Ireland must learn lessons from Estonia on cybersecurity
Expert says huge 2007 attack on his country’s websites changed its attitude to IT education
For Estonia, cybersecurity is far too important to leave only to the experts. There, everyone from schoolchildren to volunteer “cyberwarriors” plays a part in helping some of the world’s best IT defenders keep the country safe.
The hypervigilance is necessary. Nearly every government services is available online, while Estonia has to be constantly vigilant to cyber and other threats from neighbouring Russia.
The ransomware attack on Ireland’s health service is a nightmare scenario, Estonians have learned, that can only be averted by investment in technology and a lifelong education in IT that starts remarkably early.
“The first time my kids saw IT, other than the phones at home, was playing with small robots in the sandpit at kindergarten at age four. So Estonian children are exposed to programming and taking charge of IT systems even before they learn to read and write. It takes away that fear.”
Huge 2007 attack
Jaan Priisalu, a top Estonian researcher in cybersecurity, said a huge 2007 attack on the country’s websites blamed on Russia stirred global debate on how to defend the virtual realm and changed his nation’s attitude to IT education.
“Cybersecurity became part of the curriculum, and now there are exercises in this for young people and organisations...All schools choose a specialisation and some have chosen cybersecurity,” he explained.
“Cyber is hard because people tend to classify it as part of the techies’ world and think techies should take care of it...But hackers are actually attacking processes in society, so this cannot be solved by the techies and the politicians separately.”
Priisalu was head of IT security for Estonia’s biggest bank in 2007 when, during a political row with Moscow, his country suffered what is regarded as the first cyberattack on an entire state, crashing the websites of government ministries, top financial institutions and media outlets.
The attack focused minds and funds on cybersecurity – leading Nato in 2016 to declare the internet a domain of defensive operations alongside land, sea and air – and forced Estonia to reassess how to defend its own sovereignty, which had been lost to the Soviet Union for decades until 1991.
A few months after the 2007 cyberattack, a proposal was made to form a cyberunit of the Estonian Defence League, a volunteer militia that traces its roots to the country’s 1918 declaration of independence from Russia.
In peacetime, Defence League volunteers are on standby to help the Estonian emergency services, while training regularly for the role they would be expected to play during an invasion or other security crisis, swelling the military ranks of the 1.3-million-strong nation and conducting sabotage operations.
“The Defence League is designed to be like the glue that ties people together,” said Priisalu, who helped launch the league’s cyberunit in 2010 and still serves in its arm in the capital, Tallinn, which he co-founded.
The cyberunit brings together IT experts and other volunteers from the state and private sectors, who train their comrades in cybersecurity, give talks in schools and organisations and take part in military exercises.
“It is part of Defence League culture. Some people go out into the forests to learn how to shoot, and we learn and teach how to do the cyber stuff,” Priisalu said.
“It’s a mix of rookies and teachers. Exercises are an essential part of preparation...and we also try to educate our members simply, giving lectures and talking to people about things like forensic (computing), how to dissect a computer, what to look for and how to be careful and not make mistakes,” he added.
“In a conflict, the cyber (element) could happen two months before the kinetic conflict. It is often a warning sign.”
The online infrastructure guarded by Estonia’s multilayer defence is among the most advanced in the world, and could serve as a model for Ireland’s drive to move many public services online as part of its “civil service renewal 2030 strategy”.
Estonia’s 30-year push to become a “digital-first” society means its citizens now enjoy an almost paper-free relationship with the state, allowing them to do everything from voting, to filing court claims, to receiving prescriptions online.
Estonians access public services with a personal digital identification card, and data sent between individuals and state agencies is protected by asymmetric encryption; information is stored in the government’s cloud and backed up at a “data embassy” in Luxembourg, far from any threat to hardware in the Baltic state.
Undermined by mistakes
Yet there is no hint of complacency from Raul Rikk, Estonia’s director of national cybersecurity, who says every system can be undermined by the mistakes and carelessness of its users – and the determination and skill of some hackers.
“Of course, there has been innovation in Estonia based on technology that allows us to exchange data securely between the private sector, public sector and the citizens. And it is really well protected,” he told The Irish Times.
“But when we talk about ransomware in the health sector, like the Irish story, then it’s something different...I can say I hope most government organisations in Estonia are well protected, but when it comes to semigovernmental organisations like hospitals and schools, they might not have implemented cybersecurity so well.”
Rikk says Estonia’s rule of thumb is that 10-15 per cent of every organisation’s IT budget should be spent on cybersecurity – but a slip by a single computer operator can still undo the best-laid plans.
“We pay a lot of attention to cyber, and in certain areas we are very well organised. But every organisation has responsibilities that depend on them...Cyberattacks are becoming more and more complex, more and more sophisticated, so we have to make changes constantly,” he explained.
“Attempts (to breach systems) have become many, many times bigger than even five years ago. Now it’s like someone walking down the street trying all the doors...so the question is whether the house owner has a strong enough lock to stop something bad happening. That’s why every organisation must implement a very systematic approach to cyber security.”
Ireland is now in the process of becoming a contributing partner in the Tallinn-based Nato co-operative cyberdefence centre of excellence, where Nato states and allies develop and share IT security skills and run exercises.
“Information exchange (on threats) in the EU and Nato happens on a daily basis and is very good,” said Rikk.
“But everyone has recognised that if something really large-scale happens across Europe or in the EU then we need much better crisis-management measures than we have at the moment.”
Ominously for Ireland and the HSE, both Rikk and Priisalu warned that a ransomware attack can hide a deeper intelligence-gathering operation by state security agencies, which are often hard to distinguish from criminal groups.
“Ransomware is a very visible attack. It is also the perfect thing to cover your tracks,” said Priisalu, a former director general of his nation’s main IT agency, the Estonian information system authority.
“You encrypt everything and let everyone believe this was the only thing you did. The target is occupied with the consequences of the ransomware attack and with resolving that situation – and so the crime provides the perfect cover for an intelligence operation.”