The Estonian government is negotiating with the UK to back up terabytes of data that includes birth records, the electoral roll, property deeds, banking credentials and the entire government bureaucracy.
The FT reports that concerns over cyber attacks from Russia have led the small, but highly digital, Baltic nation to consider a backup data center in the UK.
“We have a very aggressive neighbor and we need to be sure that whatever happens to our territory in the future, Estonia can survive,” Taavi Kotka, Estonia’s cyber chief told the FT.
“In Estonia we already vote over the internet, we pay taxes over the internet — there’s almost nothing now we don’t do digitally.”
Estonia, which has a virtually paperless society that uses a unique encrypted digital identity for everything from travel, to bills, to hospital check ins, is seen as one of the most digitally advanced nations in the world. While this has been seen as a positive by many, it makes the country particularly vulnerable to cyber attack.
Negotiations with the UK are still in their early stages, with issues such as who is responsible for defending the data should Estonia be digitally attacked still up for debate, but Britain’s vote to leave the EU is also thought to have complicated matters. Due to Brexit, Estonia is also negotiating with Luxembourg - which is also the site of NATO’s digital backup.
The news comes at a time of heightened tensions between Russia, Estonia and the rest of NATO. This summer, with sanctions still underway over its actions in Ukraine, Russia is set to carry out over 2,000 armed forces exercises, some involving more than 100,000 troops.
Russia is also set to send 3 new divisions, totaling 30,000 troops, to its western and southern borders, while NATO is sending more than 4,000 troops to defend Estonia, Latvia, Lithuania and Poland.
In a 2014 speech in Estonia, US President Obama said: “I say to the people of Estonia and the people of the Baltics, today we are bound by our treaty Alliance. We have a solemn duty to each other. Article 5 is crystal clear: An attack on one is an attack on all. So if, in such a moment, you ever ask again, ’who will come to help,’ you’ll know the answer – the NATO Alliance, including the Armed Forces of the United States of America, ’right here, [at] present, now!’ We’ll be here for Estonia.”
But if Russia were to attack Estonia purely with a cyber attack, it is unclear whether that would trigger Article 5. Last month, cyber was designated an official operational domain of warfare, along with air, sea, and land.
Secretary General Jens Stoltenberg said: “NATO has made it clear that cyber-attacks can potentially trigger an Article 5 response. We need to detect and counter cyber-attacks early; improve our resilience; and be able to recover quickly. A more active cyber policy should be a focus as we plan for Warsaw. Cyber defense is just one of the capabilities we need in order to deal with the changed security environment.”
However, cyber attacks are not as easy to trace as conventional warfare - for example, the US’ NSA and CIA, and Israel’s Unit 8200 are heavily believed to have been behind Stuxnet, the first known case of a cyber attack destroying physical infrastructure, but this has yet to be officially confirmed.
With the country behind certain cyber attacks uncertain, it is not known if NATO would be able to effectively retaliate against an unconfirmed assailant.
Russia has excelled at this hybrid unconventional warfare, using a mixture of cyber attacks, government backed-insurgencies and propaganda to augment its traditional military actions.
In 2007, amid a dispute between Russia and Estonia over a Soviet-era grave marker and war graves, Estonian banks, ministries, newspapers, broadcasters and parliament websites were brought down by a massive distributed denial of service type attack, while the Estonian Reform Party website was defaced. Russia said that allegations of its guilt were “unfounded.”
Ahead of and during the 2008 Russo-Georgian war, DDoS attacks and defacements on Georgian government and media sites led to mass confusion, with fake news articles seen as a combination of cyberwarfare and psy-ops.
Russia denied involvement in the cyber attacks, pointing the finger at cyber crime organization the Russian Business Network (RBN). In 2009, security researchers from Greylogic concluded that there was “a strong likelihood of GRU/FSB planning and direction at a high level while relying on Nashi intermediaries and the phenomenon of crowdsourcing to obfuscate their involvement and implement their strategy.”
Cyber security firm FireEye in 2014 said that ATP28, a hacker group responsible for hacking military targets such as NATO, the EU and government ministries, was actually state cyber espionage group supported by the Russian government. Russia denies the allegation.
Ukraine, which is currently locked in a bitter civil war thought to be funded by the Russian governments, saw mobile phone network and internet connections severely hampered, government websites DDoSed and social networks hacked.
It is also believed that the Russian government was behind the massive cyber attack on Germany’s lower house of parliament in 2015.
A Baltic problem
Estonia, and its fellow Baltic States Lithuania and Latvia, are seen by some as Russia’s next potential expansion target. With large Russian ethnic minorities, the countries have been subject to intense pro-Russian propaganda, thought to emanate from the Kremlin.
While a full on physical attack is viewed as unlikely, many reacted with alarm at a RAND Corporation study that earlier this year stated that Russia could overwhelm the Baltic States in as little as three days.
Further concerns over NATO were raised after US Republican presidential nominee Donald Trump made comments suggesting America would only come to a member state’s aid “If they fulfill their obligations to us.”
Immediately after the comments were published, Estonian President Toomas Hendrik tweeted the country’s commitment to the alliance.
Estonia is 1 of 5 NATO allies in Europe to meet its 2% def expenditures commitment. Fought, with no caveats, in NATO’s sole Art 5 op. in Afg— toomas hendrik ilves (@IlvesToomas) July 21, 2016