At a grey complex of buildings on the outskirts of Tallinn, Estonia, a battle is about to take place. But on this April morning, the surrounding streets are quiet. Troops are nowhere to be seen. This battle will happen in cyberspace, and most of the combatants are thousands of kilometres away, taking their positions in countries across the world.
This is the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE), host to the world’s biggest annual cyber defence exercise, called Locked Shields. There are hundreds of participants: cyber security and technical experts from 25 nations. A Red Team squares off against a Blue Team to wage cyberwar in a sophisticated simulated universe that was designed and built at this centre.
The Red Team are the attacking side, and aim to cripple the Blue Team through simultaneous attacks on multiple fronts. They can hack the power grid, crack compromising information out of databases, and take remote control of the Blue Team’s drones to turn them against their own side — all using methods of destruction that have been deployed in the real world.
The Blue Team must defend and repair infrastructure, and decide what to prioritize and what to abandon as the waves of attacks keep coming. Amid a (fictional) growing media storm, the Blue Team must also race to identify who is behind the attacks and figure out what, and when, to tell the public.
As the Blue Team’s cyber defenders rush to protect their imaginary homeland, they are in constant consultation with team members advising on the legal and diplomatic implications of various strategies — including whether or not they should hack back against their aggressors.
The training exercise is designed to help security experts who could be called upon to protect their countries from future cyber attacks. It forces the Blue Team to grapple with some of the most contentious questions in cyber security today: When is it acceptable to go on the offensive? Which acts of state cyber aggression are serious enough to permit retaliation? Should powerful cyber weapons, such as malware that can take down an attacker’s power grid, ever be on the table?
There is no clear road map for a country that suffers from state-sponsored cyber aggression — as the United States learned in the aftermath of a presidential election campaign that was characterized by hacking, interference by social media bots and other digital influence operations. Attempts by the global community to establish norms around online behaviour have been mixed. And experts fear that until that happens, bad actors will take advantage of the uncertainty to keep wreaking havoc while the rest of the world grapples with how to respond.
It’s no coincidence that the issue is being debated here in Estonia. Ten years ago, this small Baltic country of 1.3 million people suffered an attack that would become a landmark in the history of cyberwarfare: the first known assault on an entire state.
The Bronze Soldier
Among the tombstones in a graveyard behind the CCD COE stands the statue that ultimately led to the centre’s founding. The Bronze Solider is a Soviet war memorial. It is an imposing figure, two metres tall, dressed in World War II fatigues and standing with its head lowered against a broad stone backdrop. Fresh carnations left by visitors adorn the soldiers’ hands and feet.
To Estonians, this and other Soviet memorials may represent occupation and oppression, recalling the invasions of World War II that ended Estonia’s first period of independence and brought it under Soviet Union rule until 1991. But among the Russian minority that makes up a quarter of the country’s population, and particularly among Estonia’s many Soviet army veterans, such war monuments are cherished testaments to the defeat of Nazi Germany and the millions of lives lost in the effort.
In the first years of the newly independent Estonia, the Bronze Soldier occupied a prominent position in a central Tallinn square. But by 2006, with the interpretation of history an increasingly important political tool under Russian leader Vladimir Putin, just on the other side of the Narva River, the monument became the focus of rising tensions. There were standoffs between Red Army veterans who gathered there to mark military anniversaries, and Estonians who objected to their Soviet flags.
In April 2007, the Estonian government decided to act. It blocked access to the monument and moved to relocate the statue to a military graveyard, where it now stands. The response from Estonia’s Russian community was furious. Reports circulating on Russian-language media — a main information source for Estonia’s Russians — claimed the monument was being demolished, along with graves of fallen Soviet soldiers. The reports were false, but it made no difference.
On the night of April 26, the anger boiled over. Mass riots and looting broke out in Tallinn’s streets. For two nights, Russian-speaking protesters faced down riot police. Shops were smashed and cars flipped over; one person was killed, more than 150 were injured and 1,000 were taken into custody.
But as rioters clashed in the streets, a new front in the conflict emerged. On April 27, Estonian institutions came under sustained and coordinated cyber attack. Botnets swamped banks, newspapers, telecommunications companies, government ministries and the Estonian parliament with spam and distributed denial-of-service attacks. The country that had rebuilt itself since independence as a tech-savvy cyber state now discovered the vulnerability that came as a flipside, as some of the attacks continued for weeks. Almost 60 key websites were offline at once. Automated teller machines and government email stopped working. And Estonians couldn't look to the media to find out what was happening, because journalists couldn’t use the internet to report or deliver the news.
The cyber attackers were out to cripple the infrastructure of the Estonian state. Many of the attacks were traced to Internet Protocol addresses in Russia, and Russian-language instructions for launching attacks were posted online on various forums. The attacks also escalated on May 9, when every year Russia commemorates Germany’s 1945 surrender to the Soviet Union, and dwindled the next day. But Moscow continues to deny it played any role in the attacks.
While the Estonia attacks in 2007 were the first suspected incident of state-sponsored cyber attacking, they were far from the last. The Stuxnet virus that damaged Iran’s nuclear centrifuges, discovered in 2010, was attributed to the United States and Israel. North Korea was blamed for the massive hack on Sony in 2014. Russia was suspected of attacks that briefly knocked out Ukrainian power grids in 2015 and 2016. And then came the US election operations in 2016, which US intelligence officials attributed to Russia.
Cyber security experts fear that without clear global norms and expectations around cyber offences — including states’ rights when it comes to responding to attacks — such attacks will only continue. In a recent paper for the Centre for International Governance Innovation, cyber policy expert Melissa Hathaway writes that the lack of strong, predictable responses to cyber attacks is contributing to “a new de facto norm — ‘anything goes’ — and this is dangerous because it increases the risks to international peace, security and stability.”
State of Play
The internet has revolutionized every aspect of society it has touched, and international relations is no exception. The theoretical frameworks that underpin conventional warfare — concepts such as deterrence and credibility — have been turned on their head by cyber warfare. Unlike with physical weapons, it is virtually impossible to verify the cyber capabilities of opposing states, and an adversary is unlikely to disclose its capabilities willingly — cyber weapons are only useful if your enemies do not know about them and cannot patch their weaknesses in response. At the same time, the origins and methods of cyber attacks can be obfuscated, making it difficult to attribute attacks with total certainty.
The global community has made several attempts over the years to address the rapidly changing nature of cyberwarfare. In 2004, the United Nations established its first Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, commonly known as the GGE. Rather than drafting a new treaty or protocol, this group brought together independent experts representing 15 states to build consensus on how to promote peace and stability in cyberspace. The third GGE, in 2013, agreed on a set of foundational norms — most importantly, the idea that international law applies to cyberspace.
That same year saw the first edition of the Tallinn Manual, a set of guidelines drafted by legal experts interpreting international law in the context of cyberspace. The manual was commissioned by NATO’s CCD COE, which was established in Tallinn after the 2007 attacks to train and forge cooperation networks between NATO states while establishing how defence doctrine would apply to the cyber arena. The second edition of the manual was published in early 2017.
According to the principles of international law, states have the right to use force to defend themselves when attacked by another state. When it comes to cyber attacks, the growing consensus in the international cyber security community is that states can respond with force if the attack inflicts physical harms comparable to those caused by a conventional weapons attack. In 2016, NATO Secretary-General Jens Stoltenberg acknowledged that a cyber attack of sufficient seriousness against a member state could trigger an article 5 collective response.
The key problem is that the vast majority of cyber operations do not cause lasting physical damage to property or citizens, meaning they fall short of that threshold. That doesn’t mean these attacks are harmless: hacking, ransomware or influence operations can disrupt government or health services, delete essential data or sow widespread confusion. But the global community lacks clear agreements, norms or precedents that could provide a road map for states victimized by these kinds of operations. While the Tallinn Manual 2.0 addresses at length attacks that are below the threshold of armed conflict, it is not a definitive document. Even the director of the project notes that “our understanding of how international law applies to cyber operations is in its infancy.”
States also have the option of using “countermeasures” short of military force to respond to an attack, but only under specific circumstances. For one thing, a state can only use countermeasures after it has asked the attacker to stop and the attacker refuses. But international law that was designed to deal with physical attacks is poorly suited for responding to cyber attacks. “The speed and secrecy of cyber means that an attack will likely be over before the victim even knows it has occurred, let alone has the opportunity to file a request for cessation and wait for a response,” legal expert Rebecca Crootof writes. “States are likely to have delayed reactions to cyberoperations — and delayed reactions look more like prohibited punishment than permissible countermeasures.”
In the face of so much uncertainty, states facing cyber attacks have been reluctant to respond with counterattacks — and that lack of consequences may only embolden the attackers. “My personal opinion is that we don’t do deterrence well enough in this area,” Chris Painter, formerly the US State Department’s cyber coordinator, told the audience at CyFy: The India Conference on Cyber Security and Internet Governance, an international tech and security conference held earlier this month in New Delhi. “You only deter bad actors if you have a credible and timely response, and I don’t think our responses have been all that timely, and I don’t think we have enough credible tools out there.”
Without a clear legal option for responding to cyber attacks in kind, states have mostly found other ways to retaliate. For instance, the United States used economic sanctions to punish North Korea after the 2014 Sony hack, and responded to the 2016 election operations by expelling Russian diplomats. But are such measures enough to deter states from acts of cyber aggression? Noting an “uptick in incidents,” Crootof writes in an upcoming paper that the answer is probably no.
The question of if and how states should respond to cyber attacks was a major reason the fifth iteration of the GGE ended in deadlock this summer. A group of countries that reportedly included Russia, China and Cuba refused to accept any agreement that specified that states had the right to defend themselves and respond to intentionally wrongful cyber attacks.
After the talks ended without a resolution, the American representative to the GGE, Michele Markoff, released a statement warning of the potential consequences of the stalemate on international stability. Spelling out lawful options for states to respond to malicious cyber attacks would act as a deterrent by presenting bad actors with potential consequences for their aggression, she wrote.
“I am coming to the unfortunate conclusion that those who are unwilling to affirm the applicability of these international legal rules and principles believe their States are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions,” Markoff wrote. “That is a dangerous and unsupportable view, and it is one that I unequivocally reject.”
Going on the Offensive
Increasingly, states and international alliances such as NATO are debating whether and how to deploy offensive cyber capabilities, or “active defence” cyber measures that can fend off or prevent attacks — such as bringing down a server that controls an adversary’s automated weapons. These activities can also be used to support traditional military operations.
NATO recognized cyberspace as a “domain of operations” in 2016. The Warsaw Summit Communiqué stated that cyberspace fell within NATO’s core task of defence and was an area in which it had to be effective, just as for air, land and sea. The declaration also vowed to ensure “more effective organisation of NATO’s cyber defence,” although last month a NATO defence official said offensive capabilities will be up to its member states.
Several NATO members have already begun ramping up their cyber offence. Denmark, France, the Netherlands and the United Kingdom have cyber offensive capabilities in varying degrees of development, and the United States is a global leader in the field. This year, Canada also announced new measures that would let its military and cyber intelligence agency undertake offensive measures against foreign targets.
In addition to acting as a deterrent to states considering malicious actions, offensive cyber capabilities offer strategic military benefits, according to James Lewis of the Center for Strategic and International Studies in Washington, DC. “A cyber defensive orientation is…the equivalent of a static defence, defending fixed positions rather than manoeuvring, and conceding initiative to opponents,” he wrote in a 2015 paper.
But not everyone thinks cyber offence is the answer. At a conference in Washington last month, US Department of Homeland Security adviser Tom Bossert said cyber actions would be less effective than “real-world” punitive measures when it came to deterrence. “There’s very little reason to believe an offensive cyber attack is going to have any deterrent effect on a cyber adversary,” he said. “In fact, it’s going to encourage them to hurry up and become better hackers and develop better defenses.”
Carl Bildt, the former prime minister of Sweden and chair of the Global Commission on Internet Governance, also sounded a note of caution at CyFy this month. He suggested that cyber weapons could have unexpected consequences for the countries that unleash them. “I think there’s much too loose talk in much too many countries about acquiring offensive cyber capabilities. It’s dangerous, dangerous, dangerous territory,” he said. “Concentrate on the defensive aspects. That’s going to be demanding enough in the years ahead.”
Back in Estonia, the defence ministry announced this year that it would develop a centralized cyber command, bringing together its cyber expertise in one place. It is not clear whether this will include offensive capabilities, and if it does, whether Estonia would reveal it publicly. The Estonian defence ministry did not respond to a request for comment.
While the state of its cyber offence is still ambiguous, Estonia is aiming to protect itself from future attacks by building a strong defence — a strategy that has a long tradition here. Little Estonia has always been a battleground for the great powers of the day, lying at a choke point between Russia and continental Europe. The wars of Germany, Russia, Sweden and Denmark have pushed its borders back and forth, endlessly churning its countryside, which is pocked with the scars of the twentieth century. Farmers still dig up rusted weapons and the bones of soldiers who never made it home.
This history has given the Estonian government an acute awareness — paranoia, Moscow might say — of the geopolitical ambitions of its much larger neighbour. It was deeply alarmed by recent Russian activities in its “near abroad,” which have seen Moscow weigh in on domestic standoffs in former Soviet states such as Georgia and Ukraine, often in the name of protecting Russian minorities. Such interventions have often featured the same portfolio of information operations and asymmetric tactics seen in the Bronze Soldier incident.
The Estonian strategy is to prepare for the worst, and make any attack on the country as unappetizing a prospect as possible. To this end, it combines compulsory military service for men with a tradition of volunteer defence militias. The Kaitseliit, or Estonian Defence League, is a civilian militia network with roots in Estonia’s War of Independence in the early twentieth century. Its members — men and women, many with ordinary office jobs — meet in the countryside to train in weaponry, guerrilla tactics and survival in the wilderness.
This tradition of voluntary civilian defence provided a model for how to respond to challenges in the cyber realm. The Bronze Soldier attacks acted as a catalyst, bringing together the cyber experts of Estonia to tackle a common challenge. The country’s tightly interconnected tech circles communicated and shared expertise as they scrambled to figure out what was happening and get systems back online. But it was already clear that more robust systems of defence were urgently needed in case of future attacks.
“In Estonia everybody knows everybody. Back in 2007, everyone called each other and helped out each other. But it was very ad hoc and it wasn’t formalized,” said Ragnar Rattas, 28, a technician at the CCD COE and a participant in the Locked Shields exercise. “The idea was to have this formalized body of volunteers who can contribute to national cyber defence.”
This idea grew into the Estonian Defence Unit’s Cyber Unit, a network of security experts from across the public and private sectors, brought together regularly for training. Experts such as Rattas are ready to be called upon to respond in case of an emergency.
“It’s something that’s very highly important, keeping your country safe,” said Sille Laks, 30, a fellow Cyber Unit member who fends off day-to-day cyber attacks as part of the Computer Emergency Response Team Estonia.
“If you want to see a change you have to start with yourself,” she added. “You can’t wait for someone else.”
At the same time, rather than rolling back its cyber exposure in the wake of the 2007 attacks, the Estonian government doubled down. It pressed ahead with digitizing the state, creating online solutions for everything from tax returns to voting. It was partly a strategic gamble that digitization was only likely to accelerate. It was also a pragmatic decision for a small country of modest means in need of efficiency.
“Because we are such a small country we don’t have enough people to have lots of people in lots of offices running public services,” said Rattas. “But we are able to implement programs more quickly than large nations can.”
Estonia pursued its determination to build a resilient e-state ambitiously and creatively, implementing practices that put it at the forefront of international data security and also made it a frontier for theoretical debates about how the nation-state can be reconceived in the cyber era. If done properly, Tallinn believes, an e-state can be more resilient to attack than a traditional one.
The government began backing up key data outside its borders in embassies around the world. It is building its first full “data embassy” in Luxembourg, a data centre that will serve as a comprehensive backup copy of the functions of the state. To manage its citizens’ data, it has begun using blockchain. The distributed ledger technology means the system will stay running even if parts of it are knocked out, and comes with automatic encryption and a permanent record of who has accessed the encrypted data.
“You can’t take down Estonia any more,” said Kaspar Korjus, the 29-year-old managing director of an e-residency program, in an interview in Tallinn. The program allows non-Estonians around the world to claim an Estonian identification card and found companies, open bank accounts and pay taxes. “You can attack one part, but the system will still be up and running. Even if we don’t have control of our land, we have data centres in our embassies. Even in the worst-case scenario, we can keep functioning as a state. You can pay your taxes, elect the president.”
Estonia’s strategy reflects one school of thought in the cyber security community: in the unpredictable cyber realm, you can’t expect to fend off every single attack. The important thing is to make your systems as resilient as possible to minimize damage and disruption, and to convince your enemies that the gains they achieve from attacking your country won’t be worth the effort they expend.
But not every country has the resources or inclination to refit their data infrastructure with Estonia-level resiliency. Nor does this solve the problem of “hybrid warfare” that combines cyber actions with influence operations designed to spread misinformation or manipulate public opinion, most vividly demonstrated during the US election.
Initiatives such as the Tallinn Manual and the GGE are attempting to draw the boundaries of acceptable state behaviour in cyberspace, but despite these efforts, the field remains murky. Perhaps because of this, even countries with offensive cyber capabilities have been reluctant to use them in response to cyber attacks. There is a fear that responding to offence with offence will set off an escalatory cycle of more frequent and severe attacks. But without serious consequences, belligerent actors have had little motivation to curb their cyber aggression regardless.
In the world of Locked Shields, the Red Team always attacks and the Blue Team always defends. In the real world, the clear line between those two roles might soon be getting a great deal blurrier.