The Estonians have a public version of their cyber security strategy translated into English (currently available offline only see update below). The concept of a national strategy for cyber security is one which I am particularly fond of (also see previous post, An Account of the Estonian Internet War).

The following is the Summary section from the document which might be of interest (Estonian Cyber Security Strategy — Cyber Security Strategy Committee, Ministry of Defence, ESTONIA, Tallinn 2008):

The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations. For this reason, the cyber threats need to be addressed at the global level. Given the gravity of the threat and of the interests at stake, it is imperative that the comprehensive use of information technology solutions be supported by a high level of security measures and be embedded also in a broad and sophisticated cyber security culture.

It is an essential precondition for the securing of cyberspace that every operator of a computer, computer network or information system realises the personal responsibility of using the data and instruments of communication at his or her disposal in a purposeful and appropriate manner.

Estonia’s cyber security strategy seeks primarily to reduce the inherent vulnerabilities of cyberspace in the nation as a whole. This will be accomplished through the implementation of national action plans and through active international co-operation, and so will support the enhancement of cyber security in other countries as well.

In advance of our strategic objectives on cyber security, the following policy fronts have been identified:

• application of a graduated system of security measures in Estonia;
• development of Estonia’s expertise in and high awareness of information security to the highest standard of excellence;
• development of an appropriate regulatory and legal framework to support the secure and seamless operability of information systems;
• promoting international co-operation aimed at strengthening global cyber security.

Policies for enhancing cyber security

1. The development and large-scale implementation of a system of security measures

The dependence of the daily functioning of society on IT solutions makes the development of adequate security measures an urgent need. Every information system owner must acknowledge the risks related to the disturbance of the service he or she provides. Up-to-date and economically expedient security measures must therefore be developed and implemented. The key objectives in developing and implementing a system of security measures are as follows:

• to bolster requirements for the security of critical infrastructures in order to increase its resistance, and that of related services, against threats in cyberspace; to tighten the security goals of the information systems and services provided by the critical infrastructure;
• to strengthen the physical and logical infrastructure of the Internet. The security of the Internet is vital to ensuring cyber security, since most of cyberspace is Internet-based. The main priorities in this respect are: strengthening the infrastructure of the Internet, including domain name servers (DNS); improving the automated restriction of Internet service users according to the nature of their traffic, and increasing the widespread use of means of authentication;
• to enhance the security of the control systems of Estonia’s critical infrastructure,
• to improve on an incessant basis the capacity to meet the emergence of newer and technologically more advanced assault methods;
• to enhance inter-agency co-operation and co-ordination in ensuring cyber security and to continue public and private sector co-operation in protecting the critical information infrastructure.

2. Increasing competence in cyber security

In order to achieve the necessary competence in the field of cyber security, the following objectives have been established for training and research:

• to provide high quality and accessible information security-related training in order to achieve competence in both the public and private sectors; to this end, to establish common requirements for IT staff competence in information security and to set up a system for in-service training and evaluation;
• to intensify research and development in cyber security so as to ensure national defence in that field; to enhance international research co-operation; and to ensure competence in providing high-level training;
• to ensure readiness in managing cyber security crises in both the public and private sectors;
• to develop expertise in cyber security based on innovative research and development.

3. Improvement of the legal framework for supporting cyber security

The development of domestic and international legislation in the field of cyber security is aimed at:

• aligning Estonia’s legal framework with the objectives and requirements of the Cyber Security Strategy;
• developing legislation on protection of the critical information infrastructure;
• participating in international law-making in the field of cyber security and taking steps internationally to introduce and promote legislative solutions developed in Estonia.

4. Bolstering international co-operation

In terms of developing international co-operation in ensuring cyber security, the Strategy aims at:

• achieving worldwide moral condemnation of cyber attacks given their negative effects on people’s lives and the functioning of society, while recognising that meeting the cyber threats should not serve as a pretext for undermining human rights and democratic freedoms;
• promoting countries’ adopting of international conventions regulating cyber crime and cyber attacks, and making the content of such conventions known to the international public;
• participating in the development and implementation of international cyber security policies and the shaping of the global cyber culture;
• developing co-operative networks in the field of cyber security and improving the functioning of such networks.

5. Raising awareness on cyber security

Raising public awareness on the nature and urgency of the cyber threats might be achieved by:

• presenting Estonia’s expertise and experience in the area of cyber security at both the domestic and international level, and supporting co-operative networks;
• raising awareness of information security among all computer users with particular focus on individual users and SMEs by informing the public about threats existing in the cyberspace and improving knowledge on the safe use of computers;
• co-ordinating the distribution of information on cyber threats and organising the awareness campaigns in co-operation with the private sector.

Updated 9/26/2008: The Estonian cyber security strategy document is now available online. I must say once again the concept of a national cyber security stance is quite interesting. My contact there specified she’d be happy to answer any questions. To avoid spam of her inbox, email me for her address ([email protected])