Estonia (EE)

Estonia was one of the first countries to develop a national cybersecurity strategy (2008), followed by the publication of an updated strategy in 2014. The 2014 strategy builds on the initial strategy but includes new threats and needs, with a comprehensive assessment of cyber security threats facing Estonia and the capacity to respond to them, both in terms of operational capacity and legal framework. In addition to identifying and managing cyber risks, the 2014 strategy focuses on identifying and managing cyber security risks, ensuring the provision of vital services, increased efficiency on combatting cyber crime, developing national defence capacity, raising awareness and ensuring the availability of experts and solutions for cyber security.

The 2014 strategy has four key objectives:

Obj. 1 - Implement a comprehensive system of security measures, consisting of different levels, will be implemented in Estonia to ensure cyber security at national level. With regard to critical infrastructure, ensure the uninterrupted provision of services and their resilience. The reliability of services and infrastructure, including ensured and perceived high security, represents an important success factor for ensuring the attractiveness of Estonia to foreign investors.

Obj. 2 - Ensure safety in cyber space as an important component of fighting cyber crime, including the anticipation, detection and processing of cyber crimes.

Obj. 3 - Raise awareness among the public of information security risks. Improve the efficiency of fighting cyber crime by ensuring users of computers and smart equipment are able to deal with cyber threats in their everyday life and work.

Obj. 4 - Ensure that proportionate legal regulations serve to support the secure and extensive use of information systems.

Obj. 5 - Support the promotion of international co-operation and promote Estonia as a country with a very high level of information security competence and awareness.

The Estonian Information System Authority provides definitions for both “critical infrastructure” and “critical infrastructure protection”, as well as the term “vital systems”, which is used by the Estonian Government in legislation and policy related to information security: www.ria.ee.

 

 

NATIONAL CYBERSECURITY STRATEGY - NIS Capacities

Year of adoption

2008 for the period 2009-2013.

Revised in 2014 for the period 2014-2017,  Cyber Security, Ministry of Economic Affairs and Communications: www.mkm.ee/en/objectives-activities/information-society/cyber-security.

Updates and revisions

The revised 2014 strategy takes into account the lessons learned from the implementation of the previous strategy, experiences of other states.

Implementation and monitoring

The Ministry of Economic Affairs and Communications implements cyber defence policies in close co-operation with the Cyber defence unit of the Defence League, a voluntary organised group to defend Estonian cyber space; the International Centre for Defence Studies for research and analysis; Estonian Information System’s Authority (EISA), which coordinates the development of information systems: www.kaitseliit.ee/en/cyber-unit; www.ria.ee/en/.

The Ministry of Economic Affairs and Communications works in co-operation with the Ministry of Internal Affairs; the Ministry of Defence; the Ministry of Foreign Affairs; the Ministry of Education and Research and the Association of Information Technology and Telecommunications.

Operational capacity building

Estonia has two CERTs/CSIRTs: national/government and military.

  • National computer emergency response team (CERT) or computer security incident response team (CSIRT)

The Estonia Computer Emergency Response Team (CERT EE) is responsible for managing security incidents in .ee computer networks. English: https://www.ria.ee/en/cert-estonia.html.

  • Year of establishment 2006
  • National competent authority for network and information security (NIS)

CERT-EE assists Estonian Internet users in the implementation of preventive measures in order to reduce possible damage from security incidents and to help them in responding to security threats. CERT Estonia deals with security incidents that occur in Estonian networks, start there, or which it has been notified about by citizens or institutions either in Estonia or abroad. The support provided by CERT Estonia depends on the type and severity of a security incident, on the number of users potentially affected by it and on resources available for the organisation.

Handling incidents: accepting reports, prioritising incidents according to their level of criticality, analysis, responding to incidents and technical support for solving the incidents. For simultaneous incidents, CERT will coordinate the response to such incidents.
Giving warnings/notices: gives the users information about security gaps, which have been discovered in most popular systems and applications in Estonia. Warnings are mainly given to the attacks and security gaps with a high criticality level and for extremely widespread viruses.
Support for institutions and Internet service providers: support for system administrators, network administrators or customer support that the end users should contact in case of security incidents. The extent of CERT Estonia support depends on the type and criticality of the security incident, the extent of the influenced environment and the resources available in the team.
Preventive measures: periodic events and media campaigns for raising awareness about information security.

Information System Authority acts as Estonia’s national competent authority for network and information security: www.ria.ee

  • Other incident response teams

Estonian Defence Forces Cyber Incident Response Capability (EDF CIRC).

  • International co-operation

In June 2016, Estonia joined the list of nations that have signed the new Memorandum of Understanding (MOU) on cyber defence co-operation with NATO: www.nicp.nato.int/estonia-signs-new-mou-on-cyber-defence-cooperation/ind....

This second generation MOU aims to further improve cyber defence cooperation and assistance between NATO and national cyber defence authorities. The Memorandum contributes to the enhancement and interoperability of NATO and national cyber defence capabilities and facilitates information sharing and assistance to improve cyber incident prevention, resilience and response capabilities.

  • National cybersecurity exercises conducted

Estonia conducted two national cyber exercises, Cyber Hedgehog in 2010 and Cyber Fever in 2012. Estonia took part in multi-national cyber exercises organised by NATO in 2013. NATO’s Cooperative Cyber Defence Centre of Excellence is based in Estonia: www.ccdcoe.org.

  • National incident management structure (NIMS) for responding to cybersecurity incidents

Partial coverage.

National incident management procedures are outlined in the Emergency Act 2009. Cyber security incidents are not addressed in particular: www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXXX26&pg=1&tyyp=X....

Legal conditions

Legal measures in place

  • Legislation/policy requiring the establishment of a written information security plan.

Pursuant to the Emergency Act 2009, which compels the government to establish security measures for certain vital information systems by means of regulation, the Regulation on Security Measures for Information Systems of Vital Services and Related Information Assets was adopted in 2013. The NCSS (2014) also sets the objective of providing appropiate legal measures.

  • Legislation/policy requiring an inventory of “systems” and the classification of data.

The State Secrets and Classified Information of Foreign States Act 2007 assigns information deemed appropriate to be treated as state secret a classification level, according to a four-tiered system. The requirements that deem information a state secret are organised by the agency or area to which the information relates:

www. nsa.ee/files/State%20Secrets%20And%20Classified%20Information%20Of%20 Foreign%20States%20Act.pdf.

  • Legislation/policy requiring security practices/requirements to be mapped to risk levels.

The State Secrets and Classified Information of Foreign States Act 2007 maps security practices to the classification level assigned to information deemed a state secret. These classification levels represent the importance of the information to the various functions of the Estonian government and foreign governments, including the level of risk involved in disclosing the information.

  • Legislation/policy requiring (at least) an annual cyber security audit.

The State Secrets and Classified Information of Foreign States Act 2007 requires an annual inspection of the integrity of the storage in which state secrets assign the top or second tier classification level are contained. No further level of auditing or reporting is required by the Act. The Electronic Communications Act 2004, as amended in 2011, entitles the Technical Surveillance Authority of Estonia to require that any communications provider carry out a security audit. There is no timetable that dictates when Technical Surveillance Authority is to require the security audits: www.legaltext.ee/text/en/X90001K4.htm.

  • Legislation/policy requiring a public report on cybersecurity capacity for the government.

The 2008 Cyber Security Strategy requires that the Cyber Security Strategy Committee will monitor the implementation of the Cyber Security Strategy by submitting annual reports to the government, measuring the progress of the implementation against the Implementation Plan. The current Cyber Security Strategy does not include this provision but does state that it retains the goals and objectives of the 2008 strategy.

  • Legislation/policy requiring mandatory reporting of cyber security incidents.

The Regulation on Security Measures for Information Systems of Vital Services and Related Information Assets 2013 requires
entities engaged in “vital services” to each appoint an individual to notify the Estonian Information System Authority in the event of a security incident, including cyber security incidents:

www.ria.ee/public/KIIK/Security_measures_for_information_systems_of_vita...

www.ria.ee

The entity must also submit a report to the Estonian Information System Authority following the resolution of the security incident.

  • Requirements for public and private procurement of cybersecurity solutions based on international accreditation or certification schemes, without additional local requirements.

The 2014 Estonian Cybersecurity Strategy includes a set of “principles and guidelines” for the procurement of national cyber security services and products. One of the principles encourages international cooperation. There are no local procurement requirements in place.

Missing legal measures

  • Legislation/policy that requiring each agency to have a chief information officer (CIO) or chief security officer (CSO)

Business and Public Private Partnerships

  • Defined public-private partnership for cybersecurity

There is not a defined public-private partnership for cybersecurity in Estonia. The Information System Authority (www.ria.ee) operates in close cooperation with private sector. Vaata Maailma (the Look@World Foundation) is public-private partnership (founded in 2001) dedicated to promoting the use of the internet and ICT services. It is composed of Estonian and international telecommunications providers: www.vaatamaailma.ee.

The foundation runs various projects that are primarily educational in nature, covering safe internet and computer use.

  • Industry organised (i.e. business or industry cybersecurity councils)

There are no significant industry-led platform that engages with cyber security. The Estonian National Cyber Defence League comprises IT professionals and representatives from organisations engaged with critical infrastructure and is one of the entities that cooperates with Ministry of Economic Affairs and Communications.

Other capacity-building measures: research and education StudyITin.eehttp://studyitin.ee/en, is funded by the Estonian state (Ministry of Education and Research), managed by the Information Technology Foundation for Education (HITSA), and supported by Skype, for securing necessary labour force for the ICT sector and for creating preconditions for Estonia’s growth through ICT.
The center has a particular focus on cyber security training and has been organizing specific Cyber Security Summer School since 2015.
Other measures

Under the Ministry of Economic Affairs and Communications, its co-operation with other government departments and related entities.

While a security audit is defined in the NCSS (2014), there is no timetable that dictates when Technical Surveillance Authority is to require such audits.

Estonia has signed agreements on developing training and cooperation in cybersecurity with Austria, Luxembourg and South Korea.

In the cyber security domain, the e-Governance Academy (eGA)  focuses on organisational, regulative and technical measures for national cyber security and includes best practice from around the world. eGA assists nations and specific sectors in improving cyber security knowledge, developing policies and legislation, raising organisational and personnel capacity, implementing security technologies, and developing cooperation frameworks.

Overall assessment/best practices

According to the International Telecommunication Union’s Global Cybersecurity index, Estonia ranks fifth in the world and first in Europe in cybersecurity, learning from its past experiences in suffering a cyber attack.

Estonia also hosts the headquarters of the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD CoE).

Date of last WISER analysis July 2017

 

Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CERT/CSIRT

CERT-EE

Guidance and Updates

CERT EE provides regular updates on the threat landscape and other related news through its website: https://www.ria.ee/en/an-id-card-software-update-brings-several-signific....

It also provides information about the protection of critical infrastructures, https://www.ria.ee/en/ciip.html, raising public awareness through EU structural funding, https://www.ria.ee/en/programme.html, and other topics related to cyber security.

Languages Estonian, English
Date of last WISER analysis July 2017.

 

Contact us for more info