It's been called the world's first cyberwar – and it started with the relocation of a Soviet war memorial in Tallinn, Estonia. When Estonian authorities moved the statue of a Soviet soldier to a less prominent location in April 2007, the country's ethnic Russian population took to the streets to protest. Then, within days, the websites of the Estonian parliament, government ministries, banks and newspapers went offline. Although it has never been confirmed, it's widely believed Russia was behind the cyberattacks that left large parts of Estonian society at a standstill. The incident served as a wake-up call for the tiny Baltic nation, which was already a highly digitally-advanced society. Estonia decided to take big steps to create a cybersecurity strategy.

International cooperation

"At that time, the approach to cyber was very national-minded or very nation-based," said Siim Alatalu, senior researcher of the Strategy Branch at the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), which opened in Tallinn in 2008. Alatalu said the 2007 cyberattacks facilitated the creation of a permanent NATO unit focused on enhancing cybersecurity. The CCDCOE conducts large-scale cyber defense drills, although it's not technically a NATO operational unit.

"Our role is to be a step ahead of NATO," Alatalu said. The CCDCOE also created a framework for applying existing international law to cyber operations, called the Tallinn Manual. Now in its second edition, the manual brought together legal and cyber experts to offer an international approach toward cyber law.

Regulatory steps

Experts said one of the most frequent problems with cybersecurity policy is coming up with universal definitions for what constitutes cyber threats. "I'm not convinced that every country has really considered for themselves what they consider an attack to be," said Jessica Ruzic, a cybersecurity fellow at New America, a Washington, D.C.-based think tank. Ruzic said cooperation between the public and private sectors is vital for developing an effective cybersecurity strategy. The Estonian Cyber Defence League, for example, is a voluntary organization made up of IT experts and young people prepared to mobilize during a national cyberattack.

Recent EU-wide regulation has also upped the penalties against companies that fail to protect online data. The General Data Protection Regulation, or GDPR, that went into effect in May gives regulators the power to fine companies that don't comply with security measures. Unlike in the past, the fines can be massive: up to 4 percent of global annual turnover or 20 million euros ($23 million), whichever is higher.

Cyber hygiene