Crafting a Cybersecurity Governance Ecosystem: Two Decades of Learning in Estonia

Abstract

Cybersecurity is a new but pervasive phenomenon facing governments today, emerging as a global policy concern over recent decades. Governments must craft institutional setups for cybersecurity as the global threat landscape evolves. This paper examines the process of allocating governmental responsibility for cybersecurity inside the Estonian government, among the first to publicly acknowledge cyberattacks against a nation-state in 2007. Furthermore, it looks at how this process has changed over time and how this process can eventuate. It employs a collaborative governance theoretical approach, emphasizing the myriad actors involved with such processes, and qualitative research methodology, via interviews with public officials across the Estonian government. This paper indicates that cybersecurity purview has shifted over time from a military to a civilian one, prioritizing the country's digitalization, and that governmental understandings of cybersecurity are neither codified nor entirely consistent, though this could be expected in a governance environment where myriad actors are involved.