teams in service of national emergency response agencies. While some of these personnel belong to the military reserves, some can also be seconded to any ministry if needed. Indeed, the overarching purpose of the unit is deeply rooted in ensuring the continuous functioning of critical services or deterring threats against such services. (Kaska, Osula and Stinissen 2013) Legal provisions are also made to use the unit in times of crisis to prevent damage to targets deemed to be at high risk of attack. The CDU, then, can also be thought of as serving as a pseudo cyber civil defense force for Estonia.
These military capabilities present a side of Estonia’s cyber defense that is perhaps most visible to the international audience. The state has built up these credible institutions to defend its cyberspace, and it is through them that deterrence, both by denial and potentially punishment, can be afforded to politicians as diplomatic apparatus. However, taken in totality with the other domestic policies enacted by Estonia, they only provide one part of an extensive, holistic national approach to cybersecurity. Estonia’s domestic planning is comprehensive not just in its conception of cyber and its implications, but also the various levers across other government sectors that can be made available in support of cyberdefense. Through this expansive effort, Estonia creates for itself both the reputation and the actual capability to truly be a contending force in the securitization and protection of its cyberspace.
Despite the suite of policy instruments Estonia has created for itself, there are still challenges that arise from Estonia’s inherent characteristics that come with being a small country. The constraints that a modest economy, comparatively tiny population and workforce, and limited resources for R&D present restrictions on both Estonia’s policy space and competitive viability in the long run. While one has immediate policy implications, the other has the potential to adversely affect Estonia’s position in the cyber domain.
- Lack of international clout and small economy means F in DIMFIEL is not plausible Cannot enact sanctions as punishment (allmann)
- Lack of resources Cyber bubble, might come a time when Estonia cannot compete with other powers
Alexander, David. 2011. Pentagon to treat cyberspace as “operational domain”. July 15. https://www.reuters.com/article/us-usa-defense-cybersecurity-idUSTRE76D5FA20110714.
Associated Press. 2017. US Finalizing Plans to Revamp Cyber Command. July 15. https://www.voanews.com/a/us-finilizing-plans-to-revamp-cyber-command/3945554.html.
Ayson, Robert. 2004. Thomas Schelling and the Nuclear Age: Strategy as Social Science (Strategy and History). Routledge.
Burton, Joe. 2018. Cyber Deterrence: A Comprehensive Approach? Tallinn: NATO Cooperative Cyber Defence Centre of Excellence .
Cavegn, Dario. 2018. Defence Forces cyber command takes up operations. August 1. https://news.err.ee/850719/defence-forces-cyber-command-takes-up-operations.
Cyber Security Strategy Committee. 2008. Cyber Security Strategy. Tallinn: Ministry of Defence, Estonia.
CybExer Technologies. 2016. CybExer Technologies Launches a Unique Cyber Hygiene e-Learning Platform. May 19. https://cybexer.com/cybexer-technologies-launches-a-unique-cyber-hygiene-e-learning-platform/.
—. 2017. Estonia Implements CybExer Cyber Hygiene e-Learning Course to All Civil Servants. May 18. https://cybexer.com/online-training-increases-awareness-of-public-officials-regarding-cyber-hygiene/.
Dev, Priyanka R. 2015. “”Use of Force” and “Armed Attack” Thresholds in Cyber Conflict: The Looming Definitional Gaps and the Growing Need for Formal U.N. Response.” Texas International Law Journal 380-398.
e-estonia. 2017. Estonia’s EU presidency: digital Europe and the free movement of data. June. https://e-estonia.com/estonias-eu-presidency-digital-europe-and-the-free-movement-of-data/.
—. 2018. “FAQ – Digital Competences.” e-estonia. August 30. https://e-estonia.com/wp-content/uploads/faq-a4-v02-digitalcompetences.pdf.
European Defence Agency. 2017. First cyber exercise at EU ministerial level focuses on strategic decision-making Tallinn . September 7. https://www.eda.europa.eu/info-hub/press-centre/latest-news/2017/09/07/first-cyber-exercise-at-eu-ministerial-level-focuses-on-strategic-decision-making.
Haaster, Jelle van. 2016. “Assessing Cyber Power.” 2016 8th International Conference on Cyber Conflict. Tallinn: NATO CCD COE. 7-21.
Healey, Jason. 2013. A Fierce Domain: Conflict in Cyberspace, 1986 to 2012. Cyber Conflict Studies Association.
HITSA. 2018. ProgeTiger Programme. August 30. https://www.hitsa.ee/it-education/educational-programmes/progetiger.
Huth, Paul. 1988. “Deterrence Failure and Crisis Escalation.” International Studies Quarterly (International Studies Quarterly) 29-45.
IIE. 2018. How Estonia uses cyber hygiene as the cornerstone of cyber security . June. https://investinestonia.com/how-estonia-uses-cyber-hygiene-as-the-cornerstone-of-cyber-security/.
Kaska, Kadri, Anna-Maria Osula, and Jan Stinissen. 2013. The Cyber Defence Unit of the Estonian Defence League. Tallinn: NATO CCDCOE.
Kok, Xing Hui. 2014. Why S’pore needs a deterrent military force. January 18. https://www.todayonline.com/singapore/why-spore-needs-deterrent-military-force.
Lebow, Richard Ned. 2007. “Thucydides and Deterrence.” Security Studies 163-188.
Libicki, Martin C. . 2009. Cyberdeterrence and Cyberwar. Santa Monica: RAND Corporation.
Lynn III, William J. . 2010. “Defending a New Domain.” Foreign Affairs September/October.
Ministry of Economic Affairs and Communication. 2014. “Cyber Security Strategy.” Tallinn.
Miniwatts Marketing Group. 2018. World Internet Usage and Population Statistics. https://www.internetworldstats.com/stats.htm.
NATO CCDCOE. 2012. Resources: Cyber Definitions. https://ccdcoe.org/cyber-definitions.html.
NATO. 2018. NATO Centres of Excellence. 8 24. https://ccdcoe.org/nato-centres-excellence.html.
Nye Jr., Joseph S. 2017. “Deterrence and Dissuation in Cyberspace.” International Security 44-71.
Peterson, Nolan. 2017. A Dress Rehearsal For Defending Estonia From A Putin Invasion. September 17. https://www.newsweek.com/dress-rehearsal-defending-estonia-putin-invasion-666280.
Politico. 2017. Estonia’s presidency: How it went. December 20. https://www.politico.eu/article/estonias-presidency-how-it-went/.
Pommereau, Isabelle de. 2017. Estonia takes EU’s helm with focus on digitalization, cyberdefense. June 29. https://www.dw.com/en/estonia-takes-eus-helm-with-focus-on-digitalization-cyberdefense/a-39480254.
Rantanen, Miska. 2007. Virtual Harassment, but for Real. Helsingin Sanomat.
Riigikogu. 2010. “National Security Concept of Estonia.” Tallinn.
Roscini, Marco. 2015. “Cyber Operations as a Use of Force.” Research Handbook on International Law and Cyberspace 233-254.
Satter, Raphael. 2017. Cyberconscripts: Baltic draftees can choose IT over infantry. January 24. https://apnews.com/3e5b8cc4e63b4630b10fd5186f36ba90.
Schmitt, Michael N. 2013. Tallinn Manual on the International Law Applicable to Cyber Warfare. Tallinn: Cambridge University Press.
studyitin.ee. 2017. CyberOlympics 2017/European Cyber Security Challenge 2017 Estonian preliminary round. May 18. http://studyitin.ee/en/cyberolympics-2017-european-cyber-security-challenge-2017-estonian-preliminary-round.
—. 2016. First cyber defence competition for schoolchildren. December 31. http://studyitin.ee/en/estonian.
Tan, Eugene EG. 2018. “Cyber Deterrence in Singapore.” The RSIS Working Paper Series No. 309.
The Economist . 2010. War in the Fifth Domain. July 1. https://www.economist.com/node/16478792.
TTU. 2018. Cyber Security. August 29. https://ttu.ee/cyber-security/#overview-24.
United States Government Accountability Office. 2016. Information Security – Agencies Need to Improve Controls over Selected High-Impact Systems. Washington DC: Report to Congressional Requesters.
Vahtla, Aili. 2017. Estonia signs e-governance cooperation agreement with African Union. December 1. https://news.err.ee/646044/estonia-signs-e-governance-cooperation-agreement-with-african-union.
 From an interview with Lari Almann
 According to BHC Laboratories
 From interview with MFA official
 From an interview with MOD official
 Interview with MoD official
 Interview with MoD official
 Interview with EDF official
 Interview with EDL official
 Interview with MoD official