To Bolster Cybersecurity, the US Should Look to Estonia
By Monica Ruiz, Alumna of The Fletcher School at Tufts University
United States policymakers have long sought ways to boost federal agencies’ capacity to implement cybersecurity and plan for significant cyber incidents. As early as 2002, Senator Ron Wyden of Oregon advocated for the creation of the National Emergency Technology Guard (NETGuard), a corps of volunteers with technology experience who could help following a cyber incident.
Fast forward to 2019, when General Robert Neller, former commandant of the Marine Corps, said that the Marines would create a new cyber auxiliary, where it’s OK for members to have “purple hair,” paving the way to attract, recruit, and retain civilian cyber talent. Other branches of the military have already offered cyber warriors steep bonuses to reenlist and the Army has even created a direct accession program in cyber warfare.
These programs have surfaced as threats emanating from cyberspace continue to outpace the chronic talent gap faced by the public sector along with poor cyber hygiene among the general population (e.g., poor password management, not using two- or multifactor authentication, lack of backups). A 2017 report on Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce found that there are an estimated 299,000 active openings for cybersecurity-related jobs in the US and projected a global shortage of 1.8 million in the cybersecurity workforce by 2022. To counter this, the US will have to do a whole lot more. For some key lessons, we must turn to Estonia.
The 2007 cyberattacks against Estonia marked the turning point at which cybersecurity began to be accepted as an essential part of national security. The incident, a response to the relocation of a Soviet War bronze soldier statue, crippled the websites of banks, government agencies, and media outlets for weeks. Today, the country is on its third National Cybersecurity Strategy (2019–22); previous strategies ran from 2008–13 and 2014–17. Estonia’s current strategy highlights its innovator role at the vanguard of novel cyber approaches.
In 2008 Estonia set up a unit of cyber volunteers composed of average citizens from outside government to protect Estonian cyberspace. Put in place out of need after the 2007 cyber incident, and out of historical precedent, since the voluntary national defense organization, the Estonian Defence League (EDL), has existed since 1918, this unit has endured but continues to undergo refinements.
Within the EDL’s volunteer Cyber Defence Unit (CDU), the tasks are crisis management exercises and training the public. This includes conducting exercises for policymakers and civil servants, including members of the government, and cybersecurity awareness courses in Estonian schools. Its two responsibilities that build long-term resilience are capacity building and operations. This includes securing Estonians’ online lifestyle, distributing cybersecurity-related knowledge and strengthening cooperation across sectors.
In August 2018, Estonia also created its Cyber Command, which has caused unstoppable ripple effects throughout the Cyber Defence Unit. The Command will consist of 300 military and civilian personnel, including private sector professionals, by 2023. This may trigger shifts in military tasks and responsibilities; result in direct recruitment and integration of the unit; and impact the unit’s civilian nature as it may become back-benched to accommodate the Command’s priorities, hindering the use of its members’ full potential.
Separately, the strategy highlights differences in roles between the Ministry of Defence, where the EDL CDU resides, and the Ministry of Economic Affairs and Communications (MOC), placing the unit at the nexus of both military and civilian groups. While the Ministry of Defence implements activities related to military defense, the MOC manages the implementation of the strategy and develops technological resilience. Against this backdrop, the EDL CDU continues to expand. The unit, composed of over 200 cyber volunteers, has created two additional regional units.
For a small country of 1.3 million people, reallocating existing resources is hard. A pervasive and fundamental challenge is its limited capability for specialization due to its small population. However, its consolidation of cooperation and communication mechanisms and reductions in fragmentation of expertise allow already limited resources to be used efficiently.
As with any major effort, the devil is in the details. The Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence was established in 2008 as a way for Estonia to contribute to NATO’s cyber defense. The creation of the EDL CDU was the logical next step. Although both efforts were discussed in unison, the unit was meant to serve as a recruitment branch for the Centre and to foster public-private partnerships by giving volunteers an opportunity to engage in cyber defense. Since its creation, some lessons that could be applied in a US context have risen in prominence: profiling criteria for incoming volunteers, efforts toward shifting the threat narrative (although that is not a function of the unit), and the criticality of effective leadership.
- Profiling Criteria
Initial questions in recruitment forms were detailed, but lacked an initial profiling criterion and identification of tasks, which would have facilitated the pairing of volunteers to defined gaps. Some members of the unit have proposed adopting norms and laws in crisis management and critical infrastructure protections (e.g. Cybersecurity Act and 2017 Emergency Act) to inform the profiling criteria and tasks framework needed for the unit. This approach could also streamline response efforts since shared profiles would help improve who the unit sends to respond.
- Threat Narrative
The work needed to shift the threat narrative in cyberspace is a critical task. The ongoing narrative of cyber-attacks and conflict, which especially in the US focuses on offenses, does not get at the long-term necessity to build cyber awareness and resilience at the local level. Estonia’s strategy addresses this by stating that “one important solution for raising cybersecurity awareness is coverage of the topic in general and vocational education.” As the unit expands geographically, its local reach and unique standing at a military and civilian nexus make it suited to continue focusing on long-term capacity building.
- Leadership
Founding member and current Estonian Parliamentarian Johannes Kert said that “only passionate leaders can lead volunteers. Particularly for the EDL CDU, they need passion for a free homeland—sounds idealistic, but it works!” This highlights the importance of the unit’s leadership, which plays a key role in appealing to someone’s sense of duty for recruitment and retention; highlights access to a network of security experts created through the unit that members may otherwise not have access to; and emphasizes skill-building opportunities through trainings, exercises, and social gatherings to reach a certain degree of technical skill. Essentially, social interaction can be leveraged to help raise social capital, reducing bureaucracy down the line for efficiency and effectiveness in specific tasks. The unit’s lead also helps identify and ensure provision of resources relevant to assistance engagements. He or she is aware of members’ skill-sets and status, often communicating and maintaining relationships with them directly. This allows leverage to engage the right individuals when needed.
The EDL has historically been a crucial vehicle that integrates outside talent and focuses on long-term capacity building. Establishing something like the EDL CDU in the US presents its challenges. The two countries differ in size and in their political, legislative, institutional, and cultural contexts. However, the need to tap into and build cybersecurity talent is dire and growing at an alarming pace. Some states are already taking innovative measures to address this and have begun adopting similar models, like Michigan’s Cyber Civilian Corps (MiC3), Wisconsin’s Cyber Disruption Teams, and Ohio’s Cyber Reserve within their National Guard. More are sure to follow, especially against the backdrop of growing demand and limited supply. Like the Minutemen of the American Revolution who independently organized into military units or the Baltic Forest Brothers who waged a guerrilla war against Soviet rule, the EDL CDU addresses key challenges in this domain and serves as an example model for cyberspace that should be adopted, adapted and put to scale.