As war thunders in Europe, so are threats in cyberspace on the rise. Nations worldwide are ramping up their cyber security capabilities. According to National Cyber Security Index (NCSI), Estonia does better in cyber security than most of the world. Estonia’s index 90,91 is 48 percentage points above the world’s average and 17 points better than the European average. Estonia is highly ranked also in the ITU Global Cybersecurity Index, holding 3rd place in the world.
In the NCSI, the 15 Eastern European countries are doing well. They reach an average of almost 20% higher (50.82) than the global cybersecurity index average (42.71). Four of them – Estonia, Lithuania, Latvia and Ukraine — rank exceptionally high. Lithuania, with a score of 93.51, is first of the group, and Estonia is second. These two countries’ cybersecurity score is higher than Australia, France, Canada, the US, the UK, and Russia.
The reasons? To start with, cybersecurity becomes important when a country is dependent on many digital tools. Paper bureaucracy countries do not need to deal with this. But the main motivation comes from fighting off Russian cyber threats for decades. An aggressive neighbour is forcing to take cybersecurity seriously, and allocate funds and attention.
Russia itself has not particularly high cyber defences (71.43, 2.5% lower than the European average), but still comparable to Singapore, Austria, Israel and Japan. And its defences are being tested, especially since Russia invaded Ukraine in 2022. It has experienced a 136% spike in data breaches, with close to 3.6 million internet users affected.
History of cyber warfare
Estonia was one of the first to come under attack from the modern form of hybrid warfare by Russia 15 years ago. On the excuse of the removal of a military memorial from the centre of Tallinn, Estonia’s capital, in 2007, Russia instigated riots among Estonia’s Russian-speaking minority. 150 people were injured and one killed. Also, Russia launched a cyber operation that later became colloquially known as Cyber War One. For several weeks, Estonia was targeted with repeated distributed denial of service (DDoS) attacks.
Ever since, Russian hackers target governmental bodies, military, and infrastructure with the full arsenal of tools, from phishing to DDoS attacks and malware. High ranking in the index shows that, as a response, Estonia has developed robust cybersecurity defences. Like during Cyber War One, both government-related and private sector defence mechanisms generally worked also against later attacks.
Cyber Defence League – model to follow?
Besides triggering state-led initiatives, one fundamental outcome of the 2007 incident and the security reassessment that followed, was the creation of the Estonian Cyber Defence League (CDL) as a component of the Estonian Defence League (a volunteer defence organization, something similar to the US National Guard or Peace Corps).
At first, two smaller units were created as a bottom-up initiative. In 2011, these units were reformed as the CDL. The League consists of volunteers, often leading IT experts, who donate their time by preparing for cyberattacks.
The strengths of this kind of engagement are two-fold: while it allows flexible engagement besides regular duties and thus attracts a wide scope of specialists, it is still part of the military chain of command and can thus be easily involved in missions, and training exercises.
A recent article in “Studies in conflict and terrorism” analysed whether such a model would be useful and applicable for the US. Shortage of skilled professionals and gap between needs and resources due to austerity measures are part of the challenges in developing US cyber defence capabilities.
The article found that while there are obvious difficulties due to size and cultural differences between the countries, this kind of volunteer yet a military way of organizing has indeed great potential. It can build on existing engagement of civilians in defence on federal and state level, such as Code Corps working with the New York City Mayor’s Office that helped with the aftermath of Hurricane Sandy, or cybersecurity units at National Guards of some states.
Measuring cyber security capabilities can help develop them
As reliance on digital services increases, so do the associated risks. Measuring cyber security capacity is becoming more important in assessing vulnerabilities. NCSI, the index referenced here, is not the only cybersecurity index in the world. One of the most widely used is the ITU Global Cybersecurity Index. However, the NCSI index, developed by the Estonian e-Government Academy in 2016, is significantly more transparent.
“Countries received regular information about their place in the ITU rankings. But ITU does not disclose on the basis of what information or whose assessment such a place arose. This does not allow reflexive development of capacity,” commented Epp Maaten, Programme Director of Cyber Security.
According to Ms Maaten, the principle of NCSI has been to create an open database of key indicators that anyone can check. In this way, NCSI database becomes a study material for all countries that want to study practices elsewhere and understand how their own capabilities are growing.
The methodology of NCSI is to identify the threats a country faces and the corresponding security measures it takes. The index consists of groupings of values given to legislation, organizations, cooperation formats and outcomes of these parts in defending against cyberattacks.