Estonia: Protecting the Information Society

Jaan Priisalu

Director General

Context • 100% of schools connected to the internet • 97% of businesses use the internet • 76% of households • Free wifi • 3G, 4G

Key figures

• 99% bank transactions • 94% tax declarations • Electronic vote since 2005 • 66% participated in online census • Digital prescriptions • E-School • Digital police • No paper in government

Pillar #1 Digital Identity

• Created in 2002 • 1 191 500 ID cards • 100 000 000 signatures in 2012 • M-ID

• Environment for data exchange • Secure and standardized • Structured data exchange • Protection of personal data • Cloud-ready

Pillar #2: X-road

Architectural schema

X-road transactions by service provider

8

Critical infrastructure dependency on IT

95% have a dependency

30% have a critical dependency

10% have no low-tech fall-back

Not including cascading effects

Triangle of Critical Infrastructure

Energy

Communications Data

Baltic sea interdependency

Cybersecurity

Supervision

Incident resolution,

analysis

Rules and regulations

et règlements

Layered defence

Individual – hygiene

Community – trust

Organization – processes

Society as whole (countries, EU)

Conclusion

• Cyber security is well organized

• Everyday monitoring

• Government communication networks

www.e-stonia.com

THANK YOU!

Contact:

ria@ria.ee

+372 663 0200

Additional slides

Types of attacks

Spectrum of actors

Threat environment in cyberspace

• No clear dividing line between criminal or terrorist activity and strategic attack

• Cyber attack is low-cost, technologically available, asymmetric, crosses borders

• No attribution for attacks, many 3rd parties

• Civilian critical infrastructure and private sector most vulnerable

• Not a “new threat”, but “new vulnerability”

• Policy goal: extend rule of law and stability into a chaotic domain

No Cyber War (?)

2007 attacks

• DDoS attacks against government services, news portals and banks

• Service disruptions in Estonia ca 1,5h, longer abroad

• Peak traffic exceeded avg by several hundred times

• Attacks carried out in waves, precise timing. Use of botnets • Cyber attacks were just one method used in the larger

political campaign together with other methods (economic sanctions, political pressure)

• Difficulties with verifiable attribution

Estonia’s whole-of-country response

Legislation and regulations up to date National Cybersecurity Council provides cabinet-level and inter-

agency coordination Public-private partnerships with private sector companies, civil

society, individuals Private-private partnerships Contribute internationally

Legislation

National Cyber Security Strategy of 2008 Creation of a cabinet-level National Cyber Security Council

Restructuring of the Estonian Informatics Centre for critical civilian information infrastructure protection and monitoring the country’s cyber space

Emergency Act of 2009 Cyber attacks can constitute a national emergency

Re-definition of critical services and coordinating agencies in light of lessons learned

Compulsory baseline IT security standards for the public sector

Creation of the Cyber Defence League

National Cyber Security strategy 2013

Government

National Security Council

National Cyber Security Council

Private sector stakeholders

Ministry of Economic Affairs

and Communications MoD Ministry of

Interior Affairs

Ministry of Justice

Ministry of Finance

MFA Ministry

of Science & Education

Information security network: CISO-s of critical companies and state agencies which provide or oversee critical services

National organization

EISA

CIIP operational setup in Government

EISA

All Gov networks

CIIP security measures for vital service providers

Regulatory authority over vital service providers and public sector

CERT

Information Board

Protection of Classified networks

Intelligence

Security Police

Counter terrorism

Counter Intelligence

Criminal investigations

Individual citizens, awareness and education

• Graduate and BA programs, modules

• R&D funding

• Primary and secondary education curricula

PPP

• CIIP Council

• Update of Security Regulations, Recommendations and Best Practices

• IT security community (Key Vital Service Providers and Government )hosted by national CERT – 24/7 comm lines, regular meetings etc.

International Organizations

CCD CoE

EU IT Agency

Not just government

Cybersecurity… as an international problem

International cybersecurity

• NATO

• Council of Europe

• Police cooperation

• UN, ITU, OSCE

• Bilateral and minilateral

European Union

31

Cabinet and Multinational Exercises

• Cyber Fever:Table-top exercise was organized by Cyber Defence League January 30-31

Multinational exercises

EU Cyber Europe 2010 & 2012

EU EuroSOPex 2011

EU-US Cyber Atlantic 2011

NATO Cyber Coalition 2010-2013

NATO CCD CoE Locked Shields 2012, 2013