Stories‎ > ‎

Punching Above Its Weight: Estonia as a Cyber Power

posted Dec 14, 2017, 8:35 PM by James Caroland   [ updated Dec 14, 2017, 8:43 PM ]
By Michael Lenart

An Unlikely Model?

In 2007, the Baltic nation of Estonia moved a statue of a Red Army soldier from the center of its capital, Tallinn, to a military cemetery on the outskirts of town. The move reflected the ethnic Estonian majority population’s perspective that the Red Army symbolized occupation and oppression, rather than the defeat of Nazism – the intended message of the Soviet authorities who had erected the statue in 1947.1 Similarly, many of Estonia’s ethnic Russians perceived the relocation as disrespect toward a generation of patriots who had ostensibly liberated Estonia from Nazi invaders. As a result, many ethnic Russians rioted in protest, while Russian hackers launched massive Distributed Denial of Service attacks against Estonian government and private sector websites. This was the first ever large-scale cyber attack on a nation-state, and it took down the online services of banks, media outlets, and government organizations.2  Fortunately, however, the attacks were mitigated and eventually stopped. Perhaps even more fortunately, as we’ll see later on, Estonia’s decision to be publicly transparent about the attacks significantly advanced global discussion of cyber issues.

Estonia is a country of roughly 1.3 million people in a world of around 7.6 billion. Its land mass is about twice that of New Jersey3. Most people in the world probably aren’t sure where Estonia is located. From a tourism perspective, its biggest draw is the medieval Old Town section of its capital, complete with defensive walls going back as far as the thirteenth century.4

And, as previously recounted, the first cyber-related news most people ever heard about Estonia portrayed it undeniably as a victim.

These may not sound like the characteristics of a rising cyber power. However, Estonia continues to build its reputation as an innovative, IT-savvy state determined to shape the international information environment and fight effectively on the ever-evolving cyber battlefield. Described as a “high-tech hub whose engineers helped invent Skype,”5 Estonia boasts an impressive array of cyber accomplishments and initiatives. For one, the country maintains an unprecedented e-governance system. It also hosts NATO’s Cooperative Cyber Defense Center of Excellence, and it frequently kickstarts international conversations on key cyber issues.


The foundation of Estonia’s global reputation for electronic innovation is its trailblazing e-governance system. This system allows the overwhelming majority of government services to be performed online, greatly increasing efficiency and convenience. The e-estonia website’s description of the system is worth quoting at length, as it shows Estonians’ tendency to be both practical and strategic in their thinking:

"e-Governance is a strategic choice for Estonia to improve the competitiveness of the state and increase the well-being of its people, while implementing hassle free governance.

Citizens can select e-solutions from among a range of public services at a time and place convenient to them, as 99% of public services are now available to citizens as e-services. In most cases there is no need to physically attend the agency providing the service.

The efficiency of e-Government is most clearly expressed in terms of the working time ordinary people and officials save, which would otherwise be spent on bureaucracy and document handling.6"

At the center of this system is the national ID card, containing a chip with the cardholder’s embedded files. Using 2048-bit public key encryption, the card provides digital proof of identity and enables the 
holder access to a host of e-services, ranging from registering property titles to submitting court records, managing health care records and prescriptions, filing quick tax returns, registering businesses, voting, and a host of others.7 The result is that only a tiny fraction of a person’s periodic administrative tasks requires physically going somewhere or mailing paper documents. Creating this virtual ecosystem has required significant investment in network and internet infrastructure, but the investment has made Estonia “the most advanced digital society in the world.”8

Perhaps the most novel feature of Estonia’s e-governance system is that, pending a background check, it’s open to literally anyone. Any person in any country can apply to be an “e-resident” of Estonia. The advantages of this openness are found in the global marketing of Estonia’s innovative national brand, and the increased possibility that a person who, for instance, registers a new business in Estonia will end up paying for some government services there, using an Estonian bank, or partnering with other Estonian business.9

Cyber Defense Center of Excellence

Another very visible example of Estonia’s special status in cyber and electronic issues is the NATO Cooperative Cyber Defense Center of Excellence, located in Tallinn. The Center enhances the cyber expertise of NATO and its partners through education, research and development, lessons learned, and consultation.10 These efforts extend to the fields of technology, strategy, operations, and law as they apply to cyberspace.11

The Center’s most exciting activity is the Locked Shields live-fire cyber defense exercise, which has been held annually since 2010. Locked Shields challenges teams to maintain the networks and services of a fictional country by handling and reporting incidents, solving forensic challenges, and responding to various scenario injects. The 2017 Locked Shields tasked teams to maintain the services and networks of a military air base experiencing severe attacks on its electrical grid, command and control systems, unmanned aerial vehicles, critical information infrastructure components, and other operational infrastructure. The exercise featured around 800 participants from 25 countries, and deployed over 3,000 virtualized systems in the simulated fight.12

The Center also hosts CyCon, perhaps the world’s pre-eminent cyber conference. Each year, CyCon attracts hundreds of international decision-makers and experts from government, academia, and industry. Like the Center’s overall approach to cyber issues, CyCon approaches topics from a variety of perspectives, e.g., legal, technological, and strategic. CyCon 2017, for instance, focused on the following themes: How can the ‘core’ elements of cybersecurity be defined? How do they relate to the essential assets and principles in technical, legal, and political contexts? How can defenders protect critical information infrastructure? How can critical vulnerabilities be mitigated and the most serious threats countered? How can legal frameworks be established and applied to cybersecurity? What technologies can help counter emerging cyber threats? How can effective cybersecurity strategies be developed and implemented? What should the role of the armed forces be in executing these strategies? How can countries deter cyber attacks against core national assets?13

While CyCon generally occurs in the spring, the Center also co-sponsors CyConU.S. each fall with the U.S. Army Cyber Institute. CyConU.S. 2017’s overarching theme was “The Future of Cyber Conflict.” The conference explored how the increasing prominence of cyberspace’s place in everyday life combines with emerging technologies and scientific breakthroughs such as quantum computing, machine learning, Big Data, and robotics to expand the battlespace, and perhaps even redefine the concepts of war and peace.14

Last but not least, the Center also facilitated the writing and publishing of the Tallinn Manual 2.0. Written by nineteen international law experts and technically titled The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, this publication is an update of the original 2013 Tallinn Manual. While both versions are based on the understanding that pre-existing international law applies to cyberspace, the original manual focused only on the most extreme cyber incidents, such as those that occur during armed conflict. Tallinn 2.0 also addresses more “day-to-day” legal considerations, however. These include principles of general international law, such as sovereignty and jurisdiction, as well as issues of state responsibility such as legal standards for attribution. Tallinn 2.0 also delves into human rights law, air and space law, the law of the sea, and diplomatic and consular law as they apply to cyber operations.15 Though the views expressed in Tallinn 2.0 are only those of its authors and not necessarily official policy of NATO or its member states, Tallinn 2.0 nevertheless remains a well-recognized and, in many outlets, valued legal resource.

Kickstarting the Big Conversations

The final way Estonia exerts its outsized cyber influence is more abstract than its e-governance system and center of excellence, but is perhaps equally important. Namely, it encourages – and sometimes even initiates – key global discussions that otherwise might not occur. The most prominent example was its decision to admit publicly in 2007 that it was under attack, and to be unusually forthcoming about some of the details. As a result, the issues exposed and lessons learned from the attacks led to much greater international cooperation in cybersecurity.16 A more typical, protect-our-secrets-and-reputation style of communication about the attacks may have delayed much of the progress Estonia and its partners have since enjoyed.

A recent and particularly clever example of Estonia’s knack for convening important cyber discussions is CYBRID 2017.17 Estonia, taking advantage of its turn as President of the Council of the European Union (EU), gathered EU Defense Ministers for an exercise to see how they would respond to a fictional cyber attack. In the exercise scenario, a minor cyber incident slowly and ambiguously evolved into a full-out attack on military communications systems, eventually preventing EU headquarters from communicating with ships operating in the Mediterranean. With each (often unclear) development in the scenario, the Defense Ministers were asked how they would respond. The exercise quickly 
revealed “how difficult it is to evaluate how bad things are,” and presented “bureaucratic roadblocks and geopolitical concerns“ that the ministers had difficulty addressing.18 Primary challenges included determining when and how to communicate with other countries, the public, and critical infrastructure providers.19 Many of these requirements simply hadn’t been thought through before, at least not at the national (and international) policymaker level. But CYBRID 2017 began to remedy that, and one hopes similar exercises will follow.

Looking Ahead

One can arguably say that the word “innovative” gets thrown around too easily in contemporary discussions about people, organizations, and other types of entities. However, with a unique e-governance system, a world-renowned cyber center of excellence, and a creative knack for goading its friends in the right direction on key issues, Estonia can make a more legitimate claim than most to this tired (but still relevant) descriptor. Consequently, its reputation as a major player in cyber and digital issues is well-deserved. Considering its size and only recent entry back into the free world, these distinctions are all the more impressive.

Further, as the world’s everyday activities become increasingly electronic and data-driven, the relative power of states will be determined at least a bit more by digital competencies and capital. Thus, proactive countries like Estonia will be well-positioned to benefit from this shift, whatever its magnitude.

About the Author

Michael Lenart is an Army Strategist on detail to the U.S. State Department. His areas of interest include U.S. and international security issues, cyberspace operations, and organizational change.

1Damien McGuinness, BBC News. “How a cyber attack transformed Estonia.”
3CIA World Factbook.
4visit estonia.
5Ott Ummelas, Bloomberg Politics. “NATO’s Baltic Outpost Digging Cyber Trenches for Europe.”
8Ben Hammersley. “Concerned about Brexit? Why not become an e-resident of Estonia.
10Cooperative Cyber Defence Center of Excellence. About Us.
11Cooperative Cyber Defence Center of Excellence.
12Locked Shields 2017.
13CyCon 2017.
14CyCon U.S.
15Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.
16Lauri Almann. 10 Years of Cyber Estonia: What will the Next Decade Bring? Panel discussion, Center for Strategic and International Studies, November 6, 2017.
17Caroline Houck. “Cyber Defense is Very Much About Political Decisions.”

Photo credits (in order of appearance): Radio Free Europe Radio Liberty, Operation World, e-estonia, OSET Foundation, NATO, Indian Strategic Studies, Delfi.

James Caroland,
Dec 14, 2017, 8:43 PM