In 2007 Estonia became the first country to experience a large scale campaign of state-sponsored online attacks from Russia. Now, several years later, the country is the leading promoter of various cyber security initiatives at home and abroad.
The cyber-attack on Estonia was more disruptive than harmful since the series of denial-of-services (DDoS) attacks caused little damage, but it gave the country invaluable experience in dealing with similar incidents in the future.
While for both the EU and NATO cyber security is an important issue, cyber security of individual member states remains a national responsibility. The Estonian Cyber Security Strategy is the officially recognized national policy for cyber security. The first strategy in the country was adopted in 2008 and focused on improving the legal framework for supporting cyber security.
In 2014 Estonia published the second Cyber Security Strategy 2014-2017 which is an integral part of Estonia’s broader security strategy. The new Strategy tackles recent threats which were not covered by the previous document, such as: ensuring more effective functioning of digital services, updating the threat landscape and advancing national defence capabilities, which is a new goal against cyber-crime.
The Estonian Cyber Defence League was also established three years after the 2007 attacks. The body operates under the Ministry of Defence and mostly consists of IT security specialists who will assist the state during the cyber-attacks.
One of the main objectives for Estonia is developing international cooperation against cyber-crime. The country started working on this even before the attacks in 2007. Immediately on joining NATO in 2004, Estonia proposed the concept for a cyber-security defence centre to the alliance. Now, the NATO Cooperative Cyber Defence Centre of Excellence – with a mission to enhance cooperation and information sharing among NATO countries – has been set up in Tallinn. Estonia is also a member of the UN’s Group of Governmental Experts (GGE) on Infrastructure Security. In 2014 Estonia coordinated the Nordic-Baltic 8 (NB8), where it continued to give priority to a new area – a closer cooperation on information security of the region.
The importance of establishing cyber security systems and institutions at the national level is clear. However, arguably there is an equally vital element that must be considered; the level of awareness of the general public to the cyber threats that exist. The most technically advanced systems are only as secure as the weakest link and cyber criminals are becoming ever more sophisticated in exploiting the vulnerabilities they find.
We live in an age when the vast majority carry at least one internet-enabled device with them. So much of our daily lives are conducted online and documented in numerous social media services such as Facebook and Twitter. The more this becomes the case and the more people are unaware of the simple online precautions they need to take, the more possibilities there are for people to be subject to a cyber-attack. The Internet of things, whereby more and more of our daily lives and the objects we use are connected to the internet, is no longer science fiction but “science fact” and, once connected, any device can also be hacked into. In 2014, many home appliances around the world, including at least onefridge, were hacked into and used to send malicious emails.
Many countries around the globe are waking up to the issue of promoting personal cyber security. Estonia is no exception, not least because, as proudly noted by staff at the e-Estonia demonstration centre, its use of new technologies means that there are only 4 services that cannot be completed online (getting married and divorced, opening a bank account and buying a house) this is a subject that is taken very seriously.
In addition to its national security priorities, the recently revised Cyber Security Strategy has a general objective of raising the population’s awareness of cyber threats and a number of initiatives launched to achieve this. In particular, developing this awareness from a young age is a key priority. From 2011, Estonia created ‘web constables’ whose job it is to teach personal cyber security to protect children and young people online. The Information Technology Foundation for Education, or HITSA, even offers training to pre-school children, as well as parents and teachers alike.
Separately, the Nutikaitse 2017 project, launched in 2013 to raise awareness amongst smart device users, developers and vendors is a welcome initiative. As Piret Pernik from the International Centre for Defence and Security in Tallinn, noted at the Conference on Regional Security Challenges during the study trip organized by the College of Europe last October, applications for devices were still being developed without cyber security in mind.
The Estonian cyber attack was a wake-up call for the EU. Policy makers now recognise the extent and severity of the cyber challenges. As a result, the European Commission and High Representative’s 2013 Cyber Security Strategy was the EU’s first policy document in this field. The Strategy covers the internal market, justice and home affairs and foreign policy angles of cyberspace. However, it is still questioned how such a complex set of challengescan be addressed at the EU level since this requires a stronger intergovernmental cooperation among the member states. One thing is obvious – “E-stonia”, with its unique expertise in the field, is contributing to shape and strengthen the European Cyber Security Strategy and will be an example for other member states in the future.