How Estonia tackled security flaws in its ID cards

By Shirley Tay

Liisa Past, Estonia’s former Chief National Cyber Risk Officer, shares with GovInsider the biggest lessons learnt from her tenure.

Image: Liisa Past/by Arno Mikkor

Millions of Americans are heading to the polls ahead of the November presidential elections. Lines have reportedly lasted up to 11 hours while the country battles its third wave of infections - again bringing back the case for online voting.

Estonia’s i-voting system has been a model for many, with 44 per cent of Estonians voting online. Its eID is the backbone of online voting and many other digital government services - but was severely tested in 2017 when a security fault was detected in about 800,000 ID cards.

GovInsider spoke to Liisa Past, Estonia’s former Chief National Cyber Risk Officer, to find out how her team tackled security flaws in the ID cards, and the biggest lessons learnt from her tenure in government.

A team of ‘cowboys’ with a common goal

Past was Chief Cybersecurity Research Officer of the Estonian Information System Authority (RIA) when the security flaw in the eID cards was first detected in August 2017.

Her team members then were not the most typical of civil servants, she says. “There might have been many people who saw us as some sort of cowboys. Instead of being very careful and sort of like, ‘maybe we won't make the right decision’, we were very much focused on getting things done, building a view of security.”

The RIA found out that the cards issued since 2014 had a security flaw in its hardware, says Past. It “wasn’t of our making,” she adds, but an algorithmic flaw in the keys provided by German manufacturer Infineon. That could allow hackers to access sensitive information of the users by stealing their digital identity.

Fixing the eID cards was a “race against time”, she says. Her team had to understand the vulnerability and tackle it before it could be exploited. In the months before her team released a security update to the ID cards, the vulnerability was “an existential threat”, Past adds.

But what made it special was that her team “wanted to get things done”, she says. “It would have been so easy to say, ‘This is a supply chain issue down the line, and everyone else has caused it.’”

“But instead we said, ‘we need to fix this. And we need to fix it for us,’” Past says. “That willingness to make decisions rather than stay safe was just an incredible experience.”

Estonia eventually released an update to the affected cards in October. There were no known cases that the security flaw was exploited, it said.

It was all about having each other to rely on, Past says. “The moment you don't have an equal sparring partner who would call you out is when you become less effective at your job.”

Bottom-up communities of trust

As the Internet and tech space grows increasingly competitive, a top-down, global understanding of cybersecurity is no longer realistic, says Past.

“What's happened internationally often is that everyone declares their appetite for collaboration and information sharing. But there's almost a point where there's sort of collaboration fatigue,” she adds.

Knowing that a global treaty on the Internet is not likely to emerge anytime soon, countries have to “start on the operational level”, Past says. That involves sharing actionable insights, and building communities of trust from the bottom-up.

The Baltic nation has made a strategic choice to be “aggressively open and transparent”, she says. The RIA has published an online document and held an international conference to share lessons learnt from the 2017 eID vulnerability.

Estonia has also openly shared about the wave of cyberattacks that targeted its critical infrastructure back in 2007, she says. It was sparked by the movement of the Bronze Soldier, a Soviet-era war memorial.

Information sharing “highlights the threat for everyone else, but it also shows the value of international cooperation and the value of openness,” Past says. Though intelligence sharing centres exist, “a lot more work needs to be done”.

Advice for future cyber risk officers

Past is now head of cyber security business development for Cybernetica, an Estonian ICT company. She had two words when asked for a piece of advice she would give to Estonia’s future Cyber Risk Officers: “play nice.”

The job is a collaborative one, she says, due to the very nature of cybersecurity. The field is often “over-mystified” and seen as a technical area. “It's zeros and ones, and cables, and men with hoodies who don't talk to people.”

That mysterious stereotype was “constructive” earlier when the industry was developing, Past says, because it “got the management off the backs of the innovators”. But cybersecurity is “now an increasingly communicative and human-focused industry.”

“‘It's technical’, ‘you won't understand’, might have been acceptable answers 10 years ago. But it shouldn't be an answer anymore,” she says.

Estonia has made huge advances in its push to create digital government services. As nations across the world accelerate digital transformation, Estonia’s efforts in e-government offer valuable lessons to learn from.