Annual Cyber Security Assessment 2018 - Estonian Information System Authority
Contents

Introduction: the state of affairs in Estonia and international cyberspace ... 3
Key events in 2017 ... 5
2017 in figures ... 5
How did the past year stand out? ... 9
Mitigating the security vulnerability on the Estonian ID card ... 9
The Estonian Presidency of the Council of the EU ... 17
Municipal council elections ... 18
What has changed in the threat landscape? ... 21
State-sponsored campaigns did not pick their targets ... 23
Phishing, data leaks, and secure digital identity ... 26
New password guidelines ... 27
Sources, actors and motives ... 31
State-sponsored cyber attacks against vital services ... 33
Cyber-enabled attacks against democratic processes ... 35
Attribution and responses to cyber attacks ... 37
Technological risks ... 38
What is “strong cryptography” and why is it important? ... 38
Sectoral cyber risks and preparedness ... 41
Central government ... 42
Local governments ... 45
Essential services ... 47
Cyber risks in the healthcare sector ... 50
The Cyber Security Act ... 52
Preventing cyber-induced emergency ... 55
Summary: conclusions and assessments for 2018 ... 57

Estonian Information System Authority: Annual Cyber Security Assessment 2018
Introduction: the state of affairs in Estonia and international cyberspace

Dear reader,

2017 was an unusually eventful year in global cyberspace. Malware campaigns caused havoc around the globe, large data leaks took place, and vulnerabilities were found in technologies thought to be secure, providing fodder for public discussion throughout the year. General awareness of cyber threats grew, as did the realization of the limitations of previous accomplishments. Societies and countries are developing a more mature understanding of the need for substantial efforts to ensure cyber security, going beyond merely the awareness that there is a problem.

For Estonian cyber security, 2017 can be considered a good year. We succeeded in fending off several major challenges, which gave us confidence that we have chosen the right way to protect ourselves in cyberspace, and this instilled courage and necessary lessons for moving forward. The most important achievement in this field was undoubtedly the effort to resolve a vulnerability on the Estonian ID card chip. Our response to this ID card crisis, which had a global impact, showed that our image as a successful digital society isn’t just hype but is exemplified by an agile approach and a highly-functioning community – companies, research institutions and state – who are able to work together. In this sense, the rescue effort was a useful crisis in that it was a practical experience and we passed the test – we were able to protect our digital state and society. Use of the ID card and services continued as before the crisis; public confidence in e-services was not shaken. All of our society now has a better understanding of the nature of cyber threats and of their potential impact on our way of life. At the same time, we gained real-life experience of the fact that we all have a role to play in cyber security: ordinary users, service providers and IT infrastructure operators.
All of this means the lessons learnt from the ID card patch effort can be applied for the general protection of our digital way of life. The security vulnerability discovered on the ID card is not the only one of its kind. Last year saw a number of cases, all equally significant, where a flaw was discovered in an established technology. The vulnerability in the WPA2 WiFi protocol discovered last autumn and the flaws affecting the processors of nearly all computers in use today are just a few examples of this phenomenon. Researchers, governments and criminals are all searching for vulnerabilities in commonly used solutions, and it is a fairly safe bet that, proverbially speaking, what is today a secure solution will have to be patched tomorrow.

The WannaCry and NotPetya malware campaigns, which had relatively little direct impact on Estonia, received massive international coverage and underscored one of the most important positive trends last year – the readiness on the part of the international community to attribute cyber-attacks to their perpetrators. The goal of the cyber-attacks orchestrated by North Korea and Russia was not to generate criminal income but to support the political goals of their respective countries. A few years ago, such governmental cyber-attacks went unpunished, but since WannaCry and NotPetya, the first major steps have been taken to hold criminals liable and deter them from any subsequent attacks. In this context, the Cyber Diplomacy Toolbox approved during the Estonian Presidency of the Council of the EU deserves mention as it provides a means to respond to cyber-attacks by state actors. Also coinciding with the Estonian Presidency, a key upgrade to the European cyber security environment was introduced, receiving a boost from Estonia’s characteristically goal-oriented approach.

Besides all of the above, we also made energetic progress in advancing Estonia’s own cyber security. The most important achievement in this field is perhaps the draft Cyber Security Act, which is currently being deliberated by Parliament.

A large part of our everyday lives depends on digital technology. We shouldn’t forget that we all help to create cyber security, whether as ordinary users, in administrative or leadership roles, in the political arena or in some other capacity. In addition to providing a readable overview of what is taking place in the cyber sphere, the assessment you are reading looks at how each one of us can make a contribution to Estonia being better protected in cyberspace.

Taimar Peterkop
Director General, Estonian Information System Authority
KEY EVENTS IN 2017

2017 in figures

Even though RIA, for the first time, crossed the threshold of 10,000 cyber security cases in Estonia last year, only 122 incidents had a direct impact on a service vital to the functioning of the state and society, and this was the lowest figure in the last three years.

The number of cyber security cases registered in Estonia exceeded 10,000 last year. In 2017, the Estonian Information System Authority (RIA) dealt with a total of 10,923 cyber security cases in Estonian computer and data networks. Of these, 3,162 were considered incidents, which had a direct impact on the confidentiality, integrity or availability of information or systems. The reasons for these events were very different – from equipment failures to human error to malicious activities. As in previous years, the most frequent occurrences involved various web domains and emails that spread malware. Far from all of the incidents could be considered cyber-attacks and many of the attempted attacks are halted and cause no damage.

From the point of view of Estonian cyber security, services that have a critical impact on the usual functioning of society and people’s sense of security are considered the most important. Last year we had only 122 incidents with a high priority – that had a direct impact on a service vital to the functioning of the state and society – the lowest figure in the last three years. Among services affected were, for instance, use of electronic identification and digital signing in mobile operators’ networks, and healthcare and banking services. More details are provided below.

2017 IN NUMBERS
10,923 cases handled
3,162 cyber incidents
122 high priority incidents
[Chart: Cases handled in 2017 (compared to 2016), by quarter Q1–Q4. Series: Cases in 2017, Incidents in 2017, Cases in 2016, Incidents in 2016. Values read from the chart (per-quarter assignment not recoverable from the extraction): cases in 2017 – 3,147, 2,963, 2,463, 2,350 (total 10,923); incidents in 2017 – 943, 675, 726, 818 (total 3,162); cases in 2016 – 2,609, 2,361, 2,208, 1,987; incidents in 2016 – 517, 618, 515, 598.]

Incidents handled by category (2017): Malware 61%, Compromise 11%, Ransomware 8%, Service interruption 6%, Phishing 6%, Defacement 4%, Administration error 3%, DDoS 1%, Financial fraud 0%, Scanning and brute force attacks 0%, Data leak 0%, Equipment theft 0%.

WHAT IS A CYBER INCIDENT?

A cyber security incident is an event that had a direct impact on the confidentiality, integrity or availability of information or systems. One or more of the three parameters may be impacted and the reason can be human behaviour or a disruption caused by the natural or manmade environment.

Confidentiality refers to how well the data or system is protected against unauthorized access by third parties. Examples of confidentiality incidents are a data leak affecting credit card data or health data, confidential documents or social media account passwords.

Integrity refers to how well data are protected against unauthorized changes or destruction. An integrity incident includes a change made to a prescription in a database or to payment data in a digital invoice sent to a customer.

Availability measures whether a system or data are up and running and functioning as expected. An example of an availability incident is when access is cut off to a website, or a digital service goes down due to a distributed denial of service attack.
Our insight into the cyber domain is constantly improving…

The number of cyber incidents registered in Estonia has been on the rise in recent years. There were several reasons for this. One is the greater importance of the digital environment to society: a wider selection of digital services, more customers and more intensive use of services all mean that organizations are more dependent on the digital environment for organizing everyday activity. The impact of cyber incidents for the organization itself and society as a whole is thus more and more important. At the same time, it means greater potential gains for the attacker – and indeed, compared to last year, the number of deliberate attacks has increased.

Over the years, our ability to detect incidents has improved – the result of better tools, a more systematic approach to monitoring and more effective cooperation with partners. We are now often able to repel attacks before they reach Estonia and send out public advisories along with instructions on which measures to implement. For years, we have made efforts to make Estonian cyberspace a hostile environment for malicious actors – for example, we have worked with our partners and Estonian service providers to quickly detect and take down phishing websites. As a result, the number of successful phishing incidents in Estonia has decreased significantly.

… yet public awareness and skills are still uneven

The cyber security skills of organizations are also improving – the view that an organization should have an overview of what is going on in its information systems and readiness to prevent risks and react quickly to them is gradually spreading upward beyond the IT specialist’s desktop. Incidents that used to be dealt with – or not – by the information system administrators themselves are now noticed at other levels and the information about them reaches us more often.
This benefits the information system operators and the state as a whole: we have more operational and integral information about widespread dangers or attack campaigns, which allows us to give early warning to those in the line of fire, and we can also offer expert support and consultation when it comes to correcting information. The improved risk awareness and early detection of attacks help to reduce risks to service continuity and damage arising from potential attacks.

In spite of the improved awareness, it is clear that the level of readiness is very inconsistent from one sector to the next and many incidents still go unnoticed – and they also pose a risk to the other service users, not only the system owners. We detected close to half of the cyber incidents registered last year as a result of our own monitoring. The remainder were mainly reported to us by cyber security institutions of foreign countries, Estonian vital service providers and state IT centres. For instance, thanks to consistent efforts of the Ministry of the Interior’s IT and development centre (SMIT) and good cooperation between SMIT and RIA, the state has an operational overview of events in the internal security field and response capability; although the systems are critical, only a few incidents have a more serious impact. We still have our work cut out for us in the healthcare sector and among small businesses, where a cyber-attack is usually detected only after major damage has already occurred.

WHAT DOES INCIDENT MONITORING MEAN?

RIA’s incident response department, the Computer Emergency Response Team of Estonia (CERT-EE), monitors network traffic in .ee networks to detect signs of malicious activities. Information about threats, critical vulnerabilities and extensive malware campaigns is received from cooperation partners in Estonia and abroad and public sources.

The number of cyber incidents is growing worldwide and Estonia is no exception in this regard. The following indicators characterize the previous year internationally:

• The number of ransomware incidents worldwide grew by 36 per cent and the number of emails that spread malware grew by one-third.
• The number of distributed denial of service attacks is on the rise – in 2017, over 7.5 million DDoS attacks occurred and the average peak bandwidth of the attacks has nearly doubled over a few years.
• The spread of malware meant for mobile apps is still growing – the number of malware apps has more than doubled over the year and the number of infections disclosed is in the range of several million. The number of smart household devices – continually increasing – also represents a risk.
• Leaks of user information (usernames and passwords) are massive – the 1.1 billion cases recorded in 2016 was twice the number from a year earlier. A database containing the information of 1.4 billion users was leaked on the dark web in late 2017, adding a solid increase to these figures.
• Statistically, it takes the average company 168 days to discover that their information system has been compromised. This time is cut to less than 10% when the company itself monitors its networks.[1]
How did the past year stand out?

RIA prepared extensively for 2017 – Estonia held the EU Presidency in the second half of the year; local elections took place, with experience of our allies indicating a need for increased vigilance. The resolution of the security vulnerability in the ID card, found in the autumn, became a test of our maturity as a digital society. These events confirmed our conviction that although cyber incidents cannot be fully prevented, good planning and preparedness can prevent them from having a significantly disruptive, crippling impact.

Mitigating the security vulnerability on the Estonian ID card

State-issued digital identity – the Estonian ID card and its derivatives mobile ID and digital ID – is among the pillars of Estonia’s digital ecosystem. The functioning of Estonian digital society is predicated on the digital signature having equal status to handwritten signatures and the possibility of electronically authenticating oneself. Thus, every risk connected to digital identity is under heightened scrutiny.

THE ESTONIAN ID CARD: A UNIQUE PLATFORM
• 1,295,844 valid ID cards as of 2018, of which 26,199 e-residency cards in a total of 142 countries
• First document signed by ID card – 7 October 2002
• 481 million digital signatures and 658 million authentications – a total of a billion transactions in 15 years
• 747,580 ID cards that are used digitally at least once a year; about 42,000 people use their ID card digitally at least 100 times in a three-month period
• Since 2016, RIA is responsible for the digital elements on the ID card. As an identity document, the card remains in the jurisdiction of the Police and Border Guard Board. The certificates for the ID card are issued by SK ID Solutions AS
• As of the end of 2017, 160,000 people were using mobile ID and 140,000 were using Smart-ID
• The 2017 new Emergency Act specifies authentication by ID card and digital signing as a vital service
• The cryptographic weakness notified in late summer of 2017, which made the ID card theoretically vulnerable, affected close to 800,000 cards issued between 16 October 2014 and 24 October 2017
• The (remote) updating of the ID card – the replacement of the certificates with new ones – became possible on 25 October 2017
• The flawed certificates were suspended on 3 November 2017
• The renewal of the suspended certificates was possible up to 31 March 2018. During that time, 494,000 ID cards were updated – 94% of the cards in digital use, of which 354,000 were updated remotely

On the evening of 30 August, a researcher with the Centre for Research on Cryptography and Security at Masaryk University[2] alerted us to a security vulnerability on the chips used on the Estonian ID card. According to the analysis by the research group, the vulnerability, internationally known as ROCA (Return of the Coppersmith Attack), affects RSA cryptographic keypair generation in chips produced by one of the leading manufacturers, Infineon. Over a billion chips used in various products and services were impacted globally, among them chips used on Estonian ID cards issued from autumn 2014, as well as on digital IDs, diplomatic IDs and e-resident cards. Theoretically, the security vulnerability could have allowed the private key (which is used for authentication and signing) to be mathematically calculated from the public key – in theory, making it possible to clone the victim’s cryptographic keys and use them for authentication, sign documents instead of that person, or decrypt documents meant for that person, even without being in physical possession of the card.
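The practical defender's question raised by the paragraph above is how an operator can tell, from a public key alone, whether it came from the affected Infineon key generator and must be replaced. The following is an added example written for this edit; it is not code from the report, from RIA, or from the Masaryk research group's own tooling. It implements the public-key fingerprint test the ROCA researchers described: affected firmware built RSA primes of the form k·M + (65537^a mod M) with M a product of small primes, so the modulus N reduced modulo each of those small primes always lands in the subgroup generated by 65537. The prime list (the odd primes in M for the smallest key size, which larger M values also contain), the generator 65537, the function names and the synthetic test moduli are all assumptions or constructed data for this example, not values from the page.

```python
# Added example (not from the RIA report): ROCA public-key fingerprint check.
# Detection only: a positive result says "this key came from the weak
# generator, rotate it"; it does not compute anything about the private key.
from math import prod

# Odd primes in the smallest ROCA M (first 39 primes); larger key sizes use a
# larger M that still contains all of these, so the test covers them as well.
FINGERPRINT_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
    71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
    149, 151, 157, 163, 167,
]
GENERATOR = 65537  # the generator used by the affected key-generation routine


def multiplicative_order(g: int, r: int) -> int:
    """Smallest k >= 1 with g**k == 1 (mod r); r is a prime not dividing g."""
    k, x = 1, g % r
    while x != 1:
        x = (x * g) % r
        k += 1
    return k


# ord_r(65537) for every fingerprint prime, computed once at import time.
ORDERS = {r: multiplicative_order(GENERATOR, r) for r in FINGERPRINT_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True if n mod r lies in <65537> for every fingerprint prime r.

    (Z/rZ)* is cyclic, so its subgroup of order ord_r(65537) is unique:
    n mod r is a power of 65537 exactly when n**ord == 1 (mod r).
    A random modulus passes all 38 checks only with negligible probability
    (the ROCA paper puts the false-positive rate in the region of 2**-154).
    """
    return all(pow(n, order, r) == 1 for r, order in ORDERS.items())


def fingerprint_report(n: int) -> str:
    """Operator-facing verdict for one RSA public modulus."""
    if has_roca_fingerprint(n):
        return "SUSPECT: ROCA fingerprint present; treat the key as weak and replace it"
    return "OK: ROCA fingerprint absent"


# Constructed sample inputs (not real card keys, not from the report):
#  - a synthetic modulus assembled the way the weak generator assembled key
#    material, which therefore carries the fingerprint;
#  - an ordinary large odd number, which does not (10**300 + 7 is 8 mod 11,
#    and <65537> mod 11 is {1, 10}, so the check fails at r = 11).
M_ODD = prod(FINGERPRINT_PRIMES)
SYNTHETIC_WEAK_MODULUS = 3 * M_ODD + pow(GENERATOR, 12345, M_ODD)
ORDINARY_MODULUS = 10**300 + 7

if __name__ == "__main__":
    print(fingerprint_report(SYNTHETIC_WEAK_MODULUS))  # SUSPECT
    print(fingerprint_report(ORDINARY_MODULUS))  # OK
```

In practice the modulus is taken from a certificate or public-key file (for example with a library that parses X.509 and exposes the RSA public numbers) and the check is run across a whole fleet or certificate inventory; every hit is a key to rotate, which is exactly the remedy the ID card update applied by generating new keypairs on the chip.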
Exploiting the vulnerability would not have been easy or inexpensive, and there are no known cases of successful exploitation of the ID card or similar chips. Besides a person’s public key, it would also require significant cryptographic expertise, specific software and significant computing power, estimated to cost up to USD 80,000, going by prices of Amazon’s cloud computing services (AWS). At the same time, it was evident that, if the certificates remained valid, the risk of exploitation would increase significantly as soon as the methodology used by the research group became public. After initial evaluation of the notification, it was clear to us that the problem needed an urgent fix.

Due to the large number of the digital certificates affected and their broad use in both state and private sector services, revoking the cards would have meant extensive impacts to the availability of and access to digital services – such a step would have disrupted the use of digital healthcare, the Tax and Customs Board digital services, the government document exchange platform, as well as financial transactions. Disruption would have also been posed to the working processes in and between government agencies. The security flaw did not affect mobile ID, but mobile ID was used by only slightly more than 100,000 people at that time, and a number of digital services did not support it.

[Photo: Open risk management on the governmental level: press conference with prime minister and key officials explaining the vulnerability affecting the Estonian ID card. Photo: Taavi Sepp / Ekspress Meedia]

WHAT ELSE DOES THE ROCA SECURITY FLAW AFFECT?

Estonia’s 800,000 ID cards with the security vulnerability in question make up a negligible share of ROCA’s global impact. It is estimated that there are at least 1 billion problem chips in use around the world as firmware or software components and on plastic cards. The Infineon chips that led to the vulnerability in the Estonian ID cards are used in driving licences, passports, access passes and other applications.[3]

The documents of at least 10 countries were affected. Chips with the same flaw are known to be used in documents used for identification in Slovakia, Austria, Poland, Bulgaria, Kosovo, Italy, Taiwan, Spain, Brazil and Malaysia. In Spain, the vulnerability affected 17 million cards. However, none of these countries have a universal digital ID and therefore they depend less on the cards than does Estonia and have fewer corresponding services.

Trusted platform modules. TPMs are the basis for modern computers’ security architecture. The vulnerability is known to affect at least Lenovo, HP, Toshiba and Fujitsu computers. TPMs are primarily used in enterprise client computers, so home users are generally not impacted. For example, in Microsoft Windows, a TPM protects BitLocker disk encryption and other security mechanisms in the operating system. Microsoft has issued a temporary patch through Windows Update that essentially replaces the TPM with a software solution. Other manufacturers have released similar patches.

Security tokens used for virtual private network (VPN) access, email security and other critical security operations. Of these, at least Gemalto and Yubico products were affected, with Yubico replacing the defective products at its own expense.

It is possible that some payment cards with chips are also vulnerable.
The solution to the situation had to restore the high security of the ID card without damaging the availability of services. In essence, we found ourselves in a race against time in early September, looking for a new secure solution with the Police and Border Guard Board and other partners, and preparing to implement it while knowing full well that sooner or later, the certificates at risk would have to be suspended.

The crisis resolution team made the decision early on to be transparent in its public communication and let the public know about the facts we knew. This step short-circuited speculations and alternative interpretations and ensured that the working group could focus on finding a solution to the problem itself. Ultimately, it meant that the new solution – based on elliptic curve cryptography (ECC) instead of an RSA library – was available before we needed to suspend the affected certificates. Moreover, user confidence was preserved and electronic services remained available. For example, a record number of internet voters cast votes in the 2017 local elections and the number of transactions performed using ID cards remained at a normal level in the days and weeks that followed. At the same time, use of mobile ID increased significantly.

Besides the broad use of the ID card in society, Estonia is unique in that it offered the possibility of updating certificates remotely – people were able to update their ID card software from any computer connected to the internet and equipped with an ID card reader – as well as the possibility of suspending the affected certificates. As experience showed, other countries facing a similar situation did not have these two possibilities and had to find a way to issue new ID cards or update the existing ones at service outlets. Once the certificates had been revoked, it wasn’t possible to renew them.
TIMELINE OF EVENTS

30 August, 19:35 – A member of an international cryptography research group sends CERT-EE an official notice regarding a security vulnerability associated with Infineon chips that affects Estonian ID cards. The risk lies in a vulnerability of a cryptographic library used in RSA keypair generation.
31 August – RIA’s preliminary assessment confirms the possibility of a security vulnerability. The Police and Border Guard Board (PPA) and the Ministry of Economic Affairs and Communications are notified.
1 September – The minister of economic affairs and communications is briefed on the matter. RIA involves external technical experts (Cybernetica, Nortal) and partners from the government and private sector. The heads of institutions convene for a meeting – a strategic staff is formed.
3 September – The prime minister and other ministers involved hold a meeting. RIA and PPA working groups run through scenarios and assess potential outcomes. Experts determine the primary impacts on services and make recommendations.
4 September – The Government of the Republic holds an extraordinary session. PPA forms a staff that deals with media monitoring, analysis and inquiries from the media; RIA and other government agencies join the staff. Private and public sector stakeholders like banks and telecoms are notified. Public access to the certificate database (LDAP) is closed.
5 September – The prime minister, IT minister, and the directors general of RIA and PPA hold a joint press conference. The public and international partners are notified of the vulnerability. An information gateway is opened at www.id.ee and kept updated, in cooperation between RIA, PPA and SK ID Solutions.
September – Working groups focusing on technical solutions, crisis management, legal aspects and communications meet regularly. As needed, other institutions and other external experts are called on.
5–11 October – Municipal elections are held. The elections see a record participation among internet voters. Those voting over the internet make up 31.7 per cent of all participants – slightly higher than in past elections.
16 October – The global impact of the vulnerability becomes apparent: Microsoft, Google (Chrome OS), Yubico, Gemalto and a number of larger computer manufacturers (Lenovo, Fujitsu) release security reports.
25 October – The issuing of new ID cards that rely on the ECC encryption algorithm begins. The testing period for the online updating of Estonian ID cards begins. Over six days of testing, close to 20,000 ID cards affected by the vulnerability are updated. Everything is functional and the updates are successful.
30 October – The research paper[4] on the vulnerability in the RSA encryption library is published.
31 October – Card holders are called on to update their cards. Demand for the service is high, resulting in extensive downtime. Systems stabilise by 2 November. Slovakia revokes 60,000 certificates with the ROCA vulnerability, and the card holders have to apply for new cards.
1 November – Spain revokes its vulnerable cards, a total of 17 million of them.
2 November – The research is presented in full at an academic conference in the US.
3 November – Certificates on a total of 740,000 vulnerable Estonian ID cards are blocked, but the cards can be updated online to make them digitally usable again. In addition, PPA opens additional service outlets that will remain open until the year’s end to provide the update service.
5 November – Service usage statistics show that the suspension of the affected certificates did not result in a drop in the digital use of ID cards. Surprisingly, e-resident activity has even increased.
End of 2017 – A total of 400,000 ID cards have been updated. The number of mobile ID and Smart ID users and their level of activity have increased.
February – At the behest of RIA, a Tallinn University of Technology research group starts assessing the lessons learnt for the state and agencies.
5 February – RIA’s eID domain manager Margus Arm and PPA’s Kaija Kirch, head of identity management at PPA, receive state decorations.
1 April 2018 – Certificates that have not been updated are revoked and can no longer be used electronically.

LESSONS LEARNED FROM THE ID CARD CASE

The ID card security vulnerability illustrates how much societies depend on fundamental digital infrastructure – in Estonia’s case, the state, entrepreneurs and users were all impacted. Our crisis management efforts underscored the need to review specific processes – among them administration of the ID card, risk assessment and mitigation as well as inter-agency cooperation. Beyond that, there is a clear need to view the country’s digital architecture and digital governance as a whole. The prospect of further technological risks arising in future will have to be factored in, and although we do keep an attentive eye on technological developments, unexpected eventualities cannot be ruled out. They will require a rapid response. So as not to let a good crisis go to waste, we make a point to seriously evaluate the lessons learnt from the ID card case.

• Dependence and alternative solutions. The ID card is a means of authentication and secure signing for close to 5,000 different public and private sector services. Clearly, in most of these cases, the option of face-to-face authentication and handwritten signatures is no longer an acceptable alternative for society and thus alternatives to the ID card are, above all, other digital, not physical solutions – mobile ID, Smart ID and new solutions being developed. Their penetration and readiness to use them in services must increase.
We were also saved by the fact that our ID card already had several encryption libraries; this allowed new secure keypairs to be generated on the chip.
• The need for flexible, open architecture poses a challenge for the state’s habitual operating patterns – developing solutions in-house or procuring innovation from the market. Few governments possess the entire necessary skill sets; most of the competence lies in the private sector. With globally used technologies, governments cannot fully solve problems inherent in technologies they are merely a customer of. Major international corporations – representing the greatest capacity in providing solutions and services – operate from their own assessment of business risk, and in the case of such a large-scale security vulnerability, a state is just one customer among many. In our case, the online update service gave us flexibility, which allowed the certificates to be suspended pending a later update. This put us in a better position compared to other countries with the same problem.
• Responding to risk. Estonia and Europe have procedures in place for responding to incidents where the impact is already evident. In the case of a theoretical risk where it is hoped to find a solution before the impact is realized, there is no reason to apply such measures, and indeed they would not be appropriate in such a case. Thus, we have to develop similar routines for threats and risks where the impacts are still unrealized.
• Openness. Risks arising from vulnerabilities in fundamental digital infrastructure cannot be managed without the involvement of the stakeholders – including the public and the media – as these risks affect the entire digital ecosystem. That means that, in order to reduce the societal and economic impacts of technology risks, risk management must not only be capable of resolving a complicated technological problem but also be preventive, open and capable of translating the solution into layman’s terms for all of society, in order to respond to the public’s needs.
• Broad-based cooperation between a great range of stakeholders with different roles, expectations and levels of readiness is a sine qua non. A lean government sector should be able to draw on a strong private sector in times of crisis. Hiring additional people in the public sector is not a solution, which is why strengthening our tech industry – above all by means of supporting education and research, to guarantee the existence of knowledge and experts – satisfies the important requirement that they can be called on by the state in times of need.
• A digitally literate society. In today’s digitally dependent society, technological literacy at the individual level (as opposed to offhandedly referring technological issues to an IT department) is now an essential skill. We need more people with multidisciplinary skill sets – those who are simultaneously proficient in both tech and non-tech fields such as economics, public administration or the law.

To draw conclusions and lessons learnt from the ID card case, we have also commissioned an independent study from the Tallinn University of Technology, whose research group will assess the case from the perspective of public administration, technology management and data security and set out its recommendations in spring 2018.

[Photo: A piece of fake news claiming that Estonian PM Jüri Ratas had expressed support for Catalonian independence found its way on to social media right before the EU Digital Summit in Tallinn.]
Prime minister Ratas opening the Estonian Presidency cybersecurity conference on 14.09.2017. Photo: Karolin Köster
The Estonian Presidency of the Council of the EU

For Estonian civil servants, the greatest challenge in the past year was naturally the Presidency of the Council of the EU, one of the main topics for which was the European Union’s cyber security. For member states that held the previous EU presidencies, the number of cyber attacks against strategic state and public services and targets increased during this period. Besides that, the Estonian Presidency focused on digital topics, due to which any successful attack against us would certainly have had a broader impact than just our own country and population.

Ensuring cyber security during the Presidency required technical preparations, training of officials, developing readiness for threats, and constantly ensuring situational awareness, running through all scenarios at an exercise held in June together with our partner institutions. Fortunately, we were prepared for all developments, and the majority of cyber incidents related to the Presidency were of a technical nature (power outages) or human error – discovered and resolved quickly with minimum impact.

Besides developments on the home front, Brussels had high expectations that Estonia would advance EU cyber security as a whole. The most important fundamental outcome of the Presidency was the fact that after the Estonian Presidency, there are no longer any bureaucratic obstacles to implementing any of the EU’s common foreign and security policy (CFSP) measures (including restrictive measures) in response to cyber attacks. Led by Estonia, an agreement was reached by member states in Brussels on the relevant procedures. Now, any foreign government planning, supporting or enabling cyber attacks will have to keep in mind that the world’s most important economic bloc is able to use all of its possible economic and foreign policy tools as a response to malicious cyber activities.
Second, a new European Union cybersecurity strategy [5] was prepared during our presidency, laying a basis for several major initiatives that could have an enduring impact on the cyber security of the EU as a whole. The most important among them is the proposal for the creation of an EU-wide cyber security certification framework and the plan to create a network of centres of excellence among the EU’s R&D institutions in this field. It is the latter that has great potential to support research developments on the cyber front and thereby incentivize various smaller R&D centres to engage in greater cooperation with each other. Besides developing our own cyber security, it should result in a stronger EU economy and industry. The establishment of the Estonian Information Security Association in late 2017 has a clear importance in that context – it is positioned to become a member of the EU network and will provide a longer-term platform for the development of solutions for ensuring the security of Estonian digital society in cooperation with Estonian businesses.

Third, the Estonian Presidency also had a major role in getting the cooperation networks of EU member states’ institutions responsible for cyber security into more active gear on a technical and strategic level. The Estonian Presidency was the one that had to provide the substance for the strategic-level Cooperation Group and the EU CSIRTs network’s* daily activities. Flexibility and a focus on getting results – both qualities that have come to be associated with Estonians – helped us lead the EU effectively in this regard. In addition to efforts to implement the NIS Directive, the EU member states’ cyber security institutions started, under the leadership of the director general of RIA, tackling the topics of cyber security of electoral processes and reducing the risks from cross-border dependencies. At the technical level, our hard-working CERT team, its leadership and technical platforms, helped the EU-established cooperation network to offer visible added value towards solving the WannaCry and NotPetya incidents.

Municipal council elections

Estonia was the first country in the world to adopt internet voting – for the 2005 general elections. Nine election cycles later, Estonia is still the only country where voters can cast votes online based on the state-issued secure electronic identity at general elections, with the votes having equal status to physical ballots cast on Election Day. While in 2005 fewer than one in 50 voters used the online option, about 12 years later one in three voted online (31.3 per cent at European Parliament elections and 30.5 per cent at Estonian general elections).
At the local elections in autumn 2017, the previous turnout record was narrowly broken when 31.7 per cent of votes were cast online. Trust in online voting and its perceived and actual security are largely based on Estonia’s extensive, widespread ecosystem of secure digital services. For one thing, people in Estonia are accustomed to using many private and public sector services, ranging from banks to Population Register procedures, and thus they tend to trust other digital services as well. Secondly, secure elections are also made possible by other well-developed digital systems, starting from the Population Register – which is used to draw up voter lists – to the state-issued digital identity, on which internet voting is based. Furthermore, Estonia has chosen a consistent transparency strategy, which means that a large part of the election documents and software source code is public. It is self-evident that in addition to technical measures, the workings of the elections are likewise founded on security.

* The EU CSIRTs network consists of the member states’ national cyber incident response units.

In light of global developments, the cyber security of election technology was under heightened scrutiny in Estonia as well last year. In the past, the assessment of threats against internet voting has focused above all on the technical risks in the systems. Considering how the risks have changed, a change was made in 2017 to draw up a full risk assessment for e-voting, examining potential politically motivated cyber attacks, possible risks from Estonia’s distributed responsibility model and other fields that could potentially influence the legitimacy of voting. Such a broad-based approach was based on the understanding that the legitimacy of elections depends not only on the security of the technical systems for counting and reporting votes but also on the trust of the whole society in the entire state digital ecosystem. The analysis also mapped systems and solutions on which elections depend.

We have been a partner for the State Electoral Office and the National Electoral Committee in hosting the system for receiving votes cast online, and we have taken part in the online voting organizing committee. As new server software was introduced in 2017, we saw to the security testing of these systems. Tests were carried out by two companies offering pentesting services, who reported different findings. Likewise, the Estonian Cyber Defence League also tested the online voting solution. The problems found were fixed, yet no test found any critical flaws.

Chart: Use of internet voting at elections since 2005 – number of internet voters (scale 0 to 200 000) and percentage of voters who voted by internet (scale 0 to 35 %) for KOV 2005, RK 2007, EP 2009, KOV 2009, RK 2011, KOV 2013, EP 2014, RK 2015 and KOV 2017. KOV – municipal council elections, RK – general elections, EP – European Parliament elections.

Typical online voters are no different from typical conventional voters

Acting head of the University of Tartu’s Skytte Institute, senior researcher Mihkel Solvak, comments on the spread of online voting

Discussions on whether online voting methods should be enabled often begin and end with two questions – “who will be using this?” and “who benefits?”. The spread and patterns of online voting in Estonia allow us to answer both questions the same way. In the first three elections with online voting, the so-called i-voters were distinct from typical voters. The former used to be 30-40-year-olds, better educated, more affluent and clearly more digitally literate. As time went on, nearly all of these factors have disappeared, so much that there is no longer any statistically significant difference between i-voters and paper ballot voters in Estonia. In other words, that means i-voting is so widespread in society that typical i-voters are now similar to typical paper voters. The structure of voters is actually the same, and the only change has taken place in the voting method. So who benefits? Ordinary voters who save time by not having to undertake the physical trip to the polling stations.
Besides the above-described activities, CERT-EE’s election task force contributed by tracking network traffic in the online voting infrastructure and keeping an eye out for anomalies such as DDoS attacks. We took part in communication work and planning of communications in the same capacity. The close to 186,000 e-votes counted – an all-time record – showed that the trust in online voting remains high and this was not affected by the ROCA vulnerability on the ID card or “hacking” of elections around the world (for more on this, see the chapter “Sources, actors and motives“).
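The traffic monitoring described above, watching voting-infrastructure traffic for volumetric anomalies such as DDoS, as an added illustration that is not CERT-EE’s own tooling: a small Python detector run over a constructed access log. The log line format, the 10-second window, the per-source limit and the 3× baseline factor are assumptions made for the example. It flags both a single loud source and a distributed flood in which no single address is loud, which is the case a per-IP threshold alone would miss.

```python
"""Volumetric-anomaly check over web front-end access logs.

Added example; not CERT-EE's code. Log format, window size and thresholds
are assumptions. Requests are bucketed into fixed time windows, a baseline
is taken as the median window volume (robust against the spikes themselves),
and two conditions are flagged:
  (a) a single source exceeding a per-source limit inside one window,
  (b) a window whose total volume exceeds a multiple of the baseline,
      which also catches a distributed flood with no single loud source.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

START = datetime(2017, 10, 10, 9, 0, 0)  # constructed: advance-voting period


def build_sample_log():
    """Constructed access log: '<ISO timestamp> <source IP> <path> <status>'."""
    lines = []
    # Baseline: five ordinary clients, one request per second each, for 160 s.
    for sec in range(160):
        ts = (START + timedelta(seconds=sec)).isoformat()
        for i in range(5):
            lines.append(f"{ts} 203.0.113.{10 + i} /vote 200")
    # Single loud source: 80 req/s for 5 s from one address (seconds 120-124).
    for sec in range(120, 125):
        ts = (START + timedelta(seconds=sec)).isoformat()
        lines.extend(f"{ts} 198.51.100.5 /vote 503" for _ in range(80))
    # Distributed flood: 100 addresses, 2 req/s each for 10 s (seconds 150-159);
    # no single address exceeds the per-source limit.
    for sec in range(150, 160):
        ts = (START + timedelta(seconds=sec)).isoformat()
        for host in range(1, 101):
            lines.extend(f"{ts} 192.0.2.{host} /vote 503" for _ in range(2))
    return lines


def parse_line(line):
    ts, ip, path, status = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status)


def detect_anomalies(lines, window=timedelta(seconds=10),
                     per_source_limit=50, global_factor=3.0):
    """Return the baseline volume, noisy sources and spike window indices."""
    events = sorted(parse_line(ln) for ln in lines if ln.strip())
    if not events:
        return {"baseline": 0, "noisy_sources": [], "spike_windows": []}
    origin = events[0][0]
    buckets = defaultdict(Counter)  # window index -> Counter(source ip)
    for ts, ip, _path, _status in events:
        buckets[int((ts - origin) / window)][ip] += 1
    totals = {idx: sum(c.values()) for idx, c in buckets.items()}
    baseline = sorted(totals.values())[len(totals) // 2]  # median
    noisy = sorted({ip for c in buckets.values()
                    for ip, n in c.items() if n > per_source_limit})
    spikes = sorted(idx for idx, total in totals.items()
                    if total > global_factor * baseline)
    return {"baseline": baseline, "noisy_sources": noisy, "spike_windows": spikes}


if __name__ == "__main__":
    print(detect_anomalies(build_sample_log()))
```

On the constructed log the baseline is 50 requests per window, the address 198.51.100.5 is reported as a noisy source, and windows 12 and 15 are reported as spikes; only the global check catches window 15, where 100 addresses each stay under the per-source limit.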
WHAT HAS CHANGED IN THE THREAT LANDSCAPE?

The majority of the cyber incidents that impacted Estonians and Estonian organizations still involve malware infections. Globally, last year’s most significant cyber incidents included the WannaCry and NotPetya ransomware campaigns, causing losses in the billions of euros. In Estonia, thanks to prevention and timely response, the losses were minimal. Although cyber incidents can be caused by human behaviour and technological problems or natural events such as storms, about four-fifths in Estonia – 2,500 last year – were caused by intentional activity, i.e. cyber attacks. Next to this figure, administration errors and service downtime due to technical malfunction caused less than 10% of all cyber incidents.

Infected devices can be used for various cyber attacks – denial of service attacks, data theft and spreading fake news [6]. Increasingly, computing resources of hijacked devices are used for mining cryptocurrency, and toward the end of the year, such incidents were on the rise in Estonia. Most cyber criminals are unselective, looking for vulnerable devices and careless or gullible users. Typically, outdated software is a contributing factor, allowing attackers to exploit a vulnerability. The victim can be the owner of the system or an unsuspecting user, such as a visitor to a website. Poor or non-existent security does not pose a risk solely to the owner; far from it.

THE AVALANCHE BOTNET

Close to one-third of the malware incidents recorded in Estonia last year were due to the Avalanche botnet. Avalanche was active for years, and was used to spread ransomware, and to commit identity theft, bank data theft and attacks on financial institutions. It was also rented out to other criminals for attack campaigns.* The total damage from Avalanche is estimated in the hundreds of millions of euros. The losses for German online banking alone are estimated at about 6 million euros [7]. No figure has been placed on the damage caused in Estonia. Although the users of Estonian bank services are believed to be generally better protected thanks to secure means of authentication – the ID card, mobile ID and Smart-ID – widespread risks remain through online retail and other services. An international police operation brought Avalanche to an end in December 2016 [8], yet the malware spread by the botnet does not disappear automatically from computers – devices will need to be disinfected to prevent the same infrastructure from being later hijacked and brought to life for new attacks. As this is a long process and many users are not aware that their devices are infected, we work with cyber security agencies of many countries on this issue, and this work is set to continue until at least the end of 2018 [9].

* https://www.us-cert.gov/ncas/alerts/TA16-336A

Sex offenders stalking victims online

Web constable Maarja Punak says that sex offenders are increasingly turning to the internet to look for their prey

Last year the police recorded 557 sex crimes, of which close to 300 – more than half – were committed online. It includes sexual harassment and child enticement in various environments. There were 130 cases of child enticement registered, 80 of them in internet environments.

Web constables are receiving more reports of situations where someone has been the victim of bullying or extortion. Young people feel less inhibited online and share personal information and revealing pictures. They do not perceive threats in the cyber world the way they do in real life.

“There’s a misconception that ‘anything goes’ because the interaction seems anonymous. Actually, you can never be sure whom you are sharing information with and what your partner’s intentions are. In the worst case, the personal information received is propagated further and a joke that might have seemed innocuous at one point can escalate into an actual offence,“ said Punak.

Meanwhile, sex offenders go on chat apps and social media to look for their victims and try to obtain pictures or videos of children. In this way, children have been baited into a real meeting or the criminal uses web camera footage to stoke their fantasies.

Recommendations from the web constable:
• Don’t disclose your personal data publicly, or share revealing pictures or videos with strangers or casual acquaintances
• Don’t accept friend invitations from users you don’t know
• Review your social media profile settings and make sure only your friends list can see what you post
• Always log out of your accounts after using a public computer or device
• Talk to a person you trust, like your parents, about any concerns
• If you have fallen victim to a crime, contact a web constable or the police
State-sponsored campaigns did not pick their targets

In the spring of 2017, two malware campaigns with disruptive effects were unleashed a month apart, both causing great damage: WannaCry and Petya/NotPetya. By the second week of May, hundreds of thousands of devices had been infected by the WannaCry ransomware, with victims in the medical, banking, telecoms and logistics sectors, as well as major industrial enterprises, across some 150 countries. The most prominent of these may be Spain’s largest telecommunications company, Telefonica, and Renault’s car factories in France, which were forced to stop work for several days [10]. One of the biggest victims was the UK’s National Health Service, with over a third of its regional institutions seriously affected by WannaCry. In total, WannaCry affected over 600 healthcare facilities in the United Kingdom; thousands of doctors’ appointments and operations were cancelled, and in five regions, patients were forced to seek emergency help elsewhere.

                    WannaCry          Petya/NotPetya
Global spread       150 countries     65 countries
Infected devices    400 000           20 000
Known damage        4 billion USD     1.2 billion USD
Assumed origin      North Korea       Russian Federation
Damage in Estonia   None              Saint-Gobain Estonia (Ehituse ABC construction supply stores); Kantar Emor market research agency

Petya/NotPetya appeared in late June and spread via Ukraine-based accounting software to all companies that used this software and installed the update that contained the malware. Appearing at first glance to be another kind of ransomware, it in fact had no ability to decrypt files, and deleted the data in encrypted systems. The attack is believed to have been meant for Ukraine’s institutions and major enterprises, which were the first to become infected.
Although its spread was more limited compared to WannaCry (70 percent of victims were in Ukraine), NotPetya’s economic impact was greater, as the attack was meant for business systems [11]. It took FedEx’s European subsidiary TNT Express over a month to restore its information systems to normal operations, and the company announced that some of the data lost was permanent [12]. Denmark’s Maersk shipping enterprise had to essentially reinstall the entire corporate information system in ten days to recover from the attack – all the software on 4,000 servers and 45,000 workstations. Both Maersk and FedEx estimate the damages at up to 300 million dollars [13]. Major victims also included the pharmaceutical company Merck, which was still experiencing significant problems in returning its drug development and production to full capacity two weeks after the event, with drug supplies to some markets also affected [14]. For the health and hygiene products giant Reckitt Benckiser, production and supply disruptions stemming from the incident lasted for over two months, and the company says they will significantly affect its annual results [15].

REACTION AND CONCLUSIONS

Both the WannaCry and NotPetya campaigns used tools leaked in April from the US National Security Agency to exploit vulnerabilities in Microsoft Windows operating systems [16]. Microsoft issued an update in March to protect its users, but unpatched systems remained vulnerable, and since infection did not require any actions from the users, WannaCry spread quickly. An emergency patch was also issued for the Windows XP operating system, which had been officially unsupported since 2014 [17]. Last fall, Microsoft issued a security update with defence mechanisms against attacks of this type, but it was meant for the Windows 10 operating system, and does not protect other widespread OS types like Windows 7 and Windows 8.1.

There was no impact from WannaCry in Estonia. There were attempts made against some twenty systems, but these were already using a security-patched operating system, so the ransomware did not start.
NotPetya caused damage to Saint-Gobain’s Estonian subsidiaries, among them Ehituse ABC, which had to close all of its stores in the country [18]. Consultancy Kantar Emor halted the work of its information systems as a precaution, as their parent company’s network had experienced infection [19].

Damage prevention was a result of both readiness and rapid response. The lack of impact from those destructive attacks was partly a result of our awareness campaign, running since 2013, urging people to phase out Windows XP. This campaign successfully resulted in the use of that operating system dropping to below 20 percent in Estonia. Throughout 2016, we had also been paying special attention to improving information security in our healthcare sector. For both the WannaCry and Petya/NotPetya campaigns, we immediately contacted the potentially endangered institutions to notify them of the danger and advised them on systems protection. We also notified the information security managers of state agencies and vital services providers, and issued public warnings and guidelines [20]. Although incidents can never be entirely ruled out, the readiness of both systems and people has a significant role to play in preventing or minimizing damage.

In the context of the EU Presidency then about to start, we initiated a Europe-wide rapid cooperative response for both WannaCry and NotPetya, involving partners from five member states and the European Network and Information Security Agency ENISA, coordinating and ensuring timely information exchange between the Member States.

WANNACRY AND NOTPETYA AS STATE-SPONSORED ATTACKS

Both of 2017’s major ransomware campaigns damaged businesses, state agencies and individual users indiscriminately, and endangered not only property, but the lives and health of people. Beyond businesses, even more damage was presumably suffered by regular users, and this is almost impossible to tally up. Both campaigns quickly and uncontrollably swelled to a global scale. Even right after the end of WannaCry’s mass spread, some sources pointed to the possibility that Lazarus, a group affiliated with North Korea, might be behind it [21]. In November, the UK government and Microsoft issued statements that laid the blame for the WannaCry ransomware wave on North Korea [22]. This was followed by an official statement from the US on 19 December, which referred to evidence produced in cooperation between US federal agencies and private enterprises (including Microsoft and cyber security companies) to attribute WannaCry to North Korea.
This assessment was based on the fact that the attack’s tools and methods, and the infrastructure used, were consistent with previous North Korean cyber operations [23]. The US statement was endorsed by the UK, Australia, New Zealand, and Japan.

Suspicions about NotPetya’s origins also came about fairly quickly after the start of its spread. Several sources considered the malware’s signature to be similar to a cyber attack undertaken against Ukraine’s power stations in December 2016 [24]. Ukraine’s security services say that the gathered facts point towards the attack coming from Russia, with the involvement of its special services [25]. The international expert community overwhelmingly believes that the attack’s true purpose was to create the maximum amount of damage, and that the ransom demands were only a cover [26]. This February, the governments of the United Kingdom, Denmark, US, Australia and New Zealand laid the blame for NotPetya on the Russian government and military. According to the US statement, this was the most destructive and costly cyber attack in history, causing billions in damages in Europe, Asia and North America [27]. The UK statement was also endorsed by the Estonian Ministry of Foreign Affairs, which condemned the cyber attack and called upon Russia to behave responsibly and in accordance with international rules of law in cyberspace [28].

Phishing, data leaks, and secure digital identity

Extensive data leaks have become so common around the world that barely a week passes without the international media reporting on one, and no one dares to predict that the situation will improve. 2017’s biggest data leaks include the US Republican National Committee and the credit rating bureau Equifax; the first of these exposed the personal data of some 200 million people (nearly all US voters), while the latter included the credit information of 150 million Americans [29]. In Europe, a similar data protection disaster befell the Swedish Department of Transport, where a foreign company was brought in to manage a database that contained information concerning national security, domestic security, and criminal prosecutions; that company then uploaded the information to a public cloud service. The incident led to a government crisis in Sweden, resulting in the replacement of the minister of the interior and the minister of infrastructure [30].

Although the causes of these incidents were different – in one case a human error in configuring the database, in another a hopelessly poor corporate data security policy, and in the third, wilfully ignoring security requirements – they all point to similar fundamental flaws both in the service architecture, and in incident readiness and resolution.
Estonian state agencies and service providers have not reported any serious data leaks over the past year. The transparent architecture of Estonia’s digital state, the use of secure authentication, and other methods for ensuring the integrity of important data make data leaks on this scale very difficult to pull off in Estonia; however, risk mitigation still requires continuous effort.

Estonian residents do actively use the services of large international vendors, sometimes creating accounts using workplace emails. At the end of last year, a database of 1.4 billion user identities and passwords in plaintext was published on the dark web; this included 198,000 email addresses on .ee domains, used to create
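The plaintext credential dump described above, with workplace addresses among the leaked identities, as an added example of how an organisation can triage such a leak; this is not RIA’s tooling. The dump lines, the organisation domain example.ee, the account directory and the PBKDF2 parameters are all constructed for the example. The point it shows beyond the text is that an exposed address alone is not the actionable finding: checking each leaked password against the account’s stored hash separates accounts whose current password is in the dump (reset immediately) from accounts where only an old password leaked, without ever storing or printing the plaintext.

```python
"""Triage of a leaked credential dump against an organisation's own accounts.

Added example; not RIA's code. The dump, the org domain (example.ee), the
directory and the PBKDF2 parameters are constructed. Leaked passwords are
compared against stored salted PBKDF2 hashes with a constant-time compare,
so the script learns only "current password exposed" or "old password
exposed" and never keeps plaintext around.
"""
import hashlib
import hmac
import os
from collections import Counter

ROUNDS = 100_000  # PBKDF2 iteration count (assumption for the example)

# Constructed dump: no real credentials. Mixed ':' and ';' delimiters and a
# malformed line mimic the untidy format such dumps usually have.
LEAKED_DUMP = """\
Alice.Kask@Example.ee:Winter2017!
bob@example.ee;bob123
carol@example.com:hunter2
dave@mail.example.ee:Qwerty!1
this line has no delimiter at all
alice.kask@example.ee:Winter2016!
"""


def parse_dump(text):
    """Return (normalised email, leaked password) pairs; skip unparsable lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for sep in (":", ";"):
            if sep in line:
                email, password = line.split(sep, 1)
                pairs.append((email.strip().lower(), password))
                break
    return pairs


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def password_matches(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def build_directory():
    """Constructed workplace directory: email -> (salt, PBKDF2 digest)."""
    current = {
        "alice.kask@example.ee": "Winter2017!",  # still uses the leaked password
        "bob@example.ee": "Tallinn#2018",        # changed since the leak
        "erin@example.ee": "Rotermann-12",       # not in the dump at all
    }
    return {email: hash_password(pw) for email, pw in current.items()}


def triage(dump_text, directory, org_domain="example.ee"):
    pairs = parse_dump(dump_text)
    by_domain = Counter(email.rsplit("@", 1)[1] for email, _ in pairs if "@" in email)
    org_accounts = {email for email, _ in pairs if email.endswith("@" + org_domain)}
    findings = {}
    for email, leaked_pw in pairs:
        if email not in directory:
            continue
        salt, digest = directory[email]
        status = ("reset_now" if password_matches(leaked_pw, salt, digest)
                  else "exposed_old_password")
        # A later line for the same account must never downgrade "reset_now".
        if findings.get(email) != "reset_now":
            findings[email] = status
    return {
        "lines_per_domain": dict(by_domain),
        "org_accounts_in_dump": sorted(org_accounts),
        "findings": findings,
    }


if __name__ == "__main__":
    for email, status in sorted(triage(LEAKED_DUMP, build_directory())["findings"].items()):
        print(f"{email}: {status}")
```

On the constructed input, alice.kask@example.ee is reported as reset_now (her current password appears in the dump; the second, older entry does not downgrade that), bob@example.ee as exposed_old_password, and dave@mail.example.ee only contributes to the per-domain counts because the subdomain is not the organisation’s.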