June 13, 2018

Estonia’s Annual Cyber Security Assessment: What do we learn?


Last week, the 2018 Annual Cyber Security Assessment of the Estonian Information System Authority (RIA) was presented at the ICDS. The presentation of the Assessment was followed with an in-depth conversation over the findings with the Director General of RIA, Mr Taimar Peterkop, and the RIA’s Head of Analysis and Policy, Mr Hannes Krause.

The Assessment provides an overview of current issues effecting the cyber realm not only in Estonia, but also worldwide. It has been published following a year in which, RIA crossed the threshold of 10,000 cyber security cases for the first time.  Significantly, only 122 incidents had a direct impact on the services vital to the functioning of a state.  In the global context, it is noticeable that the WannaCry and NotPetya malware campaigns had little effect on Estonia, but the global impact of the attacks was severe.

This year’s Assessment is an improvement on last year’s Assessment as it offers a more detailed overview of the major trends and incidents related to cyber security.  The Assessment achieved a fitting balance between the cyber issues which effected the Estonian nation specifically, and the issues which have impacted the global security environment.  It is correctly identified that the biggest cyber security challenge that Estonia faced in 2017 was the security vulnerability in the state-issued digital identity, the Estonian ID card.  The vulnerability could have allowed the private key (which is used for digital authentication and signing) to be mathematically calculated from the public key; making it possible to clone the victim’s cryptographic keys and use them for authentication.  In general terms, Estonia handled the crisis better than other countries as its online update service allowed the certificates to be suspended until further notice, whereas other nations were forced to revoke its ID cards.

However, the Assessment fails to highlight the significant time that elapsed between the Estonian CERT-EE being notified about the vulnerability in August, and the impacted cards not being blocked till November.  This provided potential malicious actors with a substantial window of opportunity.  On the other hand, an analysis of the Technical University of Tallinn, “Lessons Learned from The ID Card Case”, devotes significant space for discussing this matter and suggests a number of improvements to  reduce response times.

One of the clear themes that emerges in the Assessment is the topic of attribution. This is a marked change from last year’s Assessment as the subject is not mentioned once.  The topic’s inclusion in this year’s Assessment reflects an important and wider positive trend, which is the readiness of the international community to attribute cyber-attacks to their offenders; may it be state or non-state actors.  Both the US and the UK publicly identified North Korea as responsible for the WannaCry attack and together with some other countries, attributed the NotPetya wipeware disguised as ransomware, to Russian military intelligence (GRU).

Apart from the technical developments in the ability to identify the source of an attack, the act of attribution of a cyber-attack is also a means to signal that a cyber-attack is not considered a trivial or acceptable course of action by a state. This is an important step towards changing the attitudes of states regarding responsible behaviour in the cyber domain and it helps to eradicate the notion that a cyber-attack can be utilised as an easy weapon.

The Assessment claims that the framework on a Joint EU Diplomatic Response to Malicious Cyber Activities, the so-called The Cyber Diplomacy Toolbox (CDT), lays a basis for a collective response to malicious cyber activities by EU member states, and also for the use of all Common Foreign and Security Policy measures. The CDT is not extensively explained in the Assessment which could have provided a deeper insight into this new initiative.  The CDT appears to be an encouraging step towards deterring potential state-actors from targeting EU member states, but it is still not clear how the framework will be operationalised into an effective foreign policy tool.  Difficulties still persist with reliable and effective attribution which could hinder the process of issuing measures and sanctions against the states responsible. The 2018 Assessment offered the opportunity to elaborate more on these issues and could have provided a more in-depth analysis of the benefits and functionality of the CDT for Estonia.  It still remains to be seen if this framework, and the elements attached to it, will prove effective.

Overall, RIA’s 2018 Annual Cyber Security Assessment fulfils its objective of providing an informative overview of the key trends and events that have occurred in the previous calendar year.  Although weaknesses exist where more comprehensive analysis on certain aspects would have been useful, the Assessment offers a broad and well-structured guide to the cyber issues effecting not only Estonia, but also the global environment.