Volunteer Cyber Army Emerges In Estonia

Enlarge this image toggle caption iStockphoto iStockphoto

In April 2007, the Baltic republic of Estonia became the first country in the world to experience cyberwar. Government, financial and media computer networks were paralyzed by a series of attacks, which authorities ultimately concluded originated in Russia.

In the years since that cyberassault, Estonia has distinguished itself once again: Now it is a model for how a country might defend itself during a cyberwar. The responsibility would fall to a force of programmers, computer scientists and software engineers who make up a Cyber Defense League, a volunteer organization that in wartime would function under a unified military command.

"[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies," Defense Minister Jaak Aaviksoo says. The force carries out regular weekend exercises, Aaviksoo says, "to prepare for possible cyber contingencies."

The unit is but one division of Estonia's Total Defense League, an all-volunteer paramilitary force dedicated to maintaining the country's security and preserving its independence.

2007 Cyberattack Targeted Country

Aaviksoo says Estonian civilians are willing to be mobilized to defend their country because of their experience of invasion and occupation: by the Soviet Army in 1939, followed by the Germans in 1941 and then again by the Soviet Union, which occupied Estonia until it broke free in 1991.

"Insurgent activity against an occupying force sits deep in the Estonian understanding of fighting back," Aaviksoo says, "and I think that builds the foundation for understanding total defense in the case of Estonia."

The 2007 cyberassault followed a controversial government decision to relocate a Soviet war memorial, and authorities ultimately traced the attacks to Russia, which was angered by the government decision. In a speech last September, Aaviksoo described the attacks as "a coordinated attempt to destabilize our government."

Whoever the attacker was, the choice of cyberwar methods made sense. Estonia is one of the most wired countries on the planet. Eighty percent of Estonians pay their taxes online and engage in electronic banking.

The sense of cyber vulnerability in Estonia has been a key rallying point for the Cyber Defense League. No democratic country in the world has a comparable force, with computer specialists ready and willing to put themselves under a single paramilitary command to defend the country's cyber infrastructure.

Insurgent activity against an occupying force sits deep in the Estonian understanding of fighting back, and I think that builds the foundation for understanding total defense in the case of Estonia.

Aaviksoo says it's so important for Estonia to have a skilled cyber army that the authorities there may even institute a draft to make sure every cyber expert in the country is available in a true national emergency.

"We are thinking of introducing this conscript service, a cyber service," Aaviksoo says. "This is an idea that we've been playing around [with]. We don't have the mechanism or laws in place, but it might be one option."

Private Sector Cooperation

In the United States, most top cybersecurity experts work in the private sector and are not available for government duty, even in times of an emergency. Stewart Baker, who tried to coordinate cyberdefense efforts at the Department of Homeland Security under President George W. Bush, says a Cyber Defense League like Estonia has would have been helpful.

"It means people are keeping their skills up to date in the private sector, and those skills can be called on in an emergency, which is the only time the government really needs all of them," Baker says. "That's a very sensible approach, and I only wish we had the same kind of relationship with our [Information Technology] sector that they obviously have with theirs."

When top cybersecurity experts are willing if necessary to put themselves under a single paramilitary command, a country's computer networks can be defended more efficiently. In Estonia, as in the United States, the information technology underpinning the power, transportation and financial systems is largely in private hands. With the responsibility for defending that I.T. infrastructure split between government and private industry, there are always security gaps.

But Baker, a former general counsel at the National Security Agency, says it's been hard in the United States to promote public-private collaboration in cybersecurity.

"The people who work in IT in the U.S. tend to be quite suspicious of government," Baker says. "Maybe they think that they're so much smarter than governments that they'll be able to handle an attack on their own. But there's a standoffishness that makes it much harder to have that kind of easy confidence that you can call on people in an emergency and that they'll be respond."

Estonia's firsthand experience with cyberwar has probably made it easier for authorities there to implement innovative security measures, from its Cyber Defense League to a new requirement for using digital IDs to carry out many online transactions. Many countries would face resistance to such efforts. But that only means Estonia now has the opportunity to serve as a model, and NATO has recognized Estonia's efforts: The alliance's new Cyber Defense Center for Excellence has its headquarters there.