The poster child for cybersecurity done right: How Estonia learnt from being under attack

In 2007, Estonia was the victim of a high profile campaign of state-sponsored online attacks. Now, years later, the country is promoting cybersecurity via a series of initiatives at home and abroad.
Written by Kalev Aasmae, Contributor

In 2007, Estonia became the first country in the world to be targeted by a large-scale co-ordinated international cyberattack. While the offensive, consisting of a series of smaller distributed denial-of-services (DDoS) attacks, did little damage, it did give the country's security industry valuable experience and information in dealing with such incidents.

Tallinn, home to the NATO Cooperative Cyber Defence Centre of Excellence. Image: Shutterstock

Since the 2007 attacks, Estonia's private and public sector, often working together, have heavily increased the security of the country's IT systems and built stronger authentication services, firewalls and back-up systems.

The country is now rated as being one of the most prepared against cyberattacks, according to a recent report by security vendor McAfee.

With so much of the country's government and public services available online — Estonians can even vote in national elections over the internet — cybersecurity is paramount for the country. Estonia's ID card, digital signatures and X-Road system all use 2048-bit encryption, for example, to keep citizens' data secure.

The beginnings of the online state

X-Road underpins Estonia's online government services, by enabling data to be securely exchanged between the state's information systems online. Along with public sector bodies, private sector organisations can also use X-Road to connect their own systems with the state's using X-Road – for example, in order to allow a user to query a company and a government database at the same time.

Estonians can also use their ID card to access government services online. The ID Card, now the primary identity document for Estonian citizens both in the real and digital world, was introduced in 2001. Ten years later, over 86 percent of citizens have ID cards. Holders can use the ID card to provide a digital signature that is as legally valid as a handwritten one in Estonia. Statistics from two years ago showed that approximately 40 percent of ID card owners had used digital ID to authenticate themselves or give a digital signature, and that percentage will only have grown.

With Estonia's adoption of the ID card and digital signature, preconditions for the country's first nationwide elections via the internet were created. In 2009, citizens were able to vote in elections for local government and the European parliament. In 2011, over 140,000 voters cast a ballot in the country's election, meaning that almost every fourth voter gave his or her vote via the internet.

The progress of Estonia as an online-savvy state started largely due to banking, EISA said. Today 99.6 percent of banking transactions are done electronically and the number of users of online banking in Estonia is 1.8 million clients, more than the country's population of 1.3 million.

Estonia's defence forces

With so much of its financial and state infrastructure now online, coupled with being the high-profile victim of online crime, Estonia clearly has an interest in making sure its cybersecurity is up to scratch.

Three years after the 2007 attacks, Estonia founded the Cyber Defence League — a volunteer organisation that operates under the Estonian Ministry of Defence. The body assisted the state during the cyberattacks and its members are mostly IT security specialists from different sectors. The Estonian Police and Border Guard also have their own Cyber Crimes Unit, which investigates and prosecutes online criminal activity.

Around a year later, in 2011, the Estonian Information Systems Authority (EISA) was founded. The body helps both private- and public-sector organisations to maintain the security of their information systems, and it is constantly monitoring cybersecurity threats regarding Estonia.

Estonia has also focused on the availability of education on cybersecurity, and for some years, the Tallinn Institute of Technology has been offering a master's degree programme in cybersecurity, providing opportunities for companies and organisations to gain highly educated workers.

At home and abroad

Estonia is also looking beyond its own borders in the fight against online threats: it has joined and heavily promoted different alliances and arrangements not only in the Baltic states and Nordic countries but also in EU and on a global scale.

And it's not gone unnoticed: in 2008, the Estonian capital Tallinn became the home of the NATO Cooperative Cyber Defence Centre of Excellence and in December last year, the EU's newly founded IT Agency also set up shop in the city.

Estonia's highest officials and representatives have also been championing the cyber-security agenda in Europe.

In November last year, it was announced that Estonia's president Toomas Hendrik Ilves was to chair the steering board of the European Cloud Partnership at the invitation of the European Commission; the function of the Committee is to promote the use of cross-border digital public services in European business and the public sector.

In the same month, European Parliament adopted a report by Tunne Kelam, an Estonian member of the European Parliament, calling for the development of a comprehensive cybersecurity and defence strategy on all levels in the EU.

"We need better co-ordination and more coherence. The EU is currently missing an exhaustive overview of the existing cybersecurity challenges and is also lacking common definitions, standards and a united approach to these threats. Politically motivated cyberattacks are targeting not only the information systems but also critical infrastructures of the member states," said Kelam at the time.

The report urges Europe's member states to press ahead with completing national cyber security and defence strategies and national contingency plans, and also to include cyber crisis management in crisis management plans and risk analyses.

Kelam underlined that cyber security and defence has become one of the core issues in transatlantic relations. The report encourages the EU and the US to deepen their mutual co-operation in countering the cyberattacks. "The 'cyber-dialogue' could be perceived as the new breath of fresh air in transatlantic relations," it concluded.

Editorial standards