As part of my presentations about the advantages of digital services in Estonia, questions about cybersecurity pop up very often – as they should! “Is my data safe online?” I wish the answer were an unambiguous “Yes!”. But the more honest proposition is that nothing is unhackable: Paper files can be edited, replaced, copied, and destroyed forever, and on a fundamental level, the same is valid for digital formats. Recently, Estonia was reminded of this undeniable truth.
On 1st December 2020, the Estonian Information System Authority (RIA) announced that three government ministries had reported cybersecurity incidents in November, which resulted in significant breaches of personal data and other records. The three attacks bore similar signatures and exploited similar weaknesses in the web server infrastructure. 350GB worth of data were lifted from the authorities:
- Data regarding the containment of infectious diseases which affected 9158 people
- Public records and mostly expired “For Official Use Only” and “Restricted” documents
There are indications that the tactics and procedures for the breach are by no means novel, and indeed freely available software was used to accomplish this. The National Criminal Police has initiated an investigation regarding unlawful access to the computer systems, as they should; cyberattacks are a serious crime. Arguably, however, so is criminal negligence. Suppose the investigation report concludes that some specialists in the ministry demonstrably failed to fulfill their duties and keep the safeguards of the databases up-to-date. In that case, there must be consequences to maintain the trustworthiness and international standing of the Estonian e-government system. Losing 350GB of government data, no matter how old or public is not akin to dropping a plate in a restaurant and keeping your job as a waiter anyway.
With all of this being said, there are plenty of good takeaways as well. First of all, RIA has continued to be as proactive and transparent about the state of digital affairs in Estonia. Whether we’re talking about the current case or the theoretical weakness in some of our ID-cards’ chips in 2017, I believe open communication helps retain the trust of the public and also gives us the tools to discuss how to improve the situation. In connection with this, Estonian government institutions are known for their timely dissemination of those facts: the ministries reported the incidents in November, and the press conference was held on 1st December. Most governments try to bury such unpleasant news for as long as possible.
Actually, that’s not quite correct. Most governments don’t even find out about those breaches until it’s way too late. According to IBM, in 2020 the average time to both identify and contain a breach was 280 days. The SolarWinds breach that affected US government authorities and private sector companies alike first took place in March and the issue is still not resolved. The Estonian Health and Welfare Information Systems Centre (TEHIK), meanwhile, was able to block the hackers’ access within 8 hours of discovering the attack. To me, this is remarkable and also a testament both to the safeguards built into the system and the cybersecurity specialists working in the public sector.
Strengthening our collective security
Finally, there is one argument that I personally am still torn on and it goes like this: “We will learn a lot from this incident, and it helps us be better in the future.”. I don’t think that the picture is quite as rosy as that. People messed up. Data was lost. Not their own data, mind you, but in part personal data of other people. Still, I am certain that the authorities will learn from this. Crucially, RIA will share details of this incident with its partners in the European Computer Security Incident Response Team (CSIRT) community. At the end of the day, cyberattacks are quite agnostic towards national boundaries and so the least we can do is talk about our findings as openly and candidly as possible. Every shred of information about the nature of cyberattacks can help strengthen our collective security.
We will be sharing valuable solutions on January 21st
As we at the e-Estonia Briefing Centre want to stay ahead of the curve and help you to do the same we will be hosting a high-quality online seminar on cyber security on January 21st, 2021 at 11 AM (GMT+2). Three leading Estonian cyber security companies Cybernetica, Veriff, and Cybexer will present their solutions for keeping cyberspace secure. Save your spot now 👉 https://e-estonia.com/digital-discussions/