The Estonian data exchange system, called X-Road, helped Estonia save 1407 years of working time last year alone. This is up from 804 years in 2017 and Cybernetica, the European cyber security company behind the solution, is helping countries across the globe achieve the same.
A myriad of challenges
Work on this started in the late 1990’s and early 2000’s: Estonia faced several challenges in economic development, tackling legacy issues and securing a place in the international community. It was evident that overcoming these difficulties required a forward looking, fast paced government.
However, Estonian public administration databases were in isolation and the data exchange between agencies, ministries and organisations was slow and inefficient. Governmental information systems were not taking advantage of the opportunities the internet presented and suffered from poor connectivity. It was clear that establishing new connections between governmental databases and systems was time-consuming and expensive. Both of these currencies Estonia could not really spare at the time.
And that’s not the final set of challenges. Battles were also held around organizational issues, as many legal entities were responsible for different registers and most of them were developed independently. The registers used various database back ends and had interfaces that weren’t standardized.
Despite all of this, the government still had to function efficiently and offer services to citizens. And since most of the registers contained data that was sensitive (or confidential), security of the system had to be built in by design.
Research and development
The government started to investigate ways to organize the communication between government entities already around 1998 — these seminars and debates led to the X-Road project in 2001.
The Estonian Government’s State Information Systems Department commissioned Cybernetica as part of a joint project (in partnership with Assert) to develop the initial pilot, which was launched in 2001. Cybernetica took the leading role in implementing the data exchange solution and developing the X-Road since.
The company was well suited to take on this challenge, as it had branched out from the Estonian Academy of Sciences and its Institute for Cybernetics in 1997. With a long history of working on the front lines of scientific advancement (the Institute of Cybernetics was founded in 1960), the company was able to deliver a state-of-the-art solution to Estonia by using different technologies under a government setup in a novel way.
In 2001, Arne Ansper concluded a deeper scientific research on the e-State“E-State from a Data Security Perspective.” With this, a model for the e-State architecture and the appropriate legal framework was presented. Thanks to the structure, which has security by design and distributed architecture, the data exchange platform has experienced virtually no downtime since its inception.
The paper concluded:
“… there is no single piece of technology or a solution that would guarantee the success of the e-State implementation project. However, there exist a number of technologies that, when not used, guarantee the failure of the project.”
The data exchange technology that enables governmental interoperabilityis one of those in the latter category (this was also highlighted in a World Bank Development Report written in 2016).
Throughout the years, Cybernetica continued development and improvement of the X-Road in Estonia, with X-Road version 6 being the latest. This version improved the integrity of data exchanged between organisations and introduced additional measures to comply with requirements set by eIDAS. It included support for using qualified certificates to certify digital documents.
In 2012 Cybernetica started a research & development project to develop the basis of the next generation interoperability platform, the UXP (Unified eXchange Platform), the core of which is also used in the X-Road version 6.
With the prototype completed in 2013, the basis of UXP was adopted to build X-Road version 6. Work on version 6 was done from 2014–2015. The R&D was carried out with the aim of other countries across the globe having the opportunity to use this foundational technology and pave the way for a smart and secure digital government.
A major change with the new generation interoperability platform was the opportunity to have shared services between governments. Estonia and Finland have connected their data exchange layers for cross-border data interoperability. Because of significant movement of people between the two countries, this opportunity has direct impact on the well-being of citizens in both nations. Estonia and Finland have started several cross-border public services, primarily in healthcare.
A World Bank Development Report in 2016 highlighted two foundational technologies that enable a secure and smart e-government ecosystem: digital identity and data exchange. Cybernetica has developed solutions for both areas (digital identity; secure data exchange) and the main challenge for governmental data exchange has been how to ensure secure and reliable exchange of mission critical data in an adverse, complex and dynamic environment.
The report, written by Kristjan Vassil from the Institute of Government and Politics at the University of Tartu, goes on to describe some of the characteristics of the X-Road: „ … open design is accompanied by rigid security measures — authentication, multilevel authorization, high-level log processing and monitoring, encrypted and time stamped data traffic — the basic functionalities that are covered within the very structure of X-Road.“
Today, the X-Road in Estonia has connected over 670 institutions and enterprises and over 515 public sector institutions. There are roughly 52 000 organisations as indirect users of X-Road services and over 1600 interfaced information systems.
Over 2700 services can be used via the X-Road.
As a result of developing the X-Road and several other complex systems for the Estonian government and its various ministries (such as e-Police, e-Customs, e-Voting), Cybernetica gained invaluable experience in how to build an e-State and develop a digital society.
High security requirements
Secure governmental data exchange is a prerequisite to build seamless services that are used by public servants and citizens. The goal is to have a cross-agency information sharing capability that is effortless so government can offer the best services and be available 24/7. It is one of the fundamental pieces of a functional digital society. And in many cases, the underlying data is used to make decisions with high value and is needed in real time. The nature of personal data that various government bodies use for their services place very high security requirements on the solution.
Security by design therefore is the bedrock of governmental data exchange and several information security principles have been implemented in the data exchange solution.
The CIA Triad is at the heart of information security and is considered a basic building block. It stands for confidentiality, integrity and availability.
The CIA model was in line with what studies indicated in relation to the security requirements of the data exchange solution:
- No third party or intermediary should gain access to the data;
- High value decisions require that the data is accurate and consistent;
- Business processes depend on the infrastructure — there can be no single point of failure or global performance bottleneck.
To achieve confidentiality requirements, all data exchanged over the system is encrypted with a security protocol to create a channel between counterparts. Furthermore, peer to peer data exchange only happens between parties that have reached an agreement to open up their data, which means they communicate directly with each other.
To ensure integrity and evidentiary value, the security server (a local component in the data exchange system) signs all the outgoing messages with the member’s signing key. All of the signed messages are saved to a log that is periodically time-stamped to ensure long-term validity of the signatures. The time-stamped signatures can be extracted from the log and presented to third parties for verification.
A distributed architecture gives the infrastructure high availability with a low number of coordinating services (governing components). Several security mechanisms have been built into the servers to give protection against denial of service (DoS) attacks. Redundancy and load balancing are used for critical components to guarantee continuous functioning of the infrastructure.
Scalability, reliability, non-repudiation, accountability, auditability, to highlight a couple of other principles, have also been built into the data exchange solution to ensure secure and reliable exchange of mission critical data.
Cybernetica’s work in data exchange has gone from Estonia to USA, UK, Japan, Ukraine, Haiti, Namibia, Tunisia, Benin, Greenland to name a few. Development and improvement of the data exchange product, the UXP is a continuous process and there is a clear determination to provide secure data exchange to governments and businesses across the globe.
Greenland — Pitu
In 2019 Cybernetica started deploying the full scale data exchange solution to Greenland. This is approached from a resilient government perspective and with availability in mind. The governing components of the data exchange platform are installed in two sites, including on Azure Cloud.
The modernization of Greenland’s digital government is led by the Agency for Digitization and in the pilot phase, areas like the citizen portal (Sullisivik Portal) as a single window for all e-government functionality were approached. Also, underlining the importance hunting has on the livelihood of the people and economy of Greenland, the Hunters Register was seen as a crucial public service. Other public services that were looked into include Digital Moving, Registries of Medical Practitioners, Digital Post and Digital Patient Journal.
The government of Greenland, Naalakkersuisut established a strong foundation for improving digital government in a strategy document “The digital society — national digitization strategy 2018–2021”. One of the goals was to establish a joint and secure exchange platform for the country’s digital data.
Pitu is the Greenlandic word for the front strap on a dog sled. The front strap creates the link between the dog sled and the dogs. A simple, but absolutely crucial, device that ensures that the dogs’ leads are assembled and secured, so that the musher can steer them in the right direction.
Ukraine — Trembita
Work on Ukraine’s data exchange solution started in 2017. The main challenges in public service delivery were based in transparency and efficiency.
Increasing the capabilities that local municipalities have in delivering e-services to their citizens was an important step towards decentralization in Ukraine. This has been the main goal in the process of creating a data exchange system in Ukraine: strengthening the regions and empowering municipalities with the technical capabilities to offer services online.
Trembita was implemented in close collaboration with the State Agency of Ukraine for e-Government and eGovernance Academy within the support program EGOV4UKRAINE.
The State Agency for e-Governance of Ukraine viewed the implementation of UXP as a key to undertaking a re-engineering of all the administrative processes of the country and acknowledges the system as the chief instrument for reform in several spheres of life.
A significant challenge during the implementation of this project was to modify the Unified eXchange Platform to support Ukrainian cryptographic standards. This required commitment from Cybernetica’s experts in state-of-the-art cryptography and several site visits to ensure a smooth transition of the modified platform.
The trembita is a horn used by Ukrainian highlanders and was a means of communication to bring people together It was used to announce events like weddings, deaths, funerals.
It’s clear that the amount of breached records and loss of data is increasing globally. And this is not happening to ice-cream trucks — some of the most prestigious IT companies in the world have been exploited. Cyber crime is becoming the biggest force threatening business and government — the certainty of future cyber attacks on infrastructure, elections and national security is growing.
If we put the breach of data by the world’s biggest social media platforminto a nation state context, the comparison becomes even more alarming.
And Facebook has the potential to know quite a bit about us (buckle up for this): your name, gender, birthday, phone number, email address, location data, relationship status, work information, income level, education, race/ethnicity, religious views, political views, physical address, facial recognition data, credit card data (if you’ve made purchases on Facebook), IP addresses, your contacts network, your chat conversations, calendar events, search history, browser information, photo and video uploads (including photo metadata), status updates, likes, ads you click, what you’ve hidden from news feed and the devices you use.
With less than 24 hours into the new year, a data breach was reported in Australia, where close to 30 000 Australian civil servants details were stolen.
The affected data contained information about work emails, job titles and work phone numbers. While this is not necessarily the most sensitive information, it is valuable fuel for spam, phishing and social engineering attempts towards public service employees for gaining access to some really sensitive data.
If you’re considering why secure data exchange is so important in the public sector, consider that while companies might potentially lose their value on the stock market over breach of data, countries lose something much more valuable — trust. And that’s not a currency anyone can play around with.
In conclusion, although there is no single solution to this thorny and growing issue, the importance of secure data exchange to nations across the world cannot be overestimated. In Estonia, there are almost no paper documents and certificates that need to be carried from one government agency to another. Instead of relying on documents brought by the citizen, agencies make queries to the source and retrieve the most up to date version of the required information.
The security features of the X-Road in Estonia, the Pitu in Greenland, the Trembita in Ukraine and other developments Cybernetica has done across the globe, guarantee the confidentiality, integrity and availability of data.
Cybernetica is a research and development intensive ICT company that develops and sells mission-critical software systems and products, maritime surveillance and radio communications solutions. Cybernetica has been an active counterpart in developing critical e-Government systems, such as the Estonian X-Road, i-Voting, e-Customs and others. Today Cybernetica delivers its systems to across 35 countries in the world.
As part of its heritage, Cybernetica still focuses on research and development, especially in information security — its stand-alone Institute of Information Security works in collaboration with the top universities from Europe, but also with institutions from the USA and Japan.
Kevin Tammearu is Head of Sales for UXP in the Department of Data Exchange Technologies at Cybernetica.