Estonia's Volunteer Cyber Militia

Interesting -- although short and not very detailed -- article about Estonia's volunteer cyber-defense militia.

Padar's militia of amateur IT workers, economists, lawyers, and other white-hat types are grouped in the city of Tartu, about 65 miles from the Russian border, and in the capital, Tallinn, about twice as far from it. The volunteers, who've inspired a handful of similar operations around the world, are readying themselves to defend against the kind of sustained digital attack that could cause mass service outages at hospitals, banks, and military bases, and with other critical operations, including voting systems. Officially, the team is part of Estonia's 26,000-strong national guard, the Defense League.


Formally established in 2011, Padar's unit mostly runs on about €150,000 ($172,000) in annual state funding, plus salaries for him and four colleagues. (If that sounds paltry, remember that the country's median annual income is about €12,000.) Some volunteers oversee a website that calls out Russian propaganda posing as news directed at Estonians in Estonian, Russian, English, and German. Other members recently conducted forensic analysis on an attack against a military system, while yet others searched for signs of a broader campaign after discovering vulnerabilities in the country's electronic ID cards, which citizens use to check bank and medical records and to vote. (The team says it didn't find anything, and the security flaws were quickly patched.)

Mostly, the volunteers run weekend drills with troops, doctors, customs and tax agents, air traffic controllers, and water and power officials. "Somehow, this model is based on enthusiasm," says Andrus Ansip, who was prime minister during the 2007 attack and now oversees digital affairs for the European Commission. To gauge officials' responses to realistic attacks, the unit might send out emails with sketchy links or drop infected USB sticks to see if someone takes the bait.

EDITED TO ADD (3/11): Here's a brief interview with the current commander -- and one of the founding members of the unit. Here's a longer presentation.

Posted on February 19, 2019 at 6:36 AM • 11 Comments


VinnyGFebruary 19, 2019 8:17 AM

One crucial detail absent from the article is the method used to prevent "moles" from infiltrating the volunteer defense group. Perhaps there is an effective strategy that Estonia does want to reveal for fear of granting an advantage to an adversary, but we should all by now be familiar with the weaknesses of "security by obscurity." Certainly, independent black hats and Putin-affiliated hackers will make efforts to infiltrate, and the latter would likely lay low, learn, and bide their time until some kind of massive surprise offensive is unleashed.

Petre Peter February 19, 2019 8:51 AM

Maybe this is what we need in the US, especially if the volunteers must have some sort of security clearance to deal with potential moles.

Impossibly StupidFebruary 19, 2019 10:11 AM

Sans details, I'm not sure I see the point of this. Low level attacks are happening all the time, and addressing them would go a long way towards stopping bigger, more directed attacks in the future. But if you have people who are still falling for spam and thumb drive attacks, no active "militia" or expert advice is going to do a lick of good.

There really aren't any "Security Lessons for the Rest of Us" here. Nothing about firewalls or networks that are the source of attacks. Nothing about policies that make people unemployable in positions of authority if they don't follow basic security practices. The only takeaway seems to be that they're eager to clean up after a mess, when the smarter approach would be to prevent the mess in the first place.

vass puppFebruary 19, 2019 1:57 PM

Moles could be created out of already lowyal members of militia by applying standard set of MICE tools.Lvoyalty is not static but rather dynamic quality which required loyalty management/monitoring within any security related unit.

bttbFebruary 19, 2019 3:37 PM

OTTOMH: a) Some people, perhaps because 1) of youthful indiscretions or 2) other reasons, may have no interest in security clearances.

b) In countries like the five eyes, BRICS, Israel, Saudi Arabia, smaller countries, etc., who's going to watch the watchers (or allow others to watch the watchers)?

c) In countries like the five eyes, BRICS, Israel, Saudi Arabia, smaller countries, etc., I imagine the spooks, and others, could sometimes use professional input or professionally aquired evidence; or might kill to prevent that.

d) Because of the 1) mole problem, 2) "organizational resistance" to change, perhaps a relatively flat organizational structure may be called for.

In the United States of Amnesia (USA) who might such volunteers report to (perhaps on an ad-hoc basis)? Would they report through secure anonymous channels (to the best of their ability) as leaks to: journalists (msm & non-msm), military organizations, law enforcement organizations, spooks (including TLAs), homeland security, politicians, judges, etc., including president trump? Some of the above? All of the above?

bttbFebruary 19, 2019 4:56 PM


Potential typo

Perhaps "not" works in the following sentence: "Perhaps there is an effective strategy that Estonia does [not] want to reveal for fear of granting an advantage to an adversary, but we should all by now be familiar with the weaknesses of "security by obscurity."

TõnisFebruary 19, 2019 8:18 PM

Interesting. A grass roots style group of enthusiasts who want to help. Yet the NSA with all its resources concerns itself with spying on Americans but can't be bothered to shut down and obliterate cybercriminals who are shaking down hospitals and other critical institutions with ransomware.

JuhaniFebruary 20, 2019 1:52 PM

From what I understand they also learn how to organize and communicate.

Budget 150k, this is a voluntary organization. That 150k is rent etc. Estonian official median salary is in 12k/year range, but foreign companies who expect to hire at 2-3x the median salary have found they could not find anybody qualified to hire. This is not London salary, but even blue-collar builders can take a ferry to Finland and many do. Just look at google streetview on Tallinn cars, in residential areas.

Trust, example H.Simm, head of department of national secrets was a Russian collaborator/spy for 10 years, now in jail for 12y. Trump as a president is under investigation, iirc somebody from his close circle was recently put to jail. Most people are trustworthy and having a very high security clearance reduces risks.

In case of an attack the amount of targets will probably be plentiful, incomprehensible chaos that needs a lot of people working together to get important services up. I doubt anybody would give not employees a full access to eg energy control systems, but they could be given access to a hacked PLC controller. Trust is between individuals.

Maybe the defense league is mostly about building some trust and communication structures between people who know something about it security. Maybe it is already an accomplishment if people trust the head of that league. I do not know.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.