One of my favourite topics to discuss in my briefings is electronic identity (eID). And for a particular reason – eID is one of the foundations Estonia laid for digital services in the early 2000s. From declaring taxes and registering a business to applying for a benefit or i-Voting, everything is tied to the strongest form of authentication, proving that the person behind the transactions is the Erika I say I am.
How often does identity theft occur with all public services accessible using the eID in Estonia?
99% of Estonia’s population has a digital identity, which is provided through a mandatory national document. In October 2022, the 20th anniversary of Estonia’s electronic identity and digital signature was celebrated. It might be surprising to learn that throughout the two decades, no identity theft has been reported as a result of someone breaking the technology that provides people with a digital identity. The only instances of misuse of someone’s electronic identity have occurred when people have voluntarily given someone else access to their private keys. Ironically, eID abuse has been carried out by relatives and friends.
The weakest link in the use of technology is rarely an unprotected backdoor but almost always the end-user. For example, you could install the strongest locks available on your door to keep yourself safe, but if you rush to open the door whenever someone knocks, then not even burglar-proof locks will prevent you from being robbed. Having strong cyber security processes in place is a must, of course, but to prevent (digital) identity theft, you need to educate the user.
- Don’t write your PIN codes on a sticky note and keep it with your ID card
- Don’t use 1234 as your PIN code
- Don’t give your PIN codes to anyone else, even if asked
These suggestions always provoke laughter from my audience because they seem so… simple. But simplicity is the key. There is no magic in it, just common sense. This is what Estonia’s government has always raised awareness about, sharing easily understandable actions anyone can take to stay safe in cyberspace.
Are you cyber-savvy?
Security is not a topic you solve once and then check off your to-do list. It is an ongoing process, which is why the Information System Authority constantly monitors activity in Estonia’s cyberspace and has launched a webpage with study materials to help raise awareness in the information society and prevent people or businesses from becoming victims of cybercrime. The continuous “Ole IT-vaatlik” campaign, roughly translated as “Be IT-aware”, pays attention to all the possible risks lurking around the digital world, shares tips on maintaining high cyber hygiene, and also offers a cyber audit environment to test users’ cyber-savviness.
Digital is not necessarily safe by default, but it is transparent
Estonia was on the receiving end of the first large-scale cyber attack against a government in 2007, and one of the takeaways from it was the understanding that, even though it was the first time, it would not be the last. The world is currently witnessing Russian aggression in Ukraine, also in a hybrid form. Estonia has shown constant support towards Ukraine since February, including sharing the lessons learned from our own experience with cyber-attacks. This aid did not go unnoticed by the aggressor, and according to CERT-EE (Computer Emergency Response Team), the 2nd and 3rd quarters of this year showed a significant increase in distributed denial-of-service (DDoS) attacks against Estonia’s public authorities and private sector companies.
The usual count of attempted attacks is around 10 per month, but August hit the roof with 65, and September saw 31. The most significant wave of attacks happened in the last days of August, when over 27 entities were targeted.
But cyberspace monitoring revealed that not only institutions but also individuals were targeted. A massive number of people received scam e-mails, seemingly from the Police; some of the e-mails had a forged court summons attached. The motive for phishing or ransomware attacks is to retrieve sensitive information, extort money or undermine users’ trust when engaging in transactions or services in the electronic environment.
Again, the recommendations from the Information System Authority seem pretty common sense:
- If you doubt the authenticity of the mail, call the official authority for confirmation
- Don’t open attachments or reply to the sender
- Don’t click on suspicious links, as they may transfer you to phishing sites
- Delete the e-mail from your account
Finally, being and staying safe in cyberspace depends mainly on the individual’s actions, and not all threats can be fully eliminated. But thanks to digital systems and monitoring mechanisms, we can find out what is happening and then warn the end-users of the potential risk.
Cyber battle – a new, virtual form of Olympic Games
Estonians have always been firm believers in education and its positive effect. Raising digital competencies began with including ICT education at the primary level as early as the mid-90s. So, no wonder that providing cyber security-related knowledge is also the focus among the youth today.
The third year of Cyber Battle of Estonia was hosted by CTF Tech, where young people aged 15-24 from all over the country teamed up to test their skills in solving real-life cyber security challenges. The tasks range from eliminating malware from the city government’s server or enabling the paralysed city street lighting system to supporting a traffic control tower after it suffered an attack that encrypted all its data. These are the tasks the youth teams are battling over to train themselves to be resilient for future scenarios where many of them will be in charge of the security of public or private processes.
Speakers’ Corner is an article series where the e-Estonia Digital Transformation advisers talk about the digital society and their personal experiences related to using public e-services.