The deterioration of the security situation in Europe has not left cyberspace untouched. This article considers the possibilities for Estonia to strengthen its cyber security in the framework of its foreign and security policy.
A small country is more vulnerable to cyber threats than a big one because its human and material resources are rather smaller. But sometimes this smaller scale is an advantage, and Estonia has been successful in using this factor in cyberspace. In foreign policy we have been able to play in a higher league than our size would suggest. Like Finland and the Netherlands, Estonia’s advantage lies in successful cooperation between the public and private sector in order to develop an e-lifestyle and guarantee the secure use of cyberspace (e.g. creating the Estonian Defence League’s Cyber Unit, which has been a role model for many countries). In terms of foreign policy we have won a reputation for being a competent, trustworthy spokesman for digital progress and cyber security. Our good reputation has certainly helped in garnering international support for Estonia’s initiatives (e.g. Estonia suggested the establishment of the NATO Cooperative Cyber Defence Centre of Excellence, and offered to host it).
Quantitative indicators also confirm our head start. For example, according to an index published by the International Telecommunication Union (ITU), Estonia ranks 21st in the world based on the development of an information society,1 seventh in the EU for our digital competitiveness according to an index of the European Commission,2 and equal fifth among the top countries in the world for cyber security according to the ITU index.3 Estonia is also a donor in terms of cyber security, sharing its knowledge about an open information society, e-governance, e-democracy, cyber security and ICT solutions in neighbouring Eastern European countries and further afield. On the other hand, the more digitised a country and society is, the more vulnerable it is and the more it should be worried about cyber security and defence. As the rapid progress of technology and cyber-attacks are impossible to predict,4 we should be prepared for the unlikeliest of scenarios. Cyber experts stress that countries are currently preparing a blueprint for how cyber tools are going to be used in the future, taking into consideration, for example, the actions of Russia, China and the US.
Politically motivated cyber threats
Although the total number of cyber incidents against Estonia did not increase last year, they had greater impact (20% of incidents were categorised as critical). Public authorities reported four times as many incidents as the year before, which, according to the Information System Authority, demonstrates that there were more attacks and interruptions, and also that information systems were more actively used and public authorities were more active in reporting incidents. The number of incidents relating to the foreign security service also increased.5 While cybercrime, the economic and industrial intelligence of states, including intellectual property theft, cause the most economic damage on the global level, in our region politically motivated attacks are the most common.6 Countries consider damage to data integrity—which means that there is no certainty that data has not been altered without permission—an increasingly serious threat.
Cyber threats from Russia
Compared to 2007, when Estonia’s government bodies, news portals, banks and Elion-branded servers and routers were hit by fairly basic attacks (mostly denial-of-service attacks and sparse denial-of-service attacks), the intensity, complexity and frequency of cyber-attacks have increased all over the world.
Although there is no exact data about the development of Russia’s cyber capabilities, it is known that Russia is creating a military cyber command, whose tasks include cyber-attack and propaganda operations7 as well as infecting an opponent’s management systems with malware.8 According to cyber security companies, Russia is also developing malware (Remote Access Trojan) in order to achieve remote access to critical infrastructure management systems (supervisory control and data acquisition, or SCADA).9 Many experts think that Russia has implanted zero-day security holes in Western states’ critical infrastructure and weapon systems that can be activated during a crisis. In any case, US intelligence considers Russia to be a more serious threat than China (those two countries are followed by Iran and North Korea), and cyber threats to be the most serious national security threat. The US revealed this year that hackers who receive support from Russia have on numerous occasions achieved access to the unclassified computer networks of the Pentagon and the White House, which, taking into account the leading position of the US in cyber security, should be one of the best-guarded information systems in the world.10 According to cyber security companies, a lot of malware aiming to damage SCADA systems are almost certainly created by hackers with support from Russia.11 Furthermore, those reports have shed light on the highly developed cyber surveillance capabilities of the Russian groups of Advanced Persistent Threat.12
Notably, Russia was the first country to use cyber tools synchronised with a military attack, in Georgia in 2008 and as a part of the so-called hybrid war in Ukraine in 2014.13 Cyber space is a good example to illustrate how Russia uses a reverse comprehensive approach in order to achieve its political and military goals, employing the services of high-level cyber-criminals and so-called patriotic hackers who operate with the approval or support of the state.
Why cyber security is a foreign and security policy matter
Political and military leaders of many countries have recognised facts that might seem trivial. First, cyber security is not a technical problem to be resolved by a CERT (computer emergency readiness team) or CSIRT (computer security incident response team). It is a strategic issue that must be regularly discussed at a senior level. Second, it is not possible to ensure the absolute security of any computer system, which is why the prevention of security incidents is not enough—the focus should be on discovering them, reacting to them and alleviating the consequences of those that have already taken place (an incident may be discovered after about 200 days, but often not at all).14 It has to be assumed that the information systems have already been compromised. It is not necessary to build an impenetrable defensive wall against an external enemy, but resilience must be improved in such a way that the operational capability of a system or service is assured in every situation.
It is also widely known that most incidents are caused by the lack of cyber hygiene and human error, and most cyber-attacks do not pose a serious threat. Most politically motivated cyber-attacks have not had consequences that can be considered equal to using military force. There is no international consensus about what cyber activities could be labelled as the use of military power or a military attack. Russia and China do not want the use of power to be defined based on the extent and consequences of the attacks, which is a common position in democratic countries.15 Those countries also view psychological operations and information warfare as part of cyber warfare, which means that they qualify as a military attack. It is safe to assume that it is not in Russia’s and China’s interests to reach an agreement that would allow countermeasures to cyber-attacks be legitimised in international law. That would restrict their activity, or at least force them to justify their actions. As long as there is a gap between the values of democratic and authoritarian states and incompatible national interests impede the achievement of a global agreement on responsible behaviour in cyberspace,16 a consensus can still be reached among like-minded countries.
Countries exercise power based on values and national interests, and cyber power is no exception. Whether we consider cyberspace as the fifth domain of warfare or as the substrate on which all the various dimensions of war are based and depend, it is a new sphere of human activity that gives a state an additional opportunity to exercise its monopoly of sovereign power both within its own jurisdiction and at an international level. The means of cyberspace allows the target to be influenced and pushed in a non-violent way. A country’s arsenal includes attack tools, tools of informational power (for example, laws for data localisation and controlling the contents of the Internet) and measures for achieving physical and technical control (for example, laws that oblige service providers to identify all users, register social media platforms, exercise control over hardware and software, and allow surveillance activity by the security authorities). The goals of such cyber-attacks could be to restrict data accessibility or stop the provision of services; damage computer networks, computers and software; cause disturbances in society and undermine credibility; exercise psychological and political influence over target groups; and organise information and surveillance operations. Cyber security is thus multidimensional—the line between war and peace, internal and external has become blurred. Cyber security is also a matter of foreign and security policy and part of the wider concept of comprehensive national defence.
The Estonian agenda
Estonia is developing its cyber capabilities in military defence and contributes actively to discussions about international norms, confidentiality and measures of trust in the OSCE and UN. In addition to international cooperation, promoting alliances and developing the EU’s cyber policy (some of the country’s main goals, according to the Estonian cyber security strategy to 2017),17 it is also necessary to protect Estonia against politically motivated cyber-attacks. Defence begins with an early warning system, raising awareness about the situation and sharing this with other parties. From the foreign-policy perspective, it is important to build trust and form bilateral relationships, mainly with like-minded cyber intelligence and cyber capability developers. To achieve credible deterrence we have to make sure that NATO is able to implement collective defence measures rapidly against serious cyber-attacks. Although the statement that NATO’s collective defence also includes defence against cyber-attacks has had a stabilising effect,18 credible deterrence presupposes that countermeasures are implemented as a response to incidents in addition to sending a clear message (e.g. the US has increased its deterrence capability by filing official charges against China’s military officers and legitimising the implementation of sanctions). Credible deterrence also means that the capabilities of resilience and attributing attacks are improved and the capabilities of deterrence by denial and cyber security are enhanced.19
In conclusion, although this article does not discuss informational and psychological operations in detail, it is important that the EU develops measures against hybrid threats, including Russia’s information war,20 and that the EU and NATO send a clear common strategic message. It is no less important for the Estonian authorities to send a common message and act in accordance with a common agenda.
1 “Measuring the Information Society Report 2014”. ITU, 2014.
2 Estonia belongs in the average development group along with Belgium, the United Kingdom, Luxembourg, Ireland, Germany, Lithuania, Spain, Austria, France, Malta and Portugal. Within the EU, it is in second place for developing public sector e-services, in fourth place for the number of Internet users and in seventh position for the digital skills of citizens, but in 22nd place for the implementation of digital technology in the business sector. European Commission, June 2015.
3 In the ITU index, 14 countries share the first five places; Estonia shares fifth position with Brazil, India, Japan, South Korea, Germany and the United Kingdom. “Global Cybersecurity Index and Cyberwellness Profiles Report 2015”. ITU, 2015.
4 According to Nassim Taleb’s black swan theory, it is impossible to predict developments in the economy, financial markets and technology. A black swan is an unexpected event, which is not likely but has a massive impact (e.g. World War I, 9/11, the creation of the Internet and the rise of Google). The anti-fragility principle offers protection against black swans and helps to retain resilience and progress in the midst of chaos. Instead of relying on the academic knowledge of experts, Taleb suggests the trial-and-error method. See Nassim Taleb, “Learning to Love Volatility”, The Wall Street Journal, 16 November 2012. www.wsj.com/articles/SB100014241278873247351045781… 5 The failure of public e-services was often also caused by power and data communication failures. “2014 Annual Report, Cyber Security Branch, Estonian Information System Authority”.
6 Peterkop, “Meie regioonile on iseloomulikud poliitiliselt motiveeritud küberrünnakud” (“Politically motivated cyber-attacks are characteristic of our religion”). Riigi Infosüsteemi Amet, 21 August 2015. www.ria.ee/meie-regioonile-on-iseloomulikud-poliit… 7 In the Russian approach, psychological and information operations also belong in the arsenal of military cyber tools.
8 www.cbsnews.com/news/russia-tops-list-of-nation-st… 9 www.newsweek.com/2015/05/15/russias-greatest-weapo….
10 For example, it is thought that the email system of the Pentagon’s Joint Staff was hacked in August 2015 by Russian hackers, who the US has previously accused of invading the computer networks of the Pentagon and the White House. edition.cnn.com/2015/08/05/politics/joint-staff-em…. The leakage of data from the US Office of Personnel Management, containing information on 21.5 million people, came from China, according to experts. According to the Deputy Secretary of Defense, both hostile countries and other hackers search for vulnerabilities in the computer networks of the US Department of Defense millions of times a day. Bob Work, Opening Speech of the US Deputy Secretary of Defense to the Armed Services Committee of the US House of Representatives, 29 September 2105.
11 For example, the Russian group of hackers Dragonfly/Energetic Bear has been attacking Western oil and gas companies since 2011. “Russian Hackers Targeting Oil and Gas Companies”, The New York Times, 30 June 2014.
12 See, for example, Patrik Maldre, “Vene küberspionaaži mitu palet”, 28 August 2015. KK blog.
13 In addition to cyber-attacks, Russia also used the means of electronic warfare.
14 In 2014, attackers were detected in a victim’s computer after a median 205 days. “2015 Internet Security Threat Report”. Symantec, 2015. www2.fireeye.com/WEB-2015RPTM-Trends.html 15 See rules 11 and 30 of the Tallinn Manual. Michael Schmitt (general editor), “Tallinn Manual on the International Law Applicable to Cyber Warfare”. Prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE). Cambridge University Press, 2013.
16 Following agreement on voluntary and legally non-binding measures, during the last few years progress has been made in reaching agreements over international norms and measures of confidentiality and trust (in OSCE CBM 11), as well as on information security issues (in the UN Group of Governmental Experts).
17 Estonia’s main goals in the field of cyber security include limiting cyber-crime, enhancing the resilience of vital services and infrastructure, and developing international cooperation and military cyber security, including active defence. “Cyber Security Strategy 2014–2017”. Ministry of Economic Affairs and Communication, 2014.
18 James Lewis, “The Role of Offensive Cyber Operations in NATO’s collective defence”. Tallinn Paper No. 8. NATO CCD COE.
19 Robert Butler, speech in the US House Committee on Foreign Affairs. 20 September 2015. See also: James Lewis, “The Role of Offensive Cyber Operations in NATO’s collective defence”.
20 The EU is planning to adopt a common framework against hybrid threats by the end of 2015.The new foreign and security policy of the EU, which is to be adopted in June 2016, should also cover aspects of hybrid war. NATO has been also recommended to develop a plan against hybrid threats.