In June 2024, Eoin Byrne from Cyber Ireland had the opportunity to participate in a visit to Estonia with a delegation from Ireland to meet with organisations across the cyber security ecosystem to better understand how Estonia has become a leading country internationally and what learnings we can take for Ireland.
Estonia’s Digital Economy and Society
Estonia, a small Baltic nation of 1.4 million people, has emerged as a global leader in the digital economy, integrating digital technology into everyday life, in particular with citizens engagement with government. At the heart of this digital revolution is a strong cyber security posture, prioritised by the Estonian government as a critical enabler for a secure digital society.
Digital Leadership and E-Government Services
Estonia’s commitment to a digital society is epitomized by its pioneering e-government services. Every Estonian citizen has an electronic ID (eID), which enables secure access to a wide array of government services online. This eID system ensures that citizens can interact with government services efficiently and securely. In recent elections, Estonia achieved a significant milestone: for the first time, more people voted electronically than using traditional paper ballots. This demonstrates the trust in electronic voting system and e-government services.
The 2007 Cyber Attack and Its Impact
Estonia’s journey in cyber security was influenced by the significant cyber attack it faced in 2007. This attack, which targeted government, banking, and media websites, highlighted the vulnerabilities in Estonia’s digital infrastructure. Instead of crippling the nation, it acted as a catalyst for developing a robust cyber security ecosystem. Fast forward to the present day, cyber attacks in Estonia have increased in frequency. Yet the impact on society has been minimal due to the significant improvements in cyber security measures. This resilience is a testament to Estonia’s proactive approach and continuous investment in cyber defense.
Global Leadership in Cyber Security
According to the Global Cybersecurity Index, Estonia consistently ranks among the top countries for its cyber security capabilities. This recognition is not just a reflection of Estonia’s technical expertise but also its comprehensive approach that includes policy-making, international collaboration, public awareness and education.
Estonia’s Cyber Security Ecosystem
Estonia’s cyber security ecosystem is supported by several key organisations that work collaboratively to ensure the nation’s digital resilience.
- Information System Authority (RIA): RIA is responsible for implementing Estonia’s national cyber security policy, managing the national information system, and protecting critical infrastructure – Further information
- Ministry of Foreign Affairs and the Cyber Ambassador: This ministry, with the guidance of the Cyber Ambassador, Mr Tanel Sepp, leads Estonia’s international cyber diplomacy efforts, advocating for global cyber norms and cooperation. – Further information
- CR14 – established by the Ministry of Defence of Estonia, is based on more than 10 years of military-grade cyber range experience and provides a wide range of cyber range solutions, including cyber range training, exercises, testing, validation and experimentation. Further information.
- NATO Cooperative Cyber Defence Centre of Excellence (CCD COE): This international military organisation provides cyber defense capabilities among NATO member countries and partner countries through research, training, and exercises. Further Information
Notable Aspects of Cyber Security in Estonia
Several factors highlight Estonia’s comprehensive approach to cyber security:
Government Prioritisation
The Estonian government’s prioritisation of cyber security is evident in its state budget allocations. Significant investments are made to ensure the development and maintenance of a secure digital infrastructure, recognising cyber security as essential for national security and economic stability.
Increased Cyber Threats and Defense Postures
Since the Russian invasion of Ukraine there has been increased cyber attacks in Estonia. These attacks underscore the importance of a robust cyber defense strategy, as Estonia faces the existential threat of nation-state actors targeting its IT networks.
Non-Technical Aspects: Policy and Diplomacy
Estonia recognizes that effective cyber security extends beyond technical solutions. Cyber policy and diplomacy are crucial components, exemplified by initiatives like the Cyber Policy Micro-Credential course at Tartu University. This course aims to upskill government officials in cyber security, policy, and law, ensuring a well-rounded approach to cyber defense.
Cyber Awareness and Literacy
A cyber-literate society is considered the first line of defence in Estonia. Public awareness campaigns and educational programs emphasize the importance of cyber hygiene, ensuring that citizens are informed and proactive in protecting themselves online.
Cyber Ranges for Training
Estonia has become a leader for Cyber Range training and infrastructure. These platforms are used for national cyber exercises, industry training, and academic research, ensuring a high level of practical experience and preparedness across all sectors.
Culture-Specific Digital Transformation
Estonia’s digital transformation is deeply rooted in its cultural values. The nation’s respect for privacy, efficiency, and rule of law translates into its approach to digital governance. This cultural alignment ensures that digital solutions are tailored to the specific needs and values of Estonian society.
Learnings for Ireland
Given Ireland’s digital leadership and technology sector, we require a strategic focus on cyber security as a foundation for our digital society. Several key learnings can be drawn from Estonia’s experience:
Government Prioritisation and Whole-of-Government Approach
The Irish government must prioritise cyber security as a fundamental enabler of our digital society. This involves a whole-of-government approach, ensuring that all departments and agencies are aligned in their cyber security efforts.
National Cyber Security Standard
Estonia’s RIA has implemented the “Estonian information security standard (E-ITS)” aligning with international standard ISO27001 to ensure a uniform level of cyber security across public and private sectors. A similar standard would benefit Ireland for NIS2 regulation and also more broadly for non-NIS2 regulated entities. Industry could be incentivised through reductions in cyber insurance premiums and increased scoring offered for government tenders to companies who have been certified.
Development of a Cyber Reserve
Inspired by Estonia’s CERT-EE model, Ireland could develop a cyber reserve comprising industry experts who can be mobilized in case of a major cyber incident. This reserve would enhance Ireland’s capacity to respond to significant threats, similar to how Estonia leverages its Cyber Reserve.
Financial Support for SME’s Cyber Resilience
Ireland could adopt a programme similar to the RIA’s cooperation with the Estonian Business and Innovation Agency, offering financial support to small and medium sized business to improving their cyber resilience. Grants and incentives would allow companies to assess and enhance their cyber security, benefiting the overall national security posture.
Cyber Policy Education
While Ireland has over 70 NFQ accredited courses in cyber security nationwide, there is an absence of non-IT courses. A Cyber Policy course, similar to Estonia’s program at Tartu University, could upskill professionals from non-technical backgrounds. This would ensure that policy makers, legal experts, and other stakeholders are well-versed in cyber security issues, facilitating informed decision-making in more areas of government and industry.
Cyber Awareness and Literacy
Learning from Estonia, we need a cyber-literate society to be Ireland’s first line of defence. This can be achieved through a national, coordinated cybersecurity public awareness and education programme.
Joint Parliamentary Committee on Cyber Security
To elevate the importance of cyber security in government, Ireland could establish a joint parliamentary committee focused on identifying key areas for improvement, learning from international leaders like Estonia, and developing national strengths in cyber security. This committee could play a crucial role in shaping Ireland’s cyber security strategy and ensuring sustained attention to this critical area.
In conclusion, Estonia’s leadership in cyber security offers valuable insights for Ireland. By adopting a holistic approach that includes technical, policy, societal and cultural dimensions, Ireland can build a robust digital economy and society, resilient to the evolving cyber threat landscape.