Estonia is known as a pioneer in building e-country solutions. Some examples are e-government solutions, e-identity, e-voting, etc. My intention is to add to this list cybersecurity-related solutions, based on the fact that Estonia holds the number one position on the National Cyber Security Index (NCSI) ranking. I am not going to explain what this index is, how countries are ranked and what methodology is used – this explication is available at the National Cyber Security Index.
My story is about how to use this achievement for building better cybersecurity programs. I am highlighting some tangible cybersecurity best practices based on ISO/IEC 27032 – Cybersecurity Management standard and provide some examples from the Estonian case of national solutions, which may be interesting also internationally.
Compliance with Laws and Regulations
Less than year ago Estonia implemented the Cybersecurity Act, which provides the requirements for the maintenance of network and information systems, essential for the functioning of central and local government’s network and information systems, liability and supervision as well as the basis for the prevention and resolution of cyber incidents. Also, other laws and regulations may be considered, like the Critical Infrastructure Protection Act, baseline information security requirements for government institutions, financial services security regulation, obligations of internet service providers, data protection regulation, etc. For cybersecurity management, the laws and regulations may be helpful for initiating cybersecurity programs inside organizations.
Awareness and Training
When it comes to cyber-trainings, the Cyber Hygiene training program is the best option, and it can be organized quite easily for all employees. In Estonia, cybersecurity is also taught at university level, and the biggest technical university is currently proposing international cybersecurity master programs.
Framework of Information Sharing and Coordination
The government of Estonia has established the National Information System Authority (CERT-EE) in 2006. This organization provides assistance to the Estonian Internet users in the implementation of preventive measures in order to reduce possible damage from security incidents and to help them in responding to security threats. Moreover, a quite unique structure in Estonia is the cyber defense league, where voluntary members can share appropriate and up-to-date information about cybersecurity threats and appropriate defense mechanisms.
Testing and Drills
A famous cybersecurity exercise initiated by and used in the military, but now expanding to non-military uses as well, is the Locked Shields exercise; the largest and most advanced international live-fire cyber defense exercise in the world, organized by the NATO Cooperative Cyber Defense Centre of Excellence (CCD COE) in Tallinn. This exercise consists of a cross-border establishment of SOC (Security Operations Centers) where some of the participants are “red” and others are “blue”. Red teams initiate cyber threats and attack scenarios while blue teams act as defenders and incident responders.
In Estonia citizens can use ID cards, mobile ID or smart ID solutions for setting up identification and authentication schemes. According to standards of cybersecurity, at least two authentication mechanisms are needed for a strong authentication and in the case of ID cards the two authentication factors are the card itself (physical or electronic) and the PIN number.
In Estonia the digital signature is legally equal to the written signature. It is a suitable tool to ensure non-repudiation and it adds to the overall electronic usage and functionality of the ID-card and mobile ID. Many online banking solutions use a layered approach where users have to use strong authentication mechanism to get access to a bank account and digital signing as verification of transactions. A similar approach is used in e-voting solutions.
Use of Cryptography
Alongside the ID card, public key cryptography may be used to ensure the confidentiality and integrity of data. The card’s chip stores a key pair, allowing users to encrypt digital documents based on principles of public key cryptography.
Secure Data Exchange
Systems which may be considered part of the state information system, exchange data securely using X-road solution when a similar concept like VPN (virtual private network) is used. To ensure secure transfers, all outgoing data from X-Road is digitally signed and encrypted, and all incoming data is authenticated and logged.
The aforementioned security solutions have been implemented in services that actually work. Another popular e-service which affects the citizens’ life more directly and more often is, for example, the incoming tax refund service – this service consists in collecting the necessary data from different data sources, making the systematic checks and if all is correct, it presents the results to the citizens for confirmation.
Cyber Incidents Response
Estonia gained its first experience in responding to national-level cyber-attacks over ten years ago. During April 2007, several cyber attacks against authorities and companies took place, mostly by means of distributed denial of service – DDOS attacks. This experience has certainly helped stakeholders to prepare a better incident response for similar scenarios in the future.
It goes without saying that existing solutions are updated and continuously improved, while new threats as well as solutions come up all the time. For example, the strength of cryptographic keys is under continuous monitoring in Estonia by competent cryptography experts, the reports of which are sent to the appropriate stakeholders. New developments relate, for example, to blockchain technology, which helps get a higher level of assurance.
Cybersecurity Management System
Coming back to the cybersecurity management system, an ISO/IEC 27032 standard-based approach is considered appropriate for many reasons. First, it gives a comprehensive and complete view regarding the establishment and implementation of solid cybersecurity programs – as cybersecurity seems to be a technical issue (i.e. application level controls, network controls, authentication, encryption, etc.). A standardized approach will not leave aside the organizational (decisions about cybersecurity, cybersecurity program and project management, data classification, etc.) and human aspects out (awareness, training, etc.) of it.
Second, it explains very carefully the integration of different management systems and practices – you can rely on an existing Information Security Management System (ISO/IEC 27001) and seek improvements connected with the cyberspace, but without proper risk analysis and management it is not possible to make meaningful decisions (ISO/IEC 27005). However, cybersecurity controls are not only related to the information security controls (ISO/ IEC 27002), and in order to understand better the services offered in the cyberspace you can refer to the requirements of (ISO/IEC 20000-1) – Service Management System. In order to have an effective management of cybersecurity you have to consider proper incident management (ISO/IEC 27035) and you have to have recovery capabilities (ISO 22301).
It is hard to find a better approach than the combination of standardized management systems and word-class cybersecurity solutions to get reasonable assurance. My proposal is to establish, implement and operate a good Information Security Management System (ISMS), and within it create an appropriate cybersecurity program using proven security practices and improve the management system continually according to the new regulations (i.e. General Data Protection Regulation – GDPR, directive on security of network and information systems NIS Directive, etc.), according to the occurrence of security incidents and threats (not only what happens inside the organization) and so on.