Liz Stokes

You're listening to the cyberwire network.

Maria Vermasis

Powered by n2k.

Commercial Narrator

Cyber threats strike in minutes. Your analysis can't take weeks. That's where Velox Reverser from Booz Allen comes in. It's an autonomous malware reverse engineering and threat intelligence product that turns weeks of painstaking manual analysis into minutes of AI powered insight sites. With Velox Reverser security teams can perform deep analysis to learn how malware works and how to stop it. It's an advanced product that works at machine speed if you need to outpace evolving adversaries and strengthen your defense at scale. Request a demo or start your 30 day free trial of Velux Reverser today at Booz Allen.com Reverser.

Liz Stokes

Hi everyone, I'm Liz Stokes and I'm thrilled to welcome you to our special three part series. I, alongside my fabulous colleague Maria Vermasis, had the amazing opportunity to travel to Tallinn, estonia for the 2025 cyber coalition exercise at NATO's cyber range. And over the next few episodes, we're taking you behind the scenes of one of the most consequential stories in modern cybersecurity. Maria will be leading the story, sharing her incredible insights as we explore why Estonia has become a cyber powerhouse, what makes NATO's cyber operations here so critical, and what it's like to witness these exercises up close.

Maria Vermasis

And Liz will be helping us better understand some of the key concepts that we discuss in this story. Deciphering legalese and untangling acronyms. So we're all on the same page.

Liz Stokes

Thank you, Maria. So come along with us. Join the ride as we meet the people, see the strategy in action, and uncover the cutting edge work that's shaping the future of cyber defense.

Maria Vermasis

We should be there right on time. It's late in the afternoon. It's cold and damp, just barely above freezing temperatures. I can barely feel my fingers. And there's that kind of December wind that just cuts right through all of your winter layers and makes your face hurt. Liz and I could be and frankly, we probably should be inside somewhere warm right now. But we're on a rare assignment quite far from our normal haunts. It is December 2, 2025, and we are in Tallinn, Estonia, where the sun just set at 3:26pm and we are here at the exclusive invitation of NATO to understand what we saw in this international hub of all things Cybersecurity in 2025, why NATO invited us here. Specifically, we're going to first rewind to a very specific place in this city and learn the history of the spark in Estonia that ignited modern global cyber defense. Now, the city of Tallinn may be familiar to some of you, depending on how keyed in you are to infosec lore. You may know of the Tallinn Manual and your friendly neighborhood cybersecurity legal team definitely knows what it is. So Liz, for those that aren't familiar with it, in a nutshell, what is the Talon Manual?

Liz Stokes

Yeah, so the Talon Manual is a research project and foundational study on international cybersecurity policies and laws, specifically which ones are or aren't applicable during cyber conflict and warfare. It was first published in 2013 and is an initiative led by the NATO Cooperative Cyber Defense center of Excellence, which, yeah, you guessed it, happens to be headquartered in Tallinn.

Maria Vermasis

Outside of cyber security, Tallinn is known for its fantastically preserved medieval old town postcard picturesque in the winter during its Christmas market and being here in December, we were looking forward to all the gloogie and holiday cheer. But no, before we could get to any of that, I dragged poor Liz to a pretty forlorn city park just outside of central Tallinn. It's a small little city park. It's got lots of trees right now because it is early December. There are some raked leaves and neat little piles, some crows. Not many people here. To understand why the Tallinn Manual is named after the city and why NATO's cyber range is also here, we wandered around this empty park, just us and the crows. There is really nothing there anymore. And that is the point. Let's go back in time. It's April 2007. Social media, where it even exists, is in its infancy. This niche video first website called YouTube. Yeah, it's only two years old and the very first iPhone hasn't even been announced to the public yet and it won't be until later this year. Still, the Internet's been around long enough now and has matured enough that essential services are increasingly Internet first now, like banking, bureaucracy, shopping and checking the news. This is especially true in Estonia, which declared back in the 1990s that it was going to become the most digitally advanced country in the world, moving its entire government online with Internet access for all of its citizens codified in its legislation as a human right. So now still in April 2007, imagine that you are an ordinary Estonian waking up to find all of those essential services in your very Internet savvy country grinding to a halt. Websites are down, banks are unreachable, government portals totally frozen. You can't withdraw money, you can't talk to government services, you can't even check the Local news to find out what the heck is going on. Mass confusion.

Commercial Narrator

The most violent rioting Estonia has seen since breaking away from the Soviet Union continues into a second night. Gangs shouting Pro Russia and Pro Estonia slogans shadow each other. All the while, Estonian police fight to reclaim the streets of Tallinn.

Maria Vermasis

In 2007. Standing in the forlorn park we were just in, just outside the heart of Tallinn, it all would have felt very different. From 1947 through to 2007, that park held the Bronze Soldier, which is a Soviet era statue made in tribute to the Red Army. To many Estonians, that bronze statue represented oppression under the USSR, from which Estonia declared its independence in 1991. But for Estonia's Russian speaking minority, this statue is a tribute to fallen heroes who who fought against the Nazis. So when the Estonian government decided to relocate the statue from this park, the emotional fault line in Estonian society cracked wide open. Riots erupted, streets filled, rocks were thrown, stores were looted. The physical conflict was intense.

Commercial Narrator

Rioters smashed bus stops, shop windows and throw missiles at the police.

Maria Vermasis

But the digital one, unprecedented. This is the place where in theory, it all started. The people, the Russian speaking Estonians, were really mad about that statue being moved. And there was a lot of civil unrest. No sign of it anymore. In response to the bronze soldier statue being moved, Estonia became ground zero for a barrage of crippling systemic cyber attacks. The wave of cyber attacks were levied against all aspects of Estonian infrastructure and daily life, and it lasted for three weeks. Banks, media outlets, government services, everything that makes the modern world, all brought to a complete stop by massive DDoS attacks. Estonia, this famously digital society, was brought to its knees. And those crippling cyber attacks, they were such a huge catalyst for change in Estonia that they have become simply shorthanded to the 2007 cyber attacks. And everyone here knows what you mean when you say it. In fact, you can hear it from this conversation that Liz had about non NATO space cybersecurity with Christina Omri, who is the director of special programs for cybersecurity firm Cybexer Technologies in Tallinn.

Liz Stokes

Tallinn has a bit of history with Cyber from the 2007, the cyber attacks against Estonia, so against the governmental institutions, but not only also commercials.

Maria Vermasis

In the Aftermath of the 2007 cyber attacks, Estonia, which was still a relatively new NATO member, having just joined in 2004, wanted to invoke Article 5 of the NATO Washington Treaty, which is the alliance's mutual self defense clause. It was a bold thought for a moment, when the world was still trying to understand what a Cyber attack even meant on the global stage. And you might be wondering right now, has Article 5 ever actually been successfully invoked in a cyber context or any context at all? Liz, what is the history there?

Liz Stokes

Yeah, Maria, So Only once in NATO's history, since 1949, has an Article 5 contingency ever been declared, and that was back in 2001 in response to the 911 attacks against the United States.

Maria Vermasis

Okay, so let's fast forward six years from that and go back to Estonia in 2007. And as Estonia urged NATO allies to consider Article 5, the core problem was the attribution of those cyber attacks. No one could say for certain whether the attacks were coordinated by the Russian state, or if they were false flags, or if they were simply a swarm of opportunistic bad actors exploiting all the chaos. And then that opened up an even deeper debate. Are nations directly responsible for cybercriminals operating within their borders? Because if a country creates conditions that all but openly encourages cyber mischief, how responsible are they for what inevitably happens? And then what kind of response is justified? No easy answers there. But one thing became crystal clear for Estonia after 2007. Cyber defense wasn't optional. It was essential. The attacks forced the country to confront one of the biggest unanswered questions in modern security. What exactly counts as a red line in cyberspace? What level of digital aggression is serious enough to trigger NATO's Article 5? To dig into that idea, we spoke with Commander Brian Kaplan, a US Navy cyber operations expert and one of the key military voices helping NATO think through the future of digital conflict. And he put it bluntly.

Commander Brian Kaplan

So I'm. Every situation is different, and I think that's where the hard part is to trigger what causes something to be in the article above Article 5. So it's, it's a touchy topic, and I think it's a hard one to find because there's nothing that's black and white. It's really case by case, nation by nation, that this determines what that looks like.

Maria Vermasis

So again, what would it take? An explicit message from the head of a nation saying, hey, we're going to use our military cyber capabilities against you now to cause large scale loss of life? Well, even then, maybe not. As the NATO secretary general in 2014 said, the criteria for what kind of cyber attack would actually trigger Article 5 has to remain, and I quote, purposefully vague. Short of that red line, whatever it is, nations need to be prepared for their own self defense on the cyber realm. And boy, did Estonia hear that message loud and clear. When being crippled by a 22 day long cyber attack wasn't bad enough to invoke Article 5, but the long term consequences of 2007 actually benefited Estonia a great deal. A great explanation on that comes from Alar Valaouts, the Chief strategy officer at CR14, which is the Estonian facility that hosts the NATO cyber range.

Commander Brian Kaplan

This all starts with Estonia in 2007 when the country was under the attack of cyber. There were after that some really good political decisions where Estonia became the, so to say, top speaker about cyber, and Estonia was also the one asking 5 when the cyber attack happened. So ever, ever since this time we have done some really good decisions and of course, dedication and hard work.

Maria Vermasis

Putting it another way, as a result of the 2007 cyber attacks, this tiny nation of 1.3 million people is not only an IT marvel with blazing fast Internet connectivity and overall technical sophistication that permeates every touchpoint. As an average user, all the IT admins are very jealous right now. IT is now a cybersecurity powerhouse on a global scale and IT also gave the world Skype. Within and beyond estonia's borders. After 2007, NATO allies and partners recognized that they also needed to shore up their cyber defensive capabilities. After all, crippling attacks like what Estonia experienced could happen to any nation. Remember the NATO Cooperative Cyber Defense center of Excellence that Liz mentioned at the top of the show?

Liz Stokes

Well, so most people just call it the CCDCOE. And it was founded in 2008 in Tallinn at Estonia's urging following the 2007 cyber attacks. The CCDCOE's official mission is to support member nations and NATO with unique interdisciplinary expertise in the field of cyber defense research, training and exercises covering the focus areas of technology, strategy, operations and law. And IT officially supports many exercises at the NATO cyber Range throughout the year, including the one we were invited to see.

Maria Vermasis

To use the terrible corporate cliche of a rising tide lifts all boats. Sorry. With the support of the CCD CoE, NATO puts together several yearly cybersecurity exercises for its allies and partners at its Tallinn based cyber range. The one we were invited to see at NATO's invitation as the only US based podcast, by the way, is called Cyber Coalition. This exercise is pure blue team defense. The most important because it keeps the lights on. Quite literally, but arguably it's the hardest to understand and demonstrate to the world because you are proving a negative. It's the cyber defender's perennial dilemma that if you're doing everything right, the average person will never notice. Speaking of never noticing Remember that empty park at the beginning of this episode? While we were walking around there, it struck me that you would never know that this was the site of so much pain for Estonia and the start of a chaotic three weeks and the impetus for Estonia's world leading cybersecurity posture. People want to move on with things and get on with life. I get that. And I imagine a lot of people don't want to be reminded of that painful past. But yeah, this nondescript park is, in theory where it all began. And this park is the site that is the reason why Estonia became the cyber powerhouse that it is today. And the bronze soldier statue, it still exists, of course, it was moved to a military cemetery further out from central Tallinn. So in a very, very roundabout way, I suppose you could say that the history around the bronze soldier is what brought us all to Estonia. But really what specifically brought us to Tallinn in December 2025 was the NATO Cyber Coalition exercise. It is a yearly two week cyber defensive exercise, one of the largest in the world. And during this exercise, around 1,300 NATO cyber defenders kick the tires on their TTPS, try out some new tools and use the experience to refine coordinated defense as well as defenses back home. And that's why we found ourselves in a briefing room at Estonia's Ministry of Defense, where Commander Kaplan summed up exactly why NATO's cyber coalition matters.

Commander Brian Kaplan

Just really, the key takeaway is about this exercise that differs than other cyber exercises is just the real importance of making sure the collaboration, cooperation and coordination is, is really what drives this exercise. And it really, the nations do a really good job of testing that, working with each other to really defend against any type of adversary. It's the most important. Hopefully. If you take away anything from my brief, please, those three words are the most important.

Maria Vermasis

Collaboration, cooperation, coordination. Not just for Estonia, not just for NATO, but for every nation trying to defend itself in a world where the line between conflict and chaos is deliberately blurred. After walking through the park where Estonia's modern cyber doctrine was essentially born, sitting in that briefing room made everything click. 2007 forced Estonia to build something resilient, collaborative, forward leaning. And now the rest of the alliance trains here in Tallinn to do the same. But this is just the beginning of this story. Liz and I didn't come to Tallinn just to understand the why. We came to see what these teams are preparing for 2025 and beyond and what threats are shaping the next phase of cooperative cyber defense. In the next episode, we step inside NATO's cyber coalition itself. And take you onto the exercise floor where hundreds of defenders coordinate to test what it really means to keep the lights on. So bundle up, grab some glogi and stay with us. Thank you for listening to this first episode of our three part series. As we wrap up this special edition, we're leaving you with more questions than answers By Design what we saw, heard and experienced during this visit to see NATO Cyber Coalition 2025 is part of a much bigger picture. Stick with us in the next episode as we continue to explore what it all means and why it matters. This episode was written and hosted by me, Maria Varmazes. It was produced by Liz Stokes. Mixing, editing and sound design by Trey Hester. Our Executive producer is Jennifer Ibin with content strategy by Mayan Plout. Peter Kilby is our publisher. Thank you so much for listening. Foreign.

Commercial Narrator

Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and vpn, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo@meter.com cyberwire that's M E T E R.com cyberwire.