Podcast 🎧 and blog: What should governments do to secure their national cyber space?
Much as in the fight against Covid-19, prevention proves to be a key determinant of our safety on the internet. However, deliberate threats to both citizens and organisations still hide just around the corner. Despite our individual care and attention towards cyber behaviours, malicious actors might intentionally try to hijack personal data or information systems.
As a discipline, cyber security taps into the gaps left uncovered by ordinary cyber hygiene – cybercrime, or the protection of critical cyber infrastructure. Consequently, governments must provide protection against such threats as a way to shelter the public good online, letting citizens and businesses sleep well at night with regard to their internet assets.
Raul Rikk, National Cybersecurity Policy Director at Estonia’s Government CIO office, speaks of what defines the role of government in ensuring cybersecurity for everyone.
The ABC of cyber security – meaning, actors
“Shortly, cybersecurity pertains the protection of the data we have, and the information systems we use to manage this data,” Rikk begins with. Previously as Programme Director for Cyber Security at e-Governance Academy, and now in his new capacity as part of the Estonian Government CIO team, he gained the relevant experience necessary to put it so simply.
Cyber security, however, is not solely a responsibility for the public sector to ensure. Different actors have a stake in keeping the internet safe for users, be them citizens or businesses. It emerges a picture where everybody has a role:
- Single citizens, in terms of cyber hygiene practices;
- Organisations and businesses, with their own measures to protect data and information systems;
- Governments, with regard to the fight against cybercrime and national cybersecurity at large.
As a consequence, the set of players involved in cybersecurity creates a complex system that needs coordination, where everyone holds both power and responsibilities.
Electronic identity is a powerful tool in governments’ hands
Quite naturally, a question arises from such framework – what does national cyber security mean in practice, and what’s concretely the role of government in guaranteeing it?
Although even government’s abilities to prevent cyberattacks can be limited, it can still save citizens’ and businesses’ time and effort when dealing with many fundamental issues. These are mainly related to proving internet users’ identity and signatures, particularly when the latter carry legal value.
“Estonia’s electronic identity and digital signature are an exemplary case study in this sense. The government should implement a system that ensures people’s identity in the digital world. We usually don’t even consider this as a matter of cybersecurity, because in Estonia it is already in place, fostering trust in the whole system,” Rikk explains.
Electronic ID measures, then, are the first defence layer of a national cybersphere. Having digital IDs and signatures is a guarantee of security and one’s legal identity. And the EU as a whole is also increasingly moving towards this direction.
When it comes to threats directed at real-life infrastructure, instead, governments can provide defensive measures and support. “General information security standards are another tool, to which public and private organizations should adhere. Backups and a plan B should also be an ordinary part of these entities’ life. Moreover, the government can advise, support, and push for greater security in critical infrastructure,” Rikk says.
A day in the life of a National Cyber Security Director
Overseeing the national cyber security of a country is no easy task, “but what does it entail in practice, in your case?” moderator Hannes Astok asks.
As it appears, the reliability of technology providers is – at the moment – the most important topic on the table. “Its relevance is increased by the advent of 5G. But also, hardware and software have become so complex that we must figure out how to use securely this equipment, which is the result of the manufacturing work of many different actors at once,” Rikk warns.
This doesn’t mean that technical inspections are Rikk’s main day-to-day duty. It is, instead, the assessment of such technology providers’ trustworthiness. The topic is strictly connected also to other emerging solutions increasingly adopted by the public sector, such as cloud computing – of which he gave an overview (here) in e-Governance Conference 2020.
Challenges for the future matter, indeed, to find a balance between innovation and risks. While learning to handle the complexity of cyber systems will be one of them, the other lies in carrying out appropriate analyses of all new critical issues connected to new technology.
“Artificial intelligence, cloud, quantum, crypto. As segments of governance might increasingly depend on these solutions, we need to be careful with them, assessing risks and coming up with reasonable ways to manage them,” Rikk concludes.