Post on 08-Aug-2020
Estonia: Protecting the Information Society
Jaan Priisalu
Director General
Context • 100% of schools connected to the internet • 97% of businesses use the internet • 76% of households • Free wifi • 3G, 4G
Key figures
• 99% bank transactions • 94% tax declarations • Electronic vote since 2005 • 66% participated in online census • Digital prescriptions • E-School • Digital police • No paper in government
Pillar #1 Digital Identity
• Created in 2002 • 1 191 500 ID cards • 100 000 000 signatures in 2012 • M-ID
• Environment for data exchange • Secure and standardized • Structured data exchange • Protection of personal data • Cloud-ready
Pillar #2: X-road
Architectural schema
X-road transactions by service provider
8
Critical infrastructure dependency on IT
95% have a dependency
30% have a critical dependency
10% have no low-tech fall-back
Not including cascading effects
Triangle of Critical Infrastructure
Energy
Communications Data
Baltic sea interdependency
Cybersecurity
Supervision
Incident resolution,
analysis
Rules and regulations
et règlements
Layered defence
Individual – hygiene
Community – trust
Organization – processes
Society as whole (countries, EU)
Conclusion
• Cyber security is well organized
• Everyday monitoring
• Government communication networks
www.e-stonia.com
Additional slides
Types of attacks
Spectrum of actors
Threat environment in cyberspace
• No clear dividing line between criminal or terrorist activity and strategic attack
• Cyber attack is low-cost, technologically available, asymmetric, crosses borders
• No attribution for attacks, many 3rd parties
• Civilian critical infrastructure and private sector most vulnerable
• Not a “new threat”, but “new vulnerability”
• Policy goal: extend rule of law and stability into a chaotic domain
No Cyber War (?)
2007 attacks
• DDoS attacks against government services, news portals and banks
• Service disruptions in Estonia ca 1,5h, longer abroad
• Peak traffic exceeded avg by several hundred times
• Attacks carried out in waves, precise timing. Use of botnets • Cyber attacks were just one method used in the larger
political campaign together with other methods (economic sanctions, political pressure)
• Difficulties with verifiable attribution
Estonia’s whole-of-country response
Legislation and regulations up to date National Cybersecurity Council provides cabinet-level and inter-
agency coordination Public-private partnerships with private sector companies, civil
society, individuals Private-private partnerships Contribute internationally
Legislation
National Cyber Security Strategy of 2008 Creation of a cabinet-level National Cyber Security Council
Restructuring of the Estonian Informatics Centre for critical civilian information infrastructure protection and monitoring the country’s cyber space
Emergency Act of 2009 Cyber attacks can constitute a national emergency
Re-definition of critical services and coordinating agencies in light of lessons learned
Compulsory baseline IT security standards for the public sector
Creation of the Cyber Defence League
National Cyber Security strategy 2013
Government
National Security Council
National Cyber Security Council
Private sector stakeholders
Ministry of Economic Affairs
and Communications MoD Ministry of
Interior Affairs
Ministry of Justice
Ministry of Finance
MFA Ministry
of Science & Education
Information security network: CISO-s of critical companies and state agencies which provide or oversee critical services
National organization
EISA
CIIP operational setup in Government
EISA
All Gov networks
CIIP security measures for vital service providers
Regulatory authority over vital service providers and public sector
CERT
Information Board
Protection of Classified networks
Intelligence
Security Police
Counter terrorism
Counter Intelligence
Criminal investigations
Individual citizens, awareness and education
• Graduate and BA programs, modules
• R&D funding
• Primary and secondary education curricula
PPP
• CIIP Council
• Update of Security Regulations, Recommendations and Best Practices
• IT security community (Key Vital Service Providers and Government )hosted by national CERT – 24/7 comm lines, regular meetings etc.
International Organizations
CCD CoE
EU IT Agency
Not just government
Cybersecurity… as an international problem
International cybersecurity
• NATO
• Council of Europe
• Police cooperation
• UN, ITU, OSCE
• Bilateral and minilateral
European Union
31
Cabinet and Multinational Exercises
• Cyber Fever:Table-top exercise was organized by Cyber Defence League January 30-31
Multinational exercises
EU Cyber Europe 2010 & 2012
EU EuroSOPex 2011
EU-US Cyber Atlantic 2011
NATO Cyber Coalition 2010-2013
NATO CCD CoE Locked Shields 2012, 2013