The amendments in the State Secrets And Classified Information Of Foreign States Act, which will define a state secret any classified information related to cyber security or critical information infrastructure protection, will increase number of officials who will have access to state secrets and their responsibility towards their employers.
Estonian Internal Security Service (KaPo) is responsible for maintaining information about people with state secrets clearance.
“KaPo has never disclosed how many people exactly have the right to access the state secrets and classified information of foreign states. It is clear that these (cyber security) persons now will also need the access, but precise number we will not disclose.” said KAPO spokesman Harrys Puusepp.
“The need to access state secrets is always derived from the particular job description, it is not granted for fun. The employer’s primary responsibility is to protect state secrets, and now he will also have a sufficient possibility to do that. The amendments to the Act will certainly help to do that.” added Puusepp.
According to Interior Ministry spokesperson Toomas Viksi the amendments of the Act primarily concerns employees of Estonian Information System Authority (EISA).
The head of EISA PR department, Rauno Veri said that today EISA staff already have the necessary clearance thus the amendment will not raise the number of people eligible to access the state secrets.
In mid-December the government passed a draft making an obligation for officials having access to state secrets to inform about their private trips abroad. The list of countries will be established by the Ministry of the Interior. Viks noted that the obligation to notify will not apply to European Union, the Schengen Agreement and NATO member countries.
Additions to the current version of the State Secrets And Classified Information Of Foreign States Act:
Paragraph 10 [list of State Secret subcategories] is amended by clause 9 as below:
EISA risk assessments, monitoring data, information gathered during supervisory actions about critical vulnerabilities in information systems; to the extent that such information contains technical data on the critical vulnerabilities of the information systems of: constitutional institutions, government agencies and their subordinated institutions; vital service providers, international organizations which security is provided by Estonia; and, if the revelation of such information to the irrelevant parties could raise the risk of a security incident in these fields, except such information, which, if revealed, will not endanger the security of the Estonian Republic; such information will be classified up to 10 years on “restricted” level.