To Bolster Cybersecurity, the US Should Look to Estonia

United States policymakers have long sought ways to boost federal agencies’ capacity to implement cybersecurity and plan for significant cyber incidents. As early as 2002, Senator Ron Wyden of Oregon advocated for the creation of the National Emergency Technology Guard (NETGuard), a corps of volunteers with technology experience who could help following a cyber incident.

Fast forward to 2019, when General Robert Neller, former commandant of the Marine Corps, said that the Marines would create a new cyber auxiliary, where it’s OK for members to have “purple hair,” paving the way to attract, recruit, and retain civilian cyber talent. Other branches of the military have already offered cyber warriors steep bonuses to reenlist and the Army has even created a direct accession program in cyber warfare.

These programs have surfaced as threats emanating from cyberspace continue to outpace the chronic talent gap faced by the public sector along with poor cyber hygiene among the general population (e.g., poor password management, not using two- or multifactor authentication, lack of backups). A 2017 report on Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce found that there is an estimated 299,000 active openings for cybersecurity-related jobs in the US and a global projection of a 1.8 million shortage in the cybersecurity workforce by 2022. To counter this, the US will have to do a whole lot more. For some key lessons, we must turn to Estonia.

The 2007 cyberattacks against Estonia were a turning point for when cybersecurity began to be accepted as an essential part of national security. The incident, a response to the relocation of a Soviet War bronze soldier statue, crippled the websites of banks, government agencies, and media outlets for weeks. Today, the country is on its third National Cybersecurity Strategy (2019–22)—previous strategies ran from 2008–13 and 2014–17. Estonia’s current strategy highlights its innovator role at the vanguard of novel cyber approaches.

In 2008 Estonia set up a unit of cyber volunteers composed of average citizens from outside government to protect Estonian cyberspace. Put in place out of need after 2007 cyber incident, and out of historical precedent, since the voluntary national defense organization, the Estonian Defence League (EDL), has existed since 1918 , this unit has endured, but continues to undergo refinements.

Within the EDL’s volunteer Cyber Defence Unit, tasks are crisis management exercises and training the public. This includes conducting exercises for policymakers and civil servants, including members of the government, and cybersecurity awareness courses in Estonian schools. Its two responsibilities that build long-term resilience are capacity building and operations. This includes securing Estonians’ online lifestyle, distributing cybersecurity-related knowledge and strengthening cooperation across sectors.

In August 2018, Estonia also created its Cyber Command, which has caused unstoppable ripple effects throughout the Cyber Defense Unit. The Command will consist of 300 military and civilian personnel, including private sector professionals by 2023. This may trigger shifts in military tasks and responsibilities; result in direct recruitment and integration of the unit; and impact the unit’s civilian nature as it may become back-benched to accommodate the Command’s priorities, hindering the use of its members’ full potential.

Separately, the strategy highlights differences in roles between the Ministry of Defence, where the EDL CDU resides, and the Ministry of Economic Affairs and Communications (MOC), placing the unit at the nexus of both military and civilian groups. While the Ministry of Defence implements activities related to military defense, the MOC manages the implementation of the strategy and develops technological resilience. Against this backdrop, the EDL CDU continues to expand. The unit, composed of over 200 cyber volunteers, has created two additional regional units.

For a small country of 1.3 million people, reallocating existing resources is hard. A pervasive and fundamental challenge is its limited capability for specialization due to its small population. However, their consolidation of cooperation and communication mechanisms and reductions in fragmentation of expertise allow already limited resources to be efficiently used.