Estonia: Cyber Superpower

(page 2 of 2)

Estonia has placed the issue on par with energy security as a top priority for its chairmanship of the Baltic Council, an organization of parliamentarians from all three Baltic States. Estonia will hold the chair for a year starting in May 2008. Already, it has lined up eight countries willing to participate in the launch of a NATO Center of Excellence in Cooperative Cyber Defense, which will be located in Tallinn.

The proposal for the center was made in 2004, and the countries now on board include the Unites States, Spain, Germany, Italy, Bulgaria, Lithuania, Latvia, and Poland.

"Estonia has drafted two cooperation agreements, one of which will be signed between the countries that have expressed the wish to take part in the NATO center, and the other between NATO and the countries taking part in the center of excellence," Aaviksoo said in November, while promoting his cyber-security strategy. The eight countries will be asked to sign on formally as partners in January 2008.

Moreover, Estonia called in July for an international convention on combatting computer-based attacks. Global ratification of the convention would establish "a strong legal basis to fight cyber crimes," the Estonian Ministry of Economic Affairs said in a statement. Signatory countries would cooperate in preventing computer-related crimes and tracking down organizers of cyber-attacks.

So strong now is Estonia's reputation in the field that some countries already are trying to poach leading figures in cyber-security development. Hillar Aarelaid, head of the national CERT program, said he has received several lures from overseas, including an "exotic" bid from Singapore.

MONEY IN THE BANK

Along with government websites, Estonian banks came under cyber-attack during the spring showdown with hackers. Hansapank, which is owned by Sweden's Swedbank, was among the main targets, but it managed to keep its infrastructure intact and suffered only minor losses. It had prepared plans to deal with attacks in advance, and Hansapank, like many other Estonian financial instituations, worked closely with the CERT team.

Now that it has weathered an attack, Hansapank is able to serve as a model for financial institutions elsewhere as they prepare to protect themselves aginst threats, according to Toomas Vaks, the bank's internal-supervisory departments director.

"Thanks to that [attack], Estonia has repeatedly been invited to discussions in various international crime fighting seminars," Vaks said. "These so-called test attacks mean that Estonian banks have to be ready for constant wars, during which security systems have to be constantly improved."

Nordea Bank senior analyst Mikka Erkkila said that by specializing in cyber-security, Estonia effectively is creating a new financial services product. It is almost impossible, however, to put a figure on the likely size of the sector. With applications including such diverse areas as communications, database protection, cost savings, and remote military operations, the sector is potentially enormous. Some estimates put the global cost of damage caused by cyber-crime at around 68 billion euros each year, indicating a vast market for prevention and defense strategies.

Since Estonia is a small market, Erkkila said it was essential for Estonia to team up with larger international players to maximize the impact of its expertise in cyber security.

UNCONVENTIONAL DEFENSE

As outsiders look to Estonia for the next stage in security development, observers are picking up on particular trends that could teach valuable lessons. Alexander Ntoko, head of corporate strategy at the International Telecommunication Union, said it was imaginative responses that allowed Estonia to emerge from the spring cyber-attack relatively unscathed.

"In a number of countries, when the presidential website is being attacked, everybody rushes to protect it," Ntoko said, using the head of state's homepage as an example of a high-level government site that was attacked. "In Estonia it was different. They said, 'Well, let them attack and destroy this,' so that it would divert [the hackers] from destroying more critical things. The president basically gave up his own website and let them continue to attack it so that they would not be able to attack other things. That took a lot of political maturity."

Andrus Ansip: The prime minister sees his country as the good cop.

"[Estonian officials] didn't have enough people to be able to deal with the massive nature of the attacks, so they had to see how they could divert attention from other resources," Ntoko continued. "We are still following up on the Estonian experience because we want to be able to learn as much as we can and how to help other countries who might be subject to these types of attacks."

But in the fast-moving worlds of information technology and communications, time is of the essence, Ntoko added. As the use of online technologies balloons, more and more aspects of the physical world are being run by technology. Unless lessons from Estonia are learned quickly while the country presses for cyber-security development, the world could witness scenes that until now have existed only in the realm of Hollywood films or sci-fi dystopia.

"Imagine the types of attacks that could occur," Ntoko said. "Before, we were looking at people destroying information. But soon there will be the possibility of people being able to remotely manipulate industrial machines...[There could be] not just service attacks but real attacks on real infrastructure."

Provided by Transitions Online—Intelligent Eastern Europe