GovProfilesCybersecurity
Bookmark

Estonia’s cyber diplomat stresses need for more ‘translators’ to bridge tech and politics

Oleh Si Ying Thian

Estonian Information System Authority (RIA)’s Liina Areng highlights the importance of building trusted networks across borders to close the gap between global policy and frontline responders.

Liina Areng is the European Union’s Cyber Capacity Building Network (EU CyberNet)’s Project Director at Estonia's Information System Authority (RIA). Image: EU CyberNet

For Estonia’s defence policy advisor Liina Areng, her journey into cybersecurity was an accidental one – but later became an intentional one for almost the next two decades. 

 

Areng is the European Union’s Cyber Capacity Building Network (EU CyberNet)’s Project Director at the Estonian Information System Authority (RIA).  

 

For close to a month in 2007, Estonian public and private organisations were hit with a series of cyberattacks.  

 

Back then, Areng was just starting her stint at North Atlantic Treaty Organisation (NATO), and her portfolio had unexpectedly expanded to include cybersecurity. She later became involved in developing NATO’s very first cyber defence policy

 

“The twist of fate turned into a wonderful career opportunity,” she told GovInsider previously.  


Today, she leads the EU Cybernet, an EU-funded initiative managed and ran by Estonia’s RIA to deliver capacity building programmes and strengthen global coordination. 

 

Areng first brought the initiative to the Latin America and Carribean region in 2020, which led to the creation of Latin America and Caribbean Cyber Competence Centre (LAC4) in 2022.  

 

The second phase, which started last year, is focused on the Indo-Pacific region. 

 

GovInsider caught up with her in person to explore the “art” of cyber diplomacy, specifically how to bridge the gap between technical reality and global geopolitics. She also shares her insights on navigating cultural nuances to deliver meaningful capacity building in the Global South. 

The two worlds of cybersecurity 

 

In any specialised field like cybersecurity, it’s easy to get trapped in the “curse of knowledge” where the experts assume everyone knows as much as they do about the field.  

 
Liina Areng and her team at the Estonia's Information System Authority (RIA). Image: Areng

Highlighting this gap between national operational agencies and multilateral UN processes, she says: “We need more translators who can understand at least the core terminology, as well as the regulatory space and international relations. 

 

“I see a big discrepancy between what’s happening in the UN global mechanism and the processes in national cybersecurity agencies,” she explains.  

 

In most countries, the incident responders sitting in the computer emergency response teams (CERTs) or national security agencies have no idea that diplomats in New York are debating the voluntary UN norms for cyberspace.  

 

Areng mentioned Singapore as a potential exception where the Ministry of Foreign Affairs (MFA) and Cyber Security Agency of Singapore (CSA) might be more tightly knitted to share information.  

 

While her role is immersed in cybersecurity, she emphasises that success relies less on deep technical expertise and more on building trusted networks.  

 

For her, the real skill is translating complex cyber concepts into simple terms that unite diverse stakeholders and drive policy forward. 

The value of trusted, cross-border/sector collaborations 

 

While the EU can mandate compliance to enforce cybersecurity standards across its members, intelligence sharing relies on trust.  

 

This sharing thrives best in smaller, sub-regional groups where neighbours may share a common geographic threat landscape, says Areng as she cites the Nordic-Baltic Cyber Consortium (NBCC) as an example. 

 

NBCC is set to begin operations in the cominggin operations in the coming months in Copenhagen, Denmark, she says. 

 

Such trust-based networks move beyond policy compliance to focus on threat intelligence sharing and joint development of solutions, she explains. 

 

Following the 2007 cyberattacks, Estonia began to actively integrate private sector experts to defend the country’s digital infrastructure. 

 

To mitigate talent shortages amid a rising threat landscape, the state established the volunteer-based Cyber Defence Unit as part of the Estonian Defence League. 

 

Rather than viewing the loss of public sector tech talent to the private sector as a setback, Areng sees this mobility as a strategic asset for the country. 

 

As long as the talent remains within the country, it creates a fluid, trust-based network that leverages both public and private sector's expertise. 

 

Public officers understand the inner workings of the government, while private sector specialists can contribute user-centric and agile perspectives back into crisis response, she says. 

 

“We involve the private sector from the very early stage of consulting them. It’s good to have friends and compatriots that understand the government and the obstacles we face. 

 

“The government may not be as good at developing services or may forget its customers.

 

So, it’s good for us to have a mix of both formal and informal communities [to bring together public and private experts],” she explains. 

New rules of foreign capacity building efforts 

 

Estonia used to be on the receiving end of foreign aid in the 1990s, says Areng. She recalls what it felt like to have foreign advisors preaching to them. 

 

Because of this lived experience, she champions an empathetic approach to digital development based on listening first and then co-creating something. 

 
The second phase of EU CyberNet, focused on the Indo-Pacific region, saw the EU team recently conducting a workshop about cloud security and operational tech in Thailand. Image: EU CyberNet

She highlights several key lessons from Estonia’s experience delivering cyber capacity building programmes globally. 

 

In January, the EU CyberNet conducted a workshop partnering the National Cyber Security Agency of Thailand (NCSA), Japan International Cooperation Agency (JICA), and the ASEAN-Japan Cybersecurity Capacity Building Centre for ASEAN government agencies. 

 

The first lesson is demand-driven support. Areng shares that the EU did not decide on the topic of cloud and operational technology (OT) security, but that it was decided through the ASEAN’s broader strategy.  

 

The second lesson is culturally-sensitive delivery. Her team pairs European subject matter experts with local practitioners to ensure that the technical advice accounts for local cultural and systemic realities.  

 

The third lesson is respecting the recipient’s agency to opt for a different approach to doing things.  

 

“We make sure we are not preaching something as the only way to do things. There are already so many different angles they’re already provided with. 

 

“This is just one option. They can either take it, mix it in their own ways, or not take it at all if they see it as completely wrong or if it would not work,” she explains. 

 

Finally, it is empowering local ownership. External partners should act as behind-the-scenes facilitators, Areng says, adding that the local national cyber agency should remain the lead actor to take ownership of the outcomes.  

 

“They are also providing us with a lot of input along the way for the training agenda and what we can try to achieve with it... 

 

“We realised that an angle that the EU is strong in is in its regulations. We were surprised that these regulations are quite well-known across cyber security and General Data Protection Regulation (GDPR).  

 

“And we see there is growing appetite across regions to learn and adapt this approach to local contexts,” she says.  

 

Also read: How Czech’s cyber envoy is building alliances, from Brussels to the Indo-Pacific, October 24, 2025