A Nation Transformed from Cyberattack Victim to Cybersecurity Leader
In April 2007, the Estonian government approved a controversial plan to relocate a statue from the center of its capital, Tallinn. Soviet authorities had unveiled the monument, a life-sized World War II Russian soldier with a clenched right fist and a bowed head, 60 years earlier, after their forces retook the city from Nazi Germany.
For ethnic Russians, the statue, originally named “Monument to the Liberators of Tallinn”, represented the victory over Nazism. For ethnic Estonians, it symbolized a half-century of painful Soviet oppression.
Violence quickly erupted as the public learned of the plan to move the monument to a military cemetery on Tallinn's outskirts. The government convened a middle-of-the-night emergency meeting to assess a rapidly escalating situation and, based on the recommendation of its security council, voted to transfer the statue immediately. Three hours later it was gone from its original location. The rioting and looting continued for another two days, resulting in more than 1,000 detentions, 156 injured and one death.
An outraged Kremlin called the decision to move the statue “sacrilegious”. The Russian public also erupted in rage. Protesters stoned the Estonian embassy in Moscow and physically harassed the Estonian ambassador, Marina Kaljurand. Estonian products were boycotted, and one Russian restauranteur even posted a sign warning that “Estonians and dogs may not enter.” Russian Foreign Minister Sergei Lavrov threatened serious repercussions, which soon followed. On the very evening of the statue’s relocation on April 27, Estonian government, bank and media websites became inaccessible.
Estonia, having undergone a “digital revolution”, was by then one of the world’s most digitally advanced societies. After gaining independence from the Soviet Union in 1991, the government prioritized investing in digital infrastructure to become a global leader in this area. The small Baltic nation with a population of 1.3 million saw the strategy as a way to grow economically and, after acquiring EU and NATO membership in 2004, gain respect in both blocs. Estonians, with their exceptionally high digital literacy rate, relied on the internet as a main communication channel. The Estonian government went essentially paperless and stored online personal data that included election ballots, tax documents and electronic ID cards, making the inability to access the internet even more chaotic.
Estonia quickly consulted with its EU and NATO partners about how to handle the unprecedented cyberattack, which exposed the vulnerabilities of a modern, digital state. The country’s authorities closed their digital borders and blocked international web traffic. The immediate aim was to stop the distributed denial of service (DDoS) attack, which Estonia quickly blamed on Russia. Moscow denied involvement, although hackers traced to a Russian IP address were behind the havoc. Their botnets had sent massive waves of spam while a huge number of automated online requests flooded servers and overloaded bandwidth. Despite knowing the location of the hackers, EU and NATO technical experts could not prove a link directly to the Kremlin. However, they agreed that it would have been in the Kremlin's interest to organize the assault.
Recovery and the Path Forward
It took the Estonian government 22 days to fully mitigate the cyberattack. As the country recovered, officials recognized that their strong commitment to digitized public services required action to prevent more harmful attacks. They also saw the cyberattack as a moment to bolster Estonia’s position in the EU and NATO.
The country seized the opportunity of being immersed in the digital spotlight to warn allies of their vulnerability and unpreparedness to respond to a similar crisis, and reinforced its call for NATO to enhance its cyberwar capabilities. This included launching a discussion on NATO’s Article 5 collective defense guarantees, which at that time could be invoked only if an attack led to the loss of life. Additional debate swirled around the consequences of being unable to identify an attacker with certainty and, therefore, the implications for retaliating. Perhaps one of the few areas in which no ambiguity existed, however, was the recognition by policymakers and national defense agencies that cyberattacks presented rising security threats. Press coverage sympathetic to Estonia and subsequent public debate also reinforced the need for NATO allies to cooperate in combating these new threats.
Only a year later, in 2008, NATO opened its Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn. The agency, established by Estonia and six NATO partners, identifies and coordinates education and training needs in cyber defense for all alliance members. The CCDCOE is arguably best known for its Tallinn Manual, first published in 2013. The manual, whose third edition may be released in 2023, has become an influential resource for legal experts and policy advisers examining the applicability of international law to cyber warfare. The CCDCOE also hosts the world’s largest cyber defense training simulations, and more than 2,000 participants from 32 countries participated in the tenth simulation in April 2022. The exercise required teams to defend a fictional island country, Berylia, where public unrest broke out after an attack on military and civilian IT systems. The simulation was intentionally similar to the cyberattack against Estonia in 2007. This year’s gathering assumed, amid the war in Ukraine, even greater significance as cyber experts warn that additional, destructive Russian cyberattacks could occur at any time.
On the very evening of the statue’s relocation on April 27, 2007, Estonian government, bank and media websites became inaccessible.
It took the Estonian government 22 days to fully mitigate the cyberattack.
Estonia has continued to be at the forefront of advocating for more cyber defense. The European Union Agency for Cybersecurity (ENISA) helps member states organize, develop, implement and evaluate their national cybersecurity strategies (NCSS). Estonia’s own 2014-2017 NCSS clearly reflected an ongoing national objective by stating that, “At the international level, the preservation of a free and secure cyberspace as well as Estonia’s central role in guiding and developing international cybersecurity policy in international organizations as well as like-minded communities must be ensured.” In 2017, Estonia held the rotating EU Council presidency and focused its priorities on digital transformation and the free movement of data. The result was greater comfort among less tech-savvy member states with the digital revolution.
Estonia has also been active on the domestic front. Thanks to an initiative launched just a year after the cyberattack, the government provides free computer literacy classes to citizens. Elementary-school children are even taught how to code. The country’s other notable technological advancements include being home to many successful digital startups, such as Skype and ID.ME, and being a pioneer in using digital COVID-19 vaccination certificates.
Estonia has also been continually strengthening its own cybersecurity. It is the first country to place all critical information infrastructure onto a blockchain network that allows easy detection of cyberattacks. In an article in The New Yorker, Nathan Heller compares Estonia’s blockchain network to a hand-knitted scarf in which each stitch depends on the previous one. The fabric is interwoven, just like a blockchain network in which any breach is traceable to the source. Estonia has also established an “e-Embassy” in Luxembourg, where duplicate government servers are located in case those in Estonia are compromised.
Public support for the government’s initiatives is strong, and Estonians themselves also contribute to the effort to bolster digital defenses. A government-sponsored volunteer program, the Estonian Defense League, provides citizens with defense training in cyber simulation tournaments. The league is widely respected as an innovative and effective model for citizen involvement in enhancing cyber defense capabilities.
The Estonian government considers data ownership a civic responsibility and computer education essential. Most Estonians, in turn, trust their government to keep personal data safe. This mutually reinforcing relationship increases government confidence in its digital resiliency, which is critical since 98% of Estonians have a digital ID-card, a majority of Estonian companies are established online and the entire country has broadband. Tanel Sepp, a defense ministry cybersecurity official, has said that, “The cyberattack in 2007 was a great security test. We just don’t know who to send the bill to.” Estonia emerged stronger from the cyberattack and more prepared for future threats. The country may be small, but it leads the way in cybersecurity and the larger digital world.
Since the Russian invasion, Estonia has demonstrated great solidarity with Ukraine and a willingness to continue standing up to Moscow. Estonian Prime Minister Kaja Kallas announced in August 2022 that her country would remove all Soviet-era war monuments from public spaces. Given the country's past experience, this was a controversial decision, but the prime minister expressed confidence. “The Estonian government will not afford Russia the opportunity the use the past to disturb the peace in Estonia,” she stated firmly. One month later Tallinn reached an agreement with Kyiv to support its digital transformation, including boosting Ukrainian cyber resilience against Russia. Ukrainian Deputy Prime Minister and Minister of Digital Transformation Mykhailo Fedorov noted that Estonia was an inspiration whose example his country will follow.
The small Baltic nation has evolved from cyberattack victim to a digitally resilient state whose strong sense of leadership is now aimed at helping its allies undergo a similar transformation.
For more information on this topic, check out the first episode of our Leadership in Action interview series entitled "Russian Cyber-Attack on Estonia," featuring an interview from former Estonian Foreign Minister Marina Kaljurand.