The Estonian digital society had the merit to overturn the classical relationship between the citizens and the public administration. Since the late 1990s, Estonia has been a proactive state by giving every individual the complete ownership of their data and launching the eID card in 2001 as the unique key to access public services – from healthcare to business registry, from i-voting to e-residency. Such a strong and farsighted political decision placed the state in the position to take responsibility for the security of all digital services.
Every Estonian ID card has a chip for authenticating oneself and digitally sign documents, but also, this might expose the card to possible digital vulnerability. And that’s what happened for the first time on a large scale on 30 August 2017: Petr Venda, a researcher on cryptography and security at Masaryk University in the Czech Republic, notified Estonia about the security risk in the ID cards chips. After investigating 22 different types of library cards and 16 types of smart cards, Venda and his team found that there were small biases. But there was a larger problem: an algorithmic flaw in Infineon RSA Library, meaning that all the keys generated by vulnerable Infineon Library were affected. More than one million chips used for identity documents and produced by the company Infineon were impacted all around the world. In Estonia, all the eID cards (800 000) issued since autumn 2014 were at risk.
In theory, every private key could have been calculated from the public one, thus allowing hackers to access sensitive information of the users by stealing their digital identity. RIA, the governmental organization responsible for the administration and development of the information system, the Police and Border Guard, the Ministry of Economic Affairs and Communications together with private companies as Nortal and Cybernetica, started to work jointly on managing the crisis. That’s probably the reason why today we can define a possible threat to the survival of the digital society, as a case study with important lessons learned to share with all the main stakeholders. During his speech, Taimar Peterkop, head of Information System Authority (RIA), remarked the importance of the involvement of the public: “We need to deal with cyber attacks publicly, not privately, as would be supposed for the defense sector from where I am from. Public debate definitely helps to build trust among citizens”. Statistics clearly confirm the effectiveness of this measure: 10 million digital signatures were given in February 2018, against the 6 million of the same month in previous year. Moreover, during the security flaw crisis, the i-voting system in Estonia registered a new record: 31,7% of the voters chose their candidate with a click from a laptop.
The strategy of Estonia in overcoming this issue was allowing cardholders to update the certificates remotely. Spain, for instance, had to revoke 17 million cards. After the suspension of the certificates of the cards with vulnerable chips on 3 November 2017, 94% of the eID cards which are electronically used have been renewed. Face-to-face authentication and handwritten signatures are no longer acceptable alternatives, as the digital solutions are considered vital services in Estonia. Risk management, continuity planning, and openness are the keywords in overcoming security threats. As was also underlined by the Estonian Prime Minister Juri Ratas: “If we wish to move forward we need to invest much more than before not only in our systems but in our people. Strong cooperation means cooperation between researchers and IT, between public and private sectors.” After lessons learned, Estonia is now more mature to face new challenges.
Photo credits: Annika Haas