This week at the Cyber Security Summit in London, a statement was made by one of the key speakers that caught the attention of delegates, press and other speakers alike.
Major General Jonathan Shaw, head of the defence cyber operations group at the MoD, singled out a Baltic state as a leading light when it comes to cyber readiness and being prepared for "a one-nation response".
His focus was Estonia, a country of just under one and a half million people that marked 20 years of restored independence in 2011. Its cyber history is well known: in 2007 it was hit by a series of distributed denial-of-service (DDoS) attacks over a period of time, and government, financial and political party websites were taken down.
The blame was placed on Russia, and a Russian youth group claimed responsibility two years later. However, a year after the attacks, seven NATO countries agreed to fund a centre of excellence in Estonia. It was built that year and is one of 15 accredited Centres of Excellence (COEs) for training on technically sophisticated aspects of NATO operations. It conducts research and training on cyber security.
Shaw said: “Estonia represents a country that is in a post-attack mode, not like the UK which is in a pre-attack mode. We need a national response with GCHQ as the pillar.”
This led me to think that with so many looking at the MoD or the US Department of Homeland Security, you would assume that one of those would be the pillar of global cyber defence for others to follow. After all, despite its 20 years of independence, there may be some who would view Estonia as somewhat suspicious because of its Soviet heritage, or even because of the arrest and charge of Estonian nationals in cyber-crime-related activities.
I turned to some Estonian government agencies to see what they felt about such high praise. The MoD in Estonia told SC Magazine that its 'cyber leader' role stems from its highly developed information society where the Estonian public and private sector have a long tradition of providing online services, which include e-voting, e-prescriptions, e-schooling and some of the highest adoption rates for online banking and payments in the world.
A statement said: “It naturally follows that we put effort into ensuring the safety and security of our information society. This was already the case prior to cyber attacks against Estonia in 2007. Cyber defence is not merely a military affair, but requires the participation of all sectors of government and society.”
It also claimed that Estonia's approach emphasises that every owner and user of a network is responsible for its security, including critical service providers, particularly in the private sector, and also individual users.
“Citizens should be knowledgeable about cyber security issues from their first contact with networked devices. We currently include basic cyber security training in our elementary school curriculum, though our National Cyber Security Strategy also foresees expanding this to preschool,” it said.
“All IT-related university curricula include a module on cyber security. Two of Estonia's leading universities also jointly offer one of the world's first masters-level programmes in cyber security.”
So cyber security is taught in schools in Estonia and rules on responsibility are well detailed; some in the UK would argue that such an established method is something of a pipe dream here.
I also spoke to the Estonian Information Systems Authority, which helps state, private and public sector organisations maintain the security of their information systems.
A spokesperson said: “Being seen as a leader (by any country) has a double effect: first, if attack vectors are being tested, it is reasonable to test them with the strongest opponent you can find. So, the reputation of the leader results in the heavier workload for our cyber security specialists.
“On the other hand, being the 'Test Site Estonia' brings the newest trends in the cyber security field right to us - our experts see the latest.”
It called Shaw's compliments "exceptional", but said that the reason it takes so much interest in cyber security lies within the structure of Estonian society. “As we have 1.4 million inhabitants, the only way to stay effective is to make our society digital. In November 2011, 99.6 per cent of all bank transactions were performed electronically. This spring, 94 per cent of tax declarations were filed electronically; it takes only 15 minutes to establish a company electronically, etc. For Estonia, cyber security is unavoidable to keep our vital services running and maintain our way of life,” it said.
So if Estonia is the key leader in cyber security as a nation state, what advice would it pass on to public and private sector companies when it comes to protecting against an attack?
In short, it said "co-operation and awareness raising". The spokesperson added: “One of the Estonian risk managers once said 'only the strong ones can afford talking about their weaknesses'. There have been large (politically motivated) cyber attacks before 2007 and after, but one reason many know about Estonia is the amount of information.
“We talked about everything we knew: about the assumed motivation, the methods used, the timelines and mitigation. We shared graphs and gave data to be analysed by specialists in other countries. After 2007, people in Estonia were really interested in cyber security, we responded with awareness raising campaigns and activities.
“As the 'weakest link' of cyber security is often seen between the chair and the monitor, the attitude and behaviour of computer users is a very important aspect for us.”
The reason Estonia is perceived as a cyber leader by Shaw is that it experienced an attack, dealt with it, learned from it and moved on with this knowledge and education. I am not suggesting that the best way to become stronger is to be a victim of an attack, but Sony, RSA and others will stand stronger in the future due to their experiences in 2011.
Estonia also faces different challenges to the UK and US due to its population size and 'age' as a nation, but to see how to survive and be praised by the MoD, the future may be to go east.