Podcasts
Special Editions
Ep 90
Special Editions 2.16.26
Ep 90 | 2.16.26

Cyber without borders: How Estonia turned crisis into cyber power.

Show Notes
Transcript

Liz Stokes: Hi everyone. I'm Liz Stokes and I'm thrilled to welcome you to our special three part series. I, alongside my fabulous colleague, Maria Varmazis, had the amazing opportunity to travel to Tallinn, Estonia for the 2025 Cyber Coalition Exercise at NATO Cyber Range. And over the next few episodes, we're taking you behind the scenes of one of the most consequential stories in modern cyber security. Maria will be leading the story, sharing her incredible insights as we explore why Estonia has become a cyber powerhouse, what makes NATO's cyber operations here so critical, and what it's like to witness these exercises up close.

Maria Varmazis: And Liz will be helping us better understand some of the key concepts that we discuss in this story. Deciphering legalese and untangling acronyms so we're all on the same page.

Liz Stokes: Thank you, Maria. So, come along with us, join the ride as we meet the people, see the strategy in action, and uncover the cutting edge work that's shaping the future of cyber defense. [ Music ]

Maria Varmazis: All right, we should be there right on time. It's late in the afternoon, it's cold and damp. Just barely above freezing temperatures. I can barely feel my fingers. And there's that kind of December wind that just cuts right through all of your winter layers and makes your face hurt. Liz and I could be, and frankly we probably should be, inside somewhere warm right now. But we're on a rare assignment quite far from our normal haunts. It is December 2, 2025. And we are in Tallinn, Estonia where the sun just set at 3:26 P.M. And we are here at the exclusive invitation of NATO. To understand what we saw in this international hub of all things cyber security in 2025, and why NATO invited us here specifically, we're going to first rewind to a very specific place in this city and learn the history of the spark in Estonia that ignited modern global cyber defense. [ Music ] Now, the city of Tallinn may be familiar to some of you depending on how keyed in you are to Info-Secte Lore, you may know the Tallinn manual. And your friendly neighborhood cyber security legal team definitely knows what it is. So, Liz, for those that aren't familiar with it -- in a nutshell, what is the Tallinn manual?

Liz Stokes: Yeah, so the Tallinn manual is a research project and foundational study on international cyber security policies and laws, specifically which ones are or aren't applicable during cyber conflict and warfare. It was first published in 2013 and is an initiative led by the NATO Cooperative Cyber Defense Center of Excellence, which yeah, you guessed it, happens to be headquartered in Tallinn.

Maria Varmazis: Outside of cyber security, Tallinn is known for its fantastically preserved medieval old town. Postcard picturesque in the winter during its Christmas market. And being here in December, we were looking forward to all the Glogi and holiday cheer. But no, before we could get to any of that, I dragged poor Liz to a pretty forlorn city park just outside of Central Tallinn. It's a small little city part. It's got lots of trees right now because it is early December. There are some raked leaves in neat little piles, some crows. Not many people here. To understand why the Tallinn manual is named after this city and why NATO's cyber range is also here, we wandered around this empty park, just us and the crows. There is really nothing there anymore. And that is the point. Let's go back in time. It's April 2007. Social media, where it even exists is in its infancy. This niche video first website called "YouTube," yeah, it's only two years old. And the very first iPhone hasn't even been announced to the public yet and it won't be until later this year. Still, the internet has been around long enough now and has matured enough that essential services are increasingly internet first now, like banking, bureaucracy, shopping, and checking the news. This is especially true in Estonia, which declared back in the 1990s that it was going to become the most digitally advanced country in the world, moving its entire government online with internet access for all of its citizens codified in its legislation as a human right. So now, still in April 2007, imagine that you are an ordinary Estonian waking up to find all of those essential services in your very internet savvy country grinding to a halt. Websites are down, banks are unreachable, government portals totally frozen. You can't withdrawal money. You can't talk to government services. You can't even check the local news to find out what the heck is going on. Mass confusion.

Unidentified Speaker: The most violent rioting Estonia has seen since breaking away from the Soviet Union continues into a second night. Gangs shouting pro Russia and pro Estonia slogans shadow each other. All the while, Estonian police fight to reclaim the streets of Tallinn.

Maria Varmazis: In 2007, standing in the forlorn park we were just in, just outside the heart of Tallinn, it all would have felt very different. From 1947 through to 2007, that park held "The Bronze Soldier," which is a Soviet era statue made in tribute to the Red Army. To many Estonians that bronze statue represented oppression under the USSR from which Estonia declared its independence in 1991. But for Estonia's Russian-speaking minority, this statue is a tribute to fallen heroes who fought against the Nazis. So, when the Estonian government decided to relocate the statue from this park, the emotional fault line in Estonian society cracked wide open. Riots erupted. Streets filled. Rocks were thrown. Stores were looted. The physical conflict was intense.

Unidentified Speaker: Rioters smashed bus stops, shop widows, and throw missiles at the police.

Maria Varmazis: But the digital one, unprecedented. This is the place where in theory it all started. The people, the Russian speaking Estonians were really mad about that statue being moved and there was a lot of civil unrest but no sign of it anymore. In response to the Bronze Soldier statue being moved, Estonia became ground zero for a barrage of crippling systemic cyber-attacks. The wave of cyber-attacks were levied against all aspects of Estonian infrastructure and daily life. And it lasted for three weeks. Banks, media outlets, government services, everything that makes the modern world, all brought to a complete stop by massive DDoS attacks. Estonia, this famously digital society was brought to its knees. And those crippling cyber-attacks, they were such a huge catalyst for change in Estonia that they have become simply shorthanded to the 2007 cyber-attacks and everyone here knows what you mean when you say it. In fact, you can hear it from this conversation that Liz had about non-NATO space cyber-security with Kristiina Omri, who is the Director of Special Programs for cyber security firm CybExer Technologies in Tallinn.

Kristiina Omri: Tallinn has a bit of history with cyber. From the 2007, the cyber attacks against Estonia, so against the governmental institutions but not only, also commercials.

Maria Varmazis: In the aftermath of the 2007 cyber attacks, Estonia, which was still a relatively new NATO member, having just joined in 2004, wanted to invoke Article 5 of the NATO Washington Treaty, which is the alliances mutual self-defense clause. It was a bold thought for a moment when the world was still trying to understand what a cyber attack even meant on the global stage. And you might be wondering right now, has Article 5 ever actually been successfully invoked in a cyber context or any context at all? Liz, what is the history there?

Liz Stokes: Yeah, Maria, so only once in NATO's history since 1949 has an Article 5 contingency ever been declared. And that was back in 2001 in response to the 9/11 attacks against the United States.

Maria Varmazis: Okay, so let's fast forward from that and go back to Estonia in 2007. And as Estonia urged NATO allies to consider Article 5, the core problem was the attribution of those cyber attacks. No one could say for certain whether the attacks were coordinated by the Russian state or if they were false flags, or if they were simply a swarm of opportunistic bad actors exploiting all the chaos. And then that opened up an even deeper debate. Our nations directly responsible for cyber criminals operating within their borders, because if a country creates conditions that all but openly encourages cyber mischief, how responsible are they for what inevitably happens? And then what kind of response is justified? No easy answers there but one thing became crystal clear for Estonia after 2007, cyber defense wasn't optional. It was essential. The attacks forced the country to confront one of the biggest unanswered questions in modern security. What exactly counts as a red line in cyberspace? What level of digital aggression is serious enough to trigger NATO's Article 5? To dig into that idea we spoke with Commander Brian Caplan, a U.S. Navy Cyber Operations Expert and one of the key military voices helping NATO think through the future of digital conflict. And he put it bluntly.

Brian Caplan: So, every situation is different. And I think that's where the hard part is to trigger what causes something to be above Article 5. So, it's a touchy topic and I think it's a hard one to define because there's nothing that's black and white. It's really case by case, nation by nation that this determines what that looks like.

Maria Varmazis: So again, what would it take? An explicit message from the head of a nation saying, "Hey, we're going to use our military cyber capabilities against you now to cause large scale loss of life,"? Well, even then, maybe not. As the NATO Secretary General in 2014 said, the criteria for what kind of cyber attack would actually trigger Article 5 has to remain, and I quote, "purposely vague." Short of that red line, whatever it is, nations need to be prepared for their own self-defense on the cyber realm. And boy, did Estonia hear that message loud and clear when being crippled by a 22 day long cyber attack wasn't bad enough to invoke Article 5. But the long-term consequences of 2007 actually benefited Estonia a great deal. A great explanation on that comes from Allar Vallaots, the Chief Strategy Officer at CR14, which is the Estonian facility that hosts the NATO Cyber Range.

Allar Vallaots: On this all starts with Estonia in 2007, when the under the attack of cyber. After that, some political decisions where Estonia began the -- they say, don't speak about cyber. So, and Estonia was also the one asking five when cyber attack happened. So, everything this time we have done some really good decisions and, of course, dedication and hard work.

Maria Varmazis: Putting it another way, as a result of the 2007 cyber attacks, this tiny nation of 1.3 million people is not only an IT marvel with blazing fast internet connectivity and overall technical sophistication that permeates every touch point as an average user -- all the IT admins are very jealous right now -- it is now a cyber security power house on a global scale. And it also gave the world Skype. [ Music ] Within and beyond Estonia's borders, after 2007, NATO allies and partners recognized that they also needed to shore up their cyber defensive capabilities. Afterall, crippling attacks, like what Estonia experienced, could happen to any nation. Remember the NATO Cooperative Cyber Defense Center of Excellence that Liz mentioned at the top of the show?

Liz Stokes: Well, so most people just call it the CCDCOE and it was founded in 2008 in Tallinn at Estonia's urging following the 2007 cyber attacks. The CCDCOE's official mission is to support member nations and NATO with unique interdisciplinary expertise in the field of cyber defense research, training, and exercises covering the focus areas of technology, strategy, operations, and law. And it officially supports many exercises at the NATO Cyber Range throughout the year, including the one we were invited to see.

Maria Varmazis: To use the terrible corporate cliché of "A rising tide lifts all boats," sorry, with the support of the CCDCOE, NATO puts together several yearly cyber security exercises for its allies and partners at its Tallinn based cyber range. The one we were invited to see, at NATO's invitation, as the only U.S.-based podcast by the way, is called "Cyber Coalition." This exercise is pure blue team, defense. The most important because it keeps the lights on quite literally, but arguably it's the hardest to understand and demonstrate to the world because you are proving a negative. It's the cyber defenders perennial dilemma that if you're doing everything right, the average person will never notice. Speaking of never noticing, remember that empty park at the beginning of this episode? While we were walking around there, it struck me that you would never know that this was the site of so much pain for Estonia and the start of a chaotic three weeks, and the impetus for Estonia's world leading cyber security posture. People want to move on with things and get on with life. I get that. And I imagine a lot of people don't want to be reminded of that painful past. But, yeah, this non-descript park is in theory where it all began. And this park is the site that is the reason why Estonia became the cyber powerhouse that it is today. And the Bronze Solider statue? It still exists, of course, it was moved to a military cemetery further out from central Tallinn. So, in a very, very roundabout way, I suppose you could say that the history around the Bronze Soldier is what brought us all to Estonia, but really, what specifically brought us to Tallinn in December 2025 was the Nato Cyber Coalition Exercise. It is a yearly two-week cyber defensive exercise, one of the largest in the world, and during this exercise around 1,300 NATO cyber defenders kicked the tires on their TTPs, try out some new tools, and use the experience to refine coordinated defense, as well as defenses back home. And that's why we found ourselves in a briefing room at Estonia's Ministry of Defense, where Commander Caplan summed up exactly why NATO's Cyber Coalition matters.

Brian Caplan: And just really the key takeaway is about this exercise that differs than other cyber exercises is just the real importance of making sure the collaboration and cooperation and coordination is really what drives this exercise. And it really, the nations do a really good job of testing that, working with each other to really defend against any type of adversary. It's the most important thing. So, hopefully if you take away anything from this, please, those three words are the most important.

Maria Varmazis: Collaboration, cooperation, coordination. Not just for Estonia, not just for NATO, but for every nation trying to defend itself in a world where the line between conflict and chaos is deliberately blurred. After walking through the park where Estonia's modern cyber doctrine was essentially born, sitting in that briefing room made everything click. 2007 forced Estonia to build something resilient, collaborative, forward leaning. And now, the rest of the alliance trains here in Tallinn to do the same. But this is just the beginning of this story. Liz and I didn't' come to Tallinn just to understand the why, we came to see what these teams are preparing for 2025 and beyond, and what threats are shaping the next phase of cooperative cyber defense. In the next episode, we step inside NATO's Cyber Coalition itself and take you onto the exercise floor where hundreds of defenders coordinate to test what it really means to keep the lights on. So, bundle up, grab some glogi and stay with us.' [ Music ] Thank you for listening to this first episode of our three-part series. As we wrap up this special edition, we're leaving you with more questions than answers, by design, what we saw, heard, and experienced during this visit to see Nato Cyber Coalition 2025 is part of a much bigger picture. Stick with us in the next episode as we continue to explore what it all means and why it matters. This episode was written and hosted by me, Maria Varmazis. It was produced by Liz Stokes. Mixing, editing, and sound design by Trey Hester. Our executive producer is Jennifer Eiben with content strategy by Ma'ayan Plaut. Peter Kilpe is our publisher. Thank you so much for listening. [ Music ]

Special Editions
Podcast Info
HOST(S):
Dave Bittner
Maria Varmazis
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Maria Varmazis is a podcast producer and journalist specializing in space, cybersecurity, and emerging technology. She translates complex industry developments into clear, engaging conversations and thoughtful storytelling that connects technical subjects to the people and ideas shaping the future. Maria is the host of T-Minus: Space-Cyber Briefing and co-host of Hacking Humans.
Creator: N2K Networks, Inc.