Estonia’s Cyber Defence League: A Model for the United States?

Sharon L Cardash, Frank J Cilluffo, Rain Ottis. Studies in Conflict & Terrorism. Volume 36, Issue 9. September 2013.

The cyber threat spectrum that prevails today is both broad and deep. While we cannot protect everything, everywhere, all the time, we can and must make a concerted and sustained effort to shore up national defenses as they pertain to cybersecurity. Despite considerable differences of scale and scope, Estonia’s made-in-country cyber solutions may hold promise for the United States, at least with some adjustments and tailoring to take into account differing requirements and traditions. There may be much to learn from a country that bills itself as “e-Estonia, the digital society,” and also delivers on that promise. Specifically, the country’s Cyber Defence League is a concept and construct that may prove useful for the United States to consider and contemplate at a time when significant cyber threats continue to multiply, but the skilled personnel needed to counter the challenge are in short supply on the U.S. side.

The cyberthreat spectrum that prevails today is both broad and deep. At the high end are nation-states who are sophisticated in terms of capabilities and determined in terms of intent. Yet the digital battlefield is not occupied exclusively by national military forces. It extends to and incorporates the activities of society as a whole, including commercial entities and even individual citizens—all of whom our adversaries target freely and regularly for a range of reasons, from the prospect of economic gain to the hope of gaining strategic advantage in the name of national security. Foreign intelligence and security services, transnational organized crime, terrorist groups, and other entities—sometimes operating as unique actors, and other times joining forces with each other to form a hybrid threat—pose a complex and ever-evolving challenge to public safety, competitiveness, and other objectives that democratic free-market countries hold dear. From espionage and the cyber-equivalent of intelligence preparation of the battlefield (focused on critical infrastructure like water and power plants), to identity theft and simple fraud, the possible permutations for risk and vulnerability are mind-boggling. While we cannot protect everything, everywhere, all the time, we can and must make a concerted and sustained effort to shore up national defenses as they pertain to cybersecurity.

During a period of economic downturn when resources are scarce, the nature of the challenge is further magnified. Under such circumstances, it may be both prudent and productive to look beyond borders for creative solutions to shared problems. Despite considerable differences of scale and scope, Estonia’s made-in-country cybersolutions may hold promise for the United States, at least with some adjustments and tailoring to take into account differing requirements and traditions. The juxtaposition of the two countries may not be obvious, yet there may be much to learn and adapt from a country that bills itself as “e-Estonia, the digital society,” and also delivers on that promise (http://e-estonia.com/). Specifically, the country’s Cyber Defence League is a concept and construct that may prove useful for the United States to consider and contemplate at a time when significant cyberthreats continue to multiply, but the skilled personnel needed to counter the challenge are in short supply on the U.S. side.

Estonia’s Cyber Defence League

When Estonia regained independence in 1991 after the Soviet empire crumbled, the country had very little in terms of information infrastructure. The Government of Estonia quickly determined that information technology (IT) should be a priority for the country, and so it has remained ever since. Today the country is a leader in e-governance, with much to offer the international community in the way of lessons observed, best practices, and so on. Over the last two decades-plus, Estonia has made great progress in setting up both physical infrastructure and IT services, often taking an aggressive “early adopter” stance. For example, since 2001, the country has used national identification cards that provide legally binding digital signatures. This has enabled the introduction and continued secure operation of a myriad of public and private digital services, such as electronic filing of taxes (over 94 percent in 2012), online banking, and e-voting (in municipal elections since 2005, and national parliamentary elections since 2007; http://estonia.eu/about-estonia/economy-a-it/e-estonia.html).

This quality and volume of e-services comes with a price, however: dependence on the Internet. IT is nothing short of critical for many lines of business and governance, and therefore requires robust, effective, and continuous protection. A good illustration of the double-edged character of ubiquitous e-service provision by both the public and private sectors is the cyber conflict of April–May 2007, in which Estonian government and private systems were affected by a politically motivated cyberattack campaign. Though subjected to repeated distributed denial of service (DDoS) attacks over the course of several weeks, both government-related and private sector defense mechanisms generally worked, and there were no critical effects on the population or the economy (such as loss of life or substantial financial losses) as a result of the cybercampaign—but several critical services were temporarily affected. The episode served as a wakeup call, nevertheless, and led to a rethink of how critical Estonian systems might be best protected in the cyber age.

One fundamental outcome of the 2007 incident and the security reassessment that followed was the creation of the Estonian Cyber Defence League (CDL), whose mission is to “protect Estonia’s high-tech way of life.” The CDL is a component of the Estonian Defence League, a volunteer national defense organization created in 1918 that could be roughly described as a cross between the U.S. National Guard and a nationwide militia. On the one hand, the Estonian Defence League is a uniformed reserve service that is part of the military chain of command. The organization’s senior leaders (generally battalion level and above) are active duty military officers, and the organization itself is divided into territorial units that cover all of Estonia’s counties. The Defence League contains infantry, anti-tank, artillery, and other “conventional” units, and is currently over 13,000 strong (http://www.kaitseliit.ee/en/new-beginning; in a country of 1.3 million people), thus easily outnumbering the country’s full-time military of 3,800 (http://www.mil.ee/en/defence-forces). On the other hand, the vast majority of Estonian Defence League members are volunteers, who participate in the organization in their free time, separate and apart from their day jobs. The volunteers do not receive pay, nor do they have strict obligations—unless mobilized. Generally, company-level units are manned and led exclusively by volunteers with the appropriate military training and rank. The Defence League also contributes to wider security tasks, such as civilian evacuation during natural disasters, or search and rescue efforts.

In 2009, two cyberdefense sub-units were created in Tartu and Tallinn, as part of the corresponding regional units (malev) of the Estonian Defence League (Kaitseliit). This bottom-up initiative was supported by the private sector cybersecurity community as well as the Government of Estonia. In 2011, these regional sub-units were re-assigned and formed into the Estonian Defence League Cyber Unit (CU). Interestingly, the term Cyber Defence League and its Estonian equivalent (Küberkaitseliit) became popular and thus both are still widely used as synonyms for what is properly called the Defence League Cyber Unit or CU. This relatively unorthodox organization has several advantages for national cyberdefense. First, it allows cybersecurity experts to contribute to national defense on a regular basis, but without undue stress on their work and family life. The flexible membership option means that they can and do scale their involvement as circumstances permit. Second, as part of the military chain of command, the CDL can be relatively easily involved in planned missions (with advance warning), training, exercising, planning, and so on. Obviously, the members who participate in such activities must also have the necessary clearances. Third, it is a very cost-effective way of building a highly skilled and specialized reserve force.

The key problem with the volunteer CDL is that it cannot cover the full mission spectrum. Missions that require 24/7 readiness or long-term deployments can be done, but are difficult to guarantee. Another difficulty is that many specialists work in critical positions (outside the CDL) and may not be available during a larger crisis. Both of these problems can be somewhat mitigated, however, by having a large reserve pool. At this point, the CDL is still a developing organization, both in terms of membership and regulations. As a volunteer organization, there are no strict recruiting goals—quality is preferred over quantity.

As with most military organizations, the CDL engages in two broad types of activity: capability building and operations. The first refers primarily to individual and unit training, while the second is handled on a case by case basis. In terms of training, the CDL has been actively involved in a number of national and international exercises, both as a player and as an organizer. As part of its international cooperation efforts, the CDL has also partnered with the 175th Network Warfare Squadron of the Maryland Air National Guard. It is important to note that the opportunities for interesting training and participation in exercises are strong sources of motivation for the volunteers.

Currently, the CDL is tasked with raising cybersecurity awareness across the whole of society; improving the skills and knowledge of IT specialists; and assisting in critical information infrastructure protection (http://www.kaitseliit.ee/en/frequently-asked-questions). Of these three tasks, the last is clearly the most complex and technically challenging (although the emergency circumstances that would invoke the CDL on this count are rare). In times of crisis, however, the CDL can be assigned to assist the country’s Computer Emergency Response Team (CERT-EE) in the protection of critical information infrastructure. This increases the relevance of the CDL compared to traditional military units, which are typically limited to the protection of military systems. In consequence, the CDL is viewed quite favorably by the civilian components of Estonia’s cybersecurity community.

At the time of writing, the Estonian government is in the process of revising the regulations that govern the CDL. A publicly available draft of the updated CDL task list includes network traffic analysis, reverse engineering malware, and conducting security audits. The capabilities, roles, and significance of the CDL will likely change in the coming years, but the League will almost certainly remain an important cornerstone of the country’s cyberdefense. Since Estonia has not experienced a serious cyber-emergency since the creation of the CDL, it is difficult to assess the League’s current capabilities and potential effectiveness. However, a handful of examples serve to illustrate the special nature of the organization:

  • In 2011, the CDL acted as a ready reserve for CERT-EE during the country’s parliamentary elections. Fortunately, there were no cyberincidents that would have required CDL involvement, but the experience was a very valuable one for the volunteers.
  • In 2012, the CDL organized a tabletop exercise for Cabinet Ministers, complete with a live demonstration. These strategic-level activities sparked greater interest in national cybersecurity at the highest level of government, which continues to this day.
  • Each year, the CDL participates in tactical military exercises such as the annual Spring Storm exercise; the latter combines units from the active component, the reserves, and the Defence League.
  • In order to host an international exercise a few years ago, a complex group task first needed to be resolved. A quote obtained from a large defense contractor for this purpose was an order of magnitude greater than the budget for the entire exercise itself. At this point, the CDL stepped in and undertook the equivalent of several personnel-months of work. The problem was thus resolved by volunteer experts, basically for the price of coffee.

Bearing in mind the nature and value of the CDL, we turn now to the question of whether the concept and construct might be exported and tailored to the U.S. context.

Possible Applications to the United States

Taken on its own terms, Estonia’s Cyber Defence League is clearly a creative and historically grounded response to a real threat that government alone (any government) cannot adequately protect against. From a U.S. perspective, the open questions are whether and how the CDL concept might be tailored and adapted stateside in order to meet U.S. objectives. The shortage of skilled professionals equipped to undertake the military and civilian cybermissions that the U.S. federal government (and its state and local counterparts) have set for themselves is striking. Moreover, in a climate of economic austerity and an operating context marked by sequester, the gap between U.S. government needs and the resources (both human and capital) required to fulfill those needs is growing rather than shrinking. On top of this mismatch, the cyberthreat spectrum that the United States faces continues to expand as well as evolve in terms of complexity. These developments favor the adversaries of the United States, making it all the more important to come up with a way forward that better addresses these U.S. shortcomings and vulnerabilities.

U.S. Homeland Security Secretary Janet Napolitano is seeking to recruit and retain hundreds of young people to her Department and help bulk up the U.S. cyberworkforce that is specifically dedicated to countering cyberthreats. The hurdles to doing so that she and her public sector colleagues face are substantial. Difficulties include the limited size of the available pool of qualified candidates; competition from the private sector for these candidates, including more attractive remuneration packages that are available outside government; and candidate backgrounds and past activities that may be viewed as dubious at best from the perspective of security clearance granting authorities. Competition between and among U.S. government entities for individuals in the limited pool is also significant. Consider further that the military alone has plans to expand U.S. Cyber Command (CYBERCOM) by more than four times, from 900 as it now stands to over 4,000 people. On the public sector side, moreover, retention is as much of a problem as recruitment, if not more so. The situation is akin to the immediate post-9/11 period when all federal entities (as well as state and local ones) were fishing from the same finite pond of intelligence analysts.

Against this background, what can and should be done in the United States? While the scope and scale of the cyberchallenge may be reasonably well understood and also constitute a problem that is shared by Estonia, the United States, and other countries, the CDL is of course a made-in-Estonia solution that fits the facts and circumstances prevailing there. The difference in size alone between Estonia and the United States (and the attendant differences in scale and scope that vary by many orders of magnitude) obviously holds implications for whether and how to introduce and insert the CDL concept in America. Likewise, there are important political, legislative, institutional, and cultural differences between the two countries (to name just a few). In addition, Estonia’s early and robust embrace of e-government, and implementation of digital strategies across all sectors of society, together created a sense of “cyber ownership” that filtered down to, and bubbled up from, the level of the individual—both complementing, and spurred on by, the leadership position taken by the country’s public and private sectors, at the highest levels. One could argue that the manner in which these developments (e-governance, etc.) came about, meaning the 2007 cyberattacks associated with a political conflict between Russia and Estonia, fueled a further special galvanizing effect, based as it was partly on supporting one’s country (and following from a long and difficult history of occupation and oppression).

However, Estonia and the United States also share a significant set of interests and values, and there are historical antecedents and models both within and outside the United States upon which the United States may build, with a view to creating one or more CDL-style American entities. Drawing on and extrapolating from elements that already constitute a part of U.S. history and practice is perhaps the safest course, as these components are already ingrained in U.S. experience and/or structure, and thus run a lesser risk of failure or rejection by the body politic. At the same time though, there may be real opportunities to build on what others have done. After all, if everything had to derive directly from the fabric of U.S. history and practice, innovation would be unnecessarily circumscribed.

One logical place to begin is with the nature and roots of the civil defense culture, and the citizen-soldier, in the United States. During the Cold War, plans, planning, and responsibilities for evacuation and other matters in the event of a nuclear strike were meted out among U.S. authorities. Today many of the corresponding activities have been assigned to the Department of Homeland Security (DHS), and the state-level National Guards and Reserves operating under the authorities set out in Title 32 of the U.S. Code. Mapping former portfolios and who held them onto their latter-day counterparts matters less than understanding and appreciating the spirit that currently underpins and motivates not only those charged (officially) with protecting the homeland, but the American people themselves. On the Estonian side, it is in essence the spirit of voluntarism that animates the CDL. The notion that there could and should be an opportunity for Americans, too, to contribute at home is presently manifesting itself in various ways in connection with the cyber domain. Notably, that spirit and the activity to which it attaches are not exclusively military, and both U.S. spirit and action are evident outside that realm.

Consider for instance New York City’s newly established Code Corps, which is founded on the skills and service of “volunteer vetted technologists” and designed to address “civic needs” including those that may arise in the wake of emergency and disaster (such as a Hurricane Sandy scenario). Working in partnership with the Mayor’s Office and “data scientists, developers and experts from across city government,” the volunteers will help advance “strategic projects.” These might include “developing new databases, Web and mobile applications, emergency-related information maps using city data, analysis of impacted populations, and data sharing with other governments or utilities.” New York’s Code Corps is one manifestation of a broader concept embodied by the nonprofit organization Code for America, which bills itself as “a Peace Corps for Geeks.” Their mission is to “change the way cities work through technology and public service” by pairing “civic-minded” and skilled volunteers “with innovative city governments to build new solutions to civic problems” (http://codeforamerica.org/). The animating principle of Code for America is of special interest for present purposes. As the organization’s executive director observes: “What used to be about passively receiving services and dictates is now about participation. … Young people, because of social media, have always felt they’ve had a voice. … They’re coming from the assumption that government is a hackable system—an operating system that can be optimized. It’s in their DNA, and they just go and do it.”

It does not take a huge leap of imagination or logic to reach the conclusion that this ethos and demonstrated combination of expertise plus civic engagement could likewise support some form (or various forms) of CDL-style entity and activity in the United States. Already there is evidence of progress in this regard, and it is not limited to the “digital-native” generation. The Cyber Security Forum Initiative (CSFI), which encompasses almost 5,000 professionals, is perhaps the most prominent example. Created in 2009 by a security engineer at AT&T, CSFI describes itself as “a non-profit organization headquartered in Omaha, NE and in Washington DC with a mission ‘to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training to assist the US Government, US Military, Commercial Interests, and International Partners’” (http://www.csfi.us/?page=about). Outside the cyber-specific context, other precedent exists for shoring up government capacity and capability in a time of emergency by drawing on individual and civilian talent. To wit: the National Defense Executive Reserve, established by Executive Order of President Eisenhower in 1956. As set out in the final iteration of the order (the original was amended twice and then superseded by EO 11179 in 1964): “There shall be in the Executive Branch of the Government a National Defense Executive Reserve composed of persons selected from various segments of the civilian economy and from government for training for employment in executive positions in the Federal Government in the event of the occurrence of an emergency that requires such employment.” The reference to training is significant, for love of country and a sense of duty are by themselves insufficient to give life to and sustain the CDL construct in the United States. While laudable, these qualities cannot substitute for technological literacy and the related “hard” skills needed to confront the threat spectrum in the cyberdomain.

For the United States, the challenge extends back into the education system and specifically a curriculum that, in contrast to Estonia’s, does not yet do enough to highlight and impart the fundamentals of cybersecurity from grade one onward. While U.S. universities and colleges are moving into this space faster than elementary and high schools, even the post-secondary institutions are doing so fairly slowly and in a way that does not yet convey the skills that are needed to confront the threat. The situation is not unique to the United States. Other countries, such as the United Kingdom, have also recently recognized the need to recalibrate their curricula to better reflect and respond to prevailing realities and prepare students accordingly. To succeed in U.S. schools, teachers and trainers will need to make learning in this area fun (“‘cool and exciting’”). Games can be serious business though, and an effective tool for learning as well as recruitment into public service. In China for instance, the People’s Liberation Army runs an annual competition to identify prospects for its cyberforces.

Notably the private sector too has an interest in the curriculum component given U.S. industry’s appetite for, but the under-supply of, computer programmers in the country. Recently the founders of Microsoft, Facebook, and Twitter, together with other well-known figures plus individuals who are not household names, initiated a campaign (Code.org) designed to get more U.S. schools to offer programming classes. Senior officials at the U.S. DHS have also urged U.S. companies to help spur interest in cybersecurity as a career path on the part of high school students. U.S. government programs like CyberCorps, roughly akin to the G.I. Bill in terms of the “scholarship for service” principle, serve to further encourage students along that track.

Ultimately each country will have to craft a “homegrown” response to the prevailing ecosystem of cyberthreats. Various national models upon which to build already exist, separate and apart from the Estonian one. Britain for instance has “the WARP Programme,” which refers to warning, advice, and reporting points. Initiated in 2002 and currently part of the U.K.’s Centre for the Protection of National Infrastructure, the program fosters “trusted information sharing.” The idea is “to provide a specific community with the capability to share security related information—both problems and solutions—and thereby to develop more secure and responsive environments”. Since inception, WARPs have coalesced along a range of lines including “Public Services—NHS, Police, MOD…” and “Business—Law, SMEs, IT…”. Importantly, WARPs agree to abide by “the WARP code of practice” (http://www.warp.gov.uk/index.html).

France also takes an interesting approach (although not a cyber-specific one) in the form of its “Citizens’ Reserve,” which is separate and distinct from the country’s operational reserve composed of volunteers. The purpose of the Citizens’ Reserve is “to maintain the French concept of l’esprit de defense, or the spirit of defense. …” They do so by contributing to recruitment efforts, acting as “liaison with the public,” and undertaking “civil assistance operations of a nonmilitary nature.” Perhaps tellingly, membership is “very limited.” Yet France is not alone in experiencing a seeming disconnect between its military and broader public. Israel for instance has also seen this type of gap, at times, that can frustrate official efforts to build up and reinforce a whole-of-society approach to defending the homeland. From a U.S. perspective that is cyber-specific, however, the good news is that there are multiple examples of civic-spirited action (as outlined above); and it is not a stretch to think that these could serve as a springboard for and precursor to expanding and deepening U.S. cyberdefenses through the talents and time contributed voluntarily by private citizens, as needed.

Looking ahead, it may be productive to proceed in a sector-specific manner that corresponds to the U.S. infrastructure sectors that have been designated “critical” (such as communications, emergency services, energy, financial services, water, etc.). Although a national effort is required, a one-size-fits-all approach is unrealistic, unworkable, and at odds with U.S.-style federalism, which is highly decentralized and attaches the greatest respect for and trust in solutions developed at the level where the greatest circumstance-specific expertise resides. To date a number of states including Delaware, Maryland, Rhode Island, Utah, and Washington have taken the initiative and created “special cybersecurity units” within their National Guard. This approach makes good fiscal sense in tight economic times (since such units “cost less to train, maintain, and retain than active duty forces”) and leverages local skills and aptitudes. The Washington state unit for instance draws on and benefits from members who also work at Microsoft Corporation and other Silicon Valley tech giants. That unit pursues its mission in close cooperation with others including “an intelligence squadron.”

Notably, Maryland also maintains a special partnership with Estonia that dates back to 1993. Originally designed to “strengthen military-to-military contacts” as Estonia regained its independence from the Soviet Union in 1991, the partnership has since expanded and now incorporates a range of other dimensions including military-to-civilian and civilian-to-civilian cooperation as well as cultural and social aspects. Most importantly however, the partnership has provided an avenue for Estonia to “export expertise in cyber defense.”

These and other state-level initiatives have not gone unnoticed at the federal level. To the contrary, in a hearing before the Senate Armed Services Committee earlier this year the commander of CYBERCOM General Keith Alexander stated that he and his team were already in the process of exploring how each state National Guard might help support CYBERCOM, as well as “‘how we train everyone to the same standards, active [duty forces] and Guard.’” Alexander suggested further that these specialized state Guard units could offer FBI and DHS “assistance in response and recovery to cyber-attacks,” to supplement the efforts of CYBERCOM and the National Security Agency. In fact, legislation—The Cyber Warrior Act of 2013—has just been introduced in the Senate to provide countrywide National Guard civil support, in the form of “Cyber Guards,” to governors or the U.S. Secretary of Defense in the event of cyberattack. The proposed Act also envisions a training role for the Cyber Guards, specifically: “education and training for State and local law enforcement and governmental personnel on analysis and protection to prepare for and respond to emergencies involving an attack or natural disaster impacting a computer, electronic, or cyber network.”

These various measures to grow state-level capabilities and capacities, and lash them up with federal efforts and entities (through Titles 10 and 32) constitute important steps forward. Yet the personnel challenge remains, since the U.S. appetite for these abilities will not be satiated by building up the state Guards alone. In consequence, there is room for multiple avenues of approach and solution, which is why a series of sector-specific programs and measures could also prove useful. These could be undertaken successively and in a manner that is complementary to the other initiatives described. Ideally, each subsequent sector-step would reflect and respond to lessons learned at the previous stage(s). Think of the impact such support could have for U.S. banking, for example. Supplying our financial services firms with the know-how and manpower to protect their assets, as defined in the broadest sense of that word, and thereby allow these companies to concentrate on their core business without distraction, would yield substantial benefit not just to the firm but to its clients and customers—and beyond, to include U.S. national security itself.

While the future and contours of CDL-style groups in the United States are not yet entirely clear, there are a number of encouraging signs and interesting developments underway. When circumstances demanded in the past, moreover, the country successfully re-invented and implemented the means and mechanisms necessary to meet and defeat grave and prevailing threats. The Office of Strategic Services (OSS) created in World War II is just one example. Today a similar determination and creativity is needed to effectively address the challenges posed by the cyberdomain. If the OSS was Harvard meets business meets diplomacy, bound together by a certain esprit de corps, the U.S. cyber-response can and must be equally innovative, cohesive, and multidimensional/multidisciplinary. The ability to adapt and act speedily is a timeless asset. America’s civic-minded technologists, the seasoned and younger alike, have both the requisite can-do attitude and expertise needed to rise to the challenge.

Conclusion

Being grounded and founded in specific historical circumstances and cultural traditions, the CDL is an instrument that serves Estonia well. Whether the CDL can or should be adapted to help address the challenges that exist in other countries is an open question that each nation must decide for itself. As regards the United States, there are multiple potential ways forward that draw on Estonia’s example and could bring the United States to a higher state of readiness in response to prevailing cyber circumstances. In recent months alone, there is substantial evidence in the United States of intellectual ferment and private initiative undertaken in the public interest, and directed toward better securing the cyberdomain. Likewise, on the government side, DHS recently announced the creation of “a dynamic Cyber Surge Capacity Force composed of certified cybersecurity professionals with critical skills in the private sector, who will be readily available for rapid support and deployment in response to potentially significant cyber events impacting our nation’s critical infrastructure.” Few details on this DHS measure have been shared publicly at this stage, but it would appear to be a step in the right direction, as well as consistent with and complementary to a number of the ideas and concepts outlined and explored in this article.