For an Estonian, the idea of cyber security goes clearly beyond the sphere of security alone – it is a much broader issue having to do with our daily life, ease of doing business, and communicating with the state we live in. Ensuring this digital way of life also means having to protect devices and systems against cyber attacks and disruptions and ensure data availability, confidentiality and integrity at all times.
Gert Auväärt, Head of International Relations at Estonian Information System Authority
Kadri Kaska, Leading Analyst at Estonian Information System Authority
Estonia was the first country to experience an unprecedented level of coordinated cyber attacks against an entire nation state in 2007. A decade later, these attacks have proven to be an early warning to all nations on how events in the digital domain influence our everyday way of life and the habitual functioning of our societies. While relatively unsophisticated and limited in consequences, the 2007 attacks ultimately helped Estonia to build a more robust digital infrastructure and become a global leader in cyber security matters.
Defending a digital way of life
This story from ten years ago is still relevant in 2017 because within it lies the answer to the constantly arising question about the secret to Estonia’s – and not just Estonia’s – success in cyber security. For us it proved that the fundamental approach we took at the beginning of this century to developing our digital society holds up even in a crisis: taking digitalization seriously with all its implications, including security; educating everyone – starting at elementary school – on cyber hygiene, or how to behave securely online; and cooperating across the state, private sector, and academia in both service development and security. Estonia has greatly benefited from ICT development as a state, society and economy; it has shaped many if not all areas of our way of life. We need to make sure that this lifestyle is secured so that the whole society is able to trust it in order to continue to benefit from it.
At the global level we have for years now reiterated the message that for Estonia, socio-economic and politico-military aspects of cyber security are intertwined. We consider it elementary that countries must abstain from attacking national critical infrastructure. We also call for responsible behavior towards global communications infrastructure to promote access to information and trust towards ICTs. We consider it a responsibility of every country to draft and enforce national laws that help control malicious uses of ICTs and to seek ways to better formulate, disseminate and promote responsible and active cyber policy. For Estonia, international law is the utmost authority, also in the use of ICTs.
Estonians generally trust their state and its institutions more than the average European. We have been able to build up a well-functioning democratic state, and this trust towards the state extends to e-services. A great deal of this trust comes from the principle backed by law that everyone must be able to have control over the use of their data. Digital services are designed to provide users with the greatest possible confidence and sense of security. Estonian authorities offer around 1500 state services online – marriage, divorce and real-estate transactions are the only cases where one needs to show up in person.
Likewise, the private sector enterprises and NGOs, with a host of various digital services they provide, have been avid contributors to our digital ecosystem for nearly two decades. Estonia’s experience shows that much of the knowledge concerning cyber security, of vulnerabilities and mitigation, is available in the private sector. Securing a country’s digital way of life inevitably depends on not just participation, but close cooperation by both the private and the public sector. An excellent example of public-private cooperation is the cyber defence unit of the Estonian Defence League, Estonia’s volunteer national defence organisation that supports national defence objectives. This initiative pursues national security tasks, along with community building, professional education and awareness raising, setting an example to many other countries.
Resilience for a digital future
Given Estonia’s unique experience, both cyber and digital issues were high on our agenda during the Estonian Presidency of the Council of the EU this year. The three main topics in the realm of cyber issues were the renewed EU Cybersecurity Strategy, the Framework on a Joint EU diplomatic response to Cyber activities (previously called the EU Cyber Diplomacy Toolbox), and the NIS directive implementation process. We consider each a substantial and credible contribution to the cyber security of the European Union and its residents. As the Presidency, we are happy to have achieved these milestones and will continue to support these efforts in the years to come.
We also continue to deem high public trust in Estonia’s digital ecosystem extremely important. For this reason, we consider fundamentally open and transparent risk management the only viable option in dealing with cyber security in society. An example of our proactively transparent approach is the recently discovered ROCA vulnerability, which, among many other targets globally, also affected more than half of Estonian national ID cards, which form the cornerstone of Estonian digital identity. Ever since learning of the vulnerability, the Estonian government has openly communicated both the problem and actions for risk mitigation. For one thing, doing so was important because transparency is precisely the factor that underpins people’s trust in digital services. Furthermore, openness was important because security is not merely something done by the government; it also requires aware and active behavior from the user and service provider.
The collaborative effort led to a situation where even after the decision to suspend the digital certificates of about 730,000 ID cards, e-services continued to be up and running and service access for people was not lost. An alternative configuration could be rolled out just in time for users to update their cards, so detrimental impact from the vulnerability was avoided and people could keep using the benefits of a digital society. The release of the new software in less than two months after risk notification was possible due to efficient cooperation between the public and private sectors. As of early December, we can say that Estonia has resolved the so-called ID-card crisis: around 322,000 Estonian ID-cards affected by the vulnerability have been updated since the suspension, which is more than 40% of all cards and the vast majority of active users of ID-card digital options, and digital service usage levels remain the same or even higher than before.
To conclude, we reiterate that the state has a moral and legal obligation to ensure a high level of security to the personal data entrusted to the state. The uncompromised security of digital identity is of fundamental significance to Estonia and the functioning of our digital ecosystem. In order to retain that assurance in the convenient, effective, transparent and secure digital country, we have just started broader discussions on Estonia’s new national cyber security strategy – the third since 2008 – involving stakeholders across society in order to further our resilience and enhance our ability to keep up with the fast evolving landscape of digital threats and opportunities.