With an eye on Russia, Estonia seeks security in computing cloud

After cyber attacks in 2007, tech-friendly Estonia plans to move government data to computing clouds.

TALLINN, ESTONIA (DECEMBER 2, 2015) (REUTERS) – Concerned about its assertive neighbour Russia, Estonia plans to upload much of its government data to computing clouds to guard against security threats, enabling the Baltic state to be run from abroad if necessary.

Estonia is one of the world’s most wired countries with 95 percent of government services online. You can vote, register births and cars, sign official documents and set up businesses online, often in a matter of minutes.

Estonian Prime Minister Taavi Roivas told Reuters on Wednesday (December 2) that the online migration would help in “keeping the services running”.

“From embassies, from virtual embassies, the technical solutions are possible to deliver in different ways. But the idea is that whatever happens to keep the continuity of the services,” he said.

But online progress brings risks. Estonia, a country of 1.3 million people, wants to ensure what it calls “digital continuity” – mainly in the face of cyber attacks, especially from Russia. The government aims to finish the first phase of the data migration in 2016.

The Baltic states of Estonia, Lithuania and Latvia have been especially concerned about Russia since it seized Crimea from Ukraine last year. Memories of Soviet rule, which ended just over two decades ago, remain fresh among politicians and voters in the three countries.

In what officials say was a wake-up call, Estonia was hit by cyber attacks on private and government Internet sites in 2007, which peaked after a decision to move a Soviet-era statue from a square in the capital, Tallinn, provoked street protests by Russian nationals and a diplomatic spat with Moscow.

State websites were brought to a crawl and an online banking site was closed. Estonia at first blamed Russia for the attack, but the Kremlin denied involvement.

But Roivas is confident that the new cloud system will bring greater security.

“It’s very, very unlikely that anyone can hack into the systems. These kind of cyber attacks, I can’t say we’re not worried about, but we have means to address those. But what is somewhat easier to arrange is simply to block the traffic by just overcrowding the traffic. And for those reasons it’s very, very easy to find alternatives where you have the system in the cloud,” Roivas said.

The broad plan is two-fold: cloud technology to back up data from cyber attacks or natural or human-made disasters and possible off-site servers in Estonian embassies abroad.

Every Estonian resident has a digital number that allows access to government services and e-payments. While other European countries, including Germany, have balked at adopting such an idea, in Estonia there is little controversy over citizens having digital “fingerprints”.

“Basically, we like to say that everything below from Denmark is the stone age,” the government’s chief information officer, Taavi Kotka, said.

In the private cloud servers, the government envisages guarding against cyber attacks on digital monuments — websites such as the presidential one which do not hold crucial data but which, if attacked successfully, would mark a symbolic victory for hackers.

Secondly, government data and services would be uploaded into a cloud. By 2016, open data including the land ownership registries and the state gazette of laws are planned to be backed up in commercially available clouds from the likes of Amazon and Microsoft.

Estonia does not keep paper copies of laws and legal acts are valid only after the gazette publishes them online.

But officials are still reluctant to back up sensitive personal information such as medical records on cloud technology run by private companies. Classified police and military files may also never be uploaded.

“I can’t see in the first round, I can’t see medical data, for example, going to the cloud, public clouds,” Kotka said, but added that such information may go up in the “second or third wave”.

“Data integrity is actually the biggest concern. Like, that nobody is able to access and change something like, you know, patient blood types, for example. So those are the like, most important concerns for us. Because we believe that like Google, Microsoft, whoever is the provider they are able to guarantee the physical defence and all those kind of things — but data integrity is an issue,” Kotka added.

Last year, the government successfully experimented with backing up the Estonian president’s website and the electronic State Gazette on a Microsoft cloud computing platform.

The technical hurdles are not huge. The real estate register has no photos or videos, so the text files in this first phase of uploading will need relatively little storage – somewhere between 20 and 40 terabytes.

The plan that allows for government services to be run from servers based in Estonian embassies abroad in case of disasters or attacks will take longer to implement. There are legal uncertainties and technical issues. But the ambition is there — one day, perhaps, even a “country in the cloud”, according to Kotka.