Estonia’s digital ambassador: Nele Leosk’s journey and insights

April 17, 2024

by Justin Petrone

Nele Leosk, ambassador-at-large for digital affairs at the Estonian Foreign Ministry since 2020, reflects on Estonia and e-Governance.

Nele Leosk has led extensive digital, economic, and governance reforms in various countries around the world. Whether working in academia, as a consultant, or for the government, she has become a highly sought-after expert in e-governance.

We recently interviewed Leosk about her current role as ambassador-at-large for digital affairs, the state of e-governance, and the global role that Estonia continues to play as a pioneer and instigator.

How did you get into GovTech? Was it a personal choice, or did someone encourage you to become an expert?

I have worked developing our digital space for the past 22 years. I got my first glimpse into the area in the early 2000s when I worked at the Estonian Ministry of Economic Affairs and Communications, which is also responsible for digitalisation in Estonia. When I was looking for new opportunities, my colleagues from the digital branch introduced me to the e-Governance Academy that the Estonian government had just founded, the United Nations Development Program, and the Open Foundation. I looked it up, and it seemed interesting, though I didn’t know much about e-governance back then.

It was the time of digital identity, the time of X-Road®, and the time of laying the legal framework that enabled the development of an open, inclusive and safe digital society. In a way, digitalisation gave the impetus for modernising Estonian culture. Quite a bit was happening even before 2000. Several preparations had started earlier, such as the introduction of the eID. We all know about the Tiger Leap and Look at World – the initiatives that introduced Estonian people to the internet and digital technologies. These also happened before then.

So, I started to work at the e-Governance Academy. Initially, I worked closely with questions about digital democracy; then, I served as a program director for digital education and skills. Later, I was involved in different areas of digitalisation. I led economic and government reforms all over the globe, from Haiti to Mongolia, from Tunisia to Ukraine. It was fascinating. Implementing reforms and achieving results in different economies and political, governmental, and cultural environments was also challenging.

Since then, my career path has always involved digital technologies from different fields and regions in other organisations. I have worked with political leaders and high government officials and have been hands-on in developing services and e-participation tools. I have experience in academia, international organisations, and the private sector. After 11 years abroad, I returned to Estonia and started to work on the foreign policy aspects of digital technologies at the Ministry of Foreign Affairs of Estonia.   

What does your current job as ambassador-at-large for digital affairs entail?

Digital diplomacy has been rooted as an essential domain in foreign politics in recent years. The space and scale of technological development and the impacts of these on the economy, democracy and security are immense. For example, comparing current developments to the 2000s is a very different scale. 

Digital technologies do not recognise borders. They bring along opportunities and globalisation. Estonia has benefitted from these. It is not an understatement that digitalisation put Estonia on the world map, with our digital services and startup scene. Estonia is looked up at around the globe, and rightly so. 

But, increasingly, digital technologies bring along risks. Privacy is being violated, and cyber-attacks and technological interdependencies are increasing. What is also a concern is that technological developments are concentrated in very few countries, and big tech and their platforms have increased influence. There is quite a race for digitalisation. 

So, how can we globally ensure technologies are used for good and not for bad? How do we make sure they are used democratically and not autocratically? How do we ensure that everybody benefits from technology, not just a few? How do we make sure that everyone has the necessary skills and capacity to use these technologies: countries, towns, companies, universities, schools, people, also public officials and diplomats? Finding answers to these questions unites diplomats working on tech issues.

But aside from these global issues, I also have the pleasure of representing Estonia globally, our developments, companies, and interests. We recently adopted our digital diplomacy concept paper, which includes several main work streams. Besides global technology governance, it also covers digital cooperation and economic diplomacy. As part of Estonia’s digital diplomacy, e-Estonia still has a substantial role. This is how Estonia is known to the world, and maintaining and increasing Estonia’s global position is one part of Estonia’s digital diplomacy.

Are there special conferences or forums for digital diplomats and cyber attaché where you talk about these issues?

Increasingly so, both in the EU and globally. There is an active network of EU digital ambassadors. We work closely with the European External Action Service, like the European Ministry of Foreign Affairs, and other EU and international organisations, such as the UN. Increasingly, big tech companies are at the table. We have a very close network that I am very grateful for, as this is where we share our views, discuss different topics, and support each other. 

We also gather globally and often attend events around digital and technology governance.

Is Estonia still seen as a pioneer when it comes to GovTech?

Estonia still has a strong global position and is known as a digital leader. And rightfully so. I have not come across a society where everything comes so holistically together. We can conduct most of our public and private business digitally and conveniently. Digital signatures, for example, have made my life so much easier, especially when living abroad, from selling my car to voting via the internet. Still, we also need to be mindful that though Estonia leads in the public sector in digitalisation, we also have to take our industry and companies to higher levels and complexity of the use of technologies. The other aspect we need to understand is that it is increasingly challenging to keep up with the technological developments and investments in infrastructure, as the need for computing power is increasing. But Estonia has always been an intelligent adopter and a brave implementer of technologies, and further investments are needed to keep this going. 

Of course, global expectations for Estonia are high, too. In my field, there are several areas that we need answers for. Estonians are expected to have many answers to these common issues that technology brings. AI governance, data governance, and cross-border data sharing require a lot of resources to understand the problems and what is at stake. 

Estonia has influenced several EU developments, such as the European Interoperability Act and European eIDAS, as Estonia had prior experience here. 

You have advised governments in Europe, Asia, Central Asia, Africa and the Middle East. What sets them apart or makes them similar?

Now that we are many years into digitalisation, we have come to realise that despite our differences, there are so many similarities, joint problems and solutions to these problems. For example, all countries need digital identity, data-sharing solutions, registries, and payment systems. This has put co-creation, sharing and re-use of digital solutions on the global agenda. Digital public infrastructure, digital public goods, and digital commons – these trends support openness, sharing, and building on existing experiences. 

Estonia’s X-Road is a perfect example of a global public good that has been re-used in many countries. GovStack – an initiative that Estonia co-leads with Germany, the International Telecommunication Union, and DIAl, is another excellent example of global cooperation that builds on similarities. Amidst these trends, we should not forget that digitalisation is much more than technology, and solutions comprise only a tiny part of the whole. 

But, of course, there are also differences. Differences in economic level, income, and size of a country influence our digital paths. We see countries in the Middle East moving fast, using cutting-edge technologies. However, some countries must consider illiteracy issues and require more electricity when designing digitalisation programs. 

Still, cooperation is essential, regardless of where we stand. Several of the emerging topics are common to all of us. There are challenges that Estonia, or any country alone, may need help to solve. We must find ways to fight disinformation, protect our citizens’ privacy, and regulate tech companies. The EU has been a pathfinder here, and I am glad that some of what we have done in Estonia or the EU could benefit others and the other way around. 

Resouce: e-estonia

GovTech for sustainable development goals

April 17, 2024 by Peeter Vihma

Governments worldwide are attempting to do their part to fulfill sustainable development goals. How can GovTech help?

Not just any “public good”

The world faces enormous challenges of unsustainable energy and material use, degradation of biodiversity, and crumbling of democracy and global justice. Governments are tackling this by, for example, setting up missions to solve problems in cooperation with the private sector. However, until recently, little attention has been paid to understanding GovTech solutions about the Sustainable Development Goals. This is a gap that Alena Labanava, PhD student at the Institute of Software Science at Tallinn University of Technology, is aiming to fill.

Educational gaps for public sector administrators

One of the first tasks that Ms Labanava set herself was assessing the role of an e-government education programme of TalTech in achieving SDGs. It is the study program where most current and future public administrators in Estonia come in close contact with the potential of GovTech. Her research was done on a cohort of students consisting of current mid-career public sector professionals.

The most significant finding from this research is the growing interest in the contribution of digital government to affordable and clean energy (SDG 7), reduced inequalities (SDG 10), responsible consumption (SDG 12), and climate action (SDG 13). 

“The results show that it is not just any solutions dubbed as “public good” that the administrators are interested in, but they are actively seeking solutions in specific areas,” says Ms Labanava. These areas of digital government education have the potential to improve. }

Evaluating GovTech by SDG-s

Ms. Labanava’s next step in her research is to create a catalogue of GovTech solutions and place them on the map. 

“Inspiration came from the GovTech Catalogue designed by the GovTech Connect project, but I think this can be improved,” says Ms Labanava. “It currently shows only labs and accelerators, but not individual solutions. We also want to classify them by SDGs so that public administrators can easily track what problem they solve.” 

Having assembled a small team, the work on the catalogue has just begun. The plan is to collect a list of companies and check how and where their solutions have been used (success stories and use cases) so that it would become a handy tool.

“The market for GovTech is global. Public sector employees need to know what solutions are being produced not only in their own country, Europe, and elsewhere,” says Ms Labanava.

A global picture is essential for accelerating the adoption of already well-working solutions across geographies and helping public sector procurers make better-informed purchasing decisions.

Addressing the bottleneck of implementation 

Providing a comprehensive overview is crucial, but implementing any solution requires cooperation. This is why governments in Europe and elsewhere are setting up InnovationLabs, Bootcamps, and Accelerators. Their main aim is to catalyse innovation between the private and public spheres. 

In Estonia, one promising initiative is Grab2Go, which aims to improve the health and well-being of vulnerable areas by developing automated pharmacies. For them, the main challenge is not technological but legislative. This is what their cooperation with Accelerate Estonia is focused on.

Grab2Go solution optimizes resources by enabling a single pharmacist to assist patients from any corner of Estonia through video consultations, breaking geographical barriers. It also grants pharmacists more time for face-to-face consultations, allowing them to apply their expertise effectively.

However, even testing automated pharmacies in rural areas requires amendments to the Medicines Act.  “We set up a test machine in one of the rural areas in Estonia, but due to legislative constraints, we were only able to operate it during the opening hours of the actual pharmacy,” says Olari Püvi, head of Accelerate Estonia. “This did not provide us with the necessary advantage nor the data that we required, and that would not bring out the benefits of an automated system.”

Hence, besides conducting risk analyses with mitigation strategies, the collaboration between Accelerate Estonia and Grab2Go is focused on legal changes. It would bring Estonia’s sustainable goals a step closer.

Resouce: e-estonia

Madis Tapupere: the evolution towards a more personalised, complex, and integrated digital state

April 17, 2024

by Peeter Vihma

Article content

Rare is a glance into the head of the Chief Technology Officer of Estonia. Having been in office for three months, Madis Tapupere agreed to share his ideas on some of the country’s challenges. We discussed the “personal state”, the EU integration and the development of systemic capabilities of a digital state of growing complexity.

The challenges for the state as a whole

How have the first three months in the public sector been?

I am settling in. In some respects, a country is unlike a big company with a complex digital system. What is new compared to the private sector is understanding how many activities are rooted in laws. In a private company, the board can decide instantly and move on. Important changes in the whole country, however, need regulation change. And it takes a lot of energy to change a big system. I am trying to get a feel for the suitable methods for driving change. Finding a balance between autocracy and collaboration is the key. I follow the “narrow waistline” principle: I try to focus on the most important things instead of controlling everything.

What is your vision for your time in office?

Although it is still in formation, I see multiple areas where we need to address the bigger challenges for the state as a whole: first, further development of general state capabilities, such as advancing the “personal state”; second, EU integration and, third, developing systemic capabilities to address business, data and technology management challenges, including cybersecurity.

And then, there is the task of finding a suitable approach to dealing with these topics. For example, the “personal state” aim can be tackled using a startup mindset, but several other challenges are like those of large companies. How can we innovate in the face of growing complexity and backlog? The existing must be preserved and renewed at the same time.

Therefore, in some areas, we need streamlining, but in other areas, we need to simplify the business and the process side, and hopefully, this will free up hands to deal with new capabilities.

Taking the idea of a “personal state” to the next level

What is your attitude towards the idea of a “personal state” – event-based, invisible, personalised, and integrated digital services for the citizen?

As a strategic goal, a “personal state” is valuable. It relies on principles such as citizen-centred and easy-to-use state services and the once-only principle of data clarity and findability prevalent in several countries. However, while some countries focus on goals we have already achieved, such as information exchange between databases, we should take it to the next level by improving the user experience.

I also recognise that the “personal state” idea goes a long way for Estonia. I have already mentioned that good information exchange between state systems is the foundation of our digital state. Event-based and as invisible as possible services have also been in the works for several years. The added values resulting from data usage are more future-looking and, therefore, blurrier. The challenge is providing a cross-country service within a distributed organisation like our country. And this is not a technology challenge, at least initially, but a governance challenge. Each register in Estonia has its own responsibility, as specified in the law. A citizen-centred view requires changing these basic principles.

In short, the “personal state” is the vision and the direction along which we are going, and our immediate task is to understand where the low-hanging fruit is. The criterion for finding them is the value to the citizen.

Giving people more control

What are the main challenges for developing the “personal state”?

The privacy control mechanism is one of the central questions in developing a more person-centred and invisible service. The more personal the state services become, the more means of control must be given to the person. Otherwise, there is a risk of growing resentment, because we already see that the digital state is not universally accepted by everyone. This tendency must not be exacerbated. Rather, we must find ways to ensure citizens are in control when interacting with the digital state. This can be done by developing consent services and data trackers.

Do you feel you understand things when you go to FB privacy settings? Using data in a large system is difficult for developers and users. How do you convey this info to people? How do you empower people to go along with it? These are the pressing challenges we need to address.

We have been taking the first steps in constructing consent management in Estonia. For example, everyone will have an overview of the use of their data at the Eesti.ee level. However, as we develop our personal state further, the consent service must also be developed to make the complex world understandable and manageable for people.

Innovators dilemma in integration with the EU

Where do you see the challenges and opportunities for EU digital integration?

I would phrase our biggest issue here as the “innovators dilemma”: what brought us here may not take us further. The prerequisites for Estonia’s success may not be applicable in the wider world, and vice-versa — the solutions of the wider world may not fit well with our digital society. My task is to maintain the prerequisites for our success, such as tightly integrated registries, and fit in other solutions and work methods that address the needs and situations of other European countries.

The Digital Identity Wallet is a good case in point. We have used eID and direct system-to-system integration in Estonia to handle personal data. The wallet introduces a new one whereas the data is carried along in the wallet as certificates. You ask for data directly from the register or transfer them through the wallet certificate. Adopting the Wallet logic in Estonia poses some challenges that must be addressed.

Estonia is developing a wallet as a nationally approved and functional authentication and identity verification method. The next step is to develop its capacity as a platform. We are developing a strategy along with the use cases for this.  We know, for example, that Estonia already supports using a digital driver’s license in the EU and elsewhere. However, making a comprehensive road map of the additional possibilities is too early.

In the bigger picture, I see an analogy with open banking. After forcing the banks to open their APIs, a whole ecosystem of certified startups and fintechs emerged. I suspect a similar pattern will also emerge in conjunction with the Wallet.

Estonia: an evangelist with a sense of empathy

What is Estonia’s role in these developments in the interoperable EU?

Regarding data interoperability at the EU level, we must distinguish between two options. First, where there are specific needs, such as stemming from regulations, the data exchange is built up specifically based on these needs.

Secondly, we are also building the foundation of a more general data exchange.  We are supporting the emergence of a broader data exchange ecosystem in the form of “data spaces”. It is a structured description of workflows, data exchange, and how data is agreed upon and monetised. Estonia is involved in the experiments at the EU level, and the future version of our X-road will integrate in this direction. It is an interesting time of emerging standards and proofs-of-concept, so we are closely monitoring this.

I see Estonia’s role in adding pressure to increase ambition. We have real-life experience of how a well-designed digital state can function. Sure, we must accept that everyone’s ability is not the same, but we can be the ones who say that things are possible if done well. Sort of evangelists in what we believe, but also with a sense of empathy.

Technology as an asset

How to deal with the common problem of all systems: legacy?

We must ensure we direct enough active interest towards managing the legacy. In Estonia, we constantly deal with legacy systems, and it is an accepted justification for current investments. However, there is little cross-national management information on the situation.

One of the sources of difficulties is that “a legacy system” does not have a clear definition. It is at least partly subjective. For example, a way to define a legacy system is “system that works”.

However, legacy needs to be addressed because this allows a country to be clear about its limitations. Strategic choices can be made when there is an understanding of what can and cannot be done. This allows meaningful portfolio management and directing of resources. Instruments for dealing with legacy are diverse: technological innovation, cutting the system into smaller pieces and changing them, or even completely rewriting the business process. In the end, we may even have to shut a system down. We need to ensure the pile of stones is not allowed to get too big so it can no longer be stacked around.

The principle I would like to establish is that technology is an asset. Technology is not only an investment that does something new. It is an asset with characteristics, risks, and costs; therefore, it must be managed so that the risks do not become too high and the costs do not become too high. In this way, we can get the maximum out of our portfolio.

Has digitalisation gone too far?

What is your attitude towards the “twin transitions” approach of aligning digital and sustainable transitions?

We need to take the turn to sustainability as one of the parameters of technological development. Some aspects we already share with it, such as optimisation and resource efficiency.

If we accept that all technology management has a cost and creates complexity, then we can clearly see that, in some places, digitisation has gone too far. We should start at the business process level and pressure our operations to optimise.

This capacity could be improved on the national level. The beginnings are there as the capabilities of service management and service portfolio management are already in place. Activities in this field will continue in the context of the green transition. Having a clear map of the scene is its prerequisite.

Resouce: e-estonia

A year of advanced threats and global tensions: Estonia’s cybersecurity scene in 2023

April 9, 2024

by Blessing Oyetunde

Last year, Estonia’s cybersecurity scene was heavily tested, with the Estonian State Information Authority(RIA) documenting 3,314 cyber incidents that impacted their annual assessment. The report details the growing complexity of threats Estonia faces, including an uptick in DDoS attacks and sophisticated phishing efforts, while reflecting on the nation’s ongoing efforts to bolster its cyber defences.

A year of unrelenting cyber storms

2023 witnessed an alarming surge in Distributed Denial-of-Service (DDoS) attacks, with Estonia grappling with a staggering 484 incidents – 182 more than the previous year. These attacks aimed to cripple critical digital services by flooding servers with excessive requests. A notable case targeted Ridango, disrupting the state-owned Elron train service’s ticket sales system for nearly a day.

Ransomware attacks also emerged as a grave concern, targeting diverse sectors, from healthcare to manufacturing. The Asper Biogene data breach was a particularly high-profile incident where the medical and personal data of approximately 10,000 individuals was compromised. This breach occurred when attackers, exploiting weaknesses in cyber hygiene, illegally accessed and downloaded sensitive information from the genetic testing company’s systems.

Global tensions ripple through cyberspace.

Exacerbating the cyber threats faced by the nation were the ripple effects of global crises, including Russia’s aggression in Ukraine and the Hamas-Israel military conflict. As Gert Auväärt, RIA’s Director of Cyber Security, stated, “Besides Russia’s continuing aggression in Ukraine, 2023 brought an outbreak and escalation of the military conflict between Hamas and Israel. We saw – and will continue to witness – a growth in ideological ‘hacktivism’ expressed in denial-of-service attacks against the government, financial, transport, and media sectors.”

Among others, one incident points to the far-reaching impact of these global tensions. In November, as Estonia grappled with a cold snap, cyberattacks targeting Israeli-made heating controllers disrupted the Estonian district heating network, demonstrating the vulnerability of local infrastructure to digital threats from distant conflicts.

Furthermore, the cyber threats of 2023 exhibited an advanced level of sophistication. For one, DDoS attackers engaged in dual-phase operations, initially probing defences with short attacks followed by more aggressive and sustained assaults. Many of which were, again, politically motivated, linked to Estonia’s support for Ukraine and the imposition of sanctions against Russia.

8.3M euros lost to fraud

The report also revealed a sharp increase in cyber fraud, inflicting financial damages of at least 8.3 million euros, with telephone fraud alone accounting for 3 million euros. This uptick signalled a strategic shift in cybercriminal tactics targeting individuals and corporate organisations. Prevalent schemes included sophisticated phishing emails, deceptive calls pretending to be from trusted authorities, and complex Business Email Compromise (BEC) attacks.

Meanwhile, cybercrime has transitioned from bare, deceptive acts to highly organised, sophisticated operations. Using cutting-edge technologies like AI and machine learning, criminals fine-tuned traditional fraudulent methods while innovating new strategies to exploit their targets effectively. The rise of BEC schemes further complicated the threat scene, where fraudsters executed carefully orchestrated plans to redirect corporate funds.

Proactive defence: Estonia’s cyber resilience strategy

Taking a proactive stance, Estonia reinforced its cybersecurity defences with several key initiatives. The RIA’s Red Team, established to test and enhance the security of information systems, engaged in sophisticated simulations, including phishing emails and physical penetration testing, to uncover vulnerabilities within governmental and corporate infrastructures. This proactive approach proved critical in preempting potential cyberattacks and ensuring the resilience of vital services.

Likewise, the RIA Red Team’s services were offered to government departments and companies aiming to fortify their cyber defences. Over the past year, the team conducted phishing attempts targeting more than 14,000 individuals across central and local government bodies and the private sector, revealing a 30% susceptibility rate among recipients. This, in turn, reiterated the need for continuous cybersecurity awareness and risk mitigation.

Complementing its security measures, Estonia launched comprehensive prevention campaigns to enhance cybersecurity awareness among businesses and the general populace. Additionally, implementing the Estonian Information Security Standard (E-ITS) across approximately 3,500 organisations highlighted a systematic approach to safeguarding the nation’s digital ecosystem.

The global cyber battlefield

As for the broader view, international cyberspace in 2023 was heavily influenced by geopolitical tensions, particularly Russia’s invasion of Ukraine and the escalating conflict between Israel and Hamas. These tensions manifested in a range of cyber activities, from state-sponsored groups engaging in espionage to widespread ransomware attacks disrupting critical infrastructure and businesses globally.

At the same time, the cybercrime scene continued to evolve, with financial motives driving sophisticated schemes like BEC attacks and ransomware campaigns. Notably, attacks on crypto trading platforms showcased the intersection of cybercrime and state funding, while hacktivism sparked DDoS attacks against various sectors in countries engaged in geopolitical disputes.

Ransomware attacks remained a significant threat, with the Lockbit group’s attack on the UK’s Royal Mail disrupting international mail services. At the same time, data breaches posed a serious concern, with T-Mobile admitting a leak affecting 37 million customers and the UK Electoral Commission’s data breach revealing the vulnerability of personal information.

The year, we also witnessed a collaborative international push to enhance cybersecurity measures, focusing on dismantling cyberespionage tools. Alongside these efforts, there was a unified movement toward strengthening cybersecurity protocols, which included restrictions on applications like TikTok on government devices.

Cyberspace in 2024

According to the report, the cyberspace scene in 2024 will be reshaped by two major forces: the pivotal role of artificial intelligence (AI) in cybersecurity and the enduring impact of geopolitical tensions on cyber activities.

AI is emerging as a double-edged sword, with its capabilities being harnessed by both defenders and adversaries. While security experts race to develop innovative AI-driven solutions to outsmart emerging threats, cybercriminals leverage AI to craft increasingly sophisticated cyber attacks.

Concurrently, the persistent geopolitical tensions between Russia and Ukraine, coupled with the escalating Israel-Hamas conflict, continue to cast a long shadow over the global cybersecurity domain. These crises are poised to influence cyber activities on a broader scale, with potential implications for high-stakes events like the European Parliament elections slated for June 2024.

Resource: e-estonia