Estonia is a global leader on all things cyber. Now it’s offering to teach other countries
“Estonia digitized much earlier than other countries, focusing on things like online training and online government, and taking a more proactive approach to technology,” said Esther Naylor, an international security analyst at Chatham House.
“And it has recognized that it has to be a safe country for citizens to use online systems and for companies to do business in Estonia … and I think that is why Estonia’s approach is often touted as a model,” she added.
A new report from the European Union that CNN received last week shows that serious cyberattacks on critical targets in Europe have doubled over the past year. There have also been a number of high profile attacks on US targets in recent weeks. The issue arose on Wednesday during a high-level summit meeting between US President Joe Biden and his Russian counterpart Vladimir Putin.
Biden said he told Putin that certain areas of “critical infrastructure” should be closed to cyberattacks and warned the Russian leader that the US had “significant cyber capabilities” and would respond to further attacks. Putin told reporters the two leaders had agreed to open consultations on the matter.
Estonia is no stranger to Russia’s cyber threat. In 2007, the decision to move a Soviet-era war memorial from central Tallinn to a military cemetery sparked a diplomatic dispute with its neighbor and former overlord. There were protests and angry remarks from Russian diplomats. And just as the removal work began, Estonia became the target of what was then the largest cyberattack against a single country.
The Estonian government called the incident an act of cyber war and blamed Russia for it. Moscow has denied any involvement.
The attack made it clear to Estonia that it needed to start treating cyber threats in the same way as physical attacks.
At that time, the country was already a leader in e-government and had introduced services such as online voting and digital signatures. While no data was stolen in the incident, the websites of banks, media and some government agencies were hit with distributed denial-of-service attacks for 22 days. Some services were interrupted, others were completely discontinued.
“We saw what would happen if our precious systems that we really loved failed,” said Birgy Lorenz, a cybersecurity researcher at Tallinn University of Technology. “We started to understand that fake news is really important and that people can be manipulated and that we need to better protect our systems – and that it’s not just about the systems, but also about understanding the role of the people in the systems.”
People are important
In the wake of the attack, the government quickly adopted – and is constantly updating – a far-reaching national cybersecurity strategy. It has partnered with private companies to develop secure systems. It set up a “data embassy” in Luxembourg, a super-secure data center that contains backups in the event of an attack on Estonian territory.
The country also became an early adopter of blockchain technology and formed a new cyber unit within its volunteer Estonian Defense League. It began to push for more international cooperation through NATO and other organizations.
But perhaps most importantly, it has invested in its people.
“Technology gives us many tools to secure the system, but ultimately the level of security depends on the users,” said Sotiris Tzifas, cybersecurity expert and CEO of Trust-IT VIP Cyber Intelligence. “Even if you build the safest system you can, if the user does something bad, misdirected, or is not allowed to do something, the system gets downgraded very quickly.” He pointed out that some of the most damaging cyberattacks in recent history were caused by a confused insider clicking on a phishing link, rather than a sophisticated hacker deploying the most advanced technology.
Tzifas said the Colonial Pipeline attack, which forced the US company to shut down a key pipeline on the US east coast in April, is a good example of this. “It got a lot of buzz and money, but there was no real complexity, it was no different from any other ransomware attack,” he said.
The Estonian government has invested heavily in education and training programs in recent years. From awareness campaigns and workshops specifically aimed at senior citizens to programming lessons for kindergarten children, the government ensures that every Estonian has access to the training they need to protect the country’s IT systems.
It also wants its teenagers to know how to hack. “We teach defense, but you can’t learn defense if you can’t hack,” said Lorenz. She runs educational camps where teenagers learn to hack in a safe environment. She doesn’t encourage her students to keep trying to hack companies or government agencies, but when they do she is on hand to make sure they are behaving ethically. “I’ll help them put it in a package and then we’ll send it to the company and say, look, the students found this flaw in your system,” she said.
Lorenz is the mind behind many Estonian educational programs that aim to teach technology to children, but also to recognize and promote future technology leaders. “In order to get the talent, you need the mass from which the talent can be selected. That’s why we already have training and competitions for elementary school children,” she said.
She says young children are eager to learn more about cybersecurity when they feel they are part of the solution. “They don’t really want to listen to the adults telling them what to do, so we tell them we need their help and ask them to help their parents or younger sister with safety by using all of their devices and checking passwords and showing them how to do it so they learn the skills and feel empowered to take responsibility,” she said.
Government-sponsored hacks on the rise
To understand what a country can do to secure its critical infrastructure, the government needs to understand the motivations of its potential attackers, Tzifas said. “There are government-sponsored hackers attacking, then there are the scammers trying to make an economic profit, and then there are the ‘script kiddies’ or low-level hackers trying to see if they can do it,” he explained.
Some governments and corporations are encouraging the final group to work on their systems by offering awards to the successful ones in hopes that it will help them discover weaknesses they may not be aware of, he added.
In recent years there has been a surge in government-sponsored attacks, in which governments have used hacks to disrupt their adversaries. The US and UK last year warned of an increase in government-sponsored cyberattacks against organizations involved in the coronavirus response.
This is where international cooperation becomes crucial – and Estonia, a small country on the fringes of the EU, knows that too.
“Estonia has been very active in cyber diplomacy. It uses its voice to talk about what should and shouldn’t happen in cyberspace,” said Naylor. “Estonia did so last year when it joined the UN Security Council, and this was the first time on the UN Security Council that it has teamed up with the UK and US to call out Russia for launching a cyber attack on Georgia,” she said, adding that while the move “will not necessarily solve all of our problems in cyberspace, it does send a message”.
The e-Estonia Briefing Center, a publicly funded cybersecurity and digital services information center in Tallinn, is another way for the country to build partnerships. It has been specially set up to offer training programs and workshops to foreign delegations. Visitors include Merkel, the Belgian king as well as numerous foreign ministers and local governments. “We share our success stories and our mistakes so that other countries don’t have to reinvent the wheel,” says Florian Marcus, advisor for digital transformation at the center.
The government infrastructure is based on several layers of security, Marcus continued. “One aspect is that we have always taken care to store as little data as possible and when we store data, we store it as separately as possible,” he said of the government’s “once only” principle.
“There is no duplicate data within the government service, for example only the registration office is allowed to store my address, and if another registry, such as the tax office or the electoral committee, needs my address, they have to ask the population register via an encrypted data exchange that uses blockchain to check data integrity.”
Tzifas said this approach is much more secure than large super-databases that hold all kinds of data – from addresses and ID numbers to dates of birth and health and insurance records – all on one platform.
“We’re talking about the banking system, insurance companies, government databases that collect all of this data, that’s real gold for hackers as this data can very easily be used in impersonation attacks [a] fake identity, you need all this data,” he said.
Estonia has built secure IT systems, promoted international cooperation and spent a lot of time and money training its citizens. But in a world where hackers are mostly one step ahead of governments, the country is constantly trying to find ways to improve its system.
“A pure defense does not protect you from all possible cyber incidents. Because of the changing techniques used by criminal groups, you need to think about resilience and take proactive countermeasures,” said Naylor.
As an example, she cites Estonia’s focus on responding to cyber incidents. “You simulate cyber attacks either on critical infrastructures or on an industry, so that [they] are better prepared to respond to a possible attack.”
Together, citizen awareness, monitoring of potential attacks and flexible countermeasures are key elements of a successful cyber defense, said Tzifas, “because whatever technology you install, it will be bypassed in the future.”
For Lorenz, the success of the Estonian cyber program boils down to a simple principle: everyone, from the highest levels of government to school children, makes their contribution.
“In a way, it’s very Estonian,” she said. “We don’t have a leader telling us what to do. We are going to [the] sauna and one says ‘my neighbor is thinking about it’ and another says ‘my neighbor is thinking about it’ … and nobody talks about what they are going to do and nothing is decided, but then they all go home and do their thing and somehow everything works.”