In a modern twist on old-fashioned war games, the U.S. military dispatched cyber fighters to Estonia this fall to help the small Baltic nation search out and block potential cyber threats from Russia. The goal was not only to help a NATO partner long targeted by its powerful neighbor but also to gain insight on Russian tactics that could be used against the U.S. and its elections.
The U.S. Cyber Command operation occurred in Estonia from late September to early November, officials from both countries disclosed this week, just as the U.S. was working to safeguard its election systems from foreign interference and to keep coronavirus research from the prying reach of hackers in countries including Russia and China.
Estonian officials say they found nothing malicious during the operation.
The mission, an effort analogous to two nations working jointly in a military operation on land or sea, represents an evolution in cyber tactics by U.S. forces who had long been more accustomed to reacting to threats but are now doing more — including in foreign countries — to glean advance insight into malicious activity and to stop attacks before they reach their targets.
The Defense Department has worked to highlight that more aggressive "hunt forward" strategy in recent years, particularly after Russia interfered through hacking and covert social media campaigns in the run-up to the 2016 presidential election. American officials were on high alert for similar interference in 2020 but described no major problems on Nov. 3.
"When we look at the threats that we face, from Russia or other adversaries, it really is all about the partnerships and our ability to expand really the scope, scale and pace of operations in order to make it more difficult for adversaries to execute operations either in the United States, Estonia or other places," Brig. Gen. William Hartman, commander of the Cyber National Mission Force, said in a conference call with a small group of reporters this week.
Estonia, a former Soviet republic, was in some ways a natural fit for a partnership with Cyber Command because in years past it has been a cyber target of nearby Russia, including crippling attacks on government networks in 2007.
Estonian officials say they have since strengthened their cyber defenses, created a cybersecurity strategy and developed their own cyber command, which like the U.S. version is part of the country's military.
While nothing malicious was found on the networks during the exercise, "what we did learn is how the U.S. conducts these kinds of operations, which is definitely useful for us because there are a lot of kind of capability developments that we are doing right now," said Mihkel Tikk, a deputy commander in Estonia's Cyber Command.
Tikk added: "In some areas, it is wise to learn from others than having to reinvent the wheel."
Hartman declined to discuss specifics of the operation but said the networks in Estonia were "very well defended."
"I don't want anyone to leave here with the impression that Estonian networks were full of adversary activity from a broad range of nation states" because that is not the case, he added.
Gen. Paul Nakasone, the commander of Cyber Command and the director of the National Security Agency, has hinted at a more aggressive, proactive federal government approach to cyber threats.
In an August piece for Foreign Affairs magazine, for instance, Nakasone wrote that U.S cyber fighters have moved away from a "reactive, defensive posture" and are increasingly engaging in combat with foreign adversaries online.
Cyber Command has worked in past years with countries including Montenegro and North Macedonia on similar missions. Estonian officials say they believe the partnership could be a deterrent to countries such as Russia.
"These kinds of operations, I think, they will continue," said Undersecretary of Defense Margus Matt. But, he added, "I don't know how much we will speak of them publicly."
U.S. officials say they think the risks of a proactive approach — a country, for instance, could regard such an operation as a provocation toward a broader international cyber conflict — are outweighed by the benefits.
"We believe that inaction in cyberspace contributes to escalation more than reasonable action in cyberspace," said Thomas Wingfield, deputy assistant secretary of defense for cyber policy.