Estonia redefines national security in a digital age

Estonia’s ambitious plan to protect the digital identity of its citizens and rewrite international cyber-security law.

Estonia is leading innovation in cyber security and protection of digital data [Molly McCluskey/Al Jazeera]

Tallinn, Estonia – If the next world war will be fought in cyberspace, recent events have shown the first shots have already been sent across the bow.

With several nations currently recovering from, or preparing for, cyber attacks, one former Soviet republic is launching an ambitious new programme that would protect its people, rewrite international law, and ultimately have wide-scale implications.

As Russian tanks rolled into Crimea last summer, Estonians were also preparing for a possible invasion. Known as the “tech capital of Europe”, officials of the Baltic state put renewed focus on an innovative plan to protect the country’s vast digital identity, through the creation of what they call “data embassies”.

Officials see these data embassies – online storage and remote servers that would be afforded the same protections as traditional embassies – as integral to the nation’s security.

Estonia’s Cyber Security Strategy for 2014-2017, released in early 2014, included a key provision under “Ensuring digital continuity of the state,” that declared: “E-services, processes, and information systems [including digital registers of evidential value] that are essential for the digital continuity of the state are constantly updated and mapped, and they have mirror and backup alternatives. Virtual embassies will ensure the functioning of the state, regardless of Estonia’s territorial integrity.”

The new Cold War

The project plans to use cloud technology and off-site servers to ensure all Estonian registries – from public records such as property ownership to secure ones like population records – will be duplicated and stored internationally, with an instantaneous, entirely virtualised, back-up process. Born of advancing technology several years ago but bogged down by bureaucracy, the concept was recently renewed by fear.

The past looms large over Estonia, which was occupied by the Soviet Union from 1940-1991.

Its memberships in the EU and NATO couldn’t prevent a wide-scale DDoS attack in 2007 that came close to shutting down Parliament, the president’s office, the country’s largest bank, many news outlets, and other vital services.

A Russian official later publicly confirmed the Kremlin’s connection to the attack.

The past two decades have seen disputes over how and where the border was drawn, allegations of human rights abuses against Russians living in Estonia, and growing tensions as Estonia becomes more integrated into the European Union.

In September, an Estonian counter-intelligence official was kidnapped at the Russian border, and taken to Moscow, where he was put on television and called a spy by Russia’s FSB, the successor to the Soviet Union’s KGB.

‘Crazy neighbour’

With such a history of events, both far and near, the threat of a Russian invasion is never far off.

Toomas Vaks, director of cyber security at the Estonian Information System Authority, said that in discussions with his colleagues, they asked each other: “What will happen if we were to lose our independence? If somebody, like our crazy neighbour, were to occupy our country? What would happen next?”

If Russia were to occupy Estonia, Vaks said, it was his team’s job to ensure the state could still function. The key to that, he said, was ensuring the integrity of the data.

“This idea of trying to protect knowledge and ideas and people is age-old,” said Mark Hagerott, the deputy director of the US Naval Academy’s Centre for Cyber Studies.

A digitally savvy conquering nation can not only occupy land, it can also alter a person’s history – discredit a few of the nation’s most prominent citizens, undermine their research through propaganda, claim they’re plagiarists and thieves, delete records of patents – and the country’s intellectual bank is robbed.

“People’s identities are so important that you have to preserve the cryptographic hash – the knowledge of that person, to say this is the real record, this is the real identity, this is the real DNA,” Hagerott said.

Taavi Kotka, the deputy secretary general of ICT at the Ministry of Economic Affairs and Communications for Estonia, calls himself the country’s chief information officer, and has taken on the data embassies project as his personal mission.

“War has a different meaning now. We have a very aggressive neighbour that is run by a madman,” he told Al Jazeera at his office in Tallinn. “We need to ensure the digital continuity of our people.”

Digital pioneer

That Estonia would be the pioneer of such a project is a result not only of its history with Russia, but also its role in creating some of the most ground-breaking and disruptive technology in Europe.

The country is home to Skype, which revolutionised telecommunications; the international peer-to-peer currency exchange website Transferwise, currently disrupting the banking industry; and the tech incubator Garage 48, which helps entrepreneurs develop a new product or application from idea to prototype over the course of a weekend boot-camp.

Estonia’s Parliament recently approved “e-residencies” for non-Estonians wishing to establish a digital identity in Estonia to streamline conducting business within the country’s technological infrastructure, making Estonia the first country to do so.

A sophisticated system manages policing, Estonian Parliament, social welfare and other state services, all through a centralised, identity-based database that is one of a kind in the world.

Nearly all Estonians have an identity card with an encrypted barcode that can be loaded with everything from property records and taxes to library cards and transit passes, and the information is managed and protected through a series of safeguards that ensures no one in the government will access it improperly.

Estonia’s reputation in cyber space transcends European borders.

Taavi Kotka [Molly McCluskey/Al Jazeera] 

In 2013, Estonia and the United States signed a bilateral agreement, “The US-Estonia Cyber Partnership Statement,” that calls for cooperation in cyber security and cyber defence: exchange of best practices, critical infrastructure protection efforts, and technical information.

In signing the agreement, Secretary of State John Kerry said, “This is an effort that guarantees that a country like Estonia, which has been a great partner in fighting for internet freedom, is going to help us to build our law enforcement capacity, education capacity, civil society, and provide unfettered access to people for the social media and the internet, even as we manage complex problems in the internet.”  

Like many governments, Estonia already backs up many databases physically, then couriers them to its brick and mortar embassies around the world. But the country’s growing dependence on digital services has made the delay and limited storage capacities of servers at embassies a hindrance.

Future in the cloud

“The goal is to move the servers out of embassies where you don’t have proper cloud storage infrastructure,” Luukas Ilves, counsellor for digital affairs, permanent representative to the EU, and the son of Estonia’s president, told Al Jazeera at the Estonian embassy in Washington, DC.

“You can put a rack in the basement [of an embassy] but that doesn’t have all the security, and most importantly, the standards of safety or liability that you would get in a data centre.” 

Despite the safety standards, data centres are not currently under the jurisdiction of Articles 22 and 25 of the Vienna Convention, which governs diplomatic properties and communications, respectively.

“The legal framework, it will be changed. Definitely. It is going to happen. This is a normal process,” said Vaks.

Once fully functional, the data embassies system will exist outside the scope of a country’s foreign properties, and will live in third-party, often non-governmental, sites.

In the event of a true emergency, such as a ground invasion or cyber attack, the government would flip a metaphorical switch and all data, sensitive or not, would be either uploaded instantaneously or already backed up, so that domestic servers could be removed or destroyed to be kept from enemy hands.

Although on a much grander scale, it will be similar to Dropbox running back-up on a personal laptop – if the laptop is destroyed, the data can still be accessed securely, with the added benefit of being protected by international treaties.

Estonia is not the only country exploring methods of offshoring its public sector and IT platforms.

According to Ilves, neighbouring Baltic countries Latvia and Lithuania have advanced similar programmes, as have the UK, Denmark, and the Netherlands.

However, Estonia’s proposed data embassies are unprecedented in ambition, in that it’s the only programme attempting to gain the full protections granted to traditional embassies, and essentially rewrite international law in the process. 

Once fully realised, the model could benefit countries around the world and help protect digital information from not only hostile neighbours, but also natural disasters, civil war, and mass emigration.

Technology itself is another challenge, as it continues to evolve faster than the project.

Keeping up with tech

The security protocols of two years ago now seem antiquated, and a project that relies on today’s technology will be well behind the curve two years from now.

But Sven Kivvistik, cyber security head of risk control at the Republic of Estonia Information System Authority, said having a methodical and deliberate roll-out will ultimately benefit the digital embassy project.

“If we had a complete plan, this phase of deployment, that stage of deployment, etc, this goal is next year, or next month, we would take ourselves hostage. By taking it step by step, we can be flexible,” Kivvistik said.

Most of Estonia’s non-sensitive records are already housed in third-party servers, including Amazon Cloud, which the government has used since 2009.

“You just have to understand what kind of information you can put there,” Kotka said. “You can backup data that is not sensitive. But for sensitive information, I think the world’s not ready for that yet. I think these big companies have to earn some respect and trust before this can happen.”

Despite the lack of trust with larger companies, Kotka said Estonia is working with Microsoft to create a custom programme that will meet all of the country’s security needs, using non-sensitive information as a beta test.

They’ll continue to incrementally trust the company with increasingly sensitive information as the programme develops, until all sides are confident the sensitive data will be fully secured, and protected under the same provisions as filing cabinets of documents in traditional embassies.

The caveat? In case of an invasion, Kotka said he’ll upload all the data at once.

Officials at Microsoft did not return requests for comment.

Ilves said the data embassies project also serves as a benchmark for broader conversations about the nature of tech and security in the European member state known for setting the continent’s digital trends.

“Before we get to the point where we can actually have fully functioning data embassies and we can flip that switch, we’re going to fall through a lot of other problems that we’re still dealing with regarding virtualisation, data infrastructure, encryption, security aspects, and some of the legal issues of the data. So instead of having this general process, we set this very clear benchmark, which makes it easier internally, to get funding and buy-in, to get to this very specific outcome.”

It remains to be seen whether the outcome will be as dramatic as protecting its citizens’ virtual identities from a marauding neighbour, or merely protecting its reputation as the creator of the most ground-breaking technology in Europe.

Regardless of the result, Estonia’s mission to create data embassies is redefining security in the digital age, and the treaties, laws, and players required to keep a nation safe.

Source: Al Jazeera