Cities are becoming smarter every day, and many state and local governments are pushing towards the digitalization of public services. Some North American cities are working hard to integrate online services and manage cybersecurity risk at the same time. Meanwhile, perhaps the best example of a digital city is in fact a digital country.

The Republic of Estonia is well on its way to setting itself up as a fully digital society. As the world’s most digitally enabled nation, most government functions operate online — including health care and voting. The country is almost entirely cashless and was the first to implement smart parking. In 2017 Estonia legalized testing of autonomous vehicles. In the country’s 2019 elections, nearly half of Estonians voted online.

None of this is possible without a cybersecurity-first mindset.

How is Estonia pulling this off? What is the country doing to foster so much trust in the system? And how can the country’s collective mindset provide a potential blueprint for success?

Estonia’s Decades-Long Digital Growth

Estonia’s national cybersecurity strategy has evolved since its inception in 2008, encompassing everything from protecting critical infrastructure, fighting against cyber crime and boosting information security competence. That’s on top of an effort in place since the early 2000s to set up online voting and other services.

The government created the current cybersecurity strategy (2019-2022) with the goal of establishing Estonia as the most resilient digital society.

Anett Numa, digital transformation advisor for e-estonia, consults and advises foreign governments about lessons Estonia has learned since implementing its digital society and how governments can collaborate on a national level.

According to Numa, there are several ways Estonia can meet its cybersecurity strategy objectives. The government needs to be able to adapt to change, maintain and build the trust of its residents, encourage education and cyber literacy and share information whenever possible.

Adapting to Cybersecurity Risk

We hear it all the time: the threat landscape is evolving, and it’s more challenging to keep up than ever before. How can governments keep up?

“Hackers are getting smarter and smarter all the time,” Numa says. “You’re seeing more and more various methods of influencing people, and the impact has increased.”

She explained that with this change, the country has increased its cybersecurity sector budget in a major way.

That might not work for every town on a limited budget, but there are many cost-effective strategies.

For example, Numa suggests that tailoring the message to the right audience can make a significant impact.

“We don’t need to be reminded that hackers are not sleeping,” she says. “They’re working even harder today because more people are online.” Numa points to a Global Web Index survey reporting that 80% of consumers are accessing more content since the pandemic.

The Estonian government tries to account for the country’s diverse demographics, who all consume media very differently.

“Governments should do more research about who are the most vulnerable groups and how to talk with them,” she says. “You might not reach everybody, but find the platforms that they actually use so that you can send your message to the right audience.”

It’s a Question of Cybersecurity Risk Versus Trust

Building or maintaining digital services cannot happen without trust in the system.

Consider these numbers:

• 70% of Estonians use their digital ID card often
• 99% of state services are online
• Citizens can use over 2,600 services via X-road, e-estonia’s backbone. It allows the nation’s public and private sector information systems to communicate.

Numa estimates that the number of Estonians that trust its digital systems is about 80%.

“We have, since the early days, been investing in raising awareness around digital literacy and of all the systems,” she says.

Transparency is paramount, she added, which the government deploys to answer questions like:

• How has everything been built, and what is the background?
• How does the system work?
• In what way do we store information?
• How and when is information exchanged?

But the most critical element to this type of trust is the transparent messaging with which the government handles data.

“You can log into the portal and you can see the list of government institutions, or even private institutions, that have been looking at your private information,” Numa says. “The power over your information is actually in your hands. You can decide if you don’t agree with it,  or if you want to know why a specific institution has been looking for your personal information.”

Plus, whenever the country experiences a cyber incident or cybersecurity risk, it is open with the public about the details. In fact, a 2017 ID card crisis prompted Prime Minister Jüri Ratas to appear on television and other media to explain the details and discuss how to prevent it from happening again.

Knowledge Is Key

In Estonia, there is a huge importance placed on digital and cyber knowledge. That’s true among the younger people and the elderly alike. Students begin their learning about online services and safety in elementary school, and continue into post-secondary education. There, partnership exists between universities and the Ministry of Defense and Ministry of Education and Research to increase the awareness of cyber threats.

For example, Estonian company Cybexer has joined forces with the Ministry of Defense to organize cyber range exercises for students as young as 10 years old starting in the fall.

“These cyber battles give students the knowledge about what the cyber field is about,” Numa says. “We’re trying to get them involved in such an early age. The competition [to take part] is just crazy right now; it seems like everybody wants to be a part of it.”

Numa explained that these lessons don’t stop at the university level. The Estonian Defense League Cyber Unit, a volunteer-based organization, works closely with IT professionals to raise the level of cybersecurity for critical information infrastructure. “They’re working in different IT companies… to organize different exercises and cybersecurity expert training,” she says.

Building Trust

None of the examples set by Estonia can provide enough value for other governments or municipalities without sharing information. Much like Information Sharing and Analysis Centers, when public and private sectors work together to share best practices and lessons learned, everyone wins.

“We work hard, but we can’t do it alone,” says Numa. “It’s pretty clear that when we talk about cybersecurity, it does not have any national borders anymore. It’s happening every other second.”

Numa hopes countries can learn from each other’s mistakes so they aren’t repeated, and success stories can also be shared.

Hopefully, the successes will outweigh the mistakes. But that can’t happen if your residents don’t believe in the systems or programs. It can’t happen if they believe the cybersecurity risk is too great.

“Be very honest with the citizens and they will trust you,” Numa says. “It’s definitely about transparency, education and communication. This is how we get people to trust the system.”