Select Page

Read the following case study (attached).Jackson, C. M. (2013). Estonian Cyber Policy after the 2007 attacks: Drivers of change and factors for success. George Mason University, School of Public Policy. ISSN:1947-2633Answer the following questions:What strategic recommendations would you make based on your review of the case study?What operational security aspects should be considered so as to prevent such attacks in the future?What sort of an encryption policy, if any, would have helped in this situation?Directions:Your paper should be 4-5 pages in length, not including the title or reference pages.Be sure to provide citations from your readings and additional research to support your statements.Your paper must follow APA style guidelines, as appropriate.

Unformatted Attachment Preview

Don't use plagiarized sources. Get Your Custom Essay on
Estonian Cyber Security Case Study
Just from $10/Page
Order Essay

Volume VII
Spring 2013
Estonian Cyber Policy after the 2007
Attacks: Drivers of Change and Factors
for Success
Camille Marie Jackson
Executive Summary
ISSN: 1947-2633
On Friday, April 27, 2007, a number of Estonian government officials could not access
their e-mail at work. Microsoft Outlook-based systems were not able to send or receive e-mail,
and overall network connectivity slowed.1 Such incidents are fairly common and generally shortlived, and many Estonian officials thought the error would be fixed in a few minutes or hours.
However, as days and weeks wore on, it became apparent that Estonia was under a serious cyber
attack—or rather a series of attacks—which had significant economic, political, and security
consequences for this tiny, technologically-dependent Baltic country.
The cyber attacks of Spring 2007 sparked a series of dramatic policy changes designed to
make Estonia’s networks more secure, ranging from adjustments to the legal code to the creation
of a Cyber Security Strategy and Cyber Defense League. 2 For the remainder of this case study,
we will examine the forces driving these policy changes, as well as the special cultural and
political dynamics at play that allowed particular proposals to come to fruition. We will then
look at the policies that were adopted, and assess the success of these measures.
It is important to understand that the cyber attacks on Estonia coincided with an intense
political conflict with Russia. After Estonia regained its independence from the Soviet Union in
1990, it began a process of modernization and de-Sovietization—a course that sometimes created
tension among the ethnic Russian minority living in Estonia.3 4 Their concern reached a climax
in April 2007, as Estonian officials were debating whether to move a controversial bronze Soviet
statue located in Tallinn, the Estonian capital. To the ethnic Russian minority, this statue was a
symbol of their legitimacy and rights in Estonia.5 But for some Estonians, it represented a brutal
Soviet takeover of their country, and in 2006 these citizens petitioned the Tallinn City Council to
demolish the monument.6 Spurred by growing protests on both sides, on April 26 and 27, 2007
the controversy spiraled into deadly rioting and looting, and the Estonian government decided to
dismantle the bronze statue to close the matter and dispel the rioting. 7
It was within this framework that the cyber attacks took place, beginning on April 27,
2007. On April 29, hackers hit the ruling Reform Party’s webpage and posted a message
indicating that the Estonian Prime Minister had sought forgiveness from Russia and promised to
return the statue.8 Hackers manipulated other websites to redirect visitors to pictures of Soviet
soldiers or quotations from Martin Luther King Jr. about resisting “evil.”9
Additionally, a significant portion of Estonian government, banking, and media websites
were inundated with Distributed Denial of Service (DDoS) attacks, preventing them from
communicating via e-mail or conducting business transactions. The scope, sophistication, and
duration of these attacks were unprecedented, according to US scholars.10
The cyber attacks on Estonia had a significant impact in part because Estonian society is
so heavily dependent upon modern information systems. In a meeting with President George W.
Bush in June 2007, then-President of Estonia Toomas Ilves noted that “it is a serious issue if
your most important computer systems go down in a country like mine, where 97 percent of
bank transactions are done on the Internet. When you are a highly ‘Interneted’ country like we
are, then these kinds of attacks can do very serious damage.”11
In addition to Estonian banks’ heavy reliance on online transactions, the country’s eGovernment system also makes it particularly vulnerable to cyber attacks. E-Government is a
system that uses the Internet to make government goods, information, and services available to
citizens and businesses.12 According to Kristina Reinsalu, program director at the e-Governance
Academy, Estonia’s use of e-Government systems to conduct transactions is “remarkably high,”
and Estonia ranks first among new members states in the EU for the use of such systems.13
These vulnerabilities made the cyber attacks particularly crippling, and basic government
functions were adversely affected for weeks. As the attacks continued, Tallinn eventually
decided to cordon the nation’s networks off from international servers, isolating the country’s
systems to allow them to recover.14 As a result, during this time Estonian computer networks
were cut off from the outside world—a solution that served to block the attacks, but created
additional connectivity problems. For example, although Estonians could access their e-mail and
online services within Estonia, those travelling abroad could not access e-mail or banking
The Estonian networks were finally re-established after several weeks, and reconnected
to foreign servers in late May 2007, a month after the initial attacks. 16 Yet an obvious task
remained: how could Estonian officials prevent such an attack from happening again in the
According to Kristjan Prikk, an Estonian diplomat who was stationed at the Ministry of
Foreign Affairs when the attacks occurred and at the Ministry of Defense as many new policies
were being implemented, four unique forces provided the impetus for Estonia’s new cyber
policies: the country’s heavy dependence on information technology; the fact that a number of
new policy ideas had already been introduced, but not implemented; strong support from the
public and industry to implement changes; and a unified vision within the Estonian
First, Estonia’s heavy dependence on information technology is central to explaining the
changes in the country’s cyber policies. Estonia’s heavy use of information technology is part
institutional and part cultural. Over the past twenty years, the Estonian government has invested
significant resources into modernizing the country’s infrastructure,18 creating institutions and
policies to bring Estonia more fully into the twenty-first century, and connecting it more closely
with the rest of the world.
At the same time, as political scientist Francis Fukuyama has noted, “institutions reflect
the cultural values of those in the country in which they are established.”19 The information
technology systems that have appeared in Estonia cannot necessarily appear anywhere—Estonia
has a unique culture that is open to these establishments, that is willing to do 97 percent of all
banking transactions online, and that is willing to sacrifice some privacy in exchange for
efficiency, convenience, and modernity.20 According to Linnar Viik, a professor at the Estonia IT
College, information technology is a way of life in Estonia, and “this way of life and the values
of society aren’t controlled by state ministries of defense. They are supported by culture,
education, the economy.”21 Because of this unique blend of culture and institutions, Estonia
became a prime location for new, sweeping information technology policies to take hold.
Second, in addition to this information technology culture, a number of initiatives to
increase Estonian cyber security had already been introduced within the government, but not yet
adopted. In John Kingdon’s conceptualization of the policy-making process, solutions to policy
problems are often devised long before the problems arise.
Then, he argues, policy
“entrepreneurs” lie in wait until a policy window opens, at which time they have an opportunity
to couple their solution to a particular policy problem.23 The 2007 Attacks were that window.
When the cyber attacks struck, Estonian officials had a variety of ideas to choose from and
implement; initiatives such as the Cooperative Cyber Defense Center of Excellence (CCDCOE)
and the Estonian Cyber Defense League.
Third, there was strong support from the both the Estonian public and industry to increase
cyber security. According to Mr. Prikk, as Estonian officials were considering and making new
policy, “The top political leadership was interested in seeing new policies succeed, while people
in the private sector [had] trust; the drive for doing something was everywhere.”24 Before the
2007 Attacks, most of the major banks in Estonia were owned by foreign—primarily Swedish—
banks. This ownership structure encouraged Estonian banks to integrate their institutions more
closely with the Swedish banks, including hosting servers on Swedish territory. However, after
the 2007 attacks, it became apparent that the presence of Estonian banks’ servers on Estonian
soil was essential for the banks’ ability to protect themselves and quickly recover from an attack.
As a result, the government began instituting regulations on which banks’ and other critical
businesses’ servers could be hosted, as well as the size of data storage. Estonian banking firms,
which had been hit hard by the cyber attacks, supported government efforts to make their
networks more secure. 25
Fourth, Mr. Prikk also noted a sense of unity within the Estonian government, which
acted as an added impetus for policy change.26 This factor is comparable to the momentum that
propelled the US Congress and the White House to pass new legislation and make significant
changes to US homeland security policy following the September 11 Attacks. According to Mr.
Prikk, “the interconnectedness between the people and the institutions was the greatest
achievement. . . . This was not necessarily a top-down approach or a bottom-up approach, but it
was an inclusive approach. Not just a whole of government approach, but a whole of nation
Out of the 2007 Attacks emerged a sense of unity, a sense that all elements of the
government infrastructure—working together—were necessary to combat the cyber threat.
Phillip Bobbit reflects this general idea in his book The Shield of Achilles by noting that:
For the first time since the birth of the State, a state structure is no longer necessary to
organize violence on a scale that is devastating to society. And yet, perhaps ironically,
this development makes the role of the State all the more crucial in achieving
international peace and national security. This is because the shift away from retaliatory,
threat-based strategies to defensive, vulnerability-based strategies will require a State—
indeed will require a society of states—to successfully execute.28
With these four forces driving the Estonian government to enact new policies to secure its
infrastructure, Estonia chose to implement several new policies. Czosseck, Ottis and Taliharm
outline Estonia’s most salient policy changes in a 2011 paper released by the Cooperative Cyber
Defense Center of Excellence (CCDCOE).29 Because of the large number of changes
implemented by the Estonian government, for the purposes of this paper we will discuss only
three below: the creation of a Cyber Security Strategy, the CCDCOE, and the Cyber Defense
League. (For additional policy changes, see Appendix A.)
First, the creation of Estonia’s Cyber Security Strategy has been heralded as “the most
significant step” in the country’s cyber security response.30 Released in May 2008, the Strategy
was created by a multi-agency council led by the Ministry of Defense, and identified five
strategic objectives: developing and implementing a system of security measures, increasing
competence in information security, developing a legal framework for cyber security, developing
international cooperation, and raising cyber security awareness.31 Estonia’s Cyber Security
Strategy has become the guiding document for the state’s comprehensive cyber policy, 32 and has
been a driving force for additional changes.
Second, the creation of the CCDCOE was a significant policy change and, as with a
number of initiatives implemented by the Estonian government, had its beginnings well before
the April 2007 attacks.33 In 2003, even before Estonia joined NATO, the country recommended
the creation of a new “center of excellence” for telecommunications security within the NATO
framework.34 Despite general support from NATO leadership, the idea did not gain momentum
until after the 2007 attacks, when it received significant support and finally came to fruition in
May 2008. According to a press statement on the CCDCOE’s website, “the [CCDCOE] is a
NATO accredited international military organization with aim to enhance cooperative cyber
defence capabilities of NATO and NATO nations.”35
The CCDCOE is not an active cyber force or a cyber control center—rather it is an
international research consortium meant to increase international awareness and understanding of
information security best practices. Though seemingly unimpressive, within this consortium
Estonia is able to promote international cooperation to solve cyber security problems—a
multinational focus that Estonian officials maintain is necessary for success in the cyber security
A third institutional and policy change was the creation of a Cyber Defense League in
2010. The league is made up of information technology specialists who volunteer to assist the
Estonian military during a time a crisis. The Cyber Defense League is made up of small, locally
operated units. Prior to 2010, these volunteers worked loosely together to defend Estonian
networks, and the creation of an Estonian Computer Emergency Response Team (CERT) in 2006
as well as new policies on information sharing increased collaboration between these groups.
However, after the 2007 Attacks Estonia decided to nationalize this unit so that it could more
effectively and cohesively defend the country during a cyber attack.37
According to Mr. Prikk, a strong public desire to reach out and help was key to creating
the Cyber Defense League. “Whenever there is a big crisis,” he said, “there are always people
who…will to do something for the country.”38 Many Estonian citizens self-mobilized following
the 2007 Attacks. Some helped in more immediate and visible ways, joining the police reserve
force and helping to quell rioting in the streets. A second wave of volunteers responded cyber
attacks, as individuals with computer technology skills decided that they, too, would like to help
their country.39 By forming the Cyber Defense League, the Estonian government was able to
harness this desire and channel it in a comprehensive, constructive fashion.
Having examined the driving forces that led Estonia to adopt a series of new cyber
policies, we will now examine the effectiveness of these new measures. Cyber policy is a
relatively new area of public administration, and because Estonia’s policies are still new and
untried, our ability to accurately judge the effectiveness of these measures are limited. However,
by examining three criteria—assessments by experts, whether other countries have followed
Estonia’s lead, and whether Estonia has successfully defeated additional attacks—we can reach a
general estimate of the policies’ success.
A number of academics and experts have given general, overarching assessments of
Estonian information security policies. Czosseck, Ottis and Taliharm approve of Estonia’s rapid
development of its Cyber Security Strategy by noting that these policies are a “significant step”
and recommend that other countries adopt their own cyber security strategy.40 Further praise for
Estonian policies comes from Dr. Lene Hansen and Dr. Helen Nissenbaum, researchers at the
University of Copenhagen and New York University, respectively. They note that Estonian
officials were successful in garnering support for cyber security and implicitly give credit to the
Estonians for driving forward NATO’s cyber policy, including the creation of the CCDCOE.41
Legal scholar Scott Sheckelfield praises the short-term response of the Estonian Cyber
Emergency Response Team (CERT) for ultimately prevailing against the attacks; but believes an
international treaty in needed to clarify appropriate responses and prevent future cyber attacks.42
In general, the literature on Estonian cyber policies is positive, although no author has come out
with a categorical assessment of all Estonian national information security policies since 2007.
Estonia’s adoption of a comprehensive cyber strategy and similar initiatives undertaken
in neighboring countries provides the best example of how various nations are following
Tallinn’s lead. Since Estonia released its Cyber Security Strategy in May 2008, a number of
European countries have released similar strategies, including Germany, the Netherlands, France,
and the United Kingdom.43 44 45 46 It is impossible to prove that Estonia’s Strategy was the central
catalyst for these new policies, and, indeed, the United States released its own Comprehensive
National Cyber security Initiative in January 2008—four months before the release of Estonia’s
document.47 However, the proliferation of national cyber security strategies shows that many
countries are reaching the same conclusion: it is in a nation’s best interest to develop a
comprehensive strategy to secure information networks. Estonia was one of the first nations to
adopt such a Strategy, and continues to lead the way in promoting this trend.
We can also measure the effectiveness of Estonian policies by observing the extent to
which these measures have protected Estonian networks from additional attacks. There have not
been any significant computer network breaches reported in Estonia since the 2007 Attacks. The
Estonian Information System’s Authority website refers only to the 2007 Attacks when noting
the incidents they have addressed.48 However, a lack of visible evidence for a cyber attack is not
necessarily evidence of success for Estonian cyber policies. It is possible for the Estonian
government to hide breaches of its networks, or significant attacks may have not yet tested the
new infrastructure and policies in place. However, available evidence suggests that Estonia has
not suffered any debilitating attacks on the same scale as the 2007 incident. If used as one metric
among various criteria, we can conclude that these new policies have been successful.
It is too early to judge the full effectiveness of Estonia’s policies since the 2007 Attacks.
However, the forces driving these policy changes have become clear: the country’s heavy
dependence on information technology; the underlying, existing groundwork for a number of
these policies; strong support from both the public and industry; and a unified vision and impetus
within the Estonian government. These forces suggest that the changes which have taken place in
Estonia over the past four years are unique given its culture and position. However, other
countries are already mimicking some of Estonia’s new policies, and Tallinn’s initiatives may
continue to set precedents as cyber security becomes more important in world affairs.
Based on a personal interview with Mr. Kristjan Prikk, currently an Estonian diplomat
stationed in Washington DC, and in April 2007 stationed at the Ministry of Foreign Affairs in
Tallinn, 21 November 2011.
Christian Czosseck, Rain Ottis and Anna-Maria Taliharm, “Estonia After the 2007 Cyber
Attacks: Legal, Strategic and Organizational Changes in Cyber Security.” Cooperative Cyber
Defense Center of Excellence Website, 2011.
Raphael Shen. Restructuring the Baltic Economies: Disengaging Fifty Years of Integration
with the USSR. 1994. London: Praeger Westport, 1-2.
Marju Lauristin and Mati Heidmets. The Challenge of the Russian Minority: Em …
Purchase answer to see full

Order your essay today and save 10% with the discount code ESSAYHSELP