Estonia – best target for cyber crook

Aivar Pau
, tehnoloogiaajakirjanik
Please note that the article is more than five years old and belongs to our archive. We do not update the content of the archives, so it may be necessary to consult newer sources.
Photo: Eero Vabamägi

Taimar Peterkop (38), recently appointed head of Estonia’s Information System Authority (RIA), considers it his mission to raise state e-services to a new level and make communication easier between state and citizens. Regarding cyber security, Mr Peterkop says Estonia is among the best targets – having the stuff to attack.

In office now for a month, have you gotten greater clarity about your mission as Estonia’s IT-chief?

We are all concerned for the Estonian state. For such a small nation as Estonians, a state of our own, higher education in native tongue, and the like, is a luxury indeed. We see no other nation in the world so small and having its own full-scale state actually functioning as state in each domain.

Information and communications technology is the only option for us to offer good public services to citizens here. As the people to create that are few indeed, my mission as head of RIA is to offer a service as good as possible with the people that we do have, and good services to citizens and state agencies. Nice high-sounding words, but that’s the way it is.

Each domain matters. In the current security situation, organising public data exchange is important, X-Road is important, cyber security is important. There is an overabundance of important stuff being done in this house, and in many ways the aim is to make our state thinner.

How good is the health of our state information system?

As the freshly appointed director-general, it is difficult for me to immediately pass an assessment. I can say what the others have said. Internationally, Estonian state’s reputation as e-services provider is very high and that has to be based on something. Estonians regard it as very important what others think of us. Through the eyes of foreigners, our e-services are of excellent quality. We ourselves know, of course, that there’s room for improvement.

Both for you and the state, cyber security has these past years been a main area of IT-activity. How capable is Estonia to combat cyber crime, when there are no front lines, virtual state borders and clearly identifiable opponents?

Truly, conventional warfare is a thing of the past; today, this very rarely happens. States are using all available means, to affect another state. War, even conventional war, is only one of them.

In the Ukrainian conflict, for instance, all means have been employed – from diplomacy to economic pressure. The cyber space is a new opportunity to affect other nations while remaining hidden, detached.

For cyber attacks, Estonia is an excellent target, as we have what to attack. We have grown the amount of e-services for citizens so large that it makes us very vulnerable. For other nations, where we are now is the future.

As we intentionally build for us an e-state, we need to consider that the more we use IT, the more vulnerable we are. Thus, we need to simultaneously be building the defence. Estonia has taken a very unique and right decision: RIA, which is e-state’s developer and administrator, is also the builder of its defence. Building, development, administration, and defence – all is logically in one place.

How often is Estonia attacked, currently (holes sought in back door, information queries etc) and who are the attackers (organisations, lone wolves, the not-so-friendly states)?

Our information systems are being attacked constantly. We have quite a good overview of who the attackers are, the competence accumulated at RIA is on a high level indeed.

As for the citizens and their data, the greatest threat is the usual (native or foreign) cyber criminals. The major attacks against Estonian state have come from other states, political interest groups, and lone wolves – in turn, the abundance of attackers of various types makes it difficult to ascribe attacks to a specific source.

As to the state of Eastern neighbours, it does not correspond to our principle of a state with separation of powers, with a functioning civil society, where organised crime also stands separate from the state. Over there, it is all intertwined. Therefore, a cyber attack issued from Russia may come from a criminal organisation or a youth organisation or wherever.

But eve while it is often technically complicated to ascertain the source of an attack, we can always use our common sense and analytical mind: if the attack was politically motivated, there might be someone behind it with political motives.

Actually, the greatest threat to the state is cyber espionage. We have abundant evidence in the world where state secret is snatched by very simple means.

We were very vulnerable in the Bronze Night cyber attack where by relatively banal tricks state agencies, news portals and banks went off the Internet. How prepared are we for a major attack now; does the state have a defence plan, does everybody know what they are supposed to do?

Yes, there is a plan; the requirement is now written in Emergency Act. There is an action plan for a broad-scale cyber attack. The plans are constantly updated and tested. 

The cyber space has already reached into every aspect of life; therefore, for defence state participation is not enough – we must definitely involve private enterprises administrating critical infrastructure and actually all people who need to protect their home network and computer. In traditional war terms: in cyber space, both total and territorial defence need to be applied.

Often, the victim of an attack does not immediately perceive whether the glitch happened due to own human negligence, a technical error, or a cyber attack – initially, the reaction of parties is the same. As RIA has the overview, we have often given counsel to private enterprises who have contacted us, telling them how to react to what happened.

Militarily, Estonia is protected by the army, interior ministry answers for internal protection, and RIA stands for cyber security. As in cyber space one cannot make the difference between a time of peace and a time of war, it is vitally important for all three to have their competencies pinpointed.

An average Estonian has at least ten plastic cards in their purse, to show loyalty to shops, to banks, to filling station chains, and sports clubs; also, occasionally a magnet lock needs to be opened, and health insurance proven in Europe. To what degree are we currently using out ID-card options, and when will the card-era finally end?

Yes, surely he ID-card could be used much more widely. We heartily welcome private enterprises who use ID-card for loyal customer identity. Meanwhile, this may contradict their business plans and they prefer to use their own unique means when communicating with client. There’s room for development.

We can offer the private sector such an easy and comfortable solution to adopt ID-card that it will really become attractive.

The ID-card technology is almost ten years old soon. What next?

While the ID-card was created, people had this big box under their table for a computer, and the interface was an USB-port. With the current technology and software, ID-card cannot be connected to devices for modern actions –the tablet and the mobile phone. Most people use tablet and mobile to communicate with the state, but still prefer the ID-card to mobile ID. Our task is to develop a technology to make mobile and tablet to recognise ID-card.

Estonian e-residency offers foreigners limited-rights ID-cards, to communicate with the Estonian e-state. When will an Estonian working in Finland or the UK let himself be electronically identified in the tax board, say, to check his balance of payments?

We have taken the practical approach and launched close cooperation with Finland, as there our people have the greatest need for communication. The cooperation agreement is completed and waiting to be signed. If everything goes according to plan, Estonia will adopt the new X-Road version in October, and Finland in November – for the first time in Europe, and maybe in the world, this will create a technical option for information systems of two nations to interact, and e-services to function cross-border.

For that, lots of other things need to be altered as well: laws need to be amended, the agencies accustomed to only operate within own nation need to change attitude. However, the political will exists in Finland and Estonia alike.

What new things are in pipeline regarding e-services within Estonia? 

Near-term, we are planning to improve, so that the services therein would be easier to find and better available. The main update perhaps will be that a citizen will soon be able to click a box in environment defining mailbox as his only option for communicating with the state. Regarding state agency proceedings, for instance, information would be sent to that address only. 

The solution should vastly cut the use of paper. I hope that people will use it.

Taimar Peterkop

Age: 38

Earlier employment: legal and administrative issues vice-chancellor at Defence Ministry; defence policy advisor at Estonian Embassy in the USA; national defence teacher and lecturer on international law.

Education: graduated from University of Tartu law faculty, Master’s from US Army War College.

Reserve officer.