Josh “Juku” Gold is a research assistant at Citizen Lab, and a 2019 visiting fellow at The Hague Program for Cyber Norms. His bachelor’s thesis (University of Toronto) investigated the 2007 cyberattacks against Estonia and their legacy. Josh is Estonian-Canadian.
How and why does Estonia have so much influence in building international cybersecurity norms?
If you are reading this article, or familiar with e-Estonia, it is likely that you know something about Estonia’s bold and successful digital innovation. You may be aware that—as is necessary for a society reliant on digital technology—Estonia is also very focused on cybersecurity. Yet this focus is not only on ensuring its own national cybersecurity at home. Instead, especially since 2007, Estonia has held a prominent role in leading international cybersecurity efforts – particularly those focused on establishing rules for behaviour in cyberspace.
Punching above its weight: Estonia’s prominence in cyberspace governance
Estonia has been at the centre of global cybersecurity discussions and action since at least 2008. That year saw the establishment of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn. The Centre is essentially a military think-tank that leads the world in crafting cyber defence solutions through a multinational, interdisciplinary analysis of various cyber issues. As of 2018, the CCDCOE is responsible for identifying and coordinating education and training solutions in cyber defence for all NATO bodies across the Alliance. Today, the CCDCOE comprises 25 states and more are lined up to join, including NATO partner states Japan and Australia.
The Centre is best known for its Tallinn Manual process, a non-binding, academic study on how international law applies to cyber conflicts and cyber warfare. It is the most authoritative and comprehensive of its kind, and is continuously developed by the CCDCOE with input from nearly 50 states.
Estonia is also deeply involved in global efforts focused on security in cyberspace. Most prominent of these is the United Nations Group of Governmental Experts (UN GGE), which has met five times since 2004 to deliberate on developments in information and communications technology (ICT) in the context of international security. Although the size of the GGE is very limited, from 15 members in 2004 to 25 members today, Estonia has been selected to this group for its past four iterations and will be represented at its upcoming set of meetings this year.
Estonia is home to the e-Governance Academy, a non-profit think tank and consultancy that has worked with over 200 organisations and trained more than 5,500 officials in 130 countries on e-government, e-democracy, and cybersecurity solutions.
Upon its founding in 2012, eu-LISA—the EU’s Agency for the Operational Management of Large-Scale IT Systems—has been located in Tallinn.
In October 2018, a speech by then-US Secretary of Defence James Mattis revealed for the first time that Estonia would join the US as one of just four other countries to offer NATO national cyber capabilities to help fight in cyberspace, if necessary.
In June 2019, Estonia was elected for the first time as a non-permanent member of the UN Security Council, which Estonia’s ministers and President say they will use to further action and spread knowledge on cybersecurity and digital governance.
From 2014-2019, former Estonian prime minister Andrus Ansip was in charge of the EU’s Digital Single Market, which among other things deals with security, privacy, and general coordination of the EU’s digitalisation. Upon Ansip’s departure, Estonian bureaucrat Juhan Lepassaar was elected among 80 candidates to become executive director of ENISA, the EU’s cybersecurity agency.
The list goes on and on.
But why is this so? How did Estonia get here, and why do other countries value Estonian opinion? And why should Estonia spend so much effort on this when it has so many other things to worry about?
Learning From Experience
The answer is directly related to Estonia’s experience with cyberattacks in 2007, policy decisions then, and steps forward since.
In spring 2007, during a time of heightened tension between Estonia and Russia, Estonian online services came under a barrage of cyber attacks of varying intensity and sophistication. They continued for three weeks. Luckily—and surprisingly to some Western observers—Estonia was quite successful in defending against the attacks, and direct damage was minimal. But the implications were huge; the attacks demonstrated the risks of political events extending into cyberspace, and the social threat posed by large-scale disruption of the public internet. This was emblematic of the future of war, and a wake-up call for all nations.
And nations did wake up. The NATO CCDCOE, which Estonia had pushed for since 2004, was quickly established. Estonia became one of the world’s first countries to release a National Cyber Security Strategy (2008-2013); essentially a ‘lessons learned’ from its 2007 experience. Other states studied this document closely and it went on to inform NATO and other states’ doctrine.
That Estonian leaders decided to be transparent during and after the attacks brought great dividends. Estonia declassified almost all information about the attacks, turning the country into the global case study for cyber conflict while also, through its openness, maintaining trust of its citizens using e-services.
Small States Need International Rules And Cooperation
Estonia is now one of just a small handful of states globally to have released a third generation National Cyber Security Strategy (2019-2022). Notable throughout all three of these cyber security strategies is a focus on the global nature of threats in cyberspace and the need for international, multilateral action.
To stay at the forefront of digital governance and continue developing its digital society, Estonia must remain a leader in security. As stated in its 2019 Cyber Security Strategy, “For Estonia, cybersecurity does not mean protecting technological solutions; it means protecting digital society and the way of life as a whole.”
Moreover, as a small state, Estonia is particularly reliant on international rules. By setting the agenda and developing norms, Estonia brings countries together to agree on rules for cyberspace, thus working directly in Estonia’s big-picture security interests. A stable, rules-based cyberspace is of critical interest to a digital society like Estonia, which is among the most vulnerable to cyber threats. As is discussed in a recent article by Liisi Adamson and Zine Homburger, Estonia has become a global entrepreneur and pioneer of cyber norms.
What Doesn’t Kill You Makes You Stronger
The 2007 cyberattacks have proven to be a blessing in disguise. Estonia’s successful defence against those attacks, combined with openness, have given Estonia international legitimacy and credibility, thereby allowing it a seat at the grown-ups’ table.
As it advances its digital society and tries new things, Estonia remains something of a digital experiment; an incubator and testing grounds. New technologies and their applications bring new challenges, ensuring that Estonian policymakers stay a few clicks ahead of most of their foreign peers. So long as Estonia’s digital society remains innovative, effective and secure, it can continue to have influence and punch above its weight.