This is the first in a series of conversations with Nick Wilding and leading cyber resilience commentators and practitioners from around the world.
Who should countries and companies learn from when thinking about cyber resilience?
Estonia has been described in tech publication ZDNet as ‘the poster child for cyber security done right’. After 2007, when the country became the world’s first to fall victim to a major, organized cyber-attack, it developed a cyber strategy that has placed it at the forefront of those nations most prepared for future attacks.
Nick Wilding, head of cyber resilience best practice at UK Government and Capita joint venture AXELOS, recently spoke to Estonia’s head of cyber security policy, Karoliina Ainge, about what organizations can learn from the Estonian experience.
Among the many useful insights Ms Ainge offered, she cited the greatest challenge in cyber resilience as ‘maintaining a level of awareness when the situation is constantly changing’.
Nick Wilding: Why has Estonia made cyber resilience such a priority?
Karoliina Ainge: We would be doing a bad job of running the country if we weren’t! We are one of the most digitally advanced countries in the world and our people rely on e-government systems, like digital signatures, to conduct their business and interact with the government. We are at the stage where people and government are now reliant on digital systems and we can’t go back to paper-based systems.
The 2007 attack against Estonia’s banking systems and government impeded the normal functioning of some systems for almost a week; this brought cyber resilience to the forefront of our thinking. At the time, most governments didn’t have a cyber resilience strategy – the attack we experienced proved to be the turning point for us and we took the bull by the horns! Now cyber resilience is for everybody in Estonia; it’s a cultural dependency, not just a corporate or governmental one.
Nick Wilding: What are the primary lessons the country has learned from its own cyber experience and that of other states?
Karoliina Ainge: For me it’s all about measuring what’s happening in your systems: knowing what your vulnerabilities are now – and are likely to be in the future – and getting a coherent picture of your systems and their dependencies. You also need to be able to define what an effective response to a cyber attack will look like and whether your actions will have an impact on your overall security. It’s easy to throw money at the problem but this doesn’t guarantee you’ll get the outcome you want. And when spending money during an economic downturn you need to be sure your strategy will be effective.
It’s also about cooperation and collaboration: governments and the private sector need to be talking to each other and sharing lessons learnt and best practice. Effective cyber resilience needs a societal and enterprise-wide response and this will only improve with greater cooperation and collaboration.
Nick Wilding: It’s clear that many organizations continue to struggle to define what good cyber resilience looks like for them. Do they know what information and systems are most critical to their continued success? Do they know the vulnerabilities in their information and systems? We find that within the same organization the absence of a common language for how different people talk about threats, vulnerabilities, risks and impacts often hinders the development of effective collaboration and common resilient behaviours across the enterprise.
I still talk to organizations who wonder why they would be a target for attack and who are not spending enough time on understanding what cyber risks they face and how they would respond and recover as and when an attack happens. Many still think that IT can solve their problems – and it’s true that technology plays an important role – but it’s only part of the solution. People, not technology, are typically an organization’s greatest vulnerability, so an enterprise-wide response that involves all its people is required. Many CISOs I’ve spoken to say technology is the easy bit; it’s about making people work effectively across the organization that enables true resilience.
Nick Wilding: How can we effectively balance people’s awareness of the need to be more resilient with the opportunities and inherent security vulnerabilities in how we all communicate today?
Karoliina Ainge: Our approach has been to help people use trusted communications. We are very strong proponents of strong encryption and have given all citizens access to encryption tools. We believe that if you give people the ways and means to communicate securely it’s a more positive approach than simply banning things. It’s a more positive reinforcement of the use of technology.
It’s also about making people aware of the threats – for example, phishing emails and text messages that encourage people to phone premium rate numbers. Digital services have to enable people’s trust. We say that e-government is like a racing car: it’s fast and looks cool but – like a racing car – it also needs good brakes on it! And that’s where cyber security comes in.
Nick Wilding: It is all about balancing the opportunities and risks of living and working in the digital age. Recent high profile corporate cyber-attacks have highlighted just how vulnerable we, as individuals and the organizations we work for, all are. The risk is that the inherent trust we have in digital communications starts to erode. For me, I think there’s a great opportunity for organizations to differentiate themselves from their competitors by having a strong cyber resilient culture and the proven ability to protect their sensitive client and commercial data better than anyone else in their markets. There are early signs that this is happening.
Nick Wilding: Why does the current Estonian cyber strategy place such great importance on raising the awareness of the population regarding cyber risk?
Karoliina Ainge: The key point of our strategy is that it’s not solely a military issue – cyber encompasses many things and is much more than IT; it’s all around us and we like to describe it as a personal responsibility, which includes someone doing the right thing on their devices at home as well as in the office. The emphasis is on personal responsibility, as we all play a role in keeping the country cyber safe.
Nick Wilding: How is Estonia raising awareness and what are the ‘novel’ cyber solutions mentioned in your strategy?
Karoliina Ainge: We have done a lot of public awareness raising with everyone from school pupils through to the elderly. It’s a holistic approach, incorporating cyber into school curricula to help young people stay secure, as well as training experts to be world class cyber professionals. Going forward, we need to be incorporating private sector companies in this a lot more too.
One new way we’re tackling cyber resilience is through so-called data embassies. These are data centres abroad that store information or systems critical to the functioning of the state. Diplomatic immunity would apply to those locations. So in case there is a cyber attack or natural disaster in Estonia, we could switch to running these crucial systems from abroad. This is vital when services are wholly digital, without a paper-based backup.
Nick Wilding: How can a nation state – and, in turn, organizations within a country – encourage individual responsibility for the safe use of ICT tools?
Karoliina Ainge: Government needs to set an example and show it’s savvy about how it protects people’s data. Nation states carry a heavy burden of responsibility in demonstrating basic cyber hygiene and best practices in safe computing.
In corporate Estonia there is a strong awareness of the need to be more resilient to cyber attacks; we have been lucky not to have had any high profile attacks recently and this says a lot about how much the private sector has taken this on board. Long may it last!
Nick Wilding: As part of our RESILIA™ awareness learning we’ve incorporated learning scenarios that are relevant to working at home, not just at a desk in an office, because we have to be resilient at all times. Attackers need to be lucky only once, whereas we need to be resilient all the time. There’s always a danger in playing on people’s fear and uncertainty but providing the appropriate and engaging learning tools can give all of us the basic skills to respond with confidence to the risks we face.
Read the second part of Nick's conversation with Karoliina.