These are transformative times for Estonian cyber security companies. For weeks, all eyes in the country have been fixed on the ongoing war in Ukraine, but to listen to Raul Rikk, director of national cyber security for the Estonian government, the threat of cyberattacks has only been growing immensely over the past few years, challenges only now magnified by the new war.
“There have been bigger and bigger cyber attacks with a massive impact,” says Rikk. “And of course now the war in Ukraine has put a lot of pressure on cyber management capabilities.”
The solution will be greater vigilance and better solutions, says Rikk, not only from companies already established in the cyber security space, but from all organizations and firms that will need to step up to address these new risks. And as companies invest, providers will need to innovate.
“Companies have to allocate more resources from their ICT budgets to cyber to ensure the sustainability and security of the systems,” says Rikk. “Because cyber attacks will not disappear. They will only become more influential.”
Estonia has a multitude of companies that either focus directly or partially on cyber security. In the case of Cybernetica, the story of the firm is in some ways the story of Estonian cyber security itself. The firm traces its origins to the founding of the Institute of Cybernetics at the Estonian Academy of Sciences in 1960. The institute evolved into Cybernetica in 1997. As such, Cybernetica could be considered the predecessor of the Estonian cyber security community. When the government embarked on digitisation projects in the 2000s, it didn’t have to look farther than Cybernetica for help. This led to the creation of X-Road, the backbone of Estonian digital services. “I like to tell people that Cybernetica is even older than Microsoft,” says Rikk.
According to Sander Valvas, head of the cyber security department at Cybernetica, this background in cryptography, cybernetics, advanced mathematics, and computing, provided a “solid foundation” for Cybernetica and likeminded firms. “From this situation Cybernetica also arose as a strong cyber security player,” Cybernetica also played a role in the development of the Estonian IT Baseline Security System, Valvas points out. And the innovation in cyber continues.
In 2020, the firm announced a cyber threat intelligence sharing platform between the US and Estonia, and continues to work on the platform for the Estonian Ministry of Defense, he says.
There is also the domestic market in Estonia, and Cybernetica is now offering cyber security as a service for companies that lack the know-how to keep an in-house cyber security team, he says.
The new kids
If Cybernetica is the grandfather of Estonia’s cybersecurity sector, then companies like Veriff, CybExer, and RangeForce are some of the new kids. All three were founded in the mid-2010s and, like Cybernetica, evolved out of the country’s existing competencies in cybertechnologies.
Veriff, in some ways, is the quintessential Estonian IT success story. The global online identity verification company started off as an idea in 2015, and is now one of the country’s unicorns, with a market valuation of $1.5 billion, and clients in the fintech, cryptocurrency, gaming, and mobility sectors. Veriff now employs 400 people across sites in Estonia, the US, UK, and Spain.
“As businesses have moved online, identity verification has become an integral part of any business, they need to know who is the person at the other end of the line,” says Kaur Virunurm, its chief information security officer. He notes that the country’s technical higher education and scientific research institutes have also helped to prime the market for innovation, and that some other factors, such as a lack of legacy technology platforms following the Soviet collapse, plus a “surge in patriotism” in the post-1991 years have continued to fuel this development in the area.
This uptake of cybertechnologies also led to security solutions. “The new digital companies had to protect their electronic services from the new and emerging cybercriminal society,” he notes.
The Bronze Night and its aftermath
If Estonia was well positioned to innovate in the cyber security arena at the start of the 2000s, the sector received a jolt in April 2007. After the Estonian government removed a controversial Soviet-era war memorial referred to as the Bronze Soldier to a military cemetery, widespread rioting erupted in the Estonian capital, and some other cities, and the country’s parliament, banks, and media were hit by distributed denial of service attacks, still widely considered one of the most intensive instances of state-sponsored cyber warfare ever. The event led to the establishment of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn in 2008.
“It was natural that after those events we had to start thinking about how to be resilient as a society also in the cyber domain,” says Andrus Kivisaar, the CEO of CybExer Technologies.
Founded in 2016, CybExer provides cyber security training platforms with a focus on cyber capability development. The firm, headquartered in Tallinn, also offers a plethora of workshops and exercises aimed at a cross section of users, from ordinary users to strategic leadership. Its flagship platform, called Cyber Range, allows users to simulate and respond to cyber attacks.
“Cyber security exercises before 2015 pretty much looked like a bunch of guys sitting in the room sending e-mails,” notes Kivisaar. “We saw clearly what was wrong with those exercises — the difficulties, the inefficiencies, the lack of technological solutions, the lack of awareness.”
The human element
In February, CybXer raised €5 million to develop its Cyber Range platform further, an event that the firm sees as confirmation that more people are appreciating the importance of cyber security.
“The fact that most technical devices around us are computer-controlled and can therefore potentially be manipulated is becoming a common understanding,” says Kivisaar. “Not only defence and critical infrastructures but smart cities, banking, industry, commerce, supply chains – everything needs to be protected and therefore we see a rapid growth of the market,” he says.
Jaanus Kink, COO of RangeForce, which also provides a cyber readiness platform, agrees. The company, founded in Estonia but now headquartered in the US, offers a variety of tools for cyber security skills development. “Our mission is to be the world’s leading human cyber readiness platform,” says Kink, noting that RangeForce engages companies to gauge and improve their cyber security organizations through a “gamified and hands-on experience.”
According to Kink, this human element is key to cyber security. “Everyone is talking about AI at the moment,” he says, “but it is literally the responsibility of every IT professional to ensure security in the cyber world,” he says. Kink notes that there are not enough IT cyber security professionals out there, a shortage of which CybExer’s Kivisaar also says needs to be addressed.
What are the most pressing threats? According to Cybernetica’s Valvas, they are the same that have always existed, only more sophisticated attacks. These can strike either the state or the private sector to paralyze services or extort money from individuals. “We cannot really separate the state’s readiness to withstand cyber attacks from the private sector – the stronger the collective strength of all organizations and institutions, the more resilient we are,” says Valvas.
“The goal of the cyber security industry is thus not to save you, or me, or your business from the villains,” points out Veriff’s Virunurm. “The goal is to provide an environment for everybody that is sufficiently safe to operate in.” Virunurm likens cyber security to law enforcement. “They never try to catch all petty thieves,” says Virunurm, “but they must create a society where people can start a business, earn money and spend it without being afraid of robbers and thieves.”
He notes that just as cyber security firms innovate, criminals and rogue states are working to improve their attacks. Protecting digital assets at the company or state level will require oversight, data mining, service discovery, and automated incident response, says Virunurm. “The attacking side is, of course, working on the same tools and topics, with the same technology applied for the opposite goal,” he says. “It is an arms race with high money and power at stake.”
freelance journalist and writer