Category Archives: E-government

Liisa Past, Kaur Virunurm: E-State and Proactive Risk Management

The presentation was given in cybersecurity conference “Cyberchess 2017” held on October 5, 2017 in Riga. The presentation touched upon the recent events such as i-voting and the flaw found in the ID card chip.

The last question from the audience was worth a dime:

Is PPA considering any legal action against the vendor, because, as I understand, you have been informed by the researchers, but the vendor has not informed you.
And the second one: in the new procurement, what are are the lessons learned? Are you planing to change or include some clauses on liability?

The question was not answered in full, but the answer would be interesting indeed.



RIA Cyber Security Report 2016

The Estonian version of the report was released already in March.

One interesting piece of information disclosed in the report is the case of targeted attack against the SCADA system used at Viru Keemia Grupp AS. The case was also widely covered in Estonian media.

In 2016, traffic bearing the hallmarks of malware was spotted in the computer network of Viru Keemia Grupp (VKG), an Estonian group of oil shale, power and public utility companies. Software experts found the Mimikatz malware in the VKG office network, used in Windows systems to extract identity credentials (such as passwords, password hashes etc.). [..] Upon further investigation, it was found that a workstation in the SCADA monitoring segment was infected. The workstation was then removed from the network. Network traffic and examples of malware found on computers all pointed to a targeted attack. The malware and control server used have been linked to the APT28 cyber espionage group.

The report also includes RIA position statement on technology backdoors:

From Estonia’s perspective, strong encryption is vital for ensuring trust in the state’s digital services, as all of the e-services provided by the government and many private sector e-services are based on strong encryption (Estonian digital identity). In the longer term, building in backdoors would thus reduce trust in the digital state, but trust is an extremely important value for Estonia. As a result, Estonia has not supported building backdoors into e-services, and the objective and function of RIA continues to be to ensure the high level of trust in Estonian digital identity.


Checking who has accessed your personal data is a challenge in practice


Peeter Marvet dispels the myth of transparency in finding out who has accessed your data in state databases:

For the past 20 years or so Estonian e-government and the X-Road backbone has been promoted with the promise of transparency. Yes, we keep a lot of data, but it is stored securely and you can always check who has accessed it. This means transparency and trust. Or “trust”, as in this The Guardian interview with Toomas Henrik Ilves.

Problem is, there is no such transparency – no notifications, no place to log in and see who has accessed your data. There was one system with such functionality, but it was shut down like 10 years ago (added: there is one system – E-Health’s “patient portal”). And even when it worked, it displayed only trivial amount of accesses [..].

The rest of the databases? I recall a meeting (in the government residence, no less) where the topic was discussed, possibly on a roundtable arranged by the National Audit Office. After some serious googling I found a contact address where to submit a request to get information about who has accessed my data in the Population Registry. It took some months to get the answer, it supposedly had information about who had requested my data available only in the “comments field” and had to be assembled manually. Promoting the idea to requesting such transparency is a good start for denial-of-service attack on Estonian e-government.

Then there was a case when somebody from the Ministry of the Interior was to promote some new legislation mandating more data storage with the argument, that everybody is able to see who has been accessing the data, so it is not a privacy violation. Our correspondence with her ended after couple of rounds, after she was unable to find any proof of solution where I could view the access log.

And don’t get me started on the question of who can purchase the data from our Population Registry or from Business Register. Want to get contacts of unemployed pensioners? Give us your monies! Want to spam every e-resident who has created a company? Sure, all addresses in registry must be business contacts so spam away (and give us some monies)!

Interesting research to conduct would be to submit bunch of requests for personal data access reports to various state database holders and analyze the response time and the detailedness level of the answers.


RIA Cyber Security Report 2015


Some insights:

2015 proved that the continuity of vital services can be affected, or even crippled, by simple ransomware campaigns that weren’t even intended to disrupt those services.

Around-the-clock manned monitoring of Estonian cyberspace has taken place since the summer of 2015. We also adopted new and improved monitoring technologies.As a result of the around-the-clock monitoring, we have prevented, discovered, and reacted to signifcantly more security incidents than in past years.

In 2015, the lessons learned from the CyberHEDGEHOG 2015 exercise, the amendment of the Emergency Act, and the adoption of the European Union Network and Information Security Directive (NIS) confrmed the need for a clear cyber security law that takes into account modern conditions.

In 2015 we became convinced about the necessity of thoroughly analysing both the legal questions associated with using cloud technologies and the risks connected to the integrity and confidentiality of data being processed in the cloud as well as the need to develop sufficient security measures to minimise those risks.

While European Union structural funds have been a welcome source of support for Estonian cyber security development, and indeed for the whole country’s IT development, it is clear that this situation is not sustainable for the country in the long term.


Health data forwarded to cancer screening register despite user’s will


In the second half of June, she had discovered in the health portal that National Institute for Health Development (TAI) had made 16 inquiries regarding her during this year. Looking into it, turned out the queries came from the cancer screening register launched at the beginning of the year.

«I do not agree with the cancer screening register at TAI, or any other register, systematically collecting my health data. Health data are delicate and cannot be collected without permission by the individual. I request that my health data be immediately closed for TAI,» said Mr Sassian’s application to social ministry. However, as pursuant to Public Health Act data is forwarded to cancer screening register even when an individual has closed her data in the system.

Maarja Kirss, adviser, Data Protection Inspectorate:

Meanwhile, Public Health Act lays down rights of TAI to obtain data from health information system to perform tasks prescribed by law. Thus, an individual can only restrict access to health data when a health service provider is concerned, but not from other data processers who the law obligates to process certain data.

Katrin Merike Nyman-Metcalf, technological law professor at Tallinn University of Technology:

There is no basis to think that the ministry is misinterpreting the law; rather, this is a much broader issue: what’s the worth of an option to lock data if these can still be used? Isn’t the option then just an illusion? Simply put: they do provide the option of privacy of data but in reality they use them anyway.


Estonian Internal Security Service (KaPo) Yearbook 2014


In its work to provide cyber security, the Internal Security Service focuses on cyber threats and attacks initiated by a foreign state or those that can threaten national security. Cyber intelligence operations of foreign states directed at Estonia are persistent, streamlined and techno logically advanced. This type of cyber threat is internationally known as APT – advanced persistent threat.

The cyber security section of the report is mostly a compilation of best practices on how to protect information. This seem to be very much EISA’s field of work. The new bits of information are names of malware seen in the attacks:

In 2014, there were repeated attempts by foreign states to penetrate the computer networks of Estonian government departments and access the information therein. Such attack campaigns as CosmicDuke and Ke3Chang can be mentioned as particular examples of malware that found their targets in Estonia in 2014.


EISA Cyber Security Report 2014


Interesting quotes from the report:

In 2014, RIA aggregated its functions related to guaranteeing cyber security in the cyber security branch. Incident response, risk control and regulation supervision, as well as research and development activities are now determined more clearly, which also allows for a more efficient use of resources.

Skilful phishing of cloud service accounts (e.g. Gmail, Hotmail), which has continued at unprecedented levels at the beginning of 2015 as well. E-mails seem to be coming from a seemingly trustworthy source and have significantly improved in quality both content and Estonian language wise, which means that the receiver of the e-mail has to be even more attentive and critical in order to detect the fraud.

Intrusion into websites is more difficult to identify. It is becoming more common that the infector uploads the malware for a very short time period and takes into consideration, which IP-address is used to visit the site. For instance, if users visit the website from Estonia, they receive a different type of malware than the users who access the website from the USA.

In 2014, there was a slight increase in the percentage of incidents that had actual consequences for the institutions and users. For instance, the use of document management system was disabled or, in more severe cases, digital prescription or Schengen information systems were down.

The incidents at the end of the year were mainly virus outbreaks and well-aimed phishing letters, but also distributed denial of service attacks, many of which did not last for a very long time, but according to RIA’s estimate, seemed to be mapping the resilience of systems.

As the life cycle of all algorithms is limited, the time to act in order to update all the cryptographic methods of services is even more limited. At some point, it might appear that smooth transition period has not been sufficient; e.g., when powerful quantum computers are used to break the cryptography. We need to have an action plan for the scenario when any of the algorithms important for some Estonian e-service has been broken. RIA sees a clear need to have such plans and to rehearse them.

The results of the Eurobarometer 2014 survey showed that Estonians trust the state as the guard of personal data more than in Europe on the average. Estonians are also less worried about the consequences of cyber-attacks and claim to be good at identifying fake e-mails.

On 1 July 2014, the Act for the Amendment and Application of the Law Enforcement Act entered into force. Pursuant to this act, starting from summer 2014, RIA is a law enforcement body. According to the changes, the Technical Regulatory Authority’s supervisory competency of guaranteeing the security and integrity of communication networks and services set in the Electronic Communications Act was transferred to RIA. The same draft also established RIA’s supervisory competency in the Emergency Act and the Public Information Act.

On 11 September, the government approved the “Cyber Security Strategy for 2014–2017” and its implementation plan. The strategy continues to target several goals set in the previous cyber security strategy, but there have also been new risks and requirements added. The dependency of the functioning of the state on information technology has increased and cross-dependencies have also increased, meaning that the provision of several critical services is no longer dependent on the functioning of Estonian IT-systems but also on the infrastructure and e-services in other countries.

In 2014, RIA, in cooperation with its partner organisations, developed common principles of readiness for emergency and cooperation in case of large-scale cyber incidents. An interagency working group lead by RIA prepared the draft for the Government of the Republic’s order “Plan for solving a large-scale cyber incident emergency”.

In addition to reacting to everyday vulnerabilities and risks, the key words for RIA in 2015 are improving the monitoring and resilience of the government network, cooperation with the field of medicine and solutions and risks related to the e-residents programme.


BSA Report: Estonia one of most cyber-secure countries in EU


According to the recently published Business Software Alliance (BSA) report, Estonia, Austria and Netherlands are the most cyber-secure countries in Europe.

Although there are no overall rankings or scores in the study, Estonia comes out on top in terms of having in place the legal foundations and operational entities for tackling cyber-security issues. What it could do next is create sector specific cyber-security plans.

The report also found that while no formalized public-private partnerships exist, public entities do work closely with relevant private sector organisations.


e-Governance Academy planning to create a strategic cybersecurity index


For 2015, the academy has other exciting work underway. As part of a joint project with the Estonian Foreign Ministry, Finland’s Aalto University, and Norway’s Info and Cybersecurity Institute, the academy is planning to create a strategic index to measure cybersecurity performance in different countries.

According to the academy’s cybersecurity program director Raul Rikk, the index should give entrepreneurs, planners, scientists, and other interested parties information about the levels of cybersecurity of a certain state or the levels in specific areas of online security. The specific focus is going to be defined in the first half of 2015 and the pilot project will be tested in a few countries first. If the trial is successful, the index could go global.

“The index would be beneficial with services like e-residency. If Estonia or some other country wanted to provide its e-services outside of its own country to a large number of people, the question – are the e-services of this country secure and reliable? – arises. Can the user be sure that the state is giving enough attention to the protection of its cyberspace?” Rikk said.

It seems that there already exists Global Cybersecurity Index.


Jaan Priisalu director general of EISA resigns


Estonian Information System Authority (EISA) director general Jaan Priisalu submitted an application to leave for personal reasons from his office on 19 January 2015.

“Jaan Priisalu is a reputable international cyber expert who has built up a cyber capacity to world level. I thank him for that,” said the Secretary General of the Ministry of Economic Affairs and Communications Merike Saks via a press release.

The contest will be announced to find a new head of EISA.

Estonian Information System Authority (RIA in Estonian) organizes activities related to cyber security in Estonia.