The e-election taskforce has completed a report which includes 25 proposals for supplementing Estonia’s e-election system, improving its reliability and managing its risks. Minister of Foreign Trade and Information Technology Kaimar Karu said that the report provided a useful overview of the issues surrounding e-elections. “The current e-election system has been in development and use since 2005 already, and, as with any other complex system, it requires continued further development and improvement,” Karu said in a press release on Thursday. The report by the taskforce, which was launched by previous IT minister Kert Kingo (EKRE), will serve as one input in agreeing on further concrete steps in cooperation with other involved ministries and agencies. “The e-election system can definitely be viewed as part of the state’s core infrastructure by now, and its funding and development are an extremely high priority,” he said. “We must continue to be sure that we are using the best technology currently available while also taking into account, to the extent possible, future changes in both cryptography and technology capabilities in general.”
Experts put forward suggestions and recommendations at the second meeting of the e-election working group on Wednesday, commissioned by minister Kert Kingo (EKRE). Over the past month, committee members have submitted 30 suggestions for improvements. At the second meeting suggested proposals were put forward in three areas. Head of the working group Raul Rikk said that firstly more resources should be made available so that several independent auditors can check the processes of e-voting. He said this would increase their credibility in Estonia and around the world. The group is also proposing that the number of people involved in conducting and supervising elections should increase and to raise the number of independent observers at election counts. Rikk said this could be done, for example, by making it obligatory for a representative from each political party to attend the election counts. Experts could also be invited to follow the process or IT students could be encouraged to write reports. These changes would help to increase the number of people in society who have received training in the electoral process and understand the structure of the system, Rikk said.
Minister for Foreign Trade and Information Technology Kert Kingo (EKRE) is convening an e-voting working group for the first time on Thursday. Kingo says that the group’s main aim is to assess the effectiveness of Estonia’s e-voting system in the light of both cybersecurity concerns, and electoral regulations, ERR’s online news in Estonian reports. Tarvi Martens, one of the people behind the e-voting system, has said he regards the move as a political statement. Conservative People’s Party of Estonia (EKRE) members have in the past been critical of e-voting, principally on security issues. For instance, following the 2017 municipal elections, the party mounted an appeal to the Electoral Committee, questioning why the e-vote had gone ahead in October of that year, despite a recently-detected security risk that could have potentially affected up to quarter of a million Estonian ID cards.
Estonia is the first member state in the European Union that might be called Extremely Online. Over the past decade, the Baltic republic of 1.3 million people fully digitized its government services and medical data. More than 30 percent of Estonians voted online in the last elections, and most critical databases don’t have paper backups. To sleep a little better at night, the country has recruited volunteer hackers to respond to the kinds of electronic attacks that have flummoxed the U.S. and other countries in recent years. While many are civilians, these men and women, numbering in the low hundreds, have security clearances and the training to handle such attacks. Their sturdy, bearded commander, Andrus Padar, previously a military reservist and policeman, says the threat is taken as a given: “We have a neighbor that guarantees we will not have a boring life.”
Communications expert Ilmar Raag thinks that Russian meddling in the upcoming general election on 3 March is unlikely, not least because the situation in Estonia is stable, and even a large-scale disinformation effort wouldn’t change much. In a piece for weekly Eesti Ekspress (link in Estonian), Mr Raag writes that given the current political situation and support of political parties in Estonia, Russia is unlikely to make an attempt at influencing the outcome of the 3 March general election—simply because it doesn’t stand to gain much. For a serious attempt at influencing political opinion in Estonia, the main means at the disposal of the Russian state services is the repetition of whatever story they carry. In practice, this would mean at least five major stories about Estonia on Russian state TV, which at the moment isn’t happening.
President Kersti Kaljulaid signed into action the go ahead for the general election in Estonia, due on 3 March 2019. Whilst the date of 3 March has long been talked about, according to § 78 (3) of the Estonian constitution, the president ”calls regular elections of the Riigikogu..” (official English translation), so the move was necessary to make the date official. The deadline for so doing was Sunday, 2 December. Ms Kaljulaid also made a speech at an event in the eastern Estonian town of Jõhvi, giving practical advice and setting out her views on the importance of democratic behaviour.
Tallinn Administrative Court on Thursday rejected an appeal by ID card manufacturer Gemalto AG against Estonia’s Police and Border Guard Board (PPA), which will allow the latter to continue with preparations for the manufacture of new electronic ID cards. “Today’s decision by Tallinn Administrative Court not to satisfy the complaint of Gemalto AG regarding the procurement procedure for the contract to manufacture ID cards means certainty for the PPA that we can move forward with preparations for the fulfilment of the agreement on the manufacture of ID-cards concluded in spring,” said Margit Ratnik, head of the Development Department of the PPA. The police authority is planning to begin issuing electronic ID cards with new security elements and a new design, manufactured by the company Idemia, in fall 2018.
Estonia, where citizens use their digital identity to get access to government services online, has identified a security flaw in 760,000 digital ID cards. Estonia shut down access to online services last weekend due to an encryption vulnerability in the chips of affected smartcards. The security issue was first identified in September, and plagues other cards, chips and systems made by the card manufacturer. While the manufacturer has resolved the problem last month, Estonian owners of affected cards still needed to apply for updated certificates. Police stations and other government offices were packed with citizens trying to update their IDs, mostly due to the fact that the online service for updates kept crashing last week.
For the past two and a half months, Estonia has been facing the biggest security crisis since a wave of cyberattacks hit its banks and critical national infrastructure in 2007. At the heart of the current debacle is the latest version of its national ID card, which has been a mandatory identification document for citizens of Estonia since 2002 and serves as a cornerstone of Estonia’s e-state. The hardware behind the ID cards was found to be vulnerable to attacks, which could theoretically have led to identity thefts of Estonian citizens and also e-residents, something which its government has denied occurring.
Estonia has suspended its digital ID cards for residents and overseas “e-residents” after discovering a security flaw that could lead to identity theft. It is estimated that about 760,000 people in Estonia were affected, or about half of the nation’s population. According to Reuters, the eID chip was manufactured by German semiconductor manufacturer Infineon Technologies. For security reasons, Estonian authorities immediately blocked access to the digital services of the eID card until owners can update to a new security certificate, the Hong Kong Economic Journal reported. They have until March 2018 to do so.
Estonia has frozen the digital ID cards for its popular e-residency programme, two months after discovering a major security flaw that could enable identity theft. The ID cards are used by Estonian citizens and foreign “e-residents” and underpin services like banking, online voting, tax, medical records, and travel. The e-residency programme is also popular with British entrepreneurs who want to set up their company within the EU, particularly after the Brexit vote. According to Wired, more than 1,000 UK entrepreneurs have applied for the programme so far.
Estonia’s residents use their mandatory national IDs to access pretty much anything, from online banking to online voting. So, it was a huge blow to the program when experts found a security flaw in the chip the ID used that makes it possible for bad players to impersonate and steal the identities of all 760,000 affected individuals. That might not sound like a huge number, but that’s half the small country’s population. Now, the country has blocked most of its residents from accessing all its online services for a weekend, so it can go in and and fix the vulnerability.
Estonia plans to block access to the country’s vaunted online services for 760,000 people from midnight on Friday to fix a security flaw in some of the Baltic country’s identity smartcards that was identified earlier this year. Estonia is seen as a leader in providing government services online and has championed the issue within the European Union in recent years, and the security issue leaves it with its much-touted digital IDs in an awkward position. A nation-wide online identity system allows citizens access to most government and private company services via the web, including banking, school reports, health and pension records, medical prescriptions and voting in government elections. But Estonia’s online ID service ran afoul of an encryption vulnerability identified by researchers earlier this year that exposes smartcards, security tokens and other secure hardware chips made by the German company Infineon.
Estonia: A test case for Russian hacking threat – e-voting grows despite tampering concerns | Global Journalist
Tiny Estonia might seem an unlikely place to see the future of technology. With just 1.3 million people, the country has fewer people than San Diego and is just three decades removed from Soviet rule. But “E-stonia,” as its known, has also brought the world Skype as well as up-and-coming startups like robotics firm Starship Technologies and payments provider TransferWise. Yet Estonia’s technology prowess has also made it something of a laboratory for the dangers of the threats posed by hackers backed by neighboring Russia. In a country where 90 percent use online banking, 95 percent file taxes online and 30 percent cast their ballots from a computer, Estonia is a target-rich environment for cyberattacks. Indeed the NATO-member country is the site of what may have been the world’s first politically-motivated digital attack in 2007. In that year, Estonia angered Russia by relocating a World War II era memorial to Soviet troops. Soon, the networks of government ministries, banks and leading Estonian newspapers went down, the result of a massive and sophisticated botnet attack.
The Supreme Court of Estonia rejected the appeal of the Conservative People’s Party of Estonia (EKRE) of the National Electoral Committee’s Sept. 6 decision not to ban electronic voting at the local government council elections taking place next month. The Supreme Court explained that, according to the Local Government Council Election Act, the National Electoral Committee has the right not to start electronic voting if the security or reliability of the electronic voting system cannot be ensured in such way that electronic voting could be conducted pursuant to the requirements of the act. The National Electoral Committee is not, however, required to cancel e-voting if it receives information indicating the possibility of adverse consequences.
The Conservative People’s Party of Estonia (EKRE) has submitted an appeal to Estonia’s National Electoral Committee challenging the committee’s decision to allow e-voting in the local elections this October despite a detected security risk that could affect 750,000 ID cards.
According to EKRE parliamentary group chairman Martin Helme, the party finds that the Sept. 6 decision of the National Electoral Committee to still allow e-voting in the upcoming elections opens them up to vote manipulation and the influencing of election results, party spokespeople said. The party is seeking to have e-voting called off and the elections to be held with paper ballots exclusively.
Estonia suffered an embarrassing blow to its much-vaunted ID cards that underpin everything from electronic voting to online banking, just days before hosting a big EU exercise on cyber warfare. International scientists have informed Estonian officials that they have found a security risk that affects almost 750,000 ID cards and that would enable a hacker to steal a person’s identity. The Baltic country of just 1.3m people stressed there was no evidence of a hack of what it has proclaimed to be the world’s most advanced IT card system. The cards are used to access a wide range of digital services from signing documents to submitting tax returns and checking medical records, as well as by foreigners who are e-residents in the country.
An international team of researchers has informed the Estonian authorities of a vulnerability potentially affecting digital use of Estonian ID cards issued since October 2014; all the cards issued to e-residents are also affected. On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting the digital use of Estonian ID cards. The possible vulnerability affects a total of almost 750,000 ID-cards issued starting from October 2014, including cards issued to e-residents. The ID-cards issued before 16 October 2014 use a different chip and are not affected. Mobile-IDs are also not impacted. … In the light of current events, some Estonian politicians called to postpone the upcoming local elections, due to take place on 16 October. In Estonia, approximately 35% of the voters use digital identity to vote online.
Last Thursday, Estonia’s Information System Authority (RIA) was informed by an international group of researchers that a potential security risk had been detected affecting all national ID cards issued in Estonia after October 2014. Estonian experts have determined that the potential risk does indeed exist, affecting 750,000 currently valid ID cards issued after Oct. 17, 2014. ID cards issued prior to this date use a different chip and are unaffected by this risk. Likewise unaffected is the SIM card-based Mobile-ID system, which the government is recommending people sign up for.
A total of 143 election coalitions across Estonia have applied for registration ahead of the local government council elections this fall. “The number of election coalitions may not be final, as if, for example, an election coalition does not include a single candidate’s name, the coalition will not be registered,” explained State Electoral Office director Priit Vinkel.
Estonia, the only country in the world where voters elect their leaders through online balloting, is taking steps to fend off potential hacking attacks as cyber-security fears intensify. A software overhaul for the system, introduced in 2005, is ready for testing before local elections in October, according to Tarvi Martens, the National Electoral Committee’s head of e-voting. The upgrade includes anti-tampering features known as end-to-end verifiability that addresses security concerns from groups such as the Organization for Security and Cooperation in Europe, he said. “End-to-end verifiability is the ‘Holy Grail’ for electronic voting,” Martens said this month in a phone interview. “When we talk about international criticism, the new software now addresses it.”
Estonia: 10 Years After the Landmark Attack on Estonia, Is the World Better Prepared for Cyber Threats? | Foreign Policy
The Estonians just wanted to relocate a statue. Ten years ago today, authorities in Tallinn set out to remove a Soviet World War II memorial from the capital’s downtown. The Russian government had warned that removing the statue would be “disastrous for Estonians,” but since Moscow no longer called the shots in the Baltic state, the statue was duly shipped off to a suburban military cemetery. Soon after, Estonians found that they couldn’t use much of the internet. They couldn’t access newspapers online, or government websites. Bank accounts were suddenly inaccessible. “It was unheard of, and no one understood what was going on in the beginning,” Toomas Hendrik Ilves, then Estonian President, told Foreign Policy. Soon, he was informed that it was not an internal failure — but an attack from the outside. It was a Distributed Denial of Service Attack — an orchestrated swarm of internet traffic that literally swamps servers and shuts down websites for hours or days.
Blockchain technology can safely be used to authenticate e-voting by shareholders at a company’s annual general meeting, Nasdaq said this week, following a pilot project in Estonia. … Voting security experts in the U.S. were skeptical about the pilot project’s wider applicability, especially with regard to national elections. “Blockchain solves a small part of the overall set of problems [with e-voting], but nowhere near all,” said Pamela Smith, president of election integrity advocacy group Verified Voting. “If you have a boat with many leaks, plugging one of them should not make you assume the others won’t swamp you,” she told CyberScoop via email.
Long before Moscow became the prime suspect in the Democratic National Committee data breach, hackers tied to the Russian government have sought to sew political discord via the internet. Most notably, many experts believe that in 2007 Russian operatives unleashed a series of devastating cyberattacks on neighboring Estonia following a dispute with Moscow over a Soviet-era war memorial. At the time, Estonia had the world’s most connected society, giving attackers plenty of targets. They succeeded in taking down government computers, banks, and newspaper sites, trying to paralyze the “e-way of life” Estonians painstakingly crafted after the Soviet Union dissolved in 1991. And now, as a growing number of digital attacks hit countries’ most critical systems, from hospitals to electric utilities to voting infrastructure, Estonia has become a critical voice and an important model when it comes to preparing for escalating conflict in cyberspace.
Estonia’s opposition Center Party has long argued for closer ties with Moscow, but presidential candidate Mailis Reps has broken with that tradition, declaring herself “no friend of Russia.” In the shadow of Moscow’s aggression in Crimea and eastern Ukraine, the largely symbolic Estonian presidency has gained weight partly thanks to incumbent Toomas Hendrik Ilves’ strong arguments for the European Union and NATO to stand by Estonia and its Baltic neighbors. On August 29, the 101 members of Estonia’s parliament gather to vote for a new president. As it is unlikely to produce a clear two-thirds majority for any of the three declared candidates, a 335-strong electoral college of MPs and local leaders will likely be summoned in September to make the choice. According to a poll of MPs for the daily Postimees, the two leading contenders would be former prime minister and European commissioner Siim Kallas and Reps of the Center Party — and relations with Russia would be at the center of the debate.
Fearful of Russian cyber attack or invasion, the Baltic state of Estonia is planning to make a virtual copy of itself — in Britain.
Negotiations are under way between Tallinn and London for Estonia to back up terabytes of data — everything from birth records and the electoral roll to property deeds, banking credentials and the entire government bureaucracy — to deposit in a secure location in the UK, according to Estonian officials. Estonia already uses its embassies abroad to house servers to safeguard copies of government files. But amid an escalation of tensions with Moscow and growing concerns about cyber attacks from its eastern neighbour, Tallinn is now planning a far more ambitious set of contingency measures. It is a project that speaks to anxieties in the region, as well as the nature of statehood itself — and war — in an increasingly digitised world. “We have a very aggressive neighbour and we need to be sure that whatever happens to our territory in the future, Estonia can survive,” said Taavi Kotka, the government’s cyber chief. “In Estonia we already vote over the internet, we pay taxes over the internet — there’s almost nothing now we don’t do digitally.”
Estonia: European human rights court accepts appeal of Estonian e-voting critics | The Baltic Course
NGO Ausad Valimised (Honest Elections) connected with the Estonian Center Party announced that European Court of Human Rights (ECHR) accepted their appeal regarding a fine which was imposed on them by the Consumer Protection Board for a campaign which criticized Estonia’s e-elections, informs LETA/BNS. “The European Court of Human Rights decided to accept the appeal of MTU Ausad Valimised regarding a fine which was imposed on the NGO for a campaign that notified about the dangers and risks of e-election, and proposed to the sides a deal according to which the state would have to pay the NGO 9,000 euros,” said member of the NGO’s board Siret Kotka who is also a member of the Center Party board. According to Kotka, it means that the NGO won against the Estonian state.
Narva, an Estonian town on the Russian border, is tired of hearing it is next. “There simply couldn’t be a repeat of Crimea here,” says Vladislav Ponjatovski, head of a local trade union. Mr Ponjatovski, an ethnic Russian, helped launch a Narva autonomy referendum in 1993. Now he would never consider it. Today’s Estonia offers higher living standards and membership of NATO and the European Union. Nobody in Narva longs to be in Ivangorod, the Russian town over the river. The fear that the Kremlin may test NATO by stirring up trouble in the Baltics haunts the West. Britain’s defence secretary, Michael Fallon, says there is already a “real and present danger”. Russia has violated Baltic airspace and harassed ships in the Baltic Sea. Russian agents crossed the border and kidnapped an Estonian intelligence officer last autumn. The new security environment is “not just bad weather, it’s climate change,” says Lieutenant General Riho Terras, head of the Estonian Defence Forces.
Estonia’s prime minister was preparing to form a new government Monday, a day after his ruling Reform Party won parliamentary elections. Taavi Roivas’ center-right group, which includes the Social Democrats, lost seven seats in the vote and now has 45 lawmakers in the 101-seat Parliament, prompting negotiations with smaller parties to form a majority coalition. Roivas met the country’s head of state before discussions with other party leaders. At their meeting, President Toomas Hendrik Ilves suggested forming a broad coalition, saying the small nation of 1.3 million people “needs a responsible and capable government … (to) maintain Estonia’s security, governance and local government reforms.”
Estonians voted Sunday in an election marked by jitters over a militarily resurgent Russia and a popular pro-Kremlin party, with the security conscious centre-left coalition tipped for a return to power. Moscow’s annexation of Crimea last year and its meddling in eastern Ukraine have galvanised the European Union, including this eurozone member of 1.3 million people, a quarter of whom are ethnic Russian. Military manoeuvres by Moscow on Estonia’s border days ahead of the vote further stoked deep concerns in Europe that the Kremlin could attempt to destabilise countries that were in its orbit during Soviet times. NATO is countering the moves by boosting defences on its eastern flank with a spearhead force of 5,000 troops and command centres in six formerly communist members of the Alliance, including one in Estonia.