Does Size Matter? What we can Learn from e-Estonia
TLDR: Forget size. Success in digitization depends on national mindset.
The most important letter in “Estonia” is E and for good reason too. I too wondered why the Stanford in Berlin Will program chose the 1.3 million people nation (only slightly bigger than Rhode Island) as our class trip. 4 days of meetings with the country’s CIO, visits to their digital governance centers, and even a trip to the US Ambassador’s house has left me with new insight into the mindsets and innovations of this country (at least more depth than “they founded Skype”)
While our time highlighted the potential of such a digitized governance system, my personal security interest and education has left me pondering complications of such a digitized system, especially as we think about a similar system in America. The bottom line when it comes to transferring this system? Size of the country may not matter. But everything else does. I’ve separated my reflections into three categories:
Learnings
Translation Challenges
Security Risks
1) Learnings: The US can learn from Estonia/NATO integration and education.
Meeting with NATO CCDCOE’s Jacob Galbreath highlighted Estonia’s progress in exploring effective cyber integration tools. The presence of a physical integration center that runs yearly cyber range simulations has allowed EU nations to come together to develop collaborative cyber plans (rather than just domestic ones). The EU, headed by Estonia, therefore, is leading the charge on cyber operations policy with documents like their 2022 Cyber Defense policy. Stanford students who spent the summer at the center echoed this sentiment (shoutout Emma Barrosa!) Jacob’s presentation revealed the following questions as continued discussions in the international community:
What does effective cyber integration look like and what is its potential to help failures in intelligence? This is particularly important as the US works with Israel to understand intelligence failures regarding Hamas’s initial attack on Israel.
What does “proportionality” look like in cyberspace? What cyber actions require kinetic, digital or no response at all?
How do we bridge the central disconnect between information experts (the people who decide what is true vs not true, hate speech vs free speech) and cybersecurity experts (the people who handle the information in the first place) without sacrificing the fundamental integrity of information?
These are questions I am not surprised by (Stanford professors like Herb Lin widely discuss this) but I am excited to continue to explore in my own studies.
Separately, Estonia’s implementation process for their digitized tax and government systems also highlights two key takeaways for the US: the power of transparency and education. First, the e-Estonia briefing center showed us their data logging and requirements platform which allows all citizens to see exactly what organizations are using their information. Although the information is sometimes hard to parse, this system provides a more streamlined and transparent way for users to understand their data trail and therefore (in an ideal world) hold government and private actors accountable.
CIO of Estonia Lukas Ilves highlighted in particular the importance of cyber education in this implementation process. Although I was skeptical over the reception of digitization given Estonia’s aging population, the nation claims over 90% of their population to be digital and cyber literate. To this extent, citizens aged 5 to 95 all take part in various forms of mandatory and optional cyber education. Official school curriculum contains cybersecurity and hygiene courses as part of their eight core pillars. Additionally, The Centre for Digital Forensics and Security in particular has created a series of cyber competitions and programs for students.
In comparison, only 84% of working age adults are said to be digitally literate in the United States and cyber literacy programs have only been implemented at a state-by-state basis. Now one could argue that placing the salad bowl that is the US and Estonia side by side is an unfair comparison. I agree: it is—but not for the reasons you would think.
2) Translation Challenges: It’s not just Size; it’s Culture.
A common theme between speakers on the trip, especially at the e-Estonia cyber briefing center was the size of the country does not matter; all countries should be able to implement a digitized government system following Estonia’s lead. Speakers rightly pointed to success of digitized ID systems in India (not only bigger but more heterogeneous in every way) and Ukraine that prove just this.
The question then remains: what leads to a succesful digitalized system and where is this plausible? This could be a whole article in itself.
In my EU class, we discussed a series of potential shared factors between Ukraine, Estonia, and India: history, culture, necessity and age of government included.
But the one that stood out to me the most was public trust. According to our speakers, Estonian citizens were willing to trust the government and buy into the change. Statistics support this with 80% of the population supporting digitization from the get go (although, I will say that we didn’t meet with enough citizens/users to confirm this on an anecdotal basis). India and Ukraine similarly have high levels of public trust in government (which is certainly not the case with the US).
Furthermore, Estonia’s public trust seems to be rooted in recent history. Although the 2007 cyber attacks on Estonia were in no means a blessing, the silver lining was a a chance for the government to show competence in cyberspace, holding the attention of the entire population.
The impact of the 2007 attacks thus leads us to a more fundamental question:
3) What does digitalization mean for cybersecurity? (and should we even do it in the first place?
The first question I had for many of our e-Estonian proponents was how we preserve effective cybersecurity with the increased data and net flow that comes with digitization.
Estonia serves as a case study for just this, having experienced a cyber attack in the middle of their digitization process in 2007. After the government decided to move a statue out of the center of Russia, angering Estonian Russian speakers, the city erupted not only in physical looting for two days but also were targeted by a series of misinformation and DDoS attacks. For almost a week, many Estonians struggled to conduct online banking transactions or even send emails.
One would then imagine that the Estonian general public may respond with skepticism, fear, and even a craving to return to the pre-cyber land of paper. Instead, the nation sped up their digitization process. How? Lukas Ives hypothesized the public was too distracted by protests and looting to worry about the cyber attacks. Maybe. But if I couldn’t send any emails for a week, I’d be pretty pissed.
My hypothesis? The answer lays in the unique, progressive mindset of the Estonian government. Rather than viewing cyber threats as a reason to prevent digitalization, they framed it as an opportunity to do digitization differently. In other words, they amended to a system that is #SecureByDesign @CISA.
Their digitization process continued hand in hand with the formation of a voluntary Cyber Defense Unit as part of Estonian’s Defense league. The unit serves as an example not only of proactive government action, but also of a whole-of-country effort motivated by higher national consciousness on cyberspace.
The power of the Estonian way seems to lie not in the unique nature of their technology, but rather in their proactive mindset towards digitization and security. Thus, the true challenge of American digitization will lie not in the size of our heterogenous nation, but rather in our ability to execute a process rooted in public trust and security.
—DG