Though the cyber attacks against state institutions that followed the 2007 Bronze Night riots put Estonia’s digital defenses to the test, the reaction to them and the public debate propelled the country to the forefront of the new field of cyber defense.
Jaan Priisalu, senior researcher at Tallinn’s NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), told ERR in an interview last week that through Estonia’s initiative and the public debate that followed the attacks, a topic was now getting attention that before was talked about only behind closed doors, and that some even looked at as an embarrassment.
Bronze Night riots make cyber defense a relevant issue
Though Priisalu said that he didn’t see Estonia’s rise as a cyber state as a direct consequence of the events surrounding the relocation of the monument. “Let’s say they were a catalyst that helped getting the message across to the public and to politics,” Priisalu said. “Estonia became a milestone and a symbol. That’s why we can talk about cyber, and people listen to us.”
According to Priisalu, the 2007 attacks were just a stage in a series of developments that had begun earlier. “The preparation, that we had specialists, that we knew anything about the subject at all, that we have an e-society that can be attacked at all, this work began with regaining independence,” he said.
Estonia’s 2008-2013 cyber strategy shows that after the attacks, development in the field went in several different directions. As Priisalu puts it, the strategy was a collection of the lessons learned, and based on them, a system to respond to this sort of incident was put in place.
New defense infrastructure, new university curriculum, new policy
People involved in cyber security were brought together and asked what could have been done differently, and what else should have been done. Instructions were written up, lines of communication laid out, and a cyber security curriculum put together at the Tallinn University of Technology (TUT). With it, systematic education in the field of cyber security began in Estonia.
At the time, the country wasn’t lacking specialists, but there was no action plan and no system in place to guide any kind of response. “People knew each other, and thanks to that we were able to put something together on the fly. The effect of 2007 was that officials began to take the cyber field seriously,” Priisalu pointed out.
The tendency of leaders to underestimate the importance of what goes on in cyber space has not completely disappeared, Priisalu insisted. “Still today we have the kind of leaders that will tell you that they have 20 more important things to worry about if you suggest they could deal with cyber exercises and security. If an official deals with the issue this way and doesn’t allocate serious resources to it, then one day an accident will happen.”
From fending off attacks to protecting independence
But things have changed over the past ten years. Where the first cyber strategy called for the creation of the necessary infrastructure, Estonia now concentrates on maintaining trust between states, an element of which is the concept of the data embassy, introduced at the end of 2016. The data embassies keep information vital to the functioning of the state safe on servers in other European Union member states.
“If an operator is planning to occupy another country, one of their objectives is going to be to take over the existing institutions, or to suppress them, and if you can make these institutions exterritorial, take them out of reach of the potential attacker, you increase the political price of the attack,” Priisalu explained the function of the data embassies.
Cooperation with other countries is thus vital for Estonia. As Estonia heavily depends on other countries economically, one way of attacking the country could be to attack supply chains, or countries Estonia depends on. “This means that we need to build up proper cooperation with those other countries. Luckily we have a framework for this. Europe is the place where this is currently being trained, and where this kind of professional competence can be developed.”
Short and long-term effects
Even if an analog attack on Estonia was unlikely, denial of service attacks were possible, Priisalu said. “At the same time, the problem with denial of service attacks is that they don’t produce long-term results. You can manage to interrupt things for a while, but the potential attacker would likely want a long-term result. And for that, one possibility is to steal data and publicize them, like it happened in the American elections—that kind of regular espionage. The other option is to damage the data.”
As denial of service attacks had become a lot worse over the years, a large-scale attack would still be a problem, Priisalu opined. At the same time, any potential attacker would have to deal with other countries as well. The French elections would likely become a target, in Ukraine there was a war-like situation with attacks happening all the time, and all of this would take up plenty of resources of anyone interested in attacking Estonia. They wouldn’t have plenty of resources left to plan a complicated attack.
Editor: Dario Cavegn