Named ‘the most advanced digital society in the world’ by Wired[1], Estonia is making digital history; developing the IT infrastructure and leading the EU cyber strategy.

It was April 2007 when right after a dispute over a Bronze Soldier – that the Estonian government decided to move from a park of Tallinn to a military cemetery on the outskirts of the city – Estonia was hit by a major cyber-attack, three weeks of D-DoS (distributed denial of service) attack that paralyzed the country and all the major public and private institutions. When this happens, multiple sources send multiple online requests, flooding a service or system and making it unable to function. It’s the digital equivalent of crowding an entrance to a building so that no one can come in or out.[2]

Estonia’s defense minister at the time, Jaak Aaviksoo, told Wired Magazine[3]:

“The attacks were aimed at the essential electronic infrastructure of the Republic of Estonia,” Aaviksoo tells later. “All major commercial banks, telcos[4], media outlets, and name servers — the phone books of the Internet — felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”[5]

According to the Estonian Ministry of Defense, Estonia in 2008 was one of the first countries in the world to adopt a national cyber security strategy. It has to be noted that by 2007, Estonia had started to move its public services online: e-voting, e-taxes, e-banking, e-school etc. Although citizens relied heavily on online services in their daily interaction with government and private companies (for example 95% of banking transactions that year were carried out electronically), the Estonian government did not have an overarching strategy for securing its cyberspace. The main document that regulated the country’s information society was a fairly broad document, known as the Estonian Information Policy Concept[6] adopted in 1998. In 2006 the government adopted a sectoral development program, the Estonian Information Society Development Plan 2007-2013, that mainly dealt with the question on how to promote the use of ICT in society and improve the competitiveness of the IT sector. The only document that specifically addressed information security, known as the Information Security Interoperability Framework, was adopted by Ministry of Economic Affairs and Communications in January 2007. It laid out the general principles for improving information security in Estonia, and established a unified set of standards for the public and private sector with regard to ensuring information security.[7]

Right after the attack National Security Committee tasked the Ministry of Defense with formulating proposals for a cyber security strategy. By launching its first cyber security strategy, Estonia was at the forefront of a new and evolving policy domain – at that time, only three other countries (the United States, Germany, and Sweden) had produced specific strategies for cyber security.[8]

Focusing on the development of IT infrastructures and its cyber security capabilities underling that Cyber security cannot be ensured by the state alone. Even large countries would be unable to do so, because the internet is not controlled by states. The success of efforts to ensure cyber security depend just as much on intergovernmental cooperation as on cooperation of governments with internet service providers and organizations that ensure the operation of the internet.[9] Since 2007 Estonia approved two rounds of cyber security strategy, 2008-2013 and 2014-2017.

By the end of the first round Estonia aims to reduce the vulnerability of cyberspace, preventing cyber-attacks in the first instance and, in the event of an attack, ensuring a swift recovery of the functioning of information systems.[10] In order to do so, Estonia stated in the security strategy the main framework to follow to ensure that its IT infrastructure and all the related IT services developed for the civil use, will be covered and fully protected from a cyber-attack.

Right after the attack the main policies for enhancing cyber security, according to the first document published by the Cyber Security Strategy Committee 2008 were[11]:

· The development and large-scale implementation of a system of security measures

· Increasing competence in cyber security

· Improvement of the legal framework for supporting cyber security

· Bolstering international co-operation

· Raising awareness on cyber security

By the end of this first programme is quite easy to spot the shift in the Estonia’s policy. They started developing and implementing a system of security measures, enhancing inter-agency co-operation and co-ordination, aligning Estonia's legal framework with the objectives and requirements of the Cyber Security Strategy, promoting countries' adopting of international conventions regulating cyber-crime and cyber-attacks, and making the content of such conventions known to the international public, raising awareness of information security among all computer users with particular focus on individual users and SMEs by informing the public about threats existing in the cyberspace and improving knowledge on the safe use of computers.

With the Cyber Security Strategy 2014-2017, Estonia continues the implementation of the national framework focusing on lesson-learned from the previous strategy and adopting new measures and many different approaches to tackle the cyber-attacks. This strategy continues the implementation of many of the goals found in the Cyber Security Strategy 2008-2013. However, new threats and needs which were not covered by the previous strategy have also been added.[12]

With the new framework Estonia is trying not only to defend itself from cyber-attack but also increase cybersecurity capabilities in order to prevent and to be and active actor against cyber criminals. National cyber security is affected by the actors operating in cyberspace with their various skills, targets and motivations. It is often difficult to distinguish between the actors or determine their relationship to national or international organizations. The number of state actors in cyberspace that are involved in cyber espionage targeted at computers connected to the Internet as well as closed networks continues to grow, with their aim being to collect information on both national security as well as economic interests. The amount and activeness of states capable of cyber-attacks are increasing.

In addition to the activation of state actors, the ability of politically motivated individuals and groups with limited means to organize their activities using social networks and carry out denial of service and other types of attacks is growing as well[13].

The main principles of ensuring cyber security:

· Cyber security is an integral part of national security, it supports the functioning of the state and society, the competitiveness of the economy and innovation.

· Cyber security is guaranteed by respecting fundamental rights and freedoms as well as by protecting individual liberties, personal information, and identity.

· Cyber security is ensured on the basis of the principle of proportionality while taking into account existing and potential risks and resources.

· Cyber security is ensured in a coordinated manner through cooperation between the public-, private- and third sectors, taking into account the interconnectedness and interdependence of existing infrastructure and services in cyberspace.

· Cyber security starts with individual responsibility for safe use of ICT tools.

· A top priority in ensuring cyber security is anticipating as well as preventing potential threats and responding effectively to threats that materialize.

· Cyber security is supported by intensive and internationally competitive research and development.

· Cyber security is ensured via international cooperation with allies and partners. Through cooperation, Estonia promotes global cybersecurity and enhances its own competence.

In addition to the main goals of the Cyber Strategy the Estonian government aims to[14]:

· Ensure the protection of information systems underlying important services

· Enhance of the fight against cybercrime

· Develop the national cyber defense capabilities

· Manage evolving cyber security threats

· Develop cross-sectoral activities

From the analysis of the Cyber Strategy documents (2008-13, 2014-17) it emerges that along with all the activities concerning the implementation of the cyber capabilities and the development of the infrastructures, the cooperation with private and public entities in the fight against cyber-crime has a crucial role, that is where Privacy Rules can intervene.

Meaningful and effective cooperation between the public and private sector in the development of cyber security organization as well as in preventing and resolving cyber incidents is becoming increasingly unavoidable. National defense and internal security are dependent on the private sector’s infrastructure and resources, while at the same time the state can assist vital service providers and guarantors of national critical information infrastructure as a coordinator and balancer of various interests.[15]

According to the Recommendations for Public-Private Partnership against Cybercrime by the Word Economic Forum published in January 2016, the recent proliferation of cybercrime on businesses shows no signs of abating and cybersecurity is now a major concern for all business leaders – no matter what the industry, the region in which it operates and its corporate culture. All business is at risk from cybercrime and no industry wants to be targeted. If they are, they all strive to minimize the damage and recover as quickly and efficiently as possible. When speaking of cybercrime, business interests and those of law enforcement authorities are globally aligned. Cybercrime is now an ever-present element of society. It does not discriminate between individuals, entities or governments. Everyone – and everything – is at risk. The problem is exacerbated by the ease and speed of information-sharing among cyber-criminals for perpetrating crime, making it difficult for law enforcement and businesses to keep up. Standard law-enforcement practices are not enough any longer – tailor-made tools are needed. Most importantly, law enforcement and businesses must collaborate to address this pressing issue. The sharing of prosecution experiences as well as technical prevention/protection measures and best practices (especially related to IT education and training) requires a commitment from both the public and private sectors to engage in this as actively as possible. Placing a greater emphasis on real-time sharing of cyber threat indicators to protect against cybercrime increases the costs for cyber criminals, and allows law enforcement authorities to focus

resources on more advanced attacks.[16]

According to Klaid Mägi, head of the Incident Response Department (CERT-EE), Estonia’s preparedness to handle cyber crises has significantly increased over the past decade. The country has created intrusion detection and protection systems, practiced cooperation with both public and private institutions, significantly contributed to the awareness of users, and is participating in intensive international cooperation.

“Estonia’s current cyber security is bolstered by high-functioning e-government infrastructure, reliable digital identity, mandatory security baseline for all government authorities, and a central system for monitoring, reporting and resolving incidents. Vital service providers are obliged to assess and manage their ICT risks. Most importantly, there is a common understanding that cyber security can only be ensured through cooperation and that a joint contribution is required at all levels – state, private sector and individuals,”[17]

With the Digital Revolution Estonia is leading with the e-Residency and all the e-Estonia services[18], after the 2007 cyber-attacks there is another issue to take into consideration the role of NATO and what the Article 5 means in a case of cyber-attack.

Estonia has successfully cooperated with other ICT-advanced countries and international organizations in the field of cyber security. An active role in shaping cyber security policy led to the establishment of the NATO Cooperative Cyber Defense Centre of Excellence in Estonia. Estonia has contributed to cyber security becoming part of NATO and European Union policy, and other countries’ interest towards Estonia’s experience in cyber security has grown significantly.[19]

"Although many of the cyberattacks that we see fall below a level in their seriousness that could trigger NATO's Article 5, it is plausible that a cyberspace event of great magnitude could take place that might lead to the triggering of Article 5 in special circumstances," said Catherine Lotrionte, director of Cyber Project at Georgetown University.

NATO would take a very different and offensive posture if a cyberattack event on the scale of that launched against Estonia in 2007 were to happen now, said Brig. Gen. Christos Athanasiadis, assistant chief of staff cybers at NATO's Supreme Headquarters Allied Power Europe.

Estonia's national intelligence services, including the military branch, suspected that the cyberattack on critical IT infrastructure was launched from Russia and potentially had state backing.

Article 5, according to Athanasiadis, exists to assure all NATO states that they can rely on support from fellow members should they become the subject of an aggressive attack that threatens to undermine their national security. Article 5 could be activated in certain situations if deliberately hostile attacks against a NATO member state happened within a cyberwar scenario, he said.

"We would have rules of engagement. There would be a strong cyber or conventional response if what happened to Estonia were to take place now. We want to develop a strong early-warning capability. We must develop capacities that also serve as a deterrent to aggressors out there," Athanasiadis said.

Estonia’s adoption of a comprehensive cyber strategy and similar initiatives undertaken in neighboring countries provides the best example of how various nations are following Tallinn’s lead. Since Estonia released its Cyber Security Strategy in May 2008, a number of European countries have released similar strategies, including Germany, the Netherlands, France, and the United Kingdom. It is impossible to prove that Estonia’s Strategy was the central catalyst for these new policies, and, indeed, the United States released its own Comprehensive National Cyber Security Initiative in January 2008—four months before the release of Estonia’s document. However, the proliferation of national cyber security strategies shows that many countries are reaching the same conclusion: it is in a nation’s best interest to develop a comprehensive strategy to secure information networks. Estonia was one of the first nations to adopt such a Strategy and continues to lead the way in promoting this trend.[20]

[1] http://www.wired.co.uk/article/estonia-e-resident

[2] “Every country should have a cyber war”: What Estonia learned from Russian hacking - https://qz.com/1052269/every-country-should-have-a-cyber-war-what-estonia-learned-from-russian-hacking/

[3] www.wired.com/politics/security/magazine/15-09/ff_estonia?currentPage=all

[4] Acronym that stands for Telephone Companies

[5] Estonia, six years later - https://www.arbornetworks.com/blog/asert/estonia-six-years-later/

[6] Cyber Space in Estonia: Greater Security, Greater Challenges - Piret Pernik with Emmet Tuohy - 2013

[7] Ibid.

[8] Ibid.

[9] Annual Cyber Security Assessment 2017 Estonian Information System Authority

[10] Cyber Security Strategy Cyber Security Strategy Committee 2008 - 2013

[11] Ibid.

[12] Cyber Security Strategy - Ministry of Economic Affairs and Communication 2014

[13] Cyber Security Strategy - Ministry of Economic Affairs and Communication 2014

[14] Ibid.

[15] Cyber Security Strategy - Ministry of Economic Affairs and Communication 2014

[16] Recommendations for Public-Private Partnership against Cybercrime – World Economic Forum – January 2016

[17] https://e-estonia.com/how-estonia-became-a-global-heavyweight-in-cyber-security/

[18] According to the Interagency Cooperation on Cyber Security: The Estonian Model - Piret Pernik and Emmet Tuohy, International Centre for Defense Studies - In Estonia 99.6% of banking transactions are done electronically. Public and commercial e-services depend on the functioning of ICT systems and the availability of electricity, including from cross-border critical infrastructures. Pursuant to the Emergency Act there are 42 vital services in Estonia and most of them are based on the use of ICT systems. Vital service means a service that is essential for the maintenance of the society, and the health, safety, security, economic or social well-being of people.

[19] Cyber Security Strategy - Ministry of Economic Affairs and Communication 2014

[20] Estonian Cyber Policy after the 2007 Attacks: Drivers of Change and Factors for Success - Camille Marie Jackson