Estonia, both a European Union and NATO member, shares an entire eastern border with Russia but remains firmly embedded in the Western defense alliance. Mariin Ratnik, the head of security policy and transatlantic relations in Estonia’s Foreign Ministry, was recently in Washington for meetings with the Trump administration. The Cipher Brief’s Kaitlin Lavinder sat down with her to discuss international aid and diplomacy aspects of defense, EU-NATO defense cooperation, cyber warfare, and Russia.
The Cipher Brief: Can you give me a broad overview of the defense priorities right now in Estonia?
Mariin Ratnik: I deal with broader security policy, so it’s not only defense. We have as a government since 2010 developed a security policy that is a whole-of-government approach, or comprehensive approach, to security that takes into account all the aspects of society that are important to defense. What I mean by that is you’re not only strengthening the armed forces, but you’re also strengthening your legislation, for example anti-corruption legislation; you do good work on integration; you take into account the vulnerabilities, concerns, and protection of infrastructure; diplomacy is part of it as well; and energy security is a part.
Since 2008, after Georgia was invaded by Russia, defense policy at large has been focusing on the need to develop our own capabilities, build up our defense forces. But the even stronger push was when Russia invaded Ukraine in 2014.
Our defense policy is not only our own, because we are a very small country with a population of 1.3 million and a piece of land about the size of Switzerland. So we need a lot of cooperation with other countries, and for us, one of the key elements in our security policy is belonging to NATO and the EU. A third key element is cooperation with the United States.
TCB: Is part of the whole-of-government approach international development aid?
MR: Yes, it is. It has been for a long time, after we turned from an aid receiver to an aid provider. We do it on a very large scale. Our focus has been, naturally, in the areas where we can provide added value and the countries we know the best: Georgia, Moldova, Ukraine, what we call the eastern partnership countries of the EU.
It’s important to choose which projects we do because, as I said, being a small country, the money or aid in absolute terms that we can provide is limited. There are certain elements we are best at, like e-governance, for example. We help to build up paperless governing systems or try to support countries in building up their digital systems to try to help them have a more transparent and efficient government.
TCB: Is that mostly bilateral, or is that through a multilateral organization like the UN?
MR: There are multilateral projects we do. There are many things we do with, for example, USAID and many projects and through the UN’s different organs. But I think the more visible stuff, what we do practically, are those that we do bilaterally – either we send in experts or we provide the information and knowledge we have to places like Georgia, where we are computerizing the schools, for example. We also send in experts on medical care and help build up medical systems.
TCB: Your Defense Ministry Permanent Secretary, Jonatan Vseviov, recently gave an interview to Politico and he was asked whether cyber is offensive or defensive. In his response, he said you can’t really classify it in that way because that’s like asking if a tank is offensive or defensive – but really, it’s all in the way you use it. There was no clear response as to what the legal framework would be. Legally, in the future, is it going to be OK to use cyber as an offensive weapon?
MR: The Tallinn Manual 2.0 underlines that international law is applicable in cyberspace. For example, when I attack somebody in social media in cyberspace, is it the same kind of attack as if we were face-to-face? We say cyber is just a natural part of our life, and international law should be applicable there too. It’s not so easy, of course, with the issue of cyber wars and how to apply international law there. And we don’t yet have a clear response on the answers to these questions.
One aspect is the defensive capabilities of cyber that you build yourself, in order to protect yourself from possible attacks. The other one is, shouldn’t you have also capabilities where you deter? They aren’t necessarily offensive. They are just showing the fact that you have capabilities that would make an attack in cyberspace not worthwhile because my capabilities to attack you back are existent.
At the NATO Warsaw Summit last year, NATO decided to take cyberspace as an additional domain, besides land, air, and water. So it’s only natural that you take it in as a part of your everyday life and as part of security policy.
TCB: Is NATO – along with the NATO Cyber Centre of Excellence in Tallinn – working toward developing those deterrence capabilities?
MR: They’re working in general to kind of build up what is the cyber domain. First, we have to do that, we have to first start talking about these things. That’s where we build up a broader understanding of cyber defense in the NATO framework. Then we’ll go from there.
TCB: You mentioned earlier that given the size of your country – both geographically and in terms of population – the EU and NATO are really important for your defense. Do you support greater defense cooperation within the EU? The idea of a so-called EU Army has been around for years and is likely far off, if ever a possibility, but would you support something like that?
MR: We would support first stronger cooperation between NATO and the EU. This is something that should be completely natural because one organization has one set of capabilities, the other has another set of capabilities. The EU is very good at civilian crisis management. NATO is clearly more capable in all of the military aspects.
But there has never been real talk about developing an EU Army because the EU functions the same as NATO. NATO doesn’t have any army. The member states do. They have agreed that they provide their military capabilities under the umbrella of NATO, following certain rules and principles, and if needed, NATO can use them. The EU, in that sense, is the same. EU countries have military capabilities; the EU doesn’t have any – no guns, no tanks, no bombs, nothing.
What the talk is about when we discuss stronger defense cooperation in the EU is the countries of the EU working better together in the fields where they want to use or develop each other’s capabilities or share information or for common procurement. There are many technical elements, which I won’t go through, but the main idea is to make those in the EU share more information, experience, and cooperate better in the field of defense.
There is also talk about the EU setting the same aim of defense spending, like NATO, which we very much support. It is important to raise awareness among the EU that we must provide better security for ourselves. This is one of our priorities as Estonia takes over the presidency of the Council of the EU in the second half of this year.
TCB: What are the roadblocks to NATO-EU collaboration, specifically intelligence sharing, and how do you think the UK leaving the EU will affect that? Could Brexit actually help, since the UK will still be a part of NATO but not the EU and it may want to find ways to work better with the EU’s defense resources?
MR: This has been a key element for us, but it’s not only about intelligence sharing; it’s about developing a common awareness of threats, a common situational awareness. We would very much support better NATO-EU collaboration because the threats to NATO and the EU are similar. We should share our threat assessments and, based on that, build our common situational awareness. It sounds logical, but in very practical terms, it’s more difficult because there are limitations on how much information you can share with those who are not NATO members. There are political caveats also. But the main thing is to try to work it out on a very practical level, staff to staff.
On the UK, it’s a very good question, especially today [March 29], when they handed over their wish to leave the EU. All of these talks are ahead of us. But the UK has been very clear in saying they will remain a strong member of European security, maybe even providing more when they leave. This is something that’s very important for us. You were very right in saying that cooperation between NATO and the EU is something that could provide this better link in order to involve the UK in all the security issues of the EU. It will be a very long process, and it’s difficult to foresee how it will end up. But we’ve underlined the point many times that it’s important the UK stays close to the European security order.
TCB: Let’s turn now to Russia. Russia was the impetus for Estonia developing its very good cyber community, and, now, leading that effort in NATO. How big of a threat is Russia to Estonia in the cyber field, and how big of a threat is Russia in the conventional field?
MR: Indeed, we learned by doing, so to say, in 2007 when we had this big cyber attack. Since then, I think awareness has been growing significantly about the cyber element as something that can make a state very vulnerable. This might sound bizarre, but I think the fact that we are kind of known as the cyber forward-thinking country puts us in the spotlight and makes us more interesting for those who would like to attack, to test us. I think we are less vulnerable because we have this legislation that supports our buildup of our cyber defense, that maybe some other countries don’t have, but it also makes us a target.
When you ask specifically about Russia, the cyber threat has been growing in general because our digital world is spreading everywhere. This year, there might be more interest in testing our systems because of our EU Council presidency, for example, and because of NATO allies’ presence in our country. But I can’t say whether this will definitely happen.
Talking about the Russian conventional threat, generally we don’t think this is something Russia would do because it’s not very rational to go against a NATO country and because our opinion of the Kremlin, or Russian President Vladimir Putin, is that he thinks rationally. That means, he is deterrable. Therefore, this allied presence is a very good deterrence element. So in general, I would assess the threat of a Russian conventional attack as low. Of course, though, we see Russian forces gathered in Russia’s west, and there will be a big exercise later this year.
TCB: I’m going to ask a bit more of a philosophical question about deterrence and the usefulness of it. At a recent British Foreign and Commonwealth Office event on nuclear deterrence, there was a lot of discussion about grey zone areas, Russia, cyber and different defense domains, and how deterrence really worked during the Cold War, when it was the U.S. against Russia and clear domains of conflict. With today’s more complex world of internationally connected societies and cyber, with attribution harder to figure out, why will having a very small number of NATO troops in Estonia deter any kind of aggression from Putin?
MR: Of course, militarily you cannot compare a thousand men in every Baltic state to the hundreds of thousands of men on the Russian side. But the fact that there has been a very strong unity of NATO allies in deciding this move is very strong deterrence. We see this unity of allies in this decision and other decisions made after Russia invaded Ukraine, and this has had a very strong deterrence element against the Russians. They didn’t expect that, that the EU and NATO would very clearly say we do not accept this.
So the allied forces in the Baltics signal to Russia that any attack on Estonia would trigger an allied response, in a very concrete way. I think that’s a very strong deterrence element.
TCB: How do you deter on the cyber front – a field that it seems Russia is using more and more – where attribution is difficult?
MR: That’s a good question which is very difficult to answer. You need a broader understanding in your society of cyber threats and information warfare to be resilient.
There’s something we call cyber hygiene. I’m not sure it’s a deterrent element, but it’s a protective element where you raise awareness among the people that you are or might be vulnerable in cyberspace if you don’t follow safety measures.
But the deterring element I think is kind of similar to the conventional thinking, in that you need to make adversaries aware that they know when they attack you, there will be a response, although not necessarily a counterattack. So there’s the question of whether making attribution public would be an appropriate response. These capabilities – how to track these cases to determine attribution – are in development. But when we can show we are able to track you down to the very place you’re sitting, that’s a deterrent factor.
TCB: Are there concerns about Russian involvement – information warfare – in Estonian politics, as there are here in the U.S. and in France and Germany now?
MR: Our elections will be in 2019, so nothing concrete at the moment. But, yes, there were some attempts in 2009, for example. I think we will see these elements in the future, but I wouldn’t say it’s worse than before. I would say it’s more visible now, and there is a fear, and probably creating fear is some of the logic in it.
TCB: Are there any internal threats that are high on the threat list right now for Estonia, such as home-grown terrorism?
MR: The assessments are low for the terrorist threat in Estonia. But we are affected by the terrorist attacks in other countries – we lost lives in the Nice attack, for example – so it’s not far from us. But in Estonia, extremism is not an issue.
With regards to foreign fighters, if I’m not mistaken, I think we’ve had two cases which we know of, so that is very limited. Our Islamic community is very small, nonexistent really, so there’s not a big source for Islamic extremism to take hold.