Bad actors beware: inside Estonia’s quest to ward off cyberattacks and identity theft


Article content

On a fine April day almost 14 years ago, Lauri Almann found himself huddled around a table with Estonia’s top officials debating whether to go public with the cyberattacks that had crippled state and business websites since the government decided to relocate a Soviet-era war memorial. 

The move had sparked days of riots in the nation’s capital, and the country was under significant political pressure from Russia. The cyberattacks though were a first for the country and seemed to showcase Estonia’s digital architecture’s vulnerability, upon which many people were already dependent. The question was whether or not to address them publicly.

“I was one of the members of the crisis committee,” recalls Almann. “And as we were sitting there in the crisis meeting room, a question on the table was if we were going to talk about it, or try to classify the attacks as much as possible.” At the moment of the attacks, it seemed like an embarrassment for Estonia’s e-government, he notes, but the decision was made to go public.

The result was startling. Rather than seeing the country’s experience as a weakness, it became the battle-hardened poster boy for cybersecurity. They had withstood a major attack and learned the lessons entailed. Estonian cybersecurity experts became highly sought after. “In retrospect, I think it was one of the best things that happened to us,” says Almann. The Estonian people’s trust in e-services also spiked, and the use of e-services doubled after that, he notes.

“It’s all about trust, and people will trust you when they know you will tell the truth,” he says.

A thriving ecosystem

Almann is now co-founder and “chief storytelling officer” for CybExer Technologies, a Tallinn-headquartered cybersecurity firm developing products for an increasingly diverse array of clients. The firm offers cybersecurity training sessions, a military-grade cybersecurity CyberRange platform for organizations, a toolkit for managing cybersecurity exercises, and a product called Cyber Hygiene for mitigating human risk behavior.

“CyberRange is for practical training of IT and cybersecurity personnel,” notes Almann. “We emulate organizations and we offer them a practice ground for people who want to be trained, who want to experience cyberattacks as they are in real life, and to defend infrastructures that look very much like their own,” he says. “It’s extremely practical and extremely engaging.”

His move into the private cybersecurity sector mirrors the development of the industry around Estonian e-governance, especially after the 2007 attacks. In 2008, the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn significantly scaled its activities. The center acts as a think tank on cybersecurity for participating countries. Along with ongoing developments in cybersecurity from the government side, there is also a thriving ecosystem of private firms that draw upon the Estonian experience to design products for the world.

“The community is quite lively,” acknowledges Liisa Past, head of cybersecurity business development at Cybernetica, a Tallinn and Tartu-based company that has developed multiple products and tools around digital identity and secure data exchange, including X-Road, which forms the backbone of Estonian e-governance. “It’s a small market with a relatively small talent pool,” says Past of the community. “You learn to know the people, and you learn to trust the people.”

It’s a sentiment shared by Janer Gorohhov, co-founder and chief product officer at Veriff, a Tallinn-based firm that has developed an AI-powered platform for verifying digital identity. The offering is available in 36 languages that have been so successful, that the privately held firm may soon become the sixth Estonian startup to surpass a $1 billion market value and attain unicorn status. Even with that breadth of impact, the firm is still embedded in Estonia’s cybersecurity community.

“In Estonia, as you know, everyone is a phone call away,” noted Gorohhov. “If different companies or the public sector have common enemies or a common problem that they are trying to solve, it is quite logical that they start to work together toward the same goal.”

The Estonian brand

Estonia’s resourcefulness, innovative mindset, and success in crafting new cybersecurity solutions for export have won the country some reputation abroad. Gorohhov notes. When he and CEO Kaarel Kotkas traveled to California in 2018 to participate in the Y Combinator accelerator program for startups, they thought they might need to take along a map to explain where Estonia was. Instead, they discovered that Estonia was well-known in Silicon Valley, particularly for its e-Residency program, allowing citizens of other countries to become Estonian e-residents and start their own Estonian companies.

“I love e-Residency, personally, and I think it has helped Veriff as well, because if we think about e-Residency, then it’s just another way to give people an e-identity,” he says. Yet these experiences might also be light years’ beyond the experience of those in other countries, which has made developing solutions for different markets a custom business.

“Estonia has built something wonderful with its digital infrastructure,” says Gorohhov. “It’s like Narnia, but it’s often hard to grasp for other governments.”

CybXer’s Almann agrees. “I think the brand of Estonia is extremely strong, and we can do business as a company because we come from Estonia,” he says. “But we also have to keep in mind that the cultures in Germany or the UK, the US or Japan are very different; we can’t just work with a copy-paste model.”

The lessons of 2020

“It is not a question of taking the Estonian model and copying it, but using technology that is contextualised and appropriate for a particular setting,” says Cybernetica’s Past. Yet, the resources to provide high levels of customisation exist. The company has deep roots in academia, dating back to the establishment of the Estonian Institute of Cybernetics in 1960, and has a deep bench of experts engaged in ongoing research programs. “I think 15 to 20 percent of my colleagues at Cybernetica have PhDs,” Past adds.

That know-how also makes them good at anticipating future threats. If the cyberattacks of 2007 were a wake-up call for the field of cybersecurity, then the past year of the COVID-19 pandemic has only reinforced the need for the kinds of tools and expertise that Estonian firms can offer. With more people from all sectors moving to work online, more organisations than ever are vulnerable to cyberattacks. Yet cybersecurity firms were not completely caught off-guard.

“2020 highlighted an accelerated digital transition,” Past points out. “But the bad actors’ behavior, in terms of IP theft, spycraft, phishing, was similar to what we have seen before,” she notes. “There weren’t a lot of new attack types. They mostly took advantage of the opportunities the pandemic posed.”

According to Past, the move to digital has also highlighted the need for improved cybersecurity for all organizations, big and small. Past is currently in charge of developing Cybernetica’s cybersecurity offerings, including a risk management platform.

To keep users abreast of these ongoing threats and new trends in digital security, Veriff this year, for the first time, published a Fraud Report, which also discussed the impact of the pandemic, as well as a forecast for 2021. “It shouldn’t only be us looking at the trends,” notes Veriff’s Gorohhov. “It should be all of our partners looking at where the world is currently heading.”

Still, Gorohhov, Past, and Almann declined to elaborate on some of the tools in their pipelines, preferring to keep new developments close to the vest given the secretive nature of their field.

“We get paid to be paranoid,” Past says of the industry. “We are professionally paranoid.”

Photo courtesy: NATO CCDCOE

CybExer co-founder Lauri Almann, Veriff CPO Janer Gorohhov, and Cybernetica’s Liisa Past will be taking part in e-Estonia digital discussion on how to keep cyberspace secure on 21 January at 11 AM. Reserve your spot here.


Visit us physically or virtually

We host impactful events both in our centre and online for government institutions, companies, and media. You’ll get an overview of e-Estonia’s best practices and build links to leading IT-service providers and state experts to support your digitalisation plans.

Questions? Have a chat with us.

Call us: +372 6273157 (business hours only)

Find us

The Briefing Centre is conveniently located just 2 minutes drive from the airport and 10 to 15 minutes drive from the city centre.

You will find us on a ground floor of Valukoja 8, central entrance behind the statue of Mr Ernst Julius Öpik. Photo of the central entrance.

Valukoja 8
11415 Tallinn, Estonia