Estonia packs a punch in the cyber domain. The country is a world leader in cyber-related innovation, and it has charted that course without compromising security. Estonia initially gained global attention as a cyber-target, seeking to overcome a series of organized attacks in 2007 widely attributed to Russian groups. Estonia emerged energetically from those attacks, going beyond devising a coherent and expansive cyber-strategy calibrated defensively, to being one of the most wired countries in the world.
Estonia’s enterprising initiatives include e-Residency, which recently marked its one-year anniversary. Surpassing official expectations, the program has attracted 7,000 participants, with next to no marketing effort. The digital identity allows individuals to establish and run a business from afar, as well as gain entry into the broader European market; though it does not confer the right of physical entry into Estonia or the European Union. By leveraging the country’s e-services, in particular the means by which to transact securely online, Estonia can effectively “become big,” in a borderless world. At launch, authorities stated that they hoped to have 10 million e-residents by 2025; an ambitious goal for a country of approximately 1.3 million people.
In addition, Estonia has sought to develop the ultimate continuity of operations (“COOP”) plan, designed to ensure digital resilience in the event of a national emergency, triggered either by a cyber or physical attack on the country. The “data embassies” project appears quite prescient, in retrospect, relative to recent Russian activity and saber-rattling, both cyber and kinetic, targeting the Baltics and beyond. Estonia’s initiative, first brought forward early in 2014, leverages cloud technology and aims to secure crucial databases and e-services by replicating them and storing them in friendly foreign countries. The fallback plan is particularly important for a country that is so reliant upon digital infrastructure that it architected deliberately, and implemented extensively, after regaining national independence following the collapse of the Soviet Union. With 95 percent of government services provided online, digital continuity in Estonia is a necessity rather than an option.
Estonia is a leader in cyber-defense, but are its means and methods scalable to other settings, beyond the country’s own highly sophisticated cyber environment? Regarding the data embassies in particular, privacy concerns—which rank among the European Union’s fundamental values—may be minimized when information is stored on Estonia’s sovereign territory in the form of brick and mortar embassies in the physical world. But the same may not be true if government records, which include a good deal of personal information, are stored virtually in friendly but foreign nations. There are also technical issues that appear to require further work, including limitations in existing software and in existing storage architecture in-country. The latter two shortcomings were revealed during a dry-run for the initiative, which Estonia conducted in coordination with Microsoft Corporation.
More encouragingly, the envisioned data embassies necessitate formal agreements with the various host countries, and several such instruments are currently being negotiated. This is not the first time that Estonia has worked to create a multinational community of interest, with a goal of fostering practical progress on cyber-related challenges. Estonia is also a founding member of the Digital 5 or “D5,” a new network launched in December 2014, which aspires to share best practices, improve digital services, and grow participants’ digital economies. Already, the group—which includes the UK, Israel, New Zealand, and South Korea—has committed to collaboration, to foster standards that support interoperable technology and open markets, among other things.
Estonian cyber-policy and practice has been proactive, if not perfect. By piloting programs before necessarily having in hand a 100 percent solution, but grounding this entrepreneurial approach in a mindset and culture that demands robust respect for security from the get-go, the country has carved a leadership role for itself in the digital economy and the broader wired world.
Sharon L. Cardash is Associate Director of the George Washington University Center for Cyber & Homeland Security and previously served as Security Policy Advisor to Canada’s Minister of Foreign Affairs.