Local councils IT security entirely inadequate, National Audit Office finds
In a damning report published on Tuesday, the National Audit Office writes that Estonia's local governments do not sufficiently acknowledge the risks related to their IT infrastructure. This means that IT security requirements established more than a decade ago still aren't implemented, the audit office wrote.
The state's financial support allocated to improving the security of local systems hasn't brought the desired results, the National Audit Office pointed out. None of the audited local governments have assessed the security requirements for their databases.
Not even the lowest security level established across all local systems
In some cases local governments even struggle to apply security measures of the lowest level. Access is granted too quickly and easily, installing security patches is left to individual users, password management is inadequate, and there is mostly no overview of who has access to what exactly.
According to Auditor-General Janar Holm, plenty of people have been going about their business as if they have never heard about the requirements for public information systems in Estonia.
"The risks related to IT security still are not acknowledged, although there are numerous examples of local government computers being targeted by denial-of-service attacks, systems being infected with malware and damage caused to websites," the National Audit Office wrote in its Tuesday press release.
The sloppy attitude to IT security is apparent across all ranks and positions. There often are no guidelines at all for the use of IT infrastructure, or they haven't been introduced to employees. And where this was done, people often don't follow the guidelines.
Auditors: Data protection about as important to officials as "trip to Mars"
"The biggest concern is that the auditors met officials to whom the need to implement a system of security measures, including data protection, was about as sensible as the need to invest in a holiday trip to Mars – something distant that won't happen in their lifetime," Holm said.
"At a time when the number of known cyber incidents in Estonia already exceeds 10,000 per year, it is naive and dangerous to keep thinking that this won't happen to us or that our data isn't important," he added.
Overall, the situation is bleak: the local councils don't feel responsible for any of the data they deposit on external servers of the state's X-Road system, and they don't demand anything of the sort from the people they work with either.
"This explains to some extent why there is no comprehensive overview of the data collected by local governments, their security has not been analysed, the approval process that gives them the right to collect the data has not been passed, and the accessibility of data in other databases is not considered," the audit office wrote.
Among other things, this also means that there are occasions where personal data has to be submitted more than once, which goes against the single-entry principle of Estonia's e-government system.
Present situation a combination of lack of money and lack of checks
Part of the reason for the dismal state of IT at the local councils is an apparent lack of qualified staff. In most cases, local systems are the responsibility of a staff member who lacks proper training. Where a local government is bigger, one or two specialists are typically hired, but they are system administrators and technicians rather than data security specialists.
As hiring a dedicated staff member responsible for data security often doesn't make sense financially, the National Audit Office recommends that local governments either outsource this to a private service provider or cooperate with each other to address the issue.
Part of the blame lies with the state as well. In actual practice, not every database is checked, as according to the Data Protection Inspectorate such diligence would be "a pointless waste of time." Instead, checks are done sporadically, and database infrastructure procedures are approved in packages, as the software used is generally the same across different systems.
National Audit Office: State needs to shift from providing funding to actual supervision
As in most of the cases in question local databases are set up because the different ministries require it, the National Audit Office recommends that the ministries play a role in improving the situation. "The relevant ministries could give local governments guidelines about keeping databases (incl. information security guidelines) in all of the issues that interest them. The National Audit Office finds that the ministry itself could also develop the software for the performance of this function and take the role of the controller – this way, the state can determine the security needs of data, order compliance audits, and so on," the audit office wrote.
Minister of Entrepreneurship and IT Urve Palo (SDE) agrees with the National Audit Office that the duplication of procedures should be reduced as far as possible, and that the same rules should apply for similar systems across Estonia's e-government solutions.
The audit office also reported that it has recommended that the State Information System Authority (RIA) step up its checks and controls, since plenty of local government employees pointed out during the audit that the current lack of enforced security requirements doesn't force anyone to make an effort in the right direction.
RIA in turn confirmed that it will do what it can to improve the supervision of local authorities "according to priorities and possibilities" and that it is already planning a round of inspections to be carried out once the currently ongoing administrative reform is completed.
However, the National Audit Office thinks a paradigm shift is needed. Instead of simply providing funding and information, actual supervision and checks need to be implemented.
"The reason why the situation in local governments is not better can be that the present target group that attended training consisted of IT specialists, not the management of agencies. RIA stated in its response that senior managers have very little interest in attending such training. The National Audit Office emphasises in its report that attending such training is actually not optional for the heads of agencies," the audit office wrote.
Final recommendations to local governments include appointing a specific employee to "perform the duties of an information security manager," establishing requirements for the standard software used, and making sure that any database can be connected to the state's X-Road system where needed, to get rid of the need for multiple data entries.
Editor: Dario Cavegn