Estonia is widely recognized as a pioneer in military cyber defence. Could you briefly introduce the Cyber Command – its creation, evolution, and current role within the Estonian Defence Forces?

The Cyber Command was established in 2018 to address very pragmatic issues. First, cyber has been growing in importance within the military sphere for about a decade. Yet it wasn’t handled in a mature way, it was developing without real leadership or framework. The decision was made to unite all cyber-related activities under a single structure. Second, all branches of the military were competing for the same talent pool. Consolidating everything into one command would help avoid internal competition and enable more efficient use of personnel.

All countries define “cyber command” very differently. In Estonia, we include ICT provision of the forces, all communication and information systems provision, defensive and offensive cyber operations, information operations, electronic warfare, and headquarters support for higher-level HQs during peacetime and wartime. Our Cyber Command is therefore broader than just defensive or offensive operations. We believe this integrated model works because cyber is everywhere, there’s no point in dividing it.

Estonia faces a particularly acute cyber threat environment given its proximity to Russia. How would you characterize the current threat landscape, and how have threats evolved since the 2007 attacks?

Today, we experience daily attacks at similar and higher levels to 2007, but the attack surface has definitely expanded. From 2007 until the occupation of Crimea [2014], we faced mainly service disruption and DDoS attacks. Until 2020, the military was a popular target. In our understanding, we served as a training base. Nasty attacks were tried on us first, then deployed against other European countries. 

Since the war in Ukraine began, the focus has shifted away from military targets. The logic is straightforward: our adversary trained us well, so easier targets now exist. I’m not saying that we are resting, but that we see more attacks towards softer targets: governmental institutions, local government, banking, critical infrastructure providers, e-markets, etc. When we do face attacks now, they tend to be new or previously unseen techniques; we’re still used as a trial base in that sense. But attacks against us specifically have become rarer.

At the same time, on the civilian side, there has been a significant rise in fraud, ransomware, and DDoS. Most governmental institutions now have good DDoS protection, so pressure has shifted to the private sector. We remain constantly targeted, but let’s say our adversaries appear occupied with Ukraine.

The conflict in Ukraine has demonstrated the integration of cyber operations within hybrid warfare. What lessons has Estonia drawn from observing Russian cyber operations in Ukraine?

Observing Russia’s effectiveness in information operations is precisely why we integrated this domain into the Cyber Command. Russia excels at hybrid warfare, and more precisely at manipulating populations through social media and digital platforms – a capability inseparable from cyber.

In Ukraine, it is difficult to pinpoint where cyber was directly involved in an operation. Those linkages are hard to establish now but we’ll probably draw them out after the war when we can analyze the information behind attacks. But we can clearly see that cyber and CIS operations are directly linked to war fighting today, especially through social media for conveying fear or conducting misinformation campaigns.

The impact of cyberattacks depends heavily on societal digital dependency. Just before the war, Russia successfully brought down Ukrainian power stations through cyber means. But Ukrainians were not so dependent on IT, they still had manual approaches. The attack succeeded, systems went down, but were restored manually. The effect was short-lived.

In Estonia, we’re very dependent on IT; few people carry cash, shopping systems are highly centralized… If adversaries could compromise the Estonian banking system, it would create confusion for at least a week. We witnessed this spillover when Ukraine was attacked and Maersk got hit, and an Estonian grocery chain was also affected – all their stores went down for four days because the central system was compromised. If an adversary runs down all central shopping systems, they create a week of confusion. It depends on IT dependency, and in some sectors, Estonia is very dependent. We understand this and try to protect those systems.

Estonia’s e-governance model relies heavily on digital infrastructure and cloud services. How do you balance digital transformation benefits against technological dependencies?

We understand we’ll always be dependent due to our size. Building cloud infrastructure comparable to Amazon is impossible for us. Redundancy and risk management have been on our agenda since the Ukrainian war started. Before 2022, we viewed risks as system malfunctions to compensate for. Now, we’ve shifted towards accepting that something can be destroyed completely. The understanding of risk has fundamentally changed.

Actions towards redundancy – surviving even when something is destroyed – are now priorities. For example, rather than one huge data centre, it may be wiser to build ten small ones distributed across the country, reducing target concentration. Following last year’s cable cuts, we’re examining how to maintain communications when cables are severed.

Another point to understand is that risk is no longer confined to IT. Without electricity (if plants or transmission lines fail) ICT infrastructure eventually fails too as it runs out of power. The risk landscape has expanded, and understanding of interdependencies has grown accordingly.

According to your Minister of Defence, Russia is testing limits to see how far it can go before triggering NATO’s Article 5. How does the Cyber Command inform discussions around defining cyber “red lines” and deterrence issues?

First of all, we have to understand that the declaration of Article 5 is a political decision. And the same applies to attribution of cyber attacks – it is always political. Can cyber initiate Article 5? Honestly, I think we’re not there yet. Of course we’ve tested it in NATO exercises: “What should happen in order to provoke Article 5?” But I believe we haven’t reached that point.

One reason is that thresholds haven’t been defined. NATO collectively receives hundreds of thousands of cyber attacks daily with some kind of impact. The volume makes it hard to distinguish when we’ve reached a point where we can’t withstand anymore. It’s easy to talk about Article 5 when rockets fly in: you can trace where they started, where they landed, identify collateral damage and casualties. But even conventional cases aren’t clear-cut: this year, about twenty drones flew into Polish airspace, some possibly armed. They were adversary drones shot down by NATO aircraft. Did it trigger Article 5? No. So red lines aren’t even clear in conventional warfare. They’re less clear in cyber.

What makes cyber particularly difficult is its heavy use for crime. Most of those hundreds of thousands of daily hits across 32 NATO countries appear criminally motivated.

There are academic debates about whether cyber can be part of deterrence. I’m skeptical. Attribution takes at least two to three months minimum. How can that constitute deterrence? If you can’t attribute immediately, it’s pointless. By the time we identify and name the attacker, they’ve achieved their aims and left. Once again, at the end of the day, it’s always a political decision.

A network of military CERTs has been established across Europe. What role does Estonia play, and what are key requirements for effective cross-border incident response?

Those response teams were created years ago. The idea was that cyber is a new domain, and our main challenge is cooperation. It’s not that we don’t know what to do – my Cyber Command knows exactly how to repel or conduct attacks – but when it comes to cooperation with other countries, it creates friction because we all operate differently. The main idea behind cyber response teams is making different countries work together and develop common procedures.

Traditional domains have solved this. Air forces, navies, and land forces have extensive manuals on joint operations. When a French infantry unit arrives in Estonia, we use NATO procedures regardless of national practices. Cyber, being young, hasn’t developed equivalent procedures yet, they’re emerging as the domain matures. Response teams and exercises like Locked Shields accelerate this. There’s now a rule in Locked Shields: you cannot participate alone. You must team with other countries to develop common procedures and standards.

Are rapid reaction teams effective? They serve a real need. Under attack, you’re overwhelmed with data from analysis tools, protection systems, and log information. Regardless of size, you face brain power shortages. Running 24/7 operations to repel evolving attacks requires extra hands. The challenge is using these teams properly. Of course, no country grants foreigners deep network access. But those teams are valuable for specific operations and trust-building.


How does the Cyber Command coordinate with land, air, and naval forces? And with the civilian entities?

Our smallness is an advantage here. The Cyber Command is the single focal point for all cyber matters, no separate cyber for sea, air, or land. From our perspective, having one entity responsible for cyber eliminates coordination problems. We have one cyber for everyone in defence, including the Ministry of Defence. The Cyber Command serves as the cyber hub for the entire MOD area.

In Estonia, responsibilities are clearly divided. The Cyber Command handles MOD cyberspace; the Estonian Information System Authority (EISA) handles civilian critical infrastructure. We have a Cyber Security Act requiring all non-military critical infrastructure providers and governmental institutions to comply. Through it, we enforce European standards like NIS, with mandatory reporting to EISA. Private companies designated as critical infrastructure providers must report and can be required to make changes. Once again, here, our smallness allows us to work in really close cooperation.

Estonia has a strong tech startup ecosystem, including several cybersecurity companies. What forms of public-private partnership have proven most valuable?

We cooperate extensively with the private sector but here, smallness works against us. Some cyber disciplines are too costly to maintain in-house, or require such niche expertise that internal capacity would be pointless. We rely on private partners, primarily Estonian, for example, for product testing. We depend almost entirely on external partners for proof-testing products before they enter military networks.

The Estonian Defence League’s Cyber Unit represents a unique civilian-military cooperation model. How does this volunteer reserve complement your regular forces?

The Estonian Defence Forces model keeps main units in reserve during peacetime. Active duty units prepare reserves – we take in conscripts, train them for eleven months, then they join reserve units. In wartime, my units would be about four times larger than in peacetime. They sit at the intersection of civilian and military spheres. I call them “chameleons” because they adapt their role to the situation.

They’re essential for keeping reserves current. Maintaining reservist skills is critical, and we do this through Defence League Cyber Units, where our reserve structure resides. The Defence League has authority to mobilize personnel more easily than regular Defence Forces.

Our reserve units are organized within the Defence League structure. Although not on active duty, they remain in reserve within Defence League units. When needed, I call them up and they arrive as a unit, primarily for exercises. For two to three years now, my active duty personnel haven’t participated in exercises the way they did six or seven years ago. Instead, I call up reserve units for Locked Shields or Cyber Coalition. 

The Estonian Information System Authority also maintains its reserve within the Defence League Cyber Unit. Their portion is purely civilian, not combatants, but in the same unit. 

The Tallinn Manual remains a key reference for international law in cyberspace. What doctrinal or legal gaps still need to be addressed, notably concerning offensive operations?

Every legal framework requires practical application to reveal gaps, and we haven’t seen sufficient practice yet. The Manual remains largely theoretical regarding how to perform cyber operations. Without having conducted such operations at scale, comparing the Manual’s provisions against reality is difficult. We obviously need rules of engagement in cyber, and those mostly derive from the Tallinn Manual. But identifying specific gaps requires practice.

Of course, we use it as a reference for operations. Understanding collateral damage in cyber contexts is essential, and the Manual embeds democratic values; we try to conduct war fairly. I would say that we haven’t stress-tested the Manual yet. With time, there will be more flesh on the bones.

From an international perspective, we’re increasingly discussing offensive operations openly. I’ve been in cyber for at least ten years. Initially, discussing offensive capabilities was considered inappropriate, even politically unacceptable. Now, we speak about it freely. This reflects how the domain has evolved. The previous purely defensive mindset has given way to recognition that walls, however thick, can always be breached. It’s wise to maintain offensive capabilities and use them in a controlled manner to deter adversaries or halt attacks. I believe the Manual’s third edition will address those offensive operations more openly.
