Cyber security architecture in Estonia: Drawing lessons for India
Estonia lies in north-eastern Europe, bordering Russia on the east, Latvia to the south, to its west lies the Baltic Sea. The nation with a population of just about 1.3 million first experienced cyber war in 2007. The cybersecurity crisis began in April 2007 lasting about two weeks which pushed the country to not only learn from the incident but also enabled it to become one of flagship states when it comes to cybersecurity matters. Here the rise of Estonia will be investigated to get the hang of how the small nation became a leader when it comes to cybersecurity issues. Furthermore, lessons for New Delhi will be produced from the experience in Tallinn.
Cyberwar of 2007:
The cyberattack did not take place in isolation and was part of wider tensions with Russia as the Estonian government in April 2007 decided to relocate a monument of bronze soldier from the capital Tallinn to a nearby military cemetery. The monument represented Red Army’s victory over Nazism for the Russians, but for the Estonians, the Red Army were not liberators but occupiers. When the government removed the statue there were riots and looting for two nights leading to the death of a person, 156 people were left injured and about 1000 were detained.
On 27th April 2007, Estonia faced the first major cyberattack which meant that citizens could not use cash machines and online banking services could not be accessed. Government employees were not able to communicate through emails, newspapers and broadcasters could not deliver the news. ‘The cyberattacks allegedly were organized by Kremlin with malicious gangs seizing the opportunity to attack the country’ according to an anonymous government official. The disruption in the digital sphere represented a threat to Estonia’s national security and was enough for the government to take the threat seriously and to make strides to protect itself in the cyber realm.
Cybersecurity architecture:
In 2008, NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) was established in the Estonian capital of Tallinn. ‘The international military organisation specifically focuses on research, development, training and education in both technical and non-technical aspects of cyber defence’.
In the same year, Estonia came up with its first national cyber security strategy to bolster defences in the cyber domain. The national cyber security strategy would run from 2008 till 2013. Key policies of the national cybersecurity strategy were:
· The development and large-scale implementation of a system of security measures
· Enhancing competence in cyber security
· Improvement of the legal framework for supporting cyber security
· Bolstering international co-operation
· Raising awareness on cyber security
The following year, in 2009, a joint master’s curriculum was started at the Tallinn university of Technology and the University of Tartu with the principal aim of educating citizens to better protect themselves in the cyber domain. The government is pushing for awareness among the citizens not only through curriculum at the university level, but it has also conducted awareness programs and workshops ranging from elderly citizens who find it difficult to adapt to new technologies to kindergartners who will be the leader tomorrow.
According to Sotiris Tzifas, the chief executive of VIP Cyber Intelligence, the level of security in the system depends on the users, and that is why the government organised various programs to educate the people about cybersecurity and enable them to adapt to the new technology.
In 2009, Cyber Security Council was added to the Security Committee of the government whose task was to foster inter-agency co-operation and implementation of strategic objectives. The CCDCOE began Locked shields in 2010, a scenario-based exercise designed for cybersecurity experts to test skills in defence of national IT systems and critical infrastructure. It has been held annually ever since and this year On April 9 a new format was introduced. The aim was to stress on the need to have cyber defenders and strategic decision-makers to understand the inter-dependencies between the IT systems of various countries.
In 2010 Estonian Cyber Defence League was formed, it is a voluntary organisation made up of IT experts and young people who are trained by the defence ministry and could be utilized in case of a nationwide cyberattack.
In 2011 Critical Information Infrastructure Protection commission was formed specially to bring together cyber security and IT managers in the bid to improve cybersecurity of critical infrastructure. Next year, Police and Border Guard Board’s investigative capabilities were enhanced, and it also had a web-constable whose task was to create awareness about the internet and help people protect themselves.
In September 2014, the government introduced the second cyber security strategy for 2014-2017 with the objective of enhancing state capacity and raising awareness about cyber risks. The strategy had five subgoals and they were:
· Ensuring the protection of information systems underlying important services
· Enhancing of the fight against cybercrime
· Development of national cyber defence capabilities
· Estonia manages evolving cyber security threats
· Estonia develops cross-sectoral activities
In June 2017, Estonia announced that it will set up the first ever data embassy which will be in a high-security data centre in Betzdorf, a commune in eastern Luxembourg. The chief information officer of Estonia, Siim Sikkut explained that the site would store copies of the most critical and confidential data.
In October 2018, Estonia declared its third national cybersecurity strategy for 2019-2022 period. The four objectives intended to achieve are:
· Build a sustainable digital society thanks to strong technological resilience and emergency preparedness
· Support and promote research and development in cybersecurity to foster a globally competitive industry
· Remain a leading international contributor to cyber issues with a reputation as a credible and capable partner
· Foster a cyber-literate society with high public awareness and a sufficient supply of talent
As the UN Security Council President last year, Estonia raised the issue of cybersecurity on 5th March 2020 and brought attention to cyberattacks and cybercrime which have increased during the pandemic.
Lessons for New Delhi:
Need for Open Access: Open access to the internet through free Wi-Fi is essential for a society to fully utilize digitalisation of public services. Cities with free Wi-Fi tend to be limited in India. Areas with Wi-Fi tend to be password protected in places such as restaurants as the municipal council requires password protection to prevent use by terrorists. The main issue with having password protected Wi-Fi is that the level of security is not high, which only leads to inconvenience for the average consumer.
Utilizing ADHAR Card: India has a wonderful opportunity to build ADHAR card as a single multipurpose ID card by learning from Estonia’s experience. Estonians use a single identity card to not only for availing services such as banking, taxation, health, transportation, and parking but also for voting. In November 2019, during Vice President M Venkaiah Naidu’s visit, a memorandum of understanding was signed on cybersecurity and e-governance. Through Tallinn’s assistance New Delhi can surely push for digitalisation in the Indian economy.
Empowering citizens: Dealing with cybersecurity not only means having a cyber cell but empowering citizens is also important as users can make mistakes like clicking on a virus infested link leading to compromised security. During the pandemic cybercrime has increased in the country for example a report by Norton Lifelock, a cybersecurity software company says that over 59 percent of Indians became victim of cybercrime in the past year. This makes learning about securing oneself in cyber domain even more essential. New Delhi can learn from Tallinn’s cyber defence league’s experience.
Transparency: Transparency should be a two-way system which implies that not only can the government access your records only with your permission, but you can check who has accessed your record. So, if someone you do not know has accessed your records, you can check it and have them sacked. Estonia uses blockchain technology to safeguard user data. With digitalisation set to increase in India and around the world, it is important to ensure a two-way transparent system.
Utilising a crisis: Estonia faced a huge crisis in 2007 when majority of the things connected to the services such as banking, emails were compromised due to a cyberattack. The calamity helped the nation beef up its security and become a leader in cybersecurity. Similarly, India too has an opportunity to utilize the pandemic by educating citizens about security in the cyberspace, creating laws to safeguard data. Last but not the least, build a more connected digitalised society with adequate security measures in place.
Final Standpoint:
Estonia’s inroads into cybersecurity are a magnificent example of how a small nation can punch above its weight in the international arena. Tallinn was able to fully utilize the crisis of 2007 not only to bolster its defences in the cyber domain but to be a leader in the sector. Although New Delhi is vastly different in terms of territory, population but India can learn from Estonia in matters of cybersecurity.
In the last decade and a half, Estonia not only formulated policies at the governmental level but it also empowered its citizens to fully grasp the domain and enabled them to ensure security through workshops, training programs, university programs. There are key lessons to be learned for New Delhi in the cyber domain as ensuring protection of citizens would become a part of national interests in the future.
End Notes
1) https://investinestonia.com/estonia-the-rise-of-a-cybersecurity-giant/
2) https://www.bbc.com/news/39655415
3) https://www.forbes.com/sites/francistapon/2018/07/07/the-bronze-soldier-statue-in-tallinn-estonia-give-baltic-headaches/?sh=549ff9fe98c7
4) https://news.err.ee/592070/monument-of-contention-how-the-bronze-soldier-was-removed
5) https://e-estonia.com/how-estonia-became-a-global-heavyweight-in-cyber-security/
6) https://www.circleid.com/posts/estonian_cyber_security_strategy/
7) https://edition.cnn.com/2021/06/18/tech/estonia-cyber-security-lessons-intl-cmd/index.html
8) https://ccdcoe.org/exercises/locked-shields/
9) https://bnn-news.com/estonias-cyber-defence-centre-holds-largest-nato-exercise-this-far-223825#:~:text=The%20exercise%20Locked%20Shields%20will,IT%20systems%20of%20various%20countries.
10) https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/Estonia_Cyber_security_Strategy.pdf
11) https://www.enisa.europa.eu/about-enisa/structure-organization/national-liaison-office/news-from-the-member-states/estonia-cyber-security-strategy-2014-2017-now-available
12) https://e-estonia.com/estonia-to-open-the-worlds-first-data-embassy-in-luxembourg/
13)https://www.researchgate.net/publication/344351180_Estonia's_National_Cybersecurity_and_Cyberdefense_Posture
14) https://emerging-europe.com/news/start-ups-invited-to-beef-up-estonian-cyber-security/
15) https://vm.ee/en/estonias-presidency-un-security-council
16) https://medium.com/@rodrigodavies/what-india-and-the-uk-can-learn-from-estonia-2-0-9376034ce039
17) https://www.statista.com/statistics/792074/india-internet-penetration-rate/
18) https://www.newindianexpress.com/nation/2019/sep/27/india-can-benefit-from-estonias-expertise-on-single-id-envoy-2039729.html
19) https://qz.com/1052269/every-country-should-have-a-cyber-war-what-estonia-learned-from-russian-hacking/
20) https://www.livemint.com/technology/tech-news/over-59-of-indian-adults-fell-victim-to-cyber-crime-over-past-12-months-report-11618827697551.html
Pic Courtesy-Gleb Makarov at unsplash.com
(The views expressed are those of the author and do not represent views of CESCUBE.)