Estonia steps up plan to counter cyber attacks by siting critical systems offshore

To thwart a cyber-attack on its national infrastructure or even an invasion, Estonia is getting ready to open its first data embassy overseas.
Written by Kalev Aasmae, Contributor

In 2014, Estonia introduced initial plans to create 'data embassies' capable of running duplicates of its critical systems, including databases and services, in secure data centers on foreign soil.

Now, three years on, the then seemingly utopian plan is becoming a reality. Estonia has signed its first official contract with Luxembourg to guarantee diplomatic immunity for all the Baltic state's systems that are to be duplicated and run from a data center in the principality.

"Next, we have to sign rental and service contracts to use Luxembourg's national data center and then we can start building the technology and 'furnishing' the data embassy," Mikk Lellsaar, ministry of economic affairs and communications executive specialist tells ZDNet.

"The first data embassy will most probably start working at the beginning of 2018."

He says the embassy in Luxembourg is going to mirror many data systems of critical importance, such as the state treasury information system, state pension insurance registry, identity documents registry, business register, land register, and land cadastre among many others.

"The data embassy in Luxembourg is a pilot project, and the further development and the potential establishment of new data embassies depend on its results," Lellsaar explains, adding that the most important prerequisite to creating the data embassy is that the data center where it is situated belongs to a country that has a longstanding friendly and trusting relationship with Estonia.

"The state that owns the data center must guarantee immunity to the data stored there, and the data center has to also have high security certifications such as Tier 4, ISO 27001," he says.

Obviously, duplicating critical information on foreign soil raises many challenges.

"We have to provide security and standardized encryption for data exchange, and solve many legal and technical problems. For example, we have to figure out what to do when the communication between the systems, the one in situated in Estonia and the other in Luxembourg, breaks down," he says.

"Then we'll have a situation where the two systems are active simultaneously and we have to decide which one is primary and which one is secondary and how to ensure the consistency and integrity of the system."

One of the main goals for the data embassies is to keep Estonia's state systems functioning even in a crisis, when the servers in Estonia don't work for some reason, such as a cyber-attack or the unlikely event of an occupation of Estonian territory.

Eventually, the data embassy in Luxembourg should be able to keep Estonia's state data systems fully operable independently. But it will still take some time until that goal is achieved, according to Lellsaar: "We still need a few years to redesign and develop the critical systems to achieve that level of functionality."

Three years ago, when the initial idea of data embassies was conceived, the then director general of Estonia's information systems authority Jaan Priisalu explained his vision of it to ZDNet.

In his view, in the long term Estonia's critical data and information systems could be scattered and running in various digital embassies situated in the friendly countries all over the world, so that none of the service providers would have access to the encrypted data.

Today this vision still remains in the pipeline, but won't probably become a reality in the next few years.

"Although the blockchain technology has developed significantly, and also Cybernetica [a local firm behind many of Estonia's state systems] has turned its Sharemind technology into a product, these systems still need testing and development," Lellsaar explains.

"Additionally, to implement those technologies, the systems have to be rebuilt."

Read more from Estonia

Editorial standards