Today, Estonia is ranked among the global heavyweights in cybersecurity. But 13 years ago, the country was forced to scramble to respond to one of the most devastating cyberattacks in history, executed by Russian operatives.
On that day in April 2007, Jonatan Vseviov was posted at Estonia’s embassy in Washington, D.C., handling the small eastern European country’s political affairs. He learned quickly of the attacks after he lost access to websites.
“You have to remember that it wasn't just a cyberattack that happened,” said Vseviov, now Estonia’s ambassador to the U.S., referring to the escalating tensions between Estonia and Russia. The cyberattacks were spurred by the relocation of a bronze statue of a Russian soldier.
At the time, “we felt overwhelming support from our allies," said Vseviov, speaking during an opening fireside chat at RiskSec 2020 Digital. "When I went to the House of Representatives or the Senate and asked for support, there had never been objection – except for one tiny topic. Cyber. It was so new, so unusual. It sounded as if I was talking about a sci-fi scenario.”
Interestingly, in 2007, cybersecurity and the concept of a digital society were not new to Estonia. The country was arguably ahead of other western democracies in that regard. Suddenly, Vseviov and Estonian leaders were forced to educate the world while confronting their own wake-up call.
“We made a conscious decision to go digital [in the 1990s], based on the fact that we had lost five decades to various occupations,” Vseviov recalled. “After regaining our freedom, we not only wanted to return home to Europe to the west, we also wanted to make up for lost time.
"And then all of a sudden, a relatively unsophisticated act overwhelms the system.”
Two lessons emerged from that experience, which factored into Estonia’s ability to rapidly advance beyond a digital society to a security culture.
First, “when it comes to cybersecurity, geography really does not matter,” considering the attacks against Estonia were initiated in multiple countries, outside its own borders. “And lesson number two, you really need to move from the whole of government approach [to digital], to a whole of society approach.”
The challenge faced by Estonia at that time was not unlike the challenge faced by companies across all verticals trying to create a security culture among employees and partners. It was just at a grander scale.
Vseviov likened it to the current pandemic.
“At the end of the day, we need people washing their hands and making sure they don’t sneeze on other people,” he said. “Stuff that might sound less sophisticated – but that is as important. You can’t deal with any of this alone.”
Interestingly, since the 2007 cyberattacks, Estonia has accelerated its digital capabilities. Beyond a national ID program that was already in place, providing all citizens a digital signature, the country transitioned virtually all public services online. Estonia was also the first country to offer e-Residency, which allows non-Estonians to establish companies and access Estonian services. The program is aimed towards location-independent entrepreneurs such as software developers. It also established the Digital Nomad Visa, allowing remote workers to live in Estonia and legally work for employers registered abroad.
None of these efforts would succeed without a high level of trust from citizens.
“That trust is built over time. You don’t get there overnight, obviously,” Vseviov said. "But one of the building blocks is transparency and not trying to fool anybody into thinking that all of a sudden you’ve come up with a digital system that is 100 percent secure. Nothing is 100 percent secure. We don't think that our systems are 100 percent. And yet, we believe that they are better than the analog alternatives.”
Vseviov recalls an incident a few years ago, when a security flaw impacted 300,000 digital IDs that citizens use for all public services – from accessing student records to getting a prescription filled at a pharmacy. The first decision that was made when the issue was identified was to go public.
“Turns out people are quite used to the fact that things break on the internet,” Vseviov said. “There was no panic. What people took away from [the incident] is that we had a major concern, and the first thing that the government did was make it public. That ended up building trust, not eroding it.”
So is the world better off, 13 years after the cyberattacks heard around the world?
“Estonia is a small country. That means that when it comes to brute force, we may not be an equal match to bigger countries on the world stage,” Vseviov said. “What we can do, and have been doing in the digital domain, is be the first to let everyone know that we found something out that is new. We can be the canary in the coal mine. That bird is motivated by its own desire to live in a world that is dangerous. But by being motivated, it cries out. That’s our role. That’s what we did in 2007. We started yelling and screaming about cybersecurity.”