How Estonia Might Pave The Way For Reducing Uncertainty In Cyberspace
“Dealing with uncertainty” was the focal topic of the 2019 Cyber Norms conference in The Hague, encouraging debate about potential responses to the risks of uncertainty in cyberspace. The discourse mostly focused on either aggressive signalling or retaliatory hacks to deter potential adversaries from conducting aggressive cyber operations, or discussions regarding potential for norm setting and legal legislation. It reflected the differing approaches to cyber security issues by states. For example, some states, such as Germany, take a more cyber defensive stance, focused on coordination efforts to protect against cyber threats whereas others, such as the United States, pursue a more aggressive “efending forward” approach. Each country’s strategy is uncoordinated from the other and a failure to come to a collective agreement on how to respond to cyber incidents has only reinforced this. However, this might change if we focus on the approach Estonia has taken in recent years.
Being one of the first countries to experience a large scale cyber-attack in 2007, Estonia has worked on developing a way to improve their critical infrastructure in order to prevent a repeat of events and secure their digital systems. One of the ways it has done so is by starting a pilot project in 2017 in Luxembourg, known as “data embassy”. Here, Estonia has set up a data centre which acts as both a backup and an operations centre for critical digital services, should they be taken offline in Estonia. Furthermore, to prevent meddling by Luxembourg (albeit unlikely) or any other nation, the data centre has the same legal rights as any other embassy around the world, granting it diplomatic immunity and being the full property of Estonia. While this pilot is still a work in progress and its effectiveness has yet to be seen, it does offer an alternative from the current approach taken by other states.
In terms of cyber resilience, Estonia has guaranteed to keep its critical operations running by building a backup centre which is harder for a potential attacker to reach, both physically and digitally. A potential attacker might reconsider conducting such a cyber-attack if the intended goal cannot be achieved or if the costs outweigh the benefits due to the number of obstacles encountered. This may provide an increase in a state’s overall cyber deterrence. By becoming more interdependent with an ally’s infrastructure, a collective interest is created in order to keep these systems running. The establishment of “data embassies” means that if an attacker wishes to knock out the critical infrastructure of Estonia it would also have to attack a third country (Luxembourg in this case) in the process. This not only increases the cost (both financial as well as technological) of conducting the attack but also diplomatic costs for a potential attacker.
Estonia’s approach may reduce at least some aspect of dealing with uncertainty in cyberspace. If the pilot project turns out to be a success, it may set the stage for the proliferation of “data embassies” in various other country locations or vice versa with other countries hosting their “data embassies” on Estonian territory. The approach has the potential to not only increase cyber resilience and deterrence against cyber threats, but may also be seen as a trust-building exercise among states with interdependent critical infrastructure. In the long run, such interdependency and cooperation may foster international norm setting with regards to cyberspace.