Subscriber Only

What Ireland can learn from Estonia in fixing cyber vulnerabilities

Europe Letter: Robust digital security in the modern state is basic civil defence

At the height of the British government’s sluggish and confused initial reaction to the Covid-19 pandemic, prime minister Boris Johnson’s team were unable to consult digital data, access the internet or use laptops in its emergency council Cobra meetings in a secure room near Downing Street.

The reason was a ban on electronic devices due to concerns about leaks and interception by Russia or China, according to the sacked senior adviser Dominic Cummings, who described the set-up as hampering the government's ability to respond to the crisis in evidence to a parliament committee this week.

He recalled sketching a graph on a whiteboard to demonstrate exponential growth in the number of people in intensive care to Johnson, using his mobile phone to make crude calculations to predict the course of the pandemic.

“We had no testing data, we only had hospital admissions,” to track the course of the virus, – something that gave a picture that was “weeks and weeks out of date”, Cummings told a Westminster inquiry on Wednesday.

It was a stark illustration of how crucial strong digital capabilities and cyber defences are to functioning and security of modern-day states, and how the pandemic has revealed that the richest countries including Ireland are falling woefully short.

The level of interference, whether through spies as we saw recently, or online manipulation, has really become alarming

The calamitous hack of the Health Service Executive (HSE), which has paralysed many aspects of the healthcare system at a drastic moment, is an illustration of the country’s vulnerability when it comes to data.

It is far from unique: just this week Belgium revealed its interior ministry was hacked in an attack suspected to be from China. Hardly a week goes by without some incident of the sort in an EU country. Various state bodies have been also hacked in Spain, France and the Netherlands this spring, to name just a few.

Interception and leaks

The creation of mass datasets is inevitable for a modern state or large organisation. Inadequacies and neglect in the construction, maintenance and security of these systems is a profound civil defence weakness, and neglect is a choice.

This was acknowledged by Italian prime minister Mario Draghi after he emerged from a meeting of the 27 EU national leaders in which electronic devices were removed from the room while they discussed Belarus and Russia, to avoid interception and leaks.

“We need to strengthen ourselves, we need to strengthen ourselves above all in security and cyber security,” Draghi told journalists when asked about how to respond to Russia. “The level of interference, whether through spies as we saw recently, or online manipulation, has really become alarming.”

The problem of who is listening in was a constant concern that hampered discussions between the EU member states when they were held virtually because the health situation prevented physical meetings. EU diplomats assume that anything they say over video calls on sensitive issues such as Ukraine or Hong Kong is listened to in Moscow and Beijing.

Estonia chose to become digital-first, building a system that would allow citizens to do everything from voting to filing taxes to filling prescriptions remotely

Frustratingly, the vulnerabilities have been apparent for well over a decade. What's considered the world's first cyber warfare attack on a state happened to EU member Estonia in 2007, when banks, government ministries, media organisations, telecoms companies, and the Estonian parliament were swamped with waves of hacks during a period of unrest among the country's Russian minority.

Privacy and security

The tiny country of 1.3 million responded by incorporating cyber security into its civil defence, developing robust and digital-first state institutions that are built to be secure, and creating automatic privacy and security by using encryption and distributed blockchain software for citizens’ data, as well as forming its own team of state hackers.

Rather than retreating from the digital realm, Estonia chose to become digital-first, building a system that would allow citizens to do everything from voting to filing taxes to filling prescriptions remotely.

Its position was that it didn’t have a choice: digital was here to stay, and leaning in to invest in purpose-built secure systems was essential for national security reasons.

Estonia also sees other benefits. Efficiency is one. Another is resilience. When I visited the capital, Tallinn, in 2017, an official explained that if ever Estonia’s territory was physically overrun by a larger state, as has happened throughout its history, a digital state would mean it could continue to function and serve citizens as its embassies abroad have “back-up copies”.

There are obvious lessons for Ireland as a fellow small state where such a transition should, in theory, be relatively feasible to roll out.

It’s anachronistic for Ireland to be home to the world’s largest tech companies and yet be naively backward when it comes to digitalisation, particularly in healthcare, to an extent that is unusual among comparatively rich western countries.