Guests included Ms. Merle Maigre, Senior Cyber Security expert at the e-Governance Academy; Ms. Līga Raita Rozentāle, CISM, Microsoft Senior Director and Team Lead for EU Cybersecurity and Emerging threats; and Mr. Siim Alatalu, CEO of the CR14 foundation.
Topics included resilience, cyber warfare, the role of the private sector, and cooperation between international organisations, such as NATO and the United Nations. But one recurring theme was the importance of people—both professionally involved and not—in developing a country’s cyber resilience. Cybersecurity is as much people-oriented as it is technology-driven, going against the stereotypical idea that machines and hackers are all that make up the field.
Resilience begins with people
While building new cyber weapons and security mechanisms are important for developing a country’s resilience, the first line of defence truly lies in the awareness and education of its population. Let’s say a country develops a powerful, all-encompassing firewall that protects its data and critical infrastructure. “Sooner or later, someone will get through,” says Merle Maigre. Security breaches are not a question of if, but when.
Cybersecurity is therefore a never-ending game of reconsidering what the worst-case scenario is and being prepared for that. It’s a “constantly moving target,” says Siim Alatalu. Citizens must be aware of how to protect themselves when the inevitable happens. More generally, they must be equipped with the knowledge necessary to maintain good cyber hygiene.
Resilience “all starts with people,” says Alatalu. “They need to be aware, have the training, and exercise this training. This is something that Estonia has done at all levels, beginning with young people… Resilience also means knowing procedures, so that even if people are not 100 percent up to date on their training, they are still aware of what to do in certain scenarios. For instance, what the course of action should be if you find a USB stick on the ground or you work in critical infrastructures [and something goes wrong]… You may not be interested in cyber but cyber is interested in you, so it’s important to be prepared.”
Maintaining good cyber hygiene is an individual responsibility. Poor cyber hygiene habits (such as repeatedly using the same password, clicking on phishing scams, positive sensitive information online, etc.) can lead to security incidents, data compromise and data loss. This is especially harmful to those that work in government, as data breaches can lead to financial loss, operational downtime, organisational upheaval, damage to the organisation’s reputation, and legal liability. Poor cyber hygiene at an individual level has the potential to adversely affect national security.
So, what does it mean to be educated in cybersecurity? How can you, as a citizen, maintain good cyber hygiene? Maigre says that at an individual level, you should continuously “update your passwords, software systems, have security backup systems, and use multifactor authentication.”
At the professional level, building cyber resilience also goes back to people. “There is always a human factor at the heart of technology,” says Maigre. Building on this idea, Rozentāle says that governments, civil society, industries, and international organisations alike require “the right people with the right skills to address new challenges that are constantly changing. Those people have to come up with new and innovative ideas. [In this regard, I’m reminded of] Estonia’s data embassy that locates Estonian data outside of the country’s borders. That was a creative solution at the time.”
The “right” people working in cybersecurity
When asked if there were enough cybersecurity professionals available in the market, the panellists unanimously agreed that there weren’t. Perhaps this is because of the commonly shared idea that working in cybersecurity requires a technical, STEM-based background. But this is not always the case.
“When speaking of education, yes, it’s important to promote the study of STEM, but what we also need in cybersecurity are people that are good in other fields, like sociology, philosophy, and law,” said Maigre.
It takes one to know one. To design sufficient cyber defence mechanisms, policies, or legislation, it’s important to understand how an adversary would behave. Areas of discipline that study human behaviour—such as the ones that Maigre described—are valuable towards these ends.
Far from being an area that focuses solely on the technical, cybersecurity encompasses many stakeholders, fields, and areas of life. To develop cyber resilience at both the individual and national levels, it is crucial to understand that cybersecurity is just as people-oriented as it is driven by technology. Solutions in the cyber realm must reflect this nuanced reality.
This article was written by Natalie Jenkins as part of the Local Journalism Initiative.