Here’s What the US Could Learn From Estonia About Cybersecurity

Estonia's President Toomas Hendrik Ilves addresses the 69th session of the United Nations General Assembly.

Estonia's President Toomas Hendrik Ilves addresses the 69th session of the United Nations General Assembly. John Minchillo/AP

Cyber attacks cost an estimated $400 billion in damages per year, but that number may soon soar thanks to what Estonian President Toomas Hendrik Ilves called “the “little green men-ization of cyberspace."

While the spate of recent cyber attacks against FinlandGermany,Ukraine, and U.S. Central Command has governments worrying about how to combat cyberwarfare, Singapore just took a rare radical step towards doing so. On Tuesday, Prime Minister Lee Hsien Loong’s office announced the creation of the Cyber Security Agency of Singapore, which “will provide dedicated and centralized oversight of national cyber security functions.” Given the sinister ways in which cyber threats are evolving, the move is a necessary step for a wired, wealthy nation that has long been the target of cyber crime. 

Cyber attacks cost an estimated $400 billion in damages per year, but that number may soon soar thanks to what Estonian President Toomas Hendrik Ilves called “the “little green men-ization of cyberspace,” at Davos last weekend, referring to the “little green men” who started showing up around Crimea in unmarked uniforms before Russia formally annexed the peninsula. “It’s not just criminals, it’s not just states, it’s also in between–the unique public/private partnership form that we see where states will pay criminal groups,” buying information about critical vulnerabilities, Ilves said. In the cyber marketplace, where loopholes called “zero-day vulnerabilities” are traded, organized crime, terrorist networks, and state actors are converging, making it increasingly difficult to tell the difference between them. And with the number of politically-motivated cyber attacks on the rise (2013 saw a 91% increase in target attacks) these new channels between states and criminal networks are a crucial aspect of cyber infrastructure.

Eugene Kaspersky, who runs the Kaspersky Lab security group, cautioned that cybercrime has evolved to rival the sophistication of states. “A few years ago, there was criminal malware, and state-sponsored malware. and the difference [was] like a car and a space shuttle. Now, many criminals, unfortunately, the evolution in cybercrime is such that they are very professional.” Jean-Paul Laborde, executive director of the UN Counter-Terrorism Executive Directorate, warned of “more and more connections between organized crime and terrorist organizations.”

It’s unclear what these new cyber connections mean, or how they will shape the market for zero-day vulnerabilities: “It used to be that If I’m a gangster and I want to get access to my competitor’s computer, I go and I get the zero day and I look into that computer,” Andres Kutt, and advisor to Estonia’s Information System Authority, told me. “Now, governments are starting to participate in what used to be a black or grey market for vulnerabilities, botnets and such…that changes the game by pushing more money to the ecosystems and tilting the delicate market balances.”

At Davos, participants diplomatically shied away from naming exactly which countries are increasing their cooperation with organized cybercrime, but their identities are no secret. Uko Valtenberg, chief of the Estonian Defense Force’s cyber range, told me that “Russians are using the criminal element for their politically motivated attacks as well. It’s difficult to determine the military guys from the cyber criminal guys–you could say that they’re the same in Russia, more or less.”

Russia has been accused of sponsoring the hacker group CyberBerkut, which recently took responsibility for the attacks against official German websites. It’s also the more than likely origin of a debilitating cyberattack that took down Estonian banking, government, and media infrastructure in 2007–the first time a country witnessed its critical infrastructure crumble at the hands of hackers. Similar tactics were later used in Georgia and Ukraine in the lead-up to Russian military aggression, and a similar attack against critical infrastructure could easily happen elsewhere–in the US, for instance, where existing vulnerabilities to electricity, water, and gas networks were recently exposed.

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” President Obama said in his State of the Union address. “We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable.”

Among the many cybersecurity reforms that Obama has introduced are measures that would require the private sector to share information about cyber threats with the government, to crack down on the sale of botnets, and to prosecute insiders who exceed authorized access to online networks. But some of those reforms might actually make it more difficult for “good” hackers to do their jobs: “This is good in intent, but will negatively affect positive cyber security outcomes by limiting the tool set that the good guys can use to detect and respond to attacks from bad guys as ‘wire or electronic communication intercepting devices’ are standard tools that are used in all global 500 organizations today,” J.J. Thompson, CEO of Rook Security, told Information Week.

As this new spate of reforms demonstrate, governments are still struggling to come up with effective ways to respond to threats posed by cyber attacks and cyber espionage. They would be well advised to look toward Estonia for advice on how to do so. After the 2007 attack, the Baltic nation overhauled its approach to cyber defense, introducing a systematic chain-of-command that ensures a swift reaction to a future attack. In 2009, it passed an Emergency Act which mandates that all vital services must retain the majority of their capacity in the event that they are disconnected from the Internet.

“Systems need to be built in a way that is difficult to attack. You need to have a holistic view of cybersecurity. It is not enough to have a cybersecurity initiative somewhere off in the Department of Homeland Security,” says Kutt. “We try to promote the concept that cybersecurity is not a technical matter. It never is…It’s a business issue. If your systems are vulnerable to attack, that is a cyber security incident in terms of national security, then they’re probably vulnerable to commercial cyberattacks, and if they’re vulnerable to commercial cyberattacks, they might be more vulnerable to information security risks coming from inside the organization.” So while nations like Denmark and Australia are scrambling to develop offensive cyber capabilities, the centralizing reforms in Singapore and Estonia may actually be a simpler, more effective way of combatting cyber threats.  

Estonia is also home to the NATO Cooperative Cyber Defence Centre of Excellence, housed in the renovated barracks of the Russian imperial army. There, Estonian Colonel Artur Suzik leads a team of researchers in identifying and laying the legal framework for the next generation of cyber threats, and determining what offensive responses would be proportional to incidents like the Sony hack. “Cyber is interconnected by nature, and the cyber environment has no regard for national borders. No one can defend their own network within their network or national borders and consider it safe. It means that cyber defense, especially if we consider it in the context of national security and defense and the provision of vital services, is an inherently cooperative effort,” Suzik said. “Before 2007, there weren’t a lot of national cyber security strategies developed. What we see right now, is that there’s this second wave of this development of national strategies.”

But judging from the sentiment of cybersecurity discussions in Davos, the sort of international cooperation necessary to fight increasingly intertwined criminal, terrorist, and state cyber networks is a long ways away. “Let me tell you how international cooperation really works,” Kaspersky told his Davos audience. “I have an email to my lab from the cyberpolice from country A. ‘Hey, Eugene, do you have a contact for Country B?’ I say, ‘Hey guys, you are both countries from the west, why don’t you call each other?’ ‘Hey, Eugene, it’s too bureaucratic’…this is how it really works.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.