TALLINN — What happens when an entire country suddenly goes offline? When, as in Estonia, the government’s website disappears first, then parliament’s, and finally the public administration’s? When no one knows what’s happening because news portals are unreachable? When online transfers fail, and you barely have any cash left in your wallet? When you dial the national emergency phone number and can’t be sure anyone will answer?
For the latest news & views from every corner of the world, Worldcrunch Today is the only truly international newsletter. Sign up here.
“It was confusing and frightening,” recalls Katrin Vaga, thinking back to Estonia’s internet blackout. “Nobody knew what was going on.”
Vaga, a former journalist, was abroad at the time. For weeks, she couldn’t access her online bank account, and major news outlets remained down. Estonians, she says, “were shocked,” and felt adrift in a world that suddenly did not work without the internet. Was it a technical glitch? Or an attack on the Estonian state?
Vaga used to picture war as tanks rolling in, soldiers marching, a world in flames. But she has come to realize that modern warfare starts with sabotage. The battlefield is not only along borders, it runs through fiber-optic cables. The next war is being fought in cyberspace.
Cyberattack defense
Back in 2007, Estonia suffered one of the first major state-backed cyberattacks in history. The country, already proud of its digital transformation, was suddenly paralyzed. Only later did it become clear that Russia had targeted Estonia’s digital infrastructure. Key websites were flooded with requests from countless computers, so-called DDoS attacks, until they buckled under the load and went offline.
After the attack, Estonia could have turned its back on digitalization and gone back to paper. Instead, it did the opposite. Today it is one of the most advanced e-states in the world. Nearly every administrative task can be handled online: renewing passports, applying for housing benefits, filing taxes, getting married, even filing for divorce, all with just a few clicks.
But does that level of digitalization make Estonia especially vulnerable? Could the next cyberwar wipe out the entire system? Estonia decided to take the risk head-on: cyberattacks are now seen as part of the modern arsenal of warfare. What matters is how well you defend against them.
Worst-case scenario
Behind barbed wire and a metal gate, watched by cameras, inside a gray, unremarkable building in the capital Tallinn, people are training for a crisis, the day that enemy cyber warriors launch a full-scale attack on Estonia, Europe, and NATO.
In the lobby of the NATO Cooperative Cyber Defense Centre of Excellence, a tower of blinking lights hums quietly. Green cables run through it like veins. Warning symbols for power grids and nuclear plants glow. The setup simulates cyberattacks on critical infrastructure such as Estonia’s power grid.
This war is not fought with tanks and guns, but with lines of code.
“We have been at war for a long time,” says Christoph Kühn, Chief of Staff at the NATO Center. “This war is not fought with tanks and guns, but with lines of code.” These digital attacks are meant to test NATO’s defenses, to see how the alliance reacts and whether it is willing to strike back.
Decision makers from across Europe visit to understand how digital defense works, to see how the lessons learned from the 2007 attack are put into daily practice.
When asked about the worst-case scenario, Kühn refers to Marc Elsberg’s novel Blackout. In it, a cyberattack on Europe’s power grid sends life into chaos: power plants shut down, trains stop, elevators trap people, supermarkets close, supplies dwindle, hospitals near collapse, and eventually radios fall silent. People wander the streets cut off from the world.
“That is the worst-case scenario,” Kühn says. “A cyberattack that brings an entire nation to its knees.”
Locked shields, crossed swords
To make sure that never happens, the center runs massive training exercises with names like “Locked Shields” and “Crossed Swords.” Hundreds of IT experts from more than 40 nations defend simulated power grids, banks, and media outlets against tens of thousands of coordinated attacks. The aggressors unleash every trick in the book: malware, disinformation, attacks on control systems. The defenders have to hold the line and decide when and how to hit back. Industrial partners such as Siemens also use these simulations to expose vulnerabilities in their systems.
“We are not just training computer nerds to build firewalls,” Kühn says. Once the cyber specialists trace the origin of an attack, military leaders, lawyers, and politicians step in to practice decision-making in crisis mode. International law is evolving, but it still offers no universally accepted rules for cyberwarfare.
Traditional law deals with visible threats, physical violence, borders, and civilian protection. Cyberattacks, on the other hand, are invisible and hard to trace. It is often unclear who is behind them: a state, a criminal network, or individuals. The consequences are just as murky. When is an attack serious enough to count as “armed” and justify self-defense? Trainers must grapple with all these uncertainties.
Because so much remains undefined in cyberspace, modern defense relies on deterrence. “In the nuclear world, it worked for decades,” Kühn says. “Anyone who pushes the red button knows we are ready to respond immediately.”
How does that translate to cyberspace? “Deterrence means stopping the enemy because they do not know how we will react,” Kühn explains. You must be ready for anything: summon the ambassador of the attacking state, make the incident public, or launch a counterattack. “If necessary,” Kühn adds, “special forces shut down the server where the attack originates.” But how do they do that?
AI changes the game
Colonel René Innos fights every day, around the clock, to defend Estonia’s cyberspace. Over the phone, his tone is steady and serious. Innos leads the Cyber Command of the Estonian Defense Forces, established in 2018 and staffed by around 200 soldiers. His job is not to be the best hacker, he says. “I do not have to write every line of code myself. My task is to see the bigger picture of cyberwarfare.”
Estonia, he explains, has faced every kind of attack imaginable. Criminal hackers steal data and drain accounts, while state actors move more carefully. Russia, China, North Korea, and Iran are especially active, breaking into systems, gathering information, probing for weaknesses.
The war in Ukraine showed how devastating this can be. At the start of Russia’s 2022 invasion, hackers took down the KA-SAT satellite internet with a single strike. Within hours, communication networks in Ukraine and parts of Europe were crippled. The attackers had slipped in unnoticed long before.
Humans will just be watching.
In cyberspace, you rarely know where your enemy is, says Innos. “Attackers hardly ever operate from government buildings.” The server might be in a French hospital. Because the culprits are often untraceable, physical counterstrikes are difficult, sometimes impossible.
The pace of digital warfare is already beyond human control. “In the coming years, AI systems will be fighting each other online,” Innos predicts. “Humans will just be watching.” Attackers can now send personalized phishing emails in bulk, steal identities more easily, and fake voices and faces with alarming precision.
Yet the weakest link in any system remains human. That is why Estonia invests heavily in cybersecurity training for citizens, officials, and soldiers. “Everyone has to be ready for threats in cyberspace,” says Innos. “Otherwise even the best technology is useless.” But what if the real threat does not come from outside?
Reach of autocrats
In Estonia, memories of Soviet oppression still run deep. People were taken away at night by secret police, phones were tapped, and neighbors became informants. Those who saw how information could be used against citizens have learned to stay alert, even in the digital age. Today, countries like China use technology for surveillance. So does Estonia risk the same fate?
“What matters is not the technology itself, but who controls it,” says Luukas Kristjan Ilves, Estonia’s head of digitalization until 2024. “Abandoning modern technology does not protect you from autocrats.” Even in a paper-based bureaucracy, an illiberal regime could build a digital surveillance state, often faster and with fewer checks. “The best protection against abuse,” Ilves says, “is a vigilant civil society and democratic oversight, not the absence of technology.”
The 2007 cyberattacks did not cause lasting damage, but they served as a wake-up call. Estonia was the first country in the world to create a national cybersecurity strategy. Its openness has built citizens’ trust, Ilves explains. “The Estonian government has always been transparent about vulnerabilities in the digital sphere.” When a security flaw was found in 2017 in nearly 750,000 electronic ID cards, the prime minister went public immediately and had the cards replaced.
That openness is built into daily digital life. Every citizen can see what happens to their data. X-Road, the backbone of Estonia’s digital state, runs on blockchain technology. It links databases and strictly controls who can access which data. Every document and every record is traceable, and every access, authorized or not, is logged.
Still, even the most sophisticated digital system is not invincible. Estonia has been occupied before, and many citizens fear Russia could strike again. “Our history shows how easily our statehood has been erased,” Ilves says. “That must never happen again.”
To prepare for the worst, Estonia keeps copies of all critical data in “data embassies” abroad, including one in Luxembourg. Even if Russian troops were to invade again, Estonia’s government would continue to function. In the cloud.
