The Estonian Information System Authority (RIA) recently published the Annual Cyber Security Assessment 2018. Last year was an unusually eventful year in global cyberspace. Malware campaigns caused havoc around the globe, large data leaks took place, and vulnerabilities were found in technologies thought to be secure. We spoke with Taimar Peterkop, Director General of RIA, about recent findings, new tendencies and learning points.
A record number of incidents, almost 11 000, were reported – what are the main causes?
Last year, the Incident Response Department of RIA recorded about 10,923 cyber security cases – one third more than in 2016. Only 122 incidents had a direct impact on a service vital to the functioning of the state and society – the lowest figure in the last three years. Last year, 32 known cyber incidents took place in the Estonian healthcare sector, and ten of these cases had a direct influence on the work of hospitals and general practitioners.
The number of cyber incidents registered in Estonia has been increasing for several years and there are several reasons for that. First of all, criminals take more advantage of our digital lifestyle, meaning that there are more attacks. Secondly, the capability of detecting cases has improved. The more we investigate, the more we discover. Additionally, companies are more aware and put more emphasis on cybersecurity, meaning that more anomalies are reported.
In spite of improved awareness, readiness in various sectors is uneven and the owners of equipment do not discover many incidents that endanger the users of the services in addition to the owner of the systems. The attacks are still targeted at the health sector, energy companies, and public authorities, the functioning of which affects the well-being and people’s lives. Ransomware campaigns, which aim to paralyse systems and blackmail the victims, are well-thought-out attacks, against which it is very difficult to defend oneself fully. We must contribute to information systems and their security in the same way we do, for example, the follow-up training of doctors, because even the skills of the best doctor may not be enough if the medical history and treatment information are unavailable due to an attack on the systems. This can be illustrated with the extensive campaigns of recent years, such as WannaCry and NotPetya, which fortunately did not cause major losses for Estonia.
What changes have occurred in the threat landscape in recent years?
The majority of the cyber incidents that impacted Estonians and Estonian organizations still involve malware infections. Globally, last year’s most significant cyber incidents included the WannaCry and NotPetya ransomware campaigns, causing losses in the billions of Euros. In Estonia, thanks to prevention and timely response, the losses were minimal. Although cyber incidents can be caused by human behaviour and technological problems or natural events such as storms, about four-fifths in Estonia – 2,500 last year – were caused by intentional activity – i.e. cyber attacks. Next to this figure, administration errors and service downtime due to technical malfunction caused less than 10% of all cyber incidents. Infected devices can be used for various cyber attacks – denial of service attacks, data theft and spreading fake news. Increasingly, computing resources of hijacked devices are used for mining cryptocurrency, and toward the end of the year, such incidents were on the rise in Estonia. Most cybercriminals are unselective, looking for vulnerable devices and careless or gullible users. Typically, outdated software is a contributing factor, allowing attackers to exploit a vulnerability. The victim can be the owner of the system or an unsuspecting user, such as a visitor to a website. Poor or non-existent security does not pose a risk to solely the owner; far from it.
What were the biggest challenges of the past year?
Last year was challenging for Estonia and the world as a whole: weaknesses in popular smart and digital devices were discovered and the personal data and passwords of millions of people were leaked. The Estonian digital state was able to overcome one of the biggest challenges – the security risk of the Estonian ID-card was resolved successfully. People continued to use e-services and have confidence in digital identity. Many other countries were not so lucky. However, such challenges in the cyber world are becoming more and more serious and we need to be well prepared for them. Criminals or hostile nations whose intention is to manipulate information, earn easy money in a criminal way or undermine their opponent’s credibility. We have to be one step ahead of them – we have to do everything possible to be as thorough and careful in the digital world as possible, protect our systems, and, if necessary, ask the state for help.
What were the main learning points from the ID Card incident?
The ID card security vulnerability illustrates how much societies depend on fundamental digital infrastructure – in Estonia’s case, the state, entrepreneurs and users were all impacted. Our crisis management efforts underscored the need to review specific processes – among them the administration of the ID card, risk assessment and mitigation as well as inter-agency cooperation. Beyond that, there is a clear need to view the country’s digital architecture and digital governance as a whole. Not to let a good crisis go to waste, here are the most important lessons learnt from the ID card case:
• Dependence and alternative solutions. The ID card is a means of authentication and secure signing for close to 5,000 different public and private sector services. Clearly, in most of these cases, the option of face-to-face authentication and handwritten signatures is no longer an acceptable alternative for the society and thus alternatives to the ID card are, above all, other digital, not physical solutions – mobile ID, Smart ID and new solutions being developed. Their penetration and readiness to use them in services must increase.
• The need for flexible, open architecture poses a challenge for the state’s habitual operating patterns – developing solutions in-house or procuring innovation from the market. Few governments possess the entire necessary skill sets; most of the competence lies in the private sector. With globally used technologies, governments cannot fully solve problems inherent in technologies they are merely a customer of. Major international corporations – representing the greatest capacity in providing solutions and services – operate from their own assessment of business risk, and in the case of such a large-scale security vulnerability, a state is just one customer among many. In our case, the online update service gave us flexibility, which allowed the certificates to be suspended pending a later update. This put us in a better position compared to other countries with the same problem.
• Responding to risk. Estonia and Europe have procedures in place for responding to incidents where the impact is already evident. In the case of a theoretical risk where we hope to find a solution before the impact is realized, there is no reason to apply such measures, and indeed they would not be appropriate in such a case. Thus, we have to develop similar routines for threats and risks where the impacts are still unrealized.
• Openness. Risks arising from vulnerabilities in fundamental digital infrastructure cannot be managed without the involvement of stakeholders – including the public and the media – as these risks affect the entire digital ecosystem. That means that, in order to reduce the societal and economic impacts of technology risks, risk management must not only be capable of solving a complicated technological problem but also be preventive, open and capable of translating the solution into layman’s terms for all of society, in order to respond to the public’s needs.
• Broad-based cooperation between a great range of stakeholders with different roles, expectations and levels of readiness is a sine qua non. A lean government sector should be able to draw on a strong private sector in times of crisis. Hiring additional people in the public sector is not a solution, which is why strengthening our tech industry – above all by means of supporting education and research, to guarantee the existence of knowledge and experts – satisfies the important requirement that they can be called on by the state in times of need.
• A digitally literate society. In today’s digitally dependent society, technological literacy at the individual level (as opposed to offhandedly referring technological issues to an IT department) is now an essential skill. We need more people with multidisciplinary skill sets – those who are simultaneously proficient in both tech and non-tech fields such as economics, public administration or the law.
Download the Annual Cyber Security Assessment 2018.