An Analysis of the Cyber Security Strategy (2008) of Estonia

Based in part on ITU Q.22/1 Report On Best Practices For A National Approach To Cybersecurity: Building Blocks For

Organizing National Cybersecurity Efforts

By Joseph Richardson


National Cybersecurity Strategy

This presentation represents the views of the author and is intended to be used exclusively as a training document.

Elements of Framework

A. Policy (goals) on cyber security
B. Case for action
C. Relationship to other national goals and objectives
D. Security initiatives and actions to be undertaken:
1. Collaboration and information exchange
2. Incident management
3. Legal framework
4. Culture of security
5. Other considerations


A: Policy (goals) on Cybersecurity

Provided in broad statements:

• Summary (Pg 3): Estonia’s cyber security strategy seeks primarily to reduce the inherent vulnerabilities of cyberspace in the nation as a whole.

• Introduction (Pg 6): The protection of a country’s entire cyber assets calls for a comprehensive effort involving all sectors of national society, a clear and efficient allocation of responsibilities therein for the prevention of cyber attacks, and increased general competence and awareness regarding threats in cyberspace.


A: Policy (goals) on Cybersecurity

Specific detailed goals:

• Summary (Pg 3) and Section 4: Goals and measures (Pg 27):
1. The development … of a system of security measures.
2. Increasing competency in cyber security.
3. Improving the legal framework for … cyber security.
4. Bolstering international co-operation.
5. Raising awareness on cyber security.


B. Case for action
a. Role of ICTs in nation

Summary (Pg 3, Para 5):

• The dependence of the daily functioning of society on IT solutions makes the development of adequate security measures an urgent need.


B. Case for action
a. Role of ICTs in nation

Details in Section 3.1 (Pg 12):

• The development of Estonia’s information society, … has been an important driver in the country’s spectacular economic growth.

• In 2007, 51% of all Estonian households leased high-speed broadband Internet services.

• … the dependence of our daily activities and lifestyle on the security and proper functioning of information technology increases incessantly.

• The functioning of society depends greatly on the seamless operability of the information infrastructure that supports the critical infrastructure and on its resilience against attack.

• The financial sector is one of the most dependent on e-services.


B. Case for action
b. Risk associated with ICTs

• Summary (Pg 3): The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations.

• Introduction (Pg 6): The numerous cyber attacks launched in recent years against advanced information societies … have placed the abuse of cyberspace high on the list of novel threats.


B. Case for action
b. Risk to be managed

Includes those in the previous slide, plus:

• Introduction (Pg 6): The coordinated cyber attacks against Estonian government agencies, banks, and media and telecommunications companies demonstrated that the vulnerability of a society's information systems is an aspect of national security in urgent need of serious appreciation.

• And those enumerated in Threats in cyberspace (Pg 10):
– Attacks against a nation’s critical infrastructure and its associated information systems.
– Attacks for financial gain.


C. Relationship to other national goals and objectives

Section 1.2 Cyber Security Strategy and its relation to other national development plans (Pg 8):

• In developing the Cyber Security Strategy, the committee has taken into account national development plans that might also be relevant to information security and the information society, as well as plans relating to internal security and national defence.

• The principles of the current Strategy are in line with the Information Security Interoperability Framework that was adopted by the Ministry of Economic Affairs and Communications on 31st January 2007.

• However, the Cyber Security Strategy does not include:
– national measures to target cyber crime; or
– measures to secure the information systems which pertain to national defence.


D. Security initiatives and actions to be undertaken:

Summary (Pg 3), elaborated in Section 4 (Pg 27):

Policies for enhancing cyber security:
– The development and large-scale implementation of a system of security measures
– Increasing competence in cyber security
– Improvement of the legal framework for supporting cyber security
– Bolstering international co-operation
– Raising awareness on cyber security


D.1. Collaboration and information exchange
a. Leadership, key participants and assignment of roles

Section 1.2 (Pg 8):

• … the Government has tasked the Ministry of Defence — in co-operation with the Ministry of Education and Research, the Ministry of Justice, the Ministry of Economic Affairs and Communications, the Ministry of Internal Affairs and the Ministry of Foreign Affairs — to develop a "Cyber Security Strategy for 2008–2013".¹

Section 5 (Pg 35):

• The responsibility for developing the “Implementation Plan for Cyber Security Strategy 2008–2010” lies with the Cyber Security Strategy Committee, led by the Ministry of Defence in co-operation with the Ministry of Education and Research, the Ministry of Justice, the Ministry of Economic Affairs and Communications, the Ministry of Internal Affairs, the Ministry of Foreign Affairs and private sector representatives.


D.1. Collaboration and information exchange
b. Policy development mechanisms

Footnote (Pg 8):

• The development of the Strategy should follow the Government of the Republic Regulation No. 302 of 13th December 2005 on the types of strategic development plans and the procedures for preparation, amendment, implementation, assessment and reporting thereof.


D.1. Collaboration and information exchange

c. Information sharing and operational mechanisms
d. Trusted forums and their operations
e. Industry to industry cooperation, including among interdependent critical industries

Not specifically addressed, but note that responsibility for implementation was assigned to a committee whose named members include the private sector.


D.2. Incident Management
a. Coordinator for Incident Management (CIM)
b. Roles and responsibilities of CIM
c. Establish CSIRT with national responsibilities (N-CSIRT)
d. Obtain CSIRT services
e. Key cooperating participants and roles

• Estonia already has a CERT, so the Strategy does not directly address these CERT establishment issues.


D.2. Incident Management
f. Protection for government operated systems
g. Proposals for protection of national cyber resources

Section 4.1 (Pg 27):

• Estonia will develop a system of security measures … to ensure national cyber security.

Measure 1 (Pg 27):
• Protection of the Critical Information Infrastructure (CII).

Measure 2 (Pg 28):
• Implementation of security measures in the public and private sectors.


D.2. Incident Management
h. Integrated risk management

Section 4.1 (Pg 27) Measure 1:

– The aim is to develop a common methodology for assessing the vulnerability of critical information systems and their support services.


D.3. Legal Framework
a. Legal authorities for review and update

Section 3.4 (Pg 17-19) Cyber security and legal framework:
– Review of law was begun in 2007 and found:
– “the need of amending and harmonising the following elements of national law”
• Penal Code, Electronic Communications Act, Personal Data Protection Act, Public Information Act, Information Society Services Act


D.3. Legal Framework
b. Lead ministries

• Not specifically identified – review began in 2007
– Ministry of Justice identified as participating in the implementation committee.


D.3. Legal Framework
c. For cybercrime – enforcement initiatives

Section 4.3 (Pg 30) Development of a legal framework for cyber security:

• The development of legislation to ensure cyber security is aimed at creating a robust legal framework for combating cyber crime….


D.3. Legal Framework
d. International cooperation

Section 3.5 (Pg 21) International Co-operation:
– (At Pg 23): Estonia considers active participation in international organisations vital for increasing global cyber security.


D.4. Culture of Security
a. Awareness and outreach programs

Summary (Pg 5): Policy # 5. Raising awareness on cyber security, by:

– presenting Estonia’s expertise and experience in the area of cyber security at both the domestic and international level, and supporting co-operative networks;

– raising awareness of information security among all computer users with particular focus on individual users and SMEs by informing the public about threats existing in the cyberspace and improving knowledge on the safe use of computers;

– co-ordinating the distribution of information on cyber threats and organising the awareness campaigns in co-operation with the private sector.


D.4. Culture of Security
a. Awareness and outreach programs

Section 4.5 (Pg 34) Raising awareness of cyber security. The goals include:

– increasing awareness of information security and the risks stemming from the cyber environment among all computer users;

– spreading awareness of secure computer use and the basic principles of information security among different target groups in society;

– promoting Estonia’s positions on cyber security at both the national and international levels, and supporting the efficient functioning of co-operation networks.


D.4. Culture of Security
b. S&T and R&D

Section 4.2 (Pg 29) Increasing competence in information security:
– Measure 1: Organisation of Training in Cybersecurity
– Measure 2: Enhancing Research and Development


E. Other considerations
1. Budget and financing

Section 5 (Pg 35) Implementation of the Strategy:
– Attention will be given to the concrete actions and funds needed to achieve the objectives of the Strategy in its various fields of competence. Implementation Plans will be developed for two periods: 2008–2010 and 2011–2013.


E. Other considerations
2. Implementation timeframes

Section 5 (Pg 35) Implementation of the Strategy:
– The Strategy was adopted by the Government on 8 May 2008.
– An Implementation Plan for 2008–2010 will be submitted to the Government for approval within three months of the adoption of the Strategy.


E. Other considerations
3. Review and reassessment plans

Section 5 (Pg 35) Implementation of the Strategy:
– The implementation and overall efficiency of the Strategy in meeting its stated objectives will be assessed by the Cyber Security Council of the Security Committee of the Government of the Republic.

Thank you

Joseph Richardson
