Estonia is considered one of the world’s most digitally advanced societies. Much of the country’s state and financial infrastructure is online, with ICT considered one of the central pillars of nation-building by the country’s government. In 2005, it became the first country to hold its elections online and, soon after, the first nation to provide e-residency for its citizens. Today, the government is virtually paperless, with 99.6% of banking transactions done electronically and 94% of taxes declared online.
Without a doubt, Estonia has a keen interest in ensuring its cyber security is up to date. Any hack could result in democratic elections being incorrectly managed or private citizen data being exposed – not that non-e-governments are immune to this…
The grand attack…
In 2007, Estonia experienced a cyber attack on an unprecedented scale, crippling everything from the banking sector to the media. Known as the ‘digital Pearl Harbour’, it was the first time a country was targeted in an international large-scale cyberattack. The hacks were allegedly committed by Russian authorities after Estonia decided to move a Soviet war memorial. According to the BBC, “Estonians say the memorial symbolised Soviet occupation of the Baltic state. Russians say it is a tribute to those who fought the Nazis.” This was supposedly enough to lead to a full-scale cyberattack on Estonia’s online infrastructure.
The bulk of the attacks took the form of denial-of-service (DoS) attacks, in which the perpetrator disrupts a network connected to the internet by flooding it with superfluous requests that overload the system and ultimately make it unavailable to its intended users.
Although the attacks were not all that crippling in nature, they did leave users unable to access certain services for several weeks.
Since the attacks in 2007, the government has worked tirelessly with the public and private sector to increase the IT infrastructure’s resilience to another cyberattack. Moreover, it sought to create constructive dialogue within the international community about the imminence, damages and potential prevention of cyber warfare. Several measures the country has taken since the attacks include building stronger ‘authentication services, firewalls and back-up systems’.
Estonia has great motivation in making sure that better solutions to protect their cyberspace are found and that it never has to deal with a crippling online attack again. With a reputation as a leader in e-governance and cyber security across EU and NATO states, Tallinn is now home to the NATO Cooperative Cyber Defence Centre of Excellence whose mission is to “enhance the capability, cooperation and information sharing among NATO, NATO nations and partners in cyber defence by virtue of education, research and development, lessons learned and consultation”.
And this is the bitesize version of how the country is considered the poster child for national cyber security.
We have all heard about the whistleblowing scandal of 2013 which erupted in the USA, resulting in a monumental leak of classified CIA files. Edward Snowden, the former contractor at the NSA and the man responsible for this scandal, soon after became the ‘coverboy for unpatriotism’ for some and heroism for others. Amongst many revelations, Snowden’s leaks disclosed mass surveillance programmes run by the USA, both nationally and abroad.
The leaks resulted in huge debates between governments, intelligence agencies, various industries and the public over the morality and responsibility behind the right to information and privacy. Opinions were torn. Without condemning, condoning or celebrating Snowden’s actions, it is important to note that he was not the first to leak information like this (perhaps the first to do so at this scale) and he will most probably not be the last. Scary thought?
What cases similar to Edward Snowden’s illustrate is that it is very difficult to predict who will be responsible for such leaks. Snowden was contracted into a position which, with his expertise, granted him almost unlimited access to the network. The truthful quote ‘with great power comes great responsibility’ was turned on its head when Snowden proved that ‘with great responsibility comes great power’. Using his advantaged position, he was able to secretly acquire a copy of 1.7 million classified documents (according to the DoD) without raising any red flags… until he escaped to the other side of the world and leaked them.
How did he manage to do this?
Snowden did not need to bypass any firewalls since he had high-level access as a contractor. He could even use USB sticks to transport files from one computer to another within the office – something which could be explained as an authorised job task if considered suspicious by colleagues. Was there anyone who had the required skill level and would have been able to see his subtle ‘mismoves’?
This raises the question: when there is someone as skilled as Snowden, who can be assigned to monitor their activity?
How can intelligence agencies learn to spy on themselves?
Before Snowden, there was Executive Order 13587 (2011), which required intelligence agencies to continuously evaluate anyone with the ‘top secret’ clearance level. Since Snowden, civilian contractors have been limited in what they are able to access. Executive Order 13587 is being more forcefully implemented and, apart from that, there seems to be little else that can be done, legally.
Still, this doesn’t answer the question ‘who watches the watcher?’… The truth may be that it is simply not possible to monitor every action of every single individual at all times. Almost every government, intelligence agency and large company has been – or will be – victim to leakages, whistleblowing and the like.
The Panama Papers, leaked Brexit negotiations in, leaked phone call transcripts of Donald Trump… these all happened within the last year. Data and information leakage is inevitable. Perhaps the bigger question is how to limit the impact by building resilience to manage the aftermath.
Today, Snowden sits in Russia unable to re-enter the USA with the guarantee of his safety.