The Estonian government is launching an innovative defense project based on a public-private partnership, in close collaboration with other European states. Partially crowdfunded, it promises to deliver cutting-edge technology at an historic moment in time.
Just what you’d expect from one of the world’s most connected nations, right? Except the year is 1936 and the project is Lembit, a Kalev-class submarine which was funded by public subscriptions and built in the UK. Today, Lembit is retired and the star attraction of the Estonian Maritime Museum in Tallinn. But it’s proof that, from its earliest days, the Baltic nation has understood the power of thinking differently, embracing technology, and involving citizens.
“Estonia’s approach to cyber security is driven by public-private partnership, and a sense that everyone has a role to play – much like when they all pitched in for the country to buy its own submarines,” says Luukas Ilves, Counsellor for Digital Affairs at the Permanent Representation of Estonia to the EU. “It’s also one more episode in a long history of Estonian defense cooperation with the wider world.”
Estonia, patrolled by Lembit, was forcibly subsumed into the USSR during World War 2 and regained its independence in 1991. As the country emerged peacefully from the collapse of communism, it made a bold choice: rather than continuing to use outdated paper systems, the country decided to embrace digital technology. A key component of the journey to e-Estonia was the “Tiger Leap Program”, launched in 1996. It put computers in schools, connected students to the internet, and trained educators to teach coding.
By the late 1990s, all Estonian schools were online and large investments had been made in computer networks and infrastructure. It wasn’t just for the benefit of children though. Estonia’s public libraries soon became internet hubs, enabling older people to access government services online. Fast-forward twenty years, and the country is now a byword for digital leadership worldwide.
“The Tiger Leap project ingrained itself into our culture. It’s become second nature to every Estonian that things are digital,” says Ilves. It’s a busy time for the Perm Rep, as the embassy to the EU institutions is informally known – Estonia holds the presidency of 28 countries for the second half of 2017, for the first time ever.
Estonia’s EU Presidency is a time for e-evangelism, and working on everything from opening data embassies abroad, to using tech in soil management. “For the last 20 years, Estonia has witnessed the transformative effect of digitalization on society,” the official literature explains. “Many are now calling the Estonian Presidency ‘the digital Presidency’ because of our ambition to realize the benefits of a digital society for every European.” But the journey here wasn’t straightforward.
In April 2007, Estonia was subjected to an unprecedented cyberattack which shut down government, bank and media websites. In what Wired magazine called “Web War One,” crucial websites were bombarded with Distributed Denial of Service (DDoS) attacks, where websites are suddenly swamped with traffic. Bank machines stopped working and crucial internet infrastructure ground to a halt. Over several weeks, the country learnt vital lessons about cybersecurity.
Marina Kaljurand was the Estonian Ambassador to Russia at the time. “My role was to find ways of co-operating with Russian officials, on attribution and on stopping the attacks coming from Russian territory,” she recalls. “Unsurprisingly, it was impossible.”
But Ms. Kaljurand, who later became Foreign Minister, notes that Estonia learnt three lessons from the episode, which now influence the cyber policies of countries worldwide.
“First, each country has to have their own house in order,” with clear laws and strategies for the obligations and responsibilities of ministries and institutions. Nations “should have an action plan, a strategy or a law that clearly defines what the obligations and responsibilities of specific institutions are.”
Secondly, although governments have major responsibilities in terms of exchanging, authenticating and protecting the integrity of data, they can’t do it alone. “In 2007, the private sector came to assist the Estonian government,” Kaljurand explains. “They were mainly IT geeks employed by banks, who were so well-paid that we couldn’t afford them.”
These experts assisted the government voluntarily, advising them on how to respond to the attacks in the immediate aftermath. This experience led to the creation of a unique institution, the Estonian cyber defense unit. This is a voluntary military organization which is ready to respond to online attacks. “They are lawyers, economists, IT experts, united in their readiness and willingness to operate with government,” Kaljurand says. She compares them to the Forest Brothers, Second World War guerrillas who fought against the Nazis in the Baltic States.
The third lesson is international cooperation. Let’s not forget, the submarine Lembit was built in the UK. “You can do miracles at home,” but it’s meaningless if countries don’t forge links with other countries when it comes to digital issues. “Cyber does not have borders,” adds Kaljurand. International cooperation on cyber issues is something Estonia has been at the forefront of changing. “When we joined the EU and NATO in 2004 and brought up the topic of cybersecurity, nobody took it seriously.” They do now.
Kaljurand is also pondering the question of how countries can respond to future attacks. “What is the diplomatic toolkit in the case of cyberattacks? How do you respond? In the offline world, there are sanctions and political statements, but now we need to bring this closer to online life.” Even within the EU, she adds, there is division. Some countries are seizing the opportunities offered by digital while others see them as an inconvenience.
“There is a digital divide and an ideological divide,” she adds. “I see discussions in the UN where on the one hand like-minded countries see the benefits of using digital services… and others do not.”
2007 was a wakeup call for Estonia, Kaljurand concludes. It increased digital awareness and accelerated the digital transformation of society. Nowadays, first graders are already learning programming and the basics of cyber hygiene. But the transformation is even more profound. Two years ago, Estonia became the first country in the world to offer e-Residency, a “transnational digital identity that anyone in the world can apply for”. But world firsts need solid foundations.
In 2011, the Estonian Information System Authority (RIA) was established to administer the country’s information systems. “What makes us unique is that we are not only a cybersecurity agency, we are also responsible for the core e-government systems,” explains Taimar Peterkop, Director-General of the RIA since 2015. “We are using these platforms to build security by design, with different layers in our services.”
Those services include digital identity, digital signature infrastructure and X-Road, a data exchange layer for information systems. This doesn’t sound very sexy, but it’s one of the reasons Estonian citizens trust their government: they’ll never be asked for the same piece of information twice.
“We don’t have a centralized database, it’s quite the opposite,” adds Peterkop. “RIA doesn’t hold citizens’ data, the data is all in different databases,” such as the vehicle registry or another relevant department. “When a government agency needs some data, and another government agency already has it, they don’t ask the citizen for it again.” By law, this data must be securely retrieved via X-Road.
Since 2005, digital identity technology has also enabled citizens to vote online. The system is more secure because there’s no correspondence via email or SMS, and the same ID cards can be used for digital signatures. “The use of digital signatures saves 2% of GDP annually,” says Marina Kaljurand. “Imagine if the whole of the EU was to adopt them.”
One of the Presidency’s many digital firsts came on October 25th, when the European Parliament signed a Regulation electronically. “We should use the momentum of the Estonian Presidency to promote more digital solutions,” said the President of the European Parliament, Antonio Tajani. “This signature is a demonstration of how digital solutions can work in practice.”
Are these systems infallible? No. And knowing that is partly why they are successful. Some of the code for the ID cards is public, meaning anyone, from security researchers to hackers, can examine it. Earlier this year, an issue was discovered. “We were approached by Czech scientists who said that there were likely to be vulnerabilities in the chips we were using on our ID cards,” says Kaljurand.
These theoretical vulnerabilities affected 750,000 ID cards, but a software update was soon issued. Other countries and companies using the same chips have also fixed their systems. The RIA continues to issue detailed updates on the situation. In Estonia, it seems honesty is the best policy. As a result, trust in the system is unbroken – and the spirit of innovation that created Lembit over 70 years ago endures.
“We are like pioneers, we are discovering new things but we are also facing new vulnerabilities,” concludes Kaljurand. “That’s OK, that’s life. There will always be challenges. We’ll overcome them, and we’ll continue on our digital journey.”