Estonia is the world’s most digital country. This small, northeast European nation of 1.3 million people has an almost entirely digital government. Estonians can obtain prescriptions, sign documents, pay taxes, transfer property, and vote online. Even those who don’t live in Estonia can apply for e-residency.
Estonia also has the doubtful honor of being one of the first countries to suffer cyberattacks as a form of modern warfare. In 2007, sophisticated DDoS attacks hit broad targets, swamping the websites of banks, newspapers, broadcasters, and the Estonian government, and taking down the internet for regular citizens. Estonian authorities traced the attacks to Russia.
Science Node recently spoke with Liisa Past, Chief Research Officer for Cybersecurity of the Estonian Information System Authority. We asked her about living in a digital nation, voting online, and the future of cyber warfare.
Estonia’s transition to an almost fully digital government is impressive. But isn’t it incredibly risky to store so much infrastructure—including citizens’ personal and confidential information—online?
The digital world doesn’t bring greater risks, just different risks. Take something basic like government archives. If records are kept on paper, they’re hard to back up. If there’s any kind of damage—like fire, flood, or theft—it’s very hard to restore. Digital backup is easier.
Or take confidentiality. If someone accesses your paper archives, especially now that you can have a camera embedded in just about anything, it’s difficult to trace who accesses what, and what they might take out. But with digital records, you can log every single step and movement. If someone breaches the confidentiality, you can trace it back.
Some people find the idea of digital voting scary. How did you reassure Estonians that the process was secure and that they could and should trust the government?
We’ve built trust over the course of fifteen years. The first time i-Voting was offered in Estonia, in 2005, just under two percent of voters opted to use it. But as digital services kept expanding and achieved high penetration across society, trust grew. People banked online more, and they voted online more. They began to prefer to change their population registry records online rather than show up at the office.
i-Voting uses a secure voting app on an internet-connected computer. You sign in and then double-sign your vote with your government-backed ID card. Now one-third of Estonian voters prefer to vote online. It has become so democratized that an i-Voter is an average voter.
No factor predicts i-Voting — not education or political preference, not even computer literacy. The only factor that influences i-Voting is if the trip to the polling place takes more than a half-hour.
One of the lessons we’ve learned is that you don’t just change the system abruptly. You introduce these things slowly as an enhancement. Most people will prefer convenience.
Implementing these systems and technologies must have been expensive. What’s the advantage to the government?
After the initial investment, it’s more cost-effective. We estimate that 2-6 percent of GDP is saved through these digital solutions. There’s also a lot less room for error and a whole lot less duplication.
I can’t help but suspect that Estonia has only been successful with this transition because of its small size. Could the same system work in a large, heterogenous society?
It’s true that if you’re dealing with only 1.5 million people, it’s easier to implement new solutions. But those solutions can be scaled up.
Many organizations have trouble just preventing their employees from responding to phishes. Are Estonians more computer-savvy than the rest of the world?
The biggest attack surface is between the screen and the chair. A lot of security incidents are very basic, due to people clicking on malicious links, being spear-phished, or targeted through very sophisticated social engineering.
But you can’t make the user responsible for everything—you can’t just educate them and hope for the best. We don’t expect people to practice their own medicine or to fix their own teeth. We have specialists to do that.
For a successful digital society, there has to be a legal framework. Government and corporate best practices have to facilitate the user making the right choices. Estonia is one of the champions of the world when it comes to communicating vulnerabilities and incidents very openly.
What about a worst-case scenario? What about hackers or an escalation of cyber-warfare?
One of the things we’ve seen is that nations seem to exercise self-deterrence in cyberspace. They don’t apply full capabilities, partially because they don’t know what are the capabilities of the other nation to respond. So there is deterrence through doubt.
I don’t think cyberwar will happen in isolation. It will be integrated into armed conflict as an extra domain of military operations—and that’s actually the language NATO uses. Just like information operations and the issuing of fake news and misinformation, cyberattacks are another way that a nation tries to assert itself and its interests during peacetime.
What makes cyber operations different from conventional territorial defense is that it’s very good at creating inconvenience. But in a very digital way of life, everything from how food is produced to how you communicate with loved ones to critical infrastructure has an element of computer control.
Take the 2007 attack on Estonia, the DNC hack, the Sony hack, the attacks against the Ukrainian power grid in 2016, to name prominent examples that appear to be either state-sponsored or at least politically-inspired. None of these were anywhere close to the level of warfare, or what international law calls use of force or an armed attack.
But they were inconvenient, and they were enough to get some citizens to doubt their government’s ability to protect their lifestyle. That creates chaos, but it’s not warfare. It’s just something that, as societies, we have to be aware of. These are platforms that politically motivated actors will continue to use.