In the last 20 years, Estonia has developed into what the World Development report, compiled by the World Bank, last year called “closest to a digital society”. However, being digital and therefore dependent on information and communication technology also creates challenges. One of them is the question of how to secure all the data that could become vulnerable in the case of a cyber or indeed a real military attack.
For example, when Estonia regained its independence from the Soviet Union in 1991, it had to determine who its rightful citizens were. Approximately 80,000 people had fled the country during the last world war and there was the problem of how to return land and property to those whose assets were confiscated during the Soviet occupation. In order to establish this, paper records and archives were used. However, in the digital society the country no longer stores this information on paper, raising the question of continuity or, as in the case of Estonia today, digital continuity.
The country had its first experience with cyber-conflict back in 2007, when attacks originating from Russia managed to take fifty-eight Estonian websites offline at once, including those of the government, most newspapers and many banks. Although no information was lost during this event, Estonia had been backing up important data outside of its borders even before the attack, storing it in Estonian embassies across the world. Russia’s annexation of Crimea in 2014 brought the question of continuity back to the forefront of public discussions in Estonia and the government’s Cloud Policy stated that, “to ensure service functionality and data continuity, capabilities needed to be developed outside of the country’s borders.” So even if a crisis develops, digital authentication and authorisation services would remain operational. To achieve this aim Estonia considered two options: a physical embassy for data in a friendly foreign country or a virtual embassy for data in a privately owned public cloud.
“One of the most important tasks of any country is to ensure continuity both on a state level as well as in terms of public services. The Estonian digital and information society is already so highly sophisticated that it is no longer possible to move back to a paper era. Therefore, we have to do our utmost to ensure cyber security, including maintaining the digital continuity,” Siim Sikkut, the government’s ICT policy adviser, noted. “We have back-up data storage facilities in Estonia, but in order to be prepared for any occasion, if, for example, the state suffers a large-scale cyber-attack, natural disaster or a conventional attack on a datacentre – we need back-up sites outside our borders,” he added.
One of the two options for achieving digital continuity, cloud technology, was tested in late 2014, when Estonia embarked on a research project with Microsoft to see whether a public/private cloud computing partnership model could function. However, Sikkut said that this was not enough. “The cloud technology provides a good opportunity, but the state also wants to maintain the full control and jurisdiction of their data and systems. For this reason the private cloud services are not exactly suitable for us,” he said. “Therefore, we started to develop and enhance the data embassy concept, just like Estonian embassies abroad, these are our sovereign embassies in foreign data centres.”
During the last few years Estonia has held talks with a number of countries and has now succeeded with one of the smallest countries in the European Union. The first data embassy will be based in a high-security data centre in Betzdorf, a commune in eastern Luxembourg. “The Luxembourg site will store the copies of the most critical and confidential data,” Sikkut explained, adding that the first data embassy should become operational by the end of this year, or at the latest, at the start of 2018. “Once the first one is running, we will analyse and evaluate whether we need to enhance our capabilities. It is highly likely that we will set up additional data embassies, but that all depends on the cost and our experience,” he said.
The two countries are expected to sign a mutual agreement this summer, but it is already clear that the Estonian data embassy will have the same protection and immunity as the traditional embassies. “Luxembourg has been a very good partner. In essence, we are creating a new precedent in terms of international law and practice, a kind of innovation. Luxembourg has been keen to think along with and contribute to the creation of the new concept. The ‘physical’ embassies are our sovereign territory under the Vienna Convention. Now we want to bring the same concept to the cyber world and data centres,” Sikkut explained. This effectively means that officials from the host country will be barred from accessing the data.
Estonia’s pilot project could, again, set an example to the rest of the world.