The 2007 Estonian Cyber Incident: A Digital People's War

On the night of April 27th 2007, a statue was removed from a busy intersection in the middle of the Estonian capital of Tallinn, and relocated to a military cemetery a short distance away.  Beneath the statue were the graves of a number of Red Army soldiers who perished in World War II.  The incident touched off several days of riots in Tallinn, and sparked what later became known as 'Cyber War I’.^[1]  Though for all intents and purposes the relocation of the statue was a classically political move, several factors specific to Estonia and the era made it unique.  We’ll first consider the classical elements, and then unique features, and finally interpret it in terms of securitization.

In 1944, as the Nazis retreated before the Red Army, Estonia briefly enjoyed sovereignty, at least in name, between approximately the 18th and the 22nd of September.  During that period, an Estonian flag flew over their seat of government, replacing a Nazi flag and preceding a Soviet flag.  In multiple separate actions, the Red Army defeated Estonian forces, and proceeded to occupy the country.  A widespread resistance movement began, but was largely crushed by 1950, at least in part due to mass deportations of suspected sympathizers and family members to Soviet Gulags.^[2]

It was during this period in 1947 that the bronze statue central to the 2007 incident was erected in the center of Tallinn to commemorate the three year anniversary of the ‘liberation’ of Estonia from the Nazis.  It was called the “Unknown Soldier”, and sat atop a small Red Army grave site.  Estonia would remain an occupied territory until the fall of the Soviet Union some 50 years later, and during that time the area’s ethnically Russian population grew significantly, constituting roughly a quarter of the population by 2007.  Given its background, it is no wonder that a statue which ethnic Russians consider a monument to the sacrifice of the Red Army, and which some Estonians call the “Unknown Rapist” would lend itself to political tension.^[3]

We’ll not delve into the particulars of the political machinations that lead to the decision to move the statue in 2007, as this background information is intended only to reinforce the issue as classically political.  However, regardless of political bent, the statue had become a focal point for tension between ethnically Estonian and ethnically Russian Estonians by early 2007, and for various reasons, the Estonian Government decided it was time to move it.  On the 26th of April they erected a tent over it, and established a police cordon.  Over the next two days, as the authorities worked to move the statue, protests grew into riots, eventually leading to one death, and widespread looting.^[4]  As the riots subsided, a two-phase cyber campaign was beginning.  Russian ‘hacktivists’ targeted the Estonian government’s web presence for defacement and denial of service, egged on by Russian-language media.^[5]

The commencement of cyber attacks on a nation’s core infrastructure is the first of the unique factors at play in the Estonian incident.  After a few days of these amateurish attacks, Estonian authorities noticed a substantial uptick in the traffic bombarding their government and big-business services.  They had come under attack from much more sophisticated, highly distributed sources.  This enhanced attack managed to disable parliament's email, and caused disruption in several large Estonian banks and media outlets.^[6]  With the benefit of a decade’s worth of hindsight, it would seem that the incident was not particularly devastating in terms of systems disrupted.  However, like Morris’ worm, it served to shake up the status quo, and represented a major paradigm shift in the understanding of the balance of power in cyberspace.

In order to explore this shift, it is first important to appreciate the second unique component of the incident: the Estonian state’s aggressive adoption of e-governance and high technology.  In a description touted by Estonia’s own ‘e-estonia’ promotional site^[7], Wired last year referred to Estonia as “the most advanced digital society in the world”.^[8]  The facts back this up.  After it gained independence in the wake of the fall of the Soviet Union, Estonia sought to distinguish itself from its Baltic neighbors through digitalization, and by 1997 had begun to roll out ‘e’ systems.^[9]  By 2000 the majority of Government services were available via the web, and most tax filings were done electronically.  Famously, Estonia completed a national election via the Internet in 2005.^[10]

Though the 2007 incident was classically political, due to the ‘e’ nature of Estonia several features of the event stand out as unique, if not transformational.  First, like Morris’ worm before it, the realization of the potential danger of a nation-wide cyber event, and the clear links to the Russian influences caused the predominant threat model of “lone hackers and script kiddies” to be reexamined.^[11]  Where Morris’ worm and the unmasking of Markus Hess had demonstrated the potential damage of lone-wolf attacks and the potential sophistication of so called “bored students”, the attack on Estonia demonstrated the potentially enormous destructive power of a well-financed, state-assisted cyber assault.  No longer were lone wolves the baddest actors around.

Secondly, as asserted by Otis in his analysis of the 2007 cyber attack on Estonia, the event exhibited all the features of a ‘people’s war’, the requirements for which he enumerates, building on previous Chinese work^[12]: variety in agents, external motivation of agents, and the existence of state support.  There is substantial evidence to support the cyber assault on Estonia as a people’s war.  Indeed, through its obstinate resistance to abide by post-Soviet legal cooperation treaties with Estonian law enforcement in relation to the incident, Russia implicated itself to a significant degree.^[13]  However, despite a widespread belief that the Kremlin had at least some hand in orchestrating the incident, or at least fanned the flames, little action has been taken - certainly no action in keeping with the ‘war’ rhetoric so often associated with the incident.  As Otis notes succinctly, “The beauty of people’s war is that it provides near perfect deniability for the government or any other entity that is behind the attacks”.^[14]

This plausible deniability, and the Estonian government’s decision to treat the event as a criminal act rather than terrorism, or more serious still, as an act of war, is at the heart of the third outcome we may observe.^[15]  Estonia is a NATO member, and thus, under the mutual defense conditions of NATO’s Article 5, should the cyber assault have been deemed an act of war, all NATO members would be required to respond.  The only Article 5 invocation in the history of NATO was after the September 11, 2001, attacks on the United States which resulted in a broadly collaborative action in Afghanistan.  Though there seems to have been little real consideration of invoking Article 5 in 2007, the shield of plausible deniability in its context was widely appreciated.^[16]  Considering NATO, and similarly binding treaties in the context of cyber conflict, the ‘after Estonia’ stage of modern international conflict is one that takes full advantage of this plausible deniability, and to a large extent divorces cyber activities from traditional, kinetic terms and language.

In the wake of the cyber attack several measures were taken.  They included setting up the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), which runs Locked Shields, one of the most advanced cyber-conflict exercises today, and has famously published two versions of an internationally compiled discussion on law and norms in cyber conflict called the Tallinn Manual.^[17]  In the US, cyber issues, which had no place on the Department of Defense’s list of top threats until 2008, soared to number one by 2012.^[18]  Snowden’s revelations in 2013 included information on a 2009 Chinese hack of Lockheed Martin in which they stole huge troves of data to do with the development of the state-of-the-art F-35 jet fighter.  The Chinese J-31 fighter unveiled in 2012 bore a striking resemblance to the F-35.^[19]  At around the same time, in 2010 the public learned of Stuxnet, often considered the first major state-developed cyber weapon.^[20]

In the context of these developments, the 2007 Estonian incident would seem to have been a watershed moment in the escalation of cyber activities, marking the public emergence of the nation state onto the cyber scene.  In doing so, nation states may have tipped their hands.  For instance, the Tallinn Manuals represent a direct response to the incredibly difficult problem of applying kinetic-oriented legal frameworks to the cyber landscape which Russia utilized to maintain plausible deniability during the attacks on Estonia.  This time period, therefore, represents an escalation in the securitization of cyberspace.

It is quite difficult to know with any accuracy what was known by, or going on inside governmental structures prior to the public revelations and events beginning with these attacks.  However if we consider public knowledge, they represent the emergence of a new threat, the identification of a new theater with its own specific, untested set of rules, and a scramble to develop new security aparati sufficient to exercise some control over these new threats.  The new threat was the nation state.  The new theater was a previously undefined intersection between international relations and the Internet, and while the jury is still very much out on the outcomes of attempts to establish control over this area, we may with some validity consider modern trends in its context.

Let’s consider the development of hypersonic missiles.  A hypersonic missile is one which approaches its target at many times the speed of sound; a speed which, in combination with its potential to follow an erratic flight path toward its target renders most extant missile defense systems useless.  They may carry either a nuclear or conventional payload, and given the global reach that at least the US currently possesses, would allow Washington to - with only minimal preparation - strike any location in the world within minutes.  Hypersonic missile technology is currently a very hot area of research, with the US, China and Russia having all devoted significant defense spending to their development.^[21]  The most recent US defense budget included 2.6 billion for hypersonic research.^[22]  Most poignantly, from our perspective here, there is no equal defensive technology, which has lead strategic thinkers to the necessity of states having a ‘deterrent’ stockpile of their own hypersonic missiles.

It is not hard to see this development of offensive capability, which is by no means a new paradigm, as running parallel to the emergence of the nation state and the inherent ‘grey-space’ of international cyber action.  In the absence of an overarching authority, and in the presence of potentially adversarial others, the prisoner’s dilemma of how to deal with uncertainty has resulted in a cyber arms race.  However, as the Estonian case demonstrated, this parallel is uniquely cyber.  For instance, unlike the most recent conventional arms races - most notably nuclear - we have already witnessed a large number of nation states launch cyber attacks against other nation states.  Given the similar, yet unique quality of this cyber arms race, the securitization of the theater will naturally follow a similar, but uniquely cyber track; a track characterized by widespread pushing of limits.  Where the Cuban missile crisis developed into an almost purely human affair as a result of developments in offensive, kinetic technology, the 2016 US election meddling was one where the actual weapons - hacking, exploitation of big data, ‘platform abuse’^[23] - took center stage.  The 2016 election meddling also serves to demonstrate the continued skew toward offense in the cyber theater, as Russia seems to still be quite successfully benefiting from the lack of an adequate defense against the plausible deniability of a cyber people’s war.

It remains to consider the Estonian incident from the perspective of our core concepts.  From the preceding, relatively unstructured analysis of the securitization that resulted from the 2007 Estonian incident, we see an instance of securitization which appears parallel to the paradigm present in the previous cases.  First, the utopia-heavy rhetoric which has often been associated with Estonia’s digital governance supports the idea that, at least to some degree, the space Estonia continues to build possesses commons-like aspirations.  Second, throughout the event and its aftermath we see instances of exclusion manifested, from the tragic, exclusionary denial of service produced by the attacks, to Estonian responses which included both literal exclusion and political actions which appeared designed to reinforce feelings of otherness toward their attacker.  Finally, the emergence of the nation state has to a degree defined the last decade of cybersecurity thought - especially the post-2016 election era.  Usefully, however, there are features of the Estonian situation which differ markedly from our previous events, providing the opportunity to better understand the general phenomenon through contrast.  The most prominent of these features is the historic enmity between Estonia and Russia, and the fact that, as a nation state, Estonia lacks a ready-made authority from which to request protection.

The aforementioned e-Estonia promotional website provides a tailor-made entry point to considering both the commons-building nature of the Estonian digital governance project, as well as their existential, eastern threat.  The site features a synopsis of a 2016 Guardian article from which they’ve quoted “[Estonia] ‘rapidly transformed from Soviet state to digital utopia’” to use as the page’s title.^[24]  Similar references to digital utopia building abound, and in Utopianism lies the same tragic vulnerability present in the commons, in no small part due to the assumptions necessarily implicit in such an idealized project.  The Utopia imagined by Thomas Moore’s 1516 book from which we derive the term featured slavery.^[25]  Despite critiques suggesting that Moore’s slavery was intended to be at least more egalitarian than the then-English practice of executing petty thieves - used as it was largely as a punishment for breaking Utopia’s laws - Moore’s was an era of slavery, and the institution found its way, largely unchallenged, into his Utopia^[26].  It is not difficult to see the history of the United States and its 13th constitutional amendment as both literally, and abstractly following the same pattern.  Likewise, Estonia’s self-affirmed Utopian digital-governance ambitions necessarily carries the weight of tradition.  In the Estonian case, those traditions clearly included a fraught relationship with Russia, and a threat model which didn’t provide for either a nation-state actor, or the related people’s war effort.        

Fundamentally then, the Estonian experience in 2007 was one which tragically demonstrated a divergence of reality from expectation.  Their threat model, though seemingly well informed with regard to Russia, didn’t anticipate the emergence of the nation state.  However Estonia can hardly be faulted for having not predicted the next major cyber-security trend, and their response to the sudden, tragic realization of their model’s inadequacy is one which seems to have beneficially drawn on traditions of securitization.  Most explicitly, they implemented exclusion in several different ways, and managed to achieve a relatively high level of exclusion with regard to Russia despite not having a supranational authority to turn to.

During the second phase of the incident, when the Estonian authorities noticed that a large portion of the malicious connections originated outside of Estonia, they disabled many of the connections which allowed Estonia to communicate with the rest of the Internet.^[27]  This first act of exclusion proved effective in the short term, preserving banking and civil services for the people living in Estonia.  The next year, in 2008, NATO founded the CCDCOE in Tallinn.  As an organization developed specifically to check Soviet expansion, and which post-Soviet Russia still sees as a direct threat, closer cooperation with NATO effectively distanced Estonia from Russia.^[28]  Despite NATO’s supranational existence, the people’s war nature of cyber actions, among other political concerns effectively prevented NATO from assuming the securitizing role the US Federal Government had played when it passed legislation explicitly forbidding and enumerating punishments for specific behavior.  NATO couldn’t act directly.  A reaffirmation of vows, backed by real, tangible action on the part of both NATO and Estonia effectively filled the void, albeit not in the exact same form we have seen previously.  While no monolithic entity was tasked with enforcing rules, the aggrieved parties agreed to cooperate more closely.  Lacking an authority to turn to, the commons grazers resorted to collectivism to improve the commons’ ability to withstand unpreventable instances of abandoned moral-restraint.

The final component of the Estonian narrative which makes it so compelling can be seen in how it played out two major, relatively recent developments in cyber security.  First, as we have discussed, the emergence of the nation state as most-dangerous threat actor has unequivocally demonstrated that cyber threats have exceeded international legal structures.  The fact that the Tallinn Manuals, despite being called manuals, are chiefly “commentaries” underscores the problem of territory-based laws and political structures bringing their traditions to an inherently global Internet.^[29]  Second, the tragedy inherent in the Utopianism of Estonia’s digital-governance project was in the collective realization that a state’s national processes and infrastructures were not only vulnerable to cyber attack, but that agents existed who were willing to attack them.  This loss of innocence captures the escalating stakes in cyber security.  Where Morris’ worm instigated the securitization of a relatively new technology, and social violence in the chat rooms of the 90s securitized a new, Internet-enabled space, the 2007 attack on Estonia catalyzed the cyber-securitization of the age-old institution of statehood.  The past decade has seen this escalation continue, from the State infrastructure of Estonia, to the democratic infrastructure of the 2016 US election meddling.

On top of these nebulous cyber advances is the disparity between offense and defense and the ever-increasing pace of technological development.  If time-to-market negatively incentivizes security during the development of a digital technology, the short-termism that so widely pervades our commercial sectors suggests little cause for optimism.^[30]  The cyber arms race compounds this problem, as prioritizing offensive capability over defense will likely result in a less secure cyber environment overall.  However Estonia’s response suggests possible recourse.  Faced with an unprecedented technical challenge wearing the trappings of historical Russian enmity, the Estonians combined a unique technical defense, and a wholly traditional political solution.  In this way, the Estonian event ushered in an improved era in NATO cyber-preparedness and lead to extensive investigations like those reflected in the Tallinn Manuals.  While Estonia certainly suffered, it wasn’t wholly in vain.

References: