June 18, 2015

Sensitive Personal Data as a National Security Risk

The director general of the Estonian State Information System Authority (RIA) recently said Estonia was very vulnerable to cyber attacks because of the country’s heavy reliance on e-services. The official, Taimar Peterkop, said that the greatest threat for ordinary computer users was cyber criminals, while the state was most at risk from cyber espionage. Indeed, the world has plenty of examples of, as Peterkop put it, “state secrets being stolen by very simple means.”

That is exactly what happened recently to allies from Europe and North America. It was probably Russia’s special services that breached the German Bundestag’s information system recently, sending infected email from Chancellor Angela Merkel’s account to members of parliament. They were able to gain access to the contents of MPs’ computers, including their e-mail correspondence. Due to security considerations, it hasn’t been divulged how much and what type of sensitive information was compromised. Meanwhile, in June the US announced that personal data of likely all federal employees, former employees and many subcontractors (estimated at 4 to 14 million people all told), including dates of birth, addresses and social security numbers, had been stolen, likely by China. The data could potentially be used for identity theft, taking loans or defrauding other people. The data go back to 1985.

Even worse, security clearance forms with detailed personal information were likely taken as well. The information on the forms could potentially be used to compromise the friends and close family members of people cleared for state secrets, and, it is believed, to identify undercover agents. If the data should fall into the hands of cyber criminals, the victims could sustain major financial losses. The state could face lawsuits from millions of people for failing to protect their personal data.

The situation is so serious that the representatives of the US were recently summoned to testify before the Senate (the leaks also involve data on congressional staffers) and US President Obama has stood by the relevant personnel management official after she was grilled by a House committee. The questions from American politicians as to why databases so important for national security were not sufficiently protected come after an audit conducted last year showed that security measures were insufficient (a lack of multi-factor personal identity authentication was cited). These and many earlier incidents in Europe and elsewhere show that often both government agencies and private contractors only learn of intrusions much later (the average detection time is more than 200 days).

In the early years of the Internet, few could have foreseen security becoming such a big issue as, in the beginning, cyber communication took place in a limited, mutually trusting circle. 100% cyber security is only possible in an ideal Platonic world, but not in cyberspace, because technology cannot be trusted completely. Anyone who has, say, worked out in a gym sports knows that pulse sensors don’t always display correctly, and likewise every IT architect knows that any human-built system can theoretically be compromised (true, to this point the Estonian ID card’s authentication function has been secure). Evildoers stay several steps ahead of defenders – for one thing, developers of new commercial products do not design them to be secure, as this would increase the price of the product, extend the time to market – and in fact ordinary users don’t demand that type of security. To reduce the vulnerability of new technologies, many governments are imposing increasing security requirements on procurements of commercial products (supply chain security), and as a result government information systems at least should be more secure than our personal consumer devices.

Cyber experts are agreed that total cyber security is not possible. The goal of the protection is to increase the resistance or resilience of information systems. Considering intruders will breach information systems one way or another, a good defence strategy should separate particularly sensitive data so that they would not be easy to steal.

Why were Germany and US; which allocate colossal sums of money for developing cyber defence capabilities, unable to defend the most likely targets – sensitive personal data and the content of politicians’ computers – from hostile state and cyber criminals? Did these countries spend the resources in the wrong places, developing military cyber capabilities and protecting vital services from sabotage, but neglecting to make government agency information system and databases a priority? Registers are a part of critical infrastructure, and should be subject to stricter security requirements. Critics are already exposing how poor US federal government information system security really is – other than the Pentagon’s computer networks, only 41% of the federal government institutions have implemented the minimum level of security standards.

Estonia, too, is vulnerable to cyber threats, as Estonia’s embrace of all things “e” means records are largely not backed up on paper and if a state database is compromised either by cyber or physical means, and the contents stolen or destroyed, it will probably not be easy to restore them easily. Fortunately, the Estonian cyber security strategy calls for activities to address the vulnerabilities (though it is a separate matter whether all state and local government institutions will actually implement them) and hopefully Estonia will not be as attractive a target for cyber criminals and hostile state actors as the world’s leading countries.

Filed under: CommentaryTagged with: