By Logan Carmichael

Logan Carmichael explores Estonia’s cyber revolution and what we can learn from it.

For three weeks in 2007, if you wanted to do practically anything on the internet in Estonia, you were out of luck. The websites of the Estonian government, major banks, and prominent news media outlets were incapacitated. These sites fell victim to a distributed denial of service (DDoS) attack, whereby hackers overwhelm a website with excessive traffic, more than the site can operably handle.

It was believed that the DDoS attack originated from Russia – Estonia’s much larger eastern neighbour with which it shares a long and complicated history – in retaliation for the relocation of a Soviet-era war memorial from Estonia’s capital, Tallinn. What is unclear is whether the cyberattack was carried out by the Russian state, or merely received its support, as Moscow refused to provide any digital forensic evidence to aid the Estonian government’s investigation into the event. However, believed to be the first cyberattack on a government, the event ushered in a new era in global security concerns.

Estonia is a small country of 1.3 million people located in north-eastern Europe. From 1940 to 1991 it was, against its will, a part of the Soviet Union. Before that, it had been conquered by a multitude of different powers, from Tsarist Russia, to Germany, to Denmark. Only since 1991 has Estonia enjoyed its longest-ever period of independence and carved out a distinct national identity rooted in digital trailblazing.

Even before the 2007 DDoS attack, Estonia had been on a path toward digital innovation. In the late 1990s, a programme called Tiger Leap promoting digital literacy was implemented in Estonian schools, championed by the tech-savvy politician Toomas Hendrik Ilves, who became President from 2006 to 2016. In 2001, Estonia was the first country in the world to declare internet access a human right and, in 2005, the first country to offer online voting. Although the 2007 cyberattack devastated Estonia, it provided yet another key opportunity for the small country to innovate and strengthened its resolve to develop iron-clad cybersecurity mechanisms.

Cybersecurity is an entirely new field of study. It’s also an entirely new field to legislate and oversee. At the time of the entirely unprecedented Estonian DDoS attack, the question was raised whether cyberattacks warranted action from NATO under its guarantees of collective security. As a member of NATO, Estonia is party to its Article 5 guarantee of protection in the event of an attack. But did the DDoS attack constitute an attack, as NATO had legislated it? While many Estonians argued ‘yes,’ ultimately NATO did not offer up any intervention. Instead, the onus fell on Estonia.

Estonia’s charge to revolutionise cybersecurity manifested itself both domestically and on the world stage. At home, cybersecurity has been strengthened by forging relationships between the public and private sector.  While the government has proactively implemented “a central system for monitoring, reporting and resolving incidents” of cyber threats, it also works closely with private companies, such as Cybexer. A self-described “cybersecurity and cyber solutions” company, Cybexer (and several other Estonia-based companies like it) run frequent cybersecurity simulations, and cooperate and communicate closely with the Estonian government. In fact, the Cybexer’s President, Klaid Mägi, is also the head of the government’s Incident Response Department (CERT-EE), which handles national cyber threats. Cybexer recently announced its expansion into the Netherlands, signifying that the cybersecurity tactics that have been implemented by the Estonian public and private sectors in recent years have practical applicability far beyond Estonia’s borders.

A year after the 2007 cyberattack, the Cooperative Cyber Defence Centre of Excellence (CCDCOE) was established in Tallinn. The CCDCOE received full accreditation and support from NATO, and has become the world’s pre-eminent source of research into cybersecurity and the legal precedents surrounding it. At present time, the CCDCOE has grown to include 22 members and three contributing participants, with more NATO members and partners, including Japan and Australia, appearing poised to join in the coming years.

In 2013, the CCDCOE, along with the International Group of Experts, authored the Tallinn Manual on the International Law Applicable to Cyber Warfare, a massive, 215-page document outlining how existing international law can be applied to cyberattacks. However, there remain gaps in international law pertaining to cybersecurity. There is still a long way to go in legislating these matters, but Estonia has played a pivotal role in advancing the global cybersecurity landscape to its current point.

Indeed, it has been punching far above its weight when dealing with matters of cybersecurity within NATO. Estonia has been one of only a few members that has exceeded the ‘minimum’ of 2% of GDP contributions to NATO; it is also one of only five states – along with the United States, United Kingdom, Denmark, and the Netherlands – to provide national-level “cyber contributions,” that is, the offensive cybersecurity capabilities it employs at home, to its NATO partners in the event of a cyberattack.

Furthermore, Estonia has made disproportionately large contributions to other organisations such as the Global Commission on the Stability of Cyberspace (GCSC), chaired by Estonia’s former Foreign Minister Marina Kaljurand, herself a cybersecurity expert, from 2017 to 2019. Estonia also played a key role in the United Nations Group of Governmental Experts (UN GGE) in “outlining the global cybersecurity agenda, and introducing the principle that international law applies to the digital space.” Kaljurand has twice been appointed to serve as Estonia’s national cybersecurity expert at the UN GGE.

Cybersecurity isn’t the only tech-related field in which Estonia has been making a splash. The country boasts six times the European average of startups per capita, with five startups per 100,000 people and four ‘unicorns’ – companies valued at over one billion dollars – based in Estonia. Successful companies such as Skype and Transferwise originate from Estonia, but have grown into global enterprises. So why has this small country become such a major hub for the tech industry?

In large part, the answer lies in Estonia’s e-Residency programme. Launched in 2014, Estonian e-Residency provides “access to Estonia’s digital infrastructure and public e-services… [to] establish and manage an EU company,” essentially offering the benefits of doing business without requiring citizenship. The programme boasts over 38,000 members, including German Chancellor Angela Merkel and Microsoft founder Bill Gates. By embracing an increasingly globalised world, Estonia’s e-Residency programme has made the country a desirable place for the tech sector to do business.

It’s not just the Estonian government or businesses that have embraced this digital identity; the general population has also done so. Since Estonia gained independence, its people have done a remarkable job of adjusting to change, from a total upheaval of government system back in 1991 to, in the present-day, having almost exclusively paper-free interactions with their current government. It is mandatory that all Estonian citizens have an ID-Kaart, an identification document that can be used for proving identity and providing digital signatures to use government services. It is reported that 67% of Estonians regularly use their ID-Kaart, with an estimated five days per year saved with digital signatures. Not only are Estonian ID-Kaarts convenient, but also, says CERT-EE and Cybexer’s Mägi, “Estonia’s current cyber security is bolstered by high-functioning infrastructure [and] reliable digital identity.” It is clear that Estonia’s cybersecurity trailblazing and various other technological advancements are intrinsically connected.

The rest of the world could learn a thing or two.

Logan Carmichael is a graduate teaching assistant at the University of Auckland with a Masters of Conflict and Terrorism Studies, focussing on politics and security in Eastern Europe.

Disclaimer: The ideas expressed in this article reflect the author’s views and not necessarily the views of The Big Q. 

You might also like:

Why is New Zealand trailing Australia in cyber security?

Could New Zealand suffer an act of cyberwar?