When bored kids gain control
It’s no secret that the masterminds behind a lot of cyberattacks are teenagers with nothing better to do. “Curious kids like to test themselves,” says Reintam. “The Internet’s full of information – YouTube, forums, online games and the people you meet playing them. If parents are absorbed in their work and their own lives, then for their kids the Internet becomes this boundless world where you find the best, and the worst, of everything.”
He gives the example of a 14-year-old who seized control of all the family accounts on their ordinary, Windows-based home computer. The girl had full administrator’s rights to each of them, giving her complete digital control over her family’s fortunes (literally and figuratively). “This was only able to happen because her parents didn’t have the time or, to be honest, the nous to deal with it, so she seized power,” Reintam explains.
But this is just one of many such incidents, which have been going on for years. As long ago as 2012 the Security Police were already making it known how they identified young attackers: working with the Information System Authority and a youth work specialist and criminal investigators from the Eastern Prefecture of the Police and Border Guard Board, they unmasked users who, posting online as ‘Anonymous’, called on people to launch cyberattacks against Estonian servers. According to the Security Police, the individuals identified included underage residents of Estonia.
For the most part, kids learn their way around the Internet themselves, gaining skills that should prove useful to them in the future. But they can also learn the hard way if they end up in places they shouldn’t be in or if they get caught up in crime. These in particular are the reasons that make cyber guidance, education and supervision so important.
Reintam outlines another situation – one which might even seem funny at first – wherein kids watch their parents so closely that they eventually gain access, say, to their mobiles. “A good example here is a former colleague of mine who unlocked their iPhone with their fingerprint,” he says. “His six-year-old soon cottoned on to this, and when the boy woke up early one day he went into his parents’ bedroom, grabbed his dad’s phone and, while dad was still asleep, with his arm sticking out from under the pillow, pressed his thumb against the screen and voila!” Dad enjoyed a sleep-in while his son drained the phone’s battery playing games.
Reintam says forming a network for cybersecurity awareness is important in order to share information and best practice, because technology is not confined by national borders. Photo: CybExer Technologies
How can we foster cyber skills in children?
The aforementioned examples show just how smart and capable our kids are, which is something we should waste no time in putting to good use.
Youngsters with an interest in IT and all things cyber should be pointed in the right direction as early as possible, in which Reintam says IT teachers and parents play a big role. “Kids start showing an interest in computers during their first few years at school, and these days that means that kids as young as 10 can already be smarter than their mum and dad,” he smiles. “That’s why it’s important to keep an eye on what they’re looking at online, and to steer them away from anything that’s likely to end in tears for both the kid and the parents.”
Online risks and cyber crime also make it vital for kids to have the skills they need to navigate their way safely and responsibly through the digital world.
From her experience as an adviser to the NCM, Grete Kodi says that with society growing more and more digitalised all the time, digital literacy has become just as important as traditional literacy. “The Internet presents a wealth of opportunities, but just as many risks,” she cautions. “Kids have to be aware of those risks and have to be able to protect themselves against them.”
To this end, the Nordic countries have launched a number of initiatives and programmes to enhance kids’ awareness of cyber risks and to give them the skills they need to guarantee their own digital security and that of others. “The scope of the approaches they’re taking differs, as do the approaches themselves,” says Kodi, “which is why the level of instruction varies so wildly between countries and still makes up such a small proportion of school studies. There’s a lot of room for improvement.”
Reintam agrees, adding that cyber education should (and thankfully in Estonia already does) form part of the primary curriculum. “The kids learn the basics of cyber hygiene and are taught the do’s and don’ts of using IT devices on an everyday basis,” he explains. “In terms of how fundamental it is, it’s little different to teaching them traffic safety.”
Cybercation: the Nordic-Baltic cyber education forum
Kodi says that in mapping the situation in the Nordic countries and Baltic States it was noted that although cybersecurity is listed as a priority in all eight nations’ defence policy strategies, the shaping of cyber experts receives short shrift in official curricula. “It ranges from very little to basically none at all,” she reveals. “If kids are given any sort of training, it’s mostly in groups that are put together on the initiative of their teachers.”
Thankfully, digital literacy and cyber education are often integrated into school study programmes in the Nordic countries, where pupils are taught the basics of online safety, including the need for strong passwords, the ability to identify secure websites and to protect their own privacy, and awareness of the risks posed by social media.
Kodi says the best cyber experts have mostly found their own way to the top. Photo: Jana Laigo
Nevertheless, Kodi says the best cyber experts have mostly found their own way to the top. The Nordic countries have their own ‘private’ initiatives, but a more systematic approach needs to be taken to the fostering of young people’s skills. “We realised that if we wanted to address the dearth of cyber experts in our region, we’d have to work on the problem together,” says Kodi. “That’s why we set up Cybercation, a Nordic-Baltic cyber education forum at which representatives of the education sector and of companies and officials working in the field can share experience and best practice and develop solutions to reverse the shortfall in labour.”
Cybercation is designed to bring together teachers, education specialists and institutions whose mission is to support IT-based teaching in the Nordic-Baltic region. “We want it to promote cyber education more widely and to serve as a more effective growth platform for it, and to foster international contact and interaction not just between students and teachers, but also between teachers and educational institutions, leading to long-lasting partnerships,” Kodi explains.
Rapid digitalisation is not helping to resolve the problem
Kodi admits that cooperation between the Nordic countries in the field of cyber education remains weak. “Digital developments are coming thick and fast, but in keeping up with them there’s been little time to deal with the lack of qualified people and other similar problems,” she says. “So far each country has done what it can to tackle these issues on its own.”
Kodi adds that implementing innovation is not the problem in private enterprise at present, but rather guaranteeing the capacity needed to ensure the security of new [digital] solutions.
All of the Nordic countries and Baltic States are faced with the same problem: meeting demand for qualified cybersecurity specialists. Kodi says that in order to overcome this challenge as quickly as possible, cooperation needs to be undertaken between the public and private sectors as well as between countries. “The education system definitely needs to be changed so that it’s capable of training up the sort of experts the market actually needs,” she remarks. “That said, it would be too much for the education sector to tackle on its own – it would need to work closely with the public and private sectors. And those are the exact sort of partnerships we’re using Cybercation to encourage.”
Cooperation is the key
According to Kodi, the NCM is doing everything it can to promote and facilitate such cooperation. “Cyber crime is a cross-border phenomenon, so an international approach should be taken to solving such crimes,” she says. “It’s so important that we share experience and best practice. That’s why working with the private sector to establish a Nordic-Baltic network for cybersecurity awareness is our number-one priority.”
Reintam agrees that cooperation between the Nordic countries is vital, as collectively they form one region. “They’re closely linked through the movement of people and their economic ties and their security space,” he said. “In cybersecurity terms we here in the Baltic States form a single region as well, and we need to work with one another in that regard. So I’m delighted to see that the NCM is continuing to take the issue so seriously. It’s supporting the Cyber Battle of Estonia (CBOE) – which we’ve renamed the Cyber Battle of the Nordic-Baltics – for the second year running, for which we’ve brought in teams from all eight of our countries.”
Kodi concedes that the lack of qualified cybersecurity specialists is a problem that needs to be attacked from a number of angles. “Educational institutions, governments and companies all have a role to play in boosting the number of specialists, by investing in education and training and by drafting policies that support the development of a strong cybersecurity workforce both within and outside of educational institutions,” she says.
Reintam adds that forming a network for cybersecurity awareness is important in order to share information and best practice, because technology is not confined by national borders. “The threats that could bring these technologies down and affect the economy or critical infrastructure are similar in nature all over the world,” he notes. “That’s why a network is needed – so that our knowledge of the dangers and how to deal with them keeps up with the times.”
Kodi and Reintam feel it is important that young people get the chance to test themselves in competitions
Millions of specialists are needed
According to the Cybersecurity Workforce Study, there is a global shortfall of 3.4 million cybersecurity professionals. This is something that impacts on public-sector organisations and companies in every field. Kodi and Reintam say this is why they aim to popularise ethical hacking among kids in the Nordic countries and Baltic States.
Reintam says that in order to deal with the situation, talented youngsters need to be found and pointed in the right direction, offering them the sort of education that interests them in terms of both what is taught and how it is taught. “Retraining needs to be provided as well, and development opportunities for existing IT and cybersecurity specialists,” he suggests. “The most important thing is finding people who are passionate about it, and really challenging them.”
However, Reintam says the first thing that needs to be done is to separate the teaching of cyber skills to kids as part of their schooling from cyber education which could lead to a career and speciality in the fields of IT and cybersecurity.
“As an area, cyber education is something which arose from the need to overcome the challenges facing digitalised societies,” he explains. “These days you can barely take a single step without coming across devices with computers inside them exchanging information.”
This is why people are needed who understand how such devices work, what opportunities they present and where their weaknesses lie. The need for cybersecurity specialists has grown exponentially alongside this.
Let’s get kids [ethically] hacking!
Kodi nominates one way of giving kids the life skills they need. “It’s called ‘gamified hacking’,” she explains. “It’s about learning, but in a fun way that gets your adrenalin pumping! You can use it show kids the very different sorts of career paths those skills can take them down.”
Instead of hacking into systems for a bit of excitement or just to kill time, the Cyber Battle of the Nordic-Baltics gives the kids the chance to solve real-life situations. “So on the one hand the competition’s introducing them to ethnical hacking, and on the other it’s securing the future of the digital industry,” Kodi smiles.
First held in 2020, CBONB was the brainchild of CybExer, which has been operating in the field of cybersecurity since before it was a thing anyone even talked about. “That’s why we realised before anyone else that kids needed to be properly cyber-educated,” says Reintam.
The competition is designed for young adults between the ages of 15 and 24. It sets them practical hacking tasks in which they find out how they measure up against others. The biggest cyber event for young people in the country, it has been organised since 2021 by the Estonian cyber education company CTF Tech. “Needless to say we specialise in what we do best,” says Reintam. “We’re the tech partner to Cyber Battle, providing the virtual training ground they need for the competition.”
Cyber Battle also has a lot of supporters in both the private and public sectors who have come to the same realisation about the importance of cyber issues and education. “It would be fair to say the competition wouldn’t be possible without the backing of the City of Tartu, the University of Tartu and a whole host of companies,” Reintam admits. “The private sector has certainly shown its initiative, not just in organising the Cyber Battle but other smaller events as well. But the private sector alone won’t be able to keep driving it forward forever.”
Reintam says that in their work his company enjoys close contact with universities and other educational institutions that are interested in their cyber training ground and that are starting to recognise its value as a practical and effective platform for teaching and learning. “The situation’s improving, but there’s a way to go yet,” he cautions. “Digitalisation has outpaced our ability to resolve cybersecurity issues.”
The article is a part of the series "Nordic Sustainable Future".
Listen to the podcast on the same topic.