Cities are becoming smarter every day, and many state and local governments are pushing towards the digitalization of public services. Some North American cities are working hard to integrate online services and manage cybersecurity risk at the same time. Meanwhile, perhaps the best example of a digital city is in fact a digital country.

The Republic of Estonia is well on its way to setting itself up as a fully digital society. As the world’s most digitally enabled nation, most government functions operate online — including health care and voting. The country is almost entirely cashless and was the first to implement smart parking. In 2017 Estonia legalized testing of autonomous vehicles. In the country’s 2019 elections, nearly half of Estonians voted online.

None of this is possible without a cybersecurity-first mindset.

How is Estonia pulling this off? What is the country doing to foster so much trust in the system? And how can the country’s collective mindset provide a potential blueprint for success?

Estonia’s Decades-Long Digital Growth

Estonia’s national cybersecurity strategy has evolved since its inception in 2008, encompassing everything from protecting critical infrastructure, fighting against cyber crime and boosting information security competence. That’s on top of an effort in place since the early 2000s to set up online voting and other services.

The government created the current cybersecurity strategy (2019-2022) with the goal of establishing Estonia as the most resilient digital society.

Anett Numa, digital transformation advisor for e-estonia, consults and advises foreign governments about lessons Estonia has learned since implementing its digital society and how governments can collaborate on a national level.

According to Numa, there are several ways Estonia can meet its cybersecurity strategy objectives. The government needs to be able to adapt to change, maintain and build the trust of its residents, encourage education and cyber literacy and share information whenever possible.

Adapting to Cybersecurity Risk

We hear it all the time: the threat landscape is evolving, and it’s more challenging to keep up than ever before. How can governments keep up?

“Hackers are getting smarter and smarter all the time,” Numa says. “You’re seeing more and more various methods of influencing people, and the impact has increased.”

She explained that with this change, the country has increased its cybersecurity sector budget in a major way.

That might not work for every town on a limited budget, but there are many cost-effective strategies.

For example, Numa suggests that tailoring the message to the right audience can make a significant impact.

“We don’t need to be reminded that hackers are not sleeping,” she says. “They’re working even harder today because more people are online.” Numa points to a Global Web Index survey reporting that 80% of consumers are accessing more content since the pandemic.

The Estonian government tries to account for the country’s diverse demographics, who all consume media very differently.

“Governments should do more research about who are the most vulnerable groups and how to talk with them,” she says. “You might not reach everybody, but find the platforms that they actually use so that you can send your message to the right audience.”

It’s a Question of Cybersecurity Risk Versus Trust

Building or maintaining digital services cannot happen without trust in the system.

Consider these numbers:

  • 70% of Estonians use their digital ID card often
  • 99% of state services are online
  • Citizens can use over 2,600 services via X-road, e-estonia’s backbone. It allows the nation’s public and private sector information systems to communicate.

Numa estimates that the number of Estonians that trust its digital systems is about 80%.

“We have, since the early days, been investing in raising awareness around digital literacy and of all the systems,” she says.

Transparency is paramount, she added, which the government deploys to answer questions like:

  • How has everything been built, and what is the background?
  • How does the system work?
  • In what way do we store information?
  • How and when is information exchanged?

But the most critical element to this type of trust is the transparent messaging with which the government handles data.

“You can log into the portal and you can see the list of government institutions, or even private institutions, that have been looking at your private information,” Numa says. “The power over your information is actually in your hands. You can decide if you don’t agree with it,  or if you want to know why a specific institution has been looking for your personal information.”

Plus, whenever the country experiences a cyber incident or cybersecurity risk, it is open with the public about the details. In fact, a 2017 ID card crisis prompted Prime Minister Jüri Ratas to appear on television and other media to explain the details and discuss how to prevent it from happening again.

Knowledge Is Key

In Estonia, there is a huge importance placed on digital and cyber knowledge. That’s true among the younger people and the elderly alike. Students begin their learning about online services and safety in elementary school, and continue into post-secondary education. There, partnership exists between universities and the Ministry of Defense and Ministry of Education and Research to increase the awareness of cyber threats.

For example, Estonian company Cybexer has joined forces with the Ministry of Defense to organize cyber range exercises for students as young as 10 years old starting in the fall.

“These cyber battles give students the knowledge about what the cyber field is about,” Numa says. “We’re trying to get them involved in such an early age. The competition [to take part] is just crazy right now; it seems like everybody wants to be a part of it.”

Numa explained that these lessons don’t stop at the university level. The Estonian Defense League Cyber Unit, a volunteer-based organization, works closely with IT professionals to raise the level of cybersecurity for critical information infrastructure. “They’re working in different IT companies… to organize different exercises and cybersecurity expert training,” she says.

Building Trust

None of the examples set by Estonia can provide enough value for other governments or municipalities without sharing information. Much like Information Sharing and Analysis Centers, when public and private sectors work together to share best practices and lessons learned, everyone wins.

“We work hard, but we can’t do it alone,” says Numa. “It’s pretty clear that when we talk about cybersecurity, it does not have any national borders anymore. It’s happening every other second.”

Numa hopes countries can learn from each other’s mistakes so they aren’t repeated, and success stories can also be shared.

Hopefully, the successes will outweigh the mistakes. But that can’t happen if your residents don’t believe in the systems or programs. It can’t happen if they believe the cybersecurity risk is too great.

“Be very honest with the citizens and they will trust you,” Numa says. “It’s definitely about transparency, education and communication. This is how we get people to trust the system.”

More from Cloud Security

Is Your Critical SaaS Data Secure?

4 min read - Increasingly sophisticated adversaries create a significant challenge as organizations increasingly use Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) to deliver applications and services. This mesh of cloud-based applications and services creates new complexities for security teams. But attackers need only one success, while defenders need to succeed 100% of the time. Organizations are contending with an exponential rise in advanced threats that are not only increasing in volume but also sophistication. The IBM Cost of Data Breach Report 2022 found…

4 min read

Rationalizing Your Hybrid Cloud Security Tools

3 min read - As cyber incidents rise and threat landscapes widen, more security tools have emerged to protect the hybrid cloud ecosystem. As a result, security leaders must rapidly assess their hybrid security tools to move toward a centralized toolset and optimize cost without compromising their security posture. Unfortunately, those same leaders face a variety of challenges. One of these challenges is that many security solutions create confusion and provide a false sense of security. Another is that multiple tools provide duplication coverage…

3 min read

New Generation of Phishing Hides Behind Trusted Services

4 min read - The days when email was the main vector for phishing attacks are long gone. Now, phishing attacks occur on SMS, voice, social media and messaging apps. They also hide behind trusted services like Azure and AWS. And with the expansion of cloud computing, even more Software-as-a-Service (SaaS) based phishing schemes are possible. Phishing tactics have evolved faster than ever, and the variety of attacks continues to grow. Security pros need to be aware. SaaS to SaaS Phishing Instead of building…

4 min read

The Importance of Modern-Day Data Security Platforms

4 min read - Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

4 min read