How Europe's smallest nations are battling Russia's cyberattacks

Transatlantic Media Fellowship

European countries are leading the way in digital security

Estonia's landscape mirrors their flag

TALLINN — Earlier this year, the country of Berylia came under a coordinated cyberattack. For two days, hackers targeted the island nation’s power grid and public-safety infrastructure, while cyber experts from across Europe worked to counter the attacks.

Of course, the island nation of Berylia is imaginary, but the threat is not, and the exercise, known as Locked Shields, involved real network infrastructure provided by companies like Siemens and water-treatment systems from South Korea.

Major Gabor Visky, a Hungarian researcher working for the NATO Center in Tallinn, Estonia, where the exercise took place, told Yahoo News during a tour last month that the simulation aims to get “as close as possible to real life.”

It’s not surprising that a NATO cyber defense exercise would take place in Estonia, which has long been at the forefront of the digital revolution. The country took many services online years ago, including the 2002 introduction of its now famous digital ID card for accessing government services.

Hannes Krause, the head of policy and analysis for Estonia’s Information System Authority, the country’s cyber agency, says the Baltic nation is succeeding in defending its online network of government services, which ranges from internet voting to ordering prescription drugs, in part because officials have worked to replace outdated technology and software and to educate the public.

“We were untouched by the WannaCry and NotPetya campaigns,” says Krause, referring to devastating cyberattacks that spread around the world in 2017. The damage caused by the malware cost companies like FedEx and hospitals throughout the U.K. millions of dollars. But in Estonia, the virus didn’t spread. “Then we realized we had probably been doing something right,” Krause continued. “It left us literally untouched,” he added, particularly in comparison to the global devastation elsewhere. (A few Home Depot-style stores were hit by the malware, but that was because their servers in France were infected.)

Today, even as larger and more advanced countries struggle with cyberattacks, whether politically motivated hacks or finance-related crimes, Estonia has become one of the most digitally connected — and secure — societies in the world. And as the United States approaches the 2020 presidential election mired in debates over how best to secure its voting process against the type of attack Russia carried out in 2016, some of the smallest European countries have modernized at a fast pace.

Though Russia’s cyber operations got a major boost of publicity during the 2016 U.S. presidential election, Moscow’s use of hackers to extend its influence abroad dates back to the late 1990s, when NATO began airstrikes in Yugoslavia. Moscow had opposed the move, and Russian hackers tunneled into digital systems belonging to governments and militaries in the U.S., the U.K., Canada, Brazil and Germany. The FBI dubbed the theft “Moonlight Maze,” one of the earliest digital campaigns of that scale.

However, it wasn’t until 2007 that Russia mounted its first full-scale digital attack on a country.

That was the year the Estonian government decided to move a Soviet-era statue from the heart of its capital in Tallinn to a military cemetery. Russian-speaking citizens in Estonia took to the streets in protest. Those tensions exploded over “fake” stories in Russian media about the destruction of the statues, followed by a crippling denial-of-service attack that flooded Estonian servers, from the Parliament to local businesses, with digital traffic. Estonia briefly went offline.

“The history of cyberwarfare will always begin with Estonia,” said former Estonian President Toomas Hendrik Ilves in an interview with Yahoo News in May. The 2007 attacks were “a taste” of the future of cyberwarfare, said Ilves, who was president of Estonia from 2006 to 2016 and now works at Stanford University.

While the U.S. and the U.K. sent scouts to observe the Estonian system after the attack, many in the intelligence and national security community failed to take the threat seriously. “I’ve always felt so bad for Estonia,” said one former CIA official who did analysis on Europe.

The former official recalled Estonian officials pleading in D.C. meetings for U.S. attention. “They’ve always been like, ‘Hey, but also Russia. Don’t forget us.’ Cybersecurity is an actual thing we need to worry about, and Russia is fighting us on a daily basis.”

Estonia also learned from those attacks, however, and in 2008 Estonian officials even helped Georgia when it was hit by a similar Russian attack by offering mirror sites it had created for important online resources such as government agencies and public services.

That same year, Estonia established an academic center dedicated to cybersecurity, the NATO-accredited Cooperative Cyber Defense Center of Excellence. (Estonia first proposed the idea in 2004, but there was no “fertile soil,” or political support, to develop it at the time, according to Siim Alatalu, a strategy researcher at the center.) Today the center has 18 sponsoring nations and three additional participants, and annually hosts Locked Shields, the largest cyber exercise in the world. Estonia also has a voluntary cyberdefense force and partners closely with the U.S. state of Maryland, where a large amount of digital security knowledge is concentrated, thanks to institutions like the National Security Agency.

Following Russia’s annexation of Crimea from Ukraine in 2014, Kremlin-directed hackers turned their attention to Ukraine, which became a testing ground for an array of Russian attacks. In 2015, less than 10 years after the NATO center was established in Estonia, parts of Ukraine’s power grid temporarily went down thanks to a digital attack later linked to the Russian hacking group Sandworm.

This renewed wave of Russian operations prompted more countries in Europe to build up their cyber forces. Sweden, which is not a NATO member and remains staunchly neutral, recently reinstated conscription and is currently recruiting its first class to educate cyber soldiers. It could take years to find the right people with the right skills, said Charlotta Ridderstråle, one of the people designing and recruiting for the program.

“Like many countries, we see more and more activities in our systems,” she told me in Stockholm. “In Sweden we’re quite digital,” making protection important, she said. “We don’t have too many chances to do it right.”

The Netherlands, in fact, has been active for a while in tracking and countering Russian attacks. In 2014, the Dutch intelligence agency known as AIVD penetrated Cozy Bear, the Russian hacking group responsible for the hack of the Democratic National Committee and other operations. That allowed it to tip off the Americans before the 2016 election.

More recently, the Dutch have been focusing on trying to go public with some of these operations. In October 2018, the Dutch Ministry of Defense released a detailed report on Russian military intelligence officers’ attempt to spy on the Organization for the Prevention of Chemical Weapons in The Hague. The organization had been investigating the poisoning of former Russian intelligence officer Sergei Skripal.

The Dutch, working with the U.S., were able to get other countries such as Germany and France to agree to a mutual release of information on the attempted hack, according to Chris Painter, the former top cyber diplomat under Presidents Trump and Obama. “They are being targeted, their institutions are being targeted,” he continued. “The Dutch have a very strong reputation in the human rights community and have also established a strong reputation and leadership on cyber issues, and they can bring other countries in as well.”

Estonia was also faced with a recent challenge. In 2017, an academic group discovered that certain Estonian ID cards could potentially be breached based on a security flaw. But it would have taken hours and “buckets of money” to break into one individual card, said Estonian Defense Minister Jüri Luik. The government quickly issued new cards, routinely updating the populace on the progress, and no breaches were detected. Multiple Estonian officials told Yahoo News the card’s security flaw, which the company initially did not disclose to the Estonian government, was a good example of how a bureaucracy can efficiently handle inevitable digital security concerns.

Alexander Klimburg, the director of the Hague-based Global Commission on the Stability of Cyberspace, told Yahoo that Europe is also leading in setting the norms of behavior for how governments operate in cyberspace. That includes the Tallinn Manual in Estonia, which was published after the 2007 cyberattacks to interpret how existing law applies to cyberspace, new data collection laws in Sweden and Holland, and the new European privacy law, GDPR.

Klimburg, also a program director at the Hague Center for Strategic Studies, says that even as Europe steps up, Washington has been less engaged in discussing cybersecurity. The Trump administration doesn’t currently have a top cyber diplomat, a position that was last filled in the summer of 2017, or a White House official in charge of cyber issues. However, the U.S. in 2018 declared it would offer assistance in offensive and defensive cyber operations to NATO allies, if asked.

Klimburg, the author of “Darkening Web: The War for Cyberspace,” was also critical of the Pentagon, which declared its intention in a “strategic vision” document for U.S. Cyber Command in June 2018 to ramp up its engagement in cyberspace. It followed through, allegedly shutting down internet connections in Moscow on the day of the U.S. midterm elections, and recently in Iran, striking command-and-control technology for the Islamic Revolutionary Guard Corps in response to commercial ship bombings. That kind of escalation blurs the lines between peace and wartime, argued Klimburg.

For Klimburg and other cyber experts in Europe, the real way to respond to the Russian meddling in the 2016 election is for countries to ensure their own institutions are well protected. “It is always about resilience,” he said.

Other European countries, like Finland, appear to be following suit. In 2015, Finland established the European Center of Excellence for Countering Hybrid Threats, which trains governments around the world to get officials in the military, intelligence communities and other areas to work together, according to Päivi Tampere, a spokeswoman for the center. We need to “look inward at our own societies,” she said, instead of simply blaming bad actors like Russia.

For Estonia, a key test of that “resilience” was its recent European Union parliamentary elections, which were conducted in part online. Since Estonia introduced the option of voting online in 2005, digital security experts have heavily criticized the decision, pointing to inherent vulnerabilities with voters’ computers and devices as well as difficulties ensuring voter privacy and tally accuracy. Estonian officials acknowledge the vulnerabilities but continuously work to improve the system. They believe the digital ID card, which uses two-factor authentication and anonymizing software, eliminates a large number of basic digital attacks and affords people the convenient option of voting remotely, increasing democratic participation.

They don’t need to be the fastest gazelles on the plain — they just need to beat the slowest ones, they argue. And the intelligence services are confident in their ability to detect attempts at meddling.

Plus, the Estonian people have confidence in online voting. The option may not be directly applicable to the United States, where voting is decentralized and there is little confidence in voting technology, but the general principles of establishing trust over time and putting security first may be valuable lessons. Almost every high-ranking Estonian official interviewed by Yahoo News, including former President Ilves, said they had voted online for the parliamentary elections in May.

“In the case of this year’s election in Estonia, high levels of confidence were noted in internet voting and in the technical abilities of the authorities to ensure their smooth operation,” said Katya Andrusz, a spokesperson for the Office for Democratic Institutions and Human Rights, an independent international body that oversees elections and has given Estonia both praise and criticism over the years for its digital voting option.

For Ilves, the former Estonian president, the country’s success also highlights how far the United States has to go.

“If you want to know how bad it is elsewhere, in the United States, in the U.S. Congress … the staffers are issued ID cards that have a chip decal on them, not an actual chip,” he said. He had visited Congress weeks before. A Senate aide confirmed the ID cards still have fake chips, while the sergeant-at-arms responsible for congressional security, including the ID cards, did not respond to a request for comment.

“Do you wonder why the U.S. Congress has been repeatedly hacked?”

This article originally appeared on Yahoo News on June 29th, 2019.