The rapid development of information and communications technology (ICT) over the past decades has contributed remarkably to the increase in economic competitiveness, citizens’ welfare and governance efficiency. This increasing connectivity and dependence, however, has also brought about a broad range of new challenges, from denial of service attacks and intellectual property theft to attacks against government networks and critical infrastructure.
Estonia has consistently raised cyber issues on the international stage. Not only has this become an integral part of domestic affairs, but also of international and economic relations, as part of the bigger picture. Significantly, cybersecurity was defined as one of NATO’s spheres of activity at the Warsaw Summit. Estonia regards cybersecurity as an integral aspect of broader security; it protects our digital lifestyle.
Information technology and the related and closely intertwined services network have fundamentally changed society over a short period of time. A greater dependence on electronic services has resulted in greater vulnerability in cyberspace. Estonia has addressed these issues in two national cybersecurity strategies (2008–2013 and 2014–2017). The former established domestic procedures and institutions to ensure an efficient division of labour and cooperation between agencies. The latter placed greater emphasis on the protection of critical infrastructure, the fight against cybercrime and the improvement of information security competence. It also developed the legislation environment for ensuring cybersecurity, international cooperation and development of the cybersecurity sector of the economy.
The current strategy was extended to 2018, in order to fully complete the objectives to a high level of quality. Preparations have now begun for the adoption of a third cybersecurity strategy. The strategy will help acknowledge cybersecurity as a wider priority for Estonian society. This new strategy will build on the previous, setting out a clear mission and vision and adding value through cross-sectoral priorities, whilst planning the resources necessary for all activities.
The mutual connectedness of states and the dependence on cyberspace without borders requires international cooperation in the field of cybersecurity. The goal of international cybersecurity cooperation is to ensure high-level national protection against cyber threats. This is achieved through international exchange of information and experience, promotion of mutual trust, protection of human rights and fundamental freedoms in cyberspace and strengthening of alliance and partnership relations. In view of these goals, Estonia
- develops bilateral and multilateral relations with other countries;
- contributes to the joint activities agreed in international organisations (especially the EU and NATO) and new initiatives;
- communicates with the private sector, third sector and academic partners on the global level; and
- uses a ‘helping hand policy’ and secure e-solutions to promote the development of a free and secure cyberspace in states where the third sector lacks freedom of action and the necessary technical competence.
For years, Estonia has been at the forefront of cybersecurity internationally. The NATO Cooperative Cyber Defence Centre of Excellence (CCD CoE) and the EU Agency for large-scale IT systems (EU-LISA) are both based in Tallinn. A number of influential international agreements that have been approved here, in Tallinn.
In February 2017, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations was published at the initiative of the NATO CCD CoE in Tallinn. The document addresses cyber operations as a part of transnational relations in the context of international law and gives practical guidance to nations for various situations. Tallinn Manual 2.0 is a considerably extended version of the 2013 compilation Tallinn Manual on the International Law Applicable to Cyber Warfare. Tallinn Manual 2.0 covers the entire spectrum of international law concerning cyber operations, from peacetime legal agreements to the law applicable in armed conflicts.
Estonia’s experience shows that much of the knowledge concerning cybersecurity, its vulnerabilities and mitigation, is available in the private sector. An excellent example of public and private sector cooperation is the volunteer cybersecurity unit of the Estonian Defence League. This initiative pursues national security tasks, along with interpersonal communications, professional education and awareness-raising, setting an example to many other countries.
International Law and Norms
As a relatively new domain, cyberspace brings up new issues of how international law is applied and what constitutes responsible state behaviour. Estonia works in international organisations such as the UN and OSCE to affirm the applicability of international law applies to cyberspace and analyses the particulars of its application. Estonia also contributes towards the development of consensus on universally accepted norms, with an emphasis on the applicability of human rights, in cyberspace.
Estonia has been part of the UN Group of Governmental Experts on the Developments in the Field of Information and Telecommunication in the Context of International Security on four occasions. These and other efforts, such as the work being done in the OSCE to increase transparency and build confidence and the promotion of the Council of Europe Convention on cybercrime, will help to mitigate threats and minimise tensions arising from the emergence in this field.
Ensuring Estonia’s cybersecurity requires close cooperation with allies and partners in the spheres of technology, legislative drafting, national defence and diplomacy.
Estonian Presidency of the Council of the EU and Cybersecurity
As a leader in the cyber sphere, Estonia is facing high expectations in connection with the Presidency of the Council of the EU. During the Presidency, the main cybersecurity areas of work will be the new EU cybersecurity strategy, renewal of the ENISA mandate, the certification initiative, the framework for a joint EU diplomatic response to cyber incidents, EU and NATO cooperation, the transposition and implementation of the directive on security of network and information systems (NIS Directive), and cybersecurity exercises.
Combating cybercrime is one of the three priorities of the EU internal security agenda. During Estonia's Presidency of the Council of the EU, increased attention is paid to the acquisition and guarantee of electronic evidence, the fight against fraud related to non-cash means of payment, the technical and legal challenges related to encryption, and the storage of communications data for law enforcement purposes.