National audit office identifies weaknesses in critical database care
The results of an audit conducted by the National Audit Office indicate that considerably more attention must be paid to guaranteeing the safety and preservation of Estonia's critical databases, and identified weaknesses in several areas that need to be addressed.
Among other points of concern, Estonia lacks a legal framework for guaranteeing the safety and preservation of the country's critical databases, there are significant deficiencies in guaranteeing information security in several critical databases, and the special requirements needed to protect critical data have not yet been established, according to a National Audit Office press release.
Estonia has ten databases of critical importance as identified by the National Audit Office:
- e-File, Land Register, Commercial Register and Riigi Teataja — owned by the Ministry of Justice and managed by the ministry's Centre of Registers and Information Systems (RIK);
- Land Cadastre — owned by the Land Board and managed by the Information Technology Centre of the Ministry of the Environment;
- Information Centre of the State Treasury — owned by the Ministry of Finance and managed by the Information Technology Centre of the Ministry of Finance (RMIT);
- Register of Taxable Persons — owned by the Estonian Tax and Customs Board (EMTA) and managed by the RMIT;
- Population Register — owned by the Ministry of the Interior and managed by the ministry's Information Technology and Development Centre;
- Register of Identification Documents — owned by the Police and Border Guard Board (PPA) and managed by the Ministry of the Interior's Information Technology and Development Centre;
- State Pension Insurance Register — owned by the Social Insurance Board (SKA) and managed by the Centre of Health and Wellness Information Systems (TEHIK).
The authority noted, however, that the conditions for selecting critical databases have not been determined, and so there is no certainty that all of the necessary databases are included.
Backups have not been tested
According to the audit, backup copies of five, or half, of the audited databases are physically taken to Estonian embassies on backup media on a quarterly basis, but it has never been tested whether the information systems can actually be recovered from them. In the course of the audit, critical database owners said that bringing these copies into use quickly and easily would most likely be impossible, because restoring work and services also requires functional application software and supporting services, not just the data.
In the event of the destruction of local data centres, the preservation of the data required for the functioning of the state would currently not be guaranteed at all for the other five critical databases, and the audit noted that some authorities have not fully understood which threats their databases must be protected from and which risk scenarios they need to prepare for.
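The finding above is that media exist but nobody has proven a restore works. The check a practitioner would want is a routine restore test: copy the backup into a scratch location, confirm it has not been altered or truncated in transit, open it, run the engine's own consistency check, and confirm the tables still hold what was recorded at backup time. The following is an added example written for this page, not code from the National Audit Office or any Estonian agency; it uses SQLite as a stand-in for a real register, and the schema, file names, sample rows and the simulated media damage are all constructed for the demonstration.

```python
"""Restore-test a database backup instead of trusting that the media exist.

Added example using SQLite as a stand-in for a real database; the schema,
file names and sample rows are constructed for the demonstration.
"""
import hashlib
import json
import os
import shutil
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup media do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(live_db: Path, backup_dir: Path) -> Path:
    """Snapshot the live database with SQLite's online backup API and write a
    manifest (hash plus per-table row counts) that a later restore test can
    check against. The manifest should travel with the media."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup_db = backup_dir / "register.bak.sqlite"
    with closing(sqlite3.connect(live_db)) as src, closing(sqlite3.connect(backup_db)) as dst:
        src.backup(dst)  # consistent copy even while the live DB is in use
    with closing(sqlite3.connect(backup_db)) as con:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        # Table names come from sqlite_master, not from user input.
        counts = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                  for t in tables}
    manifest = {"file": backup_db.name, "sha256": sha256_of(backup_db),
                "row_counts": counts}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_db


def verify_backup(backup_dir: Path) -> dict:
    """Restore the backup into a scratch directory and prove it is usable:
    media readable, hash matches the manifest, the engine's integrity check
    passes, and every table still holds the rows recorded at backup time."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    result = {"hash_ok": False, "integrity_ok": False, "rows_ok": False, "errors": []}
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored.sqlite"
        shutil.copyfile(backup_dir / manifest["file"], restored)
        result["hash_ok"] = sha256_of(restored) == manifest["sha256"]
        if not result["hash_ok"]:
            result["errors"].append("hash mismatch: media altered or truncated")
        try:
            with closing(sqlite3.connect(restored)) as con:
                status = con.execute("PRAGMA integrity_check").fetchone()[0]
                result["integrity_ok"] = status == "ok"
                counts = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                          for t in manifest["row_counts"]}
                result["rows_ok"] = counts == manifest["row_counts"]
        except sqlite3.DatabaseError as exc:
            result["errors"].append(f"restore failed: {exc}")
    result["ok"] = result["hash_ok"] and result["integrity_ok"] and result["rows_ok"]
    return result


def demo() -> dict:
    """Build a constructed 'live' register, back it up, verify the backup,
    then damage the backup media and verify again (expected to fail)."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        live = work / "register.sqlite"
        with closing(sqlite3.connect(live)) as con:
            con.execute("CREATE TABLE persons (id INTEGER PRIMARY KEY, name TEXT)")
            con.executemany("INSERT INTO persons (name) VALUES (?)",
                            [("Mari",), ("Jaan",), ("Kati",)])  # constructed sample rows
            con.commit()
        backup_dir = work / "offsite"
        backup_db = make_backup(live, backup_dir)
        good = verify_backup(backup_dir)
        # Simulate damaged media: overwrite the last 64 bytes of the backup file.
        with backup_db.open("r+b") as f:
            f.seek(-64, os.SEEK_END)
            f.write(b"\xff" * 64)
        bad = verify_backup(backup_dir)
    return {"good": good, "tampered": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash check alone only says the media are unchanged; the restore, integrity check and row-count comparison are what answer the auditors' actual question, whether work can be resumed from the copy. In a real exercise the same test would also stand up the application tier against the restored database, since the owners pointed out that data without working application software is not a recovery.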
Estonia to establish data embassy abroad
The Ministry of Economic Affairs and Communications intends to establish a data embassy, its own server room in a data centre of a foreign state, and begin backing up data to that country electronically via a data exchange channel. This would also make it possible to keep services running if, for example, a data centre in Estonia is destroyed.
Steps have been taken to achieve this objective, and a data embassy in Luxembourg is scheduled to be launched in late June. Initially the data embassy will only house backup copies, but the plan is to develop the capability to provide services from there as well.
State lacking risk analysis, action plan
According to the audit, no action plan or requirements have been established for implementing the concept of Estonia's critical databases, and the state lacks a detailed risk analysis and an action plan for the future. The additional measures agreed upon for the protection of critical databases, including a specific action plan and deadlines, have not been officially recorded in any document, there is no legally binding set of rules, and current activities are partly based on informal arrangements.
The National Audit Office presumed that the state has determined the parties related to keeping critical databases, e.g. central coordinator, owner of a critical database, as well as their roles, including their rights and obligations. The audit revealed, however, that thus far, the process has only been described in a memo drawn up by the critical information systems working group in March 2017, and noted that the rules for defining and maintaining critical databases have not been determined or regulated in any legislative act.
Only some necessary audits, tests conducted
According to the National Audit Office, audits of compliance with ISKE, the information security standard that is mandatory for Estonian state authorities, have been conducted as frequently as required on just two of the ten critical state databases.
There are also significant deficiencies in guaranteeing information security in several critical databases, e.g. in analysing logs, protecting mobile devices, and encrypting hard drives. The National Audit Office found that the use of removable devices on computer networks connected to a critical database should be restricted. Some critical database owners have conducted internal security tests and scanned their intranet, but there were also critical databases on which no regular penetration tests had been carried out, meaning that nobody had tested whether it is possible to break into the authority's intranet or database from outside and change or destroy the data held there. The National Audit Office stressed that the need to physically protect critical databases should not be underestimated either.
Auditor General: No reason to panic
"There is certainly no reason to panic," Auditor General Janar Holm said, commenting on the results of the audit. "As an e-state, we've set ourselves rather strict requirements in guaranteeing data security, and even these problems don't mean that our critical databases are not secure. However, as we want to belong to the elite of e-states, we must be able to comply with the strict requirements that we set for ourselves."
Holm noted that this was particularly important in the case of critical databases, especially as many of Estonia's databases are now fully digital and the state no longer has data on paper that could be used to recover lost information.
Noting that guaranteeing the security of databases is not as glamorous a topic for ministries as funding a project or launching an attractive new e-service, the auditor general observed that the "invisibility" of information security solutions has created a situation in which officials responsible for information security in many government agencies told the National Audit Office's auditors that they cannot make security-related investment needs, or even the necessity of simpler preventive measures, visible to political decision-makers.
"The Ministry of Economic Affairs and Communications has defined its present activities as a pilot project, where more suitable technical and legal solutions for the organisation of backing up are still being sought," Holm said. "Moving in the right direction would be more successful if those responsible had fixed the objectives and action plan of the project in greater detail. The establishment of a clear legal framework and a longer financial plan would also be good."
Critical database owners given recommendations
The National Audit Office presented its recommendations for the improvement of information security in the detailed checklist summaries sent directly to the owners of the critical databases.
Among other suggestions, the National Audit Office recommended the following:
- In information security procedures, determine how often, in what way and to what scope the weaknesses of critical databases must be assessed.
- In order to identify anomalies, regularly check event logs and prepare reports about them at determined intervals.
- Assess the level of information security awareness of the staff of agencies and areas of government, and on the basis thereof, prepare plans for basic information security training and raising awareness.
- In information security procedures, determine how the inspection of the integrity of files will be guaranteed in systems of critical importance.
- Regularly order external and internal penetration tests to identify the vulnerabilities and security weaknesses of critical databases.
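Of the recommendations above, the one on guaranteeing the inspection of file integrity in systems of critical importance is the most directly mechanical: record a hash of every file that matters, and later compare the system against that record. The caveat a practitioner would add is that an intruder who can replace binaries or edit configuration can usually also edit a baseline stored on the same host, so the baseline must be authenticated with a key held elsewhere. The following is an added example written for this page, not code from the National Audit Office or any database owner; the directory layout, file contents, the simulated intrusion and the HMAC key are all constructed for the demonstration.

```python
"""File-integrity check for a critical system: hash a baseline of the files,
authenticate the baseline with a key kept off the host, and report drift.

Added example; the directory layout, file contents and key below are
constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256
    and permission bits. Symlinks are recorded by target, not followed, so a
    link redirected to an attacker's file shows up as a modification."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():
            baseline[rel] = {"symlink": os.readlink(p)}
        elif p.is_file():
            baseline[rel] = {"sha256": hash_file(p),
                             "mode": oct(p.stat().st_mode & 0o7777)}
    return baseline


def _canonical(baseline: dict) -> str:
    return json.dumps(baseline, sort_keys=True, separators=(",", ":"))


def sign_baseline(baseline: dict, key: bytes) -> dict:
    """Wrap the baseline with an HMAC-SHA256 tag. The key must not live on the
    monitored host; otherwise whoever rewrites the files can re-sign too."""
    body = _canonical(baseline)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"baseline": body, "hmac_sha256": tag}


def load_signed_baseline(signed: dict, key: bytes) -> dict:
    """Refuse any baseline whose tag does not verify under the off-host key."""
    expected = hmac.new(key, signed["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac_sha256"]):
        raise ValueError("baseline signature mismatch: do not trust this baseline")
    return json.loads(signed["baseline"])


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: clean check, then an intrusion that edits config,
    replaces a binary, drops a new script and deletes a file, and finally an
    attempt to pass off a rewritten baseline without knowing the key."""
    key = b"constructed-demo-key-real-keys-stay-off-the-host"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "register-api").write_bytes(b"\x7fELF demo binary")
        (root / "etc" / "register.conf").write_text("listen=127.0.0.1\n")
        (root / "etc" / "old.conf").write_text("legacy\n")
        signed = sign_baseline(build_baseline(root), key)

        clean = check_integrity(root, load_signed_baseline(signed, key))

        (root / "etc" / "register.conf").write_text("listen=0.0.0.0\n")
        (root / "bin" / "register-api").write_bytes(b"\x7fELF trojaned")
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")
        (root / "etc" / "old.conf").unlink()
        drift = check_integrity(root, load_signed_baseline(signed, key))

        # Intruder rewrites the stored baseline to match the tampered tree but
        # cannot recompute the tag without the key, so the check rejects it.
        forged = dict(signed, baseline=_canonical(build_baseline(root)))
        try:
            load_signed_baseline(forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return {"clean": clean, "drift": drift, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the check on a schedule and feeding its output into the event-log review the same recommendations call for turns an "inspection of integrity" requirement into something that can actually be audited: the report either shows an empty drift list or names the files that changed.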
The Working Group on Critical Databases works alongside the Cyber Security Council on the initiative of the Ministry of Economic Affairs and Communications and has begun regulating the protection of the data in databases of critical importance.
In the course of its audit, the National Audit Office checked how the state has selected the data and databases that are critical to guaranteeing national sustainability. It also checked whether, and with which tools, the security of said data and databases is guaranteed, and whether and how the long-term continuity of the databases containing this data is guaranteed.
Editor: Aili Vahtla