Cyber needs trust, let’s look at Estonia

October 20, 2022

Cybersecurity is perception. It is red teaming, annual cyber defense exercises, monitoring hashed nodes, but at its core—security is social trust. Earlier this year, I attended CyCon, the 14th International Cyber Conflict Conference, in Tallinn, Estonia. For reference, CyCon is an annual event hosted by the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE), a cyber research hub with a training and exercise facility. Keynotes aside, I was able to interview cybersecurity government officials, academics, and private sector leaders who worked on policies integral to this small Baltic nation’s digital transformation. Throughout these conversations, what struck me was how Estonia strategically crafted its role in building the European and global cyber community.

Estonia’s communication strategy offers three key insights. In this blog, I will showcase e-Estonia’s effective communication to a local and global audience through examples of transparency at critical junctures, mutually beneficial partnership with other countries, and leadership through hosting international events. As the first in-person CyCon in three years, the energy was palpable during coffee intermissions and dinners in old Soviet industrial complexes. Cybersecurity policymakers, ambassadors, and technical experts from all over Europe exchanged not only intellectual ideas but cultural backgrounds, cuisines, and personal stories—creating a form of transnational social glue in the international cyber community. But how did Estonia become the breeding ground for the cyber community?

The rise of Estonia’s digital system after the country gained its independence in 1991 is a familiar story to many.[1] As an underdeveloped post-Soviet state, the small Baltic state saw digitization as a strategy to develop politically and economically. The new nation-state’s desire to get rid of the outdated Soviet communist system effectively freed it from a legacy system’s burden. Paired with a small and relatively united population and an academic powerhouse freshly liberated under the new democracy, this gave Estonia unique conditions for a digital revolution. Each part of the system was born out of need. For instance, the “backbone” of e-Estonia is its digital identity system paired with a data operability platform called X-Road, which allows for interoperability between the various distributed databases of government agencies.[2] X-Road was developed through a public-private partnership with Cybernetica, a private company that spun out of a government research institute, to help decrease costs and out of a necessity for databases to communicate with each other.

This network enables data to be transferred from Estonian citizens to a variety of government agencies. Now, e-Estonia cannot return to analog systems, so the government needs to continuously invest in retaining its people’s trust: e-Estonia will only function if citizens trust and use the system. Through understanding Estonia’s digital government system, I tried to draw out lessons the U.S. can learn from Estonia.

Outlined here are three strategies where I believe Estonia effectively builds trust and brand in its digital systems and cybersecurity.

1. Radical transparency

In August of 2017, Estonia was notified by a researcher from the Czech Republic that the e-ID card, which was launched in 2001, had a theoretical vulnerability. Over sixty percent of the population were affected by an algorithmic flaw in the RSA library used to generate cryptographic keys, which made the keys less random than expected.[3] Privately, the Information System Authority (RIA) was collaborating with private companies like Cybernetica and Nortal, and publicly, the Prime Minister at the time, Jüri Ratas, issued a statement explaining this vulnerability to local citizens.[4] Trust in this digital society was not damaged because the government chose to go aggressively public as patches were created and made accessible. Inevitably, new vulnerabilities arise in the digital system, but Estonia’s practical and transparent response led to the preservation of, if not an increase in, public trust.

The effectiveness of Estonia’s strategy of addressing the security flaw publicly is highlighted by statistics showing larger participation in i-voting and higher usage of digital signature services in the year following the ID-card crisis.[5] A diplomat at Estonia’s Ministry of Foreign Affairs pointed out that it’s difficult to communicate about cyber because the essence of cyber is abstract. It’s hard for a government to show that it is fulfilling its promise on cybersecurity when digital infrastructure and interoperability platforms are largely invisible until an issue arises. However, Estonia seems to be in a positive cycle where technology and the government serve to create and reinforce trust in each other during critical moments. In contrast, the fragmentation and lack of transparency in American technology policymaking diminishes public trust in government institutions and democratic processes, such as during the 2020 national elections.[6] False metanarratives about the elections spread across major internet social media platforms due to the immunity of Section 230 and the lack of a coherent content moderation policy, which ultimately undermined trust in American democracy. What Estonia does right is fostering an understanding among its policymakers that, absent transparency, citizens will lose trust, which is the fuel mobilizing this small Baltic nation into an international digital leader.

Figure 1: Cartoon of generals saluting laptop tanks.[7]

2. Marketable solutions

In the tight-knit cohort of Estonian policymakers at CyCon, I realized that many senior individuals who used to work in government have now migrated to another organization: the e-Governance Academy (eGA), a non-profit joint initiative between Estonia’s government, the Open Society Institute, and the United Nations Development Programme. eGA, the only group in Estonia that has passed the European Commission’s pillar assessment, utilizes a team of seasoned policymakers with first-hand experience of Estonia’s digital reforms to promote the nation’s digital lifestyle globally. By consulting other nations and transforming e-Estonia’s digitization blueprint into solutions implementable in other countries, Estonia is crafting its reputation as a trustworthy digital state.

Only through local trust in the system can Estonia be qualified to promote its systems abroad. Both the public and private sectors in Estonia have a collective desire to create marketable and profitable solutions based on the country’s unique position as a digital society.

For example, Estonia’s interoperability platform, X-Road, was developed by Cybernetica in 2001. X-Road is a distributed system with two layers: one allows for peer-to-peer data exchange between different agencies, and the other gives the government a coordination layer to monitor data access. That same private company, partnering with eGA, created a solution called Unified eXchange Platform (UXP) and implemented this peer-to-peer data exchange in Ukraine in 2021 as the Trembita project, which functions the same as X-Road but has been scaled for Ukraine’s population of 44 million.[8] Another example is Cybernetica partnering with Japan’s Sumitomo Mitsui Trust Bank in 2018 to launch UXP and create an additional consent management layer.[9] By consulting the Ukrainian government and the largest trust bank in Asia, eGA has created a global brand for Estonia’s e-society and partnerships for other nations to trust in Estonia’s technological governance solutions. e-Estonia transformed from a method of e-governance to a marketable global solution.

3. International Events

On “Day 0” of CyCon, I attended a workshop to define ‘cyber power’ and debate policy solutions for case studies of developing nations trying to build their cyber capacity. I sat at a table with a Romanian, a Norwegian, a German, and a Naval Academy midshipman. Each discussion involved an intense brainstorming of geopolitical factors potentially affecting our policy proposal, but more than that, it was a powerful cultural exchange. I couldn’t help but notice that we were all here in Tallinn because the Estonian government hosts CyCon annually. Through this conference, Estonia reinforces its position as the front and center leader connecting NATO’s cyber community.

Estonia hosts events for the international community that strengthen both the alliance and its role as a cyber leader. Politically, CyCon fits within Estonia’s strategy to incentivize nations straddling the middle ground between liberal democracies with aligned values and authoritarian/totalitarian regimes like Russia and China. The purpose of international programming like CyCon is twofold—first, it helps Estonia and other democracies show nations in the “middle” the values and benefits of these norms. Second, these week-long conferences help foster relationships, familiarity, and trust among participating countries.

Applications to US Technology Policy

Ultimately, I hope to draw lessons from Estonia to consider the question of how to rebuild trust in America and what the role of technology may be in improving governance. Every country is different—Estonia’s blueprint cannot be xeroxed in the U.S.—but there are ingredients of this Baltic nation’s success that can be reused and adapted in the States. It’s a severe understatement to claim that “trust is broken” in America. Manipulation of media, technocratic oligarchies, polarization, and unprecedented inequality are all causing people to lose trust in our elections, democracy, and even our neighbors and friends. There is no antidote, and this blog does not pretend to give a comprehensive answer to this heavy question.

But I lean on my experience at CyCon as a reminder that transparency holds unparalleled power as the government’s best shot at restoring faith in its unstable democracy. Over the past decade, the U.S. has passed policy to create clear digital identity frameworks that are interoperable—such as the National Strategy Identities in the Cyberspace during the Obama administration—and more recently pushed for the creation of federal task forces that focus on digital governance—such as the Improved Digital Identity Act, which is a bill that was introduced in 2021.[10] However, U.S. policymakers are far from regaining trust and need to coherently and proactively communicate to their constituents about the forceful influence of technology in our democratic processes. Can we imagine an America with fewer binaries, where the policymakers and technologists build trust in each other and foster healthy public-private partnerships for innovation in government technology?

