- Research Programs
- Regions & Topics
- All Publications
A nation must think before it acts.
In 2017, a skillful combination of military aggression, attacks on information and communications systems, widespread disinformation, and psychological pressure has established itself as the winning formula in modern hybrid conflicts. This winning strategy has made cyber security—once a marginal issue—crucial. The Baltic states, especially Estonia, see themselves as frontrunners in the development of cyber-defense and cyber deterrence. Moreover, in contrast to conventional warfare, in cybersecurity, quality can match, if not outdo, quantity. However, in light of growing pressure from Russia, are the cyber-defence centers of the Baltic states ready for effective deterrence? Experts and government officials alike must avoid falling into the false comfort-zone of the collective defence narrative. While the Baltic states must believe in their (and NATO’s) collective cyber deterrence, Russia must also find it credible.
Success and supremacy in cyber deterrence for the Baltic states, as for Russia, depend on several factors: a) the ability to define legal and moral limits for effective engagement; b) the ability to the gain the initiative; c) the ability to combine military and civilian competence; and d) the ability to understand the characteristics of the cyber security battlefield.
The main obstacles on the road to cyber supremacy and convincing deterrence include self-imposed legal limitations, moral hesitation, lack of testing and feedback methodology, and the tendency to follow comfortable and traditional “best practices.”
Increasingly dependent on sophisticated digital technologies (including digital signature, cloud-based civil services, e-governance), the Baltic countries are particularly vulnerable to cyber attacks. While they should direct special attention to cyber deterrence against Russia, the attacks may come from all directions, even from inside the Baltic states and their civil service networks.
Recent history has clearly shown good reason for any country to be well prepared. In 2007, Estonia faced serious cyber attacks. Although the attackers could not be identified with absolute certainty, some of the internet addresses of the attackers pointed directly to Russian state institutions. There is also evidence that local Russian speakers had a role in the attacks. Just hours after Estonia had relocated a Second World War memorial dedicated to Soviet soldiers, the country experienced aggressive cyber attacks, along with protests organized by the local Russian-speaking community for 22 days.
In three waves, illegal robot networks (or botnets), consisting of 85,000 computers from 178 countries, attacked the websites of the Estonian government, political parties, commercial banks, news agencies, telecommunication companies, and even the emergency call service. In response, these websites temporarily closed access to foreign internet addresses. For example, a major local news agency banned foreign visitors for a week from its website. These attacks became the first incident in modern cyber warfare (the so-called Web War I), where organized and guided cyber attacks were used to terrorize a particular country and to destabilize its society. While Russia denied participation in these incidents, it declined to cooperate in a joint investigation.
Based on Russia’s strategy in Ukraine and Georgia, elements of “cyber warfare” will likely play an important role in future Russian conflicts. Russia carried out similar or even more advanced attacks during the Russian-Georgian conflict in 2008 and the Ukrainian conflict from 2013. In Georgia, attackers combined targeted denial-of-service attacks (DDOS) with military action to impede strategic communications and to create panic among civilians. During the Russian-Ukrainian conflict, Russia’s strategy has also focused on disinformation and psychological warfare through online media, massive trolling on social media, and even attacks on mobile phone operators. In contrast to their NATO counterparts, Russia’s cyber and propaganda units have shown great independence from moral considerations or legal hesitation, using every opportunity to compromise the Baltic states and NATO.
Considering Russia’s current ambitions in Ukraine, the Baltic states are not likely the most important targets of Russian cyber attacks. However, as the “cyber war” from 2007 showed, they are vulnerable. If transatlantic security priorities change after Brexit and Trump’s election, the Baltic countries may come under considerable pressure again.
Following its experience in 2007, Estonia has become a pioneer in international cyber security. Fortunately, contrary to military capabilities and power games, the size of a country does not matter much here. A cyber war’s battlefield is the whole world, and quality, initiative, and position are often more important than quantity. Waiting for the opponent’s first moves and relying only on defense does not bode well for success. Additionally, standardized and comfortable administrative procedures in combination with the highest possible compliance with international law offer little advantage against an opponent using a more flexible command model and selective approach to international law.
However, today, the European Union as a whole seems uncomfortable creating a serious pre-emptive strategy against Russia’s violation of international norms both in the military arena and in the cyber world. From the Baltic perspective, the current deterrence network relying on rhetoric but not on credible retaliatory capacity is essentially useless. The key to success relies on deeper knowledge about and testing of when cyber deterrence becomes credible as well as what would make Russia withdraw from a conflict. The leading role of the Baltic states in cyber defense could be at risk if outdated rules, unwarranted moral dilemmas, inadequate legal procedures, incompetence due to personnel mismanagement, and insufficient financing discourage the current national initiative.
The Baltic countries should strive to stay a step ahead of Russia. To achieve this goal, they must combine the resources and the knowledge of both the private and the public sector, guaranteeing more flexibility when countering cyber threats. First, cyber deterrence and cyber defense must be re-conceptualized and distinguished from one another. The Baltic states all too often understand cyber defense as a passive instrument that produces effective deterrence by itself. Thus, they focus mainly on reactive and defensive measures, with the status quo as the best possible outcome in regional cyber confrontation. As part of a re-conceptualization of cyber deterrence, it is also crucial to better understand Russia in terms of its fears and weaknesses, and a wider circle of specialists should contribute to cyber deterrence. More awareness of Russian technological capabilities, motives, and recent practices is also necessary.
Second, the organizational structure and procedures of cyber defense units need to combine the best practices from the public, private, and military sectors, each with advantages and limits. The command chain must focus on results as much as possible, with automatic procedures and flexible power delegation in critical situations. Currently, army practices and rules dominate the logic of decision-making and resource distribution. However, the military rotation cycle, rank-based roles, commitment to manuals, the tendency to avoid innovation, strong limits for investments and procurements, and intolerance to failures do not contribute to success in cyber conflicts. Speed, flexibility, expertise, and new solutions are crucial there.
Third, globalization and limited legal regulation of cyber security and deterrence must be fully exploited. There is no need to limit preparation and actions to traditional state boundaries, “best-practices” of the public sector, moral considerations, and legal hesitation. Cyber security units can and should have cells outside NATO territories, employ private contractors, and use unexpected retaliation tactics. Taking these actions can create the best possible deterrence against Russia’s model of aggressive hybrid warfare. Governments must equip their cyber units with the best possible resources in advance, and these units should have permission to test their tactics and tools and tolerance for failure during the development of these procedures. To start, more visible power, initiative, and agility will help to create effective deterrence against Russia.
In practical terms, cyber defense action needs to follow a pre-emptive mentality because if Russian forces attack first, they might disable further defense or counterattack capabilities. By limiting cyber defense only to self-defense in the spirit of best moral and legal considerations, the Baltic states and NATO in general give Russia a comfortable zone of action. NATO voluntarily restricts itself from efficient strategies and warfare. Crimea was a clear sign for the West that in a hybrid war restricting oneself to a reactive role and “playing a Russian game” without innovation and initiative will lead to defeat.
Baltic states have very little time and a lot to do: these countries and NATO should not merely focus on spending 2% of GDP on defense, but be more specific about the capabilities required to achieve the compulsory level of traditional and cyber deterrence. Goals, red lines, and success markers require more clarity. After Brexit in the UK, and the U.S. presidential elections, the Baltic states must further develop their cyber capabilities, especially cyber deterrence. Preserving peace may depend on it.