So lately I’ve been monitoring (for various reasons) the SCADASEC mailing list run by Bob Radvanovsky.  In the course of a mostly unrelated discussion, Gadi Evron linked to the Estonian National Cyber Security Strategy and I decided to look it over.

It was of particular interest because it was written in the wake of the massive DoS attacks against Estonia and it marks probably the first government strategy written by a state that has had to deal with both being attacked as well as the international coordination/input involved in responding to them. We certainly have our own unique issues to deal with, but it’s definitely gives some intriguing insight.

There were a couple of things that stuck out because of their heavy emphasis:

  • Making their legal framework more consistent and interoperable in a way that would allow them to more effectively respond and handle threats. They found it to be decentralised and, in fact, partly contradictory.” This is going to be a huge problem for the US down the line…even more so than it is today.

  • The role of general society (vs government) in responding to threats as well as the importance to the state of the free flow of information to/from society: „Our task rests on a prescient awareness of the need to balance, on the one hand, the risks associated with the use of information systems and, on the other hand, the indispensability of extensive and free use of information technology to the functioning of open and modern societies — and the understanding that this is a challenge confronting not only Estonia but also the rest of the world. The growing threats to cyber security should not hinder the crucial role of information and communications technology in impulsing the future growth of economies and societies.”….” In our modern, globalising world, economic success and a high quality of life can be achieved only through recognising the great importance of the efficient handling of knowledge and information to the proper functioning of our societies. The very term ‘information society’ denotes a setting in which human values of all kinds are created, maintained, manipulated and transmitted in a standardised digital form; it is a further feature of an ‘information society’ that all members have access to such information through a complex data exchange network.” The US tends to address the material and business impacts of the internet and their cyber infrastructure, but we rarely talk about the critical role it plays in defining society itself now.  If we continue to divorce business and government from society, we are going to continue to wonder why everything seems to be sliding away.

Other points I noted:

  • They have a national SOA-like (data exchange layer) backbone with DNSSEC: and „“At the beginning, it was developed as an environment that would facilitate making queries to different databases. By now, a number of standard tools have been developed for the creation of eServices capable of simultaneously using the data of different databases. These services enable to read and write data, develop business logic based on data etc. The X-Road must enable to do any common data processing operation. Proceeding from this principle, several extensions have been developed for the X-Road: writing operations to databases, transmission of huge data sets between information systems, successive search operations of data in different data sheets, possibility to provide services via web portals, etc. The main component of the Estonian public information system architecture is the secure data exchange layer, X-Road, which is based on the public Internet. Although X-Road uses the Internet, it meets all three objectives of information system security – availability, confidentiality and integrity. The number of X-Road’s central components has been minimised and data exchanges between two information systems using X-Road are able to continue in case of its disruption. X-Road’s infrastructure includes countermeasures against both temporary disruptions and attacks aimed at hindering the provision of services. But because new forms of attack and threats in cyberspace are constantly emerging, it is necessary to develop further X-Road’s security measures” Our businesses can’t even seem to get this together, how can they? For god’s sake…we NEED a data interface layer like this in our infrastructure or we’re going to drown in our own unused inefficient data stores without ever being able to synthesize the kind of knowledge we need to in order to function as a society.

  • Their perspective on the nature of current threats: “The current and well known security objectives – confidentiality, availability and integrity of information – are no longer sufficient to ensuring cyber security. To secure the critical infrastructure, it is necessary also to address the severity of disturbances in its functioning, non-repudiation and authenticity of information sources.” I guess all I can say to this is “duh. Why dont we talk more about this publicly on a government level?”