Estonia’s Cybersphere as an Asset and a Vulnerability

Photo Credit: https://e-estonia.com/


By: Nikolai F. Rice

Estonia’s e-governance regularly pushes the boundaries of cyber-administration. Roughly three-quarters the territory of West Virginia and a population just smaller than Maine, Estonia’s size plays to its cyber-administrative advantage.[i] The nation manages it taxes, elections, and healthcare administration almost entirely online.[ii] The unfortunate byproduct of Estonia’s rapid cyber development is a new center of gravity for adversarial leveraging. In a period when the world’s strategic actors are preparing for the resurgence of great power competition, one small nation sits at the control screen of the world’s most developed cyber-governance platform.

Technology and Previous New Centers of Gravity

Through most of history, violent actors conquered by targeting three centers of gravity: the head (of state), the body (core territory), and/or the limbs (militaries). Then, states were (usually) the rudimentary extensions of a single or few persons’ power. The administration of large empires required parsing territory into administrative regions, and empires could survive losing one or several districts—so long as the core withstood the political and economic ramifications. Administration made states easier to rule, but administration centers, or trade, or even relatively rudimentary pre-industrial production were all centers of gravity for adversaries. Cities, trade routes, mines, and agricultural fields were all tempting prizes to conquer—or plunder.

The advent of attritional war, however, changed the traditional calculus. Wars are expensive, and conventional wisdom says the quickest way to win a war is to win it fast. Attrition make wars long—and expensive. The advent of strategic airpower empowered opponents to strike regularly, without espionage or subterfuge or prolonged infiltration, at adversaries’ centers of gravity—simultaneously reducing adversarial means of production as well as the targets’ conquest-values. War materiel industries, supply depots, and transport bottlenecks became critical centers of gravity in attritional war. Airfields, too, could be centers of gravity, but their smaller number and operational utility meant defenders prioritized their anti-aircraft security.

The development of nuclear weapons is an entire microcosm of center of gravity issues. Highly-developed nuclear arsenals pose a simultaneous threat to any and every enemy center of gravity—cities, arsenals, military concentrations, industrial centers, trade nodes, etc. Nuclear forces within themselves also present a center of gravity, spurring the counterforce versus countervalue debate in nuclear strategic literature.[iii] Nuclear weapons are a proverbial “limb” of the most modern nations, but one that can simultaneously strike every part of an adversary’s body of state. This makes nuclear arsenals simultaneously indispensable means as well as unwieldy tools of war and diplomacy.

Though e-Estonia was a domestic endeavor, it has emerged as a center of gravity through adversarial targeting. The question is how many lessons of the history of emergent centers of gravity are applicable to e-Estonia.

The Administrative Promise and Strategic Risk of e-Governance

E-Estonia promises to make the Estonian government more efficient, reliable, transparent, and accessible.[iv] Though Estonia had elections and taxation before e-Estonia, the platform simplifies citizen-government interaction.[v] Unfortunately, the streamlining of so many services through a single cybersphere conduit makes it easier for adversaries to disrupt essential government administration by striking fewer targets in both the cybersphere and the physical world. The Estonian cybersphere is a particularly tempting target for NATO adversaries because of its relatively weak conventional defenses and continued skepticism over alliance resolve.[vi]

As Russia continues its self-driven resurgence, it only makes sense for it to push proverbial buttons in optimizing the the strategic value of its unconventional conflict operators. In fact, Russia did just that before its resurgence, in 2007 with the alleged massive disruption of the Estonian net, and with it banking, government administration, traditional and online communications, power supply, and a host of other cyber-connected services.[vii] “Allegedly” because the nature of internet-based operations makes it difficult to link results to actions, actions to actors, and actors to state organs.[viii] The 2007 cyberattack originated in Russia, but the trail runs straight into the darkness that is Russia’s tangled mess of cyber-operators. Moreover, the attack—though against a NATO member—resulted in only a single, indirect death.[ix] A cyberattack temporarily crippled a NATO member’s governance, but NATO had no proportionate means of response, let a lone a target to aim for.

NATO and the Estonian government catalyzed a massive cyber-defense initiative. The Cooperative Cyber Defense Center of Excellence (CCDCOE) is Estonia’s (and NATO’s) first line of cyber-defense and a critical proving ground for defensive cyber-operations.[x] NATO nations partner with Estonia, constantly developing ever-newer methods of detection, defense, tracking, and inoculation against cyber-threats. Where the military protects Estonia’s sovereign territory, CCDCE protects Estonia’s sovereign cybersphere. CCDCOE, however, is a special kind of target itself.

Concentrating international cyber-defense capabilities into a single initiative, especially one networked by infrastructure promising momentary communication and interaction, centralizes skill and knowhow; however, concentration also exposes NATO members to greater risks. If CCDCOE truly is the forefront of NATO cybersecurity, then adversaries know what defenses to target when developing cyber-operations intended not to damage only Estonia but also other NATO members. The issue is of time-sensitivity, and whether CCDCOE can solve breaches and disseminate solutions as quickly as adversaries can infiltrate and multiply their success. This analogous conflict of cyber-attrition is one-sided, in which one team always infiltrates and the other always blocks. There is, however, no alternative if Estonia and other states wish to evolve and defend their cyber-governance capacities.[xi]

Conclusion

Estonia’s drive to modernize the administration of its governance has benefited the nation domestically while putting itself and its allies at risk geopolitically. Though the Estonian cybersphere is not inherently a center of gravity, adversarial attacks make it one nonetheless.[xii] The Baltic problem will only become more pertinent in the coming years, and NATO states will have to come to an agreement about the kind of escalation they are willing to risk in order to either deter or respond to cyberattacks against e-Estonia, CCDCOE, and alliance members in general. Cyberattacks kill through cascade, much like “proportionate” responses lead to war through escalation. If any actor seeks to control cyberwarfare, they must seek solutions—combining intelligence, espionage, cyber-craft, and non-lethal covert operations—that inhibit opponents without destroying traditional targets.

Bibliography

[i] “List of States and Territories of the United States by Population Density,” Wikipedia, February 08, 2019, https://en.wikipedia.org/wiki/List_of_states_and_territories_of_the_United_States_by_population_density.

[ii] “We Have Built a Digital Society and so Can You,” E-Estonia, 2019, https://e-estonia.com/.

[iii] Robert Jervis, The Meaning of the Nuclear Revolution: Statecraft and the Prospect of Armageddon (Ithaca: Cornell University Press, 1990), 11-14.

[iv] “Solutions,” E-Estonia, 2019, https://e-estonia.com/solutions/.

[v] “Data Exchange Layer X-tee,” Estonian Information System Authority, January 7, 2019, https://www.ria.ee/en/state-information-system/x-tee.html.

[vi] Judy Dempsey, “NATO’s European Allies Won’t Fight for Article 5,” Carnegie Europe, June 15, 2015, https://carnegieeurope.eu/strategiceurope/?fa=60389.

[vii] Damien McGuinness, “How a Cyber Attack Transformed Estonia,” BBC News, April 27, 2017, https://www.bbc.com/news/39655415.

[viii] Rajesh Kumar, “The Problem of Attribution in Cyber Security,” International Journal of Computer Applications 131, no. 7 (December 17, 2015), doi:10.5120/ijca2015907386.

[ix] Ian Traynor, “Russia Accused of Unleashing Cyberwar to Disable Estonia,” The Guardian, May 17, 2007, https://www.theguardian.com/world/2007/may/17/topstories3.russia.

[x] “About Us,” CCDCOE, 2019, https://ccdcoe.org/about-us/.

[xi] “Cyber Security,” Estonian Ministry of Foreign Affairs, May 18, 2018, https://vm.ee/en/cyber-security.

[xii] Richard Iron, “Viewpoint – What Clausewitz (Really) Meant by Centre of Gravity,” Defence Studies 1, no. 3 (Autumn 2001). doi:10.1080/714000041.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.