At the time of the state-wide cyber attacks in 2007, Estonia was one of the most developed nations in Europe regarding the ubiquitous use of information and communication technology (ICT) in all aspects of society. Relying on the Internet for conducting a wide range of business transactions was, and still is, common practice. Some of the relevant indicators include: 99% of all banking done via electronic means, over a hundred public e-services available, and the first online parliamentary elections in the world. But naturally, the more a society depends on ICT, the more vulnerable it becomes to cyber attacks. Unlike other research on the Estonian incident, this case study does not focus on the analysis of the events themselves. Instead, it looks at Estonia's cyber security policy and the subsequent changes made in response to the cyber attacks that hit Estonia in 2007. As such, the paper provides a comprehensive overview of the strategic, legal and organisational changes based on the lessons Estonia learned after the 2007 cyber attacks. The analysis provided herein is based on a review of the strategies governing national security, changes in Estonia's legal framework, and organisations with a direct impact on cyber security. The paper discusses six important lessons learned and manifested in actual changes, each followed by a set of cyber security policy recommendations aimed at national security analysts as well as nation states developing their own cyber security strategy.
Published in: Proceedings of the 10th European Conference on Information Warfare and Security, Tallinn University of Technology, Tallinn, Estonia, 7-8 July 2011. Reprinted in the Journal of Cyber Warfare and Terrorism, Vol. 1, Issue 1.