Tallinn, Estonia’s capital
Tallinn, Estonia’s capital

Estonia's cyber-space estate has been ranked as having the best cyber-security in Europe, and the fifth best in the world.

This recognition of cyber excellence for a country that is seen as being an innovator in internet-enabled government was announced at the World Summit on Information Society Forum 2017 on Thursday, where the International Telecommunication Union (ITU) introduced the latest iteration of its Global Cyber-security Index (GCI).

The GCI says, “Like Georgia, Estonia enhanced its cyber-security commitment after a 2007 attack.”

This refers to a series of cyber-attacks from 2007 which targeted the websites of a wide variety of Estonian organisations, including the Estonian parliament, banks, government ministries and newspapers. The country has a longstanding dispute with Russia about the relocation of the Bronze Soldier of Tallinn, as well as the location of war graves in Tallinn, Estonia's capital.

The GCI explains that following the attack, Estonia introduced “an organisational structure that can respond quickly to attacks as well as a legal act that requires all vital services to maintain a minimal level of operation if they are cut off from the Internet.”

It adds, “The country also hosts the headquarters of the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD CoE).”

In the world stage, Estonia ranked fifth after Singapore, USA, Malaysia and Oman. The index covers all 195 world countries – the United Kingdom came 14th.

In Europe, Estonia came out on top, followed by France, Norway, the United Kingdom and the Netherlands in the top five.

Liina Areng, director of international public relations at Estonia's Information System Authority and a NATO CCD COE Ambassador told SC Media UK by email: "Estonia's high standing is probably due to a combination of legislative, organisational and technical measures implemented in a whole-of-nation manner. That includes a unified effort by government, businesses and IT enthusiasts/voluntary community (Cyber Defence League). [The] 2007 cyber-attacks clearly helped to raise awareness in society, and most importantly among the decision-makers."

Areng added: "Since 2009, we have been systematically dealing with CIIP and risk management, and are already today compliant with the EU NIS Directive provisions. Building preparedness, mandating the implementation of baseline security standards from all public agencies and vital service providers (including private sector), investing significant attention in trust and community building – collective brain - conducting regular exercises, offering (free) training. As a most recent example -  we have launched a nation-wide cyber hygiene program that enables 50,000 public employees to have access to an online learning and testing platform on cyber-security. The same platform will be also implemented by an increasing number of private sector organisations. The recent WannaCry campaign did not affect Estonia because we have been working for years to raise awareness of the risks of ransomware."

The 2017 ITU paper announcing the results explains that it “measures the commitment of Member States to cyber-security in order to raise awareness. The GCI revolves around the ITU Global Cyber-security Agenda (GCA) and its five pillars (legal, technical, organisational, capacity building and cooperation).”

The paper adds, “For each of these pillars, questions were developed to assess commitment. Through consultation with a group of experts, these questions were weighted in order to arrive at an overall GCI score. The survey was administered through an online platform through which supporting evidence was also collected.”

The United Kingdom was praised for its “five year National Cyber Security Strategy”, which “aims to make the country one of the safest places in the world to carry out online business and doubles investment in cyber-security compared to the first plan.”

Only 38 percent of countries listed in the index have a published cyber-security strategy and only 11 percent have a dedicated standalone one; 12 percent have a cyber-security strategy which is being developed right now.

Brahima Sanou, director of the Telecommunication Development Bureau, said in the paper: “First launched in 2014, the goal of the Global Cyber-security Index (GCI) is to help foster a global culture of cyber-security and its integration at the core of ICTs. This second iteration of the GCI measures the commitment of ITU Member States towards cyber-security in order to drive further efforts in the adoption and integration of cyber-security on a global scale.

Areng concluded: "Apart from the achievements in cyber-security and the current index, Estonia has been quite successful also in other related indexes, such as the Freedom House index on Net freedom where we came No1 this year again. This implies probably the balance we have found in security and freedom dilemma providing public and private e-services based on a secure online national identity and a unique state-citizen transparency system (reverse Big Brother)."