This article was published in The Straits Times on August 9, 2018.

The small country is a digital powerhouse, being a world leader in government e-initiatives. And it takes a tough and also unique approach to cyber security, with citizens heavily involved.


Visitors to the small Baltic state of Estonia would be able to recite this phrase by the time they leave: “There are only three things you can’t complete online in Estonia: get married, get a divorce and buy a house.”

It has become the tagline on every marketing material about Estonia’s e-government and on the lips of every tour guide.

In a short span of two decades, the once-repressed society under Soviet Union rule is now a digitally advanced high-income economy. Estonia has a population of only 1.3 million people and a gross domestic product (GDP) per capita of US$18,977 (S$25,890), one-third of Singapore’s.

Its e-initiatives are also well regarded among the ranks of digital governments around the world – something one would not expect of a place dotted with churches and hilltop fortresses.

For instance, in 2005, Estonia became the first state in the world to hold elections over the Internet, thanks to the pervasive use of a national digital identity system, or e-ID. It is still the only country in the world to let citizens vote online. And, in 2014, it was the first state to provide e-residency.

What are the lessons from Estonia’s road to digitalisation, and how does it defend its e-assets in today’s climate of heightened cyber threats?

STRIKING OUT ON ITS OWN

After breaking away from the Soviet Union and regaining its independence in 1991, the timing was right – on the cusp of the new information superhighway, as it was then – for the newly invigorated Estonia to start building digital citizen services. The financial crisis that hit Asia and Russia in the late 1990s provided the extra boost.

Said Mr Siim Sikkut, the government chief information officer of Estonia: “Our government started slashing budgets after 1999. We had some experiments with digital initiatives and decided to go big with them to deliver the cost savings.”

He added in an interview with The Straits Times: “We have to be an efficient economy and government. We are building the country with very few people.”

What ensued was the launch of an electronic tax-filing system in 2000. Then, in 2002, a mandatory e-ID system started providing citizens with safe online access to all e-government services as well as commercial services such as e-banking and utility bill payments. The e-ID system also allows for the secure digital signing of confidential banking and legal documents.

In 2007, a massive distributed denial of service (DDoS) attack believed to be linked to Russia provided a wake-up call for more safeguards to defend the e-assets Estonia had painstakingly built over the years.

DDoS attacks work by having thousands of malware-infected computers accessing and overwhelming a targeted site, causing a huge spike in traffic in the hope of taking the site down.

The attack disrupted e-government and e-banking services in the Baltic state for weeks, said Mr Sikkut, who was formerly digital adviser to the prime minister of Estonia. “It led us to a few conclusions – that a distributed architecture where there is no single point of failure is way more resilient,” he added.

Since then, the Estonian government has located its critical servers and databases in multiple physical sites within the state – so when one site is ravaged, say, by fire, the other locations can take over. Its different databases are stored in different locations. For instance, citizens’ e-health and e-ID records are stored in separate data centres.

It has also built a data centre in the tiny neighbouring country of Luxembourg to ensure that Estonia continues to be operational virtually even if the worst-case scenario happened – that is, if the country were to be physically destroyed, said Mr Sikkut.

Estonia is looking to set up data centres in more overseas locations next year as part of ongoing contingency planning.

Singapore has a similar set-up to provide backup services if one site fails.

But it has not been made known how many government data centres there are, and if databases reside in overseas servers.

TAKING THE CUTTING-EDGE APPROACH

Some observers argue that Estonia benefited from starting out in tandem with the dawn of the Internet age. Thus, it does not have many legacy system problems to deal with.

Because of its smallness, Estonia is also nimbler and is able to be more adventurous with its tech exploits – unlike many more populous nations.

One of its edgy projects is the use of home-grown firm Guardtime’s blockchain technology to establish a tamper-proof audit trail for government IT systems and databases.

A blockchain is a decentralised public digital ledger that is used to record transactions across many computers so that the records cannot be altered retroactively without the consensus of the computer network. The technology has been made popular by the rise of digital currencies such as bitcoin.

A tamperproof audit trail in the e-health database allows patients to track every probe into their electronic health data.

“That is the ultimate safeguard – I can see what happens to my data, who looks at it and why,” said Mr Sikkut, noting that transparency and accountability are what will gain citizens’ trust and buy-in on new digital initiatives.

About 5 per cent of public officials on the Estonian government’s payroll are IT staff, managing and safeguarding the state’s e-assets. This translates to about 1,200 IT staff who keep the systems up and monitor unauthorised intrusions, among other things.

COHESIVE SOCIETY

Estonia’s bumpy road to regaining its independence over the last century and the massive DDoS in 2007 also provided the impetus for greater social cohesion.

It comes in the form of the Estonian Defence League’s Cyber Unit, a voluntary organisation aimed at protecting Estonian cyberspace. Formed in 2010, the unit’s mission is to protect Estonia’s high-tech way of life, supporting its broader national defence objectives. The unit has thousands of patriotic individuals with IT skills.

The volunteers in the unit are governed by the motto “all for one, one for all”, as depicted in the 1844 French novel The Three Musketeers, said Mr Marten Kaevats, who is the current digital adviser to the prime minister of Estonia.

What this means is that the IT professionals will come out in force to defend Estonia even when one sector or organisation is attacked.

“For instance, if one bank is attacked, all the other banks will come and help,” said Mr Kaevats.

This is deemed to be necessary for the survival of any nation amid rising cyberthreats, many of which are politically motivated.

Singapore, too, has been the target of politically motivated attacks.

The most recent one involves the breach of 1.5 million SingHealth patients’ data revealed last month. The Singapore authorities said the attack on the SingHealth group of public hospitals and clinics was the work of a state-linked group.

To be better prepared for such warfare, both Estonia and Singapore have taken a leaf from Israel’s book, having recently started a cyber-security vocation in national service to allow tech prodigies to receive training in hacking techniques and forensic investigations.

Estonia’s digital army of 150 hackers was formalised last Wednesday while Singapore started its cyber warfare training late last year.

“The model of warfare has morphed into cyberspace and we need to be prepared,” said Mr Sikkut.

Estonian citizens have also been marshalled as cyber defenders as the “ultimate backup”, he added.

Here is where the audit trail provided by blockchain technologies comes in handy. By allowing citizens to check who has accessed their data, citizens provide the first line of defence on unauthorised intrusions.

While Singapore has gone ahead to implement a sweeping measure to better safeguard its systems by creating an “air gap” between the Web and the work computers of all 143,000 public servants, Estonia is not too keen to apply the measure broadly.

By air-gapping its systems, the Government has essentially removed Internet surfing on the systems – to prevent data leak and malware infection.

There are trade-offs in efficiency, which Singapore’s Health Minister Gan Kim Yong admitted in Parliament on Monday when asked about the impact of air-gapping the computers of all public hospitals – implemented since the SingHealth cyber attack.

For instance, the reading of diagnostic reports from laboratories and assessments of suspected stroke patients at the emergency department take a longer time.

Mr Uku Sarekanno, the Estonian Information System Authority’s director of cyber security, pointed to more drawbacks.

Employees may find convenient workarounds that may compromise security. Instead of working on the company-issued computer, they may type work-related data into, and work from, an unsecured personal device, Mr Sarekanno said.

In Estonia, an “air gap” is required by law only for systems handling classified information such as those pertaining to national security and international relations. Most of the information used by its 24,000 government officials is not classified.

Some experts view air-gapping every system as an interim solution to buy time to allow one to regroup and strengthen defences. Meanwhile, the benefits of going digital are calling, and there is too much to lose not to answer this call.

Take Estonia. Its e-ID system is estimated to have saved the society 2 per cent in GDP a year by eliminating paperwork from both the public and private sectors.

And as many Singapore politicians have notably said over the past few weeks in the aftermath of the SingHealth breach: “We cannot return to the days of paper and pencil.”


Written by : Irene Tham
Original article can be found here.