Meet GI's Cybersecurity Champion: Liina Areng, Director of EU CyberNet, Information System Authority (RIA), Estonia

By Si Ying Thian

Liina Areng shares her journey as a public sector cybersecurity champion at the Estonian Information System Authority (RIA), where her role at EU CyberNet focuses on coordinating and strengthening the European Union’s external capacity building in cybersecurity.

Meet public sector Cybersecurity Champion, Liina Areng. Image: Liina Areng.

This interview is part of GovInsider's inaugural Cybersecurity Champions report featuring public sector cybersecurity officials around the world.

 

Please give a brief description of your job function as a cybersecurity professional, as well as what your organisation does. 

 

I am leading EU CyberNet, a project funded by the European Union and implemented by the Estonian Information System Authority.

 

The project was established five years ago to bridge cyber capacity gaps among EU partner countries while also strengthening the EU’s own expertise and coordination for providing external capacity building support.

 

EU CyberNet brings together cybersecurity experts, key organisations and EU initiatives to foster a more comprehensive approach to cybersecurity.

What kind of cyber threats does your organisation face on a regular basis? 

 

EU CyberNet is, first and foremost, a project dedicated to strengthening the capacities of European Union partner countries to address and respond to the growing spectrum of cyber threats.

 

From commonplace phishing schemes targeting individuals and organisations to sophisticated, state-sponsored attacks against critical national infrastructure, the range and impact of cyber incidents are expanding rapidly. 

 

Rather than focusing on internal or European challenges, EU CyberNet works externally - sharing expertise, building communities and supporting the development of resilient cyber ecosystems worldwide.

 


 

The project mobilises European experts and institutions to assist countries in improving their cyber resilience, whether through policy development, regulatory advisory support or hands-on technical training.  

In your view, what are the biggest threats and challenges (be it in the network layer, and/or in areas such as scams, phishing and identity theft) in the public sector cybersecurity scene globally? 

 

The public sector faces, indeed, a multitude of cyber threats. However, the greatest challenges are structural: limited funding often hinders investments in cybersecurity, while reliance on external or third-party providers may increase risks.

 

Additionally, in an interconnected world a breach here may have a cascading spillover there across governments and sectors.  

 

Addressing these challenges requires sustained investments, stronger public-private collaboration, and a shift towards proactive cybersecurity strategies that prioritise resilience, threat intelligence sharing and capacity building at all levels.

Many say that we are entering an age of AI-driven cyberwarfare where both hackers and cybersecurity professionals use AI tools for attack and defence. What is your view? 

 

Of course this is the case. AI-driven cyberwarfare is no longer a distant threat; it is already part of today’s threat landscape. We are increasingly witnessing a paradoxical digital battlefield of machine vs machine.

 

Both attackers and defenders are leveraging AI for automation, efficiency and scale, but AI is only as effective as the humans directing it. At the moment, AI remains a tool, not an autonomous force working without human input.

 

The challenge lies in how to use AI smartly and responsibly, and at the end of the day, AI should enhance our defences, not replace our critical thinking and strategic guidance.

Cybersecurity is often described as a team sport whereby a network's vulnerability is often defined by its weakest link. In this context, how important is having a whole-of-government or whole-of-country cybersecurity posture?

 

A holistic cybersecurity posture is essential because cybersecurity is only as strong and effective as its weakest link. Governments, businesses and society must work together to protect critical infrastructure, public services and the digital economy.

 

Imagine: a breach in just one government agency can compromise an entire government. However, cybersecurity does not recognize borders – neither institutional nor geographical. Threats emerge and spread globally, making national security dependent on international cooperation.

 

Strengthening cybersecurity requires a unified approach at home and close collaboration with international partners, ensuring resilience against threats that no country can tackle alone.

An often-repeated point in the cybersecurity sector is what your Plan B is after your network is breached. Can you share your point of view on this aspect?

 

Resilience is the key: prepare and prevent. The real question is not if a breach happens, but when it happens. The ability to bounce back defines the true strength of organisational cybersecurity.

 

Plan B in this case may even be multiple backup plans to fall back on, with clear incident response protocols, reliable backup systems and a recovery strategy. Organisations must be ready to detect, contain and recover quickly while minimising damage.

 

Regular exercises, cross-sectoral and international coordination and learning from past incidents help to build capacity and resilience when systems are put to the test.

If your organisation gave you an unlimited budget for cyber defence, what would you spend it on?

 

Throwing money at cybersecurity won’t guarantee cyber defence. It’s about strategy and people, not about getting the latest tools and gadgets.

 

Technology is important, but without skilled people to manage, understand, analyse and respond, even the best systems money can buy fall into inefficiency.

 

Cyber resilience starts with human capability: the real challenge is attracting diverse talent, training and retaining skilled professionals, because no amount of funding can instantly create expertise.

 

Technology matters, but defence is built on skilled people working together. Thus, budgets must be spent smart for lasting impact.  

What brought you to this profession and what do you love the most in your job and what would you like to improve?

 

Like many Estonians of my generation, my path into cybersecurity was shaped by the 2007 large-scale cyberattacks on Estonia.

 

At the time, I was starting as a diplomat in NATO, and my portfolio unexpectedly expanded to include a “cyber package”. That twist of fate turned into a wonderful career opportunity, as I was fortunate to contribute to the development of NATO’s first-ever cyber defence policy. 

 

Once you enter this field, it’s hard to leave. Cybersecurity is exciting, complex, constantly evolving and never boring, and offers continuous opportunities to learn and develop.

 

What I particularly love about my job is internationality. Through helping to build cyber capacity, you get to appreciate vastly different experiences, pathfinders and enthusiastic leaders, countries that are leapfrogging in their digital development.   

The lack of qualified cybersecurity professionals is a global problem. How do you think this can be overcome?

 

Addressing the global shortage of qualified labour requires both short- and long-term solutions.

 

In the short term, upskilling and reskilling professionals from related fields and professions can help fill critical gaps. Long-term success, on the other hand, depends on the education system, especially early education.

 

Digitally aware citizens can be raised by putting focus on digital skills and integrating cyber matters into curricula, as well as supporting hobby education like coding clubs, robotics or cyber competitions.

 

These can spark interest and help to identify talent early. Importantly, we must make a conscious effort to engage girls and women – by providing relatable role models, suitable learning environments and targeted campaigns – to ensure that we include the full potential of our collective talent, including the other 50% of the brain pool.

 

Developing a strong cyber workforce requires continuous learning opportunities and a culture that encourages curiosity and problem-solving from a young age.

If you had a chance to restart your career from scratch, would you still want to be a cybersecurity professional and why?

 

I have always wanted to be a doctor - saving lives – but I’m not emotionally strong enough for that kind of heroism. So instead, I ended up in cybersecurity - where I may not save lives, but I like to think I help change them. It’s digital first aid :)