Kuberturvalisuse Kasiraamat ENG
National Cyber Security in Practice
Publication composed by: Epp Maaten, Toomas Vaks
Contributors: Oskar Gross, Lauri Luht, Epp Maaten, Elsa Neeme, Kimmo Rousku, Toomas Vaks
Photos by: iStock
Design: Dada AD
Translation and editing by: Refiner OÜ
Published by:
e-Governance Academy
Rotermanni 8, 10111 Tallinn
ega.ee
The handbook “National Cyber Security in Practice” is financed by the Estonian Ministry of Foreign
Affairs from the funds of development cooperation and humanitarian aid.
Tallinn, 2020
ISBN 978-9949-7467-1-2
© e-Governance Academy 2020
Contents
Foreword 5
Introduction 6
Contributors 47
Foreword

Epp Maaten | Programme Director of National Cyber Security
e-Governance Academy

There are many threats in cyberspace and the measures to counter them are also numerous. This raises the question of where a state should begin in order to better protect itself in cyberspace. The answer can be found in this handbook, National Cyber Security in Practice, which describes the key elements of national cyber security and outlines the activities that are essential to prevent and respond effectively to cyber threats.

The development of cyber security starts with mapping the situation and setting strategic goals. In the first chapter, we describe a model for resilient cyber security, which provides a framework for the activities described in the following chapters.

One of the first documents that states prepare when embarking on the development of their cyber security is a strategy paper. We focus on the cyber security strategy in chapter 2. This chapter lists the criteria for a good strategy and describes
Introduction
By the beginning of the third decade of the 21st century, the digital economy will represent a significant and growing part of the global economy, estimated to reach 15.5% of global GDP.1 The development of information technology has affected all aspects of the economy and society, and the sharing economy and ‘smart agriculture’ are just a few examples of areas where information and communication technology (ICT) has brought about profound changes. More than half of the world’s population uses the internet and almost 45% are daily users of social media. Along with changing the way communication works, it is also changing the way societies function. But in addition to new opportunities, IT development brings with it new types of risks that need to be addressed at the national level.
1 UNCTAD
1.
Resilient cyber security
It is important to realise that cyber security incidents can never be completely prevented. The rapid development of technology and its accelerated spread also increases the potential for security incidents. Therefore, in addition to preventing incidents, the focus must also be on cyber resilience; that is, the control and reduction of damage caused by incidents. This requires two types of action: first, proactive measures aimed at preventing incidents, and second, reactive ones to control and reduce damage.

It is important to identify and understand potential threats (threat intelligence) and the risks associated with these threats (risk awareness). There is also a need for resources to detect and cope with incidents (incident management) and to plan activities and resources to deal with the damage caused by incidents (recovery). The existence of such measures will, on the one hand, increase the ability to prevent incidents by increasing overall security and, on the other hand, significantly reduce the adverse impact of incidents on society.
Figure (resilient cyber security model): proactive measures, resilience, reactive measures.

2.
National strategic planning for cyber security
Strategic planning for cyber security is directly linked to the strategic planning of national security and the development of the corresponding strategies. In countries with a broader view of national defence issues, cyber security is seen as an important part of national security and perceived security in society. Until the early 1990s, national security strategies and development plans focused primarily on national military defence capabilities. Only afterwards did an understanding of the broader nature of national security emerge that includes such important aspects as the protection of the population and the security of society as a whole, in contrast to a narrowly state-centred approach.

The issues of critical infrastructure protection and the provision of vital and essential services have emerged in connection with ensuring the security of society as a whole. This is because one method used today to undermine national security and the population’s sense of security involves putting pressure on the country’s population and dis-
A strategy concerns public institutions, the private sector and society at large, as well as the international environment.
Strategic decisions need to be understood as affecting overall wellbeing and not just a narrow group of public authorities or a specific area of government.
A strategy must cover the objectives as well as the content of the activities and the process of achieving the outcome.
Strategies can be created for different levels. A national strategy may also be supported by strategic plans with a narrower scope or time frames.
National strategies have an important role to play in raising awareness of the issues and objectives in a particular field, both domestically and internationally. Domestically, these strategies provide an opportunity to explain and justify management decisions. Internationally, public strategies provide information to the country’s partners on the country’s national action plans.

Do you consider cyber security and strategic planning as a nationwide process with heterogeneous actors? Do you involve the private sector, such as critical infrastructure and communication companies and other partners, and choose a comprehensive approach?
Do you base your cyber security strategic planning on the need for extensive cooperation and coordination between government agencies? Do you approach cyber security inclusively across all government agencies?
Do you address the international dimension of the strategic planning of cyber security? Is international cooperation necessary?
Cyber security strategies have played an important role in declaring national priorities, explaining them to the public and to those who implement the strategy. The National Cyber Security Index2 addresses the cyber security strategy as part of cyber policy development. The strategy preparation process includes the development of policy options, which will be realised during the implementation of the strategy.

Cyber security strategies can be conditionally divided into two: national defence-based and civil society-based. The boundary between the two has been blurred, however, by the adoption of a comprehensive approach to security. Strategic planning of cyber security should be based on a broader approach to the field and goal-setting, not just on the existing organisation of cyber security.

The process of designing and implementing strategies allows for the systematic management of the development of the field and is very useful for the country, despite the time and resources involved in developing and, especially, implementing the strategies.

The cyber security strategy process will also help to generate and maintain a broader interest in cyber security issues and the solutions to them. The existence of interest also has a direct impact on the development of the cyber security field beyond the strategy. For example, according to experts, the process of drafting the three cyber security strategies in Estonia in 2008–2018 has had a perceptible positive impact on the actual state of cyber security as well as on the development of Estonia’s international reputation and competitiveness.

Steps of the strategy process (from the figure):
1) initiating the strategy process and agreeing on the steps in the process
2) identifying the people and institutions involved in the development of the strategy, determining the powers of the parties in accordance with legal acts and regulations
9) evaluating the applied strategy, the strategic planning process and its implementation

It is important to involve all stakeholders in the process of strategy development. First, successful strategic planning requires a clear message from the national leadership on the need for it, and the active involvement of the leaders of the organisations involved in strategy development. The awareness and involvement of managers and other employees in the strategy creation process is necessary but often complex in practice, as involving a large number of people makes the process slower and more expensive. It is important to strike a reasonable balance, so that people who have the necessary information or on whom the implementation of the plan depends will be involved.

For the strategy to succeed, it is important to identify the stakeholders that are relevant to the strategy as precisely as possible. These are individuals, groups of individuals or organisations with a legitimate interest in the field or how it is organised. Stakeholders may include:
1) implementers of the strategic plan,
2) beneficiaries of the strategic plan,
3) actors that can make a significant contribution to or obstruct the implementation of the strategy.

In the absence of a complete overview of all stakeholders at the time the strategy is initiated, you should be prepared to involve them later.
3.
Cyber security regulation in Europe

What is cyber security?

Cyber security is a globally recognised concept widely used in both expert language and common usage. However, few European Union member states have defined cyber security at the level of national law.3

The 2016 European Union Network and Information Security Directive (EU NIS Directive) does not define cyber security, but uses the concept of security of network and information systems instead. It describes the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of data or the related services.4

Figure 4. Cyber security forms the defence of a digital society, ensuring that the likelihood of internal and external threats to its operation is low. (The figure places the e-society at the centre of a cyber security ring labelled resilience, prevention and response; around it are the threats: environmental threats, malware/ransomware, technical vulnerabilities, socially engineered attacks, human errors, malicious insiders, infrastructure failures and lack of procedures.)

The Estonian Cybersecurity Act5 of 2018 also does not define the concept of cyber security, but the explanatory memorandum to the act explains cyber security as a state of society characterised by a low probability of threats to public order, people’s health, property and the environment materialising through network and information systems, and the ability to respond to and mitigate the adverse effects of such threats.

The EU Cybersecurity Regulation6, which entered into force in 2019, defines cyber security as the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats. It follows from these two examples that cyber security always involves the well-being of a digitally minded society.

The main objectives of network and information system security, commonly referred to as the CIA triad (confidentiality, integrity, availability), are also the objectives of cyber security legislation. What the above shows is that there is no clear understanding in the EU as to which term is more accurate – ‘cyber security’ or ‘network and information system security’. The purpose of the actions through which both concepts are defined is similar, only the level of detail of the definitions differs.

Design of European regulatory models for cyber security

As the internet is cross-border, cyber security legislation and strategy cannot develop in isolation, but have to consider the trends in other countries. Regulations in European countries have been developed primarily on the basis of the Treaty on the Functioning of the European Union.7 On the one hand, they are based on agreements aimed at ensuring an integrated approach to freedom, security and justice, covering, for example, cooperation in criminal and police investigations into attacks against information systems and cybercrime. On the other hand, the legislation on cyber security is based on the objective of ensuring the functioning of the single internal market. Although each regulation has a different scope and circle of addressees, they share the common feature that, in order to ensure the safe functioning of the internal market, these acts require market participants to:
(a) inform the competent authority of security incidents;
(b) take the necessary security measures.

In the European Union, the 2016 Network and Information Security Directive (EU NIS Directive) marks a milestone in the development of cyber security legislation. The main driving force behind the EU NIS Directive was the growing importance of network and information systems for the provision of essential services to society, such as power generation, passenger and freight transport, health care, and more. In order to protect the EU single market, it was necessary to harmonise national measures to ensure the resilience of the network and information systems for critical services. There was also a need to establish pan-European strategic and operational cooperation mechanisms.

The EU NIS Directive approaches national cyber security management in a comprehensive and systematic way, imposing the following obligations on member states:
a) develop and implement a national cyber security strategy,
b) designate at national level the providers of services essential for the sustainable functioning of society,8
c) establish the necessary security measures for providers of services essential for society in order to ensure the reliability of network and information systems,
d) ensure the availability of a capable and competent CSIRT9,
e) designate at least one cyber security authority in the country to coordinate activities under the EU NIS Directive.

Extent of the territorial impact of cyber standards

Globalisation is increasingly giving rise to questions about the extent of the territorial impact of legislation. Several legal experts have stressed that the EU rules on the protection of personal data also apply outside the EU. The General Data Protection Regulation (GDPR) unequivocally provides that personal data may only be transferred to third countries and international organisations in full compliance with the regulation.10 The cross-border nature of data protection requirements is also supported by case law. For example, in its judgment in Google v Spain, the European Court of Justice notes that the European Union legislature has prescribed a particularly broad territorial (cross-border) scope to ensure individuals the protection guaranteed by the GDPR.11

The implementation practices of the EU NIS Directive have not yet been considered by the courts, but similar legal proceedings to those concerning the protection of personal data can be expected. For example, if a digital service provider12 is not located in the European Union but provides services in the EU territory, it must appoint a representative in the EU,13 in which case the company is subject to the jurisdiction of the country of residence of the representative. As a result, for example, cloud providers offering services in Europe may simultaneously be subject to the legal systems of several EU member states. This happens when the provider of an essential service identified in one member state uses a cloud computing service, the provider of which is under the jurisdiction of another member state, while the data centres for cloud computing are located in a third and perhaps a fourth member state. Although in the above example cooperation is required between the member states’ competent authorities under the EU NIS Directive, supervision may prove difficult in practice.

Given the global trend in economic activity, it may be said in the light of the above examples that the scope of the cyber security requirements imposed by the EU legislator is not limited to the jurisdiction of a single country or the EU, but may extend to third-country operators.

A cyber-secure society and the protection of human rights

EU data protection rules apply only to the processing of personal data. The standards for the protection of services essential for society focus on ensuring the reliability of the network and information systems directly related to the provision of services. In both cases, the EU has committed data controllers and operators of services to implement organisational, IT and physical security measures to ensure the confidentiality, integrity and availability of data.

Figure 5. Ensuring confidentiality, integrity and availability are the starting points for implementing appropriate and proportionate security measures. (The figure shows the CIA triad at the centre of a ring labelled ‘appropriate and proportionate measures’, with examples such as access rights, user identification and authorisation, a recovery plan, regular back-ups, and the management of actions and anomalies.)

The EU NIS Directive requires operators of essential services and digital service providers to take technical and organisational measures to manage the risks to the security of the network and information systems that they use in their operations. The General Data Protection Regulation imposes an obligation on data controllers to ensure the secure processing of data; that is, the obligation to take appropriate technical and organisational measures in the light of the threat to the rights and freedoms of the individual.

Therefore, both regulations are characterised by the obligation to implement appropriate and proportionate security measures based on the assessed level of risk. The Estonian National Cyber Security Strategy emphasises that, despite separate regulations, it is no longer reasonable or feasible for the implementers to separate the protection of personal data from ensuring cyber security, but that the legal obligations must be viewed in their entirety and in harmony with each other.14

Both personal data protection legislation and network and information system protection legislation seek to promote a risk management culture that directs the operators of essential services and data processors to critically evaluate their activities and the digital environment risks that affect them, rather than prescribing precise rules. Depending on the activity and potential environmental risks, precautionary measures must be taken to prevent or minimise such risks.

4 Article 4(2), Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016.
5 Cybersecurity Act, State Gazette I, 22.05.2018, 1. https://www.riigiteataja.ee/akt/122052018001
6 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019.
7 Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union, 2012/C 326/01, OJ C 326, 26.10.2012, p. 0001–0390.
8 For example, electricity suppliers and producers, airlines, rail infrastructure companies and financial institutions. It is notable that the market participants in such sectors traditionally form the core of the country’s critical infrastructure.
9 CSIRT – computer security incident response team.
10 GDPR, recital 101.
11 Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), paragraph 54.
12 A company that provides cloud computing services, operates an online marketplace or provides search engine services.
13 Article 17(3).
4.
IT security incident response team

Toomas Vaks | Cyber security expert
Head of Cyber Security Branch, Estonian Information System Authority (2011–2017)

IT security incident response teams are known internationally as CSIRTs (computer security incident response teams) or CERTs (computer emergency response teams). The name ‘CERT’ is internationally protected and requires the permission of its owner, Carnegie Mellon University, which is why more and more teams nowadays use the name ‘CSIRT’.

CSIRTs are set up by public authorities, private companies and universities; other CSIRTs specialise in economic sectors such as banking or e-commerce. Their setup can be very different – a CSIRT can be a public authority, a private-sector service provider, or a public-private partnership.
Tasks of a CSIRT:

The following are key to the successful fulfilment of this role.

1) Expertise and sufficient resources. The team should include experts in network security, log analysis, computer forensics and reverse engineering, as well as security architecture and advanced information security. It is also important for the team to have its own development resources because the specific nature of a CSIRT’s work means that all the necessary tools cannot be outsourced, but some of them have to be developed by the team itself. Success in responding to incidents at the national level also requires knowledge of the functioning of the state and of critical services, risk and crisis management and business continuity. The required hardware and software, communications, a secure location, and other things necessary for the job must also be provided.
2) Threat intelligence. Continuous gathering and analysis of information on security incidents both domestically and internationally makes the rapid identification of threats possible and the resolution of incidents more effective. The concept of an incident should be precisely defined along with the process for incident reporting and analysis. In addition to collecting information from public sources (OSINT), national reporting and information exchange, international information exchange with sister organisations from other countries is highly desirable.
3) International cooperation and participation in international cooperation networks. As cyberattacks and other security incidents are generally global in nature and not bound by national borders, it is essential to have good contacts and information exchange with the international community. Active participation in networks, such as Trusted Introducer18, helps build the reputation and credibility of the team, which in turn allows for faster communication with the international CSIRT community. Generally, this community sticks together, and contacts at the specialist level often transcend the traditional boundaries of transnational communication.
4) Cooperation with the national IT community. It is important to understand that the functioning of the IT services needed by society is largely dependent on private-sector companies. Typically, IT professionals develop their own spontaneous or organised communities, from professional alliances to online forums. It is important for a CSIRT to work with and be visible to these communities. It provides quick access to necessary information on security changes, accelerates information exchange, and even outlines the availability of specific IT expertise or resources that can be used to respond to incidents in an emergency.
5) Clearly defined national working arrangements for information exchange and incident response. The roles of the various organisations and agencies, their cooperation and the arrangements for the exchange of information must be clearly defined and organised. IT incidents tend to escalate very rapidly. The effectiveness of their resolution depends largely on the speed of response, in which previous planning and agreed working arrangements are key. The public also needs to have a clear understanding of the role of a CSIRT. Given the need for extensive cooperation with the private sector, it is advisable to clearly define the role of the CSIRT and to establish clear demarcation lines, for example, with regard to the role of the police or security authorities. Giving a CSIRT a public oversight role is not desirable; it is preferable that the team is perceived as a ‘firefighter helping to put out the fire’ rather than a ‘police officer that cuffs your hands’.
6) Exercises. Regular exercises are required to test incident resolution plans as well as team skills. Exercises should be organised both within teams and at the national level, involving partner institutions as well as private companies. Teams should certainly take part in international exercises, which have become increasingly popular in recent years (e.g. Cyber Europe organised by ENISA and the technical exercise Locked Shields organised by CCDCOE).
7) Communication and visibility. Informing the public as well as partner institutions about security threats must be a regular activity and there must be a clear process in place to that end. Although information campaigns and media communication may also be conducted through partners, it is advisable to have a corresponding function within the CSIRT itself. A CSIRT should also be visible in social media and interact with its constituency as much as possible.

Figure (CSIRT functions): monitoring, threat intelligence, analysis, incident resolution, communication and planning.

18 TF CSIRT, https://www.trusted-introducer.org
5.
Law enforcement in the context of cyber security

Although cyber and digitalisation have in recent years become increasingly popular topics, in the context of law enforcement these are nothing new. As early as 1988, Robert Tappan Morris was able to infect the internet with a worm from the M.I.T. campus. He was caught and charged with violation of the Computer Fraud and Abuse Act.19 However, even though cybercrime has existed for almost as long as the internet, it has changed from some clever enthusiasts testing the limits of the internet to a huge underground economy making it one of the least risky forms of criminal activity. It is almost impossible to calculate an actual figure for the global losses from cybercrime due to the indirect costs (loss of data, revenue, emotional harm etc.), but for instance considering that haveibeenpwned.com reports 9 billion breached accounts, we can quite safely say that almost everybody has been a victim of cybercrime in one way or another. Although the Estonian criminal police have quite a long history with cybercrime investigations, the Estonian Police and Border Guard Board decided to create a specialist bureau for investigating cybercrime in Estonia in 2016.

What is cybercrime?

Cybercrime as a term covers an extremely wide spectrum – essentially all the bad things you can do with a computer. There are numerous approaches that try to structure this topic. One is to categorise cybercrime from the perspective of the point-of-failure, either human or computer. The term cyber-dependent is used to describe crimes that cannot be carried out without a computer (e.g. ransomware, DDoS attack, RAT, etc.), while the term cyber-enabled crimes is used for crimes which can be scaled to massive proportions with the help of computers (e.g. fraud, child sexual exploitation, illegal drug trade, etc.). Another way is to divide the different modi operandi by type of crime: extortion (e.g. ransomware, sextortion), fraud (e.g. CEO fraud, business email compromise attacks), stealing (e.g. illegally accessing bank information systems or client accounts) and so on. In essence, there is no right or wrong way, but I personally prefer the latter, as I find that it is important to demystify the field.

The role of law enforcement

Law enforcement has an important role to play in cyber security. As in real life, we expect that at least to some extent people are also protecting themselves (e.g. locking their doors, using seatbelts, etc.) on the internet (e.g. strong passwords, two-factor authentication, etc.). Another pillar of cyber security includes Computer Security Incident Response Teams (CSIRTs) and Computer Emergency Response Teams (CERTs), who actively prevent and respond to cyber incidents. The difference between CSIRTs/CERTs and regular law enforcement is that the goal of law enforcement is to identify and prosecute the people behind malicious attacks, whereas the work of CSIRTs/CERTs is to take a cyberattack under control and get systems working normally again. These lines of work might seem similar but in practice the overlap is rather limited – some technical details are relevant during the investigations, but a large part of successful cyber cases surprisingly rely on classical criminal police work. From the societal point of view, the importance of law enforcement is deterrence. As long as we are only deactivating the weapons used by criminals, they will just attack us again either with the same or new weapons. In order to complete the valuable work of CSIRTs/CERTs, it is important to find and prosecute the people responsible. Considering the speed of digitalisation we have to keep in mind that it is wise to jump on an accelerating train rather sooner than later.

Model for cyberpolice

Dealing with cybercrime has a couple of unique aspects compared to criminal policing in other fields. Most of these stem from the fact that cybercrime is global and a large amount of evidence is located online. This, in turn, means that the tools used by regular criminal police are usually not an exact fit for analysing the type and amount of information that cybercrime investigators face.

Technical specialists
In Estonia we have seen that having highly-skilled technical specialists at the cybercrime unit makes a big difference – it enables the unit to design their own tools for searching or (automatically) analys-

19 United States v. Morris (1991), 928 F.2d 504, 505 (2d Cir. 1991).
In the end, good tools and information are the only way we can achieve an intelligence-led approach, which enables us to investigate cases that have the greatest impact, either on our own country or the whole cybercriminal environment. Effectiveness and focus are extremely important because the amount of noise is huge – even petty crimes and ineffective simplistic frauds are so scalable that they might drive us away from more important targets.

Legal aspects

Due to extremely rapid digitalisation, it is important to keep the legal framework up to date to enable law enforcement to do their work. When countries adopt a similar approach to the criminalisation of cybercrime, it makes the legal process clearer and cross-state investigations faster.

In cybercrime investigations, reaction time might have a huge impact. However, it is not only about the officers reacting fast but also the legal framework giving them the right tools – whether to obtain data or at least preserve information such that it is later collectable through the legal process. On a more general note, it is also important to consider different privacy-related regulations; for example, data retention, the right to be forgotten and so on.

The legal framework should give the right tools to investigate cybercrimes.

Although cybercrime is not a new phenomenon, it is amazing how versatile the opportunities it affords criminals are – from illegal markets to money laundering and extremely technical methods to obtain illegal access to computer systems. Although we are investing considerable effort to defend against cybercrime, it is crucial that we also invest in well-functioning law enforcement cybercrime units because otherwise there is no actual deterrence and the amount of criminal activity just increases. The pillars of effective cybercrime investigations are motivated people with skills, the right tools, actionable intelligence, a supportive legal system, and last but not least practical international cooperation.
6. Organisation of national cyber security

Elsa Neeme | Legal Advisor, Legal Expert at the Cyber Security Branch of Estonia's Information System Authority (2016–2018)
Epp Maaten | Programme Director of National Cyber Security, e-Governance Academy
Kimmo Rousku | General Secretary, Finnish Public Sector Digital Security Management Board (VAHTI)
The organisation of national governance for cyber security is a matter of choice for each country and largely depends on the country's existing legal environment. Legal choices may be influenced by factors such as the availability of cyber security expertise, considerations regarding funding as well as national strategic development plans on topics like national internal security and economic security.

In its shaping of the legislative field around cyber security, Estonia is guided by the broad concept of national defence and the principles of Estonia's security policy.20 When looking at other European countries, cyber security governance models generally follow either a decentralised or a centralised approach.
21 In France, for example, the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) has been designated as the supervisory authority for critical operators that has the power to oblige critical operators to comply with security measures and is also authorised to conduct security audits. In addition, ANSSI acts as the emergency authority for the protection of critical information infrastructures. Estonia applies the more commonly used decentralised approach to the management of critical infrastructure protection. According to the Cybersecurity Act, the coordinating authority in Estonia is the Information System Authority. Under the Emergency Act, the same organisation also manages the emergency response to a cyber incident. Source: Communication COM(2017) 476 final/2 from the Commission to the European Parliament and the Council, https://eur-lex.europa.eu/legal-content/EN-ET/TXT/?uri=CELEX:52017DC0476&from=EN.
The Security Committee of the Government of the Republic analyses and assesses the national security situation and coordinates the activities of the authorities of executive power in planning, developing and organising national defence. The committee is chaired by the Prime Minister, and its members include the Minister of Foreign Trade and Information Technology, the Minister of Justice, the Minister of Defence, the Minister of Economic Affairs and Infrastructure, the Minister of Finance, the Minister of the Interior and the Minister of Foreign Affairs. The secretary of the commission is the director of national security and defence coordination.

The task of the Cyber Security Council is to contribute to smooth cooperation between various institutions and ensure the implementation of the objectives of Estonia's Cyber Security Strategy through the planning documents, programmes and work plans of the responsible government institutions. The council is chaired by the secretary general of the Ministry of Economic Affairs and Communications.

The Ministry of Economic Affairs and Communications coordinates cyber security policy development and the implementation of the Cyber Security Strategy, as well as the cooperation between state authorities and the wider community.

The Information System Authority, which organises the development and maintenance of information systems that ensure the interoperability of the state information system, manages activities related to information security and handles cyber incidents that occur in Estonian computer networks. The Information System Authority's tasks in cyber security include ensuring the security of all network and information systems essential to the operation of the state.

The Government Office ensures that cyber security is integrated into national defence planning documents (the national defence development plan and the state defence activity plan).
Figure (organisation chart): bodies shown around the Cyber Security Council – Information System Authority, Internal Security Service, Police and Border Guard Board, Financial Supervision Authority, Bank of Estonia, Defence Forces, Defence League, Office of the Prosecutor General, Foreign Intelligence Service.
The Ministry of the Interior, in cooperation with the Police and Border Guard Board and the Internal Security Service, ensures the prevention of and response to crimes that endanger cyber security, and devises policies for the prevention, detection, response and processing of cybercrime, and for digital forensics. The ministry ensures the implementation of the priorities of the Cyber Security Strategy through the activities of the internal security development plan and related programmes, and contributes to the establishment of mechanisms for cross-sectoral cooperation and coordination, as well as the creation of a unified situational picture.

The Ministry of Defence, in cooperation with the Defence Forces, the Defence League and the Foreign Intelligence Service, manages the implementation of activities related to the digital aspect of the military defence side of the national defence development plan and contributes to the establishment of mechanisms for cross-sectoral cooperation and coordination, as well as the creation of a unified situational picture.

The Ministry of Foreign Affairs directs and coordinates the international cooperation activities related to the strategy.

The Ministry of Education and Research takes into consideration the priorities agreed in the objectives of the Cyber Security Strategy in its planning of lifelong learning strategy activities. The ministry supports the acquisition of basic knowledge for coping with cyber threats for graduates at all educational levels. The Information Technology Foundation for Education (HITSA) supports the Ministry of Education and Research in meeting the Cyber Security Strategy objectives in its area of administration.

The Ministry of Justice, in cooperation with the Office of the Prosecutor General, which is in charge of pre-trial criminal proceedings, contributes to planning regulatory and criminal justice policy throughout the digital sector, and plans sectoral preventative actions through violence prevention strategy activities. Among the Ministry of Justice's area of administration is an institution that is considered important from the standpoint of cyber security – the Data Protection Inspectorate (AKI), which supervises the rights and responsibilities in the field of the protection of personal data.

The Ministry of Finance helps in developing the different parts of the strategy, including ensuring sustainability and integration with other strategic planning processes. The ministry also ensures the involvement of the financial sector. Other authorities working with cyber security include the Financial Supervision Authority, which monitors financial institutions, and the Bank of Estonia, which follows the requirements established by the European System of Central Banks.
Finland does not have a single body responsible for the centralised management and steering of digital or cybersecurity at the national level. Instead, each administrative branch and competent authority is for its part responsible in its own area according to what is provided in legislation. This is possible thanks to the excellent coordination, reconciliation and development of activities conducted with businesses across administrative boundaries, which can be considered an important resource for Finland.
Key roles and responsibilities

The Prime Minister's Office is responsible for monitoring the implementation of the Government Programme and assists the Prime Minister in the management of the government. The office secures the operating conditions of the Prime Minister and the government in all circumstances. The area of responsibility of the Prime Minister's Office includes government awareness, preparedness and security, general coordination of the management of incidents, and joint information and document management for the government and its ministries.

The Ministry for Foreign Affairs co-ordinates this international cooperation activity. The cyber domain and cybersecurity have become an important part of Finland's foreign and security policy as cyber threats do not respect national borders. The ministry also acts as the National Security Authority (NSA) that is responsible for protection and processing of international classified information and, among other things, for the preparation of international information security agreements.

The Ministry of Finance is responsible for an economic policy that strengthens the preconditions for stable and sustainable growth, good management of public finances and effective public administration. The Ministry of Finance is responsible for the general principles of information policy, information management and electronic services in public administration. To that end, the Ministry of Finance prepares the general principles and requirements for the digital security of the ICT infrastructure, digital services and data in public administration as well as the policies, regulations and development programmes for digital security in public administration. The ministry also appoints the necessary management groups and cooperation networks. For example, the ministry has appointed a strategic management group for digital security in public administration.

The task of the Digital and Population Data Services Agency (Finnish Digitalisation Agency) is to promote the digitalisation of society, to secure the availability of data, and to offer services for life events and to guarantee the undisrupted, secure and smooth operation of services that are important for the functioning of society. The agency provides population information, certification services and support services for the use of e-services that contribute to creating the preconditions on which digitalisation can be built. The agency is responsible for the expert services in digital security and prepares recommendations and instructions. It is also responsible for the operation of the Public Sector Digital Security Management Board (VAHTI).

The Ministry of Transport and Communications is responsible for the development of information security in electronic communication services and networks. The ministry develops strategy and regulations concerning the information security of electronic communication services or networks and other general guidance. The Finnish Transport and Communications Agency Traficom operates under the Ministry of Transport and Communications. The Cyber Security Director working at Traficom is responsible for implementing Finland's Cyber Security Strategy.

The National Cyber Security Centre belongs to the Finnish Transport and Communications Agency and plays a central role in the preparedness of a digital society. Through its activities, the agency ensures the functioning of society and services, like public communication networks in the event of disruptions and emergencies. In addition, the agency ensures the availability of radio frequencies and cryptographic material and is responsible for Finland's national domain extension .fi, maintaining the fi-root name servers and monitoring the registrars of domain names. The agency also carries out the CERT function (Computer Emergency Response Team).

The Police are responsible for the prevention, detection and investigation of offences and the consideration of charges. Cybercrimes are investigated by police departments on a regional basis.
- The National Bureau of Investigation includes the Cyber Crime Centre, which is responsible for the investigation of the most serious cybercrimes, internet and network intelligence and maintenance of situational awareness.
- The Finnish Security Intelligence Service (SUPO) is responsible for preventing and combatting the most serious threats to national security, such as terrorism and illegal intelligence gathering by foreign states. The Intelligence Service also performs these tasks in the digital operating environment. It conducts intelligence analyses to support the government and other authorities in their decision-making.

The Finnish Defence Forces create a comprehensive cyber defence capability for their statutory duties as part of securing the vital functions of society. 'Cyber defence' refers to the area of national cybersecurity related to national defence, which consists of the capabilities of intelligence, influence and protection. The cyber defence capabilities produce intelligence data to support the government and the defence forces in their decision-making, while supporting the operations.

The Security Committee assists the government in broad matters related to comprehensive security. The committee monitors the development of Finland's security environment and coordinates the proactive preparedness related to comprehensive security. According to the guidelines of the 2013 strategy and of the renewed 2019 strategy, the Security Committee monitors and coordinates the implementation of the strategy. The goals of cybersecurity coordination include the avoidance of unnecessary duplication, the identification of possible shortcomings and determining the competent entities. The competent authorities will make the actual decisions subject to the provisions.

The Data Protection Ombudsman is a national supervisory authority overseeing compliance with data protection legislation. The task of the Data Protection Ombudsman is to promote the realisation of the right to access information and other fundamental rights in the processing of personal data. The Ombudsman processes notifications of data security breaches, approves certification authorities and inspects information systems.

The Information Management Board was established in 2020 to enhance and implement the information management and information security requirements. The board may set up temporary divisions, publish recommendations and organise seminars and other events.

The National Emergency Supply Agency belongs to the Ministry of Economic Affairs and Employment. It is responsible for the planning related to the maintenance and development of security of supply in Finland and the related operative activities. In cooperation with other authorities and businesses, the National Emergency Supply Agency ensures the continuity of the most critical systems in terms of the functioning of society in all circumstances. The agency manages and allocates the resources for the Digital Security Programme 2030 aimed at meeting the needs of businesses that are critical for the security of supply, while improving the security of cyber and digital infrastructures.

Municipalities and unions of municipalities are responsible for providing basic ICT services, procurement and tendering of information technology, and their development and maintenance. There are differences between municipalities and the unions of municipalities, and their organisational approach depends on the size of the municipality. It is estimated that about one-third of services are outsourced, but often these outsourced services are provided by companies owned by municipalities and the unions of municipalities. The task of the municipal council is to ensure the organising of risk management. By the end of 2023, municipalities are required to implement the minimum information security requirements in accordance with the Information Management Act.
7. Critical infrastructure and cooperation with the private sector

Lauri Luht | Head of National Situation Centre, The Estonian Government Office
The concept of critical information infrastructure

It is up to the state to ensure that people's basic needs are met and basic services provided, so that society can function. Services that are critical to the day-to-day functioning of society and/or for dealing with crises are called vital or essential services. Such services include the generation and distribution of electricity, various telecommunications services, water supply, financial services and various transport services.

Vital services require infrastructure, both on a daily basis and in times of crisis, and people to maintain the infrastructure. The infrastructure that enables a vital service to function is known as critical infrastructure. Due to process automation and the transition to digital production equipment, a very large part of critical infrastructure is dependent on information and communications technology (ICT). With the addition of ICT, the concept of critical infrastructure protection (CIP) has expanded to include critical information infrastructure protection (CIIP). Therefore, in addition to the protection of physical processes, digital systems and processes that are integral to the operation of services must now also be addressed.

The roles of the state and the private sector

The protection of vital and essential services is one of the most strategic tasks in the internal security of states. The transition to automated and digital processes and systems has significantly changed the risks, which also need to be addressed from a cyber security perspective. This means that service providers must inevitably apply cyber security measures to ensure the reliability and resilience of the systems as well as national security.

As a rule, the state is not the sole provider of all essential services. Therefore, it must work closely with private-sector providers of these services to society. The role of the state is to design the right environment or ecosystem in which service providers can operate. Simply put, creating an environment means that the state develops legislation, policies, frameworks and guidelines (e.g. creating a cyber security strategy or guidelines for ensuring the security of information systems). The state must also provide competent, up-to-date information on cyber threats and vulnerabilities. When designing the right environment, it is important to engage private-sector companies in activities that increase their preparedness for incidents and crises.

It is the responsibility of the state to establish trusted and effective cooperation between the competent authority/authorities responsible for cyber security and private-sector service providers, and to maintain a unified and informed community. Setting up various processes, such as regular seminars, threat briefings, shared communication channels and conferences, will also allow the private-sector providers to communicate better and more efficiently among themselves, and this serves national security. Maintaining and managing an informal cooperation network will improve preparedness for handling crises involving multiple stakeholders.

The role of service providers is to protect their processes and systems to ensure the delivery of the service to society. These organisations must, on the one hand, follow national requirements, and on the other, rely on international cyber security best practices. In addition, they must actively participate in networks and events provided by the state. Both the public and private sector must actively engage in trust building to ensure a smooth exchange of information, which can prevent many incidents.
Figure (diagram): CIP, CIIP, Cyber Security.

Figure 10. Number of essential services identified by EU member states, September 2019.22 (Bar chart with one bar per member state: AT, BE, BG, CY, CZ, DE, DK, EE, EL, ES, FI, FR, HR, HU, IE, IT, LT, LU, LV, MT, NL, PL, PT, RO, SE, SI, SK, UK; the values are not reproduced in the extracted text.)

22 https://eur-lex.europa.eu/legal-content/ET/TXT/PDF/?uri=CELEX:52019DC0546&from=EN
Estonia established a list of vital services in the Emergency Act of 2009. The list is rather comprehensive, containing 43 vital services from electricity distribution to the continuity of the Government of the Republic.

This means that the state imposed on itself requirements similar to those it has imposed on the private sector. The services were agreed across the ministries, involving private-sector companies and professional associations. The identification of services was discussed in several working groups with the participation of experts from different fields. This created a coherent approach, leading to greater trust and, ultimately, better quality of implementation. At the same time, ICT requirements were laid down for all service providers, as Estonia's high level of digitalisation comes with a dependence on ICT services.
Figure 11. The risk management process (risk management process cycle; labels: Identify risk, Assess risk, Control risk, Review controls).

Figure 12. Four steps to continuity assurance of a service provider (business continuity strategy; labels: Understand organization, Prepare (proactive), Respond (reactive), Adapt & improve).
For example, exercises between the national cyber security authorities and other agencies, including service providers and law enforcement agencies, are very useful. Such exercises can be either technical, command-post or table-top exercises.

essential for society. Today's crises affect very many stakeholders. Therefore, fast, trust-based cooperation between service providers and the authority coordinating cyber security and critical information infrastructure protection is essential and beneficial.
8. How to develop a country's cyber security?

Growing threats and a lack of awareness of the field of cyber security usually lead to the following questions: how secure is the cyberspace of our state and what should we do to improve the situation?

Several methodologies have been developed around the world that assess the development of the information society and cyber security from different perspectives. One of the best known and most valued of these is the Global Cybersecurity Index developed by the International Telecommunication Union (ITU).23 This is a survey of all UN members that provides a simple answer to the question of a country's position in comparison to the rest of the world when it comes to matters of cyber security. Despite this comprehensive overview, the survey is not very clear regarding the bases on which the countries are ranked.

The e-Governance Academy has developed the National Cyber Security Index (NCSI), which also provides an assessment of the state of a country's cyber security, but in addition offers an opportunity to see the sources on which the assessment is based. In its 2017 comparison of cyber security indices, the International Telecommunication Union found the NCSI to be one of the most detailed. Its advantage over others is the opportunity it provides for countries to identify areas of cyber security in need of improvement. In recent years, the National Cyber Security Index has gained international recognition and rapidly increased the number of countries covered by the index. At the beginning of 2020, the index contained data on more than 150 countries.

23 See https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx
How to use the NCSI

The website of the National Cyber Security Index (ncsi.ega.ee) displays a world map and a ranking of countries. The website makes it possible to compare the rankings of countries globally, at regional level or within international organisations.

For each individual country, the index provides an overview of its position based on various commonly used digital indicators such as the International Telecommunication Union's ICT Development Index, the Global Cybersecurity Index and the World Economic Forum Index. The index also confirms the claim that cyber security supports the country's overall digital development. This means that the indicators of developed digital nations are balanced as they also focus on developing cyber security. When a country's cyber security indicators are significantly lower than its digital development indicators, there is reason to think about how to increase that country's level of cyber security. In addition, the website offers an option to see how a country's position in the index has changed over time.
There are a wide variety of factors to consider when assessing cyber security. In addition to the usual tasks of the state, such as creating legislation or designating responsible institutions, the assessment also surveys activities related to cyber defence, such as in planning curricula at different school stages or in public-private interaction. The existence of a reliable digital identity and a means for its identification are also elements of a country's cyber security, as the use of personalised e-services requires that the services are used only by the person to whom access is granted. Therefore, cyber security can be created through a wide range of activities.

Figure 16. Measurable activities of the National Cyber Security Index (measurable aspects of cyber security implemented by the central government: legislation in force, established units, cooperation formats, outcomes/products).
The National Cyber Security Index focuses on activities that can be measured. These measurable activities include:
(1) the existence of legislation;
(2) organisations responsible for certain activities;
(3) forms of cooperation (councils at the national level, working groups and other management structures);
(4) outcomes of activities, e.g. exercises, policy documents.

In the National Cyber Security Index, measurable activities are divided into 12 capacities. Each capacity contains multiple indicators. For example, the capacity of cyber security policy includes four indicators that assess whether a country has a cyber security policy unit, formats of cooperation, as well as a cyber security strategy and a plan for its implementation. The other 11 capacities are similarly measurable. The index includes 46 indicators in total.
Figure 18. An example of a National Cyber Security Index indicator and the linked evidence (requirements: criteria, accepted references; evidence: https://www.mkm.ee/kontakt?tid_with_depth%5B0%5D=223).
Contributors
Kimmo Rousku has been working for the Finnish Public Sector Digital Security Management Board (VAHTI) as an expert since 2004, and as General Secretary since 2015. From 2020, he works as Chief Special Expert at the Finnish Digital Agency. Rousku has worked in the ICT sector since 1985 and has exceptionally wide-ranging expertise in ICT and security. He has broad work experience as CIO, CISO and CRO in the Finnish government administration. Over the last 10 years, he has specialised in developing information, digital and cyber security, risk management and data protection and developing and utilising the potential of digitalisation in the public sector. Rousku was nominated as the Chief Information Security Officer of the year 2015 by The Association of Information Security in Finland. He has been listed in the TOP 100 ICT influencers by Finnish TiVi Magazine every year since 2011.

Toomas Vaks has worked in security and risk management positions in the public and private sector for over 25 years. In 2011, he transferred from the position of Chief Risk Officer of Bank Cards in the Swedbank Group to the position of Deputy Director-General at the National Information System Authority (RIA) and began to lead the cyber security unit. The unit performed the tasks of the national CERT, coordinated the cyber security of the state information system and essential services, and monitored the compliance with security requirements. Since the end of 2017, he has worked in the private sector, but continues to contribute to the development of the country's cyber security sector. He actively participates in the work of the State Cyber Security Council and various professional associations. He holds a Master's degree in Social Sciences from Tallinn University of Technology. He is also a graduate of the London Business School and the University of Iceland. Vaks has examined strategic planning and crisis management of cyber safety, and has participated as an expert in various research and development projects.
ncsi.ega.ee | ncsi@ega.ee