Audit Office: IT security of firms using X-Road not sufficiently checked
The information security of private companies using Estonia's X-Road® secure national data exchange is not adequately checked when they join and use the system, the National Audit Office (Riigikontroll) finds. The office says the system as a whole is reliable, and that updating the government's stated requirements for X-Road could fix the issue.
The volume of inquiries made via X-Road – on average, 133 million per month – means the provision of the majority of public services would be rendered either impossible or significantly more difficult should the exchange not be operational, the audit office also found.
Replacing data exchange carried out via X-Road (Estonian: X-Tee) with non-electronic data exchange would be practically impossible or at least very costly, the office adds.
Audit office report published Tuesday
A report entitled "Administration and Reliability of X-Road", published Tuesday, found, however, that the responsible authority, the Information System Authority (RIA), has generally ensured X-Road's reliability.
The report followed an audit of more than half a dozen government ministries, the local governments of the three largest Estonian towns and several state bodies, together with the IT systems of all of these.
The audit report found that measures have been developed to mitigate risks, many of which are being implemented. However, the audit office says it is concerning that, in many cases, state institutions offering data services on the X-Road platform have not entered into agreements on the use of service.
Where contracts have been entered into, none of the state institutions audited had checked, before signing, whether the private companies implement adequate measures for mitigating security risks, in order to ensure the integrity, confidentiality and availability of data.
Audit manager: While firms signing up to X-Road testify to their security, this is not always checked
Audit manager Toomas Viira said: "Private members of X-Road confirm that they implement the required measures when entering into a data service contract, but data service providers do not check up on that."
Only a few of the state institutions providing access to data perform adequate checks of compliance with data service agreements, Viira added in an audit office press release.
He said: "Failure to enter into data service contracts and failure to check the level of security measures of private companies poses a security risk."
"This may allow unauthorised persons to have access to state databases and the ability to make unauthorised changes," he added.
Furthermore, it has not been determined which security measures and at which level should be implemented, the office says.
Audit office: Requirements set out by government regulation too vague
The requirements a government regulation has established for X-Road are sometimes too general and allow participants to interpret them differently when implementing them, the office added.
The National Audit Office concluded that the central services of the X-Road infrastructure have been relatively reliable: Over the past three years, there has been one significant interruption in the X-Road services caused by the central components of the system, the office says.
RIA has not prepared an operational continuity plan for X-Road, but several measures have been implemented for the continued operation of secure data exchange and requirements have been established in other documents to ensure operational continuity.
Shortcomings include recovery tests being performed irregularly and not being documented, as well as the fact that the vitality and sensitivity of information assets relating to X-Road have not been assessed separately.
Regulations need amending
The office recommends that RIA's director general initiate an amendment to the relevant regulation, entitled "Data Exchange Layer for Information Systems", which governs the operation of X-Road, in order to make the established requirements more precise and unambiguous. This would enable data service providers to implement the requirements, the office says.
RIA could then check that these changes had been implemented, the audit office adds, while the necessary guidelines for implementing the requirements arising from the regulation should also be prepared and necessary training should be organised for authorities using X-Road.
The National Audit Office also recommended assessing the risks to the security of databases arising from the failure to enter into data service contracts and implementing activities to mitigate these risks.
Audit Office: X-Road bureaucracy could be cut down too
Consideration should also be given to adding data service contract signing and petition management as functions of the X-Road portal, to make opening and using data services less bureaucratic, the audit office says.
The National Audit Office also recommends developing a system for auditing private legal persons using the X-Road services to ensure the integrity, confidentiality and availability of data. In addition, the National Audit Office recommends performing regular recovery tests on the central components of X-Road, and documenting these.
The audit examined the organisation of work associated with X-Road and the rules for the development of X-Road by RIA. In addition, the organisation of work associated with X-Road was audited at and by the following authorities: the Ministry of Education and Research, the Ministry of Defence, the Ministry of Economic Affairs and Communications, the Ministry of Culture, the Ministry of the Environment, the Ministry of Rural Affairs, the Ministry of Foreign Affairs, the Tax and Customs Board (MTA), the Road Administration (Maanteeamet - now the Transpordiamet - ed.), the Health and Welfare Information Systems Centre (TEHIK), the IT and Development Centre at the Ministry of the Interior, the IT Centre at the Ministry of Finance, and the Centre of Registers and Information Systems (RIK).
In addition, three local governments and three state-owned enterprises were examined: the city governments of Pärnu, Tartu and Tallinn, transmission system operator Elering AS, domestic ferry operator TS Laevad and the State Forest Management Centre (RMK).
What is the X-Road?
X-Road® software is based on the X-tee solution, and forms the backbone of the Estonian e-state. It allows the nation's various public and private sector e-service information systems to link up and function in harmony.
Estonia's e-solution environment includes a full range of services for the general public, and since each service has its own information system, they all use X-Road/X-tee to communicate.
X-Road connects different information systems that may include a variety of services. It has developed into a tool that can also write to multiple information systems, transmit large data sets and perform searches across several information systems simultaneously.
834 institutions had connected to X-Road as of February 2 2021, the audit office says, while in 2020 approximately 1.57 billion inquiries were made via X-Road.
As of December 1 2020, 200 public sector authorities (including local government authorities) and 525 private sector institutions had joined X-Road, and approximately 52,000 companies and institutions used its services indirectly.
To ensure secure transfers, all outgoing data from X-Road is digitally signed and encrypted, and all incoming data is authenticated and logged.
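The receiver-side checks implied by the paragraph above (authenticate every incoming message, then log it), as an illustrative Python example added here. This is not X-Road's own code: X-Road uses certificate-based digital signatures, whereas this example uses an HMAC as a stand-in so it runs with only the standard library. The sender name, sequence numbers, shared key and sample payloads are constructed for the example. It also shows two checks a practitioner would want alongside signature verification, replay and stale-timestamp rejection, and keeps the log as a hash chain so later tampering with log entries can be detected.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed shared key for the example sender/receiver pair (not a real key;
# X-Road uses certificate-based signatures, an HMAC is used here only so the
# example runs with the standard library).
SHARED_KEY = b"example-key-not-for-production"
MAX_SKEW_SECONDS = 300  # how far a message timestamp may drift from receiver time


def _canonical(obj: dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, sender: str, seq: int,
                 key: bytes = SHARED_KEY, now: Optional[float] = None) -> dict:
    """Wrap a payload in an envelope carrying sender, sequence number, timestamp and tag."""
    body = {
        "sender": sender,
        "seq": seq,
        "ts": int(now if now is not None else time.time()),
        "payload": payload,
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Authenticates envelopes, rejects replays and stale messages, and logs every verdict."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq: Dict[str, int] = {}   # sender -> highest sequence number accepted
        self.log: List[dict] = []            # hash-chained audit log
        self._prev_hash = self.GENESIS

    def _append_log(self, verdict: str, body: dict, tag: str) -> None:
        # Each entry commits to the previous entry's hash, so editing or deleting
        # an earlier entry breaks the chain and is caught by verify_log().
        entry = {"prev": self._prev_hash, "verdict": verdict, "body": body, "tag": tag}
        entry_hash = hashlib.sha256(_canonical(entry)).hexdigest()
        self.log.append({"hash": entry_hash, **entry})
        self._prev_hash = entry_hash

    def receive(self, envelope: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, verdict). Every message, accepted or not, is logged."""
        body, tag = envelope["body"], envelope["tag"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        now_ts = int(now if now is not None else time.time())
        if not hmac.compare_digest(expected, tag):
            verdict = "rejected: bad signature"
        elif abs(now_ts - body["ts"]) > MAX_SKEW_SECONDS:
            verdict = "rejected: stale timestamp"
        elif body["seq"] <= self.last_seq.get(body["sender"], 0):
            verdict = "rejected: replay"
        else:
            self.last_seq[body["sender"]] = body["seq"]
            verdict = "accepted"
        self._append_log(verdict, body, tag)
        return verdict == "accepted", verdict

    def verify_log(self) -> bool:
        """Recompute the hash chain; False if any entry was altered, removed or reordered."""
        prev = self.GENESIS
        for entry in self.log:
            fields = {k: v for k, v in entry.items() if k != "hash"}
            if fields["prev"] != prev:
                return False
            if hashlib.sha256(_canonical(fields)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    # Constructed exchange: one legitimate query, then the same envelope replayed.
    receiver = Receiver()
    env = sign_message({"query": "person-lookup"}, "company-a", seq=1)
    print(receiver.receive(env))   # (True, 'accepted')
    print(receiver.receive(env))   # (False, 'rejected: replay')
    print(receiver.verify_log())   # True
```

The order of the checks matters: the signature is verified before the timestamp or sequence number is trusted, so an attacker cannot influence the replay state with a forged envelope. Rejected messages are logged as well as accepted ones, since the audit's concern is precisely who attempted access, not only who succeeded.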
The service has also been implemented in Finland, Kyrgyzstan, the Faroe Islands, Iceland, Japan and several other countries, while similar technology has also been implemented in Ukraine and Namibia.
The full text of the new National Audit Office report on X-Road (in Estonian) is available as a pdf here.
The state e-governance site is here.
Editor: Andrew Whyte