Estonia seeking to make e-residency more efficient for entrepreneurs

The Estonian government approved the e-Residency 2.0 action plan at a Cabinet meeting on Thursday, with the objective of making the e-Residency program more secure, more beneficial for Estonian entrepreneurs, and more convenient for the e-residency community.

Prime Minister Jüri Ratas (Centre) said that the results of this year’s e-Residency program have proven that the program itself is sustainable and successful in involving entrepreneurs from all over the world.

“Although we are grateful for the support of the e-residency community, there is still a lot to do to make this program even more convenient and beneficial for them,” Ratas said. “The new and ambitious goals of the e-Residency 2.0 program will help us meet the constantly growing expectations of e-residents while also creating higher added value for local entrepreneurs and the Estonian state.”

One of the most important goals of the e-Residency 2.0 action plan is to establish a more secure system to reduce the risks that accompany the use of e-services. A new risk-based pre- and post-control will also be applied when issuing a digital identity document for an Estonian e-resident.

Another primary objective of the action plan is to increase the value created by an e-resident for an ordinary Estonian enterprise.

Since the e-Residency program was introduced, a total of 58,000 e-residents have established 7,200 businesses in Estonia, employing approximately 1,300 people. Last year, Estonia collected €8.73 million in tax revenue from e-residents’ businesses, but since the implementation of the e-Residency program it has seen a total of €25 million in direct economic gain.

“The new strategy will allow us to work toward the goal of bringing direct or indirect gain from the benefits of this program to as many Estonian people as possible,” Minister of Foreign Trade and IT Kert Kingo (EKRE) said.

First steps already underway

In order to create a more convenient user environment, an online platform will be developed for e-residents that will make it easier to access various services offered by the state and the private sector. Alternatives will also be considered for the current smart card-based authentication and digital signatures.

E-Residency managing director Ott Vatter said that the first steps have already been taken in implementing the new action plan.

“Pursuant to amendments made to the Commercial Code, all entrepreneurs who are e-residents have the opportunity to contribute to the share capital of their company and own a bank account in any country in the European Economic Area (EEA),” Vatter explained.

“We have already made it easier for e-residents to obtain their digital IDs,” he continued. “This year, we established additional points of issue in Tokyo and San Francisco, but we are also planning on opening additional points elsewhere as well.”

In 2018, as a result of cooperation between various experts, a number of proposals were made to further develop e-residency, which were ultimately published as “The e-Residency 2.0 White Paper.” Based on these proposals, an action plan for their implementation was drawn up in cooperation with several state authorities and the private sector.

Resource: err

Estonia as an international cybersecurity leader

August 2019

by Josh “Juku” Gold

Josh “Juku” Gold is a research assistant at Citizen Lab, and a 2019 visiting fellow at The Hague Program for Cyber Norms. His bachelor’s thesis (University of Toronto) investigated the 2007 cyberattacks against Estonia and their legacy. Josh is Estonian-Canadian.

How and why does Estonia have so much influence in building international cybersecurity norms?

If you are reading this article, or familiar with e-Estonia, it is likely that you know something about Estonia’s bold and successful digital innovation. You may be aware that—as is necessary for a society reliant on digital technology—Estonia is also very focused on cybersecurity. Yet this focus is not only on ensuring its own national cybersecurity at home. Instead, especially since 2007, Estonia has held a prominent role in leading international cybersecurity efforts – particularly those focused on establishing rules for behaviour in cyberspace.

Punching above its weight: Estonia’s prominence in cyberspace governance

Estonia has been at the centre of global cybersecurity discussions and action since at least 2008. That year saw the establishment of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn. The Centre is essentially a military think-tank that leads the world in crafting cyber defence solutions through a multinational, interdisciplinary analysis of various cyber issues. As of 2018, the CCDCOE is responsible for identifying and coordinating education and training solutions in cyber defence for all NATO bodies across the Alliance. Today, the CCDCOE comprises 25 states and more are lined up to join, including NATO partner states Japan and Australia.

The Centre is best known for its Tallinn Manual process, a non-binding, academic study on how international law applies to cyber conflicts and cyber warfare. It is the most authoritative and comprehensive of its kind, and is continuously developed by the CCDCOE with input from nearly 50 states.

Estonia is also deeply involved in global efforts focused on security in cyberspace. Most prominent of these is the United Nations Group of Governmental Experts (UN GGE), which has met five times since 2004 to deliberate on developments in information and communications technology (ICT) in the context of international security. Although the size of the GGE is very limited, from 15 members in 2004 to 25 members today, Estonia has been selected to this group for its past four iterations and will be represented at its upcoming set of meetings this year.

Estonia is home to the e-Governance Academy, a non-profit think tank and consultancy that has worked with over 200 organisations and trained more than 5,500 officials in 130 countries on e-government, e-democracy, and cybersecurity solutions.

Since its founding in 2012, eu-LISA—the EU’s Agency for the Operational Management of Large-Scale IT Systems—has been located in Tallinn.

In October 2018, a speech by then-US Secretary of Defence James Mattis revealed for the first time that Estonia would join the US as one of just four other countries to offer NATO national cyber capabilities to help fight in cyberspace, if necessary.

In June 2019, Estonia was elected for the first time as a non-permanent member of the UN Security Council, which Estonia’s ministers and President say they will use to further action and spread knowledge on cybersecurity and digital governance.

From 2014 to 2019, former Estonian prime minister Andrus Ansip was in charge of the EU’s Digital Single Market, which among other things deals with security, privacy, and general coordination of the EU’s digitalisation. Upon Ansip’s departure, Estonian bureaucrat Juhan Lepassaar was elected from among 80 candidates to become executive director of ENISA, the EU’s cybersecurity agency.

The list goes on and on.

But why is this so? How did Estonia get here, and why do other countries value Estonian opinion? And why should Estonia spend so much effort on this when it has so many other things to worry about?

Learning From Experience

The answer is directly related to Estonia’s experience with cyberattacks in 2007, policy decisions then, and steps forward since.

In spring 2007, during a time of heightened tension between Estonia and Russia, Estonian online services came under a barrage of cyber attacks of varying intensity and sophistication. They continued for three weeks. Luckily—and surprisingly to some Western observers—Estonia was quite successful in defending against the attacks, and direct damage was minimal. But the implications were huge; the attacks demonstrated the risks of political events extending into cyberspace, and the social threat posed by large-scale disruption of the public internet. This was emblematic of the future of war, and a wake-up call for all nations.

And nations did wake up. The NATO CCDCOE, which Estonia had pushed for since 2004, was quickly established. Estonia became one of the world’s first countries to release a National Cyber Security Strategy (2008-2013), essentially a ‘lessons learned’ from its 2007 experience. Other states studied this document closely and it went on to inform NATO and other states’ doctrine.

That Estonian leaders decided to be transparent during and after the attacks brought great dividends. Estonia declassified almost all information about the attacks, turning the country into the global case study for cyber conflict while also, through its openness, maintaining the trust of its citizens using e-services.

Small States Need International Rules And Cooperation

Estonia is now one of just a small handful of states globally to have released a third generation National Cyber Security Strategy (2019-2022). Notable throughout all three of these cyber security strategies is a focus on the global nature of threats in cyberspace and the need for international, multilateral action.

To stay at the forefront of digital governance and continue developing its digital society, Estonia must remain a leader in security. As stated in its 2019 Cyber Security Strategy, “For Estonia, cybersecurity does not mean protecting technological solutions; it means protecting digital society and the way of life as a whole.”

Moreover, as a small state, Estonia is particularly reliant on international rules. By setting the agenda and developing norms, Estonia brings countries together to agree on rules for cyberspace, thus working directly in Estonia’s big-picture security interests. A stable, rules-based cyberspace is of critical interest to a digital society like Estonia, which is among the most vulnerable to cyber threats. As is discussed in a recent article by Liisi Adamson and Zine Homburger, Estonia has become a global entrepreneur and pioneer of cyber norms.

What Doesn’t Kill You Makes You Stronger

The 2007 cyberattacks have proven to be a blessing in disguise. Estonia’s successful defence against those attacks, combined with openness, has given Estonia international legitimacy and credibility, thereby allowing it a seat at the grown-ups’ table.

As it advances its digital society and tries new things, Estonia remains something of a digital experiment: an incubator and testing ground. New technologies and their applications bring new challenges, ensuring that Estonian policymakers stay a few clicks ahead of most of their foreign peers. So long as Estonia’s digital society remains innovative, effective and secure, it can continue to have influence and punch above its weight.

Resource: e-estonia

Fighting cybercrime in the digital age

August 2019

How do the police address cybercrime at a time when more and more of our everyday actions take place in cyberspace? We talked to Oskar Gross, Head of the Cyber Crime Unit at the Estonian Police and Border Guard Board, to find out exactly what cybercrime entails, how it’s fought and how we can protect ourselves.

What is the function of the Cyber Crime Unit? How is it positioned relative to other organisations dealing with cybercrime and cyber security?

The Cybercrime Unit (C3) in the Central Criminal Police has two main goals. Firstly, we collect, manage and analyse information about the biggest cyber threats and actors. Secondly, we take relevant action based on the former. From time to time we also work on the aspects of prevention, legislation etc.

The biggest difference when compared to other organisations is our monopoly of force, which means that we are successful when we attribute crimes and catch criminals. However, we cannot carry out this fight alone – in our criminal cases, much of the evidence is digital. Thus, cooperation with cyber security companies and other organisations is vital for us. Moreover, this applies to both scenarios, when we ask for information during criminal proceedings and when cyber security companies, CERTs or other organisations, discover something suspicious.

Prevention is also very important in this field, especially when it comes to young people, who might show curiosity towards the dark side of the internet. It is important to direct people back to the legal (and also very exciting) side of the cyber, before it is too late. Some countries in the world have started implementing interesting ideas for rehabilitation. In the coming years, we must also do the same.

The Cyber Crime Unit was established around three years ago. What changes and continuities have you seen in cybercrime trends during this time?

The most obvious aspect is the exponential growth of devices connected to the internet, which creates a wider spectrum of vulnerabilities and ways to use malicious tools against people. From the criminal environment point of view, it seems that the entry barrier has become lower and fewer computer skills are needed to start committing cybercrimes. One of the reasons for this is that quite a large part of the cybercrime environment has turned into a service-based economy. For example, in order to do a DDoS attack against a Minecraft server, instead of first infecting 1000 computers and then ordering them to make a huge amount of requests against the server, you can instead go to a website, copy and paste the domain/IP address to a text field, pay the cost in cryptocurrency and press “play”. Some websites might even offer you free trials. This extends to many services, from infecting machines to money laundering services etc.

There are many discussions about how cybercrime is a low-risk, high-reward type of crime. Criminals, who in the past have focused on “traditional” types of crimes, might also become interested in cybercrime. As the world moves towards digitalisation, we see that the cyber component has a bigger role also in other types of crimes.

I think it is important not to mystify the cyber realm. It is very simple to make people feel they are not in control and that is a problem with mystifying the internet. We should remember that cybercrime is not something that “just happens”, but there are real people behind these events. People do have control online. Cyber-attacks may seem like a technological mystery, however, they have more to do with being inattentive. Mystification is what makes us think of the internet as a technological chaos, rather than see it for what it really is – a group of people online.

It might also be one of the reasons people tend to believe things they read online, which they would never believe in real life (e.g., an elderly wealthy person has 50 million to spare because their safe is full and they just need somebody to give the money to). If something sounds too good to be true, it probably is not.

Translating crime from the “real” world to the virtual space, what are the differences and similarities in protecting people from harm?

Investigation techniques are slightly different, however, cybercrime investigations involve much more criminal police work than people would imagine.

One of the differences is that in the real world the harm is rarely repairable. For example, physical violence cannot be undone, whereas in cybercrime it is possible to undo the harm in some instances. The No More Ransom Project aims to provide tools to decrypt files which have been encrypted with ransomware. This is a good example where harm can almost be undone.

It is possible to protect people from cyber-crime with preventive work, the same way we do about threats in the “real world”. We advise people not to click on suspicious links the same way we advise everybody to lock their door before leaving.

From the perspective of the police force, what is currently the greatest challenge in tackling cybercrime?

Anonymity is the name of the game in cybercrime. Most probably, one of the biggest challenges is connected to the aforementioned service-based economic model. Namely, for services the anonymity model is often built in and thus it makes it more complicated to investigate separate incidents.

Another challenge is of course hiring – as Estonia is a very IT-driven country and the sector is big with many opportunities. It is challenging to find people for our technical team. We deal with very versatile topics and each person in the tech unit needs to have quite a large spectrum of skills.

People have been deemed the weakest link in cyber security. What piece of advice would you give regarding cyber behaviour to minimise the threats they pose to themselves and their organisations?

I have always liked the comparison that reasonably safe cyber behaviour is similar to minimising infections in the real world – as we know 80% of the infections can be avoided by simply washing hands regularly. In computer security, unfortunately, it is not only one thing you have to do but many. Important things to remember:

• Use strong, unique passwords and two-factor authentication (if possible)
• When offered, always update software
• Use antivirus
• Make backups regularly
• If something looks too good to be true, it probably is

If you follow this advice, you are probably better protected than most people.

How can people’s cyber behaviour be improved through top-down approaches? What kind of prevention initiatives have proven the most effective?

Prevention campaigns definitely work and I am quite sure people perceive threats of the internet much better each day. For instance, even my grandmother forwards me different scam emails which promise great riches.

It is hard to say which initiatives are most effective – the problem of measuring this boils down to estimating the growth of the crimes committed on the internet and then analysing the dynamics of how many people fall victim. I think notification campaigns are always important, but in the future we hope to look into more tailor-made campaigns, where the targets of the messages are carefully chosen. For example, in preventing falling victim to the business email compromise scam, last winter we notified board members of Estonian companies. We received mixed feedback about the campaign, but the amount of notifications to our tip line about BEC frauds increased. The campaign was not perfectly executed, but next time we are smarter.

Resource: e-estonia