
Estonian Information System Authority: Annual Cyber Security Assessment 2018


Contents

Introduction: the state of affairs in Estonia and international cyberspace

Key events in 2017
  2017 in figures
  How did the past year stand out?
    Mitigating the security vulnerability on the Estonian ID card
    The Estonian Presidency of the Council of the EU
    Municipal council elections

What has changed in the threat landscape?
  State-sponsored campaigns did not pick their targets
  Phishing, data leaks, and secure digital identity
  New password guidelines

Sources, actors and motives
  State-sponsored cyber attacks against vital services
  Cyber-enabled attacks against democratic processes
  Attribution and responses to cyber attacks

Technological risks
  What is "strong cryptography" and why is it important?

Sectoral cyber risks and preparedness
  Central government
  Local governments
  Essential services
  Cyber risks in the healthcare sector
  The Cyber Security Act
  Preventing cyber-induced emergency

Summary: conclusions and assessments for 2018


Introduction: the state of affairs in Estonia and international cyberspace

Dear reader,

2017 was an unusually eventful year in global cyberspace. Malware campaigns caused havoc around the globe, large data leaks took place, and vulnerabilities were found in technologies thought to be secure, providing fodder for public discussion throughout the year. General awareness of cyber threats grew, as did the realization of the limitations of previous accomplishments. Societies and countries are developing a more mature understanding of the need for substantial efforts to ensure cyber security, going beyond merely the awareness that there is a problem.

For Estonian cyber security, 2017 can be considered a good year. We succeeded in fending off several major challenges, which gave us confidence that we have chosen the right way to protect ourselves in cyberspace, and this instilled courage and necessary lessons for moving forward. The most important achievement in this field was undoubtedly the effort to resolve a vulnerability on the Estonian ID card chip. Our response to this ID card crisis, which had a global impact, showed that the image of a successful digital society isn't just hype but is exemplified by an agile approach and a highly functioning community – companies, research institutions and state – who are able to work together. In this sense, the rescue effort was a useful crisis in that it was a practical experience and we passed the test – we were able to protect our digital state and society. Use of the ID card and services continued as before the crisis; public confidence in e-services was not shaken. All of our society now has a better understanding of the nature of cyber threats and of their potential impact on our way of life. At the same time, we gained real-life experience of the fact that we all have a role to play in cyber security: ordinary users, service providers and IT infrastructure operators. All of this means the lessons learnt from the ID card patch effort can be applied for the general protection of our digital way of life.

The security vulnerability discovered on the ID card is not the only one of its kind. Last year saw a number of cases, all equally significant, where a flaw was discovered in an established technology. The vulnerability in the WPA2 WiFi protocol discovered last autumn and the flaws affecting the processors of nearly all computers in use today are just a few examples of this phenomenon. Researchers, governments and criminals are all searching for vulnerabilities in commonly used solutions, and it is a fairly safe bet that, proverbially speaking, what is today a secure solution will have to be patched tomorrow.

The WannaCry and NotPetya malware campaigns, which had relatively little direct impact on Estonia, received massive international coverage and underscored one of the most important positive trends last year – the readiness on the part of the international community to attribute cyber-attacks to their perpetrators. The goal of the cyber-attacks orchestrated by North Korea and Russia was not to generate criminal income but to support the political goals of their respective countries. A few years ago, such governmental cyber-attacks went unpunished, but since WannaCry and NotPetya, the first major steps have been taken to hold criminals liable and deter them from any subsequent attacks. In this context, the Cyber Diplomacy Toolbox approved during the Estonian Presidency of the Council of the EU deserves mention as it provides a means to respond to cyber-attacks by state actors. Also coinciding with the Estonian Presidency, a key upgrade to the European cyber security environment was introduced, receiving a boost from Estonia's characteristically goal-oriented approach.

Besides all of the above, we also made energetic progress in advancing Estonia's own cyber security. The most important achievement in this field is perhaps the draft Cyber Security Act, which is currently being deliberated by Parliament.

A large part of our everyday lives depends on digital technology. We shouldn't forget that we all help to create cyber security, whether as ordinary users, in administrative or leadership roles, in the political arena or in some other capacity. In addition to providing a readable overview of what is taking place in the cyber sphere, the assessment you are reading looks at how each one of us can make a contribution to Estonia being better protected in cyberspace.

Taimar Peterkop

Director General, Estonian Information System Authority


KEY EVENTS IN 2017

2017 in figures

Even though RIA, for the first time, crossed the threshold of 10,000 cyber security cases in Estonia last year, only 122 incidents had a direct impact on a service vital to the functioning of the state and society, and this was the lowest figure in the last three years.

The number of cyber security cases registered in Estonia exceeded 10,000 last year. In 2017, the Estonian Information System Authority (RIA) dealt with a total of 10,923 cyber security cases in Estonian computer and data networks. Of these, 3,162 were considered incidents, which had a direct impact on the confidentiality, integrity or availability of information or systems.

The reasons for these events were very different – from equipment failures to human error to malicious activities. As in previous years, the most frequent occurrences involved various web domains and emails that spread malware. Far from all of the incidents could be considered cyber-attacks, and many of the attempted attacks are halted and cause no damage.

From the point of view of Estonian cyber security, services that have a critical impact on the usual functioning of society and people's sense of security are considered the most important. Last year we had only 122 incidents with a high priority – that had a direct impact on a service vital to the functioning of the state and society – the lowest figure in the last three years. Among services affected were, for instance, use of electronic identification and digital signing in mobile operators' networks, and healthcare and banking services. More details are provided below.

2017 IN NUMBERS
• 10,923 cases handled
• 3,162 cyber incidents
• 122 high priority incidents


WHAT IS A CYBER INCIDENT?

A cyber security incident is an event that had a direct impact on the confidentiality, integrity or availability of information or systems. One or more of the three parameters may be impacted, and the reason can be human behaviour or a disruption caused by the natural or man-made environment.

Confidentiality refers to how well the data or system is protected against unauthorized access by third parties. Examples of confidentiality incidents are a data leak affecting credit card data or health data, confidential documents or social media account passwords.

Integrity refers to how well data are protected against unauthorized changes or destruction. An integrity incident includes a change made to a prescription in a database or to payment data in a digital invoice sent to a customer.

Availability measures whether a system or data are up and running and functioning as expected. An example of an availability incident is when access is cut off to a website, or a digital service goes down due to a distributed denial of service attack.

Incidents handled by category (2017)
• Malware (61%)
• Compromise (11%)
• Ransomware (8%)
• Service interruption (6%)
• Phishing (6%)
• Defacement (4%)
• Administration error (3%)
• DDoS (1%)
• Financial fraud (0%)
• Scanning and brute force attacks (0%)
• Data leak (0%)
• Equipment theft (0%)

Cases handled in 2017 (compared to 2016), by quarter; totals are the sums of the quarterly figures

Quarter   Cases 2017   Cases 2016   Incidents 2017   Incidents 2016
Q1        3,147        2,208        943              517
Q2        2,463        2,361        675              618
Q3        2,350        1,987        726              515
Q4        2,963        2,609        818              598
Total     10,923       9,165        3,162            2,248


Our insight into the cyber domain is constantly improving…

The number of cyber incidents registered in Estonia has been on the rise in recent years. There were several reasons for this. One is the greater importance of the digital environment to society: a wider selection of digital services, more customers and more intensive use of services all mean that organizations are more dependent on the digital environment for organizing everyday activity. The impact of cyber incidents for the organization itself and society as a whole is thus more and more important. At the same time, it means greater potential gains for the attacker – and indeed, compared to last year, the number of deliberate attacks has increased.

Over the years, our ability to detect incidents has improved – the result of better tools, a more systematic approach to monitoring and more effective cooperation with partners. We are now often able to repel attacks before they reach Estonia and send out public advisories along with instructions on which measures to implement. For years, we have made efforts to make Estonian cyberspace a hostile environment for malicious actors – for example, we have worked with our partners and Estonian service providers to quickly detect and take down phishing websites. As a result, the number of successful phishing incidents in Estonia has decreased significantly.

… yet public awareness and skills are still uneven

The cyber security skills of organizations are also improving – the view that an organization should have an overview of what is going on in their information systems and readiness to prevent the risks and react quickly to them is gradually spreading upward beyond the IT specialist's desktop. Incidents that used to be dealt with – or not – by the information system administrators themselves are now noticed at other levels, and the information about them reaches us more often. This benefits the information system operators and the state as a whole: we have more operational and integral information about the widespread dangers or attack campaigns, which allows us to give early warning to those in the line of fire, and we can also offer expert support and consultation when it comes to correcting information. The improved risk awareness and early detection of attacks helps to reduce risks to service continuity and damage arising from potential attacks.

In spite of the improved awareness, it is clear that the level of readiness is very inconsistent from one sector to the next and many incidents still go unnoticed – and they also pose a risk to the other service users, not only the system owners. We detected close to half of the cyber incidents registered last year as a result of our own monitoring. The remainder were mainly reported to us by cyber security institutions of foreign countries, Estonian vital service providers and state IT centres. For instance, thanks to consistent efforts of the Ministry of the Interior's IT and development centre (SMIT) and good cooperation between SMIT and RIA, the state has an operational overview of events in the internal security field and response capability; although the systems are critical, only few incidents have a more serious impact. We still have our work cut out for us in the healthcare sector and among small businesses, where a cyber-attack is usually detected only after major damage has already occurred.

WHAT DOES INCIDENT MONITORING MEAN?

RIA's incident response department, the Computer Emergency Response Team of Estonia (CERT-EE), monitors network traffic in .ee networks to detect signs of malicious activities. Information about threats, critical vulnerabilities and extensive malware campaigns is received from cooperation partners in Estonia and abroad and from public sources.

The number of cyber incidents is growing worldwide and Estonia is no exception in this regard. The following indicators characterize the previous year internationally:
• The number of ransomware incidents worldwide grew by 36 per cent and the number of emails that spread malware grew by one-third.
• The number of distributed denial of service attacks is on the rise – in 2017, over 7.5 million DDoS attacks occurred, and the average peak bandwidth of the attacks has nearly doubled over a few years.
• The spread of malware meant for mobile apps is still growing – the number of malware apps has more than doubled over the year and the number of infections disclosed is in the range of several million. The number of smart household devices – continually increasing – also represents a risk.
• Leaks of user information (usernames and passwords) are massive – the 1.1 billion cases recorded in 2016 was twice the number from a year earlier. A database containing the information of 1.4 billion users was leaked on the dark web in late 2017, adding a solid increase to these figures.
• Statistically, it takes the average company 168 days to discover that their information system has been compromised. This time is cut to less than 10% when the company itself monitors its networks.[1]


How did the past year stand out?

RIA prepared extensively for 2017 – Estonia held the EU Presidency in the second half of the year; local elections took place, with the experience of our allies indicating a need for increased vigilance. The resolution of the security vulnerability in the ID card, found in the autumn, became a test of our maturity as a digital society. These events confirmed our conviction that although cyber incidents cannot be fully prevented, good planning and preparedness can prevent them from having a significantly disruptive, crippling impact.

Mitigating the security vulnerability on the Estonian ID card

State-issued digital identity – the Estonian ID card and its derivatives mobile ID and digital ID – are among the pillars of Estonia's digital ecosystem. The functioning of Estonian digital society is predicated on the digital signature having equal status to handwritten signatures and on the possibility of electronically authenticating oneself. Thus, every risk connected to digital identity is under heightened scrutiny.

On the evening of 30 August, a researcher with the Centre for Research on Cryptography and Security at Masaryk University[2] alerted us to a security vulnerability on the chips used on the Estonian ID card. According to the analysis by the research group, the vulnerability, internationally known as ROCA (Return of Coppersmith's Attack), affects RSA cryptographic key pair generation in chips produced by one of the leading manufacturers, Infineon. Over a billion chips used in various products and services were impacted globally, among them chips used on Estonian ID cards issued from autumn 2014, as well as on digital IDs, diplomatic IDs and e-resident cards.

Theoretically, the security vulnerability could have allowed the private key (which is used for authentication and signing) to be mathematically calculated from the public key – in theory, making it possible to clone the victim's cryptographic keys and use them for authentication, sign documents instead of that person, or decrypt documents meant for that person, even without being in physical possession of the card.

Exploiting the vulnerability would not have been easy or inexpensive, and there are no known cases of successful exploitation of the ID card or similar chips. Besides a person's public key, it would also require significant cryptographic expertise, specific software and significant computing power, estimated to cost up to USD 80,000, going by prices provided by Amazon cloud computing services (AWS). At the same time, it was evident that, if the certificates remained valid, the risk of exploitation would increase significantly as soon as the methodology used by the research group became public. After initial evaluation of the notification, it was clear to us that the problem needed an urgent fix.
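What makes the flaw detectable from the public key alone, as an added example that is neither RIA's code nor the Masaryk University group's tool: the flawed library builds each RSA prime as p = k·M + (65537^a mod M), where M is the product of the first few dozen small primes, so a modulus N = p·q reduced modulo any of those small primes always lands in the subgroup generated by 65537. Checking that for the 38 odd primes up to 167 (common to the M used for every key size, from 512 to 4096 bits) is the public fingerprint test from the ROCA paper, and it is what a relying party could have run over the certificates in the ID card directory. The block goes beyond the Estonian case in that it works for any RSA modulus; the sample keys are constructed in the block at a toy 512-bit size, and the seed, the prime list and all function names are assumptions of this example.

```python
"""ROCA public-key fingerprint check (added example; not RIA's or the researchers' code).

Emulates the key structure of the flawed Infineon library and runs the
public fingerprint test from Nemec et al., "The Return of Coppersmith's
Attack" (CCS 2017).  Sample keys are constructed here at toy 512-bit size.
"""
import random

# The 38 odd primes up to 167.  The flawed generator builds primes as
# p = k*M + (65537**a mod M) with M the product of the first n primes;
# every M it uses (512- to 4096-bit keys) is divisible by all of these.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(s):
    """All residues 65537**a mod s: the subgroup of (Z/sZ)* generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % s
    return seen


# Precomputed per-prime residue sets: the fingerprint of the paper.
FINGERPRINT = {s: subgroup(s) for s in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True when N mod s is a power of 65537 for every small prime s.

    A modulus p*q with both primes of the flawed form passes all 38 checks;
    for an ordinary RSA modulus a false positive is negligible (the paper
    gives about 2**-154 for 512-bit keys).
    """
    return all(n % s in FINGERPRINT[s] for s in SMALL_PRIMES)


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin after trial division; rng is a random.Random instance."""
    if n < 2:
        return False
    for s in [2] + SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


M_512 = 2
for _s in SMALL_PRIMES:
    M_512 *= _s  # 2*3*5*...*167: the M the flawed library uses for 512-bit keys


def roca_prime(bits, rng):
    """Emulates the flawed generator: k*M + 65537**a mod M, retried until prime."""
    k_lo, k_hi = (1 << (bits - 1)) // M_512 + 1, (1 << bits) // M_512
    while True:
        k = rng.randrange(k_lo, k_hi)
        a = rng.randrange(1, M_512)
        p = k * M_512 + pow(GENERATOR, a, M_512)
        if p.bit_length() == bits and is_probable_prime(p, rng):
            return p


def random_prime(bits, rng):
    """An ordinary prime of the given size, for comparison."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def sample_moduli(seed=2017):
    """Constructed sample keys: one ROCA-structured modulus and one ordinary one."""
    rng = random.Random(seed)  # fixed seed so the sample is reproducible
    weak = roca_prime(256, rng) * roca_prime(256, rng)
    sound = random_prime(256, rng) * random_prime(256, rng)
    return weak, sound


if __name__ == "__main__":
    for label, n in zip(("ROCA-structured", "ordinary"), sample_moduli()):
        verdict = "matches" if has_roca_fingerprint(n) else "absent"
        print(f"{label} 512-bit modulus: fingerprint {verdict}")
```

The test needs nothing but the modulus, which is why suspending the certificates mattered: once the method was public, anyone could sort a directory of public keys into vulnerable and sound ones in seconds, and the expensive part (the factorization itself) could then be aimed at a chosen target.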

Due to the large number of the digital certificates affected and their broad use in both state and private sector services, revoking the cards would have meant extensive impacts on the availability of and access to digital services – such a step would have disrupted the use of digital healthcare, the Tax and Customs Board digital services, the government document exchange platform, as well as financial transactions. Disruption would have also been posed to the working processes in and between government agencies. The security flaw did not affect mobile ID, but mobile ID was used by only slightly more than 100,000 people at that time, and a number of digital services did not support it.

THE ESTONIAN ID CARD: A UNIQUE PLATFORM
• 1,295,844 valid ID cards as of 2018, of which 26,199 e-residency cards in a total of 142 countries
• First document signed by ID card – 7 October 2002
• 481 million digital signatures and 658 million authentications – a total of over a billion transactions in 15 years
• 747,580 ID cards that are used digitally at least once a year; about 42,000 people use their ID card digitally at least 100 times in a three-month period
• Since 2016, RIA is responsible for the digital elements on the ID card. As an identity document, the card remains in the jurisdiction of the Police and Border Guard Board. The certificates for the ID card are issued by SK ID Solutions AS
• The 2017 new Emergency Act specifies authentication by ID card and digital signing as a vital service
• The cryptographic weakness notified in late summer of 2017, which made the ID card theoretically vulnerable, affected close to 800,000 cards issued between 16 October 2014 and 24 October 2017
• The (remote) updating of the ID card – the replacement of the certificates with new ones – became possible on 25 October 2017
• The flawed certificates were suspended on 3 November 2017
• The renewal of the suspended certificates was possible up to 31 March 2018. During that time, 494,000 ID cards were updated – 94% of the cards in digital use – of which 354,000 were updated remotely
• As of the end of 2017, 160,000 people were using mobile ID and 140,000 were using Smart-ID

WHAT ELSE DOES THE ROCA SECURITY FLAW AFFECT?

Estonia's 800,000 ID cards with the security vulnerability in question make up a negligible share of ROCA's global impact. It is estimated that there are at least 1 billion problem chips in use around the world as firmware or software components and on plastic cards. The Infineon chips that led to the vulnerability in the Estonian ID cards are used in driving licences, passports, access passes and other applications.[3]

The documents of at least 10 countries were affected. Chips with the same flaw are known to be used in documents used for identification in Slovakia, Austria, Poland, Bulgaria, Kosovo, Italy, Taiwan, Spain, Brazil and Malaysia. In Spain, the vulnerability affected 17 million cards. However, none of these countries have a universal digital ID, and therefore they depend less on the cards than does Estonia and have fewer corresponding services.

Trusted platform modules. TPMs are the basis for modern computers' security architecture. The vulnerability is known to affect at least Lenovo, HP, Toshiba and Fujitsu computers. TPMs are primarily used in enterprise client computers, so home users are generally not impacted. For example, in Microsoft Windows, a TPM protects BitLocker disk encryption and other security mechanisms in the operating system. Microsoft has issued a temporary patch through Windows Update that essentially replaces the TPM with a software solution. Other manufacturers have released similar patches.

Security tokens used for virtual private network (VPN) access, email security and other critical security operations. Of these, at least Gemalto and Yubico products were affected, with Yubico replacing the defective products at its own expense.

It is possible that some payment cards with chips are also vulnerable.

Photo caption: Open risk management on the governmental level: press conference with the prime minister and key officials explaining the vulnerability affecting the Estonian ID card. Photo: Taavi Sepp / Ekspress Meedia


The solution to the situation had to restore the high security of the ID card without damaging the availability of services. In essence, we found ourselves in a race against time in early September, looking for a new secure solution with the Police and Border Guard Board and other partners, and preparing to implement it while knowing full well that sooner or later, the certificates at risk would have to be suspended.

The crisis resolution team made the decision early on to be transparent in its public communication and let the public know about the facts we knew. This step short-circuited speculations and alternative interpretations and ensured that the working group could focus on finding a solution to the problem itself. Ultimately, it meant that the new solution – based on elliptic curve cryptography (ECC) instead of an RSA library – was available before we needed to suspend the affected certificates. Moreover, user confidence was preserved and electronic services remained available. For example, a record number of internet voters cast votes in the 2017 local elections, and the number of transactions performed using ID cards remained at a normal level in the days and weeks that followed. At the same time, use of mobile ID increased significantly.

Besides the broad use of the ID card in society, Estonia is unique in that it offered the possibility of updating certificates remotely – people were able to update their ID card software from any computer connected to the internet and equipped with an ID card reader – as well as the possibility of suspending the affected certificates. As experience showed, other countries facing a similar situation did not have these two possibilities and had to find a way to issue new ID cards or update the existing ones at service outlets. Once the certificates had been revoked, it wasn't possible to renew them.

TIMELINE OF EVENTS

30 August, 19:35 – A member of an international cryptography research group sends CERT-EE an official notice regarding a security vulnerability associated with Infineon chips that affects Estonian ID cards. The risk lies in a vulnerability of a cryptographic library used in RSA key pair generation.

31 August – RIA's preliminary assessment confirms the possibility of a security vulnerability. The Police and Border Guard Board (PPA) and the Ministry of Economic Affairs and Communications are notified.

1 September – The minister of economic affairs and communications is briefed on the matter. RIA involves external technical experts (Cybernetica, Nortal) and partners from the government and private sector. The heads of institutions convene for a meeting – a strategic staff is formed.

3 September – The prime minister and other ministers involved hold a meeting. RIA and PPA working groups run through scenarios and assess potential outcomes. Experts determine the primary impacts on services and make recommendations.

4 September – The Government of the Republic holds an extraordinary session. PPA forms a staff that deals with media monitoring, analysis and inquiries from the media; RIA and other government agencies join the staff. Private and public sector stakeholders like banks and telecoms are notified. Public access to the certificate database (LDAP) is closed.

5 September – The prime minister, the IT minister, and the directors general of RIA and PPA hold a joint press conference. The public and international partners are notified of the vulnerability. An information gateway is opened at www.id.ee and kept updated, in cooperation between RIA, PPA and SK ID Solutions.

September – Working groups focusing on technical solutions, crisis management, legal aspects and communications meet regularly. As needed, other institutions and other external experts are called on.

5–11 October – Municipal elections are held. The elections see a record participation among internet voters. Those voting over the internet make up 31.7 per cent of all participants – slightly higher than in past elections.

16 October – The global impact of the vulnerability becomes apparent: Microsoft, Google (Chrome OS), Yubico, Gemalto and a number of larger computer manufacturers (Lenovo, Fujitsu) release security reports.

25 October – The issuing of new ID cards that rely on elliptic curve cryptography (ECC) begins. The testing period for the online updating of Estonian ID cards begins. Over six days of testing, close to 20,000 ID cards affected by the vulnerability are updated. Everything is functional and the updates are successful.

30 October – The research paper[4] on the vulnerability in the RSA key generation library is published.

31 October – Cardholders are called on to update their cards. Demand for the service is high, resulting in extensive downtime. Systems stabilise by 2 November. Slovakia revokes 60,000 certificates with the ROCA vulnerability, and the cardholders have to apply for new cards.

1 November – Spain revokes its vulnerable cards, a total of 17 million of them.

2 November – The research is presented in full at an academic conference in the US.

3 November – Certificates on a total of 740,000 vulnerable Estonian ID cards are blocked, but the cards can be updated online to make them digitally usable again. In addition, PPA opens additional service outlets that will remain open until the year's end to provide the update service.

5 November – Service usage statistics show that the suspension of the affected certificates did not result in a drop in the digital use of ID cards. Surprisingly, e-resident activity has even increased.

End of 2017 – A total of 400,000 ID cards have been updated. The number of mobile ID and Smart-ID users and their level of activity have increased.

February 2018 – At the behest of RIA, a Tallinn University of Technology research group starts assessing the lessons learnt for the state and agencies.

5 February 2018 – RIA's eID domain manager Margus Arm and PPA's Kaija Kirch, head of identity management at PPA, receive state decorations.

1 April 2018 – Certificates that have not been updated are revoked and can no longer be used electronically.

LESSONS LEARNED FROM THE ID CARD CASE

The ID card security vulnerability illustrates how much societies depend on fundamental digital infrastructure – in Estonia's case, the state, entrepreneurs and users were all impacted. Our crisis management efforts underscored the need to review specific processes – among them administration of the ID card, risk assessment and mitigation as well as inter-agency cooperation. Beyond that, there is a clear need to view the country's digital architecture and digital governance as a whole. The prospect of further technological risks arising in future will have to be factored in, and although we do keep an attentive eye on technological developments, unexpected eventualities cannot be ruled out. They will require a rapid response.

Soasnot to letagoodcrisisgotowaste,wemakeapoint toseriouslyevaluatethelessonslearntfromtheIDcardcase.• Dependence and alternative solutions.TheIDcardismeans

ofauthenticationandsecuresigning forclose to5,000diffe-rentpublicandprivatesectorservices.Clearly,inmostofthesecases,theoptionofface-to-faceauthenticationandhandwrit-tensignaturesisnolongeranacceptablealternativeforsocietyandthusalternativestotheIDcardare,aboveall,otherdigital,notphysicalsolutions–mobileID,SmartIDandnewsolutionsbeingdeveloped.Theirpenetrationandreadinesstousetheminservicesmustincrease.WewerealsosavedbythefactthatourIDcardalreadyhadseveralencryptionlibraries;thisallowednewsecurekeypairstobegeneratedonthechip.

• The need for flexible, open architectureposesachallengeforthe state’s habitual operating patterns – developing solutionsin-houseorprocuring innovation from themarket. Fewgovern-mentspossesstheentirenecessaryskillsets;mostofthecom-petenceliesintheprivatesector.Withgloballyusedtechnologies,governmentscannotfullysolveproblemsinherentintechnologiestheyaremerelyacustomerof.Major internationalcorporations– representing the greatest capacity in providing solutions andservices–operatefromtheirownassessmentofbusinessrisk,

Page 15: Estonian Information System Authority Annual Cyber ...2017 was an unusually eventful year in global cyberspace. Malware campaigns caused havoc around the globe, large data leaks took

15Estonian Information System Authority: Annual Cyber Security Assessment 2018

andinthecaseofsuchalarge-scalesecurityvulnerability,astateisjustonecustomeramongmany.Inourcase,theonlineupdateservicegaveusflexibility,whichallowedthecertificatestobesus-pendedpendinga laterupdate.Thisputus inabetterpositioncomparedtoothercountrieswiththesameproblem.

• Responding to risk. Estonia and Europe have procedures inplaceforrespondingto incidentswherethe impact isalreadyevident. In thecaseof a theoretical riskwhere it is hoped tofindasolutionbeforetheimpactisrealized,thereisnoreasontoapplysuchmeasures,andindeedtheywouldnotbeapprop-riateinsuchacase.Thus,wehavetodevelopsimilarroutinesforthreatsandriskswheretheimpactsarestillunrealized.

• Openness. Risks arising from vulnerabilities in fundamental digital infrastructure cannot be managed without the involvement of the stakeholders – including the public and the media – as these risks affect the entire digital ecosystem. That means that, in order to reduce the societal and economic impacts of technology risks, risk management must not only be capable of resolving a complicated technological problem but also be preventive, open and capable of translating the solution into layman’s terms for all of society, in order to respond to the public’s needs.

• Broad-based cooperation between a great range of stakeholders with different roles, expectations and levels of readiness is a sine qua non. A lean government sector should be able to draw on a strong private sector in times of crisis. Hiring additional people in the public sector is not a solution, which is why strengthening our tech industry – above all by means of supporting education and research, to guarantee the existence of knowledge and experts – satisfies the important requirement that they can be called on by the state in times of need.

• A digitally literate society. In today’s digitally dependent society, technological literacy at the individual level (as opposed to offhandedly referring technological issues to an IT department) is now an essential skill. We need more people with multidisciplinary skill sets – those who are simultaneously proficient in both tech and non-tech fields such as economics, public administration or the law.

To draw conclusions and lessons learnt from the ID card case, we have also commissioned an independent study from the Tallinn University of Technology, whose research group will assess the case from the perspective of public administration, technology management and data security and set out its recommendations in spring 2018.

A piece of fake news claiming that Estonian PM Jüri Ratas had expressed support for Catalonian independence found its way on to social media right before the EU Digital Summit in Tallinn.


Prime minister Ratas opening the Estonian Presidency cybersecurity conference on 14.09.2017. Photo: Karolin Köster


The Estonian Presidency of the Council of the EU

For Estonian civil servants, the greatest challenge in the past year was naturally the Presidency of the Council of the EU, one of the main topics for which was the European Union’s cyber security. For member states who had held the previous EU presidencies, the number of cyber attacks against strategic state and public services and targets increased during this period. Besides that, the Estonian Presidency focused on digital topics, due to which any successful attack against us would have certainly had a broader impact than just our own country and population.

Ensuring cyber security during the Presidency required technical preparations, training of officials, developing readiness for threats, and constantly ensuring situational awareness, running through all scenarios at an exercise held in June together with our partner institutions. Fortunately, we were prepared for all developments and the majority of cyber incidents related to the Presidency were of a technical nature (power outages) and human error – discovered and resolved quickly with minimum impact.

Besides developments on the home front, Brussels had high expectations that Estonia would advance EU cyber security as a whole. The most important fundamental outcome of the Presidency was the fact that after the Estonian Presidency, there are no longer any bureaucratic obstacles for implementing any of the EU’s common foreign and security policy (CFSP) measures (including restrictive measures) in response to cyber attacks. Led by Estonia, an agreement was reached by member states in Brussels on the relevant procedures. Now, any foreign government planning, supporting or enabling cyber attacks will have to keep in mind that the world’s most important economic bloc is able to use all of its possible economic and foreign policy tools as a response to malicious cyber activities.

Second, a new European Union cybersecurity strategy[5] was prepared during our presidency, laying a basis for several major initiatives that could have an enduring impact on the cyber security of the EU as a whole. The most important among them is the proposal for the creation of an EU-wide cybersecurity certification framework and the plan to create a network of centres of excellence among the EU’s R&D institutions in this field. It is the latter that has great potential to support research developments on the cyber front and thereby incentivize various smaller R&D centres to engage in greater cooperation with each other. Besides developing our own cyber security, it should result in a stronger EU economy and industry. The establishment of the Estonian Information


Security Association in late 2017 has a clear importance in that context – it is positioned to become a member of the EU network and will provide a longer-term platform for the development of solutions for ensuring the security of Estonian digital society in cooperation with Estonian businesses.

Third, the Estonian Presidency also had a major role in getting the cooperation networks of EU member states’ institutions responsible for cyber security into more active gear on a technical and strategic level. The Estonian Presidency was the one that had to provide the substance for the strategic-level Cooperation Group and the EU’s CSIRTs network’s* daily activities. Flexibility and a focus on getting results – both qualities that have come to be associated with Estonians – helped us lead the EU effectively in this regard. In addition to efforts to implement the NIS Directive, the EU member states’ cyber security institutions started, under the leadership of the director general of RIA, tackling the topics of cyber security of electoral processes and reducing the risks from cross-border dependencies. At the technical level, our hard-working CERT team, its leadership and technical platforms, helped the EU-established cooperation network to offer visible added value towards solving the WannaCry and NotPetya incidents.

Municipal council elections

Estonia was the first country in the world to adopt internet voting – for the 2005 general elections. Nine election cycles later, Estonia is still the only country where voters can cast votes online based on the state-issued secure electronic identity at general elections, with the votes having equal status to physical ballots cast on Election Day.

While in 2005, fewer than one in 50 voters used the online option, about 12 years later, one in three voted online (31.3 percent at European Parliament elections and 30.5 percent at Estonian general elections). At the local elections in autumn 2017, the previous turnout record was broken when 31.7 percent of votes were cast online.

Trust in online voting and its perceived and actual security are largely based on Estonia’s extensive, widespread ecosystem of secure digital services. For one thing, people in Estonia are accustomed to using many private and public sector services, from banks to Population Register procedures, and thus they tend to trust other digital services as well. Secondly, secure elections are also made possible by other well-developed digital systems, starting from the Population Register – which is used to draw up voter

* The EU CSIRTs network consists of the member states’ national cyber incident response units.


Typical online voters are no different from typical conventional voters

Acting head of the University of Tartu’s Skytte Institute, senior researcher Mihkel Solvak, comments on the spread of online voting

Discussions on whether online voting methods should be enabled often begin and end with two questions – “who will be using this?” and “who benefits?”. The spread and patterns of online voting in Estonia allow us to answer both questions the same way. In the first three elections with online voting, the so-called i-voters were distinct from typical voters. The former used to be 30-40-year-olds, better educated, more affluent and clearly more digitally literate. As time went on, nearly all of these factors have disappeared, so much that there is no longer any statistically significant difference between i-voters and paper ballot voters in Estonia. In other words, that means i-voting is so widespread in society that typical i-voters are now similar to typical paper voters. The structure of voters is actually the same, and the only change has taken place in the voting method. So who benefits? Ordinary voters who save time by not having to undertake the physical trip to the polling stations.

[Chart: Use of internet voting at elections since 2005 – number of internet voters (left axis, 0 to 200 000) and percentage of voters who voted by internet (right axis, 0 % to 35 %), for KOV 2005, RK 2007, EP 2009, KOV 2009, RK 2011, KOV 2013, EP 2014, RK 2015 and KOV 2017. KOV – municipal council elections, RK – general elections, EP – European Parliament elections]


lists – to the state-issued digital identity, on which internet voting is based. Furthermore, Estonia has chosen a consistent transparency strategy, which means that a large part of the election documents and software source code is public. It is self-evident that in addition to technical measures, the workings of the elections are likewise founded on security.

In light of global developments, the cyber security of election technology was under heightened scrutiny in Estonia as well last year. In the past, the assessment of threats against internet voting has focused above all on the technical risks in the systems. Considering how the risks have changed, a change was made in 2017 to draw up a full risk assessment for e-voting, examining potential politically motivated cyber attacks, possible risks from Estonia’s distributed responsibility model and other fields that potentially could influence the legitimacy of voting. Such a broad-based approach was based on the understanding that the legitimacy of elections depends on much more than the security of the technical systems for counting and reporting votes, but also on the trust of the whole society in the entire state digital ecosystem. The analysis also mapped systems and solutions on which elections depend.

We have been a partner for the State Electoral Office and the National Electoral Committee in hosting the system for receiving votes cast online and we have taken part in the online voting organizing committee. As new server software was introduced in 2017, we were responsible for the security testing of these systems. Tests were carried out by two companies offering pentesting services, who reported different findings. Likewise, the Estonian Cyber Defence League also tested the online voting solution. The problems found were fixed, yet no test found any critical flaws.

Besides the above-described activities, CERT-EE’s election task force contributed by tracking network traffic in the online voting infrastructure and keeping an eye out for anomalies such as DDoS attacks. We took part in communication work and planning of communications in the same capacity.

The close to 186,000 e-votes counted – an all-time record – showed that the trust in online voting remains high and this was not affected by the ROCA vulnerability on the ID card or “hacking” of elections around the world (for more on this, see the chapter “Sources, actors and motives”).


WHAT HAS CHANGED IN THE THREAT LANDSCAPE?

The majority of the cyber incidents that impacted Estonians and Estonian organizations still involve malware infections. Globally, last year’s most significant cyber incidents included the WannaCry and NotPetya ransomware campaigns, causing losses in the billions of euros. In Estonia, thanks to prevention and timely response, the losses were minimal.

Although cyber incidents can be caused by human behaviour and technological problems or natural events such as storms, about four-fifths in Estonia – 2,500 last year – were caused by intentional activity, i.e. cyber attacks. Next to this figure, administration errors and service downtime due to technical malfunction caused less than 10% of all cyber incidents.

THE AVALANCHE BOTNET

Close to one-third of the malware incidents recorded in Estonia last year were due to the Avalanche botnet. Avalanche was active for years, and was used to spread ransomware, and to commit identity theft, bank data theft and attacks on financial institutions. It was also rented out to other criminals for attack campaigns.* The total damage from Avalanche is estimated in the hundreds of millions of euros. The losses for German online banking alone are estimated at about 6 million euros.[7] No figure has been placed on the damage caused in Estonia. Although the users of Estonian bank services are believed to be generally better protected thanks to secure means of authentication – the ID card, mobile ID and Smart-ID – widespread risks remain through online retail and other services.

An international police operation brought Avalanche to an end in December 2016,[8] yet the malware spread by the botnet does not disappear automatically from computers – devices will need to be disinfected to prevent the same infrastructure from being later hijacked and brought to life for new attacks. As this is a long process and many users are not aware that their devices are infected, we work with cybersecurity agencies of many countries on this issue, and this work is set to continue until at least the end of 2018.[9]

* https://www.us-cert.gov/ncas/alerts/TA16-336A

Infected devices can be used for various cyber attacks – denial of service attacks, data theft and spreading fake news.[6] Increasingly,


computing resources of hijacked devices are used for mining cryptocurrency, and toward the end of the year, such incidents were on the rise in Estonia.

Most cyber criminals are unselective, looking for vulnerable devices and careless or gullible users. Typically, outdated software is a contributing factor, allowing attackers to exploit a vulnerability. The victim can be the owner of the system or an unsuspecting user, such as a visitor to a website. Poor or non-existent security does not pose a risk solely to the owner; far from it.

Sex offenders stalking victims online

Web constable Maarja Punak says that sex offenders are increasingly turning to the internet to look for their prey

Web constables are receiving more reports of situations where someone has been a victim of bullying or extortion. Young people feel less inhibited online and share personal information and revealing pictures. They do not perceive threats in the cyber world the way they do in real life.

“There’s a misconception that ‘anything goes’ because the interaction seems anonymous. Actually, you can never be sure whom you are sharing information with and what your partner’s intentions are. In the worst case, the personal information received is propagated further and a joke that might have seemed innocuous at one point can escalate into an actual offence,” said Punak.

Meanwhile, sex offenders go on chat apps and social media to look for their victims and try to obtain pictures or videos of children. In this way, children have been baited into a real meeting or the criminal uses web camera footage to stoke their fantasies.

Last year the police recorded 557 sex crimes, of which close to 300 – more than half – were committed online. This includes sexual harassment and child enticement in various environments. There were 130 cases of child enticement registered, 80 of them in internet environments.

Recommendations from the web constable:
• Don’t disclose your personal data publicly, or share revealing pictures or videos with strangers or casual acquaintances
• Don’t accept friend invitations from users you don’t know
• Review your social media profile settings and make sure that only your friends list can see what you post
• Always log out of your accounts after using a public computer or device
• Talk to a person you trust, like your parents, about any concerns
• If you have fallen victim to a crime, contact a web constable or the police


State-sponsored campaigns did not pick their targets

In the spring of 2017, two malware campaigns with disruptive effects were unleashed a month apart, both causing great damage: WannaCry and Petya/NotPetya. By the second week of May, hundreds of thousands of devices had been infected by the WannaCry ransomware, with victims in the medical, banking, telecoms and logistics sectors, as well as major industrial enterprises, across some 150 countries. The most prominent of these may be Spain’s largest telecommunications company, Telefonica, and Renault’s car factories in France, which were forced to stop work for several days.[10] One of the biggest victims was the UK’s National Health Service, with over a third of its regional institutions seriously affected by WannaCry. In total, WannaCry affected over 600 healthcare facilities in the United Kingdom; thousands of doctors’ appointments and operations were cancelled, and in five regions, patients were forced to seek emergency help elsewhere.

                     WANNACRY          PETYA/NOTPETYA
Global spread        150 countries     65 countries
Infected devices     400 000           20 000
Known damage         4 billion USD     1.2 billion USD
Assumed origin       North Korea       Russian Federation
Damage in Estonia    None              Saint-Gobain Estonia (Ehituse ABC construction supply stores); Kantar Emor market research agency

Petya/NotPetya appeared in late June and spread via Ukraine-based accounting software to all companies that used this software and installed the update that contained the malware. Appearing at first glance to be another kind of ransomware, it in fact had no ability to decrypt files, and deleted the data in encrypted systems. The attack is believed to have been meant for Ukraine’s institutions and major enterprises, which were the first to become infected.

Although its spread was more limited compared to WannaCry (70 percent of victims were in Ukraine), NotPetya’s economic impact was greater, as the attack was meant for business systems.[11] It took FedEx’s European subsidiary TNT Express over a month to restore its information systems to normal operations, and the company


announced that some of the data lost was permanent.[12] Denmark’s Maersk shipping enterprise had to essentially reinstall the entire corporate information system in ten days to recover from the attack – all the software on 4,000 servers and 45,000 workstations. Both Maersk and FedEx estimate the damages at up to 300 million dollars.[13] Major victims also included the pharmaceutical company Merck, which was still experiencing significant problems in returning its drug development and production to full capacity two weeks after the event, with drug supplies to some markets also affected.[14]

For the health and hygiene products giant Reckitt Benckiser, production and supply disruptions stemming from the incident lasted for over two months, and the company says they will significantly affect its annual results.[15]

REACTION AND CONCLUSIONS

Both the WannaCry and NotPetya campaigns used tools leaked in April from the US National Security Agency to exploit vulnerabilities in Microsoft Windows operating systems.[16] Microsoft issued an update in March to protect its users, but unpatched systems remained vulnerable, and since infection did not require any actions from the users, WannaCry spread quickly. An emergency patch was also issued for the Windows XP operating system, which had been officially unsupported since 2014.[17] Last fall, Microsoft issued a security update with defence mechanisms against attacks of this type, but it was meant for the Windows 10 operating system, and does not protect other widespread OS types like Windows 7 and Windows 8.1.

There was no impact from WannaCry in Estonia. There were attempts made against some twenty systems, but these were already using a security-patched operating system, so the ransomware did not start. NotPetya caused damage to Saint-Gobain’s Estonian subsidiaries, among them Ehituse ABC, which had to close all of its stores in the country.[18] Consultancy Kantar Emor halted the work of its information systems as a precaution, as their parent company’s network had experienced infection.[19]

Damage prevention was a result of both readiness and rapid response. The lack of impact from those destructive attacks was partly a result of our awareness campaign, starting already in 2013, urging people to phase out Windows XP. This campaign successfully resulted in the use of that operating system dropping to below 20 percent in Estonia. Throughout 2016, we had also been paying special attention to improving information security in our healthcare


sector. For both the WannaCry and Petya/NotPetya campaigns, we immediately contacted the potentially endangered institutions to notify them of the danger and advised them on systems protection. We also notified the information security managers of state agencies and vital services providers, and issued public warnings and guidelines.[20] Although incidents can never be entirely ruled out, the readiness of both systems and people has a significant role to play in preventing or minimizing damage.

In the context of the EU Presidency then about to start, we initiated a Europe-wide rapid cooperative response for both WannaCry and NotPetya, involving partners from five member states and the European Network and Information Security Agency ENISA, coordinating and ensuring timely information exchange between the Member States.

WANNACRY AND NOTPETYA AS STATE-SPONSORED ATTACKS

Both of 2017’s major ransomware campaigns damaged businesses, state agencies and individual users indiscriminately, and endangered not only property, but the lives and health of people. Beyond businesses, even more damage was presumably suffered by regular users, and this is almost impossible to tally up. Both campaigns quickly and uncontrollably swelled to a global scale.

Even right after the end of WannaCry’s mass spread, some sources pointed to the possibility that Lazarus, a group affiliated with North Korea, might be behind it.[21] In November, the UK government and Microsoft issued statements that laid the blame for the WannaCry ransomware wave on North Korea.[22] This was followed by an official statement from the US on 19 December, which referred to evidence produced in cooperation between US federal agencies and private enterprises (including Microsoft and cybersecurity companies) to attribute WannaCry to North Korea. This assessment was based on the fact that the attack’s tools and methods, and the infrastructure used, were consistent with previous North Korean cyber operations.[23] The US statement was endorsed by the UK, Australia, New Zealand, and Japan.

Suspicions about NotPetya’s origins also came about fairly quickly after the start of its spread. Several sources considered the malware’s signature to be similar to a cyber attack undertaken against Ukraine’s power stations in December 2016.[24] Ukraine’s security services say that the gathered facts point towards the attack coming from Russia, with the involvement of its special services.[25] The international expert community overwhelmingly believes that the attack’s true purpose was to create the maximum amount of damage, and that the ransom


demands were only a cover.[26] This February, the governments of the United Kingdom, Denmark, US, Australia and New Zealand laid the blame for NotPetya on the Russian government and military. According to the US statement, this was the most destructive and costly cyber attack in history, causing billions in damages in Europe, Asia and North America.[27] The UK statement was also endorsed by the Estonian Ministry of Foreign Affairs, which condemned the cyber attack and called upon Russia to behave responsibly and in accordance with international rules of law in cyberspace.[28]

Phishing, data leaks, and secure digital identity

Extensive data leaks have become so common around the world that barely a week passes without the international media reporting on one, and no one dares to predict that the situation will improve. 2017’s biggest data leaks include the US Republican National Committee and the credit rating bureau Equifax; the first of these exposed the personal data of some 200 million people (nearly all US voters), while the latter included the credit information of 150 million Americans.[29] In Europe, a similar data protection disaster befell the Swedish Department of Transport, where a foreign company was brought in to manage a database that contained information concerning national security, domestic security, and criminal prosecutions; that company then uploaded the information to a public cloud service. The incident led to a government crisis in Sweden, resulting in the replacement of the minister of the interior and the minister of infrastructure.[30]

Although the causes of these incidents were different – in one case a human error in configuring the database, in another a hopelessly poor corporate data security policy, and in the third, wilfully ignoring security requirements – they all point to similar fundamental flaws both in the service architecture, and in incident readiness and resolution.

Estonian state agencies and service providers have not reported any serious data leaks over the past year. The transparent architecture of Estonia’s digital state, the use of secure authentication, and other methods for ensuring the integrity of important data, make data leaks on this scale very difficult to pull off in Estonia; however, risk mitigation still requires continuous effort.

Estonian residents do actively use the services of large international vendors, sometimes creating accounts using workplace emails. At the end of last year, a database of 1.4 billion user identities and passwords in plaintext was published on the dark web; this included 198,000 email addresses on .ee domains, used to create


those accounts. Although the database does not make it clear which environment the usernames and passwords leaked from, it does include user information leaked from LinkedIn, MySpace, Twitter, Tumblr, DropBox, Bitcoin forums, Zomato, Gmail, and Yahoo. This included 2,830 email accounts from Estonia’s public sector, and around 2,600 accounts of employees of vital services providers. We notified the information security managers of the affected agencies of the leak, with recommendations to reset the user passwords and educate users on the dangers of password reuse.

New password guidelines

The impending death of passwords as an authentication method has been predicted for years. Multi-factor authentication as a secure alternative has been available for a long time in widespread services such as Google and social networks, and its ease of use has improved remarkably over the years. User uptake, however, remains disappointing: although Google has been offering two-factor authentication (2FA) since 2011, less than ten percent of Google users have it configured.[31] Estonia’s 15-year experience with ID cards and its alternatives Mobile ID and Smart ID shows better results, but even these are far from universal adoption. For example, to log in to the state services portal Eesti.ee, three out of four visitors will use an ID card or Mobile ID; the rest will log in using a bank link, mostly falling back on code cards.

Therefore we still need to talk about passwords in 2018.

Last year saw an update to password recommendations that have been in place for 15 years. NIST, the US standards authority, replaced its 2003 guidelines that described a secure password as a combination of upper- and lowercase letters, numbers, and special characters. The reason for the change is simple: the requirements are too complex, and their effectiveness is questionable.[32] The new recommendations place more realistic expectations on users, and emphasize service design to support user data security. The core of the recommendations is simple: the password must be long, and the environment must support multifactor authentication.

The 12 most common passwords among Estonian users
1. 123456
2. parool
3. qwerty
4. 123456789
5. lammas
6. 12345
7. minaise
8. maasikas
9. kallis
10. killer
11. armastus
12. lollakas
Source: CERT-EE[33]


RIA GUIDELINES

For users
• Use a passphrase instead of a password. Do not reuse a password in different services.
• Replace a device or service’s default (initial) password with a new, secure one.
• If possible, use two-factor authentication (including an ID card, Mobile ID or Smart ID). Prefer an existing two-factor authentication method to registering a user account with a new username and password.
• Get a password manager (better known ones include LastPass, Bitwarden, 1Password, Dashlane and KeePass). This helps to generate a unique strong password for each website, and reduces the risk of endangering several of your user accounts with one password leak.
• If you suspect that your password is known to third parties, even if they are good friends of yours, change the password immediately.

For service providers
• Design your service to be secure, and be realistic about the user’s abilities. Instead of requiring the user to invent another original, complex password, enable two-factor authentication in your service.
• From a data security standpoint, it is not reasonable to require a user to create an account to use the service (such as buying from an online store). Consider if this is actually necessary.
• Enable long passwords (passphrases), between 8 and 64 characters, and allow the use of any characters in them.
• Drop the requirements for password complexity – instead of hard-to-remember or superficially complex passwords (such as p@ssw0rD), encourage the user to have long passwords.
• Restrict the use of common weak passwords (such as 123456, password, admin or username) in your system.
• Do not require or offer the use of password hints (such as mother’s maiden name, pet name, etc.) – these are often easy to guess or find out via social media.
• Drop password expiry deadlines, especially if they are short. Assume that a password must be reset only when it is forgotten or leaked or exposed to other persons or cybercriminals.

Also see:
US NIST new password guidelines: https://pages.nist.gov/800-63-3/
UK NCSC recommendations: https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
To generate a unique and memorable password template, you can use https://rabool.eu
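As an added illustration (not RIA’s or NIST’s own code), the service-provider rules above written as a Python policy check, contrasted with the 2003-style composition rule the new guidelines drop. The blocklist is constructed from the CERT-EE top-12 list on this page plus the generic examples the guidelines name; a real service would load a far larger leaked-password list.

```python
"""Password policy check following the RIA guidelines above (which track
NIST SP 800-63-3): length 8-64, any character allowed, no composition
rule, a blocklist of common weak passwords, and no expiry.
Added example for this page, not RIA's or NIST's own code."""

import unicodedata
from typing import FrozenSet, List, Optional

MIN_LEN = 8
MAX_LEN = 64

# Constructed blocklist: the page's CERT-EE top-12 for Estonian users plus
# the generic examples the guidelines name (password, admin, username).
BLOCKLIST: FrozenSet[str] = frozenset({
    "123456", "parool", "qwerty", "123456789", "lammas", "12345",
    "minaise", "maasikas", "kallis", "killer", "armastus", "lollakas",
    "password", "admin", "username",
})

# Symbol-for-letter substitutions that make a weak word look complex
# ("p@ssw0rD"); they are undone before the blocklist comparison.
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e",
                      "1": "i", "!": "i", "4": "a", "5": "s"})


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical inputs compare equal and
    length is counted in code points, not bytes."""
    return unicodedata.normalize("NFKC", password)


def canonical(password: str) -> str:
    """Lower-case and undo leetspeak: 'p@ssw0rD' -> 'password'."""
    return normalize(password).lower().translate(LEET)


def check_password(password: str, username: Optional[str] = None,
                   blocklist: FrozenSet[str] = BLOCKLIST) -> List[str]:
    """Return rejection reasons under the new guidelines; [] means accepted."""
    pw = normalize(password)
    reasons: List[str] = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    # Compare both the plain lower-cased form (catches "123456") and the
    # de-leeted form (catches "p@ssw0rD" against "password").
    if pw.lower() in blocklist or canonical(pw) in blocklist:
        reasons.append("matches a common weak password")
    if username and canonical(pw) == canonical(username):
        reasons.append("equals the username")
    # Deliberately absent: upper/lower/digit/symbol mixing rules, bans on
    # spaces or non-ASCII letters, password hints, and expiry dates.
    return reasons


def legacy_2003_ok(password: str) -> bool:
    """The composition rule the page says NIST dropped: at least one
    upper-case letter, one lower-case letter, one digit and one symbol."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    # Constructed samples: a leet-disguised weak word, a plain top-12 entry
    # and an Estonian passphrase with spaces and non-ASCII letters.
    for sample in ("p@ssw0rD", "123456", "kollane lehm sööb rohtu"):
        print(f"{sample!r}: legacy rule accepts={legacy_2003_ok(sample)}, "
              f"new rule reasons={check_password(sample)}")
```

The point of the contrast: the old rule accepts the superficially complex "p@ssw0rD" and rejects a 23-character passphrase, while the new check does the opposite.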


The EU General Data Protection Regulation will enter into force on 25 May 2018, replac-ing the current Personal Data Protection Act. Viljar Peep, head of the Estonian Data Protection Inspectorate, gives a short overview of what will change and why.

What will change with the new regulation?Theprinciplesofdataprotectionremainthesame, but the rules are significantly morepreciseand thorough, andusea risk-basedapproach.Stricter rulesapply to large-scaledataprocessingorsensitivedata.Ifthatisthecaseforyou,youdefinitelyneedtostudytheregulationindetail,asfulfillingtherulesmayrequiremajorandtime-consumingchangesto your organization’s information systems,customer service, or personnel operations.For example, there is now an obligation toassignaDataProtectionOfficer,keeparegis-terofpersonaldataprocessingactivities,andmuch more .

A company or institution that does not process sensitive data, and has been carefully following data protection rules so far, does not need to make major changes.

The biggest substantive change – personal data portability – mostly applies to the private sector. A person may take their digital data from company A and transfer it to company B. The companies ought to review their information systems to ensure that it is possible to transfer the data as quickly and easily as possible.

Why was this regulation introduced?
The reason is the European single market: data needs to move across national borders. If each country has a different regulation, this is difficult to do. This is why the rules are more precise for the private sector, and more wiggle room was left to member states in public sector data processing.

Where should an organization begin?
Public sector agencies, large-scale data processors and major corporations should begin with a comprehensive assessment of their data processing. With an eye to the new data protection legislation, look at your operational processes, information systems, and document templates. State agencies also need to consider the Public Information Act, and specific legislation applicable to them.

Corporations definitely need to review data portability: information must be kept in a structured form, in a widely used machine-readable format.

Fulfilling GDPR requirements is work- and time-intensive

Photo: Estonian Data Protection Inspectorate


Estonia’s most significant cyber threats still originate from (organized) crime and hostile foreign powers. International experience shows that serious cyber incidents are increasingly orchestrated by state actors.

States are increasingly eager to use the opportunities of digital environments not only for traditional intelligence collection, but also for influencing others and strengthening their geopolitical activities. More and more countries are confirming that they are in the process of developing offensive cyber capabilities.

The NATO allies stated at the 2016 Warsaw Summit that cyberspace has become a warfare domain, where NATO must be able to defend itself effectively, same as in the air, on land, and at sea. Estonia’s national security concept, approved in 2017, envisions that the country will implement cyber security in the same manner and with the same structural solution both in times of peace and in times of war, acknowledging that Estonian cyberspace is defensible as long as the state and the society participate in its defence together, the necessary competence exists, and the society is aware of the threats of the digital environment and is capable of optimally avoiding them, and reacting in case of problems.

In addition to the development of national capabilities, there is an ongoing international debate over which rules apply to states in the cyber sphere. A new edition of one of the most authoritative sources in this area, the manual of international law applicable to cyber operations – The Tallinn Manual 2.0 – was published last February, led by the NATO Cooperative Cyber Defence Centre of Excellence.* The manual analyses all forms of state-sponsored cyber operations – from cyber espionage to cyber attacks comparable to armed attack

* Tallinn Manual 2.0 on International Law Applicable to Cyber Operations, http://www.cambridge.org/us/academic/subjects/law/humanitarian-law/tallinn-manual-20-international-law-applicable-cyber-operations-2nd-edition

SOURCES, ACTORS AND MOTIVES


In August of this year, the Estonian Defence Forces will establish a Cyber Command, which will achieve full readiness over the next few years. Deputy Commander of the Headquarters Support and Signal Battalion, Major Silver Andre, explains the background of the Cyber Command.

The Cyber Command will be tasked with protecting cyberspace within the governance area of the Ministry of Defence. Today, cyberspace military operations are viewed as the fourth domain, alongside land, air and sea. NATO established that officially at the meeting of the Defence Ministers in 2016.

There will not be a separate service created within the Defence Forces. The Cyber Command is going to be a structural unit formed on the basis of the Headquarters Support and Signal Battalion, reporting directly to the Commander of the Defence Forces and being part of the NATO network. The tasks will include the improvement of the Defence Forces’ understanding of cyberspace and achieving situational awareness within it, identifying cyber threats and preventing them. There will be readiness to perform various operations in cyberspace both in times of peace and in times of war.

Hostile intelligence and influence activities in cyberspace are an everyday reality. Achieving influence via the information environment is really cost-effective, as sophisticated operations can be conducted from far abroad with minor costs and reasonable security. Crippling a nation that is dependent on IT solutions and badly protected is easier than with conventional warfare.

Cyber events and incidents are a constant reality for Estonian digital infrastructure. As a state, we are in a good position in terms of awareness and response, but as far as a military cyber war is concerned, we still have a lot to do.

The Cyber Command will number around 300 people in peacetime. In addition to information operations (one part of which is cyber operations), it will be responsible for providing ICT services, command support and strategic communication. The new unit will employ both domain experts already working in the Defence Forces, and most definitely specialists from the private sector. The Cyber Command will be physically located in Tallinn, but virtually located where it is needed, when it is needed.

Estonia will get additional military capability in cyberspace

– in the context of applicable international norms of law, which establish the rights and obligations of states in conducting cyber operations. Despite the rhetoric of the Russian Federation and other states of the same mind, it is obvious that cyberspace is not a legal vacuum where norms do not apply.

Despite this, or perhaps due to this, some states continue to attempt to act within the grey area of the rules, and to expand that area.


State-sponsored cyber attacks against vital services
A turning point for cyber security when it comes to vital services was the cyber attack against a Ukrainian power plant around Christmas 2015, which damaged the plant’s control system and took the plant offline for hours. Suspicion fell on the Russian Federation.34 After this event, the public has learned of a number of cases where cyber attacks targeting a critical service were linked to a hostile foreign country.

In the summer, the US and British media reported an intrusion into the enterprise networks of US energy companies and the information systems of a manufacturer of industrial controllers used in the energy industry.35 Phishing emails were used as means of attack, and this attack surface was used to gain access to the office networks of at least a dozen companies, including a nuclear plant in Kansas. Persons working for a foreign country are believed to have been responsible for both of these attacks, with Russia being the primary suspect. The same group was linked to attacks in late spring and early summer against energy companies in the US, Ireland and Turkey.36 Similar threats are also salient in Estonia – last year, RIA’s annual cyber security assessment covered an attack against oil shale company Viru Keemia Grupp (VKG), which provides various vital services in Ida-Viru County.

Although the incidents in the US did not directly impact energy generation or the functioning of energy networks, access to the business network does increase the vulnerability of production systems. Operational systems that run energy production are isolated in a separate network segment, but often they do not use modern security solutions. Attacker access to information processed in the business network concerning the organization and risks (correspondence, documentation of infrastructure etc.) makes it possible to plan later attacks.

THE ENERGY SECTOR


Last year, the energy, communication and banking sectors were the prime targets for such attacks.

During the joint Russian-Belarusian military exercise Zapad 2017 in September, DDoS attacks from Russian and Chinese IP addresses hit the mobile operator’s network in Finland’s Åland Islands, and similar incidents were reported in the UK and the Netherlands.37 The deputy head of the security committee of Latvia’s Parliament confirmed later that a seven-hour-long outage that hit Latvian mobile networks in late summer was likely caused by Russian military activity on the Baltic Sea.38

Estonia did not report any DDoS attacks in connection with Zapad. However, Norway did confirm radio problems at the same time, originating from Russia and affecting air traffic and causing GPS service malfunctions.39 Similar incidents also occurred during previous Russian Federation military exercises. It is likely these were not deliberate attacks but side effects – the Russian military was apparently aware of them but seems to not have tried to avoid them.

Experts are also becoming increasingly concerned by North Korea’s growing cyber attack capability. A number of the cyber attacks that hit the banking sector in recent years have been traced back to the North Korean cyber groups, led by the Lazarus APT group. In addition to a large-scale case of fraud against the central bank of Bangladesh in 2016, the same group is considered to have been responsible for a long-running campaign against banking sector targets in 31 countries.40 In this specific case, vulnerabilities were exploited through the use of a hitherto unknown malware variant that infected the devices of visiting users that met specific parameters. Among others, Polish commercial banks were infected through the website of the Polish financial supervision authority.41

The main focus of the Lazarus APT has turned to attacks on banks, online gambling platforms, financial software developers and cryptocurrency business entities: they try to manipulate SWIFT interfaces and transaction verification mechanisms, or use malware customized for the target.42 Account data stolen using phishing is used to attack cryptocurrency exchanges and mining services.


Cyber-enabled attacks against democratic processes
Research conducted in 2017, and still ongoing, has given a good idea of how extensively the Russian Federation attacked information systems related to the US elections in the run-up to the American presidential elections.

Already in the first days of 2017, US intelligence agencies released a report on cyber attacks originating from the Russian Federation’s intelligence services prior to the US presidential elections.43 The basic conclusions of the report indicated that the attacks were organized by the intelligence agencies based on instructions from the highest levels. The cyber attacks against the US presidential elections were part of an operation aimed at breaking into the Democratic National Committee’s information systems and stealing internal documents to manipulate public sentiment to ensure a certain candidate would be successful in the election. This was accomplished through a combination of phishing attacks, manipulation and selective leaks of sensitive information obtained, feeding Russia’s state-sponsored propaganda in media and social networks.

The conclusions also state that the Russian Federation intelligence services achieved access to the information systems of electoral committees in several US states, although no proof that votes were manipulated in election devices was found. It later turned out that attacks were attempted against service provider companies and systems used for garnering votes.

This is a good example of how cyberspace is one of the theatres of operations for hostile countries to try to achieve influence over other countries. Cyber attacks against technologies that enable democratic processes are often opportunistic – the goal may not necessarily


always be to cripple the functioning of systems or steal data, as the political goals may already be achieved if there are persistent rumours and doubts regarding the legitimacy of the electoral process. Furthermore, as the attacks against the US and French presidential elections in 2016 and 2017 demonstrate, the cyber element is always integrated into a broader approach and cyber attacks themselves may signify data thefts and leaks and exploitation of vulnerabilities in electoral systems.

Election technology is therefore justifiably under heightened scrutiny, especially since the attacks are not often aimed at the central systems used for elections (lists of voters and candidates, gathering votes, counting votes and publishing results) but rather against the (digital) services connected to them, and, above all, candidates and parties. Although the last of these would not directly affect the flow and execution of the elections themselves, it is possible that the perceived legitimacy of the elections would still be dealt a blow. Furthermore, most of the “campaign hacks” of recent years were aimed specifically at auxiliary systems and often served the longer-term goals of subsequent information and influence operations.

Besides the cyber attacks against the US presidential candidates’ campaigns, Emmanuel Macron’s campaign team announced immediately before the second round of the French presidential elections that there had been a “massive and coordinated” cyber attack involving the release of a large amount of internal correspondence and documents via an anonymous environment.44 The leak took place immediately after the pre-election prohibition on political discussion came into force, which prevented the content from being commented on publicly or covered in the media, and thus consigned the interpretations and conspiracy theories to social media networks. Like in the run-up to the US presidential elections, the materials leaked by the attackers were combined with misinformation to sow confusion and doubts.45 Earlier in the campaign, Macron’s team had made repeated reference to attempts to hack into the party leaders’ email accounts, and France and Germany both notified the public months before the elections of a significant increase in cyber attacks against state digital infrastructure. Both countries adopted measures to prevent incidents in connection with the elections, with more attention paid to the awareness of political parties about cyber risks and looking for ways of curtailing the spread of fake news on social media.46

Cyber attacks against elections are not a goal unto themselves, nor are they the only way for Russia to influence the West through cyberspace. The West has to contend also with direct attacks designed to harm reputation or the ones aimed against economic or political interests or


infrastructure. The likelihood of attacks against infrastructure is low in Estonia but clearly not non-existent. Based on the extensive WannaCry and NotPetya malware campaigns, a very likely scenario is one where an attacker loses control of a cyber attack originally undertaken against a relatively specific target.

To keep the Estonian state and society functioning the way people have grown accustomed to, cyber risks must be and are taken into account in risk assessments and risk scenarios at the state level. An isolated phenomenon also referred to as an “IT threat” is seen exceedingly rarely, and in most cases, the significance of cyber threats is that they enable or amplify broader risk scenarios.

ATTRIBUTION AND RESPONSES TO CYBER ATTACKS
2017 saw a clear change insofar as cyber attacks committed by foreign countries are now brought to light and their state origins are often disclosed. The attacks against the US election campaign, WannaCry and NotPetya were decisive in launching this trend.

Attributing cyber attacks in international relations is not merely an evaluation of technical evidence – it is also a clear means of signalling that a cyber attack is not considered trivial or an acceptable means of action. In a tense international atmosphere, establishing deterrence against malicious cyber activities is a clear necessity and in order to achieve that, attribution has a clear role to play. The Framework on a Joint EU Diplomatic Response to Malicious Cyber Activities (the Cyber Diplomacy Toolbox47), finalized during the Estonian Presidency of the Council of the EU, lays a basis for collective response by EU member states and for the use of all CFSP measures as a response to malicious cyber activities. Therefore it is quite evident that the importance of political and legal elements in attribution will increase even more.


Technological risks
All of society depends on the functioning of the so-called fundamental digital infrastructure – the underlying architecture of the internet, internet services and protocols (DNS, BGP etc.) and the Estonian state’s eID and X-road. An extensive disruption to the entire system or complete interruption of service is highly unlikely, but the possibility of challenges such as the ID card vulnerability discovered last autumn must be taken into account and prepared for. The possibility that a previously unknown critical vulnerability such as Meltdown and Spectre this January will rear its head, affecting a great many systems and users and necessitating an urgent patch, should be considered a rather probable occurrence on a one-year timescale. Governments (whether they have a defensive or offensive motivation), research institutions and criminals all compete to seek out such vulnerabilities. It must always be taken into account that technology itself is never 100 per cent secure and security changes over time.

What is “strong cryptography” and why is it important?
The current public debate around the topic of cryptography and backdoors focuses on a choice between state security and surveillance vs. privacy. For Estonia, the more fundamental question in the matter is that of trust in the state-backed identity, the basis for our entire digital society’s ecosystem.

In essence, cryptography entails mathematical methods for ensuring confidentiality and integrity of data, naturally including authentic and trusted digital identities. As a synonym for trust and security, encryption technologies are the underpinning of the digital state and society. Although in the sense of having a state-issued


The head of RIA’s cyber security division’s research and development department, Kaur Virunurm, warns that the technological environment will not get any better and that we have to get used to coping with that fact.

The world is essentially held hostage by a handful of mega-corporations. Each IT field – chips, operating systems, telephones, services – is dominated by two or three major manufacturers who have near total hegemony in their own technological segment. It’s a global monopoly, too – the same electronics and software is used in the US, Russia and Estonia.

Citizens’ and users’ data is also in the hands of the major services (Google, Facebook). In essence, what we have is a monoculture. Apple and Microsoft, AMD and Intel, Google and Amazon are monopolies on which the entire world’s activity depends.

Likewise, security flaws simultaneously impact all systems and services, all over the world. Greater influence means security flaws come with greater implications and cost. Since increasingly effective solutions are devised to find the holes, and automation and machine learning are used, vulnerabilities are now being found in older systems, too. The most influential security holes cost millions of dollars on the black market. Finding and sharing vulnerabilities has thus become an industry on its own.

The security vulnerability that affected the Estonian ID card (ROCA) is over 10 years old. In summer 2017, WiFi – thus far considered secure – was broken. The origins of this vulnerability are from long ago but it was discovered only now. The security vulnerabilities found in Intel and AMD processors in early 2018 are over 20 years old.

Patchingoldflaws,however,isexpensiveandcostly.

The Spectre/Meltdown patches failed to meet expectations, and made computers sluggish or non-functional. The patch for ROCA required a firmware update and largely went unimplemented. Most older Android phones receive no security updates.

The vulnerabilities are amplified by bug traders. In 2016-2017, a group called Shadow Brokers published a major package of exploits (likely from the US intelligence agencies). The WannaCry and NotPetya incidents started from precisely these leaks.

There are more such groups, and because they all use the same technology that they attack, they are vulnerable themselves.

Thus, one set of groups collect the vulnerabilities, a second faction attacks the first ones, steals and sells their “work”, and a third contingent takes advantage of them, attacking or disrupting the rest.

To sum up, we must reluctantly accept that we live in a world where all systems are vulnerable or where today’s secure solution may stand completely ajar tomorrow. We can only hope that as long as there are many security layers protecting us, some of them will hold and stop an attack or allow us to recover from it.

If the current conditions persist, there will be no relief in future. Technology and its weaknesses will spread everywhere, even in places where they do not yet exist: the advent of self-driving cars and smart roads, data mining, robotics and artificial intelligence and quantum computing will lead to a society that we scarcely imagine. It is to be feared that the cyber risks of the new world will be worse than those of 2017.

WE ARE HELD HOSTAGE BY A MONOCULTURE


digital identity, Estonia is still quite unique, cryptography-based solutions are in widespread use at the governmental, corporate and individual level.

The security of the Estonian state-issued digital identity depends totally on strong encryption – meaning that it is objectively possible to have total confidence that a person and their intent match who they seem to be. Impersonation for the purpose of conducting a transaction is ruled out. The entire Estonian digital ecosystem is based on this security.

Any backdoor in a service would break the trust in the digital ecosystem and damage confidence in it. It is important to stress that we are not talking about privacy here, but the functioning of services. If cryptography is “weak”, services will not function. The same trust is an unwavering foundation for the entire state digital ecosystem and cyber security: if trust in the ecosystem is lost, so will Estonia’s ability to function in its accustomed manner as a state. If digital services are not trustworthy, there must be a return to physical provision of service. In the case of our society’s resources, this inevitably means that the quality and volume of public services will decline and the state as a whole will weaken.

In today’s world, the possibilities to weaken cryptography in general are disappearing, i.e., cryptography cannot be weakened without compromising digital systems. It isn’t possible to create a technical means for solely selected persons to access encrypted data that would not also create a vulnerability that criminals, terrorists and hostile state actors could exploit. Leaks of data pertaining to vulnerabilities cannot be ruled out even in the case of organizations with very high data security standards, as shown by the information leaked from two security agencies in the US regarding cyber weapons.

The software market and crime are both fundamentally cross-border phenomena. It is therefore impossible to prevent the development of encryption and communication solutions that are beyond the control of governments.

Security for state-issued identities is not a matter of state surveillance versus privacy. It is a question of whether public services function or not – and by extension, a much broader question of security for society.


2018 will mark ten years since the first Estonian cyber security strategy entered into force. On the whole, it has served us well. The fact that Estonia’s weight in this field rests on more than successful image building or single innovative achievements is demonstrated by the Global Cybersecurity Index compiled by the International Telecommunication Union (ITU) last year48, which ranks Estonia fifth in the world in its commitment to cyber security. Estonia’s position derives from high scores in all five categories: legal, technical, organizational, capacity building and cooperation.

Still, rankings remain a superficial assessment and it takes more than good preconditions to ensure security. In 2018, Estonia is one of the world’s most digitally dependent countries. The readiness of the state and society to contribute to cyber security currently falls short of the dependence level.

FUNDAMENTALS OF ESTONIAN CYBER SECURITY

• Cyber security strategy: strategic objectives and definition of roles and responsibilities

• Framework of minimum security requirements: three-tiered baseline security system (ISKE) for state and local governments; risk assessments and continuity plans for vital service providers; security of Estonia’s fundamental digital infrastructure (eID, X-road)

• 24/7 national incident preparedness and response capability (CERT-EE)

• Crisis readiness – integration of cyber security into the comprehensive concept of national security and defence

• Awareness and skills

• Cooperation between government institutions, between the public and private sector, and internationally

RIA’S CYBER SECURITY FOCUS FOR 2017: READINESS AND PREVENTION

• Impact and trend assessments

• Cyber threat warnings issued to:
 – the public concerning salient threats and security vulnerabilities
 – vital service providers on a sectoral or trend basis, accompanied by analysis and recommendations

• Prevention and preparedness: planning and exercises

• Cyber hygiene and trainings

• Building a culture of security and cooperation – strengthening Estonia’s cyber security community

SECTORAL CYBER RISKS AND PREPAREDNESS


Central government
Incidents involving government institutions show that possibilities of improving cyber security through awareness building have been exhausted and the focus should be directed at secure architecture and competent personnel.

Globally, government institutions are, along with financial institutions, communications operators and healthcare providers, the most prominent attack targets.49 As to direct threats facing government institutions, phishing still remains the most widespread, but it should be remembered that cyber attacks are often just one component in an attack against public trust in the government as a whole. To keep the Estonian state and society functioning as people are accustomed, it is very important to take cyber risks into account in all risk assessments and risk scenarios. As noted previously, an isolated phenomenon referred to as “information technology threat” is seen exceedingly rarely in reality, and in most cases, the true significance of cyber threats is as enablers or amplifiers of a broader risk scenario.

Estonian government officials have relatively high awareness of cyber security. This has been aided by RIA cyber security trainings during the year prior to the Estonian EU Presidency, which drew close to 1,200 officials. Last spring, we opened the Digitest learning environment where cyber knowledge can be tested and supplemented.

Compared to the overall incident statistics of Estonia last year, government institutions saw few malware infections and, e.g., no ransomware infections at all. The biggest point of concern for public sector cyber security is service downtime caused by IT equipment failure or human error. These are especially critical in systems whose functioning depends on internal and state security


In spring 2017, RIA and CybExer Technologies launched a digital learning platform meant for government institutions. To date, it has tested thousands of public servants’ cyber knowledge and identified their cyber risks.

The programme has been licensed to tens of private and public sector institutions, many universities and authorities and companies from a number of foreign countries who are interested in raising their staff’s cyber security awareness. As, due to security considerations, Digitest results are only accessible to individuals and agencies who have taken the course, it is planned to develop an anonymous and secure mechanism for sharing results that would allow each company or agency to compare themselves to the overall outcomes.

In future, we would like to see Digitest used even more broadly in the government sector. Passing the test might even be made obligatory for state and local government officials. To lay a foundation for cyber skills among the new generation, we plan to distribute Digitest in schools to let schoolchildren receive training in cyber hygiene.

Thousands of public servants have passed the Digitest course

Digitest provides risk profiles at the user, organization and state level. This allows more precise risk management with attention devoted to specific weaknesses.


– police, border guard or rescue services – or people’s life and health, such as the Emergency Response Centre (Häirekeskus) or digital prescriptions. Because no other service provider can offer an alternative to state functions, it is extremely important to ensure that these services are sufficiently resourced to have functioning backup solutions. Government institutions’ centralised IT centres in particular have succeeded in ensuring better security and continuity – they have proved to be capable of eliminating service problems and interruptions rapidly and responding to attacks.

Estonian government institutions cannot neglect the fact that their information systems are scanned and probed constantly. We keep a close eye on these activities and let them know of anything out of the ordinary. One example of such a case was a series of short-term, small-scale denial of service attacks that occurred in late 2017 against several Estonian government and research institutions. The attacks did not have noteworthy impact on the services but they stood out because of their temporal proximity to each other, their low intensity, and the similar pattern – i.e. traffic in precisely measured intervals.

As this activity could be used to prepare later attacks, analysis of such cases is always important and such cases should always be reported by email at cert@cert.ee.
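The "traffic in precisely measured intervals" pattern described above is something a defender can look for in ordinary access logs. The following is an added example, not CERT-EE's tooling: it scores each client by how regular its request timing is, so that low-volume traffic that a volume threshold would never notice still stands out. The log lines, addresses and threshold are constructed assumptions.

```python
"""Spotting the 'traffic in precisely measured intervals' pattern described above.

Added example, not CERT-EE's detection logic. It parses web-server access
log lines in the common log format, groups requests by client address and
scores each client by the coefficient of variation (standard deviation /
mean) of its inter-arrival times. A scripted probe firing every N seconds
scores near zero; human browsing is bursty and scores high. Low intensity
is what hides such traffic from volume thresholds, which is why timing
regularity, not request count, is the signal here.
SAMPLE_LOG is constructed test data using RFC 5737 documentation addresses.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# client - - [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')


def parse_line(line: str) -> Optional[Tuple[str, datetime]]:
    """Return (client address, timestamp) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, stamp = m.groups()
    return client, datetime.strptime(stamp, TIME_FMT)


def periodicity_scores(lines: List[str], min_requests: int = 5) -> Dict[str, float]:
    """Coefficient of variation of inter-arrival gaps per client.
    Clients with fewer than min_requests hits are skipped: a handful of
    requests cannot show a rhythm."""
    seen: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            seen[parsed[0]].append(parsed[1])
    scores: Dict[str, float] = {}
    for client, stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:  # everything within one second: a burst, not a rhythm
            continue
        scores[client] = statistics.pstdev(gaps) / mean
    return scores


def flag_metronomic(lines: List[str], threshold: float = 0.1,
                    min_requests: int = 5) -> List[str]:
    """Clients whose request timing is regular enough to warrant a closer look."""
    return sorted(c for c, cv in periodicity_scores(lines, min_requests).items()
                  if cv < threshold)


def _line(client: str, when: datetime, path: str) -> str:
    return f'{client} - - [{when.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 512'


_T0 = datetime(2017, 11, 20, 3, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # constructed: scripted probe, one request every 30 seconds
    [_line("198.51.100.23", _T0 + timedelta(seconds=30 * i), "/") for i in range(8)]
    # constructed: human visitor, page loads with sub-resources in bursts
    + [_line("203.0.113.7", _T0 + timedelta(seconds=s), p)
       for s, p in zip((0, 2, 3, 40, 41, 95, 96, 97),
                       ("/", "/css/main.css", "/img/logo.png", "/news",
                        "/css/main.css", "/contact", "/css/main.css", "/img/logo.png"))]
    # constructed: a single stray hit, below min_requests and therefore ignored
    + [_line("192.0.2.9", _T0 + timedelta(seconds=10), "/robots.txt")]
)

if __name__ == "__main__":
    for client, cv in sorted(periodicity_scores(SAMPLE_LOG).items()):
        print(f"{client:16} cv={cv:.3f}")
    print("flagged:", flag_metronomic(SAMPLE_LOG))
```

A flagged client is a lead for analysis, not a verdict: monitoring agents and cron-driven integrations also poll on a fixed schedule, so the score is best read together with the request paths and the reporting route named above.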

Cyber incidents at government institutions 2017 (share of incidents):

• Service interruption (59%)
• Compromise (18%)
• Malware (8%)
• Administration error (4%)
• Phishing (4%)
• Data leak (2%)
• Defacement (2%)
• Scanning and brute-force attacks (2%)
• DDoS (1%)
• Financial fraud (0%)
• Ransomware (0%)
• Equipment theft (0%)

Page 45: Estonian Information System Authority Annual Cyber ...2017 was an unusually eventful year in global cyberspace. Malware campaigns caused havoc around the globe, large data leaks took

45Estonian Information System Authority: Annual Cyber Security Assessment 2018

Local governments

Compared to the state, local governments still have an uneven level of cyber security.

As local governments are an integral part of the Estonian digital state, if their security is weak, it creates risks for the state’s central databases. For instance, local governments access the Population Register and central social security databases, which may put sensitive personal data at risk in case they neglect cyber security requirements. Local governments have an obligation to implement the ISKE baseline security framework, but many fail to do so.

As part of the recent administrative reform in Estonia, the Ministry of Finance has supported ICT consolidation of local governments and runs a platform for, among other things, assisting local governments in developing information systems with security by design in mind. We highly recommend all local governments to use this. We hold regular information events and seminars for the public sector, and local governments can also participate in these. Appointing a person responsible for data security would also help significantly improve the situation. There are only a few local governments in Estonia that have done so.

“SECURE HARJU COUNTY” SURVEILLANCE CAMERAS

In autumn 2017, a number of break-ins took place into security cameras installed in four local governments in the context of the Harju Association of Local Governments project, “Secure Harju County”. Unpatched security holes in the cameras and unrestricted access to the devices were exploited. The compromised cameras stopped recording or transmitting footage for several days. Thanks to a notification from a data security employee at one of the municipalities, we learned of the event and sent a warning to other municipalities, public sector data security managers and vital service providers and gave instructions for patching the vulnerability.


Unlike the state, most of the incidents in local governments last year involved malware infections, and hackers exploiting outdated software to deface websites or to carry out attacks on website visitors. For example, local government websites were used in 2017 for spamming and phishing for bank data.

Photo: Arno Mikkor


Essential services

The cyber security of society as a whole rests on the private sector, which provides the majority of (digital) services that keep society functioning normally. While the security of information systems is primarily the responsibility of the system owner, it is the state that must ensure protection of the society as a whole.

Estonia established the obligation to guarantee the cyber security of vital service providers in 2009 when the Emergency Act entered into force. It made vital service providers responsible for assessing the risks to their business continuity – including ones whose cause or expression lies in cyberspace – and for applying measures to ensure continuity. The EU Directive on the Security of Network and Information Systems (NIS Directive), of which Estonia was a firm advocate in the EU, proceeds from the same approach – the focus must lie on services needed for the functioning of essential societal or economic activities. These services are in the scope of application of the new Estonian Cyber Security Act, which transposes the NIS Directive into national law.

A study commissioned by RIA in 2016, described in last year’s annual summary, found that provision of all vital services in Estonia depends on power and communication services. Besides the fact that energy or communication service interruptions have a direct impact on other vital services, they also affect the functioning of the work of government institutions. For example, a fault in the power supply equipment at the Pärnu hub of a communication enterprise last year led to an interruption in data communications that impacted services provided by the Ministry of Social Affairs and the Ministry of the Interior. Although an alternative existed, its operation relied on the same device, and for considerations of cost-effectiveness the institutions did not have an agreement for a redundant connection with another communication infrastructure provider. Also a problem was that the importance of the incident for the purpose of the law is determined by how many contractual customers the outage affects. If only the work of one institution – one client – is affected, there is no basis for implementing extraordinary measures, even though there may be many affected persons – the service provider has few options for determining how many there are. It is a similar situation with other government departments and companies, and also with private consumers, which generally have more than one member to a household.


Sectoral cyber threats, incidents and measures for ensuring security

(Table columns: Threats and risks / Incidents in Estonia, 2017 / Resilience and recovery measures)

Energy supply
Threats and risks: Attempts to enter business systems for the purpose of accessing production infrastructure. Spear phishing, including malware download emails for installing backdoor software. Origin: hostile countries. Trend:
Incidents in Estonia, 2017: Remote access to energy supplier technical utility network cut off for a short period due to equipment failure of communication service provider.
Resilience and recovery measures: Improved system monitoring in administrative and production networks, security testing of systems. Segmenting office and production networks.

Communication services
Threats and risks: Service interruptions caused by technological faults and human error. Dependence on external connections. Trend:
Incidents in Estonia, 2017: Recurring service interruptions in communication service provider networks, the largest of which affected close to 80,000 telephone service clients but fortunately occurred at night.
Resilience and recovery measures: Backup solutions and continuity plans.

Media
Threats and risks: Propaganda and reputational attacks via compromising information systems. Trend:
Incidents in Estonia, 2017: File server password leaks.
Resilience and recovery measures: Cyber hygiene. Managing cross-service dependencies.

eID
Threats and risks: Availability of service depends on other (e.g. communications) service providers. Trend:
Incidents in Estonia, 2017: Mobile-ID service interruptions in communication service provider networks; disruptions in availability of the website for downloading ID software.
Resilience and recovery measures: Backup solutions implemented by communications undertakings, managing cross-sector dependencies.

Health care
Threats and risks: Impact of ransomware, phishing and digital support services (digital prescriptions, health insurance information system) on physicians’ work. Trend:
Incidents in Estonia, 2017: Failures in information systems and ransomware cases that among other things disrupted reception of patients at hospitals and made patient data unavailable. See separate section.
Resilience and recovery measures: RIA trainings for raising awareness at hospitals, consolidating IT service and security at primary health care institutions, implementing incident monitoring.

Financial sector
Threats and risks: Attempted financial fraud targeting clients, including forgery of invoices by cybercriminals, phishing for credit and password card data; attempts to manipulate partner banks’ SWIFT system. Cryptocurrencies and platforms. Trend:
Incidents in Estonia, 2017: Short-term interruptions (up to one hour) in the functioning of banks’ card payment and ATM cross-use; disruptions to forwarding of international payments; a DDoS against SEB Bank in Lithuania in May cut off access to SEB Bank websites in all three Baltic states and prevented use of the online banking services.
Resilience and recovery measures: Compared to most other countries, Estonian banks’ clients are better protected due to the use of secure means of authentication (ID card and alternatives), which are the only option for confirming larger transactions. Situational awareness shared among banks and supervisory institutions.

Utility services (district heating, water supply and sewerage)
Threats and risks: Ransomware, service interruptions caused by technical failures and human error; administrative errors. Trend:
Incidents in Estonia, 2017: Ransomware cases; an administration error allowed unauthorized access by outside persons to other clients’ data.
Resilience and recovery measures: Implementation of incident monitoring, backup solutions and continuity plans.

Transport (air traffic, airports, ports, railway traffic, road network)
Threats and risks: Dependence on international information systems and solutions. Trend:
Incidents in Estonia, 2017: Delayed departures of flights due to equipment failure in the passenger service information service.
Resilience and recovery measures: Backup solutions and recovery plans.

Education
Threats and risks: Users have low awareness; lacking security policy and a dearth of employees with the necessary skills. Trend:
Incidents in Estonia, 2017: Increasingly frequent mining of cryptocurrency in schools’ computer networks; leak of user data through a keylogger installed on a vocational school’s computers.
Resilience and recovery measures: Administration requirements for information systems, managing access privileges, cyber hygiene.


Cyber risks in the healthcare sector

Although Estonian healthcare providers escaped major disruptions such as the WannaCry campaign, Estonia’s highly digitalised healthcare sector is extraordinarily dependent on the operational reliability of information systems. Last year, 32 known cyber incidents took place in the Estonian healthcare sector, and ten of these cases had a direct influence on the work of hospitals and general practitioners. A number of the cases were a more extensive service disruption or interruption that impacted many doctors and patients – a system fault in the West Tallinn Central Hospital in January disrupted the hospital information system for hours.⁵⁰ However, in none of these cases were patient medical records leaked to or otherwise acquired by cybercriminals, something that has occurred in dramatic fashion elsewhere in the world.

The service problems last year also included interruptions in the digital prescription centre, insurance registry and Health Insurance Fund services, and one of the cases lasted longer than 24 hours. These incidents pointed to the need to devote more attention to evaluating cyber risks and the systematic organization of information security.

RANSOMWARE CASES AFFECTING GENERAL MEDICAL PRACTICES

Two Estonian primary healthcare centres are also known to have fallen victim to ransomware last year. In both cases, the general practice’s information system was broken into remotely, and ransomware installed which encrypted files containing patient health records.

The first instance was initially believed to involve a server problem. A couple of days later, however, the ransom demand came in: 1.5 bitcoins (then worth 3,420 euros) for unlocking 4,000 encrypted files. The family medicine centre notified us of the incident, and the Health Insurance Fund, Health Board and police were also notified.

Due to the ransomware attack, hard drives had to be replaced in the server, and the operating system re-installed along with the information system used for processing patient data. The encrypted files were rescued but could not be opened, and recovery from backup was not successful due to a technical error. With no other recourse, the medical centre paid the ransom and received decryption keys.

In the other incident, the infection route was, likewise, by remote access to the server. Here, too, the ransom was to be paid in bitcoin, with the amount increasing over time.

Indirectly, the incident affected all 4,300 patients on the centre’s list. Their data – prescriptions written, health certificates, digital health records – were not accessible for a few days. The centre also lost their appointment list. The centre came to an agreement with another wellness centre to help write prescriptions until the problem was solved.

As the most important files were restored from an unencrypted backup on the server, the losses were limited. But payment of the ransom is no guarantee of recovery of data, and it sends a signal to attackers that money can indeed be made in this manner.

Kivimäe healthcare centre GP Karmen Joller on the lessons learnt from the cyber attack

The lesson for us is that we now regularly make backup copies to an external device and certainly also remove it from our computers after making the copy. That is the only good solution for keeping yourself protected.

Upon discovering the incident, we contacted the police and RIA’s emergency response team CERT-EE. A good friend of mine who works in cyber security recommended I contact CERT. I hadn’t heard of CERT before that.

A specific guideline for what action to take for such incidents would be needed. The information could be out in some visible place – just like the emergency telephone number 112 is pasted as a sticker everywhere.

Cooperation with CERT was extremely good. We were in contact for nearly the whole 24 hours, they provided much help. I can’t imagine how we would have managed without them.

Our opinion is that such data should not be physically on file at family medicine centres in the first place – it’s too great a responsibility for GPs. Most GPs don’t realize what risks this involves if a server isn’t up to date or there’s no backup copy. And even if they did, they wouldn’t have the capability or resources to protect the data in a quality manner. This should be done by experts. We don’t let IT guys vaccinate people, so why should GPs be taking care of server firewalls? By law, there’s all sorts of data protection and data security requirements, but compliance is a far more complicated matter.
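In the first ransomware case above the centre had a backup, yet "recovery from backup was not successful due to a technical error", and the GP's lesson is a copy on an external device that is disconnected afterwards. The missing step in both is a rehearsed restore: a backup that has never been restored is an assumption, not a control. The following is an added example, written for this section and not code from RIA, the report or the clinic, of a small backup routine that records a SHA-256 manifest of the copies and a restore check that verifies every file against it. The directory names, file contents and the temporary directory standing in for the external device are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large records do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, backup_dir):
    """Copy every file under source_dir to backup_dir and write a hash manifest.

    The manifest hashes the copies on the backup medium, not the originals, so a
    copy that was written incorrectly is caught the moment the restore is tested.
    """
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    manifest = {}
    for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(source_dir).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_file(dest)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup_dir, restore_dir):
    """Restore every manifest entry into restore_dir; return the entries that fail.

    A missing or altered file is reported instead of silently producing a restore
    that looks complete but cannot be opened.
    """
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    failures = []
    for rel, expected in manifest.items():
        src, dest = backup_dir / rel, restore_dir / rel
        if not src.is_file():
            failures.append(rel)
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        if sha256_file(dest) != expected:
            failures.append(rel)
    return failures


def demo():
    """Constructed scenario: back up two files, test the restore, then corrupt one
    copy on the backup medium and test again. Returns both failure lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        records, disk = root / "records", root / "external_disk"   # constructed paths
        records.mkdir()
        (records / "patients.db").write_bytes(b"constructed patient register contents")
        (records / "appointments.csv").write_text("2017-11-02,09:00,check-up\n")
        make_backup(records, disk)
        clean = verify_restore(disk, root / "restore_test_1")
        (disk / "patients.db").write_bytes(b"bit rot")   # simulate a damaged copy
        broken = verify_restore(disk, root / "restore_test_2")
        return clean, broken


if __name__ == "__main__":
    print(demo())   # ([], ['patients.db'])
```

Run the verification into a scratch directory on a schedule, not only when something has already gone wrong; the point is that a copy which fails its hash is discovered while the originals are still intact. Keeping the manifest on the same medium as the copies is a deliberate choice here: it ties the check to that specific device, which is the one that will be plugged back in after an incident.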


The Cyber Security Act

The purpose of the newly adopted Cyber Security Act is to strengthen the security of services that are essential for society. The Act also sets forth expectations for the networks and information systems used for the functioning of the work of the state and local government institutions. The focus is on prevention and a more effective response to mitigate and prevent deleterious consequences. The law also transposes the EU’s Directive on Security of Network and Information Systems, the NIS Directive.*

What are the implications of the Act?

The legislation consolidates and refines the obligations of essential service providers for providing security of network and information systems. Similarly to the existing regulations, service providers must assess the security of their information systems, cyber risks posing a threat to service continuity, and the impact of realization of the risks on the organization and service users. To manage the risks, necessary and sufficient security measures must be adopted.

In addition, the service provider must monitor its network and keep logs that would make it possible to identify and document vulnerabilities, manipulation attempts and irregularities jeopardizing the operation of the systems. If a cyber incident does occur, the essential service provider must implement the necessary measures to reduce the impact and spread of the incident.

The Act will oblige service providers to notify RIA of significant cyber incidents defined in the law – above all, incidents that have a significant unfavourable impact on others and their health and property.

The option of voluntary notification remains as well and we continue to promote it, as this will give us the best way of early detection of the emergence of threats to Estonian users and of attack campaigns, and will enable us to warn the public and stakeholders at risk – in particular, the essential service providers. We can also provide consultation and assistance for preventing attacks, and suggest measures to be implemented to avoid significant impact.

* Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016. Estonia’s Cyber Security Act was adopted by the Parliament on 9 May 2018.

Security measures in state and local government unit network and information systems

The obligations to ensure the security of network and information systems and to report cyber incidents with significant impact also extend to state and local government units. In essence, these requirements are not new for public sector institutions as they are found in the measures of ISKE, the three-tiered baseline security system applicable to public sector institutions.

Organization of cyber security at the state level

State-level obligations that were governed by several pieces of legislation and their implementing acts are now set forth in a single piece of legislation. RIA is clearly assigned the central role in organizing cyber security, and its competence and functions are defined as follows in the Cyber Security Act:
• coordinating prevention and resolution of cyber incidents within the bounds of law;
• adopting preventive measures and identifying, on the basis of risk assessments, devices and services with security vulnerabilities;
• forwarding threat notifications for preventing and resolving cyber incidents, allowing measures to be taken to prevent or mitigate the impact of the cyber incident.

In accordance with the legislation, RIA is also assigned the function of the cyber incident resolution unit as defined in the NIS Directive. This includes ensuring monitoring of incidents in Estonia, ensuring early warning about risks and incidents and sharing information with partners, and ensuring response to incidents and systematic analysis of risks and incidents. We fulfil the role of international point of contact, being responsible for coordinating cross-border exchange of information and measures taken at the EU level.

Figure: prevention and response under the Cyber Security Act
Prevention
  Service providers: security measures; system monitoring; security documentation
  Monitoring of .ee address space; threat notification
Response
  Service providers: reporting incidents (to RIA, potential victims); restricting use of or access to system
  Threat notification and guidance; right to request information; restricting use of or access to system (as a measure of last resort)
The cybersecurity law just adopted by Riigikogu sets out cybersecurity requirements for the providers of essential services and clarifies the competences of RIA in reacting to incidents affecting those services.

Performing the obligations imposed on us by the Act requires cooperation with partners in the private and public sector, functional exchange of information and the stipulation of a separate legal basis for this purpose. Along these lines, the law sets forth the powers for resolving incidents and monitoring, and provides for enforcement measures for protection of the public order, including the right to take action against an elevated threat level caused by a cyber incident or to eliminate a legal offence.

For the more effective resolution of cyber incidents that constitute a breach of the public order, the Act entitles RIA to ask communications undertakings for anonymized data regarding network flows that would help to identify the device that is spreading malware and ascertain the targets of the attack. It is important to stress that this is not personal data but rather metadata pertaining to systems and needed for resolving a cyber incident.
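The paragraph above describes flow metadata that lets an incident responder find the device spreading malware and the hosts it reached, without the addresses themselves being handed over. One common way a communications undertaking can prepare such a data set is keyed pseudonymization: every address is replaced by an HMAC token under a key that only the undertaking holds, so the recipient can still count and correlate tokens while the undertaking alone can map a flagged token back to an address. The example below is added here and is not code from RIA, the report or the Act; the record layout, the sample flows and the fan-out threshold are constructed assumptions. Note that this is pseudonymization rather than anonymization in the strict sense: whoever holds the key can re-identify, which is why the key stays with the undertaking.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed flow records as a communications undertaking might hold them
# (source address, destination address, destination port). Not real traffic:
# 192.0.2.10 fans out to several hosts on one port, the others do not.
SAMPLE_RECORDS = [
    ("192.0.2.10", "198.51.100.1", 445),
    ("192.0.2.10", "198.51.100.2", 445),
    ("192.0.2.10", "198.51.100.3", 445),
    ("192.0.2.10", "198.51.100.4", 445),
    ("192.0.2.20", "198.51.100.1", 443),
    ("192.0.2.20", "198.51.100.1", 443),
    ("192.0.2.30", "198.51.100.9", 443),
]


def pseudonym(secret_key, address):
    """Keyed, deterministic token for an address.

    The same address always maps to the same token, so the recipient can still
    count and correlate, but without the key the token cannot be turned back
    into the address. Truncated to 64 bits, which is ample for one data set.
    """
    return hmac.new(secret_key, address.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, secret_key):
    """Replace both addresses in every record; the port is kept as it is."""
    return [(pseudonym(secret_key, src), pseudonym(secret_key, dst), port)
            for src, dst, port in records]


def fan_out_sources(pseudo_records, min_targets=3):
    """Pseudonymous sources that contacted at least min_targets distinct destinations.

    This works purely on the tokens: the analyst never sees an address.
    """
    targets = defaultdict(set)
    for src, dst, _port in pseudo_records:
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def reidentify(secret_key, token, candidate_addresses):
    """Only the key holder can map a flagged token back to one of its own addresses."""
    for address in candidate_addresses:
        if hmac.compare_digest(pseudonym(secret_key, address), token):
            return address
    return None


if __name__ == "__main__":
    key = b"constructed-example-key"   # in practice a per-data-set secret held by the undertaking
    shared = pseudonymize(SAMPLE_RECORDS, key)
    for token, count in fan_out_sources(shared).items():
        print(f"token {token} reached {count} distinct hosts")
```

The key should be generated per data set and discarded once the incident is closed, so that tokens from different requests cannot be joined together later; that single choice is what keeps the shared records at the level of system metadata the report describes.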


Preventing cyber-induced emergency

Alongside simpler and more common cyber threats, a cyber incident may also have an extensive impact on significant societal functions and services, and we must be prepared for these as a state and society. RIA’s obligation to prepare an emergency risk analysis for a cyber incident derives from the Emergency Act. The institution preparing the risk analysis in each field proposes threat scenarios that may escalate into an emergency. On this basis, it puts together a capacity analysis to assess the state’s readiness to prevent the emergency, prepare for an emergency and resolve the situation. Risk analyses are a basis for preparing the emergency resolution plan and planning emergency prevention, readiness and resolution measures, as well as formation of an institutional and state operational reserve.

Photo: Arno Mikkor

The cyber incident risk analysis assesses the risk scenarios for four serious events: disruption of the electronic authentication service, loss or modification of data vital for the functioning of the state, a cyber attack that causes extensive power outages, and interruptions in data services.

The probability of these scenarios is high and the consequences may be very severe. The likelihood is enhanced by the fact that the digital domain is changing and developing rapidly and the level of dependence on information systems is also growing. Estonia has not had an emergency in recent years, yet the risk of an extensive cyber incident is on the rise worldwide and attacker skills are constantly developing. Our digital dependence and the risks involved have grown significantly and we must be aware of them. It is more and more important to invest into the cyber security of our digital baseline infrastructure and assess the risks. Although it is complicated to mount a severe attack and it requires resources and motivation, it is not impossible. If the trustworthiness and international reputation of online elections, the ID card, the X-road or state registers should come under fire, it would have severe and long-lasting consequences.

The state’s readiness to prevent and resolve emergencies caused by a cyber incident has significantly improved over the recent years. Our challenge is still in filling key positions and developing an understanding of the cross-dependencies between key public services, information systems and databases.

The volume of resources directed at ensuring cyber security no longer meets the needs of the developing field, which is why it is important for the Estonian state to increase investments into awareness-raising and the development, testing and security of IT systems already in the service design phase.


Summary: conclusions and assessments for 2018

• There is no such thing as 100% security – readiness matters. 2017 was a good year for Estonia, because we had prepared accordingly – to ensure the security of the EU Presidency and the local elections, to make the digital infrastructure (ID card ecosystem) hardy and robust, and to prevent and be prepared for extensive cyber incidents. The malware campaigns that globally caused great losses ranging into the billions of euros and also posed direct danger to people’s lives and health caused minimal damage in Estonia. We remained a step ahead of the threats thanks to updated systems and efficient and rapid threat notification and information exchange. The malware campaigns of 2017 will not be the last, though. Crippling of medical equipment, hospitals, power plants, airports and vital services will sooner or later result in human casualties. Awareness, readiness and rapid response determine whether Estonia will be hit by the next wave and how successful we will be in minimizing damage.

• Increasingly, state actors are behind the more serious cyber attacks. It is the easiest way for some regimes to leverage their power – they produce a compelling effect while being affordable and offering plausible deniability. Attacks on vital services are a persistent and everyday threat; and multifaceted cyber and propaganda attacks for undermining democratic processes are a particularly simple way to influence foreign governments’ policies. In Estonia, there is great trust in internet voting, and ample know-how and years of experience in regard to ensuring the cyber security of elections. We share our expertise with our partners. In the European Union, we head up cooperation that will result in recommendations being drafted for strengthening cyber security for elections.


• To change the behaviour of countries that mount cyber attacks, there has to be a political and economic cost for such actions. To prevent increasingly brazen and aggressive cyber attacks, democracies must build credible deterrence. This is something that can be created above all through countries that share common values and beliefs working together. One means of deterrence is to state clearly through public or diplomatic channels that the attacker can be identified and has been identified. Yet attribution must also be accompanied by measures with real political and economic consequences, enough to change the calculations of the states who are contemplating whether to mount cyber attacks.

• During the Estonian Presidency, a package of diplomatic measures was developed in the EU for responding to cyber attacks. This allows all of the EU’s single foreign policy measures to be marshalled in response to cyber attacks, from diplomatic steps to economic sanctions. The countermeasures should give pause to any countries organizing cyber attacks and those who support such countries, whether actively or passively.

• The threat of a cyber attack does not depend on whether your data are valuable for the criminals but rather whether your data are valuable to you. Most cyber attacks are unselective with regard to the targets themselves, but simply hunt for vulnerable devices and user accounts. In the case of most of the cyber incidents that occurred in Estonia last year, we can say that the losses could have been forestalled by keeping software updated, making backup copies of all important data and more carefully restricting access to data and devices. Another trend is that cybercriminals are becoming more and more professional: although crude phishing attempts and scams are still seen, the profit motive is leading attackers to put effort into trying to appear plausible. Healthy scepticism and attention to detail will help significantly cut the losses from such cases. If your data are important to you or your business, protect them!

• To improve cyber security at government institutions, we are past talking. Throughout the world, government institutions are prime targets for cyber attacks. Estonian officials have good cyber hygiene, but incidents involving government institutions show that the possibilities of improving cyber security through awareness building have been exhausted and the focus should now be placed on secure architecture, with investments into compliance with requirements and ensuring the existence of information security competence at institutions. The way cyber security is organized at government agencies with limited information security capability and most local government units is a cause for concern. The state must aspire to greater centralization when it comes to organizing cyber security.

• Security is not static. Security vulnerabilities in mainstreamtechnologies are not a one-time shock but endemic to thisenvironment,anditisclearthatattemptswillbemadetoexploitanynewflawsthatemerge.Securitydoesnotendwhenaninfor-mationsystemiscompletedorapieceofequipmentisacquired.Maintainingitmeanscontinualworkandthefirstresponsibilityforthesecurityofadeviceorsystemlieswithitsowner.Theonlykindofeffectivecyberdefenceiscomprehensivedefence–aneffortthateveryonehastocontributeto.

• The Cyber Security Act will bring greater legal clarity but the legislation will not resolve all concerns in the vulnerable sectors.ThenewCyberSecurityActwillbringamorerationalsystemtotheroles,terminologyandresponsibilityinorganizingcybersecurityinEstonia,butbesidesimplementationoftheact,closepartnershipwithstateandprivatesector institutionswillremain important.At thesame time,proceedingson thedraftlegislationhaspointed toanumberof risks that requireatten-tion,suchascybersecurityatEstonianPublicBroadcastingorthe dependency of vital services on service providers outsidethescopeofapplicationoftheAct,andrisksfromcross-borderdependencies .

• In particular, cyber security in the healthcare sector needs more effective support. In a situation where hospitals and family medicine centres process our most sensitive personal data and their work depends largely on the functioning of digital systems, they must not be stranded in a situation where cyber security is competing for resources with healthcare provision. RIA will continue advising healthcare institutions and training employees. At the same time, it is essential that the administrations of institutions also devote attention to cyber security and mitigate the related risks, be it by outsourcing a comprehensive service or by developing cyber security competence at the institutions themselves.
