Estonia's Lessons in Cyberwarfare

If there is no international convention allowing defensive and offensive actions, all countries are vulnerable regardless of their domestic cyber capabilities.

By + More

Scheherazade S. Rehman is a professor of international finance/business and international affairs at The George Washington University. You can visit her homepage here and follow her on Twitter @Prof_Rehman

What is a weapon of mass destruction? According to the Encyclopedia Britannica a weapon of mass destruction, known as WMD, is a

weapon with the capacity to inflict death and destruction on such a massive scale and so indiscriminately that its very presence in the hands of a hostile power can be considered a grievous threat. Modern weapons of mass destruction are either nuclear, biological, or chemical weapons—frequently referred to collectively as NBC weapons.

In fact, if you look up most definitions of WMD, nowhere is the mention of a cybersecurity threat being part of the equation.  While the conventional WMD are truly frightening to most of us, imagine the impact of a real cyberattack in the Western world. Power grids down, banking transactions failures, deliberate scrambling of healthcare or customer credit information, and deliberate mass transportation, commercial airspace, and shipping lines confusion, etc. There is, however, always the issue of how to identify whether a cyberattack is a weapon of "mass destruction or simply a weapon of mass distraction and inconvenience."  Even if a cyberattack is a mass distraction, besides from the inconvenience, the business costs could be astronomical.

[See a collection of political cartoons on the economy.]

Cyberattacks were elevated to warfare status in early 2007 when the tiny country of Estonia decided they were going to let the world know that their country was "under a cyberattack" by the Russians (the government), i.e. state sponsored cyberwarfare. What was claimed and later proven by the Estonians was that the Russians had launched a series of massive coordinated cyberattacks on the Estonian public and private sector in April 2007. Estonian banks, parliament, ministries, newspapers, and TV were bombard. This was all over an argument with the Russians over the reallocation of the "Bronze Soldier of Tallinn" and war graves in Tallinn (the capital of Estonia). This was the second largest state-sponsored cyberattack, second only to "Titan Rain," a series of coordinated attacks on U.S. computer systems between 2003-2006, thought to be of Chinese origin.

Estonia shouted loudly from the roof tops that they were being attacked, that an act of war had being committed by the Russians, and called upon its allies to assist, but they had a hard time getting anyone to believe that this was a "real war" and not a cybernuisance. In the end no one came to help the Estonians but what that alarm did do was to put global cyberattacks on the warfare discussion table for North Atlantic Treaty Organization, known as NATO. Why is it important? Well for starters Estonia happens to belong to NATO, which has something called Article 5 which goes something like this: "attack one of us, and it’s the same as attacking all of us"…along the lines of Alexander Dumas Musketeer slogan "Unus pro omnibus, omnes pro uno" which is Latin for "one for all, all for one." Article 5 is at

the basis of a fundamental principle of the North Atlantic Treaty Organization (NATO). It provides that if a NATO Ally is the victim of an armed attack, each and every other member of the Alliance will consider this act of violence as an armed attack against all members and will take the actions it deems necessary to assist the Ally attacked.

Ironically it was the United States that evoked Article 5 for the first time, in the aftermath of 9/11.

[Read the U.S. News Debate: Should There Be an International Treaty on Cyberwarfare?]

The Estonians were trying to evoke Article 5 when they were being attacked by the Russians in 2007, but thought better of it and did not evoke the article because of the lack of support from their NATO allies; NATO could not agree on the definition of "under attack" in this case and identifying and proving that this was a Kremlin-sponsored attack was difficult. The Estonians were left to fend for themselves.

The Estonians raised global awareness of state-sponsored cyberattacks. We will never know if Estonia was the first real "cyberwar" but it was the first time a country claimed publicly it was under attack. There are still many questions about cyberwarfare and cybersecurity that need to be addressed. For example, what is the threshold of cyberattacks so that a cybernuisance is reclassified as a cyberwar? Is it cyberwar if the perpetrator is a "geeky" kid next door launching an attack from his bedroom versus a state-sponsored group? Moreover, do we declare we are under attack only when the cyber targets are military/government installations or national power grids or even if private institutions are hit? Who do you go after, because usually cyberattacks "ping" themselves through a third party (country) computer server? And so on and so on.

Estonia spent the last six years becoming one of the best defended countries against a potential cyberattack (but with limited offensive capabilities). Today, almost six years later, the Estonian model is studied by many countries on how to build national defensive cybersecurity capability systems. This is of particular importance since the Estonians have a public-private business cybersecurity partnership model which is the envy of many countries.

[See 2012: The Year in Cartoons.]

Like most things, the issue is really now a legal one—about the rules of engagement in cyberwarfare (defensive and offensive), not only including the legal partnerships between a government and its pubic but with other nations. We know one thing for sure, if there is no public-private business partnership, real national cyberdefense is an illusion, and if there is no international convention allowing defensive and offensive actions, all countries are vulnerable regardless of their domestic cyber capabilities.

On a side note, I just got back from Tallinn, Estonia, where I was part of The George Washington University School of Business Executive MBA in Cyber Security Program in partnership with the GW Homeland Security Policy Institute under Frank Cilluffo, former White House special assistant to the president for Homeland Security. GW launched the first ever U.S. university-sponsored residency in Estonia on this issue of public-private business cybersecurity partnership. The GW executives in residence are still there on the ground in Estonia learning first-hand about the complexities of cyber security as this article is going to press. This is a "shout-out" to them for pioneering the future of cyber security. I expect Tallinn will soon be inundated with a proliferation of U.S. universities students interested in learning how to build public-private business cybersecurity programs.

  • Read Stephen Hayes: Can Obama's Foreign Policy Picks Reboot His Static Africa Policy?
  • Read Mackenzie Eaglen: The Military Lost in the Fiscal Cliff Deal
  • Check out U.S. News Weekly, now available on iPad.