One of Russia’s Neighbors Has Security Lessons for the Rest of Us

(Bloomberg Businessweek) -- Estonia is the first member state in the European Union that might be called Extremely Online. Over the past decade, the Baltic republic of 1.3 million people fully digitized its government services and medical data. More than 30 percent of Estonians voted online in the last elections, and most critical databases don’t have paper backups. To sleep a little better at night, the country has recruited volunteer hackers to respond to the kinds of electronic attacks that have flummoxed the U.S. and other countries in recent years. While many are civilians, these men and women, numbering in the low hundreds, have security clearances and the training to handle such attacks. Their sturdy, bearded commander, Andrus Padar, previously a military reservist and policeman, says the threat is taken as a given: “We have a neighbor that guarantees we will not have a boring life.”

Padar’s militia of amateur IT workers, economists, lawyers, and other white-hat types is grouped in the city of Tartu, about 65 miles from the Russian border, and in the capital, Tallinn, about twice as far from it. The volunteers, who’ve inspired a handful of similar operations around the world, are readying themselves to defend against the kind of sustained digital attack that could cause mass service outages at hospitals, banks, and military bases, and at other critical operations, including voting systems. Officially, the team is part of Estonia’s 26,000-strong national guard, the Defense League.

The additional support is welcome. Estonia’s Information System Authority says its volume of cybersecurity cases, including malware-spreading web domains and emails, rose to about 11,000 in 2017, a 20 percent jump from the year before. In 2016 hackers linked to Russian military intelligence allegedly infiltrated the network of the nation’s largest shale oil producer. (Russia has denied ordering any attack.) “We have been very, very keen on collaborating with them,” says Uku Sarekanno, the information agency’s deputy director general, of Padar’s group.

So are security officials elsewhere. French authorities say they’ve been inspired by the Estonian system, and Latvia set up a similar unit a few years ago. Through a partnership with the U.S. Department of Defense, the Maryland National Guard’s digital squads have trained with Estonian forces, and the head of Michigan’s Cyber Civilian Corps is planning to visit Tallinn later this year. “We’re learning a lot from them,” says Air Force Colonel Jori Robinson, vice commander of the Maryland Air National Guard’s 175th Wing.

Estonia’s civilian hacking-defense corps grew out of the aftermath of a 2007 attack that periodically took banking, government, news, and other websites offline over several weeks following the nation’s worst-ever street riots. Authorities blamed Russian operatives—the attack followed the relocation of a Soviet-era war memorial in Tallinn, a trigger for the riots—and security experts still rank it among the worst cases of state-sponsored internet warfare. Vladimir Putin’s government denied involvement.

Formally established in 2011, Padar’s unit mostly runs on about €150,000 ($172,000) in annual state funding, plus salaries for him and four colleagues. (If that sounds paltry, remember that the country’s median annual income is about €12,000.) Some volunteers oversee a website that calls out Russian propaganda posing as news directed at Estonians in Estonian, Russian, English, and German. Other members recently conducted forensic analysis on an attack against a military system, while yet others searched for signs of a broader campaign after discovering vulnerabilities in the country’s electronic ID cards, which citizens use to check bank and medical records and to vote. (The team says it didn’t find anything, and the security flaws were quickly patched.)

Mostly, the volunteers run weekend drills with troops, doctors, customs and tax agents, air traffic controllers, and water and power officials. “Somehow, this model is based on enthusiasm,” says Andrus Ansip, who was prime minister during the 2007 attack and now oversees digital affairs for the European Commission. To gauge officials’ responses to realistic attacks, the unit might send out emails with sketchy links or drop infected USB sticks to see if someone takes the bait. A CD labeled with an image of Russian porn star Katya Sambuca in a bikini proved especially effective at ensnaring military officials—now the country’s military computers shut down if they detect an unknown disc or USB drive. Major Ivars Ercums, the commander of Latvia’s National Guard Cyber Defense Unit, says his team can learn from the Estonian group’s tactics.

So far, the Estonian volunteers haven’t seen a reprise of the 2007 attack—unsophisticated by today’s standards—or the 2015 blackouts in Ukraine attributed to Russian agents. That has something to do with the very presence of the defense squads and the many additional IT experts hired by most major Estonian companies over the past decade, says Tim Maurer, co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace.

Padar is an unlikely choice to lead this “gang,” as he calls it. As a boy watching Soviet propaganda on TV, he longed to become a Soviet military officer, until he “woke up” in high school, he says. He joined the Estonian police force in 1991, the year the country regained its independence from the USSR, and spent years training as a military reserve officer on the side. He still trains his people with military precision, his helmet and tactical vest often within arm’s reach. “If the trees have very good roots, deep in the ground,” he says, “then it’s not so easy to break them.”

--With assistance from Ott Ummelas, Helene Fouquet and Vernon Silver.

To contact the editor responsible for this story: Jeff Muskus at jmuskus@bloomberg.net

©2019 Bloomberg L.P.