10 Years After the Landmark Attack on Estonia, Is the World Better Prepared for Cyber Threats?

The Estonians just wanted to relocate a statue.

Ten years ago today, authorities in Tallinn set out to remove a Soviet World War II memorial from the capital’s downtown. The Russian government had warned that removing the statue would be “disastrous for Estonians,” but since Moscow no longer called the shots in the Baltic state, the statue was duly shipped off to a suburban military cemetery.

Soon after, Estonians found that they couldn’t use much of the internet. They couldn’t access newspapers online, or government websites. Bank accounts were suddenly inaccessible. “It was unheard of, and no one understood what was going on in the beginning,” Toomas Hendrik Ilves, then Estonian President, told Foreign Policy.

Soon, he was informed that it was not an internal failure — but an attack from the outside. It was a Distributed Denial of Service Attack — an orchestrated swarm of internet traffic that literally swamps servers and shuts down websites for hours or days.

That was made crystal clear at the stroke of midnight on May 9 GMT, when Russia celebrates Victory in Europe day for World War II. Annoying cyber attacks dramatically intensified for exactly 24 hours, then trailed off as fast as they’d spiked. Ilves asked his cyber experts what happened. “Well, the money ran out,” he was told — the attack had been bought and paid for by someone — or some state — using criminal hackers to cripple one of the most internet-dependent states in the world.

“Looking back on it, it was the first, but hardly the last, case in which a kind of cyber attack … was done in an overtly political manner,” Ilves said.

Estonia marked a watershed in the use of state-sanctioned cyber attacks to advance foreign policy goals. “Ten years ago, [Russia] put everyone on notice that it was willing to behave badly in cyberspace,” said Jason Healey, a senior research scholar at Columbia University. (Moscow denies any role in the 2007 Estonia hack.)

Since then, Russia has melded cyber into broader strategies that combine hacks with information war, hybrid war, or old-fashioned conventional war in a bid to advance Moscow’s aims. And it hasn’t been shy about using them.

Just a year after the Estonia attack, Russia hacked Georgia at the same time it invaded with conventional forces, eager to punish the country for flirting too openly with the West — and, specifically, with NATO. (Russia denies the attacks.) A few years later, it had turned its attention to the United States, hacking the NASDAQ stock market in 2010 and planting malware on U.S. infrastructure in 2011. In 2014, Ukraine was the target — with “little green men” of the Russian special forces helping grab Crimea, while Ukrainian security services said their country’s lawmakers’ phones were under attack via equipment in Crimea.

It hasn’t let up since. Denmark’s defense minister recently said Russia hacked the ministry in 2015 and 2016. The U.S. intelligence community believes Russia hacked the Democratic National Committee during the 2016 presidential election. Those same hackers, believed to be working for or with Russian intelligence, also got into French media outlets and the German Bundestag.

Both Paris and Berlin are scared that the Russian hackers who helped elect a candidate who openly praised Russian President Vladimir Putin in the U.S. election could do the same in upcoming elections there; indeed, indications have already appeared that the hackers linked to Russian intelligence that broke into the DNC are targeting the one anti-Putin candidate in the French election.

Healey stresses the importance of putting cyberattacks within the context of a broader information war. The damning thing about the DNC hacks, he said, was not the hacks themselves, but their dissemination and the narrative around the content they unveiled, which helped distort media coverage of the front-running candidate.

“The damage came from what was being done, how that information was being used, the context around that situation,” he said. “Putin never forgot that stuff.”

In some ways, the cyber threat since the groundbreaking attack in Estonia has only gotten worse. The United States and Israel unleashed the “Stuxnet” virus on Iran as early as 2007, according to some researchers (though it was discovered in 2010), to slow down its nuclear program. That opened the door to malware that can wreck physical — not virtual — gear.

Potentially even more problematic, says Rob Morgus of the New America Foundation, is the so-called Internet of Things, the universe of internet-enabled devices like televisions, refrigerators, copiers, and more. Indeed, experts believe that the cyber attack that took out much of America’s internet last October — the largest in history — poured through a network infected with special malware. The network was made up not of computers, but of Internet of Things devices.

Yet, a decade on, the wake-up call in Estonia has helped spur significant action. Ilves recalls the difficulty of getting NATO to take cyber threats seriously before his country came under attack.

He recalls telling NATO officials, “‘Listen, cyber is an area NATO has to deal with.’ And they were like, ‘yeah, yeah, yeah, go away. We’re worried about real stuff.’ And then this happened.”

The NATO-accredited (though not NATO-funded or commanded) Cooperative Cyber Defence Centre of Excellence was launched in Estonia a year after the attacks, bringing together cyber experts from the military, government, and industry.

“Estonia 2007 was the first cyber attack in history that affected a country nation-wide,” said Helen Popp, counselor for cyber issues at the Estonian Embassy in Washington, D.C. The increased “awareness, understanding, resilience and defense capability” stemming from that attack in Estonia and inside NATO, she said, “has been immense.”

Cooperation to deal with cyber and hybrid threats continues. Just recently, several NATO member states joined with Finland and Sweden to sign a memorandum of understanding to establish the European Center of Excellence for Countering Hybrid Threats in Helsinki.

And, partly as a result of the big 2007 attacks, Estonia today has a world-class cybersecurity sector. The country is currently hosting Locked Shields 2017, the world’s largest and most advanced cyber defense exercise.

More to the point, Estonia’s served to prove that even a coordinated, history-making cyber campaign won’t necessarily advance an adversary’s foreign policy goals if there is a strong enough defense, resilient enough digital infrastructure, and enough geopolitical will to shape one’s own narrative.

Ten years after Russian hackers attacked, the Soviet statue is still exiled outside the capital.

If Russia aimed at coercion, Healey said, “it absolutely failed. Estonia still moved the statue. They did what they were going to do.”
