War crimes committed through cyberspace must not escape international justice, says Estonian president

TALLINN, ESTONIA — The International Criminal Court should not allow those who commit war crimes or crimes against humanity in cyberspace to escape international justice, said President of Estonia Alar Karis at a conference on cyber conflict last week.

These attacks must always come at a cost to the attacker — and imposing those costs will require nations to cooperate and collectively blame the perpetrators, said Karis, opening the 15th annual International Conference on Cyber Conflict (CyCon) in Tallinn.

“This is about ensuring justice, but also strengthening deterrence by punishing those who violate the most sacred international laws and norms,” the Estonian president said.

He spoke in the wake of numerous cyber and kinetic attacks targeting civilian infrastructure during the Russian invasion of Ukraine, including dozens of critical cyber incidents targeting the country's energy sector last winter, when the daily mean temperature throughout most of the country is below freezing.

“In Ukraine, as in other armed conflicts, we should not think of cyberattacks during armed conflict as something separate from the rest of the military campaign,” said Karis, who added that the amount of distributed denial-of-service (DDoS) attacks targeting Estonia had increased by 300% in 2022.

Back in 2007, just a few years after joining NATO, Estonia was impacted by a wave of such DDoS attacks when it relocated a Soviet war memorial from the center of the capital Tallinn to a military cemetery a few kilometers away. Officials blamed Russia for the incidents, although NATO did not issue a formal attribution.

The digital attempts to hobble the country were groundbreaking. They showed what a nation could face as a result of cyber hostilities and prompted a major research effort into cyberwarfare at NATO, eventually leading to the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) being founded in Tallinn in 2008.

Last August, Estonia — which had been an independent country before being occupied by the Soviet Union during World War II and has to date provided more military equipment to Ukraine as a proportion of its GDP per capita than any other nation — removed another controversial Soviet-era monument from a city to a military history museum.

“As a result, Estonia was subjected to the largest distributed denial of service attacks in our history,” said Karis. But unlike the groundbreaking disruption caused in 2007, this time “most people in Estonia never even noticed,” said the president, crediting the country’s preparedness.

Estonia's preparedness was also recognized back in March, when its parliamentary elections — which use an internet voting system — were unsuccessfully targeted by hostile actors, as Gert Auväärt, one of the country's leading cybersecurity officials told The Record.

The Estonian president’s call for accountability for international crimes was echoed by Illia Vitiuk, who heads the Security Service of Ukraine's department of cyber and information security, during his keynote in Tallinn.

“There are ten to fifteen serious cyberattacks per day organized or supported by the Russian security services in Ukraine. For us, the cyberwar started in 2014,” he told the audience in Tallinn, making similar points to those raised in his panel discussion at the RSA Conference in San Francisco.

“Russian hackers must pay the price and be brought to justice, just like other criminals,” said Vitiuk, adding that despite sometimes being claimed by hacktivists, the blame for the majority of these attacks lay with professionals within Russia's intelligence services.

“Their goal is to destroy the country and cause suffering among its people,” Vitiuk said, noting that Russia had been unsuccessful in the first of these goals: “Ukraine has debunked the myth of the all-powerful Russian hackers.”