National Cyber Security Strategies

The Estonian Approach

Piret Pernik

Research Fellow

International Centre for Defence and Security

22 June 2017

Estonia’s cyber security expertise

ITU index 2017: global rank 5, in Europe 1st

ITU index 2014: global rank 5, in Europe 2nd

NATO CCD COE 2008

Cyber Defence Unit of the Estonian Defence League 2011

Locked Shields from 2012

Cyber Coalition from 2013

NATO Cyber range 2014

Cyber conscription pilot 2016

Cyber Command from 2017

National Cyber Security Strategies

• 95+ countries

developing legislation

• 50+ countries with

defensive capabilities

• 30+ countries with

offensive capabilities

Functional strategy

• Defines and prioritizes national, strategic objectives

• Remains focused on the clearly identified core

issues

• Aligns and is harmonized with other policies and

strategies

• Clearly allocates resources and responsibilities

• Implements international best practices and lessons

learned

• Considers international cyber security directions

• Maintains a long rather than short-term perspective

Kerttunen: 2017

Estonia’s Legal Framework

National Cyber Security Strategy

• I iteration 2008-2013

• II iteration 2014-2017

• III iteration under development

Cyber Emergency response plan 2016

Emergency Act 2009, 2016

Other acts, decrees, orders

Government

Security Committee

Cyber Security Council

GovernmentOffice

Ministry of Economic Affairs

and CommunicationsMoD

Ministry ofthe

Interior Ministry of Justice

Ministry of Finance

MFAMinistry

of Science& Education

Estonian Information System Authority (RIA)

Cyber Security Coordination

Estonian Cyber Security Strategy

Main action areas

1. Protection of information systems underlying

important services

• Alternative solutions and cross-dependency

management

• Ensuring digital continuity of the state – Data

Embassies

• …

Estonian Cyber Security Strategy

Main action areas

2. Fight against cybercrime

• Enhance detection

• Raise public awareness

• …

3. Improve national cyber defence capacity

• Synchronize planning

• …

Estonian Cyber Security Strategy

Main action areas

4. Maintaining and improving the cyber security

capability

• Ensure the next generation of cyber security

professionals

• Support development of enterprises providing

cyber security solutions

• R&D

5. Supporting activities

legal framework, international cooperation, international

policy

Estonia in Comparison with the EU

22 EU/EATA countries

Baseline security requirements (16)

Identified critical infrastructure (15)

Cyber emergency response plans (15)

Institutions for inter-agency cooperation (13)

Public-private partnerships (12)

Incentives to the private sector (3)

ENISA: 2016

Challenges

• Change of culture, mindset

• Competing values, priorities

• Sufficient mandates, clear responsibilities

• Financial and human resources

• Integration with other policies

• Implementation, review, adaptation

Pernik: 2013; Kerttunen: 2017

Conclusion

• National strategy is a useful tool for capacity

building, awareness raising, investment decisons,

prioritizing, inter-agency cooperation, etc.

• Successful implementation is difficult because it

depends on numerous variables

• It reflects a particular constellation of people, values,

interest, etc., in a given time

• It’s a process, assessment, review, forecasting, planning,

etc.

• It’s inevitable for protecting cyber security at a state level

Thank you

piret.pernik@icds.ee

www.icds.ee