People like German Chancellor Angela Merkel and Belgian King Albert II visit Estonia to learn more about cybersecurity.
The Baltic country is internet-based. Almost everything a person might want or need from the government can be done online, from filing taxes and voting to registering a new baby. It’s a practical solution for Estonia’s 1.3 million residents, but it necessitates a high level of cybersecurity.
Estonia, fortunately for its citizens, is punching well above its weight when it comes to online security. It consistently ranks first in security rankings.
Tallinn, the country’s capital, is home to the Cooperative Cyber Defense Centre of Excellence, NATO’s cyber defense hub. When it assumed the rotating presidency of the United Nations Security Council last year, one of the policy priorities was cybersecurity.
“Estonia digitized a lot sooner than other countries, it was focusing on things like online schooling and online government services and it took a more proactive approach to technology,” said Esther Naylor, an international security research analyst at Chatham House.
“And it recognized that it needs to be a secure country in order for citizens to want to use online systems and for businesses to want to do business in Estonia … and I think that this is why Estonia’s approach is often heralded as the model approach,” she added.
Serious cyberattacks against critical targets in Europe have doubled in the last year, according to a new European Union report obtained by CNN last week. In recent weeks, there have also been a number of high-profile attacks on US targets. On Wednesday, the topic came up during a high-stakes meeting between US President Joe Biden and his Russian counterpart Vladimir Putin.
Biden said he told Putin that certain areas of “critical infrastructure” should be off-limits to cyberattacks, and that the US had “significant cyber capability” and would respond if there were any more. Putin told reporters that the two leaders had agreed to begin talks on the subject.
Chancellor Angela Merkel of Germany became an e-resident of Estonia during a visit to Tallinn in 2016.
The cyber threat posed by Russia is not new to Estonia. A decision to move a Soviet-era war memorial from central Tallinn to a military cemetery sparked a diplomatic spat with the city’s neighbor and former overlord in 2007. Russian diplomats protested and made vehement statements. And, just as the removal work began, Estonia was the target of the largest cyberattack against a single country at the time.
The Estonian government labeled the incident a cyberattack and blamed it on Russia. Moscow has denied any involvement in the incident.
The country was already a leader in e-government at the time, having implemented services such as online voting and digital signatures. While no data was stolen, the incident resulted in 22-day distributed denial of service attacks against banks, the media, and some government services. Some services were hampered, while others were completely shut down.
“We saw what would happen if our precious systems that we really loved were down,” said Birgy Lorenz, a cybersecurity scientist at Tallinn University of Technology. “We started to understand that fake news is really important and that people can be manipulated, and that we have to protect our systems better — and that this is not only about the systems, but also about understanding the role people play in the systems.”
Following the attack, the government quickly implemented — and continues to update — a comprehensive national cybersecurity strategy. It has partnered with private businesses to develop secure systems.
The country was also an early adopter of blockchain technology, forming a new cyber unit within the Estonia Defense League, which is a voluntary organization. Through NATO and other organizations, it began to push for more international cooperation.
“Technology gives us a lot of tools to secure the system, but at the end of the day, the level of security depends on the users,” said Sotiris Tzifas, a cybersecurity expert and chief executive of Trust-IT VIP Cyber Intelligence. “Even if you build the most secure system you can, if the user does something bad or something misguided or something they are not allowed to do, then the system is downgraded very quickly.”
But, perhaps most importantly, it made investments in its employees.
He cited the fact that some of the most damaging cyberattacks in recent history were the result of a confused insider clicking on a phishing link rather than a sophisticated hacker using cutting-edge technology.
The Colonial Pipeline attack in April, which forced the US company to shut down a key US East Coast pipeline, was a good example, according to Tzifas. “It created a lot of buzz and cost a lot of money, but there was no real complexity, it wasn’t different to other ransomware attacks,” he said.
In recent years, the Estonian government has made significant investments in education and training programs. The government is ensuring that every Estonian has access to the training they need to keep the country’s IT systems secure, from awareness campaigns and workshops aimed specifically at the elderly to “coding” lessons for kindergarteners.
During the Locked Shields cyber defense exercise, held in Tallinn by the NATO Cooperative Cyber Defence Centre of Excellence, people look at the visualisation.
Lorenz is the brains behind a number of Estonian educational programs aimed at teaching children about technology as well as identifying and nurturing future technology leaders. “To get the talent you need the mass to choose the talents from, so we have training and competitions already for primary school children,” she said.