Estonia Leads the Way in NATO's Cyberdefense - Baltic country's response to 2007 cyberattacks has pu

By Thomas Grove The Wall Street Journal

April 30, 2017 7:00 a.m. ET

TALLINN, Estonia—A hotel conference room in the Baltic republic of Estonia recently became the front line in a rehearsal for cyberwarfare, in an exercise that tested the North Atlantic Treaty Organization’s readiness to repel hackers.

Last week, nearly 900 cybersecurity experts from across Europe and the U.S. participated in an event hosted in Tallinn to focus on defending a fictional country against a simulated cyberattack. The defenders faced real-world scenarios: a knocked-out email server, fake news accusing a NATO country of developing drones with chemical weapons, and hackers compromising an air base’s fueling system.

The exercise—dubbed Locked Shields 2017—was unprecedented in complexity, organizers say. And for the Estonian cybersecurity team hosting the event, it marked the 10-year anniversary of cyberattacks that crippled the Baltic nation’s nascent digital infrastructure. The attacks, blamed on Russia, swamped Estonian banking and government websites and threatened to take the country offline.

Since the 2007 cyberattacks, the former Soviet republic of 1.3 million has transformed into one of Europe’s most tech-savvy countries. Its importance to NATO is vast: As well as playing a central role in hosting the alliance’s deterrent force in the Baltic region, Estonia is at the forefront of the alliance’s defenses against hacking.

Following Russia’s alleged hacking of the Democratic National Committee ahead of last year’s U.S. presidential election, the urgency has never been greater.

To establish a stronger line of cyberdefense, Estonia established a volunteer body that can be called on to protect the country’s digital infrastructure. The unit’s volunteers donate their free time to regular training, much like a national guard. And they are responsible for defending everything from online banking to the country’s electronic voting system if an attack occurred. 

Participants work on their tasks during a live-fire cyberdefense exercise in Tallinn. PHOTO: VALDA KALNINA/EUROPEAN PRESSPHOTO AGENCY

“We have lots of talented people who work in the private sector and we offered them the possibility of working once a week for a more patriotic cause,” said Toomas Hendrik Ilves, the former Estonian president who oversaw the creation of the unit. “You basically think of the most dystopian future imaginable and try to defend against that.”

The Russian government consistently maintains that it doesn’t interfere in the internal affairs of other countries, and denies orchestrating cyberattacks. But NATO officials say they have seen an increase in cyberattacks on their networks.

NATO Secretary-General Jens Stoltenberg said earlier this year there were an average of 400 attacks a month on alliance networks, up 60% from the previous year. He didn’t indicate who may have been behind them.

“Our aim is to give [people] the proper mind-set and capabilities to defend against attacks and to protect the lifestyle we are used to,” said Aare Reintam, one of the organizers of the event.

During the exercise—the eighth in an annual series—teams faced not only simulated attacks on computer software, but also on critical infrastructure. Planners introduced another challenge: fake news. Participants in this year’s exercise had to confront questions from a hostile press.

Organizers hope the experience gives other countries a chance to bolster their own defenses against cyberattacks. The Maryland National Guard has consulted with Estonia over its use of a cyber variant of a national guard. Neighboring Latvia, also a NATO member, implemented the cyber national guard model in 2014.

“We’re not gearing up to go and invade anyone, we’re worried about building up our defensive skill set,” said Rain Ottis, a 36-year-old university professor who is a longtime organizer in Locked Shields. “We have much to protect and much to lose in terms of cyberspace and way of life.”

While the event wasn’t an official NATO training exercise, the alliance had an official presence, and its NATO-accredited hosting center has been praised by Mr. Stoltenberg.

For Estonians, the Russian hacking threat is viewed as real and urgent. Earlier this year, Estonian parliamentarian Marko Mihkelson received an email that appeared to be from NATO, offering a link to what claimed to be an official analysis of a North Korean missile launch.

Mr. Mihkelson, who is chairman of the parliamentary foreign-affairs committee, didn’t click the link. Instead, he flagged the email to cyber experts who said it employed the same malware used last year against the DNC by an alleged group of Russian hackers known as Fancy Bear.

“Their activity in cyberspace is more aggressive, and they’re not even hiding it any more,” the lawmaker said, blaming Russia for stepping up hacking attacks.

Some analysts say Fancy Bear’s use of less-sophisticated phishing attacks that use fake links to compromise system networks is meant not to steal data as much as to announce Russia’s growing cyber presence to Western countries.

“Since 2014 we’ve seen a real shift in Russian operations in which they didn’t really care if they got caught,” said Robert M. Lee, founder and chief executive of cybersecurity company Dragos.

Write to Thomas Grove at thomas.grove@wsj.com