RC Views
Viljar Veebel


Taking initiative in cyber deterrence against Russia?

20.10.2016

Introduction

In the mid-1980s and 1990s, when the term “cyber security” made its appearance in the international arena, the topic tended to be considered either as an internal political issue or an elitist project. Today, however, cyber security issues are becoming increasingly important in the light of the risks and challenges arising from modern warfare techniques, which skilfully combine military aggression, attacks on information and communications systems, disinformation in the international arena as well as at the local level, and psychological pressure. Experience gained over the last decade around the world has shown that threats arising from the cyber sphere could negatively affect each and every one of us, and do so rather unexpectedly, in various ways and on a large scale.

The current study focuses on two aspects related to cyber security in the Baltic States. First, how seriously should the Baltic countries take the threats arising from modern cyber warfare? Second, is cyber deterrence against Russia possible and achievable, and under what circumstances?

 

How vulnerable are the Baltic countries to threats arising from modern cyber warfare?

Issues related to cyber security and cyber deterrence are, next to the conventional security challenges, particularly important for Estonia, Latvia and Lithuania. Being increasingly dependent on ICT, the Baltic countries are particularly vulnerable to cyber attacks. Moreover, given that a cyber attack could pose extensive threats to society similar to military aggression, and that the Baltic countries have linked their national security concepts to NATO membership and collective deterrence as a security guarantee, the question arises of whether the current deterrence concept, toolbox and allocated resources are sufficient to convince potential “enemies” to give up their intentions to attack the information systems, public infrastructure or other critical objects in the Baltic countries.

It is no secret that Estonia, Latvia and Lithuania are feeling increasingly threatened by Russia’s aggressive behaviour in the neighbouring countries. Thus, special attention should be directed to cyber deterrence towards Russia. Recent history has clearly shown that there are good reasons to do so. More specifically, in 2007 Estonia already faced serious cyber attacks, and although the organizers of these attacks could not be identified with absolute certainty[1], the evidence and context do not allow much doubt about their origin. Especially in the early phase of the attacks, some of the internet addresses of the attackers pointed directly to Russian state institutions, and there is also sufficient proof that Russian speakers were involved in the attacks[2]. In spring 2007, only several hours after Estonia relocated a Second World War memorial dedicated to Soviet soldiers, along with the public protests organised by the local Russian-speaking community, for a period of 22 days the country experienced aggressive cyber attacks that hampered the functioning of numerous websites, weakened public infrastructure, and harmed telecommunication and the banking sector, causing financial losses. Among various methods, illegal robot networks (or botnets) consisting of 85,000 computers from 178 countries were used in three waves to attack the websites of the Estonian parliament, presidency, ministries, political parties, commercial banks, big news agencies, telecommunication companies and even the emergency call service[3]. On security grounds, these websites were closed to foreign internet addresses over a certain period and were accessible only for domestic users. For example, the website of a major local news agency was inaccessible to international visitors for a week.
These actions were also symbolic in being considered the first incident in modern cyber warfare (the so-called Web War I), where organized and guided cyber-attacks were used to terrorize a particular country and to destabilize its society. Not surprisingly, while Russia has denied its participation in these cyber incidents, it declined to cooperate in a joint investigation.

 

Would Russia use “cyber war” techniques again to destabilize the Baltic region?

Based on the strategy Russia has applied in the regional conflicts with its neighbours in the years following the first cyber attack, it is highly unlikely that the elements of “cyber warfare” will not also play an important role in possible future conflicts fuelled by Russia. Namely, a similar or even more advanced pattern compared to the attack on Estonia could be observed during the Russian-Georgian conflict in 2008 and during the Ukrainian conflict from 2013 on. In Georgia, the targeted denial-of-service attacks (DDoS) were combined with military attacks both to impede strategic communication at the national level and to give rise to panic among civilians. During the Russian-Ukrainian conflict, among other methods, Russia’s strategy has focused on disinformation and psychological warfare by online media and various webpages, massive internet trolling on social media, and even attacks on mobile phone operators, both to destroy the morale of Ukrainian soldiers and to attack their families and relatives. Thus, modern cyber war is definitely spreading and assuming worrying dimensions.

Considering Russia’s current ambitions with regard to Ukraine, it could be assumed that nowadays Estonia, Latvia and Lithuania are not likely, or at least not the most important, targets of the cyber attacks initiated or supported by Russia. However, as both the profile and the dimension of the “cyber war” from 2007 have shown, the Baltic countries are very vulnerable to threats arising from modern cyber warfare. If there is going to be a change in terms of transatlantic security priorities (e.g. Donald Trump succeeding in the U.S. presidential elections), it may well happen that one of the Baltic countries comes under considerable pressure again.

 

How to defend oneself against cyber terror?

Following its experience, Estonia has become one of the digital pioneers in international cyber security. Fortunately, contrary to one’s military capabilities and power games, the size of a country does not make much difference here. As regards cyber war, the whole world is the new battlefield, where quality, initiative and position are often more important than brute quantity, playing a crucial role when aiming at victory or deterrence. Waiting for the first moves of the opponent and hoping only for defence can hardly be the option for success. Additionally, standardized and comfortable administrative procedures in combination with the highest possible compliance with international law may offer an advantage compared to an opponent using a more flexible command model and a selective approach to international law.

However, today the EU as a whole does not seem comfortable with having a serious pre-emptive strategy, including actions, against Russia as regards Russia’s violation of international norms and the country’s unacceptable behaviour both in the military arena and in the cyber world. In this sense, the current deterrence network relying on rhetoric[4] but not on credible retaliatory capacity is basically useless for the Baltic countries. Here, the key to success relies on deeper knowledge of (and testing out) when cyber deterrence becomes credible and when not, as well as what would make Russia withdraw from a conflict.

It is also important to notice that the leading role of the Baltic states in cyber defence could be at risk if the current national initiative is discouraged by outdated rules, moral dilemmas, inadequate legal procedures, incompetence caused by rotation and unwillingness to contribute to the area financially and in terms of international cooperation.

To win the “game” in terms of deterrence, the Baltic countries should take the initiative from Russia and endeavour to stay a step ahead of it. This is achievable when, first and foremost, the resources and the knowledge of both the private and the public sector are combined. This would guarantee more flexibility when countering cyber threats.

First, planning, preparations and the toolbox of actions need to follow a pre-emptive aim, since after a first successful attack by Russia there might no longer be sufficient resources for further defence or counterattack. There is also no need to stay defence oriented and proportionally reactive, as it only limits the options for success.

Second, the organizational structure and procedures of cyber defence units need to combine the best practices from the public, private and military sectors, each having their advantages but also weaknesses. The command chain must be as function-oriented as possible and must also include automatic procedures and flexible power delegation options in crucial situations.

Third, options provided by globalization and limited legal regulation in terms of cyber security must be fully investigated and used. There is no need to limit preparations and actions to traditional geographical locations, “best-practices” of the public sector and traditional solutions. A cyber security unit can and should also have its cells outside NATO territories, by employing private contractors and using unexpected retaliation tactics, which would lead to the best possible deterrence against the current Russian model of aggressive hybrid warfare.

 



[1] Next to Russia, computers from the USA, Japan, Vietnam, China, Egypt and other countries were also used for coordinated cyber-attacks against Estonia in 2007. Paradoxically, servers located in several NATO countries were also used for cyber-attacks against Estonia.

[2] In addition, there was a lot of discussion in Russian internet forums about organizational issues, e.g. sharing experiences and giving advice, before the cyber-attacks against Estonia started.

[3] More information on the incident can be obtained, for example, from the CERT Estonia annual review 2007 (https://www.ria.ee/public/CERT/CERT_2007_aastakokkuv6te.pdf, available in Estonian).

[4] In 2014, Jens Stoltenberg argued that cyber attacks could potentially trigger NATO’s mutual defence guarantee (or Article 5); however, as could be seen, for example, from Estonia’s experience in 2007, in practice it would be extremely complicated, if not impossible, to apply.

 
