How did Estonia prepare for a secure cyber security architecture?

How did Estonia prepare for a secure cyber security architecture?

Estonia the small Baltic state in Europe and a member of the European Union is leading the way in cyber security. With international cooperation with several states and organizations like NATO, it also organizes an annual cyber security exercise with as many as 900 participants. But how did Estonia achieve that? 

In 2007 Estonia saw a series of cyberattacks on its internet system. The attack targeted websites of Estonian organizations, including the Estonian parliament other government institutions. It was a denial of service type of attack in which the general public’s use of websites is restricted. However, as happens in cyberattacks the reason which prompted the attack or who organised it is not known surely, the doubt goes towards Russia. The protests against the move of a Bronze soldier originally called “Monument to the liberators of Tallinn” is what prompted the attacks. For Russian speaking residents in Estonia, ‘’Monument to the liberators of Tallinn” represents a symbol of USSR victory over the Nazis. However, for ethnic Estonians, the Bronze Soldier is a painful symbol of half a century of Soviet oppression. As protests gained momentum, the anger among the Russian speakers was palpable. On the 26th of April, 2007 Tallinn erupted into two nights of riots and looting. On 27 April, Estonia was hit by a major cyber attack that disrupted major online activities such as banking, government institutions and media. It is said to be one of the biggest cyber attacks in history almost a decade ago which were studied by major countries and prompted administrative reforms.

Waking up to the gravity of the attack Estonian government started working on the Cyber Security Strategy. It envisioned goals and tasks to make Estonia cyber secure. Cut too many years later Estonia is now a leading player in cyber security architecture. The country now hosts Locked Shields, the world’s largest and most advanced cyber defence exercise.

Let us look at how it prepared for the same.

In 2008 it came with its first cyber security strategy. It laid out principels, goals and methodology to improve the nation’s cyber infrastructure. And not just in government structures but on the general public level. It brought out awareness programmes and dedicated machinery to tackle even tiny cyber issues. In the document, the authorities laid down the following objectives.

  • application of a graduated system of security measures in Estonia;
  • development of Estonia’s expertise in and high awareness of information security to the highest standard of excellence;
  • development of an appropriate regulatory and legal framework to support the secure and seamless operability of information systems;
  • promoting international co-operation aimed at strengthening global cyber security.[1]

With these objectives in mind, Estonia started building its cyber security infrastructure. In 2009 only a Cyber Security Council was established to oversee the implementation of the above mentioned strategic objectives. The Estonian Information System Authority is tasked with supervising over the information system. The methodology of Estonia is first general awareness, second developing critical infrastructure, third focusing on high-end research in the area and lastly cooperation with like -minded international players. It also called out for deepening public-private relationships in the matter.

As the whole country was affected by the 2007 cyber attack, the government needed to explain and prepare the general public about cyber attacks. Hence, the government through its agency the Information Technology Foundation for Education offered training to pre-schoolers as well as older children while also involving parents and teachers in the process. [2]  Media Literacy courses were introduced in elementary and middle schools by the Ministry of Education. It ensures that the kids who use internet understand the how digital content is created and how to use it safely. The course is designed as such that it does not involve any political content but with the help of videos, animation and images kids understand the important lessons. Also, a state-private partnership project to raise the skills and security awareness of smart devices users, developers and vendors was launched in 2013. A Master’s degree in Cyber Security was also launched in cooperation with Tallinn University of Technology in 2009. In addition to that Estonian Cybercrime centre of excellence was also established.

Another way that Estonia strengthened its awareness programme was through the Police and Border Guard Board, a web constable is appointed who is tasked with raising people’s awareness about the security of the Internet and protecting children and young people online.

The country also paid special attention to its Estonian Defence League’s Cyber Unit, which was a collaboration between public, private and third sector. It ensures that through a coordinated exercise, testing of solutions, training, etc of Estonian state agencies and companies the security of these systems be kept in check. It is ensured with the help of volunteers.

Hence awareness of the population is the main task to accomplish, it ensures that the people are aware of the dangers and hence it becomes easier for the authorities to develop the process of change. It also ensures responsibility at the level of an individual.

Estonia has become an example for other NATO countries for its cyber security architecture. It has increased its role in international cooperation for building cyber security, through awareness, exercises, research and development. It also sets an example of how public, private and third sectors should come together in ensuring the safety of all the parties involved. The country has created intrusion detection and protection systems, practised cooperation with both public and private institutions, significantly contributed to the awareness of users, and is participating in intensive international cooperation.[3]

In 2008 a Tallinn based NATO cooperative Cyber Defence Centre of Excellence (CCD COE) – an operationally independent international military organisation, set up in 2008 and funded as well as directed by voluntarily participating states focuses on research, development, training and education in both the technical and non-technical aspects of cyber defence.[4] It also publishes a Tallinn Manual and organises an annual conference and exercises such as Locked Shield that significantly help in the growth of cyber capabilities of all NATO countries.

Estonia a small state of about 1.3 million has become a powerful example of man and technology cooperation providing accessible and secure governance. A cyber attack in 2007 that led to this development for a small country bordering Russia which has been infamous for cyber warfare, has become a region for development and research. Estonia has accused Russia of waging information warfare against it which was evident in the 2016 presidential election where, similar to the US, Facebook and other social media sites were utilised for spreading misinformation.

Conclusion

Estonia has established that educating the population, a partnership among the different agencies of the state and cooperation in the international sphere is now necessary for a secure cyber future of a nation. From small steps like introducing digital literacy courses in the school curriculum to organising a massive cyber-security exercise, Estonia is the state of the future. Estonia was already a digital society but cyber security was taken lightly. The massive attack of 2007 came as a blessing in disguise which pushed the state authorities to take extensive measures in making Estonia a digital society in real terms by also making it resilient to threats. Now the state in comparison to other NATO countries is in a more secure position against the largest national security threat in the region which is Russia.


Notes

[1]  Government of Estonia (2008), “Estonia Cybersecurity Strategy ”, Ministry of Defense, Tallinn. URL: file:///C:/Users/dell/AppData/Local/Temp/EE_NCSS_2008_en-1.pdf

[2] Government of Estonia (2014), “Estonia Cybersecurity Strategy (2014-2017)”, Ministry of Economic Affairs and Communication. URL:file:///C:/Users/dell/AppData/Local/Temp/EE_NCSS_2008_en.pdf

[3] E-Estonia, “How Estonia became a global heavyweight in cyber security”, 14 June 2017, URL:https://e-estonia.com/how-estonia-became-a-global-heavyweight-in-cyber-security/

[4] E-Estonia, “How Estonia became a global heavyweight in cyber security”, 14 June 2017, URL:https://e-estonia.com/how-estonia-became-a-global-heavyweight-in-cyber-security/

 

Pic Courtsey-Shahadat Rahman at unsplash.com

(The views expressed are those of the author and do not represent views of CESCUBE.)