Estonia is set to announce a procurement for a new electronic identification tool for residents and e-residents this year, while people could get the opportunity to vote using mobile devices at the next elections, Lauri Aasmann, head of the State Information System’s Authority’s (RIA) cybersecurity service, and Margus Arm, head of RIA’s state information system service, say.
Estonia has a lot of IT houses, each doing their own thing to the best of its ability. Is RIA currently responsible for all the pieces of the state’s information system and if not, who is?
MA: The aim of RIA is first and foremost to offer reusable solutions that could be used for all business services. RIA’s portfolio includes electronic identity without which no e-service, X-Road, state portal and network or elections solution could work.
Rather, our clients are other partner agencies, IT houses of other ministries that develop services for their target groups. The big picture is made up of ministries today, but I don’t see why we couldn’t have a single national IT house keeping an eye on all state projects in the future.
Could the current IT houses system be retained, or should Estonia move toward a common IT system developed based on universal standards and rules, with a universal cybersecurity standard? Could we see a State Information Systems Center next to the State Support Service Center?
MA: Consolidation of services could take place where we’re talking about similar services developed by IT houses or ministries – whether it’s system administration, email or server services. These services could be universal to save agencies having to spend additional resources on them.
Talking about business processes and end-user services, we do not support the creation of a hyper system that would pay out social benefits while collecting tax data at the same time. It would be sensible to keep these things separate on the level of owners.
LA: Good cybersecurity practice and the architecture council’s recommendations for new information systems are already in effect. It is a different story when it comes to existing systems and the need to manage information security incidents – that service is universal and comes from RIA.
We have a common code bank. It is not always necessary to physically merge IT houses as it is possible to reuse different parts of developments.
Have you determined the greatest threats to Estonia’s public IT systems? Are they international hackers or hostile states? Perhaps it is the stupidity of officials or something worse still?
LA: The biggest cybersecurity threat by far is the user sitting behind the computer every day. Anyone looking to get into the system will first look to carelessness on the part of officials. It is cheaper and simpler to take advantage of a user’s ignorance than it is to hack IT systems. That is why we have special training for public servants to minimize such risks. The other major threat are global hacking campaigns, mainly for the purposes of extortion.
RIA is pursuing more effective supervision of how subjects of the Cybersecurity Act comply with information security requirements. We visited all local governments last year and found very uneven quality. We were forced to resort to control action and fines on a few occasions as local governments were just not motivated to comply otherwise. This year, we will be focusing on family medicine centers and the healthcare system in general.
Has Estonia precisely determined how and to what extent data needs to be protected and encrypted?
MA: We use the X-Road data exchange platform and the requirements there are fixed. If you want to exchange data through the X-Road, you must comply with such and such standards. We are also working on the X-Road self-service program that will make it easier to join the system.
The state took a long time to decide whether to recognize Smart-ID as an official identification tool and whether it would prove too expensive as the service costs twice what Mobile-ID does to run. How did you finally arrive at a contract with service provider SK ID Solutions?
MA: It was a very long process indeed. We had three requirements. They needed to have the technical development ready, acceptable prices and the financial side of things and, finally, the question of the level of authentication we could promise.
The company is paid on a per use basis – the more uses of Smart-ID, the more the state will have to pay. That said, we are offered volume discounts.
LA: Smart-ID is safe, audited and an accepted tool for providing signatures in the European Union. A digital signature given using Smart-ID is equal to Mobile-ID and ID-card signatures.
MA: Smart-ID users outnumber Mobile-ID users two-to-one today. We had 230,000 Mobile-ID users and 430,000 Smart-ID users at the end of last year.
Looking at the trend, is there a future for Mobile-ID as a service based on a plastic card and SMS messages in a situation where its competitor only needs an app and an internet connection.
MA: As a country, we definitely want to have at least two different eID tools. One is the ID-card, while the Mobile-ID contract will expire. We are already looking for its replacement. But we definitely do not want to copy what SK ID Solutions already have in Smart-ID.
We are searching for that new solution. We plan to announce the procurement in cooperation with the Police and Border Guard Board this year. The state’s Mobile-ID contract will expire in 2022.
LA: The solutions of the future are based on biometrics.
Will you be holding a new procurement this year for something other than Mobile-ID?
LA: Mobile-ID is just a name. We want it to be a tool for electronic identification in a mobile device that could be used for authentication and digital signatures.
We will have elections again next year. Why can’t we vote using our mobiles? How is an HP laptop more secure than a Samsung smartphone for example?
MA: We are analyzing the risks of taking elections to iOS and Android. The question is how to ensure separation of devices. Right now, if you vote using a computer, you can check your vote using your phone. What happens when both the voting and the check take place in the same device? If a device has been taken over by a criminal, the process of verifying votes becomes meaningless. We will have an analysis in the first six months of the year, while the final decision rests with the National Electoral Committee.
People’s phones have online banking apps that can be used to move large amounts of money, health apps full of sensitive personal information etc. But for some reason we cannot be allowed to vote for the Center Party or the Reform Party using out smartphones. Seems odd.
LA: Voting is more important than bank transactions from the point of view of the state.
Therefore, let’s have the odds for whether we will have a voting app by next elections.
MA: I would have to go with fifty-fifty. The technology is not the problem.
LA: A lot depends on political decisions.
Ruling parties are increasingly worried about outdated hardware and software of public IT systems. Do you remain optimistic?
MA: The likelihood of something breaking down is growing with each passing day. Funding needs to be consistent and a well-planned process as opposed to isolated campaigns. We cannot live in a perpetual crisis situation. But yes, we remain optimistic today.
Margus Arm, why do I see two phones on the desk in front of you? One is an Android phone and the other an iPhone.
MA: The iPhone is for work.
Is iOS safer than Android?
MA: It is difficult to say at this point, but all our work phones are iPhones. Such was the decision.