The ransomware attack on the HSE has opened Ireland's eyes to the dangers of cyber attack, but the State is more than a decade behind Estonia, which suffered unprecedented attack in 2007.
Then a so-called “botnet” attack by countless infected computers crashed the networks of top banks and media outlets, while hackers defaced prominent websites, including the Baltic state’s president and parliament.
Blamed on Russia, the attacks subsided after a few weeks and left no permanent damage, but it ensured Estonia would never underestimate the value of cyber security or the danger of failing to protect vital assets, including hospitals.
Instead of pulling up the virtual drawbridge to keep dangers at bay, the country of 1.3 million continued to move the vast majority of State services online and forged a digital economy built on success stories such as Skype and TransferWise, while growing into an international hub for developing and sharing cyber security skills.
The year after the attack on its computer systems Estonia became the headquarters of the Nato co-operative cyber defence centre of excellence, which Ireland is now joining as a contributing partner.
"Looking back at the 2007 attack, it could have been seen as an act of war," said Michael Widmann, a US naval officer who is head of the centre's strategy branch.
“But Estonia was able not only to work internally but to reach out to partners and other nations to get help. It is very much a good example to other countries of how to deal with a major cyber incident.”
The centre allows Nato members and contributing partners to share intelligence on cyber threats, and runs “live fire” exercises to help them hone their defences against attacks that could come from nation states or from criminal groups using the kind of ransomware that has crippled HSE systems.
“With ransomware the business model is so beneficial to criminals because the chances of being caught are pretty slim and the potential profits so high,” said Cdr Widmann, who puts the annual cost of cybercrime to the global economy at “trillions of dollars”.
He said online theft of data was now so common that its value to the criminals selling it has gone down. “But it can be used to get credit cards or open other lines of credit...and in some countries the institution that held the data can be held liable [for its loss], so it’s not just the embarrassment factor but compensation can be involved too.
“We need to come at the problem with things like international law, holding people accountable and imposing costs on individuals and states that are doing these things,” he added, noting that certain countries such as Russia were suspected of “turning a blind eye to cyber criminals that operate outside of their borders in the hope that sometime their services could be used for state issues”.
"Western democracies have asked Russia to take a more pro-active role in law enforcement, but we haven't really seen any progress towards that," he told The Irish Times from Tallinn.
Liisa Past, chief information officer for Estonia's interior ministry, remembers the 2007 attack as the "canary in the coalmine" for cyber security in her country, which prompted state agencies and the private sector to work closely to identify and reduce the nation's online vulnerabilities.
She said ransomware attacks can be far more serious than the kind of denial-of-service incident suffered by the Baltic state 14 years ago, because confidential data may be lost and the integrity of critical systems compromised - a threat mitigated in Estonia by its use of blockchain technology to encrypt state records, which are also backed up at the country’s groundbreaking “data embassy” in Luxembourg.
“If such attacks have long-lasting effects, it shows that the attackers are either stronger and more capable [than online defenders] or that the system designers have forgotten about security. Each one is equally likely to happen, unfortunately.”
As Irish officials face uncomfortable questions over how cyber security has been funded, staffed and prioritised over many years, Estonia’s resilience brings to mind the old adage that prevention is better than cure.
“Ireland is a wealthy nation – Estonia couldn’t afford not to see security as an inherent part of every information system and every database. We couldn’t afford to do reactive security, we don’t have the resources or the people,” said Ms Past.
“If you don’t cover all aspects of security ranging from back-up and revert and recovery [of systems], to training of users and putting procedures in place, then you will always be playing catch-up,” she said.
“No system is impossible to breach. But either you make the cost of breaching the system so high that an attack does not make sense for an adversary or you ensure continuity of your business regardless of breach.
“When you digitalise, attacks are inevitable. There is no 100 per cent security, it is a lie and an illusion...But just because no lock cannot be picked it doesn’t mean we shouldn’t have them on all our doors and windows, and have insurance too.”