21/01/2025

CybExer, the rise of Estonia as an innovation beacon

By Gordon Fong

CybExer – Lauri Almann, Co Founder

Introduction

Lauri Almann is the co-founder and chair of CybExer Technologies, which is a Cyber Range company that has been in business for seven years and services Government and commercial sectors.

Starting work life as a visa clerk, into a diplomat and ending his career in the Estonian government as Permanent Secretary of Defence and moved into the private sector in 2008. He passed through all the layers of the civil service in about 10 years.

In 2007, Estonian suffered a very large cyber attack, which was a defining moment for Estonia, but also for the global community.

Lauri is also on the board of the Estonian Information Technology and Telecommunications Association, responsible for the cyber security portfolio and initiatives.

Executive Summary

Estonia has come to the fore of innovation and growth through various factors and Lauri explained why through describing Estonia in four pictures.

The Tallinn skyline. The medieval city has been preserved because of poverty. Being poor mean they could not tear down and rebuilding. When it came to IT digital transformation after regaining independence, it was to save money.
The countryside villages. Unlike many western European towns, where there is a centre and houses are closer together in neighbourhood, Estonian houses in the villages don’t like to see the windows of their neighbours. There is a deep sense of privacy.
Traffic jams and people queueing. A belief in order, or more specifically, law and order.
The Estonian Singing Festival. Coming together over one thing, a sense of community, that leads to trust and transparency.

Economic efficiency is also a component of how and why their drive works.

When the country succumbed to cyber attacks that took out banks, media outlets and government bodies, as well as discovering a vulnerability in the ID cards for a parliamentary election, the government decided that the best policy was to be transparent and to openly share as much information as possible.

Innovation in CybExer involves company culture and customers. Also being crazy. Military and defence customers want to push things to the limits, which for everyday corporate users might sound crazy. Innovate with them through being allowed to fail along the journey to find the boundaries.

Even though new innovation districts for living, working and shopping are being built, there’s no doubt in Lauri’s mind that the residents will have their country retreats too, to balance the Estonian sense of privacy.

CybExer engages the next generation of IT/Cyber professionals from an early age through using their cyber range platform to host competitions.

CybExer are riding the wave of cyber ranges.

How would you describe Estonia and its people?

Lauri used four pictures to describe Estonia, its people and approach to IT and understanding the culture is an important part of that.

Picture 1

If you Google Estonia, the main pictures you will see is the skyline of Tallinn, the capital. It is an old and beautiful medieval city, similar to many cities along the Baltic states. One of the reasons why it is preserved in its original state is that it was poor. There simply wasn’t the money to tear down and renovate the old business. It had to survive under those circumstances.

That was the same approach taken when it comes to digital transformation. When Estonia regained its independence in 1991, people ask why it decided to invest in IT. The answer was the same, we were poor. We didn’t have the money to fund a massive bureaucratic machine. IT was a cheaper way to do things.

It wasn’t extra investment; it was to save money.

Picture 2

The second picture to have in mind, is how villages in the countryside are built. Elsewhere in Europe towns and villages are a collection of houses that are built close to each other. People want to live in a community, to go out and work in the fields and return.

Estonian villages are different. We don’t have those sorts of collective villages, our villages are sparse. One house can be at the corner of a field and an important criteria is that we don’t want to see the windows of our neighbour.

When you go to the countryside you will see lots of forest. You will see lots of agriculture, but you will seldom see those villages with everyone together, unlike in the Swiss mountains, or France, or Italy for example.

There is a strong sense of privacy which influences the country’s approach to innovation.

Picture 3

The third picture to picture in your mind is traffic jams in Estonia, or lots of people wanting to do the same thing and the same time. Estonians like to queue, like the British. Estonians consider it very impolite to pass a queue.

The reason for this is that as a small country, we believe in law and order. We don’t have a nuclear weapon. We don’t have a massive army. The law has always been on our side. That’s the only thing we can rely on and people fundamentally trust that.

This trust in process, the trust in the strength of law is another thing that encourages people to experiment.

So when we come up with a regulation that every Estonian should have an ID and this ID should have a microchip and we can use this microchip to actually allow people to participate in elections, then, this law is accepted because it comes with this enormous, level of trust, which also informs our transparency in decisions.

In 2007 when Estonia was attacked, I was part of the crisis response team sitting in the police situation room. We had a debate about whether to publish this, or use a media tactic to divert attention or maybe downplay the event. After a debate, the decision was made, 2007 Estonia attacks we are going to talk about it as much as possible, as often as possible and declassify as many things as possible.

One of our primary concerns was that by that time Estonia was already a leader in e-services, digital transformation and we made a big story out of it. Of course, if you suffer a cyber attack, distributed denial of service cyber attack, which somehow hampers your government websites, not critical services, but is still highly visible then it’s kind of embarrassing. It’s kind of embarrassing to admit. But nevertheless, we decided to talk about it.

The ultimate dividend that we’re seeing was actually the dividend of trust. The public services spiked after that. The public trust spiked after that.

Picture 4

The fourth component, if you haven’t been to Estonia it’s kind of hard to explain, is this sense of transparency, sense of doing things together, sense of community.

You can see that, for example, we have this massive singing festival of tens of thousands of people come together just to sing some of the old songs. That’s very similar to the Irish, for example. We have this strong singing culture, community culture, and also leads to that leads to strong sense of transparency and trust of each other.

How did the country go from the remoteness of villages and privacy, to come together after the attack and put Estonia on an upward trajectory?

There are some components to this. We have a very strong sense of economic efficiency. Efficiency is one component.

We have a very strong sense of privacy. There are people who prefer to do things in their own corner. They are, on average, more informed on security. This privacy aspect is a relatively important comparative advantage, because of when you want to introduce new services.

Every digital service that Estonia introduces has a mandatory percentage that that goes to the security of the service. It could be pen testing, stress testing, or some other things. And then you have this fundamental believing belief in law and and process, which is the sort of vehicle to bring people together and ultimately the sense of transparency and doing things together, trying to punch above our weight. That is also part of the identity.

So it’s not one element taken separately, but I think it’s the combination. It’s the specific mix.

I was having interesting roundtable events recently with Germany, with German companies and also government officials. Their prevailing fear against digital transformation is related to this very strong sense of privacy, private data, people not willing to go online. Yes, to a certain extent, you have that in Estonia, but you also have this very strong sense of community, willingness to experiment because we have this component of process and component of transparency, and component of economic efficiency there as well. So, that’s definitely one of the drivers.

After the 2007 attacks, the public perception did not change, if it changed, it changed more towards the e-services because, the critical e-services: number 1, proved to be very resilient; number 2, e-services actually proved the e-service providers were transparent.

I think people appreciated that we were talking about this. Estonia actually became part of a wider global cyber story. Estonia was not the first country, of course, to suffer a spectacular cyber attack but Estonia was one of the first countries, if not the first country, to talk about it at that scale.

That actually that might be the reason why I’m talking to you right here because it actually empowered our business community, it empowered our digital story even more. It showed very, very powerfully that there are two sides of this coin, of the benefits of digital transformation, but also the need to have security.

The 2019 parliamentary elections of Estonia

Perhaps a better example of a really consequential breach of security came in 2019 during the national election campaigns.

One of the unique features of Estonian society is that they are e-elections, so people can use their ID cards to vote. This has, in my opinion, improved the security of elections massively. If you look at the recent, referendum on the EU in Georgia, you will see that there’s footage of people, attacking the polling stations, cramming ballots into the box, threatening people, beating them up. Somehow, the opposition to e-voting, tries to bring the point that paper ballots are more secure.

Look at what is going on in US elections. You have actual ballot boxes catching fire. These stories show that digital e-voting is more secure. However, we have had our setbacks as well. One of the setbacks we had, the election of parliament. I think it was 2 to 4 months afterward, a group of Czech scientists in a university, came up with a discovery that our ID card and microchip had some kind of vulnerability. Admittedly, something that couldn’t be widely used, but a vulnerability, nevertheless. So, the government approach there was the same as in 2007, more than 10 years ago. They shared every piece of information, every piece of vulnerability.

The context is that we have just had an election, where roughly 30 to 40% of participants cast their votes with the same microchip. Which could have called into question (as was happening in several states in the US) the whole validity of the elections. That did not take place in Estonia.

Being very open, transparent, ready to experiment yet trusting procedures approach. It’s not the whole part of the secret sauce, but definitely an important component.

Does Estonian citizens have a really strong sense of trust in the government?

I think it’s also a healthy mistrust, but there’s a way to channel that mistrust a little bit better.

What you feel is that, in Estonia, you definitely have this feeling that the government is closer, to you and that has been enabled by the digital services that the government have to the public.

It’s not necessarily blind trust. It’s not necessarily a special sense of meekness that you will see in the population. Definitely not. The Estonians are more than ready to challenge the government, more than ready to question the solutions.

Nevertheless, Estonians are also very rational. So, everything that makes sense, doesn’t get so emotionally overused and exploited.

What does the government do to reach out and involve citizens in its transformation?

First and foremost, the government provides quite excellent services.

What you will still see is that Estonians are very critical of the quality of the services. If you look at the Estonian digital story, and the story of Estonian government’s digital services, then that’s definitely a success story.

They are reasonable, available, accessible, and really hurdle free. Then there is also the added benefit that the more services you have online, the less risk you run of meeting a corrupt official because computers are never going to ask for a bribe.

Secondly, we have this permanent ongoing discussion of what government and private sector can do together. We, as a member of the Information Technology and Telecommunications Association board, are very much also supporting the government’s branding efforts of Estonian. It’s not only about brand or only talking about how good we are, it’s also about sharing the story, building an international community.

The third thing, we are so small that every solution that we do, everything, we also do for export. Estonians are, I think, natural natural exporters. For example, if you go to some some countries, for example, a vacation in Greece, then every single person that welcomes you is also a little bit of the country’s ambassador. They want you to feel good and want to promote the tourism. You can really feel that. I think in Estonia, the same applies to the software experts. So, you can find a taxi driver when you land that is going to praise some of the Estonian software solutions to you.

What does innovation mean to you?

I think the word of innovation in the sector where I am means basically three things.

First of all, it means an ability and readiness to face your fear.
Secondly, it means an ability to test the unknown.
And thirdly, it means a readiness to fail.

This altogether gives you what innovation really is, which is an ability to be in control of the future.

I was asked a question during the height of pandemic. There was a CISO summit in Ireland and the summit happened at the height of Irish National Health Service ransomware attack, which is one of the worst ransomware cases. The UK has had the same, but I think the Irish one was especially cruel. It was especially gruelling because it was so long term and took time to solve. One of the members of the Irish parliament asked me this fascinating question, which was, maybe we have gone too far with digital transformation.

Maybe we shouldn’t do all that. Maybe we should scale down the services. Then I found myself thinking that is really not an option. Digital transformation is a megatrend. The ability to try to control technological megatrend, we may have seen some successful attempts, but I think with digital transformation, this is not an option.

The option for us is to face our fears, to test the unknown, and to be courageous enough to fail and find ways where we can fail safely. That’s one of the things that our company does. We offer companies, organisations, and even governments an opportunity to fail safely as they innovate. That puts us in the driver’s seat. Innovation, first and foremost, is courage.

The public work that I’m doing right now in the AI Council, in the Ministry of Education. We are trying to come up with a matrix of how we allow this incredible innovation that is the AI, that are the LLMs, into our schools because we need our students to be able to benefit from it, but also ultimately to control it. The banning of it is not a possibility. But at the same time, do we realise, all the dangers? And how do we do it safely so that we have played out all the scenarios and all the possible scenarios that we might face, so that our our children can manage this future world, successfully and safely.

Again, these are three things: face the fear; test the unknown; and then be courageous to fail.

How do you facilitate innovation in CybExer?

I think the company culture is very important in the innovation and the sort of fundamental brainstorm culture where no idea is a bad idea.

You talk to each other in a straightforward way, in a no nonsense way, so the culture component is very important. Allowing heated debates, allowing experimentation and risk tolerance is also an important component.

The second important component that that really facilitates are our customers.

We are blessed with some of the customers who actually tolerate all that. So you have to have, really risk tolerant customers that actually enable that type of innovation.

This is one of the areas where having, lots of military and defence customers actually pays off. Military and defence customers really like that, where it’s part of their job to test the limits of the unknown and to also sometimes allow us to fail and learn.

I would use the term crazy. Military requirements very often are crazy to the everyday corporate user in some of the solutions we provide.

We need to allow that part of craziness especially because crazy requirement from a military customer may actually become disruptive in a commercial market.

For example, one of the requirements early on when we started doing cyber ranges for military customers was you shouldn’t charge us per user. You give us the software solution, but we don’t want to be charged per user because we don’t know how many users we have. And some of our users are going to go to the battlefield, so they need to need to be rotated against new users. We don’t think that it’s fair that, that we pay twice because those people are already somewhere else.

We now don’t charge per user in the commercial sector. That’s disruptive but it’s much better.

It also makes sense so, if you have a competitor that has based its business model on a user based billing, then you can really disrupt it.

Has Ukraine accelerated anything in your work?

As we have supplied our training platform to Ukraine, training is incredibly important there.

Ukraine is one of the good examples where you have people going on battlefield training, on our platform and then being ready to do digital defense work. Military conflict like this is always a catalyst for development.

I think Ukraine has been incredibly brave, of course, facing this enormous aggression, but they have been also incredibly innovative. I think what we see in Ukraine is the fundamental changes in the battlefield, fundamental changes in the way we use intelligent information, fundamental changes of how some of the conflicts in future are going to play out.

That applies also to cyber warfare. There are a couple of commentators and couple of headlines that ask “where is the missing cyber war in Ukraine?”. Our answer is perhaps we are not looking at the right place.

There is this an expectation of this “Die Hard” kinetic style cyber collapse, the end of the world type of scenario, which is a movie scenario. Cyber warfare doesn’t play out like that.

There is this fundamental difference between the use of kinetic power. The use of kinetic power, the missiles and the tanks, part of them is deterrence, and part of their deterrence is overt use of them. The enemy must see them.

The cyber power is fundamentally covert, and part of the deterrence there is we don’t see that. So, when the headlines claim where is the missing cyber war, the problem is not that, maybe there is no cyber war.

There is a story from the battlefield. You have a sys admin of power plant, at the gunpoint, of a soldier. The soldier holds him at gunpoint and asks him to log into the systems and give over the admin access. Now the question is, was that a cyber attack or was that a kinetic attack? My answer to this is this is a cyber attack. The reason is that you can have the best missile in the world, you can have the best gun in the world or tank in the world, and you cannot counter this attack kinetically. You have to counter this attack in the cyberspace.

Yes, they got in by using, physical violence, but now the thing has moved to the cyberspace. And in cyberspace, they need the network. They don’t want to have the doomsday scenario. [As in if they destroy the networks, then they can’t carry out their own cyber attacks.]

Where we need to look for the cyber warfare in in Ukraine, and I think we are learning massive lessons there, are the electromagnetic spectrum, the warfare, operational technology, all kinds of backdoors, telecommunications services, and satellite. That is all open game for cyber warfare, and we must make sure to learn those lessons.

Krulli Kvartal and the growth of Estonian innovation districts

https://www.krulli.co

[It was said earlier that Estonians like their privacy and the example given was in countryside villages, Estonians don’t like to see the windows of their neighbours, so I asked about Krulli Kvartal, a new innovation district and asked if that was the new thinking of people now.]

I guarantee you that every single person who is going to live in Krulli Kvartal is going to have a summer house where you don’t see the windows of the house.

But it’s not that we are particularly anti-city and anti-community. There is still a strong sense of community and actually at least 90%, if not all of those people, have some place to go in the forest where they don’t see the windows of their neighbours. This doesn’t mean that we are not open to those (innovation) communities.

This is an opportunity to not talk about a smart city, but more about a cognitive city. This is going to be an exciting project.

What is the business entrepreneur vibe like in Estonia and is the infrastructure supported by government?

The IT infrastructure is pretty good and traditionally has been good. That’s one of the key aspects where the public private cooperation is quite good. It usually looks like that private sector is complaining that government is not doing enough and the government is catching up, but that’s very predictable. Sometimes we also say that from the private sector and lobby organizations, that this predictable criticism is always very good.

In the Information Technology and Communications Association, we say that when the government is coming out with new regulations, they already know what we don’t like as a business community.

I think the Estonian government has a relatively good ability to engage the private sector in legislative process, and in export promotion process. We have a government that is very, very close. In Estonia nobody hopes for a handout or a fat government contract, but rather we are talking abou, ways how government always can support exports.

We are like minded there. Estonia is never that big that we can be self-sustaining. For our economy to be successful, we really need to focus on exports. We have always been successful. Throughout centuries, we have been successful when we have the ability to do international trade or commerce. It is true also today and especially in the sector of IT.

We are talking about government measures that, for instance, when a government has received a successful IT project, part of the public procurement rules should be that if that project is accepted and if the project is not classified, then it becomes an automatic reference for export purposes. The government agency would be obliged.

It’s not a law right now, but this is something that we’re working on because we have certain ministries that are very good with references and showing our use cases, how we do digital transformation. Some of the government agencies that do not have this kind of experience, could be more shy, so they they might not know what they can talk about or can they promote another company.

What we want to achieve is when an Estonian company has delivered a successful e-solution, that becomes an official reference so the government would be obliged to show that as a reference and then go opening the market this way.

There are countless other examples how we work together with the government to make Estonia more attractive as a business community. But there are difficulties. The economy is in a challenging state.

I think that we are still seeing the aftermath of the COVID. We are facing the same troubles that the whole world faces with inflation. This is all taking a toll. And then, of course, we need to think about security as well more than ever, which again takes an extra toll on the government and government expenditure.

What is the talent pool or skills gap like in Estonia?

We have to look deeper in the field. We have to put money where our mouth is in terms of talent search.

We really believe that in IT, especially in cybersecurity profession, we need to start earlier. We have a huge skills gap, and we cannot fill it unless we start from very, very early age with cybersecurity education. So, our company is one of the main sponsors of a competition called Cyber Battle of Nordic. We actually engage high school students to a very sophisticated cyber game and competition.

In the process we will identify future talents and provide them a platform to study and develop their skills, because we cannot wait until these talented people graduate from universities with master’s degrees. We have to start now.

Statistics show that the kids are actually very interested. One of the challenges of why we need to start early is the knowledge. There’s just so much knowledge out there, that that you need to study to be successful. So, it’s wise to start early.

Those kids who are really talented in IT, we can reach them early because they probably reach us and it’s a close-knit community. But we want to reach the kids who actually don’t know themselves that they might be interested in cyber. How can we solve that problem? That’s why we need to start early. We need to show them that it’s interesting profession, that there’s lots of challenging stuff happening.

The way we do it is, we have produced something in the format of a TV show. We have hired the same team who produces the equivalent of Estonian Idol.

We did a crossover with the programmes where the cyber stars taught the singing stars the cyber skills to defend their Instagram and Facebook. That got high ratings.

But also very interesting was when the singing stars came to teach our cyber experts, how to present themselves, how to have a little bit of social interface, to be part of the community, that was that was really, really cool and helpful.

I think we need to come up with these ideas to really find the balance early and find the balance in places where the people don’t even know yet that they’re talented.

What are the next 5 year, 10 year goals for CybExer?

The next 5 year goal is to keep up with the wave.

CybExer, as a company, has been riding the wave of cyber range development. We believe that Cyber Range as a technology is the most effective technology to address cyber preparedness management needs. 7 years ago when we started, observers said that cyber ranges are impossible to do in a scalable, off the shelf way. With the help of some of the customers, we actually proved them wrong.

3 years ago, we had our first investment from VC. Then, our challenge was to prove the product market fit. Ever since we have actually posted double digit growth annually. What our company has been doing is, we are actually riding the wave of cyber range market expansion. We definitely want to stay there. We definitely want to stay relevant.

The cyber range market has developed from early military adapters to wider commercial use cases. This comes from the pressure that companies want to be ready to manage their preparedness in a really sophisticated way.

Gartner, Tech Impact Radar, October 2023 is predicting mass adoption of cyber ranges exactly in 5 years. So that’s where we want to be.