In these turbulent times where everything we do is increasingly online (thanks, global pandemic!), cybersecurity is a matter to be discussed more in-depth. This is precisely what our speaker Florian Marcus does in the most recent episode of our podcast. He got Lauri Almann, the co-founder of CybExer Technologies, behind the mic to share insights into current threats and trends.
tune in to listen to our podcast:
Lauri Almann is quite a character himself – he has served as one of the highest civil servants in Estonia, namely as the secretary-general of the Estonian Ministry of Defence during the infamous 2007 cyberattacks against Estonia that resulted in the formal establishment of the NATO Cooperative Cyber Defence Centre of Excellence; he is also a full-blown lawyer both in Estonia AND Washington, D.C. (passing the bar exam there is no picnic in the park!), has taught classes at various universities, and co-founded several companies. One of the last being CybExer Technologies that builds cyber capabilities. In particular, cyber ranges – platforms where companies, governments, and individuals can engage in immersive cyber training.
A training platform used by the Estonian government
CybExer teaches cybersecurity skills at both a technological level and on a decision-maker level. Training offerings span from regular users to entire governments who have their requirements for cyber hygiene and cyber awareness courses. They have everyone on board, from teenagers to governments, from corporations to NATO generals. The company claims to have 200,000-250,000 users on the platform. “Among others, the whole Estonian government is using our platform,” says Lauri Almann.
According to Almann, cybersecurity is not only about technology. “It involves decision-making. So what we do is sketch the mindmaps of senior leaders in case of cyber events.”
Our speaker and podcast host Florian Marcus tries to better understand what cyber ranges are and what can be done by using them. “It is a digital/virtual environment where you can launch automated attacks against a specific team that is testing their capabilities. What else is possible?”
Lauri Almann goes on to explain: “It is a training platform that combines hardware and software. There’s an automation layer, which means that we need to create environments where exercises take place automatically. That’s hard to do, but our team has years and years of experience in creating some of the most extensive training in the world. Then you need visualisation, which means you need to tell the story of what is happening there. And finally, you need the library, which is the target that we want to put together and build environments of so-to-speak Lego blocks. And then on top of that, the personal profile of each and every user of CybExer.”
Most talented cyber experts in the region
According to Almann, it is a platform to conduct employee testing and pre-production training, for example.“We had a Microsoft Exchange event a couple of months ago where massive vulnerabilities were discovered worldwide, and they were coupled with automated attacks.”
CybExer has connected complex solutions into their cyber range, starting from SCADA modules that run, for example, heat and ventilation systems.
“Why is that necessary,” our speaker Florian wants to know.
“Hackers can hack into a data centre and cause the heat and ventilation system of the data centre to think that 100°C is perfectly normal. So they manipulate it in a way, which leads to an explosion because they overheat. This is one of the scenarios that we can play through,” Almann replies.
Lauri Almann says that CybExer has one of the most talented groups of cyber experts in the region. “There are approximately 40-50 of us, depending on how we count. And all have their own stories and backgrounds. Mine, of course, is in the Estonian government.”
Cyber is not a part of NATO´s toolbox
Almann takes us back to 2004 when Estonia decided to set up the NATO CCDCOE. “It’s also fitting to remember here General Kert, who passed away some months ago and who was the author of the idea. When the sad news came, I went through my old notebook of the General’s brief in August 2004. That was the first time the decision to set up the centre was on the table, and the General was briefing everybody in the room, and in his briefings were two remarkable sentences. One of them was, “I have made rounds with all NATO embassies, and none of them sees cyber as part of NATO’s toolbox.” And another sentence was, “it’s 99% that NATO is not going to fund it. So, we need to decide to fund it nationally.” And we did it.”
In Almann’s words, this was e-Estonia looking at services and e-Estonia looking at security. “I think this is what we have always been doing. We cannot have these benefits without thinking about security. We realized that pretty early on in 2004, but the world just wasn’t there. Can you imagine the sentence right now, “we don’t see cyber as part of our toolbox”?”
Still, it took four years until the Centre launched. Estonia, of course, joined the EU and NATO in 2004. But it was not until the infamous 2007 cyberattacks that cybersecurity became acute, not only nationally in Estonia but globally.
“I, as the secretary-general of the Estonian Ministry of Defence, was the most senior civil servant at the time and a member of what is called the Estonian Government Crisis Committee. If something bad happened – be it a plane crash, critical hostage situation, or even a snowstorm, then the crisis committee dealt with the situation. And of course, I was representing the Estonia MOD in the Crisis Committee when 2007 happened.”
Almann elaborates how people still want to talk about the events of 2007 and explain the reason behind them. “They always ask – how come after 2007 Estonia’s e-services tripled, even quadrupled? How did people not lose trust?” Because it was 2007. e-Services were not that popular. e-Government wasn’t that popular. It was the transparency by the government to own the attacks and explain everything openly that won people over. And ten years later, the ID card crisis happened, and the government took the same approach under Prime Minister Ratas. Went public with everything and chose not to ignore problems.”
Almann concludes that e-service skepticism can be cured by transparency. “When we have a problem, we talk about it.”
To hear in more detail what happened in 2007; why Almann uses four visuals – the Estonian Old Town, Estonian mentality when buying a summer cottage, how Estonians respect bus lanes, and our Singing Revolution – to explain Estonian e-service and cybersecurity mentality; plus how is CybExer tackling the cyber skills gap before universities can fill it, tune in to listen to our podcast: