National Cyber Security in Practice National Cyber Security in Practice Publication composed by: Epp Maaten, Toomas Vaks Contributors: Oskar Gross, Lauri Luht, Epp Maaten, Elsa Neeme, Kimmo Rousku, Toomas Vaks Photos by: iStock Design: Dada AD Translation and editing by: Refiner OÜ
Published by: e-Governance Academy Rotermanni 8, 10111 Tallinn ega.ee
The handbook “National Cyber Security in Practice” is financed by the Estonian Ministry of Foreign Affairs from the funds of development cooperation and humanitarian aid.
Tallinn, 2020 ISBN 978-9949-7467-1-2 © e-Governance Academy 2020
All rights reserved. When using or quoting the data included in this issue, please indicate the source. Contents | 3
Contents
Foreword 5
Introduction 6
1. Resilient cyber security 8
2. National strategic planning for cyber security 11
3. Cyber security regulation in Europe 14
4. IT security incident response team 21
5. Law enforcement in the context of cyber security 25
6. Organisation of national cyber security 29
7. Critical infrastructure and cooperation with the private sector 35
8. How to develop a country’s cyber security? 42
Contributors 47 Foreword | 5
Foreword
As governments begin to build an information society, they typically focus on providing more digital services and creating various service envi- This handbook is aimed ronments. Cyber security for a society will only at policymakers, receive more thought after an extensive or dam- legislative experts and aging security incident. At the same time, cyber anyone responsible for security is an integral part of an information soci- ensuring the functioning ety. Electronic services such as e-banking or e-tax and protection of administration are of no use if their functioning, and the confidentiality of the data transmitted, digital services and are in doubt. services essential for the functioning of society. In 2007, Estonian e-services and websites became the target of mass cyberattacks. This was part of modern hybrid warfare. As a result of the attacks, an open debate arose in Estonian society at the time international cooperation. Estonia is contributing on how the state should prepare to defend itself to the United Nations Sustainable Development in case the country comes under attack through Goals through digitalisation and technological cyber channels. The outcome of the debate were advancement, and supports the global develop- agreements between state authorities and the ment of resilient cyber defence capabilities. We private sector, and already in 2008 Estonia’s first wish to express our gratitude to the Estonian Min- cyber security strategy was prepared. istry of Foreign Affairs for supporting the- e-Gov ernance Academy in publishing this handbook There are several international standards and and developing the National Cyber Security Index guidelines for developing the cyber security of (NCSI). a In the following pages, Estonian and - Finn single organisation, but it is difficult to find- ish com cyber security experts share their knowledge prehensive tools for national governments. Thisand practical experience on how to better harness handbook – National Cyber Security in Practice – is globally accumulated NCSI expertise to enhance designed to fill that gap. The articles, written by national cyber security. seasoned experts, will give the reader an overview of the key elements that underpin the cyber secu- The e-Governance Academy wishes to thank Epp rity architecture of any country. Maaten, Toomas Vaks, Oskar Gross, Elsa Neeme, Lauri Luht and Kimmo Rousku for their contribu- This handbook is aimed at policymakers, legislative tion to the preparation of this handbook. experts and anyone responsible for ensuring the functioning and protection of digital services and Happy reading! services essential for the functioning of society. Arvo Ott Cyber security has been a very important area for Chairman of the Management Board Estonia as a digital state, both domestically and in e-Governance Academy 6 | Siia peatüki nimi
Introduction
Epp Maaten | Programme Director of National Cyber Security e-Governance Academy
There are many threats in cyberspace and the The development of cyber security starts with map- measures to counter them are also numerous. This ping the situation and setting strategic goals. In raises the question of where a state should begin the first chapter, we describe a model for resilient in order to better protect itself in cyberspace. The cyber security, which provides a framework for the answer can be found in this handbook, National activities described in the following chapters. Cyber Security in Practice, which describes the key elements of national cyber security and outlines One of the first documents that states prepare the activities that are essential to prevent and when embarking on the development of their respond effectively to cyber threats. cyber security is a strategy paper. We focus on the cyber security strategy in chapter 2. This chapter lists the criteria for a good strategy and describes 00. Introduction | 7
while being effective in preventing and respond - ing to incidents.
In chapter 5, we discuss the objectives and key tasks of a computer security incident response team (CSIRT) and outline the incident response process. Cybercrime is discussed in chapter 6, which describes why it is important for the state to contribute to the establishment of a well-func- tioning cyber police unit and how this can be In this handbook, supported by the legal system and practical coop- National Cyber Security eration at the international level. in Practice, we describe the key elements of In the next chapter, on the organisation of national national cyber security cyber security, we offer a close-up of Finland and and outline the activities Estonia as examples of how to ensure compre- that are essential to hensive coordination at the national level to help prevent and respond achieve the goals established in the strategies and effectively to cyber legislation. In chapter 7, we introduce the con - threats. cepts of essential services and critical infrastruc - ture, discussing the basis for their identification and the role of the state and the private sector in their protection.
In the final chapter, we introduce in some detail a tool for enhancing national cyber security – the e-Governance Academy’s National Cyber Security Index (NCSI). On the one hand, the NCSI acts as a systematic guide for building a secure and reliable information society, and on the other hand, as a description of the current situation, enabling the state to compare itself with other countries and formulate future plans. how to design a strategy, whom to involve, and why a strategy should be comprehensive. Over the years, the NCSI has developed into a sub- stantial public knowledge base, bringing together Regulations are an important tool in building valuable information from over 150 countries cyber security. In chapter 3, we outline the -comworldwide. In addition, we have created a network mon approach of 27 European countries and of contacts to help keep the knowledge we have how their measures for ensuring the cyber secu- up to date and accessible to everyone online. rity of critical services can be harmonised to- pro tect the EU single market. Chapter 4 discusses We hope that this handbook will provide guidance the strategic choices to be addressed when draft- and support for anyone responsible for cyber ing legislation to ensure a legal environment that security. Let us make the information society respects the fundamental rights of the people, secure! Everywhere. 1.
Resilient cyber security
Toomas Vaks | Cyber security expert Head of Cyber Security Branch, Estonian Information System Authority (2011–2017)
By the beginning of the third decade of the 21st brought about profound changes. More than half century, the digital economy will represent a of the world’s population uses the internet and significant and growing part of the global econ- almost 45% are daily users of social media. Along omy, estimated to reach 15.5% of global GDP.1 with changing the way communication works, it The development of information technology has is also changing the way societies function. But affected all aspects of the economy and society, in addition to new opportunities, IT development and the sharing economy and ‘smart agriculture’ brings with it new types of risks that need to be are just a few examples of areas where informa- addressed at the national level. tion and communication technology (ICT) has
1 UNCTAD Resilient cyber security | 9
Key threats to the digital economy and digital society
Widespread malfunctions of IT systems, which may be caused by faults as well as by targeted attacks
Underestimating the technology-related risks and the consequent risk of becoming a victim of cybercrime and fraud
Misinformation campaigns spread and managed through social media that can lead to widespread crises.
Did you know that a widespread malfunction may result from:
accidental unintentional activity, such as device malfunction, usage error, intentional actions, such as unauthorised access, data theft, information system clutter, environmental disturbance, such as a flood in the equipment room, pollution or fire.
It is important to realise that cyber security inci- It is important to identify and understand poten- dents can never be completely prevented. The tial threats (threat intelligence) and the risks asso- rapid development of technology and its acceler- ciated with these threats (risk awareness). There ated spread also increases the potential for secu- is also a need for resources to detect and cope rity incidents. Therefore, in addition to preventing with incidents (incident management) and to plan incidents, the focus must also be on cyber - resilactivities and resources to deal with the damage ience; that is, the control and reduction of - damcaused by incidents (recovery). The existence of age caused by incidents. This requires two types ofsuch measures will, on the one hand, increase action: first, proactive measures aimed at prevent- the ability to prevent incidents by increasing over- ing incidents, and second, reactive ones to control all security and, on the other hand, significantly and reduce damage. reduce the adverse impact of incidents on society. 10 | Resilient cyber security
PROACTIVE MEASURES
Threat intelligence Risk awareness
RESILIENCE
Incident management Incident recovery
REACTIVE MEASURES
Figure 1. Measures to achieve cyber resilience
Means of performing essential functions
Threat intelligence tools Incident management tools establishment of incident response presence of a CSIRT/CERT teams (CSIRTs/CERTs) existence of national and sectoral cooperation and exchange of information incident resolution plans between government agencies and the existence of a police unit specialised private sector to identify cyber threats in cybercrime mapping critical infrastructure and creating a national threat map Incident recovery tools international cooperation, participation existence of national and sectoral crisis in international networks and recovery plans (e.g. Trusted Introducer) crisis exercises creating reserve and backup functions Tools for raising risk awareness information campaigns cyber security training, teaching cyber security as a subject or field of expertise in schools and universities continuing refresher training for officials and critical infrastructure companies on cyber hygiene 2.
National strategic planning for cyber security
Toomas Vaks | Cyber security expert Head of Cyber Security Branch, Estonian Information System Authority (2011–2017)
Strategic planning for cyber security is directly such important aspects as the protection of the linked to the strategic planning of national security population and the security of society as a whole, and the development of the corresponding strate- in contrast to a narrowly state-centred approach. gies. In countries with a broader view of national defence issues, cyber security is seen as an impor- The issues of critical infrastructure protection and tant part of national security and perceived security the provision of vital and essential services have in society. Until the early 1990s, national security emerged in connection with ensuring the security strategies and development plans focused primar- of society as a whole. This is because one method ily on national military defence capabilities. Only used today to undermine national security and afterwards did an understanding of the broader the population’s sense of security involves put- nature of national security emerge that includes ting pressure on the country’s population and dis- 12 | National strategic planning for cyber security
rupting the operation of vital services and critical infrastructure. Cyber security covers all activities Although cyber security strategies also address related to electronic information, national defence issues, cyber security is now- media and services that affect adays part of a much broader approach, which national security. can be called the comprehensive approach. It is therefore advisable to use strategic planning to Cyber safety usually refers to address the field of cyber security in the broad- a situation where risks do not est and most sustainable way possible, by devel- oping a long-term national action plan or cyber materialise and security is provided security strategy. against threats that arise or are created through the operation of ICT equipment and systems. Principles for drawing up national strategies
National strategic planning is often defined as an advisory and structured approach to making of action for future decisions. The strategy also important decisions and implementing impor- includes a high-level action plan on how to achieve tant actions. This approach shapes and underlies the desired goals, as well as metrics against which national arrangements, activities and their pur- to measure the achievements. A strategy is not poses. Strategy development is a continuous and static, but an integrated process for updating and forward-looking process. The final strategy must adapting it to future needs must be foreseen, -dur include informed choices and the resulting pattern ing the drafting stage.
What should we keep in mind when preparing national strategies?
A strategy concerns public institutions, the ported by strategic plans with a narrower private sector and society at large, as well scope or time frames. as the international environment. National strategies have an important Strategic decisions need to be understood role to play in raising awareness of the as affecting overall wellbeing and not just issues and objectives in a particular field, a narrow group of public authorities or a both domestically and internationally. specific area of government. Domestically, these strategies provide A strategy must cover the objectives as an opportunity to explain and justify well as the content of the activities and management decisions. Internationally, the process of achieving the outcome. public strategies provide information to Strategies can be created for different lev- the country’s partners on the country’s els. A national strategy may also be sup- national action plans. National strategic planning for cyber security | 13
Three key issues for a national cyber security strategy
Do you consider cyber security and strate- Do you address the international dimen- gic planning as a nationwide process with sion of the strategic planning of cyber heterogeneous actors? Do you involve the security? Is international cooperation private sector, such as critical infrastruc- necessary? ture and communication companies and other partners, and choose a comprehen- sive approach? Do you base your cyber security strategic planning on the need for extensive coop- The process of designing eration and coordination between govern- and implementing ment agencies? Do you approach cyber strategies allows for the security inclusively across all government systematic management agencies? of the development of the field and is very useful for the country.
Key issues of cyber security strategy
Cyber security strategies have played an impor- The process of designing and implementing strat- tant role in declaring national priorities, explaining egies allows for the systematic management of the them to the public and to those who implement development of the field and is very useful for the the strategy. The National Cyber Security Index2 country, despite the time and resources involved addresses the cyber security strategy as part of in developing and, especially, implementing the cyber policy development. The strategy prepara- strategies. tion process includes the development of policy options, which will be realised during the imple- The cyber security strategy process will also help to mentation of the strategy. generate and maintain a broader interest in cyber security issues and the solutions to them. The Cyber security strategies can be conditionally existence of interest also has a direct impact on the divided into two: national defence-based and civildevelopment of the cyber security field beyond the society-based. The boundary between the twostrategy. For example, according to experts, the has been blurred, however, by the adoption ofprocess a of drafting the three cyber security strate- comprehensive approach to security. Strategic gies in Estonia in 2008–2018 has had a perceptible planning of cyber security should be based onpositive a impact on the actual state of cyber security broader approach to the field and goal-setting, asnot well as on the development of Estonia’s interna- just on the existing organisation of cyber security.tional reputation and competitiveness.
2 National Cyber Security Index (NCSI), https://ncsi.ega.ee. 14 | National strategic planning for cyber security
Creating a strategy can be conditionally divided into the following steps:
1 initiating the strategy process and agreeing on the steps in the process
identifying the people and institutions involved in the development of the strategy, 2 determining the powers of the parties in accordance with legal acts and regulations
3 agreeing on mission and values
assessing the external and internal environment and identifying strengths, 4 weaknesses, opportunities and threats (SWOT analysis)
5 identifying strategic tasks
6 developing a strategy for performing the tasks – a drafting process
7 review and adoption of the strategy
creating an effective organisational vision and process 8 for implementing the strategy
9 evaluating the applied strategy, the strategic planning process and its implementation
Figure 2. Strategy development process
The involvement of stakeholders is key
It is important to involve all stakeholders in the For the strategy to succeed, it is important to iden - process of strategy development. First, success- tify the stakeholders that are relevant to the strat - ful strategic planning requires a clear message egy as precisely as possible. These are individuals, from the national leadership on the need for it, groups of individuals or organisations with a legit- and the active involvement of the leaders of the imate interest in the field or how it is organised. organisations involved in strategy development. Stakeholders may include: The awareness and involvement of managers and 1) implementers of the strategic plan, other employees in the strategy creation process is 2) beneficiaries of the strategic plan, necessary but often complex in practice, as involv - 3) actors that can make a significant contribution to ing a large number of people makes the process or obstruct the implementation of the strategy. slower and more expensive. It is important to strike a reasonable balance, so that people who have the In the absence of a complete overview of all stake- necessary information or on whom the implemen - holders at the time the strategy is initiated, you tation of the plan depends will be involved. should be prepared to involve them later.
Siia peatüki nimi | 15
3.
Cyber security regulation in Europe
Elsa Neeme | Legal adviser Legal expert at the Cyber Security Branch of the Estonian Information System Authority (2016–2018)
What is cyber security? The 2016 European Union Network and Infor- mation Security Directive (EU NIS Directive) does Cyber security is a globally recognised concept not define cyber security, but uses the concept widely used in both expert language and commonof security of network and information sys- usage. However, few European Union member tems instead. It describes the ability of network states have defined cyber security at the level andof information systems to resist, at a given level national law.3 of confidence, any action that compromises the
3 Bulgaria, Czech Republic, Poland, Estonia, Romania, Portugal and Slovakia. 16 | Cyber security regulation in Europe
Risk management Cyber diplomacy
Business continuity Cyber warfare and preparedness CYBER SECURITY
Information security Cyber resilience
Data protection Hybrid Threats
Figure 3. Areas of cyber security
Resilience
Enviromental Malware/ Threats Randsomware C Y Y IT B R E U R C S E E S C
U R E Lack of Technical R B I procedures vulnerabilities T Y Y
C
E-SOCIETY Response Prevention Malicious Human Insiders errors
CY Y Infrastructure BER SECURIT Socially Failures Engineered Attacks
Figure 4. Cyber security forms the defence of a digital society, ensuring that the likelihood of internal and external threats to its operation is low Cyber security regulation in Europe | 17
availability, authenticity, integrity or confidentiality tries. Regulations in European countries have been of data or the related services.4 developed primarily on the basis of the Treaty on the Functioning of the European Union. 7 On the The Estonian Cybersecurity Act5 of 2018 also does one hand, they are based on agreements aimed at not define the concept of cyber security, but the ensuring an integrated approach to freedom, secu- explanatory memorandum to the act explains rity and justice, covering, for example, cooperation cyber security as a state of society characterised in criminal and police investigations into attacks by a low probability of threats to public order, against information systems and cybercrime. On people’s health, property and the environment the other hand, the legislation on cyber security is materialising through network and information based on the objective of ensuring the functioning systems, and the ability to respond to and mitigate of the single internal market. Although each regula- the adverse effects of such threats. tion has a different scope and circle of addressees, they share the common feature that, in order to The EU Cybersecurity Regulation6, which entered ensure the safe functioning of the internal market, into force in 2019, defines cyber security as the these acts require market participants to: activities necessary to protect network and infor- (a) inform the competent authority of security mation systems, the users of such systems, and incidents; other persons affected by cyber threats. -It fol (b) take the necessary security measures. lows from these two examples that cyber secu- rity always involves the well-being of a digitally In the European Union, the 2016 Network and Infor- minded society. mation Security Directive (EU NIS Directive) marks a milestone in the development of cyber security leg- The main objectives of network and information islation. The main driving force behind the EU NIS system security, commonly referred to as the CIA Directive was the growing importance of network triad (confidentiality, integrity, availability), are and information systems for the provision of essen- also the objectives of cyber security legislation. tial services to society, such as power generation, What the above shows is that there is no clear passenger and freight transport, health care, and understanding in the EU as to which term is more more. In order to protect the EU single market, it accurate – ‘cyber security’ or ‘network and informa- was necessary to harmonise national measures to tion system security’. The purpose of the actions ensure the resilience of the network and informa- through which both concepts are defined is simi- tion systems for critical services. There was also a lar, only the level of detail of the definitions differs. need to establish pan-European strategic and oper- ational cooperation mechanisms.
Design of European regulatory models for The EU NIS Directive approaches national cyber cyber security security management in a comprehensive and sys- tematic way, imposing the following obligations on As the internet is cross-border, cyber security leg- member states: islation and strategy cannot develop in isolation, a) develop and implement a national cyber secu- but have to consider the trends in other coun- rity strategy,
4 Article 4(2), Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016. 5 Cybersecurity Act, State Gazette I, 22.05.2018, 1. https://www.riigiteataja.ee/akt/122052018001 6 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019. 7 Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union 2012/C 326/01 OJ C 326, 26.10.2012, p. 0001 - 0390. 18 | Cyber security regulation in Europe
b) designate at national level the providers of ser- protection of personal data can be expected. For vices essential for the sustainable functioning example, if a digital service provider12 is not located of society,8 in the European Union but provides services in the c) establish the necessary security measures for EU territory, it must appoint a representative in providers of services essential for society in the EU,13 in which case the company is subject to order to ensure the reliability of network and the jurisdiction of the country of residence of the information systems, representative. As a result, for example, cloud pro- d) ensure the availability of a capable and compe- viders offering services in Europe may simultane- tent CSIRT9, ously be subject to the legal systems of several EU e) designate at least one cyber security authority member states. This happens when the provider of in the country to coordinate activities under an essential service identified in one member state the EU NIS Directive. uses a cloud computing service, the provider of which is under the jurisdiction of another member state, while the data centres for cloud computing Extent of the territorial impact of cyber are located in a third and perhaps a fourth mem- standards ber state. Although in the above example, coop- eration is required between the member states’ Globalisation is increasingly giving rise to ques- competent authorities under the EU NIS Directive, tions about the extent of the territorial impact ofsupervision may prove difficult in practice. legislation. Several legal experts have stressed that the EU rules on the protection of personalGiven the global trend in economic activity, it may data also apply outside the EU. The General Data be said in the light of the above examples that the Protection Regulation (GDPR) unequivocally pro- scope of the cyber security requirements imposed vides that personal data may only be transferred by the EU legislator is not limited to the jurisdiction to third countries and international organisa- of a single country or the EU, but may extend to tions in full compliance with the regulation.10 The third-country operators. cross-border nature of data protection require- ments is also supported by case law. For example, in its judgment in Google v Spain, the European A cyber-secure society and the protection of Court of Justice notes that the European Union leg- human rights islature has prescribed a particularly broad territo- rial (cross-border) scope to ensure individuals the EU data protection rules apply only to the processing protection guaranteed by the GDPR.11 of personal data. The standards for the protection of services essential for society focus on ensuring the The implementation practices of the EU NIS Direc- reliability of the network and information systems tive have not yet been considered by the courts, but directly related to the provision of services. In both similar legal proceedings to those concerning the cases, the EU has committed data controllers and
8 For example, electricity suppliers and producers, airlines, rail infrastructure companies and financial institutions. It is notable that the market participants in such sectors traditionally form the core of the country’s critical infrastructure. 9 CSIRT – computer security incident response team. 10 GDPR, recital 101. 11 Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), paragraph 54. 12 A company that provides cloud computing services, operates an online marketplace or provides search engine services. 13 Article 17(3). Cyber security regulation in Europe | 19
Access rights, user identification and authorisation
OPO D PR RTIO AN N AT TE E IA M Recovery plan R E Regular back-ups P A or/and actions O S management R U P R
P E
S A *
A CIA S P E P R R O U Threats S Software updates P A R E I or /and anomalies A M management TE E A AT ND ON PROPORTI
System log files
Figure 5. Ensuring confidentiality, integrity and availability are the starting points for implementing appropriate and proportionate security measures
operators of services to implement organisational, assessed level of risk. The Estonian National Cyber IT and physical security measures to ensure the con- Security Strategy emphasises that, despite sep- fidentiality, integrity and availability of data. arate regulations, it is no longer reasonable or feasible for the implementers to separate the -pro The EU NIS Directive requires operators of essen - tection of personal data from ensuring cyber secu- tial services and digital service providers to take rity, but that the legal obligations must be viewed technical and organisational measures to manage in their entirety and in harmony with each other.14 the risks to the security of the network and infor- mation systems that they use in their operations. Both personal data protection, and network and The General Data Protection Regulation imposes information system protection legislation seek to an obligation on data controllers to ensure the promote a risk management culture that directs secure processing of data; that is, the obligation the operators of essential services and data pro- to take appropriate technical and organisational cessors to critically evaluate their activities and the measures in the light of the threat to the rights digital environment risks that affect them, rather and freedoms of the individual. than prescribing precise rules. Depending on the activity and potential environmental risks, pre- Therefore, both regulations are characterised cautionary measures must be taken to prevent or by the obligation to implement appropriate and minimise such risks. proportionate security measures based on the
14 Cyber Security Strategy, p. 22. Available at: https://www.mkm.ee/sites/default/files/kuberturvalisuse_strateegia_2019-2022.pdf. 20 | Cyber security regulation in Europe
Recital 49 of the General Data Protection Regulation When establishing cyber security confirms that network and information security and incident response functions are the responsi- requirements in the digital society, bility of CSIRTs, but it should be noted that the least care must be taken not to sacrifice intrusive means for achieving the objectives should essential human rights and be used and the necessity, scope and lawfulness of fundamental freedoms for the sake personal data processing should be assessed. Any of security. limitations of fundamental rights must: • be provided for by law, • respect the essence of fundamental rights, • genuinely meet the objectives of general inter- Restriction of fundamental rights and free- est or the need to protect the rights and free- doms to ensure cyber security doms of others, • be necessary, When establishing cyber security requirements • be proportionate.16 in the digital society, care must be taken not to sacrifice essential human rights and fundamental Legislation supports the achievement of the coun- freedoms for the sake of security. The privacy of try’s objectives and is an instrument for imple- people is particularly at risk in modern society. But menting the cyber security strategy. The role of freedom also has its limits. The extent to which the legislation is to support strategic choices, and in fundamental rights of individuals are permitted to the process, ensuring a proportionate and human be undermined in order to ensure the safety of rights-based environment, while being effective in society needs to be assessed. preventing and responding to incidents.
In cyber security, this issue arises prominently in the work of computer security incident response teams or CSIRTs. For example, according to the Legislation supports the achievement EU NIS Directive, CSIRTs must provide national of the country’s objectives and is an cyberspace monitoring, risk and incident warnings, instrument for implementing the incident response, and situational awareness.15 cyber security strategy. Therefore, the main task of a CSIRT is to ensure the early detection of threats to the digital society and to respond effectively to cyber incidents resulting from the materialisation of threats. In both cases, In each country, consideration should be given to the processing of personal data is inevitable. Article how much society is willing to yield and surrender 17 of the International Covenant on Civil and Polit- the right to privacy in the exercise of its protection ical Rights (ICCPR) provides for the right of every function. It is a matter of trust and legal order. The person to be protected from arbitrary or unlawful legal system must also support a risk-based and interference with their privacy or correspondence, technology-neutral approach to cyber security. as well as against unlawful attacks on their hon- Therefore, the minimum technological require- our and reputation. This Article requires the state ments should be preferred and the focus should to take legislative and other measures to prohibit be on the goal. The legal system thus designed will interference with a person’s privacy and attacks. provide sufficient mechanisms and tools for- build ing trust and maximum safety in society.
15 Annex I to the NIS Directive. 16 https://edps.europa.eu/sites/edp/files/publication/19-02-25_proportionality_guidelines_en.pdf Siia peatüki nimi | 21
4.
IT security incident response team
Toomas Vaks | Cyber security expert Head of Cyber Security Branch, Estonian Information System Authority (2011–2017)
IT security incident response teams are known CSIRTs are set up by public authorities, private internationally as CSIRTs (computer security companies and universities; other CSIRTs special- incident response teams) or CERTs (computer ise in economic sectors such as banking or e-com- emergency response teams). The name ‘CERT’ ismerce. Their setup can be very different – a CSIRT internationally protected and requires the per- can be a public authority, a private-sector service mission of its owner, Carnegie Mellon University,provider, or a public-private partnership. which is why more and more teams nowadays use the name ‘CSIRT’. 22 | IT security incident response team
Tasks of a CSIRT:
1) providing assistance to its constituency in It is considered good practice for a responding to IT security incidents in an agreed CSIRT to describe and disclose its manner and to an agreed extent, which may constituency, roles and services include technical incident resolution, response in accordance with the RFC 2350 coordination or consulting, format developed by the Internet 2) collecting and analysing information on inci- Engineering Task Force (IETF), which dents and security vulnerabilities, monitoring enables all parties to understand cyberspace, these in a uniform manner. 3) participating in international CSIRT networks and cooperating with other CSIRTs for incident resolution as well as cooperating with other agencies, organisations and the community to resolve incidents, Government CSIRTs (Gov CSIRTs) are primarily 4) informing its constituency and the public about responsible for incident resolution within govern- security threats and incidents. ment agencies. These entities may also have the broader role of protecting critical infrastructure Some CSIRTs have a national role, in which two companies and institutions from cyberattacks. types of approaches can be distinguished. Referred Such CSIRTs are usually either independent pub- to as national CSIRTs, they are responsible for lic authorities or located within a public author- dealing with security incidents in the national ity. As a clear trend in the past decade, national internet domain,17 where the CSIRT usually has a CSIRTs have increasingly cooperated with national mainly coordinating and counselling role and is an defence and security agencies, or even been inte- important national contact point for other CSIRTs. grated into security agencies. Still, such integration depends on the overall national security arrange- A practical example would be a malware-infected ments of the country and the traditional areas of information system in a country’s internet domain the activity of the authorities. that attacks information systems in another coun- try. When this happens, the country under attack The cyberattacks of 2007 and 2008 against Estonia needs to contact the owner of the systems where and Georgia showed that society’s dependence on the attacks originate, so that the owner could fix IT services has grown to the extent that CSIRTs play the systems and stop the attacks. In such cases, an important role in the functioning of essential the national CSIRTs will contact each other through services as well as in the functioning of society in reliable channels and work together to respond to general. Over the past 15 years, the field of activ- the incident. National CSIRTs are usually technical ity for CSIRTs has changed considerably, and so teams that work with both the private and public has their role vis-à-vis the state, the economy and sector, and are often very closely associated with the individual. The role of CSIRTs in responding to academic institutions, sometimes being part of cyberattacks and resolving security incidents is dif- these institutions for historical reasons. ficult to overestimate. It is a well-functioning team of competent professionals with clearly defined tasks, who can reduce the adverse effects of inci- dents, speed up their resolution and even help prevent incidents.
17 For example, the Estonian national domain is .ee. IT security incident response team | 23
The following are key to the successful fulfilment Generally, this community sticks together, and of this role. contacts at the specialist level often transcend the traditional boundaries of transnational 1) Expertise and sufficient resources. The team communication. should include experts in network security, 4) Cooperation with the national IT commu- log analysis, computer forensics and reverse nity. It is important to understand that the engineering, as well as security architecture functioning of the IT services needed by society and advanced information security. It is also is largely dependent on private-sector compa- important for the team to have its own devel - nies. Typically, IT professionals develop their opment resources because the specific nature own spontaneous or organised communities, of a CSIRT’s work means that all the necessary from professional alliances to online forums. It tools cannot be outsourced, but some of them is important for a CSIRT to work with and be have to developed by the team itself. Success visible to these communities. It provides quick in responding to incidents at the national level access to necessary information on security also requires knowledge of the functioning of changes, accelerates information exchange, the state and of critical services, risk and cri- and even outlines the availability of specific sis management and business continuity. The IT expertise or resources that can be used to required hardware and software, communica- respond to incidents in an emergency. tions, a secure location, and other things nec- 5) Clearly defined national working arrange- essary for the job must also be provided. ments for information exchange and inci- 2) Threat intelligence. Continuous gathering dent response. The roles of the various and analysis of information on security- inci organisations and agencies, their coopera- dents both domestically and internationally tion and the arrangements for the exchange makes the rapid identification of threats- pos of information must be clearly defined and sible and the resolution of incidents more organised. IT incidents tend to escalate very effective. The concept of an incident should rapidly. The effectiveness of their resolution be precisely defined along with the process depends largely on the speed of response, in for incident reporting and analysis. In addition which previous planning and agreed working to collecting information from public sources arrangements are key. The public also needs (OSINT), national reporting and information to have a clear understanding of the role of exchange, international information exchange a CSIRT. Given the need for extensive coop- with sister organisations from other countries eration with the private sector, it is advisable is highly desirable. to clearly define the role of the CSIRT and to 3) International cooperation and participation establish clear demarcation lines, for example, in international cooperation networks. As with regard to the role of the police or security cyberattacks and other security incidents are authorities. Giving a CSIRT a public oversight generally global in nature and not bound by role is not desirable; it is preferable that the national borders, it is essential to have good team is perceived as a ‘firefighter helping to contacts and information exchange with the put out the fire’ rather than a ‘police officer that international community. Active participation cuffs your hands’. in networks, such as Trusted Introducer18, 6) Exercises. Regular exercises are required to helps build the reputation and credibility of the test incident resolution plans as well as team team, which in turn allows for faster communi- skills. Exercises should be organised both cation with the international CSIRT community. within teams and at the national level, involv-
18 TF CSIRT, https://www.trusted-introducer.org 24 | IT security incident response team
ing partner institutions as well as private com- rity threats must be a regular activity and there panies. Teams should certainly take part in must be a clear process in place to that end. international exercises, which have become Although information campaigns and media increasingly popular in recent years (e.g. Cyber communication may also be conducted through Europe organised by ENISA and the technical partners, it is advisable to have a corresponding exercise Locked Shields organised by CCDCOE). function within the CSIRT itself. A CSIRT should 7) Communication and visibility. Informing the also be visible in social media and interact with public as well as partner institutions about secu- its constituency as much as possible.
Incident resolution
Communication Monitoring and planning
Threat Analysis intelligence
Figure 6. Tasks of a CSIRT Siia peatüki nimi | 25
5.
Law enforcement in the context of cyber security
Oskar Gross | Head of the Cybercrime Bureau of the Central Criminal Police Police and Border Guard Board
Although cyber and digitalisation have in recent almost as long as the internet, it has changed from years become increasingly popular topics, in some clever enthusiasts testing the limits of the the context of law enforcement these are- nothinternet to a huge underground economy making ing new. As early as 1988, Robert Tappan Morrisit one of the least risky forms of criminal activity. was able to infect the internet with a worm It from is almost impossible to calculate an actual fig- M.I.T campus. He was caught and charged withure for the global losses from cybercrime due violation of the Computer Fraud and Abuse19 Act.to the indirect costs (loss of data, revenue, emo- However, even though cybercrime has existed for tional harm etc.), but for instance considering that
19 United States v. Morris (1991), 928 F.2d 504, 505 (2d Cir. 1991). 26 | Law enforcement in the context of cyber security
haveibeenpwned.com reports 9 billion breached cyber security includes Computer Security Inci- accounts, we can quite safely say that almost dent Response Teams (CSIRTs) and Computer everybody has been a victim of cybercrime in one Emergency Response Teams (CERTs), who actively way or another. Although the Estonian criminal prevent and respond to cyber incidents. The- dif police have quite a long history with cybercrime ference between CSIRTs/CERTs and regular law investigations, the Estonian Police and Border enforcement is that the goal of law enforcement Guard Board decided to create a specialist bureau is to identify and prosecute the people behind for investigating cybercrime in Estonia in 2016. malicious attacks, whereas the work of CSIRTs/ CERTs is to take a cyberattack under control and get systems working normally again. These lines What is cybercrime? of work might seem similar but in practice the overlap is rather limited – some technical details Cybercrime as a term covers an extremely wide are relevant during the investigations, but a large spectrum – essentially all the bad things you can do part of successful cyber cases surprisingly rely on with a computer. There are numerous approaches classical criminal police work. From the societal that try to structure this topic. point of view, the importance of One is to categorise cybercrime law enforcement is deterrence. from the perspective of the point- As long as we are only deactivat- of-failure, either human or com- A large part ing the weapons used by crimi- puter. The term cyber-dependent of successful nals, they will just attack us again is used to describe crimes that cyber cases either with the same or new cannot be carried out without surprisingly rely on weapons. In order to complete a computer (e.g. ransomware, classical criminal the valuable work of CSIRTs/ DDoS attack, RAT, etc.), while police work. CERTs, it is important to find and the term cyber-enabled crimes prosecute the people respon- is used for crimes which can be sible. Considering the speed of scaled to massive proportions digitalisation we have to keep in with the help of computers (e.g. fraud, child- mindsex that it is wise to jump on an accelerating ual exploitation, illegal drug trade etc). Anothertrain rather sooner than later. way is to divide the different modi operandi by type of crime: extortion (e.g. ransomware, -sextor tion), fraud (e.g. CEO fraud, business email- comModel for cyberpolice promise attacks), stealing (e.g. illegally accessing bank information systems or client accounts) and Dealing with cybercrime has a couple of unique so on. In essence, there is no right or wrong way, aspects compared to criminal policing in other but I personally prefer the latter, as I find that it isfields. Most of these stem from the fact that- cyber important to demystify the field. crime is global and a large amount of evidence is located online. This, in turn, means that the tools used by regular criminal police are usually not The role of law enforcement an exact fit for analysing the type and amount of information that cybercrime investigators face. Law enforcement has an important role to play in cyber security. As in real life, we expect that at Technical specialists least to some extent people are also protecting In Estonia we have seen that having highly-skilled themselves (e.g. locking their doors, using seat- technical specialists at the cybercrime unit makes belts, etc.) on the internet (e.g. strong passwords, a big difference – it enables the unit to design their 2 factor authentication, etc.). Another pillar of own tools for searching or (automatically) analys- Law enforcement in the context of cyber security | 27
ing large amounts of information and this makes it much easier to gain an insight into the technical aspects and nuances of cybercrime. Theoretically, The usefulness of a specialist outsourcing the IT skills would be an alternative, digital forensics unit but in the long term, this is not realistic – the eco- system of cybercrime is constantly changing, tech- nologies come and go, and therefore being able to adapt quickly is vital. It seems to be quite common Digital forensics is part of all that half of the cyber units consist of technical spe- investigations and not something cialists and the other half of police officers. specific to cybercrime Cybercrime investigations are Probably one of the most pressing issues with treated more broadly than just technical staff is hiring and the problem is two-fold. conventional disk forensics First, the IT sector around the world is growing and The Cybercrime Bureau can focus the salaries for IT experts are usually higher than on its core responsibilities and for the public sector, which makes it a challenge for capacity building the public sector to accept. Second, our experience shows that you need specialists with a wide spec- trum of skills and an ability to constantly learn and integrate new available technologies. International cooperation It is quite common that cybercrime units also Though international cooperation and experience provide different digital forensic services to otherexchange is important in all fields, investigating criminal police units – providing first responders cybercrimeto in isolation is a short-term solution. It crime scenes/searches, identifying digital devices, is quite unusual for cybercriminals to target their making forensic copies, analysing and document- own country of location, meaning that in most ing findings. cybercrime cases the evidence exists in at least two countries. It is also important to note that to an In Estonia, this is a bit different – extent cybercrime investigations the Cybercrime Bureau focuses are solidary – by investigating only on their own investigations people located in our jurisdiction, and then we have a specialist we are usually protecting people unit in the regular criminal police who are targeted as victims in The stronger we departments to assist with digital other countries. So the stronger are globally on forensics. Although formally, this we are globally on average, average, the safer is just a structural aspect of the the safer cyberspace is. All this cyberspace is. organisation, from the perspective makes it even more important to of awareness, the impact has been have operational level coopera- positive – it has sent a strong mes- tion between countries. sage that digital forensics is part of all investigations and not some- In addition to sharing infor- thing specific to cybercrime and vice versa, the core mation on a query basis, it is also relevant that of cybercrime is not making traditional disk foren- cooperation is happening at an operational and sics. This also means that the IT specialists in the technical level. As mentioned before, the ecosys- Cybercrime Bureau can invest 100% of their time tem of cybercriminals is in constant change, which in increasing our capabilities. also means that at all times we need new tools, approaches and creativity for law enforcement to 28 | Law enforcement in the context of cyber security
stand a chance. This is why it is perfect when coun- tries find common interests and work towards Cyber crime unit is crucial goals together – be they analysis tools or methods, or information sharing.
In the end, good tools and information are the only Although cybercrime is not a new way we can achieve an intelligence-led approach, phenomenon, it is amazing how which enables us to investigate cases that have the versatile the opportunities it affords greatest impact, either on our own country or the criminals – from illegal markets to whole cybercriminal environment. Effectiveness money laundering and extremely and focus are extremely important because the technical methods to obtain illegal amount of noise is huge – even petty crimes and access to computer systems. Although ineffective simplistic frauds are so scalable that they we are investing considerable effort might drive us away from more important targets. to defend against cybercrime, it is cru- cial that we also invest in well-func- Legal aspects tioning law enforcement cybercrime Due to extremely rapid digitalisation, it is impor- units because otherwise there is no tant to keep the legal framework up to date to actual deterrence and the amount of enable law enforcement to do their work. When criminal activity just increases. The pil- countries adopt a similar approach to the criminal- lars of effective cybercrime investiga- isation of cybercrime, it makes the legal process tions are motivated people with skills, clearer and cross-state investigations faster. the right tools, actionable intelligence, supportive legal system, and last but In cybercrime investigations, reaction time might not least practical international coop- have a huge impact. However, it is not only about eration. the officers reacting fast but also the legal frame- work giving them the right tools – whether to obtain data or at least preserve information such that it is later collectable through the legal process. On a more general note, it is also important to consider different privacy related regulations; for The legal framework example, data retention, the right to be forgotten should give the right tools and so on. to investigate cybercrimes.
In terms of data retention – although storing data about people’s actions violates their privacy, in the end we need to consider the balance between security and privacy. In cybercrime cases, a large guess. If the situation becomes too unbalanced, part of the evidence is circumstantial. The problem law enforcement themselves may inevitably vio- with circumstantial evidence is that sometimes the late somebody’s rights much more than they conclusions are wrong – unfortunately, the less would have otherwise. However, finding this bal- historic information we store, the less informa- ance is no trivial task, and unfortunately is out of tion law enforcement has to make their educated the scope of this article. Siia peatüki nimi | 29
6.
Organisation of national cyber security
Elsa Neeme Epp Maaten Kimmo Rousku Legal Advisor Programme General Secretary Legal Expert at the Cyber Director of National Finnish Public Sector Security Branch of Estonia’s Cyber Security Digital Security Information System e-Governance Academy Management Board (VAHTI) Authority (2016–2018)
The organisation of national governance for cyber In its shaping of the legislative field around cyber security is a matter of choice for each country and security, Estonia is guided by the broad concept largely depends on the country’s existing legal envi- of national defence and the principles of Estonia’s ronment. Legal choices may be influenced by factors security policy.20 When looking at other European such as the availability of cyber security expertise, countries, cyber security governance models gen- considerations regarding funding as well as national erally follow either a decentralised or a centralised strategic development plans on topics like national approach. internal security and economic security.
20 National Security Concept of Estonia, p. 2. Available at: https://www.riigiteataja.ee/aktilisa/3060/6201/7002/395XIII_RK_o_Lisa.pdf# 30 | Organisation of national cyber security
The organisation model for A strictly sector-based approach decentralised cyber security is not always beneficial when Regardless is based on the principle of sub- protecting the critical informa- of whether a sidiarity and is characterised by tion infrastructure and ensuring decentralised or a a system of sectoral legislation. the cyber security of essential In this model, there are several centralised model is service providers. A sectoral national authorities competent in used, cooperation approach can lead to conflicting cyber security issues, who coordi- between various legal provisions or, conversely, to nate the implementation of cyber public authorities the emergence of several similar security in their sectors. A decen- in preventing and regulations on the same subject. tralised approach can facilitate responding to cyber In contrast, centrally organised information exchange with mar- incidents is always systems and comprehensive ket participants. The advantage of essential. legal requirements for providers this approach is the inclusion of of essential services help- to pre network and information security vent the uneven and incomplete measures in existing sectoral leg- implementation of regulatory islation, already familiar to the sector’s industry, provisions. Moreover, it is irrelevant whether the making it easier for them to adopt and effectively responsibilities to ensure cyber security are dis- comply with new requirements. persed across several pieces of legislation or laid down in one single legal act. In countries with centralised cyber security, a single authority with broad expertise in many, or Regardless of whether a decentralised or a central- even all, critical sectors is designated to ensure ised model is used, cooperation between various the cyber security of essential social services. public authorities in preventing and responding to These countries also establish comprehensive cyber incidents is always essential. The legal bases cyber security legislation. The tasks of the- cenfor national administrative cooperation can be tral authority sometimes also include preparation established either by law or by an administrative for emergencies and crisis management21 and it act or contract. Responsibilities for cross-border often includes a national unit for cyber incident cooperation must also be clearly defined when response. developing an administrative model.
21 In France, for example, the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) has been desig- nated as the supervisory authority for critical operators that has the power to oblige critical operators to comply with security measures and is also authorised to conduct security audits. In addition, ANSSI acts as the emer- gency authority for the protection of critical information infrastructures. Estonia applies the more commonly used decentralised approach to the management of critical infrastructure protection. According to the Cybersecurity Act, the coordinating authority in Estonia is the Information System Authority. Under the Emergency Act, the same organisation also manages the emergency response to a cyber incident. Source: Communication COM(2017) 476 final/2 from the Commission to the European Parliament and the Council, https://eur-lex.europa.eu/legal-content/ EN-ET/TXT/?uri=CELEX:52017DC0476&from=EN. Organisation of national cyber security | 31
6.1 Organisation of national cyber security in Estonia
Epp Maaten | Programme Director of National Cyber Security e-Governance Academy
The Security Committee of the Government of The Ministry of Economic Affairs and Communi- the Republic analyses and assesses the national cations coordinates cyber security policy develop- security situation and coordinates the activities ment and the implementation of the Cyber Security of the authorities of executive power in planning,Strategy, as well as the cooperation between state developing and organising national defence. The authorities and the wider community. committee is chaired by the Prime Minister, and its members include the Minister of Foreign Trade The Information System Authority, which organ- and Information Technology, the Minister of Jus- ises the development and maintenance of infor - tice, the Minister of Defence, the Minister of Eco- mation systems that ensure the interoperability of nomic Affairs and Infrastructure, the Minister of the state information system, manages activities Finance, the Minister of the Interior and the Min- related to information security and handles cyber ister of Foreign Affairs. The secretary of the com- incidents that occur in Estonian computer net- mission is the director of national security and works. The Information System Authority’s tasks in defence coordination. cyber security include ensuring the security of all network and information systems essential to the The task of theCyber Security Council is to con- operation of the state. tribute to smooth cooperation between various institutions and ensure the implementation of The Government Office ensures that cyber secu- the objectives of Estonia’s Cyber Security Strategy rity is integrated into national defence planning through the planning documents, programmes documents (the national defence development and work plans of the responsible governmentplan and the state defence activity plan). institutions. The council is chaired by the secretary general of the Ministry of Economic Affairs and Communications.
Security Committee of the Government of the Republic
Information System Cyber Security Council Authority
Internal Security Service Financial Super- Defence Forces Office of the Prosecutor General Police and Border Guard Board vision Authority Foreign Intelligence Service Bank of Estonia Defence League
Figure 7. Organisation of national cyber security in Estonia 32 | Organisation of national cyber security
The Ministry of the Interior, in cooperation planning of lifelong learning strategy activities. The with the Police and Border Guard Board and theministry supports the acquisition of basic knowl- Internal Security Service, ensures the prevention edge for coping with cyber threats for graduates of and response to crimes that endanger cyber at all educational levels. The Information Technol- security, and devises policies for the prevention, ogy Foundation for Education (HITSA) supports detection, response and processing of cybercrime, the Ministry of Education and Research in meeting and for digital forensics. The ministry ensures the Cyber Security Strategy objectives in its area of the implementation of the priorities of the Cyber administration. Security Strategy through the activities of the inter- nal security development plan and related pro- The Ministry of Justice, in cooperation with the grammes, and contributes to the establishment Office of the Prosecutor General, which is in charge of mechanisms for cross-sectoral cooperation and of pre-trial criminal proceedings, contributes to coordination, as well as the creation of a unifiedplanning regulatory and criminal justice policy situational picture. throughout the digital sector, and plans sectoral preventative actions through violence prevention The Ministry of Defence, in cooperation with the strategy activities. Among the Ministry of Justice’s Defence Forces, the Defence League and the For- area of administration is an institution that is con- eign Intelligence Service, manages the implemen- sidered important from the standpoint of cyber tation of activities related to the digital aspect of security – the Data Protection Inspectorate (AKI), the military defence side of the national defence which supervises the rights and responsibilities in development plan and contributes to the estab- the field of the protection of personal data. lishment of mechanisms for cross-sectoral coop- eration and coordination, as well as the creation of The Ministry of Finance helps in developing the a unified situational picture. different parts of the strategy, including ensuring sustainability and integration with other strategic The Ministry of Foreign Affairs directs and coor- planning processes. The ministry also ensures dinates the international cooperation activities the involvement of the financial sector. Other related to the strategy. authorities working with cyber security include the Financial Supervision Authority, which moni- The Ministry of Education and Research takes tors financial institutions, and the Bank of Estonia, into consideration the priorities agreed in the which follows the requirements established by the objectives of the Cyber Security Strategy in itsEuropean System of Central Banks.
6.2 Finnish national digital security model
Kimmo Rousku | General Secretary Finnish Public Sector Digital Security Management Board (VAHTI))
Finland does not have a single body responsible This is possible thanks to the excellent coordina- for the centralised management and steering tion, reconciliation and development of activities of digital or cybersecurity at the national level. conducted with businesses across administrative Instead, each administrative branch and com- boundaries, which can be considered an impor- petent authority is for its part responsible in tant its resource for Finland. own area according to that provided in legislation. Organisation of national cyber security | 33
Key roles and responsibilities the availability of data, and to offer services for life events and to guarantee the undisrupted, secure The Prime Minister’s Office is responsible for and smooth operation of services that are impor- monitoring the implementation of the Govern- tant for the functioning of society. The agency pro- ment Programme and assists the Prime Minister vides population information, certification services in the management of the government. The officeand support services for the use of e-services that secures the operating conditions of the Prime Min- contribute to creating the preconditions on which ister and the government in all circumstances. The digitalisation can be built. The agency is responsi- area of responsibility of the Prime Minister’s Office ble for the expert services in digital security and includes government awareness, preparedness and prepares recommendations and instructions. It security, general coordination of the management is also responsible for the operation of the Public of incidents, and joint information and document Sector Digital Security Management Board (VAHTI). management for the government and its ministries. The Ministry of Transport and Communications The Ministry for Foreign Affairs co-ordinates is responsible for the development of information this international cooperation activity. The cyber security in electronic communication services and domain and cybersecurity have become an impor- networks. The ministry develops strategy and reg- tant part of Finland’s foreign and security policy as ulations concerning the information security of cyber threats do not respect national borders. The electronic communication services or networks ministry also acts as the National Security Author- and other general guidance. The Finnish Transport ity (NSA) that is responsible for protection and pro- and Communications Agency Traficom operates cessing of international classified information and, under the Ministry of Transport and Communi- among other things, for the preparation of inter- cations. The Cyber Security Director working at national information security agreements. Traficom is responsible for implementing Finland’s Cyber Security Strategy. The Ministry of Finance is responsible for an eco - nomic policy that strengthens the preconditions The National Cyber Security Centre belongs for stable and sustainable growth, good man- to the Finnish Transport and Communications agement of public finances and effective public Agency and plays a central role in the prepared- administration. The Ministry of Finance is respon- ness of a digital society. Through its activities, the sible for the general principles of information agency ensures the functioning of society and ser- policy, information management and electronic vices, like public communication networks in the services in public administration. To that end, the event of disruptions and emergencies. In addi- Ministry of Finance prepares the general princi- tion, the agency ensures the availability of radio ples and requirements for the digital security of frequencies and cryptographic material and is the ICT infrastructure, digital services and data in responsible for Finland’s national domain exten- public administration as well as the policies, regu- sion .fi, maintaining the fi-root name servers and lations and development programmes for digital monitoring the registrars of domain names. The security in public administration. The ministry also agency also carries out the CERT function (Com- appoints the necessary management groups and puter Emergency Response Team). cooperation networks. For example, the ministry has appointed a strategic management group for The Police are responsible for the prevention, digital security in public administration. detection and investigation of offences and the consideration of charges. Cybercrimes are inves- The task of the Digital and Population Data Ser- tigated by police departments on a regional basis. vices Agency (Finnish Digitalisation Agency) is - National Bureau of Investigation includes the to promote the digitalisation of society, to secure Cyber Crime Centre, which is responsible for 34 | Organisation of national cyber security
the investigation of the most serious cyber- tion of the right to access information and other crimes, internet and network intelligence and fundamental rights in the processing of personal maintenance of situational awareness. data. The Ombudsman processes notifications of data security breaches, approves certification - The Finnish Security Intelligence Service authorities and inspects information systems. (SUPO) is responsible for preventing and com- batting the most serious threats to national The Information Management Board was estab- security, such as terrorism and illegal intelli- lished in 2020 to enhance and implement the infor- gence gathering by foreign states. The Intelli- mation management and information security gence Service also performs these tasks in the requirements. The board may set up temporary digital operating environment. It conducts intel- divisions, publish recommendations and organise ligence analyses to support the government seminars and other events. and other authorities in their decision-making. The National Emergency Supply Agency belongs The Finnish Defence Forces create a compre- to the Ministry of Economic Affairs and Employ- hensive cyber defence capability for their statu- ment. It is responsible for the planning related to tory duties as part of securing the vital functionsthe maintenance and development of security of of society. ‘Cyber defence’ refers to the area ofsupply in Finland and the related operative activ- national cybersecurity related to national defence, ities. In cooperation with other authorities and which consists of the capabilities of intelligence, businesses, the National Emergency Supply Agency influence and protection. The cyber defence capa- ensures the continuity of the most critical systems bilities produce intelligence data to support the in terms of the functioning of society in all circum - government and the defence forces in their deci- stances. The agency manages and allocates the sion-making, while supporting the operations. resources for the Digital Security Programme 2030 aimed at meeting the needs of businesses that are The Security Committee assists the government critical for the security of supply, while improving in broad matters related to comprehensive secu- the security of cyber and digital infrastructures. rity. The committee monitors the development of Finland’s security environment and coordinates Municipalities and unions of municipalities are the proactive preparedness related to compre- responsible for providing basic ICT-services, pro- hensive security. According to the guidelines of thecurement and tendering of information technology, 2013 strategy and of the renewed 2019 strategy,and their development and maintenance. There the Security Committee monitors and coordinates are differences between municipalities and the the implementation of the strategy. The goals of unions of municipalities, and their organisational cybersecurity coordination include the avoidance approach depends on the size of the municipality. of unnecessary duplication, the identification of It is estimated that about one-third of services is possible shortcomings and determining the com- outsourced, but often these outsourced services petent entities. The competent authorities will are provided by companies owned by municipal- make the actual decisions subject to the provisions. ities and the unions of municipalities. The task of the municipal council is to ensure the organizing The Data Protection Ombudsman is a national of risk management. By the end of 2023, munic- supervisory authority overseeing compliance with ipalities are required to implement the minimum data protection legislation. The task of the Data information security requirements in accordance Protection Ombudsman is to promote the realisa- with the Information Management Act. Siia peatüki nimi | 35
7.
Critical infrastructure and cooperation with the private sector
Lauri Luht | Head of National Situation Centre The Estonian Government Office
The concept of critical information tions services, water supply, financial services and infrastructure various transport services.
It is up to the state to ensure that people’s basic Vital services require infrastructure, both on a needs are met and basic services provided, so that daily basis and in times of crisis, and people to society can function. Services that are critical to maintain the infrastructure. The infrastructure the day-to-day functioning of society and/or for that enables a vital service to function is known as dealing with crises are called vital or essential critical infrastructure. Due to process automa- services. Such services include the generation and tion and the transition to digital production equip- distribution of electricity, various telecommunica - ment, a very large part of critical infrastructure is 36 | Critical infrastructure and cooperation with the private sector
dependent on information and communications the security of information systems). The state must technology (ICT). With the addition of ICT, the con- also provide competent, up-to-date information on cept of critical infrastructure protection (CIP) has cyber threats and vulnerabilities. When designing expanded to include critical information infra- the right environment, it is important to engage structure protection (CIIP). Therefore, in addition private-sector companies in activities that increase to the protection of physical processes, digital sys - their preparedness for incidents and crises. tems and processes that are integral to the opera- tion of services must now also be addressed. It is the responsibility of the state to establish trusted and effective cooperation between the competent authority/authorities responsible for cyber security The roles of the state and the private sector and private-sector service providers, and to main- tain a unified and informed community. Setting up The protection of vital and essential services is one various processes, such as regular seminars, threat of the most strategic tasks in the internal security briefings, shared communication channels and con- of states. The transition to automated and digital ferences, will also allow the private-sector providers processes and systems has significantly changed to communicate better and more efficiently among the risks, which also need to be addressed from themselves, and this serves national security. Main- a cyber security perspective. This means that ser- taining and managing an informal cooperation net- vice providers must inevitably apply cyber security work will improve preparedness for handling crises measures to ensure the reliability and resilience of involving multiple stakeholders. the systems as well as national security. The role of service providers is to protect their pro- As a rule, the state is not the sole provider of all cesses and systems to ensure the delivery of the essential services. Therefore, it must work closely service to society. These organisations must, on with private-sector providers of these services to the one hand, follow national requirements, and on society. The role of the state is to design the right the other, rely on international cyber security best environment or ecosystem in which service pro- practices. In addition, they must actively participate viders can operate. Simply put, creating an envi- in networks and events provided by the state. Both ronment means that the state develops legislation, the public and private sector must actively engage policies, frameworks and guidelines (e.g. creating a in trust building to ensure a smooth exchange of cyber security strategy or guidelines for ensuring information, which can prevent many incidents.
CIP
CIIP
Cyber Security
National Cyber Security Strategy
Figure 9. Critical information infrastructure protection brings together cyber security and critical infrastructure protection Critical infrastructure and cooperation with the private sector | 37
The tasks of the state: The tasks of organisations:
1) developing the ecosystem: 1) protect organisational processes legislation, policies, and systems; frameworks and guidelines; 2) provide resilient services to society; 2) provide competent, up-to-date 3) follow national requirements information on cyber threats and international best practices; and vulnerabilities; 4) participate in the work of national 3) involve companies in activities; cooperation networks. 4) organise information events for private organisations and state agencies; 5) create and manage The state must work closely with an informal network. private-sector providers of vital and essential services to society.
Identifying essential services In addition, countries may consider other ser- vices as essential, such as search and rescue, law Each country identifies its essential services in enforcement, environmental protection services, accordance with the needs of the population and or specific services related to the country’s climate known risks. Therefore, no universal list of these or location, such as district heating, sea rescue and services exists, but the most common items on the water level management. lists of different countries are as follows: • energy, Each of the above is further divided into sub - • communications, services. For example, a state can include both • transport, emergency medicine and inpatient specialist care • financial services and banking, among its vital health services, and list either elec- • health, tricity generation or gas supply as its vital energy • food and water supply. services.22
80
60
40
20
0 AT BE BG CY CZ DE DK EE EL ES FI FR HR HU IE IT LT LU LV MT NL PL PT RO SE SI SK UK
Figure 10. Number of essential services identified by EU member states, September 2019.22
22 https://eur-lex.europa.eu/legal-content/ET/TXT/PDF/?uri=CELEX:52019DC0546&from=EN 38 | Critical infrastructure and cooperation with the private sector
Regardless of which services a state identifies as vital, further defining its critical information EU NIS Directive infrastructure (CII) requires an assessment of the extent to which the service is dependent on ICT. An essential service need not always be subject to CIIP. The European Union Network and Infor- mation Security Directive (EU NIS Directive) Once the essential services have been identified, requires all EU member states to identify the companies providing such services must be the operators of essential services as of identified in terms of market share, production 2018. At the same time, the directive leaves capacity, regional coverage or other criteria. In the member states sufficient leeway, so some cases, the service provider may have a 100% that they can identify service providers market share, which will make it easy to identify a according to their needs and risk profiles. service as vital. On the other hand, there are ser- The directive sets out the following criteria vices that may be regionally distributed in a coun- for identifying service providers: try in such a way that no company has a significant the entity provides a service that is market share in the given industry, which may essential for the maintenance of criti- make all the providers vital (e.g. family physicians). cal societal and/or economic activities; the provision of that service depends Essential services and critical (information) infra- on network and information systems; structure should be identified and the require- and ments applying to them specified in collaboration an incident would have significant between the state and the private-sector service disruptive effects on the provision of providers; only then can the parties find a -com that service. mon understanding of what the state’s CIIP capa- bilities are and what should be addressed outside the public sector. 2. risk assessment (the probability and conse- There are two further key questions that the state quence of the risk materialising); should answer with regard to its services: 3. risk control (various controls to mitigate or (1) Which public-sector services should be accept risks); considered as vital? 4. review of controls (a process specifying the (2) What requirements should be established mechanisms that help control risks). for the public-sector services? The risk management process must take into account that different sectors have specific international A risk-based approach to ensuring standards and approaches that should be applied. the continuity of services Service continuity assurance is aimed at finding Every provider of a vital service must have developed ways to maximise the ability of an organisation’s and implemented processes to ensure service secu- systems and processes to function in the event of rity, incident preparedness and incident resolution. incidents and crises, and to recover from disrup- tions as quickly as possible. Continuity assurance The simplest form of risk management process for can be described in four steps: any service provider consists of four components: 1. risk identification (according to the organisa- 1. understanding the organisation (its capabili- tion’s risk profile); ties and potential gaps in them); Critical infrastructure and cooperation with the private sector | 39
The example of Estonia
Estonia established a list of vital services in the tor companies and professional associations. Emergency Act of 2009. The list is rather com- The identification of services was discussed in prehensive, containing 43 vital services from several working groups with the participation electricity distribution to the continuity of the of experts from different fields. This created Government of the Republic. a coherent approach, leading to greater trust and, ultimately, better quality of implementa- This means that the state imposed on itself tion. At the same time, ICT requirements were requirements similar to those it has imposed laid down for all service providers, as Esto- on the private sector. The services were agreed nia’s high level of digitalisation comes with a across the ministries, involving private-sec- dependence on ICT services.
Vital services under the Essential services under Emergency Act the Cybersecurity Act (1) electricity supply, (1) a provider of a vital service (2) natural gas supply, under the Emergency Act, (3) liquid fuel supply, (2) a railway infrastructure manager or rail (4) ensuring the operability transport service provider, of national roads, (3) an aerodrome operator, (5) telephone service, (4) a port service provider, (6) mobile phone service, (5) an electronic communications company, (7) data transmission service, (6) a regional hospital or central hospital (8) digital user identification providing in-patient specialist medical and digital signature, care and an ambulance crew providing (9) emergency care, emergency care, (10) payment services, (7) a family physician, (11) cash circulation, (8) an administrator for the top-level domain (12) district heating, name registry for .ee, (13) ensuring the operability of local roads, (9) a provider of communications services, (14) water supply and sewerage, marine radio communications services and operational communications network services, (10) Estonian Public Broadcasting.
2. ensuring preparedness (for various incidents/ As in risk management programmes, continuity crises); assurance also has sectoral international best 3. responding (to various incidents/crises and practices in place, which are tailored to the sector managing them); but are also applicable to cyber security. 4. adapting and improving (by learning lessons and defining future developments). 40 | Critical infrastructure and cooperation with the private sector
Assess Understand risk organization
RISK BUSINESS Identify Control Adapt Prepare MANAGEMENT CONTINUITY risk risk & improve (proactive) PROCESS STRATEGY
Respond Review (reactive) Controls
Figure 11. The risk management process Figure 12. Four steps to continuity assurance of a service provider
els, both for the management/leadership and for general and technical personnel. Every provider of a vital service must develop and implement The main types of exercise are: processes to ensure service security, • table-top exercises (TTX), incident preparedness and incident • command-post exercises (CPX), resolution. • technical exercises (TE).
Table-top exercises tend to be conducted for sen - ior staff to discuss escalated issues, raise aware - Using the two support processes described above ness and find solutions. – risk management and continuity assurance – it is possible to build an organisation’sresilience , Command-post exercises are primarily designed which enables it to better handle incidents and cri- to test or practise routines established for opera- ses internally. tional teams (such as information exchange, inci- dent management and escalation, or developing and delivering public messages). Ensuring preparedness through exercises and clear crisis management Technical exercises are conducted in technical environments to practise and test incident and The best way to understand and improve the pre- cyberattack response capabilities in systems and paredness of the state or private-sector organisa- information assets. tions is to conduct exercises that focus on testing system performance and identifying deficiencies, Regardless of their different objectives and types, and to make corrections after the exercises. Exer- exercises can involve multiple levels of management cises can and should be conducted at different lev- as well as participants from outside the organisation. Critical infrastructure and cooperation with the private sector | 41
For example, exercises between the national cyber essential for society. Today’s crises affect very many security authorities and other agencies, including stakeholders. Therefore, fast, trust-based coopera- service providers and law enforcement agencies, tion between service providers and the authority are very useful. Such exercises can be either techni- coordinating cyber security and critical information cal, command-post or table-top exercises. infrastructure protection is essential and beneficial.
As a rule, table-top exercises are used first to start building and enhancing collaboration, familiarising the participants with the expectations and actions The lessons learned from exercises in crisis situations; the next step is to move on to and the resulting preparedness, command-post or technical exercises to test and an effective risk management practise the agreed routines. framework and established continuity requirements form a strong basis The lessons learned from exercises and the result- for both the state and the service ing preparedness, an effective risk management providers to be able to handle a crisis. framework and established continuity require- ments, form a strong basis for both the state and the service providers to be able to handle a crisis.
Exercises can also be used to update incident and crisis response plans as well as service recovery Practical recommendations plans. Crisis preparedness requires developing a reasonable selection of alternative solutions to be for the state and private-sector able to provide the best possible access to services service providers in preparing for and during a crisis
The tasks of the state in complicated situations Designate an authorised contact person to be contacted as needed, to agree on further actions. This person must have a mandate to contact the organise high-quality, various staff members of the institu- rapid exchange of information tion to agree on the necessary division maintain an up-to-date situational of labour and communicate this out- picture and communicate it side the institution. to those affected by the crisis Definekey processes and workflows analyse potential developments that trigger in the event of a crisis. The and plan further actions key processes and workflows must be organise or support public practised through exercises, so that communication their functioning and shortcomings define the necessary decisions are known. to be taken by the parties Ensure open communication and support decision-making exchange of information with partner and enforcement institutions and relevant stakeholders. 42 | Siia peatüki nimi
8.
How to develop a country’s cyber security?
Epp Maaten | Programme Director of National Cyber Security e-Governance Academy
Growing threats and a lack of awareness of the the information society and cyber security from field of cyber security usually lead to the follow- different perspectives. One of the best known and ing questions: how secure is the cyberspace of most valued of these is the Global Cybersecurity our state and what should we do to improve the Index developed by the International Telecom- situation? munication Union (ITU).23 This is a survey of all UN members that provides a simple answer to the Several methodologies have been developed question of a country’s position in comparison to around the world that assess the development theof rest of the world when it comes to matters of
23 See https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx How to develop a country’s cyber security? | 43
Figure 13. A screenshot of the National Cyber Security Index website
The NCSI is one of the most detailed cyber security indices in the world. Its advantage over others is the opportunity it provides for countries to identify areas of cyber security in need of improvement.
cyber security. Despite this comprehensive over- Union found the NCSI to be one of most detailed. view, the survey is not very clear regarding the Its advantage over others is the opportunity it bases on which the countries are ranked. provides for countries to identify areas of cyber security in need of improvement. In recent years, The e-Governance Academy has developed the the National Cyber Security Index has gained National Cyber Security Index (NCSI), which also international recognition and rapidly increased provides an assessment of the state of a country’s the number of countries covered by the index. At cyber security, but in addition offers an opportu- the beginning of 2020, the index contained data nity to see the sources on which the assessment on more than 150 countries. is based. In its 2017 comparison of cyber secu- rity indices, the International Telecommunication 44 | How to develop a country’s cyber security?
Figure 14. The ranking of countries in Asia
How to use the NCSI the Global Cybersecurity Index and the World Eco- nomic Forum Index. The index also confirms the The website of the National Cyber Security Index claim that cyber security supports the country’s (ncsi.ega.ee) displays a world map and a ranking of overall digital development. This means that the countries. The website makes it possible to com- indicators of developed digital nations are balanced pare the rankings of countries globally, at regional as they also focus on developing cyber security. level or within international organisations. When a country’s cyber security indicators are -sig nificantly lower than its digital development indica- For each individual country, the index provides an tors, there is reason to think about how to increase overview of its position based on various commonly that country’s level of cyber security. In addition, used digital indicators such as the International Tel- the website offers an option to see how a country’s ecommunication Union’s ICT Development Index, position in the index has changed over time.
Figure 15. A country’s level of cyber security based on four indicators How to develop a country’s cyber security? | 45
There are a wide variety of factors to consider Measurable Aspects of Cyber Security when assessing cyber security. In addition to the Implemented by the central government usual tasks of the state, such as creating legisla- tion or designating responsible institutions, the Legislation Established Cooperation assessment also surveys activities related to cyber in Force Units Formats defence, such as in planning curricula at different school stages or in public-private interaction. The existence of a reliable digital identity and a means for its identification are also elements of a coun- try’s cyber security, as the use of personalised OUTCOMES/PRODUCTS e-services requires that the services are used only by the person to whom access is granted. There- Figure 16. Measurable activities fore, cyber security can be created through a wide of the National Cyber Security Index range of activities.
The National Cyber Security Index focuses on In the National Cyber Security Index, measura- activities that can be measured. These measurable ble activities are divided into 12 capacities. Each activities include: capacity contains multiple indicators. For example, (1) the existence of legislation; the capacity of cyber security policy includes four (2) organisations responsible for certain activities; indicators that assess whether a country has a (3) forms of cooperation (councils at the national cyber security policy unit, formats of cooperation, level, working groups and other management as well as a cyber security strategy and a plan for structures); its implementation. The other 11 capacities are (4) outcomes of activities, e.g. exercises, policy similarly measurable. The index includes 46 indi- documents. cators in total.
Cyber security Threat Global Education policy analysis cooperation
Protection of Protection of E-identification Protection of digital service essential services and trust services personal data
Cyber incident Cyber crisis Fight against Military cyber response management cybercrime operations
Figure 17. The 12 capacities of the National Cyber Security Index 46 | How to develop a country’s cyber security?
The page that presents an overview of a country’s data provides a more detailed description of all indicators along with the evidence on which the Would you like to update your specific scores are based. We consider evidence country’s data in the NCSI? to be, for example, a link to a law or strategy, to a Interested in developing your website of a competent authority, to a news article country’s cyber security in a about a training activity or another relevant doc- comprehensive manner? ument. Therefore, the website of the Cyber Secu- rity Index is one large database of references to a Get in touch with the NCSI team country’s cyber security documents and activities. [email protected]! Maintaining such a public database and present- ing the evidence transparently on the web distin- guishes the National Cyber Security Index from other methodologies in the same field. The unique feature of the NCSI is that its data Submitting data to the National Cyber Security is continuously updated. Unlike other indices, Index is voluntary. National data may be providedwhich generally publish assessments once a year, by representatives of the state or other compe- the National Cyber Security Index updates data tent organisations. In addition, experts from the on a rolling basis – as soon as new country data e-Governance Academy who work on the index onbecomes available and is reviewed by experts. a daily basis collect data from public and official sources. At the same time, our team aims to findThe National Cyber Security Index is a valuable partners in each country who are up-to-date onsource of data that each country can use - to pro local developments and able to update their coun- tect the security of its digital services. Check out try’s data on an ongoing basis. The update history the index at ncsi.ega.ee and see what you, as a and the sources of updates are available on each country, should do to improve the level of your country’s page. cyber security.
1. Cyber security policy development 6 7 86%
1.1. Cyber security policy unit 3
REQUIREMENTS EVIDENCE
Criteria https://www.mkm.ee/kontakt?tid_with_depth%5B0%5D=223
A central government entity (ministry or equivalent) has a specialised official or unit responsible for national cyber security policy
Accepted references
Official website or legal act
Figure 18. An example of a National Cyber Security Index indicator and the linked evidence Contributors | 47
Contributors
Oskar Gross Epp Maaten
Oskar Gross has been working as Epp Maaten is Programme Direc- head of the Cybercrime Bureau of tor of National Cyber Security the Central Criminal Police at the at the e-Governance Academy. Police and Border Guard Board since its establish- Maaten has 20 years of experience from Estonian ment in 2016. From 2010–2015 he studied at the public sector institutions. She worked as Advisor University of Helsinki focusing on language inde- and Deputy Head of the Electronic Voting Commit- pendent word association analysis, and obtained tee. She has advised the President of Estonia and a PhD in computer science in 2016. the Chancellor of Justice on information society related matters. Previously, Maaten served at the Estonian Information System Authority and man- Lauri Luht aged government policy and projects concerning critical infrastructure protection and IT risk man- Lauri Luht has led the National agement. Epp has also been an auditor at Eesti Situation Centre at the Estonian Energia and the National Audit Office. Until 2007, Government Office since January she coordinated the IT projects of the National 2020. Between 2018 and 2019 he worked at theElectoral Committee, including Internet voting. NATO Cooperative Cyber Defence Centre of Excel- She is a certified IT auditor (CISA). lence as head of Cyber Exercises. Before that he was head of the Crisis Management Department at the Estonian Information System Authority, where Elsa Neeme his main responsibility was for national cyber -secu rity policy and legal issues, cyber emergency pre- Elsa Neeme is a Legal Advisor paredness and situational awareness development at the NATO Cooperative Cyber at the national level. As part of his job Luht has Defence Centre of Excellence been responsible for planning national and inter- (CCDCOE) based in Estonia since October 2018. national cyber exercises, plans and procedures Prior to joining the CCDCOE she worked at the for emergency preparedness and international Cyber Security Branch of Estonia’s Information cooperation. Between 2007 and 2013, Luht worked System Authority (RIA) providing in-house legal in the Estonian Ministry of the Interior, where he advice and supporting the execution of RIA’s tasks was responsible for supporting the Government in ensuring cyber security, ranging from incident Crisis Committee, organising national emergency response to cooperation with private sector service preparedness and response planning as well as providers. Neeme has been a member of Estonia’s international co-operation issues in the field ofNetwork and Information Systems Directive (EU) civil protection. He is one of the authors of the first2016/1148 transposition working group and one of Estonian Emergency Act in 2009, and the first - Esto the co-authors of Estonia’s Cyber Security Act. nian Cyber Security Act in 2018. Luht has carried out capacity building for enhancing digital societies, cyber security and critical information infrastruc- ture protection in Ukraine and Georgia, but also in Central and South America and African countries. 48 | Writers
Kimmo Rousku Toomas Vaks
Kimmo Rousku has been working Toomas Vaks has worked in secu- for the Finnish Public Sector Digi- rity and risk management posi- tal Security Management Board tions in the public and private (VAHTI) as an expert since 2004, and as Generalsector for over 25 years. In 2011, he transferred Secretary since 2015. From 2020, he works as Chieffrom the position of Chief Risk Officer of Bank Special Expert at the Finnish Digital Agency. RouskuCards in the Swedbank Group to the position of has worked in the ICT sector since 1985 and Deputy has Director-General at the National Informa- exceptionally wide ranging expertise in ICT andtion System Authority (RIA) and began to lead the security. He has broad work experience as CIO,cyber security unit. The unit performed the tasks CISO and CRO in the Finnish government adminis- of the national CERT, coordinated the cyber secu- tration. Over the last 10 years, he has specialised in rity of the state information system and essential developing information, digital and cyber security, services, and monitored the compliance with secu- risk management and data protection and develop- rity requirements. Since the end of 2017, he has ing and utilizing the potential of digitalisation in the worked in the private sector, but continues to con- public sector. Rousku was nominated as the Chief tribute to the development of the country’s cyber Information Security Officer of the year 2015 by The security sector. He actively participates in the work Association of Information Security in Finland. He of the State Cyber Security Council and various has been listed in the TOP 100 ICT influencers by professional associations. He holds a Master’s Finnish TiVi Magazine every year since 2011. degree in Social Sciences from Tallinn University of Technology. He is also a graduate of the Lon- don Business School and the University of Iceland. Vaks has examined strategic planning and crisis management of cyber safety, and has participated as an expert in various research and development projects. ncsi.ega.ee | [email protected]