About Us | Bookmark Us     


Estonia is preparing to save the world from horrible hackers, sinister cyber-criminals and rampaging robots, says Mike Collier.

During a state visit to the US recently, Prime Minister Andrus Ansip claimed Estonia's success in combating a massive cyber-attack last year made people compare it with Bruce Willis in the Die Hard films. Not content with basking in the glory of being the plucky underdog that punches above its weight, Estonia is now committed to developing a cutting-edge cyber-security industry that will allow it to sell its expertise around the globe.

Ansip said that the issue of how to handle cyber-attacks has become a hot topic and US Secretary of Defense Robert Gates added that America holds Estonia's cyber-readiness in high regard, a fact backed up by the US's willingness to establish NATO's main centre of cyber-warfare expertise in Tallinn. According to Estonian Defence Minister Jaak Aaviksoo, US officials even told him that Estonia had coped better with the April-May cyber-attacks than the US would have done in similar circumstances.

Estonia's IT infrastructure was subjected to a massive barrage of spam, viruses and 'botnet attacks' (using thousands of hijacked home PCs) in April and May 2007, in the wake of riots sparked by the relocation of a Soviet Red Army war memorial in Tallinn. Subsequent investigations confirmed that the bulk of the attacks originated Russia and had a degree of coordination, but the Russian government has denied any involvement.
Whoever was responsible for the cyber-attack has ended up doing Estonia a massive favor. Quite apart from the simple fact of winning the Baltic State headlines and sympathy around the world, Estonia's ability to withstand the attack provided a perfect showcase for its credentials as 'e-stonia', a modern, technologically advanced Scandinavian-style state rather than a dour Eastern European economy playing catch-up with the West.

 "Due to efficient and fast security measures, we were able to neutralise the attacks, but learned a valuable lesson here anyway – cyber security is a new measure of security, which must be actively engaged in both on the domestic and international level," Ansip said in Washington.
Evidence of a serious commitment to 'e-stonia' is not hard to find. As early as 2002 the Estonian parliament approved Internet voting for local elections (now to be extended to general elections) and by January 2006, over 355 governemnt agencies and 50 state databases had been joined using an advanced secure server system called 'X-Road'. 95% of banking operations are now carried out electronically, school pupils receive their exam results via SMS and Estonians commonly us their mobiles to pay parking fees. The country pulled off a public relations triumph when it opened a virtual embassy in the online computer game Second Life.

Estonia is playing the cyber-security card at every possible opportunity. President Toomas Hendrik Ilves banged the drum when he addressed the UN General Assembly in September, saying "Cyber-attacks are a clear example of contemporary asymmetrical threats to security. They make it possible to paralyze a society, with limited means, and at a distance.In the future, cyber attacks may in the hands of criminals or terrorists will become a considerably more widespread and dangerous weapon than they are at present."
Estonia has placed the issue on a par with energy security for its chairmanship of the Baltic Council (which brings together parliamentarians from all three Baltic States) from May 2008 and has already got eight other countries ready to participate in the building of a NATO Center of Excellence in Cooperative Cyber Defense (those countries being the US, Spain, Germany, Italy, Bulgaria, Lithuania, Latvia and Poland).

"Estonia has drafted two cooperation agreements, one of which will be signed between the countries that have expressed the wish to take part in the NATO Center of Excellence in Cooperative Cyber Defense and the other between NATO as an organization and the countries taking part in the center of excellence," Aaviksoo confirmed in November 2007, leaving the door open for commercial as well as military development at the centre. Partners will be asked to formally sign up in January 2008.
In July Estonia's government has called for an international convention on combatting computer-based attacks like those directed against Estonia in May.

Global ratification of the convention would establish "a strong legal basis to fight cyber crimes," the Estonian Ministry of Economic Affairs said in a statement. Signatory countries would cooperate in preventing computer-related crimes and tracking down organizers of cyber attacks.
Such is the lead that Estonia is opening up on cyber-security that other countries are already trying to poach some of its leading figures. Hillar Aarelaid, CEO of the national Computer emergency Response Team (CERT) has admitted to receiving several attempts to lure him overseas already, including an "exotic" bid from Singapore.

As well as government websites, Estonian banks came under cyber-attack during this year's showdown. Swedbank-owned Hansapank was among the targets but managed to keep its infrastructure intact and only relatively minor damage was done. Now that it has 'battle hardened veteran' status, financial institutions elsewhere are willing to learn lessons from the likes of Hansapank in order to protect themselves aginst future threats, according to the bank's  internal-supervisory departments director Toomas Vaks. "Thanks to that [attack]" he told local press, "Estonia has repeatedly been invited to discussions in various international crime fighting seminars... These so called test attacks mean that Estonian banks have to be ready for constant 'wars', during which security systems have to be constantly improved and where police work has to be included. That is also a reason why the joint work between banks and police is extremely good," said Vaks.

Nordea Bank senior analyst Mikka Erkilla points out that by specialising in cyber-security, Estonia is effectively creating a new financial services product. It is almost impossible to put a figure on the likely size of the sector, however, with applications including such diverse areas as communications, database protetction, cost savings and remote military operations, it is potentially enormous. Some estimates put the global cost of cyber-crime at around $100 billion every year.
"The problem is that there are so few listed companies on the Estonian stock market that the question becomes how to attract more companies to list," Erkilla told ToL, adding that it is essential for Estonia to team up with larger international players in order to participate away from its "small and shallow" home market.

" It will be an important industry, and then comes the question of the euro, where [Estonian technology] could help with reducing transaction costs."
Erkilla cites a likely euro entry date of 2011-12, by which time the Estonian cyber-security sector should be up and running and able to offer its services across the whole continent – and beyond.
But the real secret of Estonia's cyber-success lies in the inherent adaptability of being a small, well-organised state not afraid to make bold, unorthodox calls. Alexander Ntoko, head of corporate strategy at the International Telecommunication Union (ITU) told City Paper that it was this imaginative way of reacting that is really behind the secret of Estonia's emergence from the cyber-attacks relatively unscathed. "In a number of countries, when the presidential website is being attacked, everybody rushes to protect it. In Estonia it was different. They said 'Well, let them attack and destroy this,' so that it would divert them from destroying more critical things. The president basically gave up his own website and let them continue to attack it so that they would not be able to attack other things. That took a lot of political maturity."

"They didn't have enough people to be able to deal with the massive nature of the attacks so they had to see how they could divert attention from other resources. We are still following up on the Estonian experience because we want to be able to learn as much as we can and how to help other countries who might be subject to these types of attacks."
But in the fast-moving worlds of information technology and communications, time is of the essence, Ntoko believes. Unless these lessons are learned quickly, we could soon be witnessing scenes that would once have been the realm of sci-fi dystopia.
"Imagine the types of attacks that could occur. Before, we were looking at people destroying information. But soon there will be the possibility of people being able to remotely manipulate industrial machines," Ntoko told City Paper.

"Can you imagine what it would be like when you have robotics controlled via the Internet? Not just service attacks but real attacks on real infrastructure. This link between the physical world and the cyber world is almost disappearing."