
Merle Maigre: Empowering cyber capacity building: View from Estonia























Merle Maigre
Programme Director of Cybersecurity
e-Governance Academy
Estonia


Lately, it seems like the world has collectively jumped from one crisis to another. In response to the COVID pandemic, governments and businesses shifted more to online services and remote working. As a result, the number of people relying on online security skyrocketed. Then, the rolling out of vaccines and digital certificates brought attention to questions related to digital health and data security. Now, over the last year, Russia’s war in Ukraine has demonstrated in a remarkable manner that cyberattacks are not a separate front, but rather a dimension of the conflict. In the context of this rapid digitalisation and exponential growth of cyberattacks, strengthening cyber resilience has become both an essential enabler of sustainable growth and an urgent precondition for security. As one of the first digital nations, Estonia has learned this from first-hand experience.

This article looks at the relevance of Estonia’s digitalisation and cybersecurity solutions for international capacity building. How can Estonia’s approach to cybersecurity serve as a useful example for other governments and emerging economies? What is the best practice in this field at the e-Governance Academy, one of Estonia’s biggest centres of excellence for sharing digital transformation?

Cyber capacity building – general definitions
Capacity building in general is an overarching concept that relates to efforts to “invent, develop and maintain institutions and organisations that are capable of learning and bringing about their continuing transformation, so that they can better play a dynamic role to sustain national development processes.”[1] In comparison to other fields of international cooperation, cybersecurity capacity building is still relatively young, with the first initiatives dating back to the late 1990s and the field only properly taking off over the past decade. Building national cyber capacity enhances a country’s ability to detect, investigate, and respond to cyber threats. Therefore, supporting cyber capacity building is essential to creating a cyberspace that works for all, as cybersecurity is a critical enabler of successful and resilient digitalisation.

Estonia’s approach
The development cooperation policy of Estonia is based on the globally agreed UN sustainable development goals.[2] The idea that cybersecurity must be at the core of the digital transformation – in the inception, implementation, and delivery of e-services and solutions – has guided Estonia throughout the years. As a second-generation digital society, Estonia has earned its credibility. A whole generation of people has grown up for whom there is no other way for the state to function than digital. Therefore, the Estonian government has a responsibility to develop and maintain cybersecurity capacities that ensure the reliability and safe use of digital services.

Estonia considers digital rights – such as free access to the internet, freedom of expression online, and privacy – an integral part of human rights.[3] The country is an active participant in international discussions on internet freedom and a founding member of the Freedom Online Coalition (FOC). In this regard, Estonia has a pioneering role in leading by example in aligning several important goals at the same time: to keep cyberspace free, open, safe, and secure. The country ranks high in international indexes monitoring the foundations of the country's cybersecurity, as well as in those tracking internet freedom. In the Global Cybersecurity Index (GCI), managed by the International Telecommunication Union, Estonia was third in the world and first in the European Union in 2021. Estonia ranked second after Iceland in the 2022 report by the US think tank Freedom House, which analyzes rights and freedoms in public online space.

Estonia believes that commitment to cyber capacity building efforts for partner countries helps to project stability in the EU neighbourhood. The country is setting an example: Estonia’s support in cyber capacity building ranges from strategic advice and institution-building to education and training. This allows the partner countries to prevent crises, be prepared for crisis management, and build cybersecurity resilience to the benefit of their population.

As a practical example, Estonia was among the early promoters of introducing mandatory cyber risk management for governmental information systems and essential services. It set an example of cyber threat information sharing, developed and promoted the organisation of cybersecurity reserves, and promoted an understanding of how international law applies to state cyber activities. This is part of the cooperative attitude of Estonia in practice.

E-Governance Academy’s experience
The e-Governance Academy (eGA) is an independent, non-profit centre of excellence in Estonia, acting as an implementer of international development cooperation projects. eGA’s work relies on Estonia’s experience and reflects Estonian values supporting a free, open and secure internet. In its projects, eGA involves top experts from diverse backgrounds: civil society organizations, the public and private sectors, and research institutions.

The cybersecurity program at eGA started in 2016, reflecting the growing understanding that security is an enabler of effective and reliable digitalization. eGA’s team is currently supporting cyber capacity building in Georgia, Kyrgyzstan, Moldova, Ukraine and in the Western Balkans with the support of the EU and other donors. This support ranges from legal advice and cyber institution-building to providing equipment and tools, as well as training and exercises in cybersecurity.

The conceptual backbone for this activity is the National Cyber Security Index (NCSI), created and managed by eGA since 2016 as a comprehensive tool for capacity building on cybersecurity. The NCSI monitors countries’ performance in 12 cybersecurity capacity areas, grouped into three pillars: (a) strategic capacities, including aspects related to cybersecurity governance and policy, global engagement, education, and innovation; (b) preventive capacities that involve secure digital infrastructure and cyber threat analysis; and (c) responsive capacities related to responding to cyber threats and to managing cyber incidents and cybercrime.

 

Figure 1. The 12 capacities of the National Cybersecurity Index: Cybersecurity policy; Global cybersecurity contribution; Education and professional development; Cybersecurity research and development; Cybersecurity of critical information infrastructure; Cybersecurity of digital enablers; Cyber threat analysis and awareness raising; Protection of personal data; Cyber incident response; Cyber crisis management; Fight against cybercrime; Military cyber defence.


These 12 capacity areas are further divided into a total of 49 unique indicators, which describe the relevant assessment criteria and the types of evidence used to support the findings. eGA reviews the NCSI indicators and criteria periodically to ensure they remain relevant to current global good practices. The latest version includes new indicators for political leadership, commitment to international law in cyberspace, and cybersecurity research and development under the strategic pillar; cybersecurity of cloud services and the supply chain, and cybersecurity awareness raising coordination under the preventive pillar; and cyber incident reporting tools, participation in international incident response cooperation, procedural law, and military cyber doctrine to ensure the lawful use of capacities, under the responsive pillar.

eGA has used the NCSI to assess countries’ cybersecurity maturity at the national level and to define further roadmaps in various partner countries. For example, in 2021, eGA conducted a comprehensive study of cybersecurity in the Western Balkans, assessing cybersecurity capacity needs in the region in light of the EU acquis and policies, and identifying further opportunities for EU engagement.

Often, the basic recommendations to partner countries interested in cyber reforms are similar. It is useful to set up a governance and coordination mechanism and to agree on information exchange and protocols at various levels. It is necessary to arrange the continuity of critical services and functions with a view to resilience against cyber risks and threats, and to agree on who is responsible for situational awareness, who provides information into the big threat picture and how often, what the secure communication channels are, and what to do in case of a crisis.

Summing up, cybersecurity is not a mere technological challenge, but a matter of societal resilience and stability. While businesses are responsible for the cybersecurity of the services they provide, and individuals need to take care of their digital assets, the cybersecurity of the country is ultimately the responsibility of the state and of national governments. Cyber capacity building is increasingly being used as a mechanism for international cooperation. Development cooperation has a significant role in advancing an open, free, safe and secure cyberspace internationally and increasing cyber resilience.


[1] United Nations, “United Nations System Support for Capacity-Building”, E/2002/58, 14 May 2002
[2] https://sdgs.un.org/goals
[3] https://cyberlaw.ccdcoe.org/wiki/National_position_of_Estonia (2021)