scieee Science in your language
[en] (orig)

Lessons from small and highly-digitalised Estonia: Decision-making in the aftermath of cybersecurity crises

Author: Carmichael, Logan
Publisher: Berlin: Alexander von Humboldt Institute for Internet and Society
Year: 2025
DOI: 10.14763/2025.3.2028
Source: https://www.econstor.eu/bitstream/10419/324164/1/1933553936.pdf
Ca michael, Logan
A icle
Lessons om small and highly-digi alised Es onia:
Decision-making in he a e ma h o cybe secu i y c ises
In e ne Policy Re iew
P o ided in Coope a ion wi h:
Alexande on Humbold Ins i u e o In e ne and Socie y (HIIG), Be lin
Sugges ed Ci a ion: Ca michael, Logan (2025) : Lessons om small and highly-digi alised Es onia:
Decision-making in he a e ma h o cybe secu i y c ises, In e ne Policy Re iew, ISSN 2197-6775,
Alexande on Humbold Ins i u e o In e ne and Socie y, Be lin, Vol. 14, Iss. 3, pp. 1-30,
h ps://doi.o g/10.14763/2025.3.2028
This Ve sion is a ailable a :
h ps://hdl.handle.ne /10419/324164
S anda d-Nu zungsbedingungen:
Die Dokumen e au EconS o dü en zu eigenen wissenscha lichen
Zwecken und zum P i a geb auch gespeiche und kopie we den.
Sie dü en die Dokumen e nich ü ö en liche ode komme zielle
Zwecke e iel äl igen, ö en lich auss ellen, ö en lich zugänglich
machen, e eiben ode ande wei ig nu zen.
So e n die Ve asse die Dokumen e un e Open-Con en -Lizenzen
(insbesonde e CC-Lizenzen) zu Ve ügung ges ell haben soll en,
gel en abweichend on diesen Nu zungsbedingungen die in de do
genann en Lizenz gewäh en Nu zungs ech e.
Te ms o use:
Documen s in EconS o may be sa ed and copied o you pe sonal
and schola ly pu poses.
You a e no o copy documen s o public o comme cial pu poses, o
exhibi he documen s publicly, o make hem publicly a ailable on he
in e ne , o o dis ibu e o o he wise use he documen s in public.
I he documen s ha e been made a ailable unde an Open Con en
Licence (especially C ea i e Commons Licences), you may exe cise
u he usage igh s as speci ied in he indica ed licence.
h ps://c ea i ecommons.o g/licenses/by/3.0/de/deed.en
Volume 14 |
Lessons om small and highly-digi alised
Es onia: Decision-making in he a e ma h
o cybe secu i y c ises
Logan Ca michael Uni e si y o Ta u
DOI: h ps://doi.o g/10.14763/2025.3.2028
Published: 13 Augus 2025
Recei ed: 13 Augus 2024 Accep ed: 13 Decembe 2024
Funding: This wo k was suppo ed by Eu opean Union’s Ho izon 2020 esea ch and
inno a ion p og am unde g an ag eemen No 857622 “ERA Chai in E-Go e nance
and Digi al Public Se ices — ECePS”.
Compe ing In e es s: The au ho has decla ed ha no compe ing in e es s exis ha
ha e in luenced he ex .
Licence: This is an open-access a icle dis ibu ed unde he e ms o he C ea i e
Commons A ibu ion 3.0 License (Ge many) which pe mi s un es ic ed use,
dis ibu ion, and ep oduc ion in any medium, p o ided he o iginal wo k is p ope ly
ci ed. h ps://c ea i ecommons.o g/licenses/by/3.0/de/deed.en
Copy igh emains wi h he au ho (s).
Ci a ion: Ca michael, L. (2025). Lessons om small and highly-digi alised Es onia:
Decision-making in he a e ma h o cybe secu i y c ises. In e ne Policy Re iew, 14(3).
h ps://doi.o g/10.14763/2025.3.2028
Keywo ds: Cybe secu i y go e nance, E-go e nance, Es onia, C isis managemen ,
Cybe secu i y managemen
Abs ac : As go e nmen s ac oss he wo ld inc easingly unde go digi alisa ion p ocesses, ensu ing
cybe secu i y o hese p o isions canno be 100% gua an eed. How, hen, can go e nmen s bes
espond o a cybe secu i y c isis in o de o bols e cybe secu i y in he u u e? E en Es onia, one o
he ea lies and mos pe asi e examples o e-go e nance globally, has no been wi hou
cybe secu i y c ises. Using ou key Es onian examples, his pape examines he componen s o
go e nmen decision-making in he a e ma h o cybe secu i y c ises, which aim o bols e u u e
cybe secu i y. Th ee key app oaches eme ged om he c ises examined: 1) decision-making is
de i ed om p io knowledge and expe ience; 2) communica ions a ound cybe secu i y c ises is
clea , coo dina ed, and anspa en ; and 3) inno a ion and planning should ake place in imes o
non-c isis, as c ises o en expedi e decision-making. Ul ima ely, his pape o e s insigh in o how
go e nmen s can make decisions ollowing cybe secu i y c ises, in con ex s beyond Es onia, as hey
unde go digi alisa ion p ocesses and inc easingly ace cybe a acks.
Issue 3
In oduc ion
Ac oss he wo ld, go e nmen s a e inc easingly digi alising hei se ice p o i-
sions, a p ocess ha has been ongoing o e ecen decades bu was expedi ed in
many places wi h COVID-19 lockdown es ic ions (Hä mand, 2021; Ca michael,
2021). A he same ime, cybe a acks and o he malicious ac i i y in cybe space
ha e been inc easing in equency, sophis ica ion, and se e i y, wi h a ge s ac oss
my iad sec o s, including go e nmen s (see, o example, Tashe a, 2021; P ang-
gono and A abo, 2020). Thus, he opics o cybe secu i y and e-go e nance ha e
become inc easingly in e wined, wi h con e sa ions a ound how digi alised p o i-
sions should be secu ed becoming an inhe en and c ucial pa o he digi alisa-
ion p ocess. Despi e p oac i e measu es o enhance cybe secu i y, c ises – b oad-
ly, ‘dis up i e’ e en s wi h he elemen s o h ea , u gency, and unce ain y – in he
cybe domain can, and do, s ill e en ua e (Boin e al., pp. 5-7). Thus, his pape ad-
d esses he ollowing co e ques ion: how can go e nmen s, and hei minis ies
and agencies esponsible o cybe secu i y, espond in he a e ma h o a cybe se-
cu i y c isis, in o de o bols e he u u e cybe secu i y o hei digi alisa ion ini-
ia i es?
Es onia, a na ion o 1.3 million people on he sou he n sho es o he Bal ic Sea, is
an illumina ing case in bo h he s udy o e-go e nance and cybe secu i y. This is
because o i s ea ly and pe asi e adop ion o e-go e nance p ac ices, including
elec onic iden i ica ion (eID) and na ionwide in e ne o ing (i- o ing) da ing back
o he ea ly 2000s (Al a ez e al., 2009; Vassil e al., 2016). The coun y also aced
one o he ea lies ins ances o a publicly-acknowledged DDoS cybe a ack on a
na ion-s a e in 2007, and c a ed new legisla ion and go e nance s uc u es in i s
a e ma h, p eda ing mos o i s coun e pa s globally. Al hough deemed a global
leade in his space, Es onia has no been wi hou cybe secu i y c ises, e en hose
impac ing i s e-go e nance model. This pape looks a ou key c ises in he Es on-
ian expe ience wi h e-go e nance and i s cybe secu i y: he a o emen ioned 2007
DDoS cybe a acks, impac ing go e nmen , news media, and banking si es; he
2017 ‘eID’ c isis whe e a ulne abili y in eID ca ds was disco e ed; he COVID-19
pandemic, and he cybe secu i y eali ies associa ed wi h a public heal h c isis and
lockdowns; and he 2022 Russian ull-scale in asion o Uk aine, which coincided
wi h cybe a acks agains Uk aine’s allies. Though he la e wo e en s a e no
uniquely cybe secu i y c ises, hey did come wi h unique new cybe secu i y eali-
ies, and along wi h he o me wo e en s, mee he c i e ia se o h in c isis
managemen li e a u e o cons i u e a c isis, in o de o obse e he e olu ion o
decision-making on said opics in he Es onian go e nmen .
2 In e ne Policy Re iew 14(3) | 2025
The Es onian case demons a es he impo ance o lea ning om expe iences,
g ow h, and con inuous imp o emen o cybe secu i y mechanisms, especially in
an ins ance o such pe asi e digi alisa ion. The e was a ime when Es onia was a
unique case pu ely because o he exis ence o i s e-go e nance s uc u e, bu o-
day, o he coun ies ha e ‘caugh up’ in he digi alisa ion p ocess. As an ea lie
adop e o e-go e nance and, in u n, cybe secu i y p ac ices, when aced wi h
c ises in hese spaces, Es onia o en ound i sel c a ing new esponses, a he
han ollowing global p eceden ha did no ye exis , gi en ha go e nmen s did
no ypically publicly acknowledge cybe a acks a ha ime. Thus, he alue o
he Es onian case lies in i s ma u i y, con inuing o lea n om he cybe secu i y
challenges ha can be all digi alised p o isions. As o he go e nmen s, a a ious
le els o go e nance, a e emba king on he ea lie s ages o digi alisa ion and as-
socia ed cybe secu i y conside a ions, hey s and o lea n om he Es onian expe-
ience, whe e he go e nmen has been g appling wi h he opics o cybe secu i y
su ounding digi alised p o isions o mo e han i een yea s, a guably leading o
a mo e secu e e-go e nance sys em o e ime.
FIGURE 1: Es onian cybe secu i y c ises examined in his pape .
S a e o he a
While ‘c isis’ can be desc ibed as a “b oad e m ela ed o dis up ions o some kind”
(Coombs e al., 2019, p. 31), hen c isis managemen is “a se o ac o s designed o
comba c ises and o lessen he ac ual damage in lic ed by” hem (Coombs, 2018,
p. 1). In hei ounda ional wo k on poli ical c isis managemen , Boin and col-
leagues (2017) acknowledge he wide ange o domains – including e o ism, na -
u al disas e s, and humani a ian eme gencies – in which c ises ha e been expe i-
enced o e p io decades (p. 1). Fu he mo e, c isis managemen schola ship has
3 Ca michael
p oposed a numbe o di e en models o c ises hemsel es and o ca ying ou
c isis managemen . This has included Boin and colleagues’ (2017) c i e ia o de-
e mining wha cons i u es a c isis; hese speci ic c i e ia, u ilised in his pape , a e
ou lined in g ea e de ail in he ollowing sec ion. Fu he models in c isis man-
agemen ha e included Pea son and Clai ’s (1998) model o he c isis managemen
p ocess, wi h ocus on he en i onmen al con ex , indi idual and collec i e eac-
ions, si ua ed be o e and a e a igge ing e en , espec i ely (p. 66). Mo e ecen
wo k om Jin e al. (2023) p oposed a ‘ eadiness’ model, as a mul i-le el app oach
o h ea s, isks, con lic s, c ises, and s icky c ises, o bols e p epa edness (pp. 4-5).
The c isis managemen model mos ele an o his pape is Jaques’ (2007) ela-
ional model o c isis managemen , which clus e s pa s o he c isis managemen
p ocess in o ou pa s, si ua ed be o e, du ing, and ollowing a c isis (pp.
150-151). The app oach o c isis esponse unde aken in his pape co esponds o
wha Jaques (2007) calls ‘pos -c isis managemen ,’ namely, he eco e y and busi-
ness esump ion, pos -c isis issue impac s, and e alua ion and modi ica ion (p.
150). As wi h he c ises c i e ia a o emen ioned, u he de ail on his app oach
will be elabo a ed upon in he ollowing sec ion.
Acco ding o Boin e al. (2017), cybe secu i y ep esen s a new domain in which
c isis managemen can be s udied (p. 3). As a esul , he e is a limi ed bu eme g-
ing body o li e a u e in he pa icula ield o cybe secu i y and c isis manage-
men . Va ious wo ks apply elemen s o he b oade s udy o c isis managemen in-
o he cybe a ena. In ea lie li e a u e, A eng (2013) looked a in e na ional mech-
anisms o b oaching cybe c ises, especially is-à- is mo e ‘ adi ional’ oolki s o
c isis managemen . Boeke (2017) simila ly a icula ed ha s a es s uggle o adap
exis ing ins i u ional s uc u es o cope in ins ances o cybe c isis, using he cases
o Es onia, Denma k, he Ne he lands, and he Czech Republic. Con e sely, Back-
man (2020) looked a cybe c isis as i ing wi hin b oade ans-bounda y c isis li -
e a u e. Collie (2017) examined go e nmen al ins i u ional s uc u e o c isis,
NGO in ol emen , and in e na ional ini ia i es.
The Es onian cybe a acks o 2007 p o ided a case s udy in se e al o hese a i-
cles, including A eng, Boeke, Backman, and Collie , while he la e wo ha e com-
pa ed Es onian and Uni ed Kingdom cybe c isis esponse. Boeke (2017) acknowl-
edges ha Es onia has been a p e-eminen case s udy in cybe c isis managemen ,
indeed as one o he i s such ins ances o a s a e needing o de elop a esponse
o a cybe c isis; his a icle also adop s such easoning. Di e gen om his com-
mon case s udy, he wo k o Øs by and Ka (2019) p oposes a model o ole dis i-
bu ion in cybe c isis managemen , compa ed side-by-side wi h con en ional c isis
4 In e ne Policy Re iew 14(3) | 2025

managemen oles, using municipal-le el go e nance in No way as hei case. In
wo k examining he componen s ha shape ins i u ional de ini ions o cybe secu-
i y, Fich ne (2018) asse s ha app oaches can be shaped by h ea s, asse s p o-
ec ed, measu es o policies u ilised, and esponsibili ies gi en o pa icula ac o s,
all go e nance app oaches buil upon in his pape .
In he Es onian con ex , ypically li e a u e b oaches he opics o digi al go e -
nance o cybe secu i y, wi h only a limi ed numbe o wo ks examining hese op-
ics oge he . Fo example, schola s such as E nsdo and Be bec (2007), and Ki s-
ing (2008) looked a he ea ly de elopmen and success o Es onian e-go e nance.
Mo e ecen wo k om schola s including Ke ikmäe e al. (2019), Sol ak e al.
(2019), and S ephany (2020) ha e looked a nuanced aspec s o Es onian e-go e -
nance, such as public pe cep ions, adop ion a es, and elemen s in luencing he
success o he Es onian model. Es onian cybe secu i y has been s udied as an ex-
ample o a global no m-se e (C andall and Allan, 2015), while speci ic a en ion
has been paid in se e al wo ks o he 2007 cybe a acks: he poli ical decision-
making and legal e o ms ha ollowed, as well as he o ic su ounding whe he
his ep esen ed an ins ance o cybe wa a e, by schola s including Czosseck e al.
(2011), He zog (2017), and Rid (2017). Ea ly li e a u e on he s udy o cybe secu i y
and he Copenhagen School o hough ou lined he “sys emic h ea s” in he
p ocess o secu i ising digi al sys ems, encompassing c i ical in as uc u es and a
b oad ange o digi alised p o isions, a p ecu so o e-go e nance (Hansen and
Nissenbaum, 2009, pp. 1160-1161). Wo ks on e-go e nance and cybe secu i y, o-
ge he , in Es onia, ha e come om Pa šo s’ (2020a; 2020b) and Skie ka’s (2023)
s udies o he 2017 eID c isis, a c isis also explo ed in his pape . This pape aims
o make a heo e ical and concep ual con ibu ion a he nexus o hese h ee co e
s ains o li e a u e: c isis managemen , cybe secu i y go e nance, and e-go e -
nance. As such, i con ibu es o he eme ging li e a u e examining c isis manage-
men speci ically in he domain o cybe secu i y and i s go e nance; i does so by
looking a c isis esponses as hey a ec e-go e nance p o isions, speci ically
d awing om a ma u e Es onian con ex , albei one wi h use ul applicabili y o c i-
sis managemen , cybe secu i y, and digi alisa ion con ex s globally.
Theo e ical and concep ual backg ound
Empi ically, his pape employs a his o ical ins i u ionalis heo e ical app oach, as
a use ul means o iew go e nance and decision-making in he wake o cybe secu-
i y inciden s a ec ing he Es onian digi al go e nance s uc u e, hough me hod-
ologically, i akes a cons uc i is app oach, aluing expe iences and ideas de i ed
5 Ca michael
om go e nmen o icials’ encoun e s wi h c isis. Toge he , hese heo e ical
g oundings ame he opics o cybe secu i y and digi al go e nance in an Es onian
con ex h ough ins i u ional pa h dependencies o e ime, wi h cybe secu i y
c ises as c i ical junc u es o s udy, de i ing indings based on he expe iences and
ideas om decision-make s a he o e on o hese junc u es. Mahoney e al.
(2016) de ine c i ical junc u e as “a ela i ely sho pe iod in ime du ing which an
e en o se o e en s occu s ha has a la ge and endu ing subsequen impac ” (p.
77). Indeed, hese concep s play a p ominen ole in his o ical ins i u ionalis
schola ship, as indica ed by Fio e os e al. (2016) ha c i ical junc u es ma k he
s a o pa h-dependen p ocesses, whe eby u u e ou comes, decisions, o
p ocesses a e a esul o hose ha came be o e hem (p. 9).
The app oach o his o ical ins i u ionalism employed in his pape speci ically
d aws upon Pie son and Skocpol’s (2002) idea ha his o ical ins i u ionalis s mus
look o c i ical junc u es and long- e m p ocesses, o unde s and “o e a ching con-
ex s and in e ac ing p ocesses ha shape and eshape s a es, poli ics, and public
policmaking [sic]”. In employing his app oach, his pape examines cybe secu i y
c ises as c i ical junc u es, and he ‘ma ke s’ o pa h dependencies a o emen ioned,
o look a how go e nance p ocesses su ounding cybe secu i y ha e been shaped
and impac ed o e ime. He e, he ou key c ises ha e been selec ed as use ul and
illus a i e o s udy, and hei pa icula ele ance and applicabili y is ou lined in
g ea e de ail below. This a icle looks less so a he c ises hemsel es, bu a he
om a go e nance pe spec i e, looking a how poli ical decision-making was un-
de aken in he a e ma h o said c ises o u he imp o e he secu i y unde pin-
ning Es onia’s digi al in as uc u e. While, in he b oade con ex o he s udy o
c i ical junc u es in his o ical ins i u ionalism, he 15-yea ime pe iod o his p o-
jec is ela i ely sho , conside ing how ecen ly cybe secu i y and digi al go e -
nance ha e de eloped, his app oach is jus i ied gi en ha his comp ises mos o
he his o y o hese opics s udied he e. C ises in he domains o cybe secu i y and
digi al go e nance in Es onia ha e ended o in ol e and impac a ious ac o s
ac oss he poli ical landscape and socie y; hus, hese c ises in he Es onian con-
ex a e pa icula ly illumina ing c i ical junc u es o he s udy o go e nance
p ocesses unde aken in esponse.
This pape employs a comp ehensi e de ini ion o cybe secu i y, encompassing he
secu i y o echnological sys ems and so wa e, ee o manipula ion o dis up ion,
and he p o ec ion o in o ma ion con ained in hese sys ems om al e a ion, co -
up ion, dele ion, unau ho ised access, o dissemina ion (C aigen e al., 2014).
Thus, cybe secu i y go e nance is he ins i u ional and o ganisa ional s uc u e
6 In e ne Policy Re iew 14(3) | 2025
and decision-making ela ed o cybe secu i y, as a o emen ioned (U gessa, 2020;
Von Solms and Von Solms, 2018). This pape de i es i s e minology o e-go e -
nance om he wo k o D’Agos ino e al. (2011), and Bannis e and Conolly (2012),
assuming an ‘in e ac i e dynamic’ be ween he go e nmen and ci izen y, and a
undamen ally digi alised model o go e nance di e ing subs an i ely om i s
analogue p edecesso s.
Speci ically, his pape d aws i s de ini ion and c i e ia o a c isis om Boin e al.
(2017) in The Poli ics o C isis Managemen , a second edi ion ha has been upda ed
o include cybe a acks in a lis also encompassing na u al disas e s, e o a acks,
and collapses o inancial sys ems. They w i e ha such c ises “ ou inely sha e
he peace and o de o socie ies” es ing go e nance oday (p. 3). They se o h
he key c i e ia o a c isis as h ea , a “sense ha he co e alues o li e-sus aining
ea u es o a sys em ha e come unde h ea ,” u gency (al hough his is ypically
socially cons uc ed and can be used ins umen ally, i.e. u gency as a ool in a
hos age si ua ion, and can a y by p oximi y o he c isis), and unce ain y, a lack
o cla i y abou wha will happen nex (pp. 5-7). Fu he mo e, while hese c ises
mee he c i e ia se o h by Boin e al., he pa icula c isis managemen e-
sponse s udied in his pape co ela es wi h he “pos -c isis managemen ” clus e
o Jaques (2007) ela ional model o c isis managemen (p. 150). The ‘c i ical unc-
ion’ o his pos -c isis clus e is “looping back o and p epa ing o and managing
u u e c ises,” by looking a : 1) eco e y and business esump ion (in his case, o e-
go e nance p ocesses in pa icula ), 2) pos -c isis issue impac s, and 3) e alua ion
and modi ica ion, all o which align wi h he co e esea ch ques ion o his pape ,
ocusing on pos -c isis lea ning o bols e u u e cybe secu i y su ounding digi al-
isa ion (Jaques, 2007, p. 150).
This pape uses ou cases, ep esen ing c i ical junc u es in he o e all cybe secu-
i y and e-go e nance his o y o Es onia; hey also all mee he c i e ia o a ‘c isis’
se o h by Boin e al. These cases we e ini ially selec ed based on a e iew o li -
e a u e and examined is-à- is yea ly go e nmen epo s on cybe secu i y. This
was u he alida ed when in e iewees we e asked abou c ises ha should be
s udied, indica ing ha hese we e he p e-eminen c ises impac ing Es onian e-
go e nance h oughou i s his o y, hough some did e e o ex e nal c ises ha
we e also impac ul. Ul ima ely, in e iewing indica ed common hemes ac oss
hese c ises: building upon p io knowledge and expe iences, clea and anspa -
en communica ions, and c isis as an expedi o o change, hus necessi a ing inno-
a ion in imes o non-c isis.
7 Ca michael
2007 cybe a acks
Es onia sha es a complex and ense ela ionship wi h i s much la ge neighbou ,
Russia; he coun y was occupied by he So ie Union du ing he Second Wo ld
Wa and did no egain independence un il 1991. One key his o ical legacy is an
o en-wa y and ‘secu i ised’ ela ionship be ween he coun y’s e hnically-Es onian
majo i y and i s Russian mino i y (Jašina-Schä e and Cheskin, 2019, pp. 1-2). Thus,
a e he emo al o a con o e sial So ie -e a monumen om cen al Tallinn in
Ap il 2007, iolen poli ical p o es e up ed, esul ing in one dea h, ollowed by
h ee weeks o dis ibu ed denial-o -se ice (DDoS) cybe a acks on news media,
banks, and go e nmen and poli icians’ websi es (Ehala, 2009; BBC News, 2007).
These cybe a acks h ea ened he unc ioning o go e nmen websi es, some digi-
al se ices, and banking se ices; hough he e was less digi alisa ion han oday,
unc ionali y was ce ainly signi ican ly impac ed. The e was a sense o u gency o
b ing hese websi es back online, as hey we e c ucial o he e ec i e unc ioning
o se ices. Fu he mo e, he e was unce ain y abou how and when he cybe a -
acks would end, and how an in es iga ion and a ibu ion could occu , especially
as he cybe a acks eached a peak on 9 May 2007, Vic o y Day, and as he Russian
go e nmen e used o coope a e (Pe nik, 2018, p. 57; STRATCOM Cen e o Excel-
lence, 2019, pp. 52, 58).
2017 eID c isis
In he summe o 2017, Czech esea che s ound a e u n-o - he-coppe smi h (RO-
CA) c yp og aphic key gene a ion ulne abili y in app oxima ely wo- hi ds o Es-
onian eID ca ds, alongside echnologies used in o he coun ies including Aus ia
and Spain (Nemec e al., 2017). This posed a majo secu i y h ea , as he eID ca ds
ep esen a co e means o au hen ica ion wi hin he Es onian e-go e nance sys-
em, and his unpa ched ulne abili y could be exploi ed by malicious ac o s a
any ime o my iad ne a ious pu poses. Indeed, Skie ka (2023) main ains ha
elec onic iden i ica ion is “an indispensable pilla o Es onia’s digi al socie y,” wi h
hea y dependence ac oss Es onian socie y o access o public and p i a e digi al
se ices and digi al signa u es; “i s ailu e would ha e d ama ic consequences o
Es onia’s ‘e-s a e’ and la ge pa s o socie y” (p. 2). The e was u gency o ind a
pa ch o he ulne abili y, and o deli e messaging o he gene al public, especial-
ly conside ing ha local elec ions we e coming up, o which eID was i al o o -
e au hen ica ion. Unce ain y exis ed up un il he momen ha a pa ch was de el-
oped, as he eID ca ds, and some o hei unc ions, including elec ions, could be
manipula ed by malicious ac o s.
8 In e ne Policy Re iew 14(3) | 2025
u es and s a egies o ackling cybe a acks we e necessa y mo ing o wa d. The
MOD ook he lead on de eloping a cybe secu i y s a egy, whe eby minis e ial e-
sponsibili y o cybe secu i y should p eeminen ly be a ci ilian a he han mili a y
ask, and he MOD would alloca e his p ima y esponsibili y o he MKM (Fo me
senio MOD o icial, in e iew, n.d.; o me cybe secu i y o icial, in e iew, n.d.).
The ou come was he i s Es onian Na ional Cybe secu i y S a egy, published in
2008 and one o he i s o i s kind globally; o econ igu e go e nance s uc u es
o e seeing cybe secu i y inside he Es onian go e nmen ; and o collabo a e mo e
closely wi h he p i a e sec o . Mul iple esponden s poin ed ou ha he shi in
cybe secu i y pu iew empowe ed bo h RIA and he Es onian Compu e Eme gency
Response Team, CERT (Fo me RIA o icial, in e iew, n.d.; o me cybe secu i y o i-
cial, in e iew, n.d.; L. A eng, in e iew, n.d.; o me senio MOD o icial, in e iew,
n.d.). RIA, home o some o he mos knowledgeable echnical pe sonnel, became
si ua ed unde MKM, and became manda ed o conduc audi s on o he en i ies
wi hin he Es onian go e nmen , o ensu e compliance wi h cybe secu i y equi e-
men s (Fo me senio MOD o icial, in e iew, n.d.).
Se e al esponden s also no ed ha he 2007 cybe a acks p omp ed he c ea ion
o he Cybe De ence League (now he Cybe Uni o he Es onian De ence League),
and opened up my iad new educa ional and aining pa hways o cybe secu i y.
The la e esul ed in he i s cybe secu i y Mas e s p og ammes a Tallinn Techni-
cal Uni e si y and he Uni e si y o Ta u, wi h esou cing om he MOD and, la e ,
he Minis y o Educa ion ( o me RIA o icial, in e iew, n.d.; o me go e nmen
cybe secu i y o icial, in e iew, n.d.; L. A eng, in e iew, Ap il 3, 2023; o me MOD
o icial, in e iew, n.d.). Ano he majo ou come o he 2007 cybe a acks, men-
ioned by almos all o he esponden s, was he es ablishmen o he NATO-ac-
c edi ed Coope a i e Cybe De ence Cen e o Excellence (CCDCoE) in Tallinn in
2008 (Fo me elec o al o icial, in e iew, n.d.; o me MOD o icial, in e iew, n.d.;
T.H. Il es, in e iew, Ma ch 14, 2023). Responden s poin ed ou ha he idea o
he CCDCoE o be based in Tallinn had begun h ee yea s p io o he cybe a acks,
bu sugges ed ha he cybe a acks ga ne ed suppo o his idea o ac ualise
(T.H. Il es, in e iew, Ma ch 14, 2023). The CCDCoE’s main aims a e o p o ide “cy-
be de ence esea ch, aining and exe cises co e ing he ocus a eas o echnolo-
gy, s a egy, ope a ions and law” o NATO allies and hei pa ne s, wi h esea ch
and cybe aining exe cises aking place in Es onia (Coope a i e Cybe De ence
Cen e o Excellence, n.d.).
Re lec ing on he o e all p ocess o pos -2007 cybe a acks decision-making, a o -
me Minis y o De ence o icial (in e iew, n.d.) no ed ha he e we e ‘lessons
15 Ca michael

lea ned’ pape s c a ed in e nally, bu we en’ eleased publicly, like in some la e
cybe secu i y c ises. This ins iga ed a p ocess o go e nmen al in ospec ion ha
would de i e lessons o u u e cybe secu i y c ises.
eID c isis
In e iews wi h decision-make s wi hin he Es onian go e nmen a he ime o
he eID c isis showed ha he ini ial decision-making esponse was h ee old: de-
eloping in e nal communica ions on he opic, c a ing public messaging, and
wo king on es ablishing and deploying a pa ch o he ulne abili y. A e being in-
o med by Czech esea che s o he ulne abili y, which exis ed in he chip ca ds
used no only in Es onia, bu elsewhe e in Eu ope, communica ions began be ween
RIA, whose knowledge o he echnology unde pinning eID was he mos sophis i-
ca ed; he Police and Bo de Gua d, who issued he ca d; and Gemal o, he p i a e
company ha p oduced he physical sma ca d (Fo me RIA o icial, in e iew, n.d.;
T. Pe e kop, in e iew, Ap il 3, 2023). The ini ial esponse included RIA’s endea ou
o es ablish a pa ch o he ulne abili y, as well as in e nal a emp s om RIA pe -
sonnel o exploi he ulne abili y hemsel es, and moni o ing he da k web o see
i an exploi eme ged (T. Pe e kop, in e iew, Ap il 3, 2023). Though he ulne abil-
i y was no exploi ed, an exploi was ul ima ely ound o be sold on he da k web
a e he decision was made o suspend ce i ica es on he ulne able ID ca ds (T.
Pe e kop, in e iew, Ap il 3, 2023).
Fi s ly, i was de e mined ha he go e nmen would ake a clea and coo dina ed
app oach o hei communica ions on he c isis; RIA communica ions pe sonnel
c a ed he e m “ anspa en isk managemen ” o desc ibe hei app oach (Fo -
me RIA o icial, in e iew, n.d.). Ul ima ely, hen-P ime Minis e Jü i Ra as became
he spokespe son o he go e nmen in his c isis, beginning wi h a p ess con e -
ence six days a e he ulne abili y was disclosed by Czech esea che s. Though
he e we e some al e na i e cou ses o ac ion sugges ed, one being ha he head
o he Police and Bo de Gua d deli e he messaging, ul ima ely i was deemed a
“poli ical decision” o Ra as o ake on his ole (Pe e kop, in e iew, Ap il 3, 2023).
Messaging was selec ed ca e ully, a emp ing o ame he c isis in an unde s and-
able and accessible manne o he gene al popula ion, o main ain he public’s
us in he go e nmen and he echnology (Fo me RIA o icial, in e iew, n.d.).
Responden s om ac oss he Es onian go e nmen applauded Ra as’ esponse as
isible, anspa en , and explained he si ua ion in a pala able way, while simul a-
neously aking he si ua ion se iously (Fo me cybe secu i y o icial, in e iew, n.d.;
o me MOD o icial, in e iew, n.d.). While he Es onian go e nmen aced c i i-
cisms o conce ns wi h o he aspec s o he eID c isis, such as in e ne o ing ou -
16 In e ne Policy Re iew 14(3) | 2025
lined below, he esponse o he go e nmen ’s communica ions s a egy was o e -
whelmingly posi i e. One Es onian jou nalis , Ai a Pau, was pa icula ly c i ical o
he communica ions esponse a he ime o he eID c isis, claiming i sowed panic
ha was ‘unjus i ied’ (Pau, 2017a; Pau, 2017b). Howe e , Pau’s wo ks ha e been e-
bu ed by he likes o o me En ep eneu ship and IT Minis e Liisa O ii and o -
me P esiden Toomas Hend ik Il es, who main ained ha in o ming he public o
a cybe secu i y c isis is a na u al cou se o ac ion, while a go e nmen co e -up o
he c isis would ha e been a a wo se op ion (O ii , 2017; Bel adze, 2017). This is
e lec ed in schola ship on he eID c isis as well (Skie ka, 2023, p. 4; Ven sel and
Madisson, 2019, pp. 136-137).
A u he conce n ha a ose was in e ne o ing, as local elec ions we e upcoming
in Oc obe 2017, and eID ca ds we e a key ool o e i ying and au hen ica ing
o e s. A o me elec o al o icial (in e iew, n.d.) no ed ha some inside he Es on-
ian go e nmen ad oca ed agains he use o in e ne o ing in he 2017 local
elec ions, bu hese ideas we e dismissed a he quickly. A o me senio cybe se-
cu i y o icial (in e iew, n.d.) no ed ha he e was less conce n abou comp o-
mised elec o al in eg i y as a esul o he ulne abili y, bu a he , o he o ms o
manipula ion – ie. inancial exploi a ion – p io o he deploymen o a pa ch. Se -
e al esponden s poin ed ou he eID was no “an exclusi e e-se ice” o he pu -
pose o au hen ica ion, ha o he me hods o go e nmen -au ho ised iden i ica-
ion could be used o ha o e s could o e in-pe son on-pape (Fo me MOD o i-
cial, in e iew, n.d.; o me cybe secu i y o icial, in e iew, n.d.; Pe e kop, in e -
iew, n.d.). Despi e conce ns ha i- o ing u nou would dec ease signi ican ly
wi h he eID c isis, he o e all le el o o ing and i- o ing usage did no unda-
men ally change du ing he 2017 local elec ions (Valimised, n.d.).
Ul ima ely, by la e Oc obe and ea ly No embe o 2017, pa ches o he ulne abil-
i y we e de eloped, es ed, and deployed, albei wi h some e en ual queues o e-
cei e new ID ca ds and some online gli ches (Fo me RIA o icial, in e iew, n.d.).
O e all, esponden s conside ed his o be a success ul esponse o a cybe secu i y
c isis, as he ulne abili y was no exploi ed be o e a pa ch was deployed, and also
om a communica ions s andpoin . Mul iple esponden s indica ed ha he p ece-
den o clea and anspa en messaging a ound a cybe secu i y c isis was de i ed
om he 2007 cybe a acks (Fo me cybe secu i y o icial, in e iew, n.d.; T. Pe-
e kop, in e iew, Ap il 3, 2023). Beyond he expe ience gained om he 2007 cy-
be a acks, one esponden no ed ha he e was p epa edness o such a c isis de-
i ed om egula cybe secu i y exe cises and simula ions; ea lie ha yea , a na-
ional exe cise had simula ed a ulne abili y wi h eID, al hough he esponden
17 Ca michael
no ed ha eID o icials had been adaman ha such a scena io would ne e un old
(ERR, 2015; MKM, n.d.; L. A eng, in e iew, Ap il 3, 2023). Mul iple esponden s al-
so d ew a en ion o he ac ha he e was a ‘lessons lea ned’ pape d a ed in e-
sponse o he eID c isis, and unlike he 2007 cybe a acks be o e i , his pape was
made publicly a ailable (RIA, 2018; Fo me cybe secu i y o icial, in e iew, n.d.;
Fo me senio MOD o icial, in e iew, n.d.). Fu he mo e, a o me MoD o icial (in-
e iew, n.d.) sugges ed ha , beyond RIA, o he minis ies and agencies gene ally
made be e c isis plans o hemsel es as a esul o he eID c isis.
COVID-19 pandemic
Ini ially COVID-19 ep esen ed a public heal h eme gency, bu he mo e online ne-
cessi a ed by lockdowns quickly encompassed a ious elemen s o Es onia’s e-go -
e nance and he cybe secu i y o hese p o isions. A he onse o he pandemic, a
esponden om he Na ional Si ua ion Cen e (in e iew, n.d.) no ed ha he go -
e nmen began o colla e in o ma ion and knowledge om ac oss sec o s, espe-
cially in he digi al space, so ha he go e nmen could c a po en ial esponses.
Wi h he mo e online aking place apidly, ini ial issues we e less su ounding cy-
be secu i y, and mo e abou accessibili y and usage issues, such as insu icien
b oadband o ine ec i e VPNs (Fo me cybe secu i y o icial, in e iew, n.d.; Fo -
me elec o al o icial, in e iew, n.d.; Fo me Na ional Si ua ion Cen e o icial, in-
e iew, n.d.; L. A eng, in e iew, Ap il 3, 2023). The e we e also conce ns a ound
he secu i y o popula ideo-calling pla o ms such as Mic oso Teams and Zoom,
a ound espionage o unau ho ised pe sons en e ing hese calls. The emedy o
hese conce ns was a e iew o bes p ac ices in cybe hygiene, which one espon-
den no ed was al eady pa icula ly s ong in Es onia, wi h aining p o ided wi h-
in he go e nmen , as well as made publicly a ailable by companies such as Cy-
bexe Technologies (Fo me cybe secu i y o icial, in e iew, n.d.).
Despi e global up icks in cybe a acks, in Es onia se e al esponden s no ed ha
he e wasn’ a signi ican wa e o cybe a acks om Russian cybe a acke s, as
migh ha e been expec ed, bu a he , “pe y cybe c ime” wi h a qui e s anda d
combina ion o phishing, DDoS, and ansomwa e a acks, expe ienced in many o h-
e coun ies as well (Fo me Na ional Si ua ion Cen e o icial, in e iew, n.d.; Fo -
me cybe secu i y o icial, in e iew, n.d.; L. A eng, in e iew, Ap il 3, 2023). Wha
Es onia was mo e conce ned wi h was he p ospec o “mo e o ganised, s a e-
backed, s a e-o ganised a acks ha could ake down c i ical in as uc u es,” o
a ge he undamen al unc ioning o Es onian digi al go e nance, bu ha his
so o a ack did no e en ua e du ing he pandemic (Fo me cybe secu i y o icial,
in e iew, n.d.). These ideas a e also e lec ed in RIA’s yea book o 2020 (RIA,
18 In e ne Policy Re iew 14(3) | 2025
2021).
While mos e-se ices had been a ailable online in Es onia p io o he pandemic,
he e we e some ha had no ; wo such key se ices we e e-educa ion and eal es-
a e ansac ions. Se e al esponden s ou lined how he mo e online o schooling
was highly decen alised, ha decisions a ound he echnologies used and hei
secu i y mechanisms, we e la gely de e mined on a case-by-case basis in indi id-
ual educa ional se ings (Fo me MOD o icial, in e iew, n.d.; Fo me cybe secu i y
o icial, in e iew, n.d.; L. A eng, in e iew, n.d.). Indeed, li e a u e and epo ing
om ha ime show ha he secu i y o new and decen alised e-educa ion p o i-
sions posed lea ning cu es, as one e-educa ion pla o m e en su e ed DDoS cy-
be a acks and conce ns eme ged abou he unc ionali y o ully-online e-lea ning
and e-heal h (Ca michael, 2021, p. 38; Ees i Eksp ess, 2020; McB ide, 2021). To al-
low eal es a e ansac ions o mo e online, exis ing echnologies om he Es on-
ian company Ve i , used o he Es onian e-Residency p og amme, we e epu -
posed o allow eal es a e ansac ions o ake place emo ely (Ca michael, 2021,
pp. 40-41). Th oughou his p ocess, RIA was consul ed o ensu e op imal secu i y
mechanisms in his p ocess, and he Compu e Secu i y Inciden Response Team
(CSIRT) became in ol ed in assis ing se ice p o ide s (L. A eng, in e iew, Ap il 3,
2023). Fu he mo e, one esponden e isi ed RIA audi s, which we e being ca ied
ou on a egula basis, da ing back o he 2007 cybe a acks, o ensu e cybe secu i-
y compliance and p epa edness ac oss go e nmen (Fo me senio MOD o icial,
in e iew, n.d.).
Russia’s ull-scale in asion o Uk aine
Se e al esponden s no ed ha he Es onian go e nmen ’s cybe secu i y esponse
o Russia’s ull-scale in asion o Uk aine did no nea ly align wi h he 24 Feb ua y
2022 s a o he in asion, bu a he had been ongoing o e he pas decade as
Russian agg ession agains Uk aine escala ed. One esponden , a o me senio cy-
be secu i y specialis (in e iew, n.d.), indica ed ha Es onian o icials had been
playing close a en ion o Russian cybe -ac i i y in Uk aine since 2014 (and pe -
haps e en ea lie , da ing back o he Russian in asion o Geo gia in 2008, abou
which he Es onian go e nmen w o e a lessons lea ned pape , which is s ill no
publicly-a ailable). Funding o enhancing cybe secu i y mechanisms was alloca -
ed in Janua y 2022; conce ns a ound he secu i y escala ion in Uk aine and, ul i-
ma ely, he ull-scale in asion, made i easie o gain esou ces o cybe secu i y
ini ia i es (T. Pe e kop, in e iew, Ap il 3, 2023; Fo me MOD o icial, in e iew,
n.d.). This inc eased unding is clea ly ou lined in o icial go e nmen messaging
and announcemen s a he ime (ERR, 2021; MOD, n.d.).
19 Ca michael
Se e al esponden s exp essed ha cybe a acks aced by Es onian public and p i-
a e sec o en i ies in he immedia e a e ma h o 24 Feb ua y we e less, in bo h
hei equency and se e i y, han hey migh ha e expec ed (Na ional Si ua ion
Cen e pe sonnel, in e iew, n.d.; Fo me elec o al o icial, in e iew, n.d.). As he
wa con inued, cybe a acks did begin o ea nes ly a ge Es onia: hese we e
mos ly DDoS a acks, beginning wi h he NATO Locked Shields cybe secu i y exe -
cise in Ap il 2022, and con inuing h oughou he yea , as RIA’s 2022 yea book
clea ly shows (RIA, 2022). Mul iple esponden s exp essed ha he impac s o
DDoS a acks el less se e e han cybe a acks in he pas , including he 2007 cy-
be a acks, as he echnology o mi iga ing DDoS a acks has imp o ed o e ime,
and he go e nmen has inc eased bo h i s in es men in o cybe secu i y and col-
labo a ion wi h he p i a e sec o (Fo me Na ional Si ua ion Cen e o icial, in e -
iew, n.d.; Fo me senio MOD o icial, in e iew, n.d.).
While esponden s indica ed ha cybe secu i y mechanisms we e al eady qui e
good a he onse o he 24 Feb ua y ull-scale in asion, hey also ou lined ways in
which he Es onian go e nmen unde ook a numbe o decisions in an a emp o
u he bols e cybe secu i y. The e was an exchange o echnology be ween pub-
lic ins i u ions and c i ical in as uc u e p o ide s, and enhanced assis ance p o-
ided by RIA (Fo me MOD o icial, in e iew, n.d.). A RIA o icial con i med his
p ocess; since he onse o he ull-scale in asion, RIA had c a ed a h ee-laye ed
app oach o cybe secu i y: he i s laye in ol es he ic im o a cybe a ack u n-
ing i s o RIA and i s esponse eams o assis ance; he second laye is RIA-sup-
po ed ( ia esou ces and aining) IT houses ac oss he Es onian go e nmen , and
he hi d laye is he Cybe Uni o he Es onian De ence League (L. A eng, in e -
iew, Ap il 3, 2023).
Once again, he e was a key ocus on go e nmen messaging, especially in Augus
2022 as DDoS a acks eached hei highes le els since 2007, as a So ie -e a ank
was emo ed om public display in he bo de own o Na a, con i med by RIA’s
2022 yea book (RIA, 2023). Announcing he cybe a ack, Es onian CIO Luukas Il es
Twee ed: ‘Yes e day, Es onia was subjec o he mos ex ensi e cybe a acks i has
aced since 2007. A emp ed DDoS a acks a ge ed bo h public ins i u ions and
he p i a e sec o ’ (Il es, 2022, n.p.). This Twee was sha ed by high-p o ile Es on-
ian go e nmen o icials including P esiden Ala Ka is and P ime Minis e Kaja
Kallas. Mul iple esponden s acknowledge ha his was, again, an ins ance o clea
and anspa en messaging abou cybe a acks a ge ing Es onia; ano he no ed
ha i ep esen ed an oppo uni y o “p aise” he pe sonnel esponsible o e-
sponding o hese cybe a acks.
20 In e ne Policy Re iew 14(3) | 2025

Some esponden s did, howe e , exp ess conce ns wi h his esponse, ha he
high-p o ile na u e o his messaging could unin en ionally place a a ge on Es o-
nia o u u e cybe a acks, o be manipula ed o pu poses o Russian in o ma ion
wa a e (Fo me MOD o icial, in e iew, n.d.; L. A eng, in e iew, Ap il 3, 2023).
The in insic linkage be ween in o ma ion wa a e and cybe ope a ions by he
Russian s a e – bo h be o e and since he s a o he ull-scale in asion – was
poin ed ou by se e al esponden s as an ongoing conce n. Such a linkage be-
ween in o ma ion wa a e and cybe ope a ions wi hin Russian go e nmen al
doc ine is e lec ed in a g ea deal o li e a u e (see o example, E udo e al.,
2023; Zelenkauskai e, 2022; Why e, 2020). Howe e , one esponden poin ed ou
ha c a ing messaging a ound DDoS a acks is “sa e” is-à- is o he ypes o cy-
be a acks ha may be mo e sophis ica ed, o po en ially emba assing o damag-
ing o a coun y’s epu a ion (Fo me Na ional Si ua ion Cen e o icial, in e iew,
n.d.). The e o e, i may ha e been less isky o Es onian go e nmen o icials o
publicly announce hese DDoS a acks in Augus 2022, as his was deemed less
damaging o ei he i s epu a ion, no echnically o i s digi al go e nance’s unc-
ionali y.
Ex e nal c ises in o ming Es onia
Speaking wi h esponden s also e ealed ha decision-making has no solely been
shaped by Es onian c ises, bu has also been in o med by c ises ha ha e occu ed
beyond i s bo de s. One such example, ou lined by mul iple esponden s, was he
2011 ea hquake in Fukushima, in which he Japanese go e nmen los a small
amoun o na ional da a (T.H. Il es, in e iew, Ma ch 14, 2023; T. Ko ka, in e iew,
Ma ch 28, 2023). Wi h inc eased digi alisa ion and he mo e away om ha d
copies, one esponden emphasised how essen ial i became o in o ma ion – and
e en legisla ion – ha is s o ed solely digi ally o be a ailable in he e en o dis-
as e . While na u al disas e s, like he ea hquake in Fukushima, a e s a is ically
qui e in equen in Es onia, esponden s ecognised he h ea o occupa ion – as
was seen in C imea since 2014, bu which Es onia also expe ienced du ing i s oc-
cupa ion by he So ie Union om he end o he Second Wo ld Wa un il 1991 –
whe eby in o ma ion could be des oyed o undamen ally al e ed. The same is al-
so possible ia cybe a acks. The esul was he es ablishmen o he i s da a em-
bassy, loca ed in Luxembou g, al hough he Es onian go e nmen began s o ing
copies o in o ma ion ou side he coun y as ea ly as 2005 in esponse o his
h ea (T. Ko ka, in e iew, Ma ch 28, 2023).
21 Ca michael
Pa h dependencies ac oss c ises
This pape has ea ed he ou selec ed c ises as c i ical junc u es, de i ed om
his o ical ins i u ionalis heo y ou lined p e iously, which can be used as ma ke s
om which pa h-dependen p ocesses begin, and whe eby ou comes, decisions,
and p ocesses esul om hose ha came be o e hem (Fio e os e al., 2016, p. 9).
Indeed, i can be seen om he analysis abo e ha he pos -c isis esponses and
decision-making p ocesses ou lined by he in e iewees ga e ise o pa h-depen-
den p ocesses in he Es onian con ex . The i s is c isis communica ions espons-
es, which o igina ed wi h he 2007 cybe a acks, when o icials ca e ully consid-
e ed whe he o go public wi h an acknowledgemen o he DDoS a acks, a deci-
sion hey did e en ually unde ake. In e iewees hen asse ed ha subsequen
communica ions s a egies eme ged om his ini ial decision: he ‘ adical ans-
pa ency’ app oach o he eID c isis in 2017, and he acknowledgemen o he
la ges DDoS cybe a acks on Es onia since 2007, publicly dissemina ed on he Es-
onian hen-CIO’s Twi e .
Secondly, new go e nance s uc u es ha eme ged om he 2007 cybe a acks
we e di ec ly ela ed o c isis decision-making in subsequen cybe secu i y c ises.
This included he ele a ion and empowe men o RIA in he a e ma h o he 2007
cybe a acks p io i ised his sophis ica ed echnical expe ise wi hin he Es onian
go e nmen ; RIA played a lead ole in he 2017 eID c isis and de eloping he
pa ch o he ROCA ulne abili y, while RIA audi ing ac oss he whole o Es onian
go e nmen , aimed a ensu ing cybe secu i y compliance, was deployed h ough-
ou he COVID-19 pandemic and beyond. Fu he mo e, RIA’s h ee- ie app oach,
o e ing cybe secu i y se ices o he es o go e nmen , was amped up ollowing
he s a o he ull-scale in asion. In addi ion o RIA, pa h dependencies om he
es ablishmen o he NATO CCDCoE in Tallinn ollowing he 2007 cybe a acks
could be seen wi h Es onian e o s o b ing Uk aine in o CCDCoE membe ship,
wi h he pu pose o exchanging cybe secu i y and cybe de ence expe ise and
knowledge ollowing he s a o he ull-scale in asion. Finally, DDoS p epa ed-
ness, esul ing om o e all imp o emen s and in es men in app op ia e echnol-
ogy, can be aced om he 2007 cybe a acks. Subsequen dis up ions om DDoS
a acks h oughou he COVID-19 pandemic and ollowing he s a o he ull-
scale in asion o Uk aine by Russia in 2022 we e signi ican ly minimised is-à- is
wha was expe ienced wi h he DDoS a acks in 2007. Thus, h ough hese mul i-
ple ins ances, he c i ical junc u es examined in his pape can be used o ace
pa h-dependen p ocesses in cybe secu i y go e nance in he Es onian go e n-
men o e ime.
22 In e ne Policy Re iew 14(3) | 2025
Conclusions
Each o hese e en s ep esen s a dis inc poin and c i ical junc u e in Es onia’s
his o y o cybe secu i y and e-go e nance, each wi h hei own unique and nu-
anced eali ies o he c isis a hand. Howe e , he e a e commonali ies ha exis
ac oss hese c i ical junc u es ha o e lessons in how a coun y, Es onia o be-
yond, can b oach decision-making ollowing cybe secu i y c ises, especially when
hose c ises may po en ially a ec digi alised go e nmen al p o isions. Thus, he e
a e h ee key o e a ching ways in which his pape ’s co e esea ch ques ion –
which asks how go e nmen s and hei esponsible bodies can espond in he a -
e ma h o a c isis o bols e u u e cybe secu i y, especially a ound digi alisa ion
ini ia i es – has been add essed using he Es onian case.
Fi s ly, a common h ead amongs Es onian go e nmen esponses o cybe secu i y
c ises is building on p io knowledge and expe ience, bo h inside o Es onia and
in e na ionally, by moni o ing he cybe secu i y h ea landscape in o he coun ies
and hei expe iences wi h b oaching c ises as well. This is a con inuous p ocess,
one which ecognises ha he cybe secu i y landscape is no s a ic, bu e e -
changing. Es onian go e nmen en i ies, in collabo a ion wi h he p i a e sec o ,
de i ed lessons om ea lie cybe secu i y c ises, like he 2007 cybe a acks and
2017 eID c isis, and applied hese lea nings in u u e c ises, including he
COVID-19 pandemic and he Russian ull-scale in asion o Uk aine, so ha he im-
pac s o cybe a acks we e lessened. Fu he mo e, Es onian au ho i ies moni o ed
he h ea landscape, looking a Japan a e he 2011 Fukushima ea hquake, o
Uk aine since he 2014 annexa ion o C imea, o lea n om he expe iences o
o he coun ies and bols e Es onian cybe secu i y in esponse o such e en s. This
indica es a cons an p ocess o obse ing and lea ning in imes o bo h c isis and
non-c isis, in e nally and looking o ex e nal examples. Indeed, a c isis is no a
sole impe us o change and imp o emen o cybe secu i y, bu se es as a e y
s ong d i e .
Secondly, ac oss hese c ises, he Es onian go e nmen has employed clea , coo di-
na ed messaging and anspa ency a ound imes o c isis. Such an app oach was
ini ially de i ed om he 2007 cybe a acks, a he ime qui e unp eceden ed and
as ye uncha ed whe he he go e nmen would acknowledge a all ha he cy-
be a acks had aken place. Indeed, e en oday, he e y acknowledgemen o cy-
be a acks is o en no gua an eed amongs many go e nmen s globally. Howe e ,
he Es onian go e nmen o he ime unde ook he decision o acknowledge – o
he gene al public and o o he le els o go e nance (i.e., EU and NATO) – ha
hey we e expe iencing DDoS cybe a acks, and his app oach has subsequen ly
23 Ca michael
been aken du ing he eID c isis, h oughou he COVID-19 pandemic, and ollow-
ing cybe a acks since he Russian ull-scale in asion o Uk aine. This messaging
has been coo dina ed by he esponsible go e nmen en i ies, and aken place
h ough channels such as p ess con e ences o eleases and go e nmen igu es’
social media, wi h he speci ic objec i e o in o ming he public o cybe c ises in a
clea , anspa en , and easy- o-unde s and ashion.
Thi dly, while some new solu ions indeed a ose om hese c ises, in many cases,
hese c ises ac ed as expedi o s o o he ideas ha hadn’ gone h ough p io .
Du ing he ea lies days o he COVID-19 pandemic, o example, new solu ions
b oached he mo e o educa ion o a s ic ly online p o ision, bu e en ‘new’ p o i-
sions like online solu ions o eal es a e ansac ions we e de i ed om exis ing
echnologies om Es onian company Ve i , used in he e-Residency p ocess, and
epu posed o no a isa ion on eal es a e ansac ions. Addi ionally, he NATO-ac-
c edi ed CCDCoE in Tallinn had been p oposed since 2004, bu i s es ablishmen
was likely expedi ed by he 2007 cybe a acks. Simila ly, Uk ainian membe ship in-
o he CCDCoE in 2023 and Es onian-Uk ainian coope a ion on cybe secu i y ma -
e s was expedi ed by he ull-scale in asion in Feb ua y 2022. This, he e o e,
shows he di ec linkages be ween imes o c isis and imes o non-c isis, unde -
sco ing he need o c ea i e esponses o c isis in he momen , bu also he need
o inno a ion in imes o non-c isis. New ideas and app oaches, as well as simula-
ions and exe cises o he mos unimaginable o wo s -case scena ios, all con-
ibu e o inc eased p epa edness o i , o mo e likely, when, he nex c isis s ikes.
Es onia ep esen s a unique case in ha i has i een yea s o cybe secu i y his o y
ha can be examined, whe eas mos coun ies ha e no ye de eloped hei cybe -
secu i y p ocesses o e such a leng hy pe iod o ime. The e o e, as a ma u e case,
Es onia has he bene i o lea ning and e ining hei app oach o e ime. D awing
om his case, his pape makes bo h a heo e ical and p ac ical con ibu ion o
he exis ing body o schola ship. Theo e ically, he no el y o his pape lies in he
con ibu ion o c isis managemen li e a u e in he domain o cybe secu i y, look-
ing speci ically a pos -c isis managemen in a highly digi alised and ma u e case.
The use o c ises as c i ical junc u es as sign-pos s dema ca ing pa h-dependen
p ocesses in he Es onian cybe secu i y go e nance p ocess, especially examining
hese p ocesses in he con ex o pos -c isis managemen , is addi ionally no el in
his ega d. These indings ha e p ac ical no el y o go e nmen s globally, who
a e cu en ly unde going digi alisa ion p ocesses, and enac ing cybe secu i y
mechanisms, a a ious s ages and le els o go e nance.
Thus, his case o e s lessons o o he go e nmen s a ound 1) building upon p io
24 In e ne Policy Re iew 14(3) | 2025