
Event in Review: Estonia’s new Cybersecurity Strategy

On October 20, the GW Cybersecurity Initiative hosted an event, in partnership with the Johns Hopkins University Applied Physics Laboratory, featuring a panel of senior Estonian officials to discuss Estonia’s evolving cybersecurity strategy, highlighted in a new official document entitled “Cyber Security Strategy, 2014-2017”. The event was co-moderated by Timothy J. Evans, a Senior Advisor for Cyber Strategy and Policy at the Johns Hopkins University, and Frank Cilluffo, Director of HSPI and of the GW Cybersecurity Initiative.

Mr. Eerik Marmei, the Estonian Ambassador to the United States, introduced the topic of discussion with a recap of Estonia’s cybersecurity history since the nationwide cyber attack against Estonia in 2007. He explained the great strides the nation has made in support of cyber defense development, in particular with the Ministry of Defence’s implemented strategy initiatives of 2008-2013 and 2014-2017.

The Head of International Relations at the Estonian Information System Authority (EISA), Liina Areng, examined the two initiatives further. The first strategy was “an attempt to create order out of chaos”, at a time of minimal resources and policy development for cyber security. As one of the first states to generate such awareness, Estonia paved the way for “e-nations” in strategy development with its response to the 2007 attacks. The second strategy has been approved to work with the structures and regulations in place to refine the Estonian cyber shield. Components of the cyber shield allow for proactive risk-management and decision-making, data security through cryptographic solutions, and continuous cooperation between the public and private sectors and across national and international realms.

Sven Kivvistik, the Head of the Risk Control and Advisory Department at EISA, then delved into the inherent risks to which Estonia is subjected, with nation-wide services such as free WiFi, electronic voting for general elections, and over 95% of bank transactions and taxes handled online. Effective risk management, Kivvistik explained, is achieved by “cooperation and coordination among governmental authorities and ministries, private-public partnership as well as building a strong community.”

Lauri Luht continued the conversation with an explanation of his department’s role and founding within the EISA Cyber Security Branch. To do so, Mr. Luht, serving as Head of Crisis Management, explored the legal basis and risk management achieved through Estonia’s 2009 Emergency Act. This act, generated for the entire government sector (including cyber), provides two key risk management objectives: emergency response planning and the protection of vital services. Key deliverables such as risk and vulnerability analysis, testing and exercises, guideline development and stakeholder management are constantly in production by the EISA.

Mihkel Tikk, Director of the Cyber Policy Department at the Estonian Ministry of Defence, reflected upon the debilitating effects following the 2007 cyber attack, as felt by the Estonian parliament, banks, media and many other areas of society. Estonia’s swift and far-reaching response demonstrated the country’s ability to develop its cyber defence league in conjunction with the private sector to protect the e-lifestyle, as it remains “not only the obligation of the government”.

Luukas Ilves, who serves as the Counselor for Digital Affairs and Permanent Representative of Estonia to the EU, concluded the panel dialogue. He noted that as the EU continues to improve circumstances for a cyber-conducive environment, their primary efforts are currently directed towards the adoption of comprehensive cybersecurity legislation.

Christina Parker is an intern with the Homeland Security Policy Institute. She is a senior in the Elliott School of International Affairs at the George Washington University.

1 Comment

  1. Many of the former Soviet satellite regions – and even current EU nations – need to start getting serious about formalizing cyber security initiatives – so this is good to see. This will also help with the growing PCI DSS challenges that businesses are facing throughout the globe. I just also want to add that breaches will continue to happen so long as companies are lax about information security, and that’s unfortunate. What’s needed for helping ensure the safety and security of one’s I.T. environment are the following three (3) mandates: (1). Well-written information security policies and procedures – those that are actually followed! (2). Annual security awareness training for employees – structured training protocol that effectively discusses leading I.T. security threats and challenges, along with best practices. (3). Proper provisioning and hardening of information systems – such as removing default accounts and insecure and unnecessary services and protocols. The very best defense any company can have for ensuring the safety and security of organizational assets are employees who actually care about the organization and are highly trained in regards to identifying threats or concerns to the company as a whole.
