Two ways to read the story
- Quick Read
- Deep Read ( 13 Min. )
Russian hackers are believed to have carried out the world’s first politically motivated cyberattack against a nation in 2007, leaving large parts of Estonian society electronically dark. As the United States heads into the 2020 election, looking to better protect itself against Russian interference, Estonia offers key lessons.
This tiny country bordering Russia has become known around the world for its cybersecurity expertise and secure online voting system. But its greatest defenses may not be technical at all. They lie in a way of thinking – an urgency and unity of purpose that impel coordination across diverse sectors.
“For the U.S., my suggestion would be not to wait until a cyber 9/11 but to come together much earlier,” says Marina Kaljurand, a cybersecurity expert and former ambassador to the U.S.
Estonia’s cyber minutemen, volunteers affectionately dubbed the “nerd reserves,” come mainly from the country’s vibrant information technology community. But they also include teachers, lawyers, and utility employees. “They fight for free, basically, and that’s the beauty of doing it of free will,” says Aivar Sarapik, an Estonian Orthodox priest who has served as the unit’s chaplain. “You protect your lifestyle, you protect your value system, you protect who you are.”
If a modern-day Paul Revere were to gallop through cyberspace yelling, “The Russians are coming!” Jaan Priisalu would be among the first to jump to the rescue.
A taciturn information technology expert who seems to make some of his best decisions in the sauna, Mr. Priisalu is no stranger to battling Russian cyber warriors. When Russian hackers were believed to carry out the world’s first politically motivated cyberattack against a nation in 2007, leaving large parts of Estonian society electronically dark, Mr. Priisalu was in charge of IT risk management at the country’s leading bank. Today, he is a researcher at Tallinn University of Technology. On a dreary November day he is sitting in his office in red polka-dot socks and slippers when the phone rings. It is Andrus Padar, commander of Estonia’s Cyber Defense League, asking if he could join in an exercise this week.
With a shoestring budget of about $300,000 to cover office space and a few staff members, Mr. Padar depends on hundreds of volunteers like Mr. Priisalu who are willing to spend their evenings and weekends bolstering the country’s cyberdefenses. They do everything from giving talks at elementary schools to planning elaborate simulated cybercrises so government officials can refine their response skills.
These volunteers are affectionately dubbed the “nerd reserves,” and come mainly from the vibrant IT community in Estonia, which developed the original software behind Skype. But they also include teachers, lawyers, utility employees – even a man of the cloth.
“They fight for free, basically, and that’s the beauty of doing it of free will,” says Aivar Sarapik, an Estonian Orthodox priest who has served as chaplain for the unit since its inception. “You protect your lifestyle, you protect your value system, you protect who you are.”
These are the modern-day minutemen of Estonia. They’re part of a broader electronic bulwark this Baltic nation has built since the 2007 attacks, which were a prototype of 21st-century conflict that Russia has since refined and deployed in numerous Western democracies. With the help of everyone from academics to ambassadors, military officers to election officials, Estonia has emerged as a model for other countries keen to counter Moscow’s meddling.
According to experts here and in Washington, Russia aims to undermine Western democracies both to boost its own global standing and to thwart democratic aspirations at home. It tries to do this by sowing doubt about democracy, undermining public trust in democratic leaders and institutions, and dividing nations and alliances. The foreign intruders have proved they can infiltrate everything from voting lists to banking systems and personal laptops.
“The adversary, looking to delegitimize or create fear, confusion, and doubt about our societies, is working across the globe and we know that they’re not shy about recycling effective methods,” says Liisa Past, chief national cyberrisk officer for Estonia’s National Security and Defense Coordination Unit.
As the U.S. heads into the 2020 election, looking to better protect itself against the Russian interference that roiled the country four years ago, Estonia offers key lessons. This tiny country on the fringes of Russia has become known around the world for both its cybersecurity expertise and secure online voting system. But its greatest defenses may not be technical at all. They lie in a way of thinking – a shared understanding that erecting a protective cyber wall requires alertness but not alarmism as well as an urgency and unity of purpose that impel coordination across diverse sectors.
“The lessons we learned from 2007 can apply to all countries, irrespective of size,” says Marina Kaljurand, an Estonian cybersecurity expert and former ambassador to the United States now serving in the European Parliament. “For the U.S., my suggestion would be not to wait until a cyber 9/11 but to come together much earlier.”
On a spring evening in 2007, Heli Tiirmaa-Klaar had finally just gotten her children to bed around 11 p.m. when the phone rang.
It was one of her husband’s colleagues, who demanded that she wake him up. There was a water cannon, used for riot control, standing in front of their European Commission office downtown, he said.
You are dreaming, she recalls telling him. The capital had been quiet since Estonia regained its independence from the Soviet Union in 1991.
But sure enough, protesters were smashing store windows, setting fires, and chanting “Russia, Russia, Russia!” Most of them were from Estonia’s sizable ethnic Russian minority, and were upset by the Estonian government’s decision to move a controversial Soviet-era monument, known as the Bronze Soldier, from a prominent location downtown to a military cemetery not far away. The larger backdrop was growing tension between a resurgent Russia under President Vladimir Putin and NATO, which – thanks to Estonia’s admittance as a member three years earlier – now had a presence on Russia’s doorstep.
At first, the protests appeared to be a spontaneous outburst by local youths. But shortly thereafter a wave of coordinated cyberattacks disabled government websites, newspapers, and banks. Estonians quickly became convinced that Russia was behind the digital assaults, especially when Russian law enforcement authorities refused to cooperate with their Estonian counterparts in identifying the culprits.
“We decided we just have to become much more resilient, and make sure, in case something similar happens again, we will be ready,” says Ms. Tiirmaa-Klaar, Estonia’s ambassador at large for cyberdiplomacy, who was then at the Ministry of Defense.
Estonians are well aware of Moscow’s attempts to manipulate and deceive them. As Soviet citizens, they were subjected to everything from TV broadcasts full of propaganda to more covert shenanigans: Estonians have a museum in an upscale hotel in Tallinn that shows, among other things, how the KGB famously embedded listening devices in plates at the hotel restaurant.
“We have 60 years of experience in reading between the lines and speaking between the lines,” says Tõnu Tammer, head of the computer emergency response team at the Estonian Information System Authority. “It’s actually our dear adversaries that keep those skills honed for the younger generation.”
Social media and the internet have opened new ways for Russia to infiltrate networks and disseminate disinformation with vastly more speed and scope. U.S. intelligence agencies have blamed a Russian cyberespionage team for penetrating the computer networks of the Democratic National Committee in the run-up to the 2016 American presidential election. Later, Russian hackers gained access to thousands of private emails of Hillary Clinton’s campaign chairman, John Podesta. More broadly, U.S. investigators have found evidence of Russian intrusion in election systems in all 50 states, even though voting seemed to be largely unaffected in most areas.
Russia is also the prime suspect behind one of the costliest cyberattacks, NotPetya, which targeted Ukraine in 2017 and then spread to 64 countries, causing an estimated $10 billion in damage.
Estonia, however, was virtually untouched by this attack. Across society – from Mr. Padar’s volunteer Cyber Defense League to grandparents being taught to use more complicated passwords – the country has honed a robust civilian and government network to protect the young democracy against foreign intrusion.
It has also helped bolster its neighbors, in part because of an idea for joint cyber exercises hatched in one of Mr. Priisalu’s sauna sessions with a couple of Swedes.
Several years after 9/11, when Estonia joined NATO, it proposed hosting a NATO center of excellence for cyberdefense. The initial response from other members: Cyber? We’re in the middle of helping to fight a war in Afghanistan. Plus, there was doubt that tiny Estonia could be of much help. But after the 2007 attacks, NATO agreed to back the initiative.
“Do we lack people and resources? Yes. We’re a country of 1.3 million people,” says Col. Jaak Tarien, who today oversees the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) in Tallinn. But, he says, “2007 made people realize that it is important and maybe [Estonians] know what they’re doing.”
Today the CCDCOE hosts the largest live-fire cyberdefense exercise in the world. Known as Locked Shields, the annual drill draws more than 1,200 participants from nearly 30 countries.
Last April, the scenario involved a coordinated series of cyberattacks during a national election, seeking to manipulate how the public perceived the election results, and also affecting vital services. The exercise provided strategic decision-makers and technical experts the opportunity to learn to work more closely in a time of crisis.
Although Estonia itself hasn’t faced a major attack on its voting system, it has been vigilant in defending its electoral machinery. The government offers free cybersecurity screenings for political parties and trains candidates how to recognize and avoid breaches. Estonian security specialists try to break into the country’s voting system about a year ahead of elections. Any vulnerabilities that are discovered are reported to the public, along with what’s being done to fix them. Thanks in part to the heightened trust such transparency affords, more than 40% of Estonians now vote online.
That’s made possible by a system created in the 1990s, which gives each citizen a unique digital identification. A smart ID card with a chip, together with personal identification numbers, acts as a double authentication system that has enabled Estonia to offer nearly all government services online. New parents can order birth certificates from their laptops or access their children’s school system, parties can sign contracts, and patients’ medical prescriptions are issued electronically.
When a security lapse was discovered in the country’s digital ID card system, the “nerd reserves” were brought in to help, demonstrating the practical assistance that goes along with their efforts to raise awareness among citizens and officials alike. “It’s very important that we not only don’t scare them ... we must also offer solutions,” says Mr. Padar.
To bolster the country’s electronic security, the nerd reserves stage exercises similar to the NATO cyberdefense center’s. In one drill, members of the government’s Cabinet confronted a Chernobyl-like disaster. They were told that sensors along the eastern border with Russia flashed readings showing a rapid rise in nuclear radiation, ostensibly due to a Russian nuclear plant malfunction. Unknown to the participants, however, there was no radiation. Instead, a cyberattack had relayed the false readings.
“The purpose was to create ... a mess and the government need to think through what to do,” says Mr. Padar.
At one point during the exercise, cameras that were allowing outside observers to watch the Cabinet members’ response were shut off by the government security service. Was that part of the drill or because officials didn’t want details of the exercise to get out? “I can’t tell you more,” says Mr. Priisalu, cryptically.
In December 2018, a story circulated on Russian social media with the hashtag #ESTexitEU. It purported to show someone beating up an ethnic Russian in the Estonian capital. The attack supposedly took place in a district of Tallinn called Lasnamäe, where ethnic Russians makeup nearly two-thirds of the 118,000 residents.
The implication was clear: The Russian-speaking minority in Estonia isn’t safe.
But a propaganda watchdog group called Propastop found the posts suspicious. One volunteer, who didn’t want to be named for security reasons, sat on his couch night after night after his children had gone to bed to track down the story’s origins. Through his and other people’s efforts, Propastop revealed that there was more snow in the photo than there had been on the ground the day of the alleged beating – implying the location or the date, or both, were fabricated. Propastop and investigative journalists Holger Roonemaa and Martin Laine also found that the people running the accounts on Facebook and Vkontakte, a popular social media site in Russia, were using fake names and profile photos. Presented with this evidence, Facebook shut down numerous accounts by mid-January. But the Vkontakte groups are still open.
“You can’t do anything, just observe,” says the volunteer.
This is another way the Russians try to meddle, not only in Estonia but in the U.S. as well: spreading disinformation. In fact, America is likely even more vulnerable to this type of manipulation than cyberattacks, and it’s an area where Estonians – who lived for decades under Soviet occupation – may have the most to teach Americans.
In the U.S., Russia has sought to exploit ideological divisions between Democrats and Republicans, liberals and conservatives, inciting heated conversations on Twitter or Facebook from a troll factory in St. Petersburg. The trolls focus on hot-button issues, such as immigration or racism, the latter of which constituted some two-thirds of fake Russian account activity around the 2016 election. They performed their dark arts not so much through the blunt instrument of propaganda, as in Soviet days, but much more subtly through fake social media accounts that often appeared sympathetic to popular causes, such as Black Lives Matter.
In Estonia, by contrast, Russia seeks to exploit ethnic divisions. But the tactics are the same – trying to divide from within. In 2014, after Russia annexed Crimea – an area of Ukraine with an ethnic Russian majority – many outsiders looked at Estonia’s eastern flank with its high concentration of ethnic Russians and wondered if it would be next.
But Sven Sakkov, director of the International Center for Defense and Security (ICDS) in Tallinn, says Estonia is not easy prey for Russian propaganda.
“For us, Russian information campaigns, information warfare, influence operations, fake news is not something that just happened in 2014,” he says, noting that because of its long history with such interference, the country is now “quite well inoculated.”
There is one possible exception, though: Lasnamäe. Dmitri Teperik, who studies national resilience in the face of hostile foreign influence activities at ICDS, estimates that while only 7% to 9% of Estonian society could be destabilized on ethnic or linguistic grounds, it’s enough to create trouble.
“Even small groups can dictate some general or major shifts in society, especially if these minor groups are backed or supported by foreign actors,” says Mr. Teperik, a Russian-speaking Estonian who co-founded a nongovernmental organization designed to increase ethnic Russians’ enlistment in the military. “The gunpowder is definitely here. What we are missing, fortunately, is the spark.”
In 2018, Estonia’s Government Office started a strategic communications team, which monitors the three main Russian TV channels as well as online media, and last year hosted an inaugural media literacy week. Students in Estonian-speaking high schools all take a required 35-hour media and manipulation class. Strategic communication adviser Siim Kumpas says that efforts are underway to extend the class to Russian-language schools as well.
The State Electoral Office is also involved, running a working group that meets daily during election campaigns to monitor media and identify any attempts to influence elections through disinformation.
In a media climate with several Russian-language outlets that are considered propaganda machines, Estonia has allowed them to continue to operate, but has refused to give their reporters access to certain government events and high-level officials. Estonian authorities would also like to see social media platforms better regulate political ads.
“If citizens don’t know who is whispering in their ear, then you don’t have a genuine political discussion but you have this post-modernist hodgepodge of yelling out loud,” says Ms. Past, the government’s chief national cyberrisk officer. “Ever since the late 18th century, we have put all our effort into building a society that is better than that,” she says, referring to Western democracies.
The question still looms: To what extent are these efforts applicable to the U.S.? Some, such as implementing a unified education curriculum similar to Estonia’s, with its media and manipulation class, wouldn’t be easy. It would require the buy-in of 50 states and thousands of local school boards, says Bret Schafer, social media analyst for the Alliance for Securing Democracy at the German Marshall Fund in Washington, who has visited Estonia twice.
Similarly, protecting election machinery against cyberattacks the way Estonians do would be difficult. Estonia has one unified State Electoral Office. The U.S. puts decisions about voting machines and methods in the hands of thousands of state and local officials. “I’m not sure our country’s model can immediately be imported,” says Merle Maigre, executive vice president of government relations at CybExer, an Estonian cybersecurity firm.
Yet there is plenty the U.S. can draw from Estonia’s model. Ms. Kaljurand says Estonia learned three key lessons from 2007 that can be applied to countries of any size: putting the topic high on the political agenda, establishing a clear division of responsibilities, and creating a multistakeholder model of security that involves not only the government but also the private sector, academia, and civil society.
The U.S. has taken important steps in this direction, classifying election systems as critical infrastructure, improving coordination between various government agencies, and better supporting state and local election officials. But it has no overarching national strategy to counter foreign influence, despite various agencies tackling different aspects of the issue, according to a 2019 report by the Homeland Security Advisory Council. Mr. Schafer notes that there is no strategic communications group like the one Mr. Kumpas is part of and “that’s a huge problem.”
Still, Estonia is proof that such alertness can come from the people themselves. As a youth growing up in Soviet times, Mr. Padar – like many other young people – was influenced by the ubiquitous propaganda designed to produce good Soviet citizens. He yearned to become a soldier and defend the great homeland. But in high school, he started thinking more for himself, and found another way to serve – first as a police officer, and now as commander of the Cyber Defense League.
In the event of a crisis, not only will his volunteers spring into action as minutemen, but other techies in Estonia’s private sector will likely join in as well, says Mr. Sakkov. “I’m more than certain that they will basically call their friends and say, ‘How can I help?’”
This story was supported by a grant from the Renewing Democracy Fund of the Solutions Journalism Network.