11 May 2021 The leaps and bounds of e-Estonia

Eneken Tikk

Disassembling bronze monuments and concrete tokens of a half-decade of occupation and expelling Soviet troops from Tartu’s strategic bomber airfield and the Paldiski nuclear reactor base in the early 1990s was a play against time. It was, then and there, also a race against two major powers – inherently opposed, yet perpetually intertwined in the strategic superpower culture.

The agility and wit of a few angry young men in the re-independent Estonian government played a major role in cutting this small nation loose from the Soviet Union without major concessions. All means were justified – in love, war, and now – in taking back the country from the occupying power. But as the last trainloads of Soviet troops were clanging across the border, the nation was left with desolate fields and riven villages. Poverty, crime and corruption were just over the horizon. After the applause, the population was becoming impatient.

Hardly anyone in Estonia believed in change across the eastern border. This made our strategic orientation and partnerships very clear. Memberships of the European Union and the North Atlantic Treaty Organization were to pave the way to economic stability and secure this insignificant nation’s independence. 

Estonia’s ambition did not end there. Racing towards successful reintegration with Europe against a flock of countries with similar backgrounds, Estonia had no intention of being just “another” Eastern European country or “a mundane Baltic state”. Estonia was going to become more. To do that, it was necessary to uproot the legacy lifestyle and governing mentality forced westwards across its eastern border. 

To outsmart the grim post-Soviet reality, this small hope-filled nation came up with a plan. A bold strategy. Both grand and novel. Recently re-independent Estonia’s first modern highway was not going to link regions and towns. It was going to connect everyone throughout the nation. To each other. And across international borders. Estonia’s first new avenue was going to be the information highway.

Democracy, freedom, connectivity and progress

Estonia’s ideals could not have been more closely aligned with the Clinton-Gore promise of a global superhighway that delivers democracy, freedom, connectivity and progress to all corners of the world. There was no need for steel or concrete. Estonia was going to be a wired and wireless society all at the same time.

The late 1990s saw Estonia experiencing a meteoric rise as the nation’s Tiger’s Leap project delivered the internet to every village, every school and all government institutions. Estonia’s mother-tongue was the foundation of the people’s survival through nearly 1,000 years of oppression. Less than one-and-a-half million Estonians were too small a market to warrant the (mostly American) software giants providing Estonian language versions of their products. So, Estonia built its own national information systems.

The Estonian Parliament adopted a raft of policies concerning information society development, country-wide connectivity, digital innovation and online services. European regulations of various aspects of information and communication technology use were an easy target for Estonia. Way before most other European countries, Estonia pioneered the availability of public sector information, digital signatures, and nation-wide e-services.

Estonia accustomed itself to being the first. Among the first to implement a rollout of Internet access to every Estonian school, installing computer labs in most schools, and replacing the legacy infrastructure. Among the first to have public institutions publish a wide range of government records on their websites. Among the first to implement a nation-wide e-health information system. Among the first to create a data exchange layer solution that allowed government to securely exchange information over the Internet. Among the first to conduct elections online. Among the first to collect taxes online. Among the first to make it possible to create companies online. Among the first to adopt, in a public-private partnership, a nation-wide identity in the electronic environment. Among the first to take government sessions online. Among the first ready to declare access to the internet a human right.

As the new Millennium dawned, the whole world was admiring Estonia’s e-lifestyle. Estonia’s economy was on an upcurve. Estonia was first among the Baltics, first in Eastern Europe, first in the world. And now, it was set to be first in NATO.

Cyberwar defence

NATO’s transformation in the early 2000s offered Estonia an opportunity to contribute to the alliance’s superpowers. Around 2003-2004, the Estonian Ministry of Defence approached NATO with a proposal to set up a centre for cyber warfare expertise. Setting up a NATO-accredited centre of excellence in the Estonian capital was seen as a guarantee and contribution to the partnership, even when Tallinn was still struggling to meet the required defence investment threshold. After some political finessing, the Cooperative Cyber Defence Centre of Excellence (CCD COE) project was, around 2006, set in motion. 

Having invested in cyber defence, Estonia was to appraise the politico-military risk of its information society stocks. And again, Estonia became one of the first to do so. By means of a thorough series of consultations, a group of researchers and young officers established the first bridges between the ICT-infused private sector, information society-oriented government entities and the rather cyber-distant Estonian defence organization.

The word pair “cyber defence” was not an easy sell to an information society invested in societal and economic growth. Indeed, Estonia’s cybercrime indicators were of no major concern and information society indices were all rising. Even a hint of securitization was met with resistance and distrust on the part of the public bodies responsible for the information society and its infrastructure development. 

It was a hard sell to the allies, too. For a NATO Centre of Excellence to be established, Estonia needed at least two other allies to invest in the initiative. Yet nobody believed in the danger of a cyberwar. Moreover, in the UN Disarmament Committee, Washington was busy convincing the world that Moscow’s predictions of the threat of hostile uses of ICTs were just a myth.

Struggling to find sympathizers, Estonia was to find support to its newly found cyber aspirations from the most unlikely direction.

Hackers and service denial

Ironically, or: conveniently, a remaining piece of bronze and concrete became the token of Estonia’s rise to cyber power. In late April 2007, high political tension unfolded between Tallinn and Moscow around the Estonian government’s decision to relocate the Bronze Soldier – a World War II memorial – from downtown Tallinn to a military cemetery out of the immediate city traffic. Russia-aligned patriotic hackers cloaked in Estonian websites and apparently Kremlin-backed coordinated denial-of-service attacks against Estonian public and private web services over a period of more than three weeks demonstrated how devastating cyber-attacks can be against societies deeply dependent on their ICT infrastructure and online services. 

With just this glimpse of what could happen, the world’s perception and narrative of the Internet and ICTs was turned upside-down. The NATO CCD COE was started not by three but seven sponsoring states. Coming out as a winner from the Web War One, Estonia, digitized to the teeth, had just thwarted a major power. NATO was now set to adopt its first-ever cyber defence policy. Developments in Estonia and, one year later, events in Georgia, were also factors in changing US cyber policy. As cyberwar was out in the open, there was no longer any point in denying the obvious.

As Estonia was among the first to adopt a national cybersecurity strategy and the Pentagon was making preparations for initiating the US Cyber Command, the international community was destined to face national trials between information society and security apparatus. 

Once again, Estonia was the best student in the classroom. Estonia suddenly found itself in the company of the major allied powers. From the UN First Committee discussions to EU digital and cyber policy reforms and NATO cyber policies to world-wide capacity building and Security Council Membership, Estonia faced a surge in fame and visibility. 

As Estonia’s success grew, so did its ambitions. To keep up with all the opportunities, Estonia has taken a pragmatic, almost project-managerial approach to international affairs: setting up a cyber range for NATO, hosting the EU’s Agency for the Operational Management of Large-Scale IT Systems, setting up its own military cyber command, and taking up operational responsibilities in NATO and in cooperation with the United States.

While the Estonian success story is next to impossible to disregard, it may be less evident how Estonia has been transformed through its own success. Once a poster child of progressive and agile all-inclusive information society with no concessions on human rights and online freedoms, Estonia has learned first-hand that online presence comes at a cost. 

Cracks at the seams

In 2017, Estonia had to revoke almost half its national ID-cards due to a vulnerability that allegedly had not been duly attended to by the government. In the light of this incident, especially the slow pace of reclaiming these cards, the arguably near-100% participation of the Estonian population in national online presence came into question. In 2018, the state audits office raised questions about the profitability and sustainability of the e-Residency program projected to bring the Estonian e-population up to 10 million in just a few years. 

Another state audit revealed that cybersecurity competency in local government that lay outside of the epicentre of government IT-innovation, was very low. Estonian success stories faced domestic criticism for government decisions to curb anonymity online. The 2019-2022 cybersecurity strategy stressed the need to repair serious systemic failures: a weak strategic integral management, limited investments in R&D, low cybersecurity awareness and a deficient sense of ownership in risk management, lack of specialists and insufficient supply of new talent. 

To the world, the early visible signs of the crumbling façade are the now stopping or declining indices of online freedoms, and an alarming contrast between the digital savvy and less cyber-privy generations and community groups. 

It is also easy to observe the impact of securitization on Estonia’s current stage of digital development. Decision-making about the various instalments, investments and uses of ICTs are increasingly made at the executive, rather than parliamentary level. Estonia’s views on international law gained new emphasis in the law of cyber operations, the right of self-defence and countermeasures, even collective countermeasures, something that had never been the main emphasis in a small state’s take on the rule of law in the international community. 

How to sustain success

There is little doubt that Estonia is (or was) one of the most successful information societies. The choices made in the early 1990s paved the way towards an inclusive, open and free society. However, sustaining these choices in the current strategic climate has proved a daunting task. Recent years have highlighted Estonia’s unwillingness, or perhaps inability, to compromise leading to a daring appeal for securitization and even militarization. 

Having ticked all the boxes of an exemplary information society and a cyber power, Estonia is hardly a whole. Both on- and offline, the country seems still on its way to finding a balance between socio-economic and politico-military expectations and ambitions surrounding the development and use of ICTs. Will there be a meaningful compromise between free and open on the one hand and secure on the other? Can a country be larger, richer and more powerful in cyberspace than offline? 

The outcome of the Estonian experiment has implications way beyond the Baltics, the Nordics or Eastern Europe. Full throttle into the information society has not proven to be a magic formula for many countries. Estonia might add whole new chapters in international relations and economics books – about states as start-ups, societies as projects and lessons about their management. Or it might face dire realities that cannot be substituted by or compensated for using ICTs. Or it might transform on the information highway into something rather different than was originally aspired to. ν

Eneken Tikk (dr.iur.) is Executive Producer of the Cyber Policy Institute (CPI) in Finland and associate researcher at the Erik Castrén Institute (ECI) of International Law and Human Rights at the University of Helsinki. She began her career as a lawyer with interest in ICTs and public international law and participated in developing Estonian data protection, public e-services and cybersecurity legislation. Dr Tikk was member of the team that started the NATO CCD COE, where she established and led the legal and policy branch. During her term as Senior Fellow for Cyber Security at the International Institute for Strategic Studies (IISS, 2012-2016) in Bahrain, Eneken published the Strategic Dossier on the Evolution of the Cyber Domain. She was part of the Estonian delegation in the UN GGE (2012-2013, 2014-2015 and 2016-2017), advising the Estonian experts on international law, international cyber policy and cyber diplomacy. Eneken is co-editor of the Routledge Handbook on International Cybersecurity (2020). She currently leads the Cyber Conflict Portal project at CPI and the International Law project at ECI, with particular focus on the role of international law in cyber conflict prevention.