top of page

Ten Years After the Estonian Cyberattacks: Defense and Adaptation in the Age of Digital Insecurity

Stephen Herzog, Yale University, explains how to prevent such attacks from happening in the future and examines the international impact of the Stonian cyberattack.


This article revisits the cyberattack suspected of being carried out by Russia against Estonia in 2007 as well as the events that led up to the attack. It then dives into the question of how to prevent such attacks from happening again in the future, makes note of what steps Estonian lawmakers and society have taken to safeguard themselves from another such attack, and then examines the international impact of this attack. The article ends with takeaways from the example of Estonia that can be applied to any state concerned about the threat of cyberwarfare.

Just a decade ago, cybersecurity was a somewhat emergent field in global affairs. Much has changed in terms of public awareness, political and corporate discourse, and the availability of policy and academic literature. From the Clinton and Macron hacks, to allegations of Russian-controlled Twitterbots spreading “fake news,” to the WannaCry ransomware attacks, threats emanating from the Internet have gone mainstream. But has the media attention given to political disinformation campaigns, digital vandalism, and industrial espionage come at a cost? Have we simply forgotten that anonymous and sophisticated hackers—often employed or supported by states—may have the ability to threaten power grids, online banking, and strategic weapon systems?

Ten years ago, the small Baltic state of Estonia fell victim to a state-sanctioned, or state-sponsored, cyberattack by Russian hackers. The 2007 strikes on Estonia were comparatively different than other incidents involving state actors. Titan Rain entailed coordinated cyberespionage of Chinese origin on US government information systems. The Stuxnet worm unleashed a precision attack on Iran’s centrifuges for uranium enrichment at the Natanz nuclear facility. And the North Korean hacks on Sony inflicted punitive damage on the Sony Corporation for its cinematic depiction of Kim Jong-un. In sharp contrast, what happened in Estonia was a gateway attack; by disabling services used by nearly all Estonians, the hackers gave the world a preview of the future extremes of cyberwarfare. While it is overblown to refer to what happened in Estonia as full-fledged cyberwar, the attacks raised the specter of digital targeting of a state’s critical infrastructure. It is this chilling possibility that prompted a multitude of complementary initiatives by Estonia to protect its population from a cyber redux.

This article explores the Estonian government’s efforts to safeguard their state from a future cyberattack of an equivalent or greater magnitude than the 2007 hacking. After reviewing the events of 2007, I discuss four different policy arenas: national cyber defense, legal modifications, societal adaptation, and international collaboration. I argue that the changing nature of Estonia’s national capabilities and readiness to counter disruptive Internet strikes sets the global standard. Looking back at Tallinn’s activities over the past decade, there is much for the international community to admire and emulate.

Revisiting the Estonian Cyberattacks

The 1996 announcement of Project Tiger Leap foreshadowed Estonia’s emergence as the most tech-savvy country in Europe through state investment in information and communication technology (ICT).(1) By 2007, 60 percent of Estonians were daily Internet users, while 97 percent of banking took place online.(2) Additionally, the Estonian national identification card made possible a digital signature for paying taxes, submitting social service requests, and even voting—all entirely over the Internet.(3) Tallinn also relied on the Internet for its critical infrastructure, including the power grid and water supply. “E-Estonia” is thus a paradoxical case for understanding contemporary digital security, as beneficial technological advancements opened the door to pronounced strategic vulnerabilities.

It is no secret that Estonia-Russia relations are fraught with tension. A former imperial Russian governorate, Estonia won independence from the nascent Soviet Union in 1920, only to face twin occupations in 1940 and 1944, lasting until the USSR dissolved. Moscow ruled with an iron first and relocated hundreds of thousands of ethnic Russians to Estonia to “Russify” the state’s culture.(4) After the Cold War, Tallinn deprived these transplants of opportunities for citizenship, while Russia issued them passports.(5) Estonia then joined the North Atlantic Treaty Organization (NATO) in 2004 to gain protection against Russia and obtained formal Atlantic Alliance defense contingency planning in 2010.6 It even took until 2014 before the two countries adopted a treaty delineating their geopolitical borders.(7)

The intersection of Tallinn’s ICT reliance and sour relations with Moscow set the stage for the Bronze Night protests. Following victory in the March 2007 parliamentary elections, the conservative government of Prime Minister Andrus Ansip prepared to relocate Bronze Soldier, a statue commemorating the Soviet liberation of Estonia from the Nazis, on April 30. The plan was to move the memorial—seen as a hallmark of oppression by many Estonians—from Tõnismägi Park in central Tallinn to the secluded Defense Forces Cemetery of Tallinn. Among Estonia’s large Russian minority (26 percent of the national population at the time), the move smacked of further ethnic discrimination, prompting largescale riots from April 27 to 29 and smaller demonstrations thereafter.(8) When the dust settled, there were more than 1,300 arrests, one hundred injuries, and one fatality.(9)

This conflict was not simply ethnopolitics and Molotov cocktails—the accompanying cyberattacks were more frightening than the physical riots themselves. For three weeks, “hacktivists” targeted “the government, the president, the parliament, police, banks, Internet service providers (ISPs), online media, as well as many small businesses and local government sites.”(10) The culprits took control of computers in Egypt, Russia, and the United States and used them against Estonian servers and routers with email spam and ping and user datagram protocol flooding attacks.(11) In this distributed denial of service (DDoS) attack, websites normally handling 1,000 hits a day crashed upon receiving 2,000 hits per second.(12) Online banking, credit card, and ATM transactions ground to a halt, while government email servers and websites went offline or were defaced.(13) Estonian news media websites lost the ability to upload articles, while false Russian-language media reports streamed in describing the destruction of the Bronze Soldier and the graves of Russian veterans.(14) Te Estonian Computer Emergency Response Team (CERT) needed to collaborate with private-sector volunteers; the governments of Finland, Germany, Israel, and Slovenia; and NATO and European Union (EU) institutions to restore normal network operations.(15) This process involved temporary disconnection from international data links, allowing Estonia to “keep communications running domestically” as the CERT repaired infected systems.(16)

Assessing the Events of April 2007

Definitive attribution was unsuccessful owing to the hackers’ ability to control remote networks and hide behind masked Internet protocol (IP) addresses. What is clear is that Russian-language Internet forums urged on the activities.(17) While the Kremlin denied culpability, “Estonian officials like Foreign Minister Urmas Paet quickly accused Russia of perpetrating the attacks, but European Commission and NATO technical experts were unable to find credible evidence of Kremlin participation in the DDoS strikes.”(18) This lack of evidence came despite many experts, including NATO officials, asserting that the attacks were beyond nonstate actor capacities.(19) However, Moscow refused to cooperate on attribution, accused Tallinn of human rights violations, and called on Ansip to resign.(20) As the DDoS raged on, Russian president Vladimir Putin condemned the Bronze Soldier’s relocation: “Those who desecrate monuments to the heroes of the war are insulting their own people and sowing discord and new distrust between states and people.”(21) Te Kremlin declined to intervene in violent protests outside the Estonian embassy in Moscow, which even saw an assault on Tallinn’s ambassador.(22) In the end, Estonia made a few token arrests, with a single conviction carrying a minor fine.

Keep reading and access the full article here.

Stephen Herzog is a PhD candidate in political science at Yale University, where he is also a graduate fellow with the European Studies Council. He previously worked on science diplomacy projects across the former Soviet Union region for the U.S. Department of Energy.


bottom of page