7.1

Lessons from cyber warfare: strong cryptography is critical

  • Russian special services actively seek access to critical information of their perceived enemies, both classified and unclassified.

  • Protecting electronic information requires the methodical use of robust, independently evaluated cryptographic solutions.

  • Post-quantum cryptography should already be adopted to address emerging threats from quantum computing.

In warfare, critical information has to be delivered to the right place at the right time; only then can one be victorious. No one wants the data they rely on for a strategic advantage to fall into the hands of a competitor or, worse, hostile intelligence services. Protecting such information requires making deliberate choices and accepting that user convenience may sometimes come after security.

Russian special services continuously attempt to penetrate systems containing sensitive information. During Russia’s war against Ukraine, these efforts have also targeted systems used by Ukraine’s Armed Forces, such as the Delta situational awareness platform. Accessible via both smartphones and computers, Delta aggregates battlefield data from sources like air surveillance, satellites, drones and security cameras. If this information were to fall into Russian hands, it would jeopardise Ukrainian soldiers’ lives and their military successes.

Russia has employed various tactics to breach Delta:

  • cyberattacks on smart devices used by Ukrainian soldiers on the front line and physical theft of devices from the battlefield to gain network access;
  • creating fake websites mimicking the platform to trick soldiers into entering their data;
  • attempting to compromise soldiers’ email accounts.

The Delta platform aggregates information on enemy positions from various sources, such as drones, radars and satellites, and displays it on an interactive map with geolocation.

Ukraine has identified these attempts and responded with prompt countermeasures. Significant damage can be avoided by designing sensitive systems intelligently, for example, by using strict segmentation (combining the need-to-know principle with rigid access control lists) and encrypting information using rigorously evaluated cryptographic solutions.

Estonian state institutions and critical service providers are also targets of Russian cyber espionage. The year 2024 was particularly significant, as Estonia publicly attributed a cyberattack to Russia’s military intelligence service, the GRU, which had accessed tens of thousands of unclassified documents marked for “official use only” in 2020. While these documents did not contain state secrets, it would be naïve to assume that GRU analysts could not piece together information from fragments of “official use only” documents to infer information classified as state secrets in Estonia.

WHY DO WE NEED CRYPTOGRAPHY?

One of the most common ways to protect information and ensure its security is through encryption. Cryptography dates back to Ancient Rome, where information deemed critical – because it poses a threat to an individual, their associates or the security of the state – was encrypted to keep it out of enemy hands. Today, cryptography is widely used in ways often invisible to the user – in mobile communications, messaging apps, communication between routers and computers, internet data transfers, and data encryption using ID cards. Cryptography is a technology rooted in mathematics and computer science, designed to keep information confidential and untampered by unauthorised parties. It ensures the secure transfer of data between sender and recipient while mathematically verifying the trustworthiness of both parties. Information security can be undermined by selecting or implementing unsuitable cryptographic solutions (e.g. weak algorithms, insufficient key lengths or lack of quantum resistance) or by neglecting the importance of cryptography in information systems, devices and services.

Beyond the immediate cyberespionage threat posed by hostile intelligence services, advancing quantum technologies present a growing challenge to classical cryptographic algorithms and the information they protect. The cybersecurity community has long warned of the “store now, decrypt later” problem, whereby adversaries could collect large volumes of data today with the intent of decrypting it in the future using quantum computers.

Mosca’s theorem estimates when a transition to quantum-resistant cryptography is necessary. X – the duration for which information must remain secure; Y – the time required to transition to quantum-resistant cryptography; Z – the time until a powerful quantum computer emerges.
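
Mosca's theorem is usually stated as the inequality X + Y > Z: if it holds, information encrypted with classical algorithms is at risk from "store now, decrypt later" collection. The Python sketch below is an added example, not part of the original report; it applies the inequality to a constructed asset inventory under several assumed values of Z and reports how many years of output would be left exposed and how soon migration must finish.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    x: float  # X: years the information must remain secure
    y: float  # Y: years needed to migrate it to quantum-resistant cryptography

def mosca(asset: Asset, z: float) -> dict:
    """Evaluate Mosca's inequality X + Y > Z for one estimate of Z (in years)."""
    slack = z - (asset.x + asset.y)          # negative means X + Y > Z
    # Data encrypted classically t years from now must stay secret until t + X,
    # so it is only safe if t <= Z - X. Anything produced later, before the
    # migration ends at t = Y, can be stored now and decrypted later.
    safe_until = max(0.0, z - asset.x)
    exposed_years = max(0.0, asset.y - safe_until)
    return {
        "at_risk": slack < 0,
        "slack_years": slack,
        "exposed_years": exposed_years,      # years of output left exposed
        "migrate_by": z - asset.x,           # <= 0: deadline already passed
    }

def assess(inventory, z_scenarios):
    """Return {asset name: {Z: result}} for every asset and Z estimate."""
    return {a.name: {z: mosca(a, z) for z in z_scenarios} for a in inventory}

# Constructed sample inventory and Z estimates (assumptions, not from the report).
INVENTORY = [
    Asset("field telemetry", x=1, y=2),
    Asset("official-use-only documents", x=10, y=3),
    Asset("state secrets", x=30, y=5),
]
Z_SCENARIOS = (10, 12, 20)

if __name__ == "__main__":
    for name, by_z in assess(INVENTORY, Z_SCENARIOS).items():
        for z, r in by_z.items():
            verdict = "AT RISK" if r["at_risk"] else "ok"
            print(f"{name:30} Z={z:>2}  {verdict:7} "
                  f"exposed={r['exposed_years']:.0f}y  migrate_by={r['migrate_by']:+.0f}y")
```

A non-positive migrate_by value means that, for that estimate of Z, material already collected by an adversary outlives the protection of its classical encryption regardless of how quickly migration proceeds.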

To mitigate the quantum threat, organisations must adopt post-quantum cryptography – solutions employing algorithms that remain secure even against quantum computers. However, whether using current or quantum-resistant cryptographic solutions, classified systems require methodical, independent evaluations of their security.

Protecting sensitive state information requires systematically standardised evaluation of cryptographic solutions. This involves setting specific requirements for the solutions used in information systems and independently verifying whether these products (cryptographic tools and software) meet those requirements. Evaluations consider the cryptographic algorithms used, the production processes, the internal requirements for handling components, the ultimate beneficiaries of the manufacturers, and the methods of delivery to end users. Trust is not based on a single check but on a recognised, standardised system of product evaluations that accounts for the specific protection needs of critical information, security measures, and their application. Using thoroughly evaluated cryptographic solutions can mitigate both threats from hostile intelligence services and the risks associated with the broader adoption of quantum technologies.

Estonia is neither alone nor isolated in facing these threats; in cyberspace, much like in the physical world, we can also rely on international partnerships, adopt best practices, and engage in trust-building activities, such as establishing criteria and implementing standardised validation or certification processes. Estonia’s security depends on protecting its most sensitive information – a mission supported by advancing education in mathematics and cryptography. This, in turn, opens opportunities for long-term careers, such as at the office of the National Security Authority within the Estonian Foreign Intelligence Service, which is responsible for approving secure state communication solutions. For more information, visit www.valisluureamet.ee/infosec.