29 September 2018

When this country faced a suspected Russian cyberattack – it took some big steps to stop another

Elizabeth Schulze

It's been called the world's first cyberwar – and it started with the relocation of a Soviet War memorial in Tallinn, Estonia.

When Estonian authorities moved the statue of a Soviet soldier to a less prominent location in April 2007, the country's ethnic Russian population took to the streets to protest.

Then, within days, websites of Estonian parliament, government ministries, banks and newspapers went offline.

Although it hasn't ever been confirmed, it's widely believed Russia was behind the cyberattacks that left large parts of Estonian society at a standstill.

The incident served as a wake-up call for the tiny Baltic nation that was already a highly digitally-advanced society. Estonia decided to take big steps to create a cybersecurity strategy.


International cooperation

"At that time, the approach to cyber was very national-minded or very nation-based," said Siim Alatalu, senior researcher of the Strategy Branch at the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), which opened in Tallinn in 2008.

Alatalu said the 2007 cyberattacks facilitated the creation of a permanent NATO unit focused on enhancing cybersecurity. The CCDCOE conducts large-scale cyber defense drills, although it's not technically a NATO operational unit.

The NATO Cooperative Cyber Defence Centre of Excellence (CoE) in Tallinn, Estonia.

"Our role is to be a step ahead of NATO," Alatalu said.

The CCDCOE also created a framework for applying existing international law to cyber operations, called the Tallinn Manual. Now in its second edition, the manual brought together legal and cyber experts to offer an international approach toward cyber law.

Regulatory steps

Experts said one of the most frequent problems with cybersecurity policy is coming up with universal definitions for what constitutes cyber threats.

"I'm not convinced that every country has really considered for themselves what they consider an attack to be," said Jessica Ruzic, a cybersecurity fellow at New America, a Washington, D.C.-based think tank.

Ruzic said cooperation between the public and private sectors is vital for developing an effective cybersecurity strategy. The Estonian Cyber Defence League, for example, is a voluntary organization made up of IT experts and young people prepared to mobilize during a national cyberattack.

Recent EU-wide regulation has also upped the penalties against companies that fail to protect online data. The General Data Protection Regulation, or GDPR, that went into effect in May gives regulators the power to fine companies that don't comply with security measures.

Unlike in the past, the fines can be massive: up to 4 percent of global annual turnover or 20 million euros ($23 million), whichever is higher.

Cyber hygiene

Ultimately, no cyber strategy is hacker-proof. The UN ranks Estonia the European country most committed to cyber security, but authorities still responded to more than 10,000 cyber incidents last year.

Experts said that's why public awareness is one of the most crucial steps toward preventing an attack.

"The priority needs to be learning about the issues and then we can discuss how to prevent them from happening again," Ruzic said.

In Estonia, students are educated about "cyber hygiene" from an early age. This includes everything from detecting malware threats to protecting passwords to backing up data.

"The key lesson learned is first that you need to really invest into educating your people," Alatalu said.

No comments: