This could be the case even if the IT workers in question do not agree with the official Russian line on the major political issues of the day, the ISS, known in Estonian by the acronym Kapo, went on.

The ISS noted in its yearbook, published Friday, that: "The obligations arising from citizenship towards a person's country exist regardless of whether individuals align with the views of the current government in their country of citizenship."

The ISS wrote that Russian citizens living in Estonia are in fact obligated by the Russian Federation's constitution to stand up for their country, an obligation which also applies to dual citizens who hold another country's citizenship but have not fully renounced their Russian citizenship, if doing so – as is the case in Estonia – is required.

The ISS highlights in its annual report that each year, hundreds of Russian citizens resident in Estonia attempt to secure positions within Estonia's ICT sector.

Many of these individuals will have had more extensive military exposure than the average Estonian, having undergone military training and been assigned wartime tasks and mobilization duties during their university days, in Russia.

The ISS wrote: "This means that even employees in what are apparently civilian fields, including ICT, may have had military roles and tasks, even during a conflict, which they might have been required to perform at high readiness, due to the obligations arising from their citizenship."

Therefore, Russian and Belarusian citizens studying and working in Estonia's ICT sector tend to come under heightened scrutiny from the Russian intelligence organs. Skilled individuals in particular can be exploited as needed, while their loyalty is demanded when deemed necessary to serve Russia's state interests, the ISS outlined in is yearbook.

The presence of individuals with ICT and cyber security expertise who owe loyalty to a hostile foreign state poses a security risk to Estonia's critical networks, one which must be diligently avoided and mitigated, the ISS emphasized.

This necessitates greater security awareness within Estonian companies and government agencies, in order to mitigate cyber risks stemming from human factors.

The ISS also stressed: "It is especially crucial for Estonian government and military agencies, as well as providers of vital services, to remain aware of their service providers, partners, and their subcontractors, to prevent citizens from potentially hostile third countries from accessing critical networks and systems."

"This means having a clear understanding of who exactly enjoys what level of access to an agency's networks, in the course of providing their services. In the case of a contractual partner, this involves the obligation to coordinate potential subcontractors and other third parties involved during the course of contractual cooperation."

The ISS also highlighted that the most critical component of even the most intricate cyber-attacks is the human link between the screen and the outside world.

Moreover, the ICT sector in Estonia has a particularly board impact, one which is directly connected to crucial and vital services.

Furthermore, IT companies in Estonia form one part of an international network, and are developing products and services for consumers and government agencies responsible for defense. Given the long-standing shortage of specialists in the Estonian ICT sector, it had already become relatively common for government-linked firms to hire citizens from third countries.

"Using the opportunities provided by the Estonian e-residency program, companies were set up here which then helped bring more of their founders' compatriots to Estonia. This was most commonly pressed into use by Russian citizens, for whom Estonia was a convenient choice due to its proximity to Russia, and the overall linguistic environment," the ISS wrote.

"At the same time, cyber domain curricula at Estonian universities became popular, and graduates often stayed on in Estonia to conduct research at universities or to work professionally in companies. In this way they came into contact with Estonian government agencies in any case, via development work and service provision," the ISS went on, detailing how Russian citizens have come to reside in Estonia.

The ISS acknowledged that the threat of cyberattacks remains high due to Russia's ongoing war against Ukraine, meaning warnings over the risk of hostile cyber operations against Estonia remain consistently high.

Their primary targets, too, would be government agencies and the military sector, and also private companies, especially providers of essential services: Logistics and energy companies, for instance.

"Usually, such attacks are carried out by hostile country's military and intelligence cyber units, who consistently work to realize their country's interests," the ISS noted.

The ISS also warned of the increased likelihood of cyber sabotage – cyber-attacks with destructive effects – against Estonia's vital infrastructure, underscoring the urgency for government agencies and essential service providers to recognize that they are targets of such attacks.

The annual report also featured several examples from around the world and Estonia of cyber-attacks where, alongside data theft, the control systems of companies providing vital services were disrupted, causing disturbances in water or heat supply.

The full 2023-2024 ISS Yearbook is below, and is also available here.

--

Follow ERR News on Facebook and Twitter and never miss an update!