Cities are becoming smarter every day, and many state and local governments are pushing towards the digitalization of public services. Some North American cities are working hard to integrate online services and manage cybersecurity risk at the same time. Meanwhile, perhaps the best example of a digital city is in fact a digital country.

The Republic of Estonia is well on its way to setting itself up as a fully digital society. As the world’s most digitally enabled nation, most government functions operate online — including health care and voting. The country is almost entirely cashless and was the first to implement smart parking. In 2017 Estonia legalized testing of autonomous vehicles. In the country’s 2019 elections, nearly half of Estonians voted online.

None of this is possible without a cybersecurity-first mindset.

How is Estonia pulling this off? What is the country doing to foster so much trust in the system? And how can the country’s collective mindset provide a potential blueprint for success?

Estonia’s Decades-Long Digital Growth

Estonia’s national cybersecurity strategy has evolved since its inception in 2008, encompassing everything from protecting critical infrastructure, fighting against cyber crime and boosting information security competence. That’s on top of an effort in place since the early 2000s to set up online voting and other services.

The government created the current cybersecurity strategy (2019-2022) with the goal of establishing Estonia as the most resilient digital society.

Anett Numa, digital transformation advisor for e-estonia, consults and advises foreign governments about lessons Estonia has learned since implementing its digital society and how governments can collaborate on a national level.

According to Numa, there are several ways Estonia can meet its cybersecurity strategy objectives. The government needs to be able to adapt to change, maintain and build the trust of its residents, encourage education and cyber literacy and share information whenever possible.

Adapting to Cybersecurity Risk

We hear it all the time: the threat landscape is evolving, and it’s more challenging to keep up than ever before. How can governments keep up?

“Hackers are getting smarter and smarter all the time,” Numa says. “You’re seeing more and more various methods of influencing people, and the impact has increased.”

She explained that with this change, the country has increased its cybersecurity sector budget in a major way.

That might not work for every town on a limited budget, but there are many cost-effective strategies.

For example, Numa suggests that tailoring the message to the right audience can make a significant impact.

“We don’t need to be reminded that hackers are not sleeping,” she says. “They’re working even harder today because more people are online.” Numa points to a Global Web Index survey reporting that 80% of consumers are accessing more content since the pandemic.

The Estonian government tries to account for the country’s diverse demographics, who all consume media very differently.

“Governments should do more research about who are the most vulnerable groups and how to talk with them,” she says. “You might not reach everybody, but find the platforms that they actually use so that you can send your message to the right audience.”

It’s a Question of Cybersecurity Risk Versus Trust

Building or maintaining digital services cannot happen without trust in the system.

Consider these numbers:

  • 70% of Estonians use their digital ID card often
  • 99% of state services are online
  • Citizens can use over 2,600 services via X-road, e-estonia’s backbone. It allows the nation’s public and private sector information systems to communicate.

Numa estimates that the number of Estonians that trust its digital systems is about 80%.

“We have, since the early days, been investing in raising awareness around digital literacy and of all the systems,” she says.

Transparency is paramount, she added, which the government deploys to answer questions like:

  • How has everything been built, and what is the background?
  • How does the system work?
  • In what way do we store information?
  • How and when is information exchanged?

But the most critical element to this type of trust is the transparent messaging with which the government handles data.

“You can log into the portal and you can see the list of government institutions, or even private institutions, that have been looking at your private information,” Numa says. “The power over your information is actually in your hands. You can decide if you don’t agree with it,  or if you want to know why a specific institution has been looking for your personal information.”

Plus, whenever the country experiences a cyber incident or cybersecurity risk, it is open with the public about the details. In fact, a 2017 ID card crisis prompted Prime Minister Jüri Ratas to appear on television and other media to explain the details and discuss how to prevent it from happening again.

Knowledge Is Key

In Estonia, there is a huge importance placed on digital and cyber knowledge. That’s true among the younger people and the elderly alike. Students begin their learning about online services and safety in elementary school, and continue into post-secondary education. There, partnership exists between universities and the Ministry of Defense and Ministry of Education and Research to increase the awareness of cyber threats.

For example, Estonian company Cybexer has joined forces with the Ministry of Defense to organize cyber range exercises for students as young as 10 years old starting in the fall.

“These cyber battles give students the knowledge about what the cyber field is about,” Numa says. “We’re trying to get them involved in such an early age. The competition [to take part] is just crazy right now; it seems like everybody wants to be a part of it.”

Numa explained that these lessons don’t stop at the university level. The Estonian Defense League Cyber Unit, a volunteer-based organization, works closely with IT professionals to raise the level of cybersecurity for critical information infrastructure. “They’re working in different IT companies… to organize different exercises and cybersecurity expert training,” she says.

Building Trust

None of the examples set by Estonia can provide enough value for other governments or municipalities without sharing information. Much like Information Sharing and Analysis Centers, when public and private sectors work together to share best practices and lessons learned, everyone wins.

“We work hard, but we can’t do it alone,” says Numa. “It’s pretty clear that when we talk about cybersecurity, it does not have any national borders anymore. It’s happening every other second.”

Numa hopes countries can learn from each other’s mistakes so they aren’t repeated, and success stories can also be shared.

Hopefully, the successes will outweigh the mistakes. But that can’t happen if your residents don’t believe in the systems or programs. It can’t happen if they believe the cybersecurity risk is too great.

“Be very honest with the citizens and they will trust you,” Numa says. “It’s definitely about transparency, education and communication. This is how we get people to trust the system.”

More from Cloud Security

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

AI-driven compliance: The key to cloud security

3 min read - The growth of cloud computing continues unabated, but it has also created security challenges. The acceleration of cloud adoption has created greater complexity, with limited cloud technical expertise available in the market, an explosion in connected and Internet of Things (IoT) devices and a growing need for multi-cloud environments. When organizations migrate to the cloud, there is a likelihood of data security problems given that many applications are not secure by design. When these applications migrate to cloud-native systems, mistakes in configuration…

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today