Current status: National Cyber Security Strategy
Estonia was one of the first countries to develop a national cybersecurity strategy, in 2008, followed by the publication of an updated strategy in 2014. The 2014 strategy builds on the initial NCSS but addresses new threats and needs, with a comprehensive assessment of the cyber security threats facing Estonia and of the capacity to respond to them, both in terms of operational capacity and legal framework. The 2014 strategy focuses on identifying and managing cyber security risks, ensuring the provision of vital services, increasing the efficiency of combating cyber crime, developing national defence capacity, raising awareness, and ensuring the availability of experts and solutions for cyber security.
The 2014 NCSS sets out the following key objectives:
Obj. 1 - Implement a comprehensive, multi-level system of security measures in Estonia to ensure cyber security at the national level. With regard to critical infrastructure, ensure the uninterrupted provision of services and their resilience. The reliability of services and infrastructure, including ensured and perceived high security, is an important success factor in keeping Estonia attractive to foreign investors.
Obj. 2 - Ensure safety in cyber space as an important component of fighting cyber crime, including the anticipation, detection and processing of cyber crimes.
Obj. 3 - Raise awareness among the public of information security risks. Improve the efficiency of fighting cyber crime by ensuring users of computers and smart equipment are able to deal with cyber threats in their everyday life and work.
Obj. 4 - Ensure that proportionate legal regulations serve to support the secure and extensive use of information systems.
Obj. 5 - Support international co-operation and promote Estonia as a country with a very high level of information security competence and awareness.
Appropriate definition for critical infrastructure protection (CIP): yes. The Estonian Information System Authority provides definitions for both “critical infrastructure” and “critical infrastructure protection”, as well as the term “vital systems”, which is used by the Estonian Government in legislation and policy related to information security.
National Cyber Security Strategy
Year of adoption: 2008 for the period 2009-2013. Revised in 2014 for the period 2014-2017 (Cyber Security, Ministry of Economic Affairs and Communications).
Updates and revisions
The revised 2014 strategy takes into account the lessons learned from the implementation of the previous strategy and the experiences of other states.
Implementation and monitoring
The Ministry of Economic Affairs and Communications implements cyber defence policies in close co-operation with the Cyber Defence Unit of the Defence League, a voluntary organised group that defends Estonian cyber space; the International Centre for Defence Studies, for research and analysis; and the Estonian Information System Authority (EISA), which coordinates the development of information systems.
The Ministry of Economic Affairs and Communications works in co-operation with the Ministry of Internal Affairs, the Ministry of Defence, the Ministry of Foreign Affairs, the Ministry of Education and Research, and the Association of Information Technology and Telecommunications.
Legal measures in place
Pursuant to the Emergency Act 2009, which compels the government to establish security measures for certain vital information systems by means of regulation, the Regulation on Security Measures for Information Systems of Vital Services and Related Information Assets was adopted in 2013. The NCSS (2014) also sets the objective of providing appropriate legal measures.
The State Secrets and Classified Information of Foreign States Act 2007 assigns a classification level, under a four-tiered system, to information deemed appropriate to treat as a state secret. The requirements that qualify information as a state secret are organised by the agency or area to which the information relates.
The State Secrets and Classified Information of Foreign States Act 2007 maps security practices to the classification level assigned to information deemed a state secret. These classification levels represent the importance of the information to the various functions of the Estonian government and foreign governments, including the level of risk involved in disclosing the information.
The State Secrets and Classified Information of Foreign States Act 2007 requires an annual inspection of the integrity of the storage in which state secrets assigned the top or second-tier classification level are held. No further level of auditing or reporting is required by the Act. The Electronic Communications Act 2004, as amended in 2011, entitles the Technical Surveillance Authority of Estonia to require any communications provider to carry out a security audit. There is no timetable that dictates when the Technical Surveillance Authority is to require such audits.
The 2008 Cyber Security Strategy requires the Cyber Security Strategy Committee to monitor the implementation of the strategy by submitting annual reports to the government, measuring progress against the Implementation Plan. The current Cyber Security Strategy does not include this provision but does state that it retains the goals and objectives of the 2008 strategy.
The Regulation on Security Measures for Information Systems of Vital Services and Related Information Assets 2013 requires
The 2014 Estonian Cyber Security Strategy includes a set of “principles and guidelines” for the procurement of national cyber security services and products. One of the principles encourages international cooperation. There are no local procurement requirements in place.
Missing legal measures
Estonia has two CERTs/CSIRTs: national/government and military.
CERT Estonia (CERT EE)
The Information System Authority acts as Estonia’s national competent authority for network and information security.
Estonian Defence Forces Cyber Incident Response Capability (EDF CIRC).
In June 2016, Estonia joined the list of nations that have signed the new Memorandum of Understanding (MOU) on cyber defence co-operation with NATO. This second-generation MOU aims to further improve cyber defence co-operation and assistance between NATO and national cyber defence authorities. The Memorandum contributes to the enhancement and interoperability of NATO and national cyber defence capabilities and facilitates information sharing and assistance to improve cyber incident prevention, resilience and response capabilities.
Estonia conducted two national cyber exercises, Cyber Hedgehog in 2010 and Cyber Fever in 2012. Estonia took part in multi-national cyber exercises organised by NATO in 2013. NATO’s Cooperative Cyber Defence Centre of Excellence is based in Estonia.
National incident management procedures are outlined in the Emergency Act 2009. Cyber security incidents are not addressed in particular.
Public Private Partnerships
There is no defined public-private partnership for cybersecurity in Estonia. The Information System Authority operates in close co-operation with the private sector. Vaata Maailma (the Look@World Foundation) is a public-private partnership, founded in 2001, dedicated to promoting the use of the internet and ICT services. It is composed of Estonian and international telecommunications providers. The foundation runs various projects that are primarily educational in nature, covering safe internet and computer use.
There is no significant industry-led platform that engages with cyber security. The Estonian National Cyber Defence League comprises IT professionals and representatives from organisations engaged with critical infrastructure, and is one of the entities that co-operates with the Ministry of Economic Affairs and Communications.
No new public-private partnerships are being planned in Estonia.
Sector specific cyber-security plans
Estonia does not have sector-specific joint public-private plans in place.
Sector-specific security priorities have not been defined.
Risk management plan
There is no evidence that such assessments have been made.
Under the Ministry of Economic Affairs and Communications, its co-operation with other government departments and related entities.
While a security audit is defined in the NCSS (2014), there is no timetable that dictates when the Technical Surveillance Authority is to require such audits.
Date of last WISER analysis: July 2016
Current status: NIS Directive and national CERTs/CSIRTs
Computer security incident response teams
MAIN CERT-EE RESPONSIBILITIES AND ACTIVITIES
CERT-EE is responsible for the management of security incidents in .ee computer networks. Its duty is to assist Estonian Internet users in implementing preventive measures, in order to reduce the possible damage from security incidents, and to help them respond to security threats. CERT Estonia deals with security incidents that occur in Estonian networks, that originate there, or that it has been notified about by citizens or institutions either in Estonia or abroad.
Handling incidents: accepting reports, prioritising incidents according to their level of criticality, analysis, responding to incidents, and technical support for resolving them. For simultaneous incidents, CERT-EE coordinates the response.
Report an incident
CERT Estonia provides an email-based reporting structure to log cybersecurity incidents.
Overall assessment & best practices: The NCSS is comprehensive, with a thorough assessment of the cyber security threats faced by Estonia and of its capability to respond to them, with reference to both operational capacity and the relevant legal framework. Its goals are detailed and its implementation is structured.
Date of last WISER analysis: July 2016.