Is Estonia’s Approach to Cyber Defense Feasible in the United States?
White House cyber-security coordinator Rob Joyce warned in August that the United States is lacking 300,000 cyber-security experts needed to defend the country. His warning is all the more alarming given ongoing and increasingly sophisticated threats in cyberspace — in addition to resource and talent constraints in the public sector, poor cyber habits and awareness, lack of cooperation between government agencies, and limited coordination frameworks for existing volunteers.
As the United States contends with the acute lack of talent and manpower in the cyber-security realm, it may find some interesting lessons from a small country on NATO’s eastern flank. Over the past decade, Estonia has put itself at the vanguard of NATO’s cyber defense efforts. In particular, Estonia’s voluntary Cyber Defence Unit is made up of average citizens outside of government who are specialists in key cyber-security positions, patriotic individuals with information technology skills, and experts in other fields (e.g., lawyers and economists) who wish to volunteer outside of their daily jobs to protect Estonian cyberspace.
The idea of cyber-security volunteers may seem unconventional. However, the United States has been working for years to identify ways to bridge gaps in its cyber defense efforts and incorporate teams of volunteers with relevant expertise. What can the U.S. government learn in this regard from Estonia’s example?
Estonia’s Volunteer Cyber Defense Unit
In 2007, Estonia was targeted by a three-week-long cyber incident attributed to Russia and its supporters. The incident was in response to Estonia’s relocation of a Soviet War Bronze Soldier Statue from the capital city of Tallinn to its suburbs. The following year, Estonia established the NATO Cooperative Cyber Defence Centre of Excellence and, later, the Estonian Defence League’s Cyber Defence Unit (Küberkaitse Üksus). The initiatives had been planned before the cyber incident, but gained new importance in its aftermath.
Estonia’s focus on digital development began roughly two decades ago, when much of its general population did not even have internet access. Initiatives known as ‘e-solutions’ have helped it become one of the most developed digital societies. It now prides itself on being called “the most advanced digital society,” having built a secure digital ecosystem that allows for efficiency and transparency.
The Cyber Defence Unit is part of the Estonian Defence League. The league is a volunteer national defense organization that was created in 1918 (Estonians suggest it was inspired by the American Minutemen of the 17th century) and re-established in 1991. Its voluntary nature allows it to serve as an extended response capability, called upon to assist the main authorities when additional help is needed. These main authorities are the Estonian State Information System Authority and the Estonian Defence Forces, which also coordinate the unit’s support efforts.
The cyber unit’s role is to improve readiness through trainings and exercises, and to be available when called upon for specific situations requiring additional help. Therefore, it is tasked with two broad types of activities: capability building and operations. This includes securing Estonians’ online lifestyle, distributing cyber-security-related knowledge, strengthening cooperation between information security specialists in public and private sectors through the sharing of information, and participating in crisis management by protecting critical infrastructure. For example, if the defended entity is under a sustained cyber-attack campaign, the volunteer experts can bolster the in-house incident handling teams by providing additional analysis capability and niche technical expertise. The main difference between individuals who do this full time and unit volunteers is that the latter serve as an extended response capability when needed.
At the individual level, the unit helps fulfill a member’s sense of duty, particularly for those not ready or unable to join the armed forces or provide service in a standard capacity. It also offers access to personal and professional networks and opportunities to build skills, as Tanel Tetlov, a board member of the unit and technology branch researcher at the NATO cyber center, pointed out to me. At the government level, given the flexible nature of the unit, it offers a nucleus of highly qualified professionals and trained specialists who share their knowledge by organizing trainings, information days, and other significant events for increasing wider competence in information security to other volunteers and society at large. As Dr. Rain Ottis, an Estonian cyber-security expert and a founding member of the unit, told me, even private sector cyber-security firms benefit, as some employers are said to encourage their employees to join for the additional training, experience, and networking opportunities (available to their employees at no additional cost to the company).
Ottis explained other benefits with regard to the flexibility of a volunteer system. These include the ability to scale efforts up as circumstances require; the possibility of incorporating the volunteers into the military chain of command, which would easily involve the unit in mission trainings, exercises, planning, and related activities; and lastly, a cost-effective way of building a highly skilled and specialized reserve force. The cost of running this unit is minimal considering the service it provides. In 2015, the budget allocated for the entire Estonian Defence League was approximately 32 million euros, compared to a GDP of roughly 20 billion euros that same year. At last year’s Locked Shields cyber defense exercise, in which the volunteer cyber defense unit is heavily involved, former Estonian President Toomas Hendrik Ilves stated, “we have lots of talented people who work in the private sector and we offered them the possibility of working once a week for a more patriotic cause.”
Why the United States Needs Its Own Volunteer Cyber Defense Unit
The United States has long recognized the need for volunteers to help fill the gaps in its cyber defense efforts. Following the 9/11 attacks, experts were needed to fix damaged computer or telecom equipment and provide high-tech assistance to relief workers. Recognizing the need for a framework to quickly mobilize local volunteers with technology expertise, the Homeland Security Act of 2002 permitted the creation of a volunteer National Emergency Technology Guard (NET Guard) for cyber response. Five years later, the Department of Homeland Security announced it would allocate 320,000 dollars for the creation of NET Guard. Pushed forward by Senator Ron Wyden (D-Ore.) in 2008, the aim was to have willing and available groups of volunteers that could be called upon in times of national crisis. However, it never fully materialized and there remains no coordination framework to engage volunteer experts.
A more recent effort stemmed from a 2013 hearing before the Senate Armed Services Committee, where Gen. Keith B. Alexander, then commander of U.S. Cyber Command, stated he and his team were already in the process of exploring how the National Guard from each state might help support the mission of Cyber Command. Soon after, the National Defense Authorization Act (NDAA) for FY 2014 asked both the Department of Defense and the National Guard for an assessment of the role reserve components of the U.S. military could play in Department of Defense cyber missions. What followed was a framework that engages cyber-security expertise for purposes of protecting critical infrastructure and carrying out cyber missions under what is now referred to as the Cyber Mission Force. Though critical, this effort centers on increasing military capability, lacking societal engagement and offering no way of integrating private-sector talent.
A hypothetical case where volunteer cyber defense units might come into play would be a major cyber incident that requires a state’s governor to declare a state of emergency. This incident might be a transportation disruption, a loss of utilities, or a major attack against state and local government networks. In these scenarios, federal help is not guaranteed as these agencies may be overwhelmed or unable to provide immediate assistance. An effort that already uses this voluntary concept of cyber defense forces is the Michigan Cyber Civilian Corp, established in 2013. It is composed of volunteers from government, academia, and business and serves as a rapid response force against cyber incidents within Michigan.
The need for this kind of capacity was highlighted after Hurricane Sandy, when volunteers could have contributed to building online tools for tracking gasoline, water, and medical supplies. In fact, following the hurricane, more than 900 people from New York’s startup community signed up to help, but lack of coordination prevented them from getting involved, as Andrew Rasiej, chair of NY Tech Alliance, has highlighted. This suggests that the necessary volunteer expert talent exists, but is not being utilized.
More broadly, efforts started by former Secretary of Defense Ashton Carter (i.e., Defense Digital Service, Defense Innovation Unit Experimental, Defense Innovation Advisory Board) attest to the need and holistic interest in strengthening ties between the government and Silicon Valley. Moreover, successful programs that entail crowdsourcing expertise from outside networks — such as “Hack the Pentagon” — prove existing curiosity and the critical role that outside involvement plays in this domain.
Establishing voluntary units similar to the Estonian model would help overcome existing obstacles, including resource and talent constraints in the public sector; competitive private-sector salaries that the government cannot compete with; poor cyber habits and awareness among the public; lack of cooperation within the interagency; and limited coordination of volunteers across sectors. As part of the Estonian unit’s international cooperation efforts, it partnered with the 175th Network Warfare Squadron of the Maryland Air National Guard. This partnership could be used to jumpstart defense units in other U.S. cities and states.
In line with the Estonian model, the American unit would be composed of cyber-security experts across sectors who are willing and able to contribute time and resources on a defensive, voluntary, and situation-dependent basis. In contrast with the NET Guard effort, this would be structured as a cell unit within the respective state’s National Guard and activated under the appropriate authorities. The main responsibility of the state-level volunteer units would be the protection of critical U.S. infrastructure. This would be divided into two categories: ongoing and conditional. Under the ongoing category, the focus would be centered on improving general readiness through trainings, exercises, and strengthening cooperation and synergy between public and private sectors through information sharing. Under the conditional category, the focus would be availability for specific tasks at specific times, providing analysis for certain incidents, and formulating recommendations on courses of action.
U.S. Code provisions permit National Guard forces to support domestic missions related to supporting law enforcement, homeland operations, and defense support of civil authorities. Per this permission, the National Guard proposed in 2014 that its personnel could be used to perform cyberspace missions. As such, the already established National Guard hierarchy model integrated within the Department of Defense would allow for the proposed cyber defense units of civilian expert volunteers to easily adopt a state-level cell model structure. This means that the authority to call upon the volunteer cyber defense unit would reside with the state governor under state active duty status, and with the president or secretary of defense, with the approval and consent of the governor, under Title 32 or Title 10 duty status.
Following Estonia’s framework, U.S. cyber defense units could be federally supported with fractional funding for specific tasks through the respective state’s National Guard. Moreover, civically run organizations within a state could also be approached to sponsor events related to the mission and aims of the units.
To be sure, establishing something similar to the Estonian Cyber Defense Unit would inarguably be more difficult in the United States. The sheer size difference between the two countries, as well as the political, legislative, institutional, and cultural differences, presents challenges. Security-related hurdles include the likely admittance and clearance process for individuals and the increased number of people involved; the human element is famously the weakest link in cyber-security. To mitigate this problem, members would have restricted access to information based on their qualifications and level of participation. In fact, experts with prior experience across sectors often have previously undergone some type of clearance process and could, in theory, contribute in sensitive cases. Moreover, through public–private partnerships, thousands of companies have already entered into special trust relationships with the state, which could help individual members of those firms participate in government efforts.
Given the growing need to protect U.S. cyberspace, volunteer cyber defense units could help the United States tap into much-needed and available societal talent and resources. It would supplement the capabilities of the National Guard, U.S. military, and the Reserves, strengthen ties across sectors, fuel interest and awareness in the field, improve retention in the public sector, and incentivize individuals to contribute to a shared mission. The 1993 Maryland-Estonia National Guard Partnership, and respective Sister Cities partnerships, which have several bilateral projects relating to training and cyber defense, could serve as the foundation for a pilot program aimed at establishing these units. Voluntary defense has worked before, from the Minutemen to the National Guard to the Civilian Air Patrol. It can certainly work again — this time, to defend the country against growing threats in the cyber domain.
Monica M. Ruiz was the first U.S. National Security Education Program (NSEP) David L. Boren Fellowship Recipient sent to Tallinn, Estonia for a year. She researched topics related to cyber-security policy and strategy. Follow her on Twitter at @mruiz12.