Cyber fortress Estonia teaching the world

Martin Kutti, editor
Photo: Tairo Lutter

Political news portal Politico published its list of the most influential people in Europe next year last week, with fifth place going to Estonia’s cybersecurity ambassador Heli Tiirmaa-Klaar.

Tiirmaa-Klaar takes her place in between well-known Europeans, after Secretary General of the European Commission Martin Selmayr and in front of Ukrainian presidential hopeful Yulia Tymoshenko. Politico believes Italy’s populist interior minister Matteo Salvini will be the one to influence Europe the most next year.

Politico put you on a highly influential list. How did you learn of the fact and what was your reaction?

I became fully aware the day it was published. I had received an invitation to the event a few weeks prior, but no one had explained what exactly would be happening.

I’m used to attention and familiar with people in Brussels, so it did not baffle me as such, while it’s nice to be recognized.

Problems with elections and cyberattacks have put cybersecurity on the map in the European Union. I was the one to introduce certain topics in the EU, and they are aware of that. I believe that was the reason.

You are Estonia’s first cyber envoy, and you’ve been busy for three months now. What does an ambassador at large for cybersecurity do and how does it differ from ordinary diplomatic work?

It is global thematic diplomacy. If an ordinary diplomat works in a given geographic region and seeks cooperation within, cyberdiplomacy is an important new element in foreign and security policy.

A lot of major countries already have similar positions or teams. In Europe, France has a cyber ambassador, the Brits do not have an envoy but a director and a team of 20 people. The Americans have a team, Germany has an ambassador. All our main partners have created these roles.

We remain an exception among smaller countries, but Finland also has a cyber ambassador.

There are a lot of formats within international organizations – NATO, EU, UN and OSCE. Smaller meetings between certain countries are also quite commonplace, as well as various events and conferences where it is my job to represent Estonia.

Next to that, there are professional cooperation formats the precise contents of which we do not discuss publicly. There, we discuss things within a small circle of serious cyber countries.

Do you agree that cybersecurity celebrated its tenth anniversary last year in connection with the Bronze Night?

Estonia’s digitization in the 1990s was rapid but did not place emphasis on security. The latter entered the picture with the 2006 e-elections, which is when the first CERT (computer emergency response team – M. K.) was created.

The cooperation network we created in 2006 helped us survive the 2007 attack, which likely came as a surprise to the assailants. It was rather a good test for us.

It was excellent cooperation between specialists that managed to fend off the 2007 attack. It would have been much harder without such a network.

We received observers from NATO and elsewhere, but there was little for them to do. Our people repulsed the attacks, knew what they were doing and remained in contact with one another throughout the process.

If until then cooperation had taken place on an operative-technical level, we built a systematic cybersecurity system after 2007.

We could say we are protected. For example, the NotPetya global ransomware attack left Estonia virtually unscathed. Some individual organizations were at risk, but those were branches of major international companies the IT-systems of which are controlled by their parent companies.

Estonian organizations were unaffected, which means our efforts at prevention have been successful. People are aware. The State Information System’s Authority (RIA) has done great work, while private sector specialists also pursue close cooperation. Estonia is quite good at defending itself in cyber matters.

A serious crisis will not only test how quickly our units are armed but also our vital services. How well defended are they?

We passed a law designating 42 vital services that need to be defended both physically and in cyberspace back in 2009. We have been working on defending these vital objects for ten years. We have crisis-time plans for defending them and pursue constant cooperation with relevant service providers. It is the responsibility of RIA.

Telecommunications operators are obligated to maintain certain networks even in case of force majeure or a major crisis.

We consider ourselves to be a cyber fortress in global comparison, while major countries, like the United States of America for example, have much greater resources. Can we compare ourselves to major world powers in the cyber domain?

Talking about defense, then yes, we are a fortress. A small country is easier to defend than America. Major countries have massive cyberattack programs that require a lot of people and technical capacity.

It is clear that the USA, Russia and China have far greater capacity than any European country. Even though some European countries may be very good at it, they are still smaller.

Estonia is very well equipped to defend itself and has a voice on the strategic level. Technical capacity alone, without seeing the strategic big picture, does not serve the right goal. Someone must put two and two together.

Talking about military defense or attack plans, cyberspace is key in all domains. We cannot rely on great technical capacity to get things done without strategic thinking.

Estonia’s peculiarity is that because we are such a small system, we have tested all possible models and reached a point many other countries haven’t in terms of strategic thinking. Our small size makes it possible for us to quickly take steps that would take others years.

Military capacity is easier to measure than things in cyberspace: there are fixed sums that can buy a fixed amount of equipment. If in the field of military defense, we would like to have medium-range anti-aircraft capacity, what would be our medium-range AA in the cyber domain? What are our aspirations?

Training. Training, exercises and tests are the most important aspects in cyberspace. Machines, computers and technology in general are not all that expensive, but we need to be able to keep the good people we have.

We have them today and must do everything in our power to keep them in the public sector. Even if they work in the private sector, they must still be tied to national defense through the cyberdefense league. That is our priority.

Of course, technical capacity must be increased at one point as we need to stay with the times, and things are developing rapidly in the field of cyberattack capacity.

How far are we in terms of the right to counter cyberattacks?

Talking about cyberoperations that fall short of armed conflict, international law states countermeasures are allowed if the country has suffered damage. These measures need to be proportional and in accordance with international law.

It has not been provided that a response to cyberactivity needs to be contained to the cyber domain. Other types of reactions are also possible, like sanctions for example.

It is very difficult to respond to cyberattacks that fall short of the level of armed conflict in a way that would manage to deter their organizers. Sanctions provide a good opportunity for a proportional response as they send a strong signal and are more than a statement. Being banned from entering the Schengen area is quite a potent sanction.

The exact deterrence effect depends on the assailant and their calculations. Statements might have an effect on countries that do not want to lose face, while they do not work on others.

Estonia’s case is simple as we usually have a single country to worry about. Major European countries also worry about China.

Russia deploys denial in conventional warfare. How to hold them accountable in much more complicated cyberspace?

We have made attempts. We started with the NotPetya attack. A group of likeminded countries, including Estonia, led by the US and the UK, ascribed to Russia the most serious global attack yet that was initially aimed against targets in the Ukraine but quickly went global.

We ascribed to Russia a number of other operations in October. Also in connection with four OPCW agents who sought to conduct a cyberoperation in The Hague but were arrested.

You need to start somewhere, and we have started with publication.

Looking at the Kerch Strait incident, did you notice a spike in attacks against Ukraine before or after the events?

Ukraine has constantly been a target, and new methods are tested there all the time. To what extent the group behind cyberattacks is associated with other groups has not been convincingly proven. We have tried to help Ukraine; for example, by helping them secure elections.

A delegation from RIA is in Ukraine this week to attend an event to teach the country’s central electoral committee to adopt basic cybersecurity measures. We all have a lot to learn from what is going on in Ukrainian cyberspace.