The multi-week denial-of-service attacks in 2007 catapulted Estonia to worldwide attention in the field of cyber security. Since then, criminals, hacktivists, soldiers and spies from near and far have continued to maintain an interest in undermining Estonia’s networked society. Yet they have had no such luck.
Every year, Estonia’s flagship agency responsible for cyber security and e-government releases a report of its efforts to protect citizens and companies in the digital domain. The Estonian Information System Authority’s (RIA) publication is an unusually clear window into the daily threats faced by a digitally advanced country that is located in a geopolitically challenging region.
The report also provides insight into what kinds of actions and policies are necessary to counter them at the personal and national levels. Regular computer users and security professionals alike would benefit from having an overview of its contents.
Four major cyber threats to Estonia
In this year’s report, RIA identified four major cyber threats to Estonia: cybercrime, cyber espionage, cyber weapons and user inadequacies.
Criminals are increasingly using malware to encrypt files on computers and networks and holding them for ransom. This is a problem at the individual level but can become a national security concern if, for example, all the shared server drives of a critical infrastructure company are locked up.
Estonia also has cause to be concerned about the sophisticated activities of foreign intelligence agencies who are interested in, among other things, breaching networks and leaking data to reduce trust between citizens and the government. The recent power outage caused by a cyberattack in Ukraine also drew RIA’s attention as an example of how malicious code can be weaponized and applied in armed conflict.
Finally, RIA laments that most serious computer security incidents have at their heart a lack of knowledge, skills or awareness by everyday users. Basic computer practices (updating software, using strong passwords, not clicking links or attachments in suspicious e-mails, regularly backing up data externally etc.) by individuals and companies can substantially contribute to cyber security at every level. Otherwise, users can just as easily become a major part of the problem.
Staying ahead of the threats
To stay ahead of the threats at the national level, Estonia had to take action on a number of fronts in 2015.
It has implemented an around-the-clock monitoring system that has allowed it to respond to five times as many incidents as before, with notable success stories. To strengthen critical infrastructure protection, Estonia has brought together commissions of sector-specific experts, organised numerous training courses and continued the only country in Europe to test companies’ security itself. RIA also organised realistic security exercises for private and public sector operators to practice cooperation and identify shortcomings. The largest, KüberSIIL 2015, involved over 20 organisations and 100 individuals.
RIA also found that Estonia needs a single, compact cyber security law. The legal framework for cyber security in Estonia at the moment is overly complicated and will become even more so with the proposed changes to the Emergency Act and the entry into force of the European Network and Information Security Directive in 2016.
Finally, Estonia took its international cooperation to the next level by signing a bilateral cooperation agreement with Japan and another one with the Baltic states – Latvia and Lithuania. The latter made history by being the first trilateral intergovernmental agreement to be signed digitally.
E-society is based on strong cryptography
The security of Estonia’s e-society is also based on strong cryptography. It’s often not realised how cryptography underlies so much of what is done online, especially in Estonia.
The country’s e-government is based on the first-of-its-kind national public key infrastructure system. It then integrated that capability into the chips of its ID-cards, thereby enabling secure and private digital identification and authentication. This national implementation, combined with companies like Guardtime and Cybernetica that are producing innovative cryptographic solutions, demonstrates the expertise that Estonia has in this critical subdomain.
Fortunately, Estonia was also not caught off guard when increases in computing power and cryptographic advancements have started to make it theoretically possible to threaten our ID-card system (by attacking the SHA-1 algorithm) in the next several years. In fact, Estonia had already started to prepare a massive remote update campaign to remove the SHA-1 algorithm from our ID-cards in 2015. The success of this pre-emptive initiative, which began in March 2016, will continue to enable Estonians to use well-known browsers to take advantage of the thousands of digital services that have come to play a significant role in their professional and personal lives.
Leadership in cyber security and e-government has paid off in terms of international respectability
All in all, the RIA report continues to show that technological trends and threats are relevant to everyone, from individuals using their ID-cards to ministries protecting the most sensitive data. The so-called “arms race” between defenders and attackers is continuing at a rapid pace, and Estonia needs to stay in front of the threats personally, technically, legally and strategically.
The country has certainly seen how leadership in cyber security and e-government has not only contributed to domestic productivity but has also paid off in terms of international reputation and respectability. Its voice is heard around the world on topics connected to digital economics and security. With political will, sufficient resources and the collective effort of its citizens and officials, Estonia can continue to be a global leader in this field. It’s certainly worth the effort.
I
Cover image courtesy of Wikimedia Commons.
