“We were lucky to have the attacks of 2007,” says former Estonian foreign Minister Marina Kaljurand.
Speaking at Black Hat Europe, a cyber and information security event in London, Kaljurand discussed the cyberattack on her country that forced the government to change how it thought about cybersecurity.
In 2007 Estonia was hit by a series of major cyber incidents: online banking services were disrupted as well as traditional ATM services, resulting in a week during which Estonians could not withdraw cash or pay for services.
Government departments and agencies were unable to communicate with each as they tried to regain control over their systems. Media outlets were also severely disrupted as they were targeted with DDoS attacks.
The IP addresses of the threat actors’ were all in Russia and the cyber attacks coincided with pro-Russian protests in Estonia over the government’s plans to remove a Bronze statue of a WW2 Russian solider to from a prominent location to a military cemetery.
The attacks were attributed to Russian state threat actors.
A “Wake-Up Call”
In 2007 Marina Kaljurand was the ambassador to Russia and one of her first tasks following the attack was to find ways of cooperation with Russia, however she says: “I failed, it takes two to tango.”
She notes that in Estonia they see the attacks as a lucky early wakeup call before everyone else got the memo. Since 2007 many things have changed and improved: “But there are somethings that today are as important as they were in 2007,” she states.
“We learnt the importance of political decision making, having cyber security high on the political agenda which means appropriate financial and human resources towards the topic.”
As a country they learnt the: “Importance of having your house in order, rules and regulations in place.”
Black Hat Europe
Estonia’s cybersecurity efforts are done in partnership with the private sector: “The collaboration between the private and public sector has in my country been the centre of innovation.”
However, she makes it very clear that there are “No golden rules” when it comes to determining how these two bodies work together.
In Estonia it works in a “patriotic way” with people volunteering their skills in an all-hands-on-deck effort: “People with different backgrounds, IT people, Lawyers, economists, doctors with security clearance are working free for government during their weekends and free time.”
She found that governments like Estonia can’t afford to hire the best in their profession when it comes to these types of skills. Estonia’s population is just under 1.5 million; in contrast over 8 million people live in London alone. The country’s GDP is approximately £20 billion.
The Estonian way will not suit every country, but they have done something more impactful, Kaljurand notes: they have fostered a cultural awareness of cybersecurity. First graders are taught cyber hygiene practices. The country has a voluntary Cyber Defence Unit.
Yet for any government to harvest the benefits within their own country they first “have to overcome mistrust of both private sector and industry. Governments have to understand it is a two-way cooperation.”
“As a foreign minister meeting industry and private sector, I was hearing all the time that government are not listening to us, they are not including us in deliberation, they are not taking us seriously.”
Well Estonia is listening: so much so that they recently held a NATO cybersecurity war game which hosted officials from 28 NATO member states. Estonia is preparing for not if, but when the next major cyber incident occurs and with collaboration from the private sector they expect to be ready for it.