May 27, 2019

How Estonia uses Cybersecurity to Strengthen its Position in NATO

Sander Ilvest/Eesti Meedia/Scanpix
A secure, digital ID for each citizen allows for the provision of almost all state services online; in the parliamentary elections in March 2019, 28% of the electorate voted online.
A secure, digital ID for each citizen allows for the provision of almost all state services online; in the parliamentary elections in March 2019, 28% of the electorate voted online.

Small states, especially those in close proximity to potentially threatening regional powers, tend to seek reassurance in collective arrangements often in the form of security agreements.

For example, the understanding that there is safety in numbers has prompted almost all small central and eastern European states to integrate with, or to seek integration, with the Euro-Atlantic communities of the EU and NATO after the fall of communism.

Alliances are never absolutely firm. Especially for small states, the fear of abandonment by one’s allies is constant. Small states depend on NATO far more than NATO depends on them. They must therefore strive to be as valuable and indispensable to the Alliance as possible, to ensure firm NATO commitment and to allay fears of abandonment.

Estonia provides a good illustration of this phenomenon. Since re-independence in 1991, its foreign and security policies have been focused on guaranteeing its own security and sovereignty through NATO and EU membership. By the mid-1990s, Estonia had begun to boldly carve out a niche for itself as a forward-thinking and technologically advanced country. It eagerly embraced the internet and, as a result, Estonia has long been one of the world’s most wired states, sometimes called “e-Estonia.” A secure, digital ID for each citizen allows for the provision of almost all state services online; in the parliamentary elections in March 2019, 28% of the electorate voted online. Such innovation and moves toward a ‘digital society’ have not only brought Estonia social and economic dividends, but also play an important role in its bigger-picture national security. Estonian excellence and leadership in cybersecurity—especially after the 2007 cyberattacks—have strengthened its national security, particularly by enhancing Estonia’s position in the NATO Alliance.

What doesn’t kill you makes you stronger: 2007 as a blessing in disguise

In April 2007, violent riots erupted in the streets of Tallinn, Estonia’s capital. The rioters were members of Estonia’s significant ethnic Russian minority who, riled by Russian rhetoric and propaganda, protested against the relocation of a controversial Soviet WWII memorial to a military cemetery. In the midst of these riots, Estonia became the first victim of politically motivated cyberattacks against a sovereign state’s political and economic infrastructure. For three weeks, coordinated cyberattacks targeted Estonian government, banking, media and other sites, as well as specific routers and servers. Estonian defenders were effective and overall successful in mitigating the effects of the attacks.

Ironically, the 2007 cyberattacks have strengthened Estonia’s security situation proving, among other things, to be a turning point in Estonian efforts to increase their country’s strategic position in the NATO Alliance. Defence officials, speechwriters, and government press officers spun the unprecedented attacks into calculated narrative, seeking to frame them not as a classic Russia-versus-Estonia story, but as a new emerging global security challenge to all. Critical to this framing was a general strategy of transparency, which saw almost all information about the attacks declassified and shared with experts and analysts from across the world. Media hype and outside interest were welcomed, as the attacks were used to gain attention, sympathy, support and admiration. They were also used to demonstrate to allies that events in cyberspace are not too different from those in the physical domain; these attacks were but a preview of the threats enabled by the growing dependence the internet in increasingly digitalizing societies. The attacks exposed weaknesses and challenges facing the whole NATO Alliance, opening the door for public discussion on such attacks and highlighting the need for international cooperation in this area.

The 2007 attacks also laid the context for recognition of Estonia’s cyber defence leadership, as six other nations joined Estonia in establishing the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn. The Centre is essentially a military think-tank that leads the world in crafting cyber defence solutions through a multinational, interdisciplinary analysis of various cyber issues. As of 2018, the CCDCOE is responsible for identifying and coordinating education and training solutions in cyber defence for all NATO bodies across the Alliance. Today, the CCDCOE comprises 22 states, 18 NATO nations and four NATO-allied contributing participants. Many more are lined up to join, including NATO partner states Japan and Australia.

Outside of the CCDCOE, the 2007 cyberattacks and Estonia’s transparent response to them have led to major changes in NATO’s cyber defence policy. During those 2007 attacks, incumbent Estonian Defence Minister Jaak Aaviksoo said that “at present, NATO does not define cyber-attacks as a clear military action. This means that the provisions of Article V… will not automatically be extended to the attacked country.” NATO was, at the time, unprepared to adequately respond to cyber threats. The 2007 Estonian experience was a wake-up call for NATO, galvanising it into action on updating and reforming its policies to adequately address events in cyberspace as continues to do to this day.

Pending Allied approval, NATO’s first cyberspace operations doctrine is to be completed this year. According to Merle Maigre, director of the CCDCOE from 2017-2018, this doctrine is heavily influenced and shaped by work done at the CCDCOE, which takes pride in being “the custodian of NATO doctrine writing.”

Indeed, Estonia’s role in shaping NATO doctrine is a central component of its National Cyber Security Strategies over the past several years. As its 2014-2018 National Cyber Security Strategy stresses, “At the international level, the preservation of a free and secure cyberspace as well as Estonia’s central role in guiding and developing international cyber security policy in international organizations as well as like-minded communities must be ensured.”  In a NATO more concerned with cyber threats, and increasingly prepared to deal with them, Estonia can have an outsized role.

Estonia’s alliance commitment mechanisms in cyber defence

A NATO that is adequately prepared to face cyber threats is better both for Estonia’s security and also for its strategic position in the Alliance. Yet the question of whether and to what extent NATO would ever go to war over a small and far-away country like Estonia is constantly in the back of Estonians’ minds. As a result, Estonia must ensure that NATO will be firmly committed to its security, and therefore must make itself as valuable and as indispensable as possible. In seeking to make NATO abandonment less likely, Estonia uses various commitment tactics in cyberspace. These tactics include: exchange, burden-sharing, normative and legal entrepreneurship and, more broadly, new ideas and innovation.

Home to NATO’s Cyber Range, Estonia and the CCDCOE host major international exercises Locked Shields, Crossed Swords, and Cyber Coalition, as well as major conferences such as CyCon – mostly at Estonia’s own expense.  Estonia also hosts a wide range of other events and exercises aimed at bolstering EU and NATO states’ cyber defence positions, including EU CYBRID – a live table-top cyber defence exercise in which EU defence ministers themselves must respond to a cyber-crisis scenario. Through such events, Estonia uses the tactic of exchange; by offering important services to the Alliance, the Alliance feels more dependent on Estonia, thereby offering it stronger commitment.

Burden-sharing has been a central Estonian tactic since it joined NATO. One of Estonia’s biggest commitments to NATO is that it will not free-ride. In general, Estonia shows this by being one of just a handful of NATO states to exceed the minimum 2% of GDP spending on defence required by the Alliance. It also has a long tradition of punching above its weight vis-à-vis contributions to EU, NATO and UN military missions abroad. In cybersecurity, Estonia spends money and resources to ensure resilience of its networks, and also offers help to allies. In October 2018, then-US Defense Secretary James Mattis revealed that Estonia will become––along with the US, UK, Netherlands and Demark––one of just five NATO allies to makes its offensive cyber capabilities available to the Alliance, when needed. Other allies will surely join in lockstep, but there is some significance to being among the first.

Another area of success for Estonia, despite its small size, has been norms entrepreneurship in cyberspace, particularly regarding the application of law to cyberspace. At the forefront of legal norms in cyberspace is the Tallinn Manual (currently version 2.0). The Tallinn Manual is a non-binding, academic study on how international law applies to cyber conflicts and cyber warfare – the most authoritative and comprehensive of its kind. It is continuously developed by the CCDCOE, with input from nearly 50 states. Estonia has also positioned itself as a key player in normative work in cyberspace by the Global Commission on the Stability of Cyberspace (GCSC) and in UN deliberations, such as the UN GGE process. Through pushing for legal norms and international agreements in the UN and elsewhere, Estonia is playing an important role in the Alliance.

Finally, and more broadly, Estonia’s efforts toward ‘building a digital society’ and general path toward digitalizing its services and democratic institutions also afford the country a more secure place within NATO. NATO is an alliance based on principles of liberal democratic governance, and these principles are essential for its effectiveness, cohesion, and raison d’être. In line with NATO values, Estonia has long been a proponent of a free and open internet, as well as a champion of liberal democracy. Its society-wide experimentation and innovation with digital systems and services puts Estonia at the forefront of the nexus between technology and democracy, while intently focusing on the security threats posed by such digitalization. In this sense, Estonia is like a lab––or an incubator––that can go on to inform NATO both on security questions regarding technological advances, and on the effects of these advances on democracy and society. Insights and experiences from Estonia offer valuable models and test cases for the Alliance – and in turn ensure that Estonia remains valuable to it.

Estonia is a pawn among kings. With only 1.3 million citizens, its population and GDP are tiny. Yet thanks to its successful adoption, mastery and promotion of digital technologies and cyber excellence, little Estonia has earned a seat at the table and a voice that finds a global audience. Estonia learned this in the aftermath of the 2007 cyberattacks, discovering that in cyberspace, it is possible for tiny states to provide added value and have influence. Moreover, Estonia has found a niche in which it has a comparative advantage, and it leverages this advantage to attain a more secure position in the NATO alliance – among many other benefits. Estonia, by emphasizing cybersecurity to better its national security, shows how states can use various mechanisms to complement existing diplomatic, political, and strategic objectives.