Lessons from Estonia’s Cyber Army
Dr. Who fans, don’t get excited. Estonia is not creating an army of Cybermen.
Instead, as reported by NPR, it has created an all-volunteer force of programmers and computer scientists that would be mobilized to defend the country during a cyberwar.
The responsibility would fall to a force of programmers, computer scientists and software engineers who make up a Cyber Defense League, a volunteer organization that in wartime would function under a unified military command.
“[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies,” Defense Minister Jaak Aaviksoo says. The force carries out regular weekend exercises, Aaviksoo says, “to prepare for possible cyber contingencies.”
For a nation as dependent on the internet for everyday life as Estonia, the fear of cyber attack is strong, and the risk was made vivid by the 2007 assault on many of the country’s networks. The fear is so strong, in fact, that serious consideration is being given to instituting a cyber draft:
The sense of cyber vulnerability in Estonia has been a key rallying point for the Cyber Defense League. No democratic country in the world has a comparable force, with computer specialists ready and willing to put themselves under a single paramilitary command to defend the country’s cyber infrastructure.
Aaviksoo says it’s so important for Estonia to have a skilled cyber army that the authorities there may even institute a draft to make sure every cyber expert in the country is available in a true national emergency.
There seem to be some obvious lessons for U.S. cyber efforts, but cultural differences may present too large a firewall…
In the United States, most top cybersecurity experts work in the private sector and are not available for government duty, even in times of an emergency. Stewart Baker, who tried to coordinate cyberdefense efforts at the Department of Homeland Security under President George W. Bush, says a Cyber Defense League like Estonia has would have been helpful.
But Baker, a former general counsel at the National Security Agency, says it’s been hard in the United States to promote public-private collaboration in cybersecurity.
“The people who work in IT in the U.S. tend to be quite suspicious of government,” Baker says. “Maybe they think that they’re so much smarter than governments that they’ll be able to handle an attack on their own. But there’s a standoffishness that makes it much harder to have that kind of easy confidence that you can call on people in an emergency and that they’ll respond.”
Potential lessons learned for U.S. homeland security are not limited to the cyber arena.
The unit is but one division of Estonia’s Total Defense League, an all-volunteer paramilitary force dedicated to maintaining the country’s security and preserving its independence.
Aaviksoo says Estonian civilians are willing to be mobilized to defend their country because of their experience of invasion and occupation: by the Soviet Army in 1939, followed by the Germans in 1941 and then again by the Soviet Union, which occupied Estonia until it broke free in 1991.
“Insurgent activity against an occupying force sits deep in the Estonian understanding of fighting back,” Aaviksoo says, “and I think that builds the foundation for understanding total defense in the case of Estonia.”
While a paramilitary force is not required in the U.S. to preserve our independence, the Estonian Total Defense League could be a model for increasing citizen resilience, in particular active participation in prevention, mitigation, preparedness, response, and recovery activities. A Total Resilience League?
CERT is a good, if underfunded and underdeveloped, first start in this direction. The next step should be a concentrated effort to engage those outside of traditional homeland security communities with relevant expertise or experience to participate in resilience-building activities. For example, veterinarians as well as anyone else with a modicum of medical training should be accepted as providers/responders during any catastrophe that overwhelms traditional response organizations (thus helping to create community medical resiliency). Unfortunately, I fear that ingrained attitudes found within those organizations, concerning behavior of the public in general and volunteers in particular during events of all sizes, will be a major impediment. But we can always hope.







