President Alar Karis talked to Ramia Farrage of Forbes about the digital journey Estonia has gone through, stressing how easy it is to start and run a business in Estonia and explaining why we have the largest number of unicorn companies per capita.
“It has been a long journey – or actually not that long, a bit more than 20 years,” president Alar Karis said talking to Forbes about the success of Estonia’s digitalisation journey. He explained that both, the leadership’s consistent digital-mindedness and the school system that according to Karis is extremely good in IT teaching, have largely contributed to the success. At the same time, Karis pointed out the role of Estonia’s digital ID system and good cooperation between private and public sectors, developing the services.
Having a digital ID card makes it possible for Estonians to give digital signatures and even vote online. “Basically, you can do every service online, apart from marriage,” Karis said, adding that at one point even this could also be added to the list of online services.
10 unicorn companies hatched from education and ease of doing business
With 10 unicorn companies (two of them being quite recent additions), Estonia is at the world’s top in number of tech startups valued at a billion dollars or more, per capita. “There are several reasons why we are extremely good at that [creating billion-dollar companies],” he said, stressing both, the role of ease of doing business in Estonia and, again, the country’s school system. “Behind these unicorns is our school system,” Karis stressed, mentioning the great results Estonian students have had at the PISA tests, setting Estonia’s education system at the world’s very top and the role of applied IT schools, contributing to the workforce needed by successful tech companies.
Ease of doing business in Estonia
Another reason for Estonia’s recent business success may be a simple one – it is very easy to start and run a company in Estonia. With an ID card or an e-Residency card, this can be done fully online. “Startups are growing – even myself, when I was a professor at the university, I started a new company,” Karis concluded. Estonia is the first country to offer e-Residency, a government-issued digital identity and status that provides access to Estonia’s transparent business environment: a new digital nation for the world.
These are transformative times for Estonian cyber security companies. For weeks, all eyes in the country have been fixed on the ongoing war in Ukraine, but to listen to Raul Rikk, director of national cyber security for the Estonian government, the threat of cyberattacks has only been growing immensely over the past few years, challenges only now magnified by the new war.
“There have been bigger and bigger cyber attacks with a massive impact,” says Rikk. “And of course now the war in Ukraine has put a lot of pressure on cyber management capabilities.”
The solution will be greater vigilance and better solutions, says Rikk, not only from companies already established in the cyber security space, but from all organizations and firms that will need to step up to address these new risks. And as companies invest, providers will need to innovate.
Raul Rikk, Director of National Cyber Security for the Estonian government.
“Companies have to allocate more resources from their ICT budgets to cyber to ensure the sustainability and security of the systems,” says Rikk. “Because cyber attacks will not disappear. They will only become more influential.”
Solid foundations
Estonia has a multitude of companies that either focus directly or partially on cyber security. In the case of Cybernetica, the story of the firm is in some ways the story of Estonian cyber security itself. The firm traces its origins to the founding of the Institute of Cybernetics at the Estonian Academy of Sciences in 1960. The institute evolved into Cybernetica in 1997. As such, Cybernetica could be considered the predecessor of the Estonian cyber security community. When the government embarked on digitisation projects in the 2000s, it didn’t have to look farther than Cybernetica for help. This led to the creation of X-Road, the backbone of Estonian digital services. “I like to tell people that Cybernetica is even older than Microsoft,” says Rikk.
According to Sander Valvas, head of the cyber security department at Cybernetica, this background in cryptography, cybernetics, advanced mathematics, and computing, provided a “solid foundation” for Cybernetica and likeminded firms. “From this situation Cybernetica also arose as a strong cyber security player,” Cybernetica also played a role in the development of the Estonian IT Baseline Security System, Valvas points out. And the innovation in cyber continues.
Sander Valvas of Cybernetica.
In 2020, the firm announced a cyber threat intelligence sharing platform between the US and Estonia, and continues to work on the platform for the Estonian Ministry of Defense, he says.
There is also the domestic market in Estonia, and Cybernetica is now offering cyber security as a service for companies that lack the know-how to keep an in-house cyber security team, he says.
The new kids
If Cybernetica is the grandfather of Estonia’s cybersecurity sector, then companies like Veriff, CybExer, and RangeForce are some of the new kids. All three were founded in the mid-2010s and, like Cybernetica, evolved out of the country’s existing competencies in cybertechnologies.
Veriff, in some ways, is the quintessential Estonian IT success story. The global online identity verification company started off as an idea in 2015, and is now one of the country’s unicorns, with a market valuation of $1.5 billion, and clients in the fintech, cryptocurrency, gaming, and mobility sectors. Veriff now employs 400 people across sites in Estonia, the US, UK, and Spain.
“As businesses have moved online, identity verification has become an integral part of any business, they need to know who is the person at the other end of the line,” says Kaur Virunurm, its chief information security officer. He notes that the country’s technical higher education and scientific research institutes have also helped to prime the market for innovation, and that some other factors, such as a lack of legacy technology platforms following the Soviet collapse, plus a “surge in patriotism” in the post-1991 years have continued to fuel this development in the area.
This uptake of cybertechnologies also led to security solutions. “The new digital companies had to protect their electronic services from the new and emerging cybercriminal society,” he notes.
The Bronze Night and its aftermath
If Estonia was well positioned to innovate in the cyber security arena at the start of the 2000s, the sector received a jolt in April 2007. After the Estonian government removed a controversial Soviet-era war memorial referred to as the Bronze Soldier to a military cemetery, widespread rioting erupted in the Estonian capital, and some other cities, and the country’s parliament, banks, and media were hit by distributed denial of service attacks, still widely considered one of the most intensive instances of state-sponsored cyber warfare ever. The event led to the establishment of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn in 2008.
“It was natural that after those events we had to start thinking about how to be resilient as a society also in the cyber domain,” says Andrus Kivisaar, the CEO of CybExer Technologies.
Founded in 2016, CybExer provides cyber security training platforms with a focus on cyber capability development. The firm, headquartered in Tallinn, also offers a plethora of workshops and exercises aimed at a cross section of users, from ordinary users to strategic leadership. Its flagship platform, called Cyber Range, allows users to simulate and respond to cyber attacks.
Andrus Kivisaar of CybExer Technologies.
“Cyber security exercises before 2015 pretty much looked like a bunch of guys sitting in the room sending e-mails,” notes Kivisaar. “We saw clearly what was wrong with those exercises — the difficulties, the inefficiencies, the lack of technological solutions, the lack of awareness.”
The human element
In February, CybXer raised €5 million to develop its Cyber Range platform further, an event that the firm sees as confirmation that more people are appreciating the importance of cyber security.
“The fact that most technical devices around us are computer-controlled and can therefore potentially be manipulated is becoming a common understanding,” says Kivisaar. “Not only defence and critical infrastructures but smart cities, banking, industry, commerce, supply chains – everything needs to be protected and therefore we see a rapid growth of the market,” he says.
Jaanus Kink, COO of RangeForce, which also provides a cyber readiness platform, agrees. The company, founded in Estonia but now headquartered in the US, offers a variety of tools for cyber security skills development. “Our mission is to be the world’s leading human cyber readiness platform,” says Kink, noting that RangeForce engages companies to gauge and improve their cyber security organizations through a “gamified and hands-on experience.”
According to Kink, this human element is key to cyber security. “Everyone is talking about AI at the moment,” he says, “but it is literally the responsibility of every IT professional to ensure security in the cyber world,” he says. Kink notes that there are not enough IT cyber security professionals out there, a shortage of which CybExer’s Kivisaar also says needs to be addressed.
Collective strength
What are the most pressing threats? According to Cybernetica’s Valvas, they are the same that have always existed, only more sophisticated attacks. These can strike either the state or the private sector to paralyze services or extort money from individuals. “We cannot really separate the state’s readiness to withstand cyber attacks from the private sector – the stronger the collective strength of all organizations and institutions, the more resilient we are,” says Valvas.
“The goal of the cyber security industry is thus not to save you, or me, or your business from the villains,” points out Veriff’s Virunurm. “The goal is to provide an environment for everybody that is sufficiently safe to operate in.” Virunurm likens cyber security to law enforcement. “They never try to catch all petty thieves,” says Virunurm, “but they must create a society where people can start a business, earn money and spend it without being afraid of robbers and thieves.”
He notes that just as cyber security firms innovate, criminals and rogue states are working to improve their attacks. Protecting digital assets at the company or state level will require oversight, data mining, service discovery, and automated incident response, says Virunurm. “The attacking side is, of course, working on the same tools and topics, with the same technology applied for the opposite goal,” he says. “It is an arms race with high money and power at stake.”
social scientist at the university of helsinki and the estonian university of life sciences
Cyber-attacks against Estonia in 2007 pushed Estonia at the front line of cyber security. One of the results of this cyber-warfare was the wide acknowledgment that cyber security knowledge and skills are part of the information society’s blood circulation.
Today we can report that the Centre for Digital Forensics and Cyber Security at TalTech provides the highest level of cyber security education…starting from first-graders!
Arena for strong cooperation with the world’s best
In general, TalTech’s Department of Software Science, especially its Centre for Digital Forensics and Cyber Security, is materializing the ambition to be the best provider of cyber security bachelor, master’s, and doctoral education in the Nordic countries and the Baltics. Several factors support it: Estonia’s history in leading the mindset that cyber security must grow along with the digitalization of the society; establishment of NATO Cooperative Cyber Defence Centre of Excellence in Tallinn; support from the Estonian Ministry of Defence and a vast network of enterprises that are developing top-end cyber security solutions. Through cooperation with this capable network, the Center can provide each student with the knowledge and skills necessary to excel in cyber security jobs in Estonia and elsewhere. For example, when this article is published, the annual NATO cyber security exercise Locked Shields, the world’s largest of its kind, is taking place in Estonia with students, professors and professionals engaged.
Professor Rain Ottis.
Professor Rain Ottis, Head of the Centre for Digital Forensics and Cyber Security, stresses the strength of this cooperation: “Cyber security requires a holistic approach that covers people, processes, as well as technology. To ignore even one of the three is inviting disaster. Therefore, we tackle the topic from the perspective of different fields and scientific disciplines”.
The Centre’s multidisciplinary and diverse team conducts research along the spectrum of cyber security – from cryptography to network security to education. The Center staff is routinely engaging in cooperative projects with the private sector. One of the examples Mr. Ottis highlighted was the development of “Cyber Range” – a field for exercising defence of cyber-attacks without setting up designated servers. This is a product that a wide range of companies and public entities can use to ramp up their cyber-skills.
Cyber-hygiene starts from childhood
To create a cyber-aware society, Estonian education guidelines suggest students start taking the first steps in kindergarten. Besides official curricula and teaching materials, nonformal informatics curricula and training competitions support the use of digital safety awareness in schools and homes. The Centre for Digital Forensics and Cyber Security has had a significant impact. More than 150,000 students from the age of 7 onwards and 5,000 school teachers have participated in their programs from 2017-to 2021.
They have created (along with their partners) a system of interlinked competition for various school levels that help to educate, support, and inspire young people to be more aware of cyber security. Kids are expected to start with simple sentence calculation tasks at the CyberPin competition for 7-13-year olds and continue with security in social media and programming at CyberDrill and CyberCracker competitions.
A Mechanism to recognize talents
However, Dr. Birgy Lorenz, Senior Researcher and Head of the Cyber Olympics talent program, stresses that with these programs, they aim towards selecting the brightest heads and supporting them in their career paths.
“We are educating about 20 000 young people annually, but our dream is to find 10,000 cyber security talents in the next 10 years, which will help Estonian society become safer and more skilled,” Ms. Lorenz explains.
Dr. Birgy Lorenz.
Talented students are directed to take part in the CyberSpike competition, where the best hackers will also get a boost through cybercamps, meeting with companies, and international experience like Magic CTF or CyberPatriot (USA), European Cyber Security Challenge (EU), and Cyber Security Defence Camp (Singapore). The competitions are topped up with CyberOlympics, which functions as the preliminary round for European Cyber Security Challenge.
From competitions to community leaders
Johannes Kadak is one of the talents that has passed through the variety of programs of the Centre for Digital Forensics and Cyber Security. After successful competitions, he was the captain of the Estonian CyberOlympics team until 2021, when he was selected as the coach for the European team for the International Cybersecurity Challenge (ICC). Now the founder of two IT companies, he has confessed that participation at the competitions inspired him to get involved with the field.
“I think the most important step for young people is to influence their way of thinking, not just providing knowledge because the Internet is full of expertise, but if you don’t have a curious mindset, it is useless,” Mr. Kadak suggests.
The Estonian CyberSpike competition that Mr. Kadak won definitely appeals to young people. The “Capture the Flag”-type exercise simulated a cyber-attack against various organizations at an imaginary City of Blueberry. Tasks ranged from accessing hacked e-mail servers to reverse engineering.
“In addition to guiding talents towards further studies at our programs, we are on the lookout for hackers — young people with the highest skill level in programming. Throughout the years, we have found about 500 hackers through these competitions,” Ms. Lorenz reports. “We focus on them because they are leaders in their communities – schools, and friends – and we see that after participating in our programs, they help their peers steer away from the “grey” or even illegal hacking towards legal activities, like increasing cyber-security.”
Hence, according to Ms. Lorenz, the stakes involved with young people are high.
“The sustainability of every digital country depends on our ability to harness the competence of the young people,” Ms. Lorenz concludes.
estoniadigital.wordpress.com 