Threats to national and global security have evolved from traditional inter-intra state warfare to incognito acts of acts of cyber-terrorism that detrimentally affect the preservation of world peace. Post-Cold-War Estonia has undergone a digital renaissance where 99% of her government services are online, allowing her to cut approximately 2 percent of its GDP in salary and expenses (Hyvarinen, Risius et Friis, 2017). However, this overreliance on digital infrastructure is a double-edged sword for Estonia as it severely enhances her vulnerability to cyber-attacks; evident during the world’s first “state-led” distributed denial of service (DDoS) cyber-attack by Russian political ‘hacktivists’ in 2007 which severely hindered Estonia’s public sector services and exacerbated the inability of existing security governance structures to address this modern threat to both state and human security (Czosseck, Ottis et Taliharm, 2011). Cyber-attacks have become cost effective weapons to undermine a state’s economic sovereignty as South Korea suffered US$867.2 million in economic damages caused by North Korean in 2013 (Shin, Lee et Kim, 2018). The ambiguity of global governance on cyber-crimes has undermined the ability of global actors to address this modern threat to global security and even refrained Estonia from requesting support under Article 5 of NATO as the 2007 cyberattack wasn’t considered an ‘armed attack’ (Karns, Mingst et Stiles, 2010).
The global governance of cyber security
The void in cohesive international policymaking actions to produce any coordinated action to prevent cyber threats has prompted Estonia to collaborate with a myriad of global actors through the NATO Cooperative Cyber Defence Center of Excellence (Czosseck, Ottis et Taliharm, 2011). Considering the growing interdependence of digital economies; states, multinational corporations (MNCs), academic institutions, and non-governmental organisations (NGOs) have reactively formed a coalition of international frameworks to address cyber-crimes through the ‘Bright Internet framework’ and ‘Internet Peace Principles’. These frameworks expand upon the UN Charter’s ‘Responsibility of States’ doctrine and the Geneva and Hague Convention’s articles concerning unlimited prohibitions on warfare methods through the contextual lens of cyber security (Shin, Lee et Kim, 2018). These frameworks are then complemented with additional policy from Estonia’s Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Tallinn Manual) through an invitation by the NATO Cooperative Cyber Defence Center of Excellence and the Council of Europe Convention of Cybercrime (CECC) to extend international physical conventions of traditional global peace and security governance to cyberspace (Shin, Lee et Kim, 2018).
Why must Estonia enhance her cyber security?
The alleged state-led Russian cyberattacks on Estonia’s neighbours of Georgia in 2008 and Kyrgyzstan in 2009 have undermined the cyber security of East Europe. Given Estonia’s digitally interdependent economy, it is imperative that Estonia enhance assert her role as a leading global governor of cyber security to promote peace and security both domestically and internationally. The 2007 cyber-attack prompted Estonia to pioneer integrating blockchain technology into the security framework of its digital infrastructure even before Satoshi Nakamoto released his/her/its’ Bitcoin whitepaper and referred to it as “hash-linked time stamping” (Heller, 2018). In 2012, Estonia became the first nation-state to utilise Guardtime’s X-Road decentralised, distributed ledger that operates on blockchain technology to promote transparency, prevent fraud, and digitally codify her national health, education and legislative registries (Korjus, 2018). X-Road’s decentralised blockchain technology ensures that digital identity data can never be deleted or duplicated and is maintained by Estonia’s citizens privately through their public and private digital keys as opposed to having their data administered through traditional centralised public-sector institutions (White, Killmeyer et Chew, 2018). This allows Estonia’s ‘e-databases’ both in the public and private sector to save more than 800 years of working time annually (Jirgensons et Kapenieks, 2018).
Despite having its government records encrypted on X-Road’s decentralised network, the data integrity of Estonia’s digital blockchain republic still faces several cyber security threats. As Estonia’s policy to increase its digital immigration through the introduction of its ‘e-residency’ program flourishes, so will the threats to the privacy and digital identity records of its 1.3 million citizens (E-estonia, 2018). Nearly every Estonian citizen has an ID card that operates under a 2048-bit public key encryption that enables them to access state services. Despite having such digital information protected on a theoretically hack and fraudulent proof blockchain network, such data can still be infiltrated if nefarious actors successfully conduct a 51% or ‘double spend’ attack. When an Estonian citizen conducts a transaction, it must achieve consensus by other participants in the system through solving mathematical algorithms before the transaction is added permanently onto X-road’s blockchain, ensuring that the data cannot be manipulated (Shin, Lee et Kim, 2018). A 51% attack occurs when actors concentrate and pool their computing power to verify more than 51% of all transactions conducted on the blockchain, temporarily allowing them to control the network or at a bare minimum, reverse previous transaction recorded on the blockchain (Manski et Manski, 2018). A blockchain is deemed immune to both hacking and forgery due to the unsustainable amount of energy it would cost to implement and maintain a 51% attack. However, Moore’s law suggests that future quantum computers have sufficient processing power to solve cryptographic algorithms exponentially faster than today’s computers. This potentially renders Estonia’s cryptographic digital infrastructure technically obsolete and susceptible to a 51% attack by cyber criminals (Khan, 2018).
A 51% attack would see Estonian citizens risk identity theft and compromise their national security information. Furthermore, the ability of the Estonian government to properly collect taxes and run other governmental duties will be undermined and autonomous smart contracts that operate ‘smart’, self-operating-blockchain-run Estonian objects ranging from civilian and military vehicles can even be weaponised by the cyber criminals. Furthermore, the definition of security can also be extended to encompass ‘financial security’. A 51% attack on Estonia’s proposed cryptocurrency ‘Estcoin’ could threaten the Estonia’s economic security and potentially the EURO zone if Estcoin is widely adopted by both Estonians and European citizens. Hence, increased collaboration between Estonia and existing global governance institutions and actors to adopt mutually beneficial solutions that enhance the cyber security of states worldwide is needed.