Estonia has a reputation in Europe as a forward-thinking, tech savvy nation. Nestled in the far northeastern corner of the continent, the former Soviet republic gained independence in 1991, and soon after embraced the world of emerging digital technologies in an effort to prosper.
The country is home to many tech startups, with famous examples including legendary video conferencing service Skype, and ridesharing giant, Bolt. Its reputation in the technology space area has earned Estonia the moniker ‘Unicorn land’, in reference to the sheer number of companies valued at over $1bn that were born within its borders.
Nortal was founded at the turn of the century, and it now provides important digital services to the Estonian government and others around the world. We spoke to Csaba Virág, Director of Cybersecurity Competence Services at the company, to get his views on what makes Estonia a unique place for digital tech, and how it deals with the ever-increasing challenges of cybersecurity and technological innovation.
With a population of just over a million, Estonia is one of the smallest nations in the EU. However Virág says there are advantages from a technological perspective with having a small number of people:
“[it’s easier] safeguarding something that is small, less fragmentation, we're not like a federated state, where each state, for example, has its own approach… just look at the EU, for example: each member state has its own approach to cyber security implementation… even the technologies are different from membership to membership."
"So Estonia, with its population of 1.3 million, is small enough to manage, and it makes this perfect ground for experimenting or introducing and implementing new technology in a safe and secure way.”
Despite the small size, though, there are still regional differences in technology use between its modern capital city, Tallinn, and more rural regions. However, Virág says that overall, the nation is well catered for when it comes state-operated digital services, with most citizens making use of them to some degree at least:
“400,000, if I remember it correctly, of this small nation actually lives in the capital. So, living in the capital or living in the countryside, when it comes to how frequently and what type of digital solutions you use, might differ very much from situation to situation.”
“[But] Smart ID... is the identification solution to identify yourself throughout any type of service - whether you do banking or whether you order a new service, you want to pay for something online or you want to arrange something for your kid at school - you’ll do it via this Smart ID system. That’s something that - I'm not saying everyone, but almost everyone - in Estonia is using.”
And because of this widespread and ubiquitous use of digital services, most people appear to be savvy enough to avoid falling victim to scams and cyberattacks:
“In this sense, because they are exposed to it, they have to use it, they have to learn more about it.”
“Obviously using digital technologies means that people will run into phishing, run into scam, run into situations, and if somebody's Smart ID access is stolen, or the PIN codes are compromised and eventually that ID can be stolen and impersonated, and I know about cases when this happened.”
“It's not just necessarily cybercrime in that sense to click on the phishing link or have a ransomware attack, but also impersonation and similar scams are actually going on, so people have to be aware. And they are doing a good job, so if you look at the news, there are no big news [stories] coming from Estonia that this cyberattack took down that school or banking clients were scammed or robbed.”
In order to realize its vision of becoming an internationally renowned tech hub, Estonia sought - and continues to seek - talent from abroad, not just from within the EU, but from other countries like China, India and Turkey. From 2011 to 2021, the population grew by 15 percent thanks to this influx of foreign employees in the tech industry.
Virág himself is Hungarian, so has a good vantage point from which to evaluate the differences between the tech and cybersecurity culture of Estonia as compared to other nations:
“Nortal is very much an international company. We have our headquarters here in Estonia which employs a couple of hundred people throughout Estonia, but it's very diverse and multicultural… I'm one of those examples.”
“When it comes to incorporating cyber security measures, I believe that whoever is joining Nortal already has a certain approach to cybersecurity or at least the will to comply with certain cybersecurity measures that actual Nortal wishes its employees to follow. So I don't think it's an issue.”
“The issue is rather when working internationally, you will run into clients and you will run into projects where this cultural difference will actually mean that you have to start to think that, ‘okay, what is natural for me?’, because I am spoiled in Estonia. Not just in a cybersecurity way but also in a digitalized way."
"Even when I go to a country like Germany and I get the question, ‘do you have cash? because you cannot pay by card,’ I'm like, ‘I have not seen cash for months... obviously I don't have cash.’ Then you just have to choose another store that actually accepts cards. This is not the case in Estonia; it's weird if you cannot pay for something with your mobile phone.”
“And then you go to the Middle East or you go to Asia where they have significantly different problems. For example, in Africa, I remember when we were doing cyber exercises for the region - twentysomething countries - I think it was something like a PLC-related OT security challenge - and we realized that 40 out of 70 people in the room left for a coffee break without actually locking their computers.”
“And then we realize that in countries where actually it’s an issue how to get access to water… cybersecurity as a matter might not be that vital for survival… so these are the challenges that we encounter, not in Nortal, but let's say when it comes to interacting with different cultures and different levels of development in those cultures.”
The recent AI boom has permeated nearly every industry around the world, and Estonia is no exception. Virág, however, is skeptical of the current crop of AI tools, and thinks that it may take a while for the technology's true potential to be realized:
“Personally, I believe that the majority of the openly available solutions that you're using are actually not AI; they are very good machine-learning algorithms.”
“When it comes to generative AI… I use ChatGPT, I use other solutions - sometimes it's really good not to think about how I would phrase sentences if I already know what the outcome should look like in a specific topic.”
“But obviously, it's like with Wikipedia: you cannot fully trust the content you see there because anybody can add it, you don't know how the learning was done… if you don't know the domain, I would not perform - I don't know - brain surgery based on what ChatGPT recommends to do.”
“So... I'm still expecting to see the true intelligence. And by intelligence, I mean that kind of capability that is not just generative - in the sense that it reads something and then based on what it has read, it gives you an answer… that it believes is most suitable for your question - but eventually coming to a new realization.”
When it comes to cybersecurity, though, Virág explains that Nortal has its own in-house Large Language Model (LLM):
“We developed our in-house LLM, [and] it has a couple of implications already. For example, it helps us to create responses to RFIs, RFPs, understanding what the project is about.”
“But for this kind of work, obviously trusting a third party is a very sensitive topic. So what is the information that I’m willing to share with the model?... Exactly what kind of scope of work we have done, what technology has been implemented, how much money the project costs - that is sensitive information.”
“So we believe that in certain cases it makes sense, if you want to fully exploit and be able to use and harvest benefits of these models, like Large Language Models, then you have it on premise. [However], for the majority of the cases, I believe clouds should be safe and secure, assuming that the service provider actually is doing a good job and working on protecting that data.”
When it comes to AI used by cybercriminals themselves, Virág believes that:
“Cybercriminals are enterprises, so the professional [cybercriminal] looks at it as a business and looks at… the tools that certain criminal gangs can offer to other criminals that can enable them to do whatever they do.”
“If we just lose the moral and ethical and legal concerns of how cybercriminals operate, they do everything basically that we do in the non-criminal world. So if somebody wants to hire a certain consultant, you can do it. If you need to have a platform from which somebody can run DDoS attacks or ransomware attacks, it's available."
"And the same goes for Large Language Models to generate phishing emails or now deep fake videos and deep fake audio attacks, which are actually becoming a real concern and a threat everywhere.”
“So, in this sense, I believe the arms race… has to peak somewhere, where humans… have to be able to differentiate between what is real and what is not real. So I think there will be some kind of technical solution somehow verifying reality and non-reality."
"Whether it's a credibility check or authenticity check - what the overall solution will be, I honestly don't know, because the effects are scarily real, but this is what I would expect."
"How AI will leverage on finding exploits or executing attacks, I would say that algorithms already do that... AI will only amplify the impact and shorten the time that these attacks are being carried out successfully.”
Despite the advances of AI, Virág believes that some of the most problematic threats still come from traditional sources, singling out the failure of companies to upgrade their systems:
“One of the still existing and recurring challenges in the field of cyber security is around legacy systems. And obviously, it's been a long topic, it has been exploited many, many times and many, many newspapers have written about it.”
But more worrying than this, Virág also points out that even when an organization does upgrade their technology, they often confine themselves to a certain path that may prove detrimental further down the line:
“With technical or digital transformation... I believe one of the differentiators between who will be successful [or not] in the future... will be differentiated based on what kind of technical implementations and integrations that organization has.”
“What I mean is that each time an organization implements a technology, it also means that it sets what kind of further enhancement that infrastructure will be able to manage."
“So, simple example is if you choose an Android ecosystem or an Apple ecosystem, most probably it is given what kind of accessories one will buy for iPhone - it will be something from the iPhone ecosystem - from Android it will be something from the Android Ecosystem, and barely ever is it mixed and matched somehow. And in the end it also means that somebody's in the iPhone ecosystem or iOS, or Mac ecosystem that means that that's the limit, which might be good, which might be not good - it's after judgment.”
“But if you look at the large scale organization with hundreds of thousands of employees… around the globe with different jurisdictions, and the decisions being made that might impact global efficiency, then this is actually something that will get amplified in the very near future… so this is something that I see recurring, and this is not just from a cybersecurity perspective but also from a digital transformation perspective.”