To further strengthen Estonia's cyber defenses, the Information System Authority (RIA) has both started offering bounties to cooperating hackers and deployed its own red, or strike, team, which thus far has managed to access the network of every institution it has tested.
Since March, when the RIA began paying out bounties to hackers, six people have gotten paid by the Estonian authority.
According to Tõnu Tammer, director of CERT-EE, the RIA department responsible for the management of security incidents in the .ee domain, they have specific rules for vulnerability hunters. For example, they may not organize a denial-of-service (DoS) attack or send out phishing emails.
Instead, the RIA wants hackers to seek out website weaknesses that allow for system access or for user data to be stolen.
"When someone finds such a weakness, they write up what they did, allowing us to replicate it as well," Tammer said. "Then these reports are reviewed within a matter of hours, and payouts are typically issued within a matter of days as well."
Thus far, hackers have found simpler issues that don't pose a major threat, for which they have earned €250. The RIA is prepared to pay up to €3,000 for the most critical weaknesses, however.
"A critical weakness means, for example, something that can be used to gain unauthenticated access to someone's data or run malicious code," the department director explained.
The hackers themselves don't come in direct contact with the RIA, however. The entire process is handled via the vulnerability coordination and bug bounty platform HackerOne.
The same platform is also used by several other countries, including the U.K., but also major companies including Lufthansa and Microsoft.
Currently, only specific hackers can report bugs to the RIA via the platform, and Tammer said anyone interested in participating in the program should contact the RIA directly.
They want to go public with the program at some point as well, but not until they're sure that hackers' tools won't overload their systems.
"If a lot of hackers all start working at once, the system may not be able to take the testing," he explained.
The RIA is currently only paying bounties on bugs found in the systems they administer. Estonia wants to expand the program, but before getting the Land Board's information system or e-health services involved, RIA wants to look those over with their own tools first. Tammer noted that there's no point paying bounties for bugs that the RIA can find themselves.
"When we've done random monitoring, we can see that the need for such an additional filter is apparently there," he noted.
Asking nicely sometimes enough to gain access
Meanwhile, the RIA's other program, its Red Team, was assembled specifically to help other institutions.
The team, currently two members and soon to be six, offers security testing for state institutions, local governments and vital service providers alike.
According to Red Team lead Andres Klemm, no one's systems are being tested behind their backs; it's institutions themselves that are requesting the team's help.
"Working together, we can come up with a testing plan and conduct the testing," Klemm explained. "Afterward, everything needs to be summarized and described to the client, plus recommendations on what should be done to improve the situation."
The Red Team will start conducting complex technical testing once it has expanded in size. Nonetheless, every one of the strike team's clients has already received quite a few recommendations, as the team is currently focusing primarily on testing people, and security weaknesses aren't hard to find on the human level.
"You can still find all kinds of interesting emails in your inbox about how to get rich quickly and easily," Klemm said, describing a typical office worker's daily reality. "We likewise imitate such attacks, send emails, make up pages where one might give up their passwords, for example."
The Red Team hasn't left a single client empty-handed. According to Klemm, all it takes to gain access to a system is for one person to give up their password, and the easiest way to get it is simply by asking nicely.
"You have to come up with some kind of good excuse, maybe based on the specifics of an institution or what people there do on a daily basis," he explained. "And then at some point use some excuse to log into your spoofed page."
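The spoofed login pages Klemm describes only work if the victim does not notice that the link points somewhere other than the real institution. The following script, an added example that is not part of this article or any RIA tool, shows the kind of check an institution's mail or proxy team could run over links in inbound messages after such a test: it flags hostnames that impersonate a trusted domain by burying it inside another domain, by swapping visually similar characters, or by a one-character typo. The trusted domain (ministry.ee) and all links are constructed for the example.

```python
"""Flag links whose hostname impersonates a trusted domain.

Added example, not code from the article or from the RIA. The trusted
domain and every link below are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumed trusted domain of the tested institution (constructed).
TRUSTED = "ministry.ee"

# Substitutions attackers use because they look alike in many fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(label: str) -> str:
    """Fold Unicode to ASCII (unknown non-ASCII characters are dropped,
    which leaves a near-match for the distance check) and undo common
    letter/digit swaps."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname; adequate for .ee-style domains,
    not for multi-part suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url: str, trusted: str = TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one link."""
    host = (urlsplit(url).hostname or "").lower()
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    reg = registrable(host)
    # Trick 1: the trusted name appears, but as a subdomain of another domain.
    if trusted in host and reg != trusted:
        return "lookalike"
    # Trick 2: homoglyph swap or single-character typo in the registrable name,
    # or the same name under a different top-level domain.
    trusted_name = trusted.split(".", 1)[0]
    reg_name = reg.split(".", 1)[0]
    if edit_distance(normalise(reg_name), trusted_name) <= 1:
        return "lookalike"
    return "unrelated"


def scan_links(urls, trusted: str = TRUSTED) -> dict:
    """Classify every link; returns {url: verdict}."""
    return {u: classify(u, trusted) for u in urls}


# Constructed sample links, as they might appear in a simulated phishing mail.
SAMPLE_LINKS = [
    "https://intranet.ministry.ee/login",          # legitimate subdomain
    "https://ministry.ee.secure-login.example/",   # trusted name buried in another domain
    "https://rninistry.ee/password-reset",         # 'rn' standing in for 'm'
    "https://minlstry.ee/",                        # one-character typo
    "https://ministry.com/",                       # same name, different TLD
    "https://errnews.example/",                    # unrelated site
]

if __name__ == "__main__":
    for link, verdict in scan_links(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

The heuristics are deliberately narrow: a three-letter institution name would make the distance-of-one rule far too noisy, and punycode (xn--) hostnames should be decoded before the check. The point is that each of the tricks listed in the sample is cheap to detect mechanically, which is exactly why a red team relies on the reader not checking.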
Tests like that aren't requested or conducted lightly; such attacks on people have been used the world over to steal millions of euros and massive amounts of data, as well as to bring down vital systems.
Thus, tested institutions should follow up with thorough training and a tightening up of information system security.
Editor: Aili Vahtla