e-Estonia: Between Russia and the Cloud

Although the poster child for everything to do with cyber warfare since 2007, Estonia’s standing in that ever-widening domain is at best am-bivalent after the country suffered the world’s first widely acknowledged politically-motivated cyber attack, almost universally attributed to Russia. A thorn in Moscow’s side with its defense of Georgia and Ukraine in their respective wars with Russia and a vocal advocate of EU and international sanctions, Estonia is also home to more than 300,000 ill-integrated ethnic Russians. Yet, for ten years now it has been spared massive cyber intrusions. The same applies to Latvia and Lithuania, the other two Baltic republics who largely share Estonia’s geopolitical predicament.

The greater the digital heights that the country manages to scale, the bigger its vulnerability if Russia does indeed constitute a threat.

The potential vulnerabilities of Estonia and the other Baltic countries are difficult to overstate. Top Estonian officials freely admit they see the cyber domain as the one crucial dimension in a coming struggle with Russia which appears inevitable to the Baltic nations. Attacks on information and communication networks, social manipulation, not to mention direct targeting of vital infrastructure systems constitute an integral part of Russia’s feared hybrid warfare toolkit. Estonian officials point to historical evidence: both Russia’s conflict with Georgia in 2008 and its ongoing war with Ukraine since 2014 have seen prodigious numbers of cyber attacks directed at the smaller countries’ political, social, and economic infrastructure.

After Massive Attacks, the Internet Ground to a Standstill

Also, the point is always made that Estonia itself serves as the ultimate cautionary tale to testify to the potential of (alleged) Russian cyber wrath. In 2007, in the wake of a contentious decision by the Estonian authorities to remove a WWII memorial from a prominent location in central Tallinn, which provoked three nights of rioting by mostly Russian-speaking local youth, Estonia’s relatively advanced world of Internet-based services suddenly ground to a standstill. A massive wave of denial-of-service attacks crippled parts of the country’s commercial infrastructure for sustained periods of time.

As Hillar Aarelaid, the then head of Estonia’s Computer Emergency Response Team, was to observe, during the two peaks in the attacks on May 10 and May 15, 2007, Estonia first lost 50 percent of its “bread, milk, and gasoline” for 90 minutes and then again for another five minutes. In other words, people without cash on their persons were unable to purchase many commodities in a country which has made the ease of electronic payment one of the bywords of its success. Strangely, despite the experience of 2007, this is not seen as a vulnerability by the authorities. In 2016, the previous President Toomas Ilves even suggested the country should work towards doing away with cash altogether.

“Cyber hygiene” has become the byword for Estonia’s stint as the rotating EU presidency between July-December 2017. The country’s signature souvenir proffered to EU visitors is to be a “cyber condom”

This highlights a paradox which neither Ilves nor the authorities in Estonia with more hands-on responsibilities seem to perceive: the greater the digital heights that the country manages to scale, the bigger its vulnerability if Russia does indeed constitute a threat. Of course, Russia continues to deny responsibility for the 2007 or any other attacks and rejects suggestions it is in any way interfering in other countries’ cyber domains. Whatever the truth of the matter, Estonia’s dependence on digital services is greater than ever before and continues to grow at a very fast pace.

The country, which prides itself on the ever-increasing sophistication of its digital infrastructure and its expansion into an ever-growing number of facets of life, is literally an accident waiting to happen. If the events of 2007 were seen as a great upheaval because the banking networks were down for less than two hours in total over a period of five days, any similar future attack would have far greater potential for disruption.

A particularly attractive target would appear to be Estonia’s famed e-elections. Almost alone in the world, Estonia allows for part of its parliamentary elections to take place electronically, with officials insisting the system is invulnerable. Yet, even if the integrity of the election data could somehow be guaranteed in a world where IT professionals aver nothing is “unhackable,” simple DDOS-style disruption bringing down networks could materially affect outcomes simply because people used to the ease of e-voting would not or could not go and vote in person.

The Baltic Countries Report a Steady Increase of Cyber Incidents

These sorts of dangers are obliquely alluded to in the Estonian Information System Authority’s (EISA) 2017 yearbook: “The data communication networks of state authorities are being scanned and mapped on a continual basis, the capabilities of our communication networks are being tested, and apart from the authorities themselves, the computer networks of companies offering vital services are subject to intrusion attempts.” All three Baltic countries report a steady increase in the number of cyber incidents recorded. In Lithuania, the number was up 21 percent in early 2017, year on year. Latvia reports the growing sophistication of attacks.

Yet, a very large majority of these attacks remain of the humdrum variety, a reflection of the Baltic countries’ presence in global networks, but also of their relatively minuscule size. Estonia, which has projected an image of itself as singularly at risk from Russian cyber aggression, did not report a single high-priority, let alone critical cyber incident in 2016. Like other developed nations, the Baltic countries suffer from phishing campaigns (although, remote as the three languages are, poor grammar remains a problem for attackers relying on translation algorithms), botnets, malware, ransomware, and server breaches. DDOS attacks have been relatively few in number of late.

The Baltic countries remain part of the Russian energy grid. There are plans to switch to EU frequencies which Russia is thought not to favor. The attacks point to a great potential for material harm.

Reflecting the changing nature of the perceived threat, the Estonian authorities’ immediate preoccupations seem to have moved to the other end of the scale. “Cyber hygiene” has become the byword for Estonia’s stint as the rotating EU presidency between July-December 2017. The country’s signature souvenir proffered to EU visitors is to be a “cyber condom” — a contraption which blocks the data connections of any USB device, allowing it to be charged without fear of digital snooping. This dovetails nicely with anecdotal reports by officials in sensitive positions suggesting reluctance even to travel to Russia or countries known to have been penetrated by Russian intelligence services for fear of having their mobile devices hacked.

Estonia’s hopes have in recent years been more actively associated with NATO, where the country has vigorously advocated elevating the cyber domain to a similar status with land, sea, and air

The experience of the other two Baltic countries, which have already performed their first EU presidencies, suggests Estonia will also have to contend with attempts to “deface” its websites. Lithuania presents the most cautionary example of note. In 2015, unidentified but presumed-Russian hackers posted material on the website of the Lithuanian armed forces purporting to amount to a joint Estonian-Latvian-Lithuanian plan of attack on Kaliningrad. Latvia reported only five attacks targeting its 2015 tenure chairing the EU, all attempts to either crash or change websites dedicated to various EU meetings.

Attacks against Baltic Energy Networks

There are indications of more serious designs on the part of Russia – although, again, Russian authorities have denied any involvement. Reuters reported in May 2017 that “exploratory cyber attacks” have been conducted against the energy networks of Estonia, Latvia, and Lithuania. The reports, however, are not particularly recent, pertaining to late 2015 attacks against a Baltic Internet gateway used to control a Baltic energy grid and against a Baltic petrol distribution system. The attacks were of the DDOS type. Both Lithuania and Latvia have denied being targeted recently, while EISA suggests part of the Reuters report originates in an incident reported in its 2016 yearbook which discussed a case of cyber espionage against a private petro-chemical company in Estonia’s northeast.

The Baltic countries remain part of the Russian energy grid. There are plans to switch to EU frequencies which Russia is thought not to favor. The attacks, if Russian in origin, point to a great potential for material harm and even loss of life. A precursor would be the attacks against the Ukrainian energy grid in 2015 — which, however, given that Ukraine’s reliance on networked technology is much lighter, were relatively easy to repel.

The guarded official reactions to the Reuters report highlight another aspect complicating any assessment of the scale of the true cyber threat faced by the Baltic nations — such matters are seen as pertaining to national security. Therefore, no government appears inclined to openly discuss the threats it faces. This is part of a wider pattern affecting cyber issues in EU and NATO nations. Partly as a result of national caginess, the EU’s own cyber security agency ENISA, based in Heraklion, Greece, remains an underdeveloped and nonpermanent affair.

NATO: A Cyber Attack Could Trigger the Alliance’s Article 5

Estonia’s hopes have in recent years been more actively associated with NATO, where the country has vigorously advocated elevating the cyber domain to a similar status with land, sea, and air. In 2016, the efforts were met with qualified success: the NATO Warsaw summit recognized cyberspace as an operational domain. As a consequence, NATO officials say a cyber attack massive enough against one of the allies could trigger the alliance’s Article 5 mutual defense clause. Meanwhile, former President Ilves claims NATO still lacks the strategy and tools to properly counter cyber aggression “beyond locking down its computer networks,” and is unwilling to countenance aggressive countermeasures.

Recognizing the inertia involved in the task early on, Estonia successfully lobbied NATO to set up a Cooperative Cyber Defense Centre of Excellence (CCDCOE) in Tallinn in 2008. Whilst not formally a NATO Institution, the center enjoys the alliance’s backing and currently brings together 20 NATO and non-NATO nations. It sports a unique cyber training facility, where an Estonian IT company has created a modern and flexible environment for exercises involving training in cyber defense and countermeasures. Annual exercises are held under the moniker “Locked Shields.” The 2017 iteration was the largest of its kind in the world, bringing together 800 IT professionals from 25 countries.

Estonia Has a Precarious Security-Political Position

Despite Ilves’s exhortations, no official in Estonia seems prepared to discuss the ramifications of the concept of cyber deterrence – let alone cyber offence. Their reticence is understandable, considering Estonia’s precarious security-political position on Russia’s immediate western border, harboring a Russian-speaking minority that makes up a little less than one third of its population. Also, the obverse of Estonia’s push to have the cyber domain put on a par with traditional domains of war is, of course, that any aggressive response to a cyber attack would by definition itself qualify as an act of war. Again, retaliation remains a hugely complicated affair as a result of the difficulty in attribution, with Russia guaranteed to reject responsibility.

The strategies used in these attacks to gain illegal access to computer systems are very similar in modus operandi to the recent high-profile interference in the US presidential race in 2016.

Recently, advances appear to have been made, however, in building up an increasingly convincing case against Russia involving a wide array of groups and “attack vectors” behind malware attacks against EU and NATO servers, designed to exfiltrate files and siphon off sensitive data. A thorough report discussing the evidence was released by the Estonia-based International Centre for Defense Studies (ICDS). In it, researcher Patrick Maldre examines a spate of suspicious recent cyber attacks across the world involving sophisticated malware—investigated by Symantec, Kaspersky Labs, and other IT outfits and bearing codenames such as Uroburos, the Dukes, Pawn Storm, Red October, etc.—finding that they tend to be highly organized, hint at formal malware development environments requiring large human and financial resources, suggesting, in other words, the backing of a major government.

More to the point, the targets include governments, militaries, think tanks, research institutes, and activists in NATO and EU countries and the former Soviet Union – all directly relevant to Russian strategic interests. The programming also contains Russian-language encoding and compilation timestamps that fall almost exclusively within Mos-cow time zone workdays between 8am and 6pm.

The strategies used in these attacks to gain illegal access to computer systems are very similar in modus operandi to the recent high-profile interference in the US presidential race in 2016, the leaks targeting Emmanuel Macron in France, as well as the recent intrusion into the servers of the German Bundestag. Hackers in all these cases have used sophisticated strategies of “spear phishing” to get recipients unwittingly to download malware such as trojans. Apart from bogus links, seemingly secure websites (often Polish) are taken over so that a simple visit to one of them is enough to infect the visitor’s computer. In the German case, the country’s authorities were so certain the attack came from Russia that they considered a counterstrike – only to reject the idea for fear of provoking an unpredictable response from Vladimir Putin.

Estonia, as well as the other two Baltic nations remain in the eye of the storm for the time being. As indicated above, no substantial attacks appear to have been directed against them for the past 10 years. Whether this is due to their cyber defense prowess or simply a lack of Russian interest is impossible to say. However, as a reminder of how the horizons of conventional and cyber warfare converge, the Estonian government has let it be known that it is in the process of backing up all of its e-government data to servers in Luxembourg. An official at the ministry of the economy comments: “This will add another layer to Estonia’s security and digital continuity. If something were to happen to the local data centers here, the data will be available outside Estonia.” Estonia may be the very first country in the world to entrust its very sovereignty to cloud-based technologies.