Digital Front Lines

  1. Cyber Operations
  2. Multistakeholder Responses
  3. Future Hybrid Wars

Speaking to FP Analytics, Estonian Defense Minister Hanno Pevkurdiscussed how his country has tackled cybersecurity since Russia’s 2007 large-scale cyberattack and how forging public-private partnerships has been key to Estonia’s resilience.

FP Analytics (FPA): What are the major cybersecurity challenges that Estonia currently faces in general as well as those that have emerged against the backdrop of the war in Ukraine?

Hanno Pevkur (HP): One challenge is that the situation in Europe has definitely increased the intensity of cyberattacks. Since Russia’s invasion of Ukraine, we have noticed an increase in malicious cyber activity against our networks, so although it is not as visible to the public, there is a constant conflict happening in cyberspace. Since cyber crosses borders with ease, cyber warfare is not limited to Ukraine; it also affects those who support Ukraine. One thing we have to do better is communicate the effects of cyberattacks. Moreover, we have to do that in a clear way so people understand the kinds of impacts different cyberattacks might have.

So far, we have mainly seen distributed denial-of-service(DDoS) attacks, which have actually exceeded the scope and intensity of what we experienced during the large-scale cyberattack from Russia in 2007. However, thanks to preventive measures, these attacks have either had no impact or only a minimal impact on the availability of our services, so our everyday users have not noticed much. That said, in conditions of increasing Russian hostility, we have to continuously stay ahead of developments and constantly upgrade systems, because the threat vectors and landscape are in a state of perpetual change.

Artificial intelligence (AI) presents another challenge. While it has the potential to be a beneficial tool, it can also be used as a tool of attack. Today, it is a known/unknown, a buzzword that many use without comprehending how it will affect our societies, what kinds of threats it will pose, and how we will be able to mitigate and counter those threats.

Lastly, having a qualified workforce to solve all these issues is an ever-present challenge.

Encompassing all of these challenges is the need to look ahead at what is coming in 10 to 20 years. To be prepared, we have to take actions today.

FPA: What is the role of the private sector in addressing cyber threats and facilitating cyber defense? And what kinds of partnerships have you seen work well?

HP: When we talk about digitalization or cyber security, most of our related services are somehow linked to the private sector. On a daily basis, we use information and communications technology solutions and products designed and provided by the private sector, so it is in our interest for their products and services to be secure and reliable. We are not just communicating that expectation to the private sector, but we have actually taken actions to help them in this area. For example, Estonia’s Ministry of Defence initiated the Open Cyber Range project, which enables small and medium-size companies to enhance their cyber security capacity in a safe and controlled testing environment.

Cooperation with industry also provides an opportunity to mitigate the workforce problem, which we all face in this field. In Estonia, we have established a volunteer-based Cyber Defence Unit under the Estonian Defence League. The expertise and skills that many members of the unit have developed working in the private sector can be very useful in times of crisis—especially because part of the unit serves as a reserve to the Cyber Command in our Defence Forces.

FPA: Can you tell us more about Estonia’s Cyber Defence Unit? How does it work, and what are the lessons learned from using this approach?

HP: The beauty of Estonia is that we are small; people working in the public sector know the best people in the private sector, and we have established a cyber security community across government and sectors. So if there is a need, we know whom to turn to.

After the 2007 cyberattack, that approach was formalized as the Cyber Defence Unit, with formal systems for how to communicate and determine what kind of information can be shared, alongside a clear understanding that if there is a need, members can come together and deal with a specific threat. The main impulse for creating the Cyber Defence Unit was to enable those people who are experts in the field to have a way to contribute to protecting Estonia’s vast digital infrastructure, which allows its citizens to communicate with the government and easily access 99% of public services.

We have quite a decentralized model. For example, within the area of governance of the Ministry of Economic Affairs, the Estonian Information System Authority (RIA) is mostly responsible for our critical infrastructure information protection. If there is a need, the Cyber Defence Unit and its members with the necessary expertise can help as well. The Cyber Defence Unit provides a reserve not only for our Cyber Command, but also for the RIA.

FPA: What is Estonia’s approach to civil-military coordination with regard to cybersecurity? What are the challenges that arise when it comes to civil-military coordination, and how are you trying to overcome them?

HP:  When we talk about civil-military cooperation, one issue is that stakeholders have to handle state secrets, which requires a certain level of clearance. However, many IT companies and experts don’t want to take the time to go through the clearance process. This is one of the challenges. Additionally, the public sector suffers from a lack of IT engineers. The private sector can always pay more, which makes it challenging to hire and retain the best possible workers in the public sector.

In one way or another, critical and essential services are all “connected,” meaning they have a component that potentially could be hampered through cyber means. Our military is also dependent on some of these services (e.g., medical, banking, transportation), so effective cyber security is essential in ensuring that those services remain available. Our civilian cybersecurity agency, the Estonian Information System Authority, is the leading force for critical infrastructure protection. It is doing an outstanding job preventing cyber threats from becoming a reality by, for example, raising awareness in society about cyber hygiene, conducting training with critical service providers, and monitoring the Estonian cyberspace and sharing information about vulnerabilities. Considering the cross-dependencies, civil-military coordination and cooperation is indispensable. Sharing insights on situational awareness and conducting joint exercises are two ways to facilitate civil-military cooperation and coordination.

FPA: Looking ahead, what are Estonia’s priorities for building cyber security and resilience against cyber operations, especially considering the interaction of cyber and kinetic warfare?

HP: We’re not looking at cyber defense only as cyber defense, because we see more and more that we are facing situations where cyber is combined with malicious activity in other domains. A key question is how to identify an attack, because one move might seem to be an attack, but actually it isn’t, or vice versa—it seems like natural communication or natural action but is actually an attack.

In Estonia, we have acknowledged that all ministries are responsible for cyber defense, and everyone has to look into their systems to ensure they are secure from cyberattacks.

Strictly in the military context, NATO and allies need to work more toward integrating cyber into the multi-domain operations. Although it is difficult to assess the impact that the cyber domain has had on the war in Ukraine, cyber operations have been an integral part of the fight. The Cyber Command’s area of responsibility has to be an integral part of overall operational planning.

In addition, cyber implications need to be discussed in a broader community—not just among cyber experts. This is of key importance to identifying cyber threats and operational benefits and being ready and able to respond to cyberattacks.

For older, legacy space systems, with low-level intrusion protection, this is a particularly difficult problem. For new systems, with the increasing commercialization of space and the exponential growth in launches and satellites, the cyberattack surface is growing exponentially as well, so cybersecurity by design is a key requirement.

SatCen’s core mission is to provide geospatial intelligence analysis for European Union bodies, EU member states, and EU partners—international organizations such as the United Nations, the Organization for Security and Co-operation in Europe, the Organisation for the Prohibition of Chemical Weapons, and/or third states—based on a special mandate from the EU Council. It is therefore a ground-based organization relying on secure, trustworthy data, mainly from space sensors, for its work. The reliability of data and cybersecurity of SatCen’s own systems are therefore key. To that end, we use multiple satellite data sources from trusted providers and employ a multilayer cybersecurity protection architecture. Above all, our most important assets are indeed our highly professional staff.

Hanno Pevkur became Estonia’s Defense Minister in July 2022. Prior to that, he was a member of the 13th and 14th Riigikogu (Estonia’s parliament) from 2016 to 2022 and held several ministerial positions: Minister of the Interior (2014–2016), Minister of Justice (2012–2014), and Minister of Social Affairs (2009–2012). Having started his career in law, he served in the Nõmme District Administration in Tallinn from 2000 to 2005, first as an administrative secretary and later as city district elder. From 2005 to 2007, he was a member of the Tallinn City Council, Chairman of the Nõmme District Administrative Board, and an advisor to the Minister of Justice. From 2007 to 2009, he was a member of the 11th Riigikogu.