CybersecurityEstonia considers draft for newly created cyber army in emergency

Published 17 January 2011

Estonia just announced the creation of an all-volunteer cyber army; the Cyber Defense League unites computer experts from the private sector and the government; the League conducts regular drills and operates under a unified military command; Estonian defense officials are contemplating instituting a cyber expert draft in the event of a serious national crisis; Estonia is the first country to experience a cyber war — in 2007 Russian hackers, suspected of having been directed by the Russian military, systematically shut down major government, financial, political and news Web sites

Estonia recently announced the creation of an all-volunteer cyber army.

After being subject to crippling cyber attacks in 2007, in what NPR calls the first cyber war, Estonia has launched the Cyber Defense League. The unit is a volunteer organization comprised of programmers, computer scientists, and software engineers that, in the event of war, would operate under a unified military command.

Defense Minister Jaak Aaviksoo says the force “brings together specialists in cyberdefense who work in the private sector as well as in different government agencies.” They conduct regular weekend exercises “to prepare for possible cyber contingencies.”

No other democratic country in the world has a similar force that can be mobilized under a military command to defend the country against cyber attacks.

In the event of a national emergency, the defense minister says he will consider implementing a draft of all available cyber experts in the country.

Estonia depends heavily on the Internet, with 80 percent of its people paying their taxes online and engaging in online banking.

In 2007 hackers hit Estonia with a barrage of cyber attacks that disabled the Web sites of government ministries, political parties, newspapers, banks, and companies. The attacks persisted for three weeks and began after Estonia and Russia sharply disagreed over the Estonian removal of an old Russian Second World War memorial in its territory.

While difficult to attribute with certainty, officials believe that the cyber attacks emanated from Russia.

These attacks left an indelible impression on the people of Estonia, who have experienced several invasions and occupations, beginning with the Soviet Army in 1939, the Germans in 1941, and the Soviets once again following the Second World War.

Given the recent cyber war and their history, the Estonians are acutely aware of their vulnerability to cyber attacks. Officials believe this feeling has driven heavy private sector cooperation with the government to create the Cyber Defense League and a willingness to accept such controversial measures as the creation of digital IDs for online transactions.

Replicating similar measures in the United States may prove difficult as top cyber security experts seldom work in conjunction with the government.

The people who work in IT in the U.S. tend to be quite suspicious of government,” said Stewart Baker, former general counsel at the National Security Agency (NSA).

Baker continued, “There’s a standoffishness that makes it much harder to have that kind of easy confidence that you can call on people in an emergency and that they’ll be respond.”

Under President George W. Bush, Baker failed to create an emergency cyber defense force, like that in Estonia, under the Department of Homeland Security (DHS).

That’s a very sensible approach, and I only wish we had the same kind of relationship with our [Information Technology] sector that [Estonia] obviously has with theirs,” lamented Baker.

According to NPR, unifying cyber defenses under a single paramilitary command allows computer networks to be defended more easily.

Like in many other industrialized nations, in the United States the private sector largely controls the critical internet infrastructure that operates the electrical, transportation, and financial systems. Splitting responsibility for security among various government and private sector businesses creates natural security gaps and vulnerabilities that hackers can exploit.