Various security vulnerabilities in Estonia are not sufficiently recognized, while resources for protecting state secrets are too thin on the ground, the Internal Security Service (ISS) says.
The ISS, also known by its Estonian acronym, Kapo, released its annual Yearbook for 2021-2022, which noted that: "Inspections in recent years have revealed that security threats are not sufficiently recognized, and that the resources allocated to protect information classified as state secrets and to ensure their physical security are insufficient."
The ISS reiterated that one of its activities focuses on the protection of classified state secrets, from both malicious activity and negligence.
"Any measures taken to avoid negligence and in so doing prevent state secrets being disclosed must be adequate and up-to-date," the yearbook continues.
"Often we see that current law is not being adhered to with due diligence. We have to re-state that any breaches of classified information must be reported immediately and not weeks or months later."
The ISS concedes that often the overseeing of state secrets protection takes place in a comfort zone.
"In order to ensure the protection of state secrets, the surrounding security situation and the physical environment need to be constantly analyzed and measures in place for the protection of state secrets must be made more effective pursuant to that," the yearbook goes on.
The ISS also highlights that any individual overseeing state secrets prevention must possess extensive professional knowledge of their specialty, in order to perform their task, but often this comes on top of their primary work or other work duties, hence why sufficient labor resources, time or technical resources are frequently not found for this.
Information in the yearbook also states that protecting classified information covers tech, actual physical security and training.
The technological aspect requires being on top of up-to-date IT solutions, given that most classified information is processed digitally.
Physical security entails IT systems, located in a secure area under the auspices of people familiar with the principles of that security, alarms, surveillance systems etc.
Training requires those overseeing the protection of state secrets being able to provide adequate training to the other employees involved in the same.
Issues also experienced with IT security
The ISS also outlined cyber attacks which took place last year, their consequences, and the fact that many of them could have been avoided had the right organization been in place.
"The cyber incidents that took place in Estonia last year - the leak of corporate data and the theft of 290,000 document photos - were possible due to security vulnerabilities in state systems, plus outdated software. These errors could have been easily avoided," the ISS wrote.
"As state Information System Authority (RIA) itself acknowledges, the Estonian authorities have not been reacting quickly enough to serious security threats," the ISS notes in the yearbook, posing the question: "If we are note accustomed to taking known security vulnerabilities seriously enough, are we then able to identify threats which had up to now gone unnoticed?".
The ISS says this concerns individuals as well as hardware and software, adding that cyber security does not only concern networks and computers but also the efforts of hostile intelligence agencies trying to install people who have been recruited so they will co-operate in the right place.
The ISS also referenced pro-Russian attacks on the cyber-space of western countries, including Estonia, in the context of the Ukraine war.
"Currently we need responsible cyber-behavior, to identify possible security vulns within systems and strong cooperation within and between states, so that Estonia, too, will be protected in cyber-space."
The ISS Yearbook 2021-2022 has published in Estonian and is available here.
The official English-language translation will be available in due course.
Editor: Andrew Whyte