An entire state taken down by hackers: What we can learn from Estonia’s cyber incident

The Bronze Soldier is a memorial to Soviet soldiers who died during World War II and stood in Tallinn until it was decided that it would be moved to the military cemetery. Illustration: Keith Ruffles

It all started when a statue was moved out of the centre of Tallinn—which means “Danish-town”. The bronze statue from the Soviet era marked the grave of Soviet soldiers, and Russia had clearly expressed its disappointment with the decision before the move.

Suddenly, Estonia went dark. Under a hail of so-called DDoS (distributed denial-of-service) attacks, which overload IT systems with traffic, the authorities’ websites were the first to fall to their knees. Shortly afterwards, the Estonian banking system, ministries, media, and organizations followed. It was unheard of: a historic attack that successfully took down large parts of a state overnight.

Estonians are convinced that Russians were behind it—but the evidence is scant. Later, however, a pro-Russian Moldovan politician confessed to having orchestrated parts of the attack. In any case, Estonians have since reinforced both their traditional defences and, to a very high degree, their digital preparedness as well. Like Denmark, our Baltic neighbours to the east are among the world’s most digitalised countries.

The big question, then, is what we can learn from the Estonians, who are both incredibly digitalised and have gone through a state’s digital nightmare. Version2 has visited the agencies responsible for security in digitalised Estonia, and while there are several similarities between Estonia and Denmark, there are also things we could use as inspiration.

Clear division of responsibilities

First of all, Estonia has an IT minister. This has been considered on several occasions in Denmark, but even after the latest digitalisation campaign, Denmark still has no central IT politician in the upper political strata. This is despite the fact that IT systems in the Danish Customs and Tax Administration, health sector, and in, among other governmental bodies, Banedanmark take up a significant part of the Danish budget and are of critical importance for our digitalised nation.

This means that the responsibility again and again falls between two stools, especially when things go awry. But it also means that efforts in the IT field are fragmented.

This also applies to IT security in the sectors we are so dependent on in Denmark: the energy sector, the health sector, transport, telecommunications, finance, and shipping. We Danes depend on each and every one of them, but according to the Danish cyber strategy, they stand alone, each responsible for its own sector.

Estonia has taken the bull by the horns and has set up a single public CERT (computer emergency response team), which ensures the safety of all sectors that the Estonians have assessed as critical. If they are compromised, it hurts the whole state. Estonians remember this, and therefore the state, through a central security body, takes responsibility for ensuring that the sectors do not get compromised.

In contrast to Denmark, Estonia has one central CERT, which informs the critical sectors about new threats and collects information about attacks that are distributed between the sectors. Illustration: ING

In Denmark, it works quite differently. While the energy industry, for example, takes responsibility for its own IT security with the privately owned organization EnergiCERT, the health sector is trying to gather forces in the public Danish Health Data Authority.

The two organizations must then both work together and share knowledge across the public and private sectors as well as across different industry sectors—and the same applies to the CERTs that the other sectors have established or are in the process of establishing.

In addition, they must work together with the Danish Business Authority, which is the security authority in the area of telecommunications and personal data in particular, and the Danish Agency for Digitisation, which is responsible for operating and developing, among other things, MitID. And last but not least, they must cooperate with the Centre for Cyber Security (CFCS), which in Denmark has the overall responsibility for cyber security and for advising Danish actors in the complex jungle that is modern IT security.

The problem is just that the CFCS, unlike the security authority in Estonia, is part of the military. On the one hand, CFCS as an authority must share, among other things, information about specific cyber threats and monitor the Danish infrastructure with its sensor network. But on the other hand, it is an organization under the Danish intelligence services that must protect secrets about the nation’s security—including digital secrets, and this creates great frustration among several of the Danish CERTs.

As can be seen in the diagram below, Estonia’s IT structure is centralized, making it vulnerable to attack. In Denmark, the IT security structure is decentralized both politically and practically. Each sector is responsible for establishing a CERT (computer emergency response team).

Illustration: ING

Openness and honesty

It is otherwise a cliché in the Danish and international IT security industry that one has to talk about things—even when they go wrong. The problem is just that when—not if—something goes wrong, then it is more and more common to stay silent as a company or public body.

Neither the public nor other actors in the same sector get the information they need in order to not make the same mistake. The recent Vestas hack was just one example. Information only came out because Version2 dug up Vestas’s files on the dark web. The public and the rest of the industry received only the absolute minimum of information.

In stark contrast, the Estonian security authority publishes an annual report, which tells factually and openly about the year’s hiccups. The Estonian digital authority, RIA, was hacked last year. Estonia’s digital voting system was partially compromised by an angry privacy activist, and it has taught the country not to use a specific legacy structure in its systems.

The Danish CFCS would never air its dirty laundry in public like that. It does publish annual threat assessments, in which the threat level is always at its highest, together with a fairly general inventory of the biggest threats to date. But the public has very limited insight into the inner workings of the CFCS, and the right of access to documents has deteriorated significantly due to its affiliation with the Danish Defence Intelligence Service.

A real cyber home guard

Estonia has also established a cyber home guard—the Cyber Command. The state has recognized that it is not possible to attract and retain all of the country’s leading IT experts. At the same time, in 2014, it became clear that when cyberattacks hit hard and wide, there is an urgent need for a larger reserve of competent IT experts.


Therefore, the Cyber Command was established, which, in continuation of the otherwise impressive conventional Estonian Defence Forces, will help if the state’s IT security is threatened again.

Denmark has been gradually moving forward with a similar initiative, but since the plan to establish a cyber home guard was presented back in December last year, nothing further has happened. The details of the cyber security strategy that will secure Denmark in the future have not yet been formulated.

Criticism of the situation comes from several Danish actors. The private security industry does not believe that its services should be provided free of charge by a state actor, but that is not how it works in Estonia either. There is an emergency response team that consists of skilled people who know what their role is if the digital state is under attack. It is not a flying squad that would step in if Vestas lost personal data again.

Just as the Estonian Defence Forces do not guard private corporate depots at night.

Changed military doctrines

In conclusion, there are several things that Estonians do differently after the attacks in 2007. But NATO has also changed its specific military doctrines that define the alliance’s reactions in the event of cyberattacks. The next time a country is attacked, as Estonia was, NATO will be ready with a response proportional to the severity of the attack.

As a direct consequence of the attack, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) opened in Tallinn in 2008. The centre has just held a joint cyber defence exercise called Locked Shields.

So NATO and Estonia have both centralised their coordinating and training competencies. Denmark’s competencies are spread all over the country.