Estonian Cyber Security Case Study

timer Asked: Mar 8th, 2019
account_balance_wallet $15

Question Description

Read the following case study (attached).

Jackson, C. M. (2013). Estonian Cyber Policy after the 2007 attacks: Drivers of change and factors for success. George Mason University, School of Public Policy. ISSN:1947-2633

Answer the following questions:

  1. What strategic recommendations would you make based on your review of the case study?
  2. What operational security aspects should be considered so as to prevent such attacks in the future?
  3. What sort of an encryption policy, if any, would have helped in this situation?


  • Your paper should be 4-5 pages in length, not including the title or reference pages.
  • Be sure to provide citations from your readings and additional research to support your statements.
  • Your paper must follow APA style guidelines, as appropriate.

Unformatted Attachment Preview

Volume VII Spring 2013 Estonian Cyber Policy after the 2007 Attacks: Drivers of Change and Factors for Success Camille Marie Jackson Executive Summary ISSN: 1947-2633 On Friday, April 27, 2007, a number of Estonian government officials could not access their e-mail at work. Microsoft Outlook-based systems were not able to send or receive e-mail, and overall network connectivity slowed.1 Such incidents are fairly common and generally shortlived, and many Estonian officials thought the error would be fixed in a few minutes or hours. However, as days and weeks wore on, it became apparent that Estonia was under a serious cyber attack—or rather a series of attacks---which had significant economic, political, and security consequences for this tiny, technologically-dependent Baltic country. The cyber attacks of Spring 2007 sparked a series of dramatic policy changes designed to make Estonia’s networks more secure, ranging from adjustments to the legal code to the creation of a Cyber Security Strategy and Cyber Defense League. 2 For the remainder of this case study, we will examine the forces driving these policy changes, as well as the special cultural and political dynamics at play that allowed particular proposals to come to fruition. We will then look at the policies that were adopted, and assess the success of these measures. It is important to understand that the cyber attacks on Estonia coincided with an intense political conflict with Russia. After Estonia regained its independence from the Soviet Union in 1990, it began a process of modernization and de-Sovietization—a course that sometimes created tension among the ethnic Russian minority living in Estonia.3 4 Their concern reached a climax in April 2007, as Estonian officials were debating whether to move a controversial bronze Soviet statue located in Tallinn, the Estonian capital. To the ethnic Russian minority, this statue was a symbol of their legitimacy and rights in Estonia.5 But for some Estonians, it represented a brutal Soviet takeover of their country, and in 2006 these citizens petitioned the Tallinn City Council to demolish the monument.6 Spurred by growing protests on both sides, on April 26 and 27, 2007 2 the controversy spiraled into deadly rioting and looting, and the Estonian government decided to dismantle the bronze statue to close the matter and dispel the rioting. 7 It was within this framework that the cyber attacks took place, beginning on April 27, 2007. On April 29, hackers hit the ruling Reform Party’s webpage and posted a message indicating that the Estonian Prime Minister had sought forgiveness from Russia and promised to return the statue.8 Hackers manipulated other websites to redirect visitors to pictures of Soviet soldiers or quotations from Martin Luther King Jr. about resisting “evil.”9 Additionally, a significant portion of Estonian government, banking, and media websites were inundated with Distributed Denial of Service (DDoS) attacks, preventing them from communicating via e-mail or conducting business transactions. The scope, sophistication, and duration of these attacks were unprecedented, according to US scholars.10 The cyber attacks on Estonia had a significant impact in part because Estonian society is so heavily dependent upon modern information systems. In a meeting with President George W. Bush in June 2007, then-President of Estonia Toomas Ilves noted that "it is a serious issue if your most important computer systems go down in a country like mine, where 97 percent of bank transactions are done on the Internet. When you are a highly ‘Interneted’ country like we are, then these kinds of attacks can do very serious damage."11 In addition to Estonian banks’ heavy reliance on online transactions, the country’s eGovernment system also makes it particularly vulnerable to cyber attacks. E-Government is a system that uses the Internet to make government goods, information, and services available to citizens and businesses.12 According to Kristina Reinsalu, program director at the e-Governance Academy, Estonia’s use of e-Government systems to conduct transactions is “remarkably high,” and Estonia ranks first among new members states in the EU for the use of such systems.13 3 These vulnerabilities made the cyber attacks particularly crippling, and basic government functions were adversely affected for weeks. As the attacks continued, Tallinn eventually decided to cordon the nation’s networks off from international servers, isolating the country’s systems to allow them to recover.14 As a result, during this time Estonian computer networks were cut off from the outside world—a solution that served to block the attacks, but created additional connectivity problems. For example, although Estonians could access their e-mail and online services within Estonia, those travelling abroad could not access e-mail or banking services.15 The Estonian networks were finally re-established after several weeks, and reconnected to foreign servers in late May 2007, a month after the initial attacks. 16 Yet an obvious task remained: how could Estonian officials prevent such an attack from happening again in the future? According to Kristjan Prikk, an Estonian diplomat who was stationed at the Ministry of Foreign Affairs when the attacks occurred and at the Ministry of Defense as many new policies were being implemented, four unique forces provided the impetus for Estonia’s new cyber policies: the country’s heavy dependence on information technology; the fact that a number of new policy ideas had already been introduced, but not implemented; strong support from the public and industry to implement changes; and a unified vision within the Estonian government.17 First, Estonia’s heavy dependence on information technology is central to explaining the changes in the country’s cyber policies. Estonia’s heavy use of information technology is part institutional and part cultural. Over the past twenty years, the Estonian government has invested significant resources into modernizing the country’s infrastructure,18 creating institutions and 4 policies to bring Estonia more fully into the twenty-first century, and connecting it more closely with the rest of the world. At the same time, as political scientist Francis Fukuyama has noted, “institutions reflect the cultural values of those in the country in which they are established.”19 The information technology systems that have appeared in Estonia cannot necessarily appear anywhere—Estonia has a unique culture that is open to these establishments, that is willing to do 97 percent of all banking transactions online, and that is willing to sacrifice some privacy in exchange for efficiency, convenience, and modernity.20 According to Linnar Viik, a professor at the Estonia IT College, information technology is a way of life in Estonia, and “this way of life and the values of society aren’t controlled by state ministries of defense. They are supported by culture, education, the economy.”21 Because of this unique blend of culture and institutions, Estonia became a prime location for new, sweeping information technology policies to take hold. Second, in addition to this information technology culture, a number of initiatives to increase Estonian cyber security had already been introduced within the government, but not yet adopted. In John Kingdon’s conceptualization of the policy-making process, solutions to policy problems are often devised long before the problems arise. 22 Then, he argues, policy “entrepreneurs” lie in wait until a policy window opens, at which time they have an opportunity to couple their solution to a particular policy problem.23 The 2007 Attacks were that window. When the cyber attacks struck, Estonian officials had a variety of ideas to choose from and implement; initiatives such as the Cooperative Cyber Defense Center of Excellence (CCDCOE) and the Estonian Cyber Defense League. Third, there was strong support from the both the Estonian public and industry to increase cyber security. According to Mr. Prikk, as Estonian officials were considering and making new 5 policy, “The top political leadership was interested in seeing new policies succeed, while people in the private sector [had] trust; the drive for doing something was everywhere.”24 Before the 2007 Attacks, most of the major banks in Estonia were owned by foreign—primarily Swedish— banks. This ownership structure encouraged Estonian banks to integrate their institutions more closely with the Swedish banks, including hosting servers on Swedish territory. However, after the 2007 attacks, it became apparent that the presence of Estonian banks’ servers on Estonian soil was essential for the banks’ ability to protect themselves and quickly recover from an attack. As a result, the government began instituting regulations on which banks’ and other critical businesses’ servers could be hosted, as well as the size of data storage. Estonian banking firms, which had been hit hard by the cyber attacks, supported government efforts to make their networks more secure. 25 Fourth, Mr. Prikk also noted a sense of unity within the Estonian government, which acted as an added impetus for policy change.26 This factor is comparable to the momentum that propelled the US Congress and the White House to pass new legislation and make significant changes to US homeland security policy following the September 11 Attacks. According to Mr. Prikk, “the interconnectedness between the people and the institutions was the greatest achievement. . . . This was not necessarily a top-down approach or a bottom-up approach, but it was an inclusive approach. Not just a whole of government approach, but a whole of nation approach.”27 Out of the 2007 Attacks emerged a sense of unity, a sense that all elements of the government infrastructure—working together—were necessary to combat the cyber threat. Phillip Bobbit reflects this general idea in his book The Shield of Achilles by noting that: 6 For the first time since the birth of the State, a state structure is no longer necessary to organize violence on a scale that is devastating to society. And yet, perhaps ironically, this development makes the role of the State all the more crucial in achieving international peace and national security. This is because the shift away from retaliatory, threat-based strategies to defensive, vulnerability-based strategies will require a State— indeed will require a society of states—to successfully execute.28 With these four forces driving the Estonian government to enact new policies to secure its infrastructure, Estonia chose to implement several new policies. Czosseck, Ottis and Taliharm outline Estonia’s most salient policy changes in a 2011 paper released by the Cooperative Cyber Defense Center of Excellence (CCDCOE).29 Because of the large number of changes implemented by the Estonian government, for the purposes of this paper we will discuss only three below: the creation of a Cyber Security Strategy, the CCDCOE, and the Cyber Defense League. (For additional policy changes, see Appendix A.) First, the creation of Estonia’s Cyber Security Strategy has been heralded as “the most significant step” in the country’s cyber security response.30 Released in May 2008, the Strategy was created by a multi-agency council led by the Ministry of Defense, and identified five strategic objectives: developing and implementing a system of security measures, increasing competence in information security, developing a legal framework for cyber security, developing international cooperation, and raising cyber security awareness.31 Estonia’s Cyber Security Strategy has become the guiding document for the state’s comprehensive cyber policy, 32 and has been a driving force for additional changes. Second, the creation of the CCDCOE was a significant policy change and, as with a number of initiatives implemented by the Estonian government, had its beginnings well before 7 the April 2007 attacks.33 In 2003, even before Estonia joined NATO, the country recommended the creation of a new “center of excellence” for telecommunications security within the NATO framework.34 Despite general support from NATO leadership, the idea did not gain momentum until after the 2007 attacks, when it received significant support and finally came to fruition in May 2008. According to a press statement on the CCDCOE’s website, “the [CCDCOE] is a NATO accredited international military organization with aim to enhance cooperative cyber defence capabilities of NATO and NATO nations.”35 The CCDCOE is not an active cyber force or a cyber control center—rather it is an international research consortium meant to increase international awareness and understanding of information security best practices. Though seemingly unimpressive, within this consortium Estonia is able to promote international cooperation to solve cyber security problems—a multinational focus that Estonian officials maintain is necessary for success in the cyber security realm.36 A third institutional and policy change was the creation of a Cyber Defense League in 2010. The league is made up of information technology specialists who volunteer to assist the Estonian military during a time a crisis. The Cyber Defense League is made up of small, locally operated units. Prior to 2010, these volunteers worked loosely together to defend Estonian networks, and the creation of an Estonian Computer Emergency Response Team (CERT) in 2006 as well as new policies on information sharing increased collaboration between these groups. However, after the 2007 Attacks Estonia decided to nationalize this unit so that it could more effectively and cohesively defend the country during a cyber attack.37 According to Mr. Prikk, a strong public desire to reach out and help was key to creating the Cyber Defense League. “Whenever there is a big crisis,” he said, “there are always people 8 who…will to do something for the country.”38 Many Estonian citizens self-mobilized following the 2007 Attacks. Some helped in more immediate and visible ways, joining the police reserve force and helping to quell rioting in the streets. A second wave of volunteers responded cyber attacks, as individuals with computer technology skills decided that they, too, would like to help their country.39 By forming the Cyber Defense League, the Estonian government was able to harness this desire and channel it in a comprehensive, constructive fashion. Having examined the driving forces that led Estonia to adopt a series of new cyber policies, we will now examine the effectiveness of these new measures. Cyber policy is a relatively new area of public administration, and because Estonia’s policies are still new and untried, our ability to accurately judge the effectiveness of these measures are limited. However, by examining three criteria—assessments by experts, whether other countries have followed Estonia’s lead, and whether Estonia has successfully defeated additional attacks—we can reach a general estimate of the policies’ success. A number of academics and experts have given general, overarching assessments of Estonian information security policies. Czosseck, Ottis and Taliharm approve of Estonia’s rapid development of its Cyber Security Strategy by noting that these policies are a “significant step” and recommend that other countries adopt their own cyber security strategy.40 Further praise for Estonian policies comes from Dr. Lene Hansen and Dr. Helen Nissenbaum, researchers at the University of Copenhagen and New York University, respectively. They note that Estonian officials were successful in garnering support for cyber security and implicitly give credit to the Estonians for driving forward NATO’s cyber policy, including the creation of the CCDCOE.41 Legal scholar Scott Sheckelfield praises the short-term response of the Estonian Cyber Emergency Response Team (CERT) for ultimately prevailing against the attacks; but believes an 9 international treaty in needed to clarify appropriate responses and prevent future cyber attacks.42 In general, the literature on Estonian cyber policies is positive, although no author has come out with a categorical assessment of all Estonian national information security policies since 2007. Estonia’s adoption of a comprehensive cyber strategy and similar initiatives undertaken in neighboring countries provides the best example of how various nations are following Tallinn’s lead. Since Estonia released its Cyber Security Strategy in May 2008, a number of European countries have released similar strategies, including Germany, the Netherlands, France, and the United Kingdom.43 44 45 46 It is impossible to prove that Estonia’s Strategy was the central catalyst for these new policies, and, indeed, the United States released its own Comprehensive National Cyber security Initiative in January 2008—four months before the release of Estonia’s document.47 However, the proliferation of national cyber security strategies shows that many countries are reaching the same conclusion: it is in a nation’s best interest to develop a comprehensive strategy to secure information networks. Estonia was one of the first nations to adopt such a Strategy, and continues to lead the way in promoting this trend. We can also measure the effectiveness of Estonian policies by observing the extent to which these measures have protected Estonian networks from additional attacks. There have not been any significant computer network breaches reported in Estonia since the 2007 Attacks. The Estonian Information System’s Authority website refers only to the 2007 Attacks when noting the incidents they have addressed.48 However, a lack of visible evidence for a cyber attack is not necessarily evidence of success for Estonian cyber policies. It is possible for the Estonian government to hide breaches of its networks, or significant attacks may have not yet tested the new infrastructure and policies in place. However, available evidence suggests that Estonia has 10 not suffered any debilitating attacks on the same scale as the 2007 incident. If used as one metric among various criteria, we can conclude that these new policies have been successful. It is too early to judge the full effectiveness of Estonia’s policies since the 2007 Attacks. However, the forces driving these policy changes have become clear: the country’s heavy dependence on information technology; the underlying, existing groundwork for a number of these policies; strong support from both the public and industry; and a unified vision and impetus within the Estonian government. These forces suggest that the changes which have taken place in Estonia over the past four years are unique given its culture and position. However, other countries are already mimicking some of Estonia’s new policies, and Tallinn’s initiatives may continue to set precedents as cyber security becomes more important in world affairs. 1 Based on a personal interview with Mr. Kristjan Prikk, currently an Estonian diplomat stationed in Washington DC, and in April 2007 stationed at the Ministry of Foreign Affairs in Tallinn, 21 November 2011. 2 Christian Czosseck, Rain Ottis and Anna-Maria Taliharm, “Estonia After the 2007 Cyber Attacks: Legal, Strategic and Organizational Changes in Cyber Security.” Cooperative Cyber Defense Center of Excellence Website, 2011. _Attacks.PDF. 3 Raphael Shen. Restructuring the Baltic Economies: Disengaging Fifty Years of Integration with the USSR. 1994. London: Praeger Westport, 1-2. 4 Marju Lauristin and Mati Heidmets. The Challenge of the Russian Minority: Em ...
Purchase answer to see full attachment

Tutor Answer

School: Boston College

Hi, I'm through with the case study and here is the solution. I've made sure to follow all the instructions. In case of any question or edits reach me out here we work on it together.


Estonian Cyber Security Case Study
Student’s Name
University Affiliation




During the 2007 cyber-attack, Estonia was far much ahead in terms of development
among the countries in Europe concerning the extensive use of information and communication
technology (ICT) in entirely all the fields. They relied so much on the use of the internet to
conduct a broad extent of transacting business and lived to be a usual routine. For instance,
approximately 99% of the banking transactions were made electronically, above one hundred
public e-commerce services were there and the first elections to be made online in the world.
Estonian government made a great achievement from the use of technology. As Estonia
continued using technology, cyber attacks became prone as seen in the recent shooting in 2007.
This case study will not only discuss the evaluation of the incidences, but also it is widely going
to talk about the Estonians cybersecurity policies and the operational aspects which should be
considered to prevent future attacks (Czosseck, Ottis, & Talihärm, 2011). Additionally, it will
discuss the strategic recommendation that would be made in this case.
The recommendation that would be made based on a review of the case study.
Cyber threats have become prone in business as the number of cyber thugs has increased
and keeps o...

flag Report DMCA

awesome work thanks

Similar Questions
Hot Questions
Related Tags
Study Guides

Brown University

1271 Tutors

California Institute of Technology

2131 Tutors

Carnegie Mellon University

982 Tutors

Columbia University

1256 Tutors

Dartmouth University

2113 Tutors

Emory University

2279 Tutors

Harvard University

599 Tutors

Massachusetts Institute of Technology

2319 Tutors

New York University

1645 Tutors

Notre Dam University

1911 Tutors

Oklahoma University

2122 Tutors

Pennsylvania State University

932 Tutors

Princeton University

1211 Tutors

Stanford University

983 Tutors

University of California

1282 Tutors

Oxford University

123 Tutors

Yale University

2325 Tutors