This paper evaluates the effect of the Estonian cyber incident on Estonia, Russia, the United States, the European Union, and the North Atlantic Treaty Organization, also known as NATO. The paper employs the Valeriano and Maness criteria for evaluating a cyber incident critically. The article asks how did the Estonian cyber incident come to pass, what were the foreign policy and international relationship effects, what was the impact on Estonia, and how did Estonia react to the attack. The essay concludes that the Estonian cyber incident was a catalyst, prompting the nations listed herein to address the effects of cyber-attacks, and then search for acceptable solutions.
Academic Editor: Barbara Kelemen, Central European Institute of Asian Studies (SK).
Checked for plagiarism: Yes
Review by: Single-blind
Copyright © 2020 Donald L Buresh
The authors have declared that no competing interests exist.
The purpose of this paper is to analyze the Estonian cyber incident of 2007 critically using the Valeriano and Maness criteria1. The analysis will focus on answering the following four questions:
How did the Estonian incident come about?
What was the foreign policy and international relations contest of the Estonian attack?
What was the impact of the attack on Estonia? and
What was the reaction to the incident by Estonia?2
Because there were five parties involved in the incident – Estonia, Russia, the United States, the European Union, and NATO – the answer to the second question is divided into three parts, (1) the relationship between Estonia and the United States, the European Union, and NATO, (2) the relationship between Estonia and Russia, and (3) the relationship between the United States and Russia. The paper concludes by pointing out that the Estonian attacked resulted in better political relations between Estonia and the West, the publication of the Tallinn Manual, while Russia became further isolated from the Western powers.
How Did the Estonian Incident Come About?
The Estonian cyber-attack started on Friday, April 27, 2007, and finished on Friday, May 18, 2007, continuing for three weeks3. The attack was triggered by the decision of the Estonian government to move a Soviet World War II memorial of a Bronze Soldier from central Tallinn, the capital city of Estonia, to a military cemetery4. During holidays related to World War II, Russian Estonians commemorated their losses by placing flowers on the site5. These events increasingly provoked hostile actions against the Estonian government by the Russian government and Russian media, where the protests in the streets quickly morphed into riots6. The Estonian embassy came under siege, and the Estonian ambassador to Russia was physically harassed.7 Estonians had almost universal access to the Internet, where the government had promoted information technology to expand the ability of Estonian citizens to communicate with their government and vice versa8. By 2001, the Estonian government had become virtually paperless9.
The cyber attackers employed the following four methods against the Estonian government and Estonian companies and institutions:
Distributed Denial of Service (“DDoS”) attacks;
Website defacement; and
Data Name Servers (“DNS”) attacks;
Mass email comment spam.10
First, the attacks from April 27 to April 29 involved defacing government websites, where these attacks were reasonably clear-cut, employing the ping command11. However, over time, malformed web queries were used against government and media sites12. The second phase began on May 04, involving penetrating and precise attacks against these sites and data-name servers that employed botnets, where the attacks came from proxy servers located in foreign countries13. The second wave lasted from May 09 to May 1114. In Russia, May 09 is Victory Day, a national holiday, celebrating the defeat of Nazi Germany in World War II15. During this phase, phase, the DDoS attacks were amplified by 150 percent against government websites16. Hansapank, the largest Estonian bank, was also impacted by the DDoS attacks17.
During the third wave, 85,000 Estonian computers were hijacked, where the third wave occurred from noon until midnight on May 1518. The attack on the SEB EestiÜhispank website, Estonia’s second-largest commercial bank, lasted for approximately 1.5 hours for Estonian customers and much longer for customers outside the country19. On May 18, or during the fourth wave, both government and banking websites suffered from DDoS attacks20. The attacks were traced to computers in 178 different countries and were probably politically motivated by people who followed instructions on Russian-language websites21. The second phase of the episode seemed to be controlled from a central location, but only a few individuals acknowledged responsibility for the attacks22. The Russian government denied any involvement in the cyber-attacks23.
The cyber-attack noticeably affected the whole Estonian economy because Estonian institutions heavily relied on information and communications technology infrastructure24. Banks, media companies, government institutions, and small to medium businesses were affected25. Communication with public administrators was significantly impeded along with the information flow to other countries, where one side-effect was that legitimate Internet traffic was congested26. On a technical level, Estonia, along with the European Union (“EU”) and the North Atlantic Treaty Organization (“NATO”), worked together to combat this attack27. In the end, public awareness was magnified, Estonia began cooperating with other nations to prevent such attacks in the future, thereby raising international awareness of cyber-criminal activity28. The result of the episode was that countries became aware that cyber-attacks have global consequences with the possibility of affecting multiple regions and nations29.
What Was the Foreign Policy and International Relations Contest of the Estonian Attack?
In attempting to appreciate the foreign policy and international implications of the Estonian cyber-attack, it is necessary to list the players. Based on the information above, the parties involved directly or indirectly were Estonia, Russia, the European Union, NATO, and the United States30. Mathematically, there are ten possible relationships to consider31. However, from a practical perspective, this number can be drastically reduced because several of the relationships are similar. For example, Estonia’s relationship to the United States, the EU, and NATO can be analyzed as a single relationship because (1) NATO is led by the United States, and (2) the EU is an ally of the United States. Estonia’s relationship with Russia is another possibility because Estonia is a Baltic state that borders Russia, and according to Valeriano and Mannes32, rivalries may exist between Estonia and Russia. Finally, there is the relationship between the United States and Russia to contemplate. Even though the United States and the European Union are separate sovereign entities, and NATO is a non-government organization, their relationship is more likely related to the relationship between the United States and Russia.
Estonia and the United States, the European Union, and NATO
The primary effect of the Estonian cyber-attack was that Estonia drew closer to the West, particularly the United States, the EU, and NATO33. Mansel aptly pointed out that the country went from Estonia to E-stonia34. According to McGuinness, the government of Estonia has established a voluntary Cyber Defence Unit35. These individuals are trained by the Estonian Ministry of Defence, donating their free time to protecting their country by practicing what procedures to follow if a utility or an Internet service provider was the victim of a cyber-attack36. After the Russian annexation of the Crimea in 2014, on the weekends, 25,000 Estonian volunteers dress up in fatigues, practicing their shooting skills37.
Another major international event that brought Estonia closer to the United States, the EU, and NATO were the creating of the Tallinn Manual on the International Law Applicable to Cyber Warfare
(“Tallinn Manual”)38. It was written by the Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence (“CCDCE”) by an international group of approximately twenty experts39. According to Schmidt, in the latter part of 2009, the CCDCE assembled an international group of legal scholars and practitioners to write a manual that dealt with interpreting international law in the context of cyber operations and cyber warfare40. It was the first time that the international community comprehensively and authoritatively addressed cyber operations and cyberwar with the desire to bring order to these highly complex legal issues41.
The result of these efforts was that Estonia drew closer to the West, and the West embraced Estonia42. Another consequence of the Estonian attack was the increased political distance between Russia and the United States, the EU, and NATO43. In other words, the Estonian attack further strained the relations between the United States and Russia (Valeriano & Maness, 2015)44. This will be discussed later in this paper.
Estonia and Russia
According to Valeriano and Maness, the purpose of the Estonian cyber-attack was to punish Estonia for disrespecting Russian culture, history, and identity by removing the Bronze Soldier from central Tallinn to a military cemetery45. At the beginning of World War II and during the post-war period, Estonia became a satellite state of the Union of Soviet Socialist Republics (“USSR”). Thus, it makes sense that when the USSR dissolved, and Estonia received its independence, there would be significant animosity between the two sovereigns46. It should also be remembered that during pre-World War II, there was a substantial number of ethnic Russians that lived in Estonia47. After the war, Estonia was ruled by Moscow via Russian-born Estonian governors. They were from families of native Estonians residing in Russia, having later obtained their education in the Soviet Union during the Stalinist era48. Many of these individuals had fought in the Red Army under the guise of the Estonian Rifle Corps49. Even so, only a few spoke the Estonian language50.
According to Valeriano and Maness, the dispute about the Bronze Soldier began in 1991 when Estonia, like many other satellite states, cast off the Soviet yoke51. Like Latvia and Lithuania, the two other Baltic states, Estonia, viewed the Soviet annexation into the USSR after World War II, trading one oppressive regime (Nazi Germany) for another (the USSR)52. Given that in 2007 seven percent of ethnic Russians lived in Estonia, it was not surprising that these individuals perceived the movement of the Bronze Soldier as an affront to their Russian identity and to the millions of Russians that died during World War II while freeing the world from Nazi oppression53. As a significant power and as a permanent member of the United Nations Security Council, one could anticipate that Russia would be offended by Estonia relegating the Bronze Soldier to a seemingly unknown location54.55According to Valeriano and Maness, it is not astonishing that Russia reacted, or even overreacted, in a manner to protect its perceived honor56. What was startling was that Russia engaged in cyber action as a retaliatory response57.
The United States and Russia
According to Stadnik, US-Russian cyber relations desires to answer the following two questions:
Can the United States or Russia change the cybersecurity discussion in another country without committing a cyber-attack; and
Do shifts in the discourse between the two power promote changes in foreign policy towards cyber-norms? 58
Ashmore observed that the high profile Estonian attack thrust cybersecurity from the domain of Internet magazines into the mainstream media59. In the short-run, the attack advanced the perception of a new Cold War between the United States and Russia and between Russia and former Soviet satellites60. The episode also demonstrated that NATO, the EU, and even the United Nations (“UN”) had inadequately prepared for preventing cyber-attacks61.
At issue is that there is scant evidence indicating that the Russian government was involved in the attack62,63. Even so, the circumstantial evidence does suggest that the Russian government was probably behind or support the attack64. When countries or organizations are opposed to each other, a cyber-attack to influence the other party may be a viable option65. This rule seems to be correct, with one glaring exception – the relationship between the United States and China66. According to Valeriano and Maness wrote that only in this instance is a cyber-attack met with diplomacy by the United States rather than a cyber response67.
On November 18, 2019, a United Nations committee passed a Russia-backed cybercrime resolution by a vote of 88 to 58, with 34 countries abstaining68. The resolution was sponsored by Russia,
Belarus, Cambodia, China, Iran, Myanmar, Nicaragua, Syria, and Venezuela, and was entitled, Countering the use of information and communications technologies for criminal purposes69. Unfortunately, the United States was disappointed with the decision70.
The resolution created terms of reference for a future worldwide cybercrime treaty71. According to Sherman and Reynolds, hacking attacks, privacy violations, or identity thefts are not the primary concern of the document72. The idea behind the proposal is to make it easier for nations to cooperate in repressing political dissent73. Although the ramification of the vote is that China and Russia are becoming quite adept in traversing international politics via the UN, the effect on the US-Russian relationship is that the Russian government is taking steps to curb the blatant use of the Internet for political purposes.74
In contrast, according to Collier (2019), twenty-seven (27) nations expressly agreed that countries should adhere to international law regarding basic rules concerning cyber behavior75. Some signatories include the Five Eyes intelligence alliance (the United States, the United Kingdom, Australia, New Zealand, and Canada) and other major European nations, Colombia, Japan, and South Korea76. The agreement stated that it is acceptable to engage in cyber espionage among nations, but attacking civilian infrastructure or providing a country with an economic advantage is objectionable77.
If the United States and other Western nations (including Japan and South Korea) can overcome their suspicion of Russia and China, the long-term effect of the Estonian attack could be greater cooperation between the two superpowers, their allies, and non-aligned states. Without an international cyber framework, cybercriminals will probably continue to operate successfully, profiting from their activities78.
Thus, it appears that the Estonian attack may be the catalyst for future cooperation among the United States, Russia, and even China79. With diplomacy, a sense of urgency may not necessarily be a precious commodity, but what is essential is that the need for cyber rules is becoming increasingly evident. A synthesis between the American perspective on international cyber regulations and the Russian-Chinese view on cyber laws may be closer than some people think. Time will tell.
What Was the Impact of the Attack on Estonia?
According to Valeriano and Maness, the short-run monetary impact on Estonia was a loss of US $750 million in business and government revenues80. The Estonian government was hampered in conducting normal business operations or providing government services to its citizenry81. Estonia experienced another impact when NATO did not react thoughtfully while the attack occurred82. Rid observed that the long-term result of the incident was that Estonia successfully acquired from NATO permanent cybersecurity agency in Tallinn, the Cooperative Cyber Defense Centre of Excellence83. Although one should remember that the Centre was created before the Estonian incident, the cyber-attack assured that the Centre would, after that, become critical to NATO operations84.
Finally, during the Estonian cyber-attack, there was the real possibility that Estonia would have invoked Article 5 of the NATO Charter, thereby yanking other NATO states into the fray and potentially causing a crisis in conventional foreign policy85. Fiedler (2013) insightfully observed that when other nations are drawn into a conflict, the chances of success decline dramatically. The reason is that calmer minds may be cast to the wayside86. According to Valeriano and Maness, it is possible that Estonia over- reacted, but with no precedent to guide the nation, the Estonian response may have, after all, been reasonable.87
What Was the Reaction to the Incident by Estonia?
According to Valeriano and Maness, after the cyber-attack ended, Estonians felt violated and vulnerable88. A Saar Poll indicated that 65 percent of all Estonians believed that cyber incidents were the greatest threat to this small Baltic state89. In comparison, 55 percent of Estonians thought that foreign intervention threatened Estonian sovereignty90. According to Valeriano and Maness, the cyber-attack did little or no damage beyond a loss of time and a perceived loss of security91. Essentially, the threat of a conventional conflict was negligible92. The real impact is that Estonia is now considered a cybersecurity hub, where Tallinn, the capital of Estonia, has hosted the International Conference of Cyber Conflict at least five times93.
Although Estonia could have prompted NATO to engage in a tit-for-tat response, at the end of the day, it was Russia that was chastened as a disruptor of the international order94. There is a question regarding Russia’s culpability, but it is probably correct to say that the Russian government could have stopped the attack95. Quite likely, the sophistication of the attack caught the attention of the Russian Federal Security Service (“FSB”), the successor to the Komitet Gosudarstvennoy Bezopasnos (“KGB”), and the American Central Intelligence Agency (“CIA”)96. The Estonian targets were hit with surgical precision, pointing to Russian government involvement97. To naïvely state that the cyber-attack was an amateur effort challenges the reasonable mind98. The scope, precision, and organization of the cyber-attack seem to support the conclusion that the attack possessed government support99. Finally, the cyber-attack was comprehensive because of the Estonian response, and not because the attack was organized at the beginning of the conflict100.
In conclusion, the Estonian cyber incident was a significant cyber-attack that did not lead to a kinetic conflict101. It is also an important milestone because the attack led parties in the East and the West to a better understanding of cyber conflict and its ramifications. The Tallinn Manual was created in response to the Estonian cyber-attack102. Finally, even though the major powers cannot currently agree on how to address cyber conflicts, both the United States and its allies, together with China and Russia, seem to be seeking ways to mitigate cyber conflict. Over time, a synthesis will most likely occur, where the meshing of the two perspectives may yield a cohesive whole. It is only a matter of time.