Estonian Information System Authority Annual Cyber Security Assessment 2018

Contents

Introduction: the state of affairs in Estonia and international cyberspace ...... 3

Key events in 2017 ...... 5
2017 in figures ...... 5
How did the past year stand out? ...... 9
Mitigating the security vulnerability on the Estonian ID card ...... 9
The Estonian Presidency of the Council of the EU ...... 17
Municipal council elections ...... 18

What has changed in the threat landscape? ...... 21
State-sponsored campaigns did not pick their targets ...... 23
Phishing, data leaks, and secure digital identity ...... 26
New password guidelines ...... 27

Sources, actors and motives ...... 31
State-sponsored cyber attacks against vital services ...... 33
Cyber-enabled attacks against democratic processes ...... 35
Attribution and responses to cyber attacks ...... 37
Technological risks ...... 38
What is “strong ” and why is it important? ...... 38

Sectoral cyber risks and preparedness ...... 41
Central government ...... 42
Local governments ...... 45
Essential services ...... 47
Cyber risks in the healthcare sector ...... 50
The Cyber Security Act ...... 52
Preventing cyber-induced emergency ...... 55

Summary: conclusions and assessments for 2018 ...... 57

Estonian Information System Authority: Annual Cyber Security Assessment 2018

Introduction: the state of affairs in Estonia and international cyberspace

Dear reader,

2017 was an unusually eventful year in global cyberspace. campaigns caused havoc around the globe, large data leaks took place, and vulnerabilities were found in technologies thought to be secure, providing fodder for public discussion throughout the year. General awareness of cyber threats grew, as did the realization of the limitations of previous accomplishments. Societies and countries are developing a more mature understanding of the need for substantial efforts to ensure cyber security, going beyond merely the awareness that there is a problem.

For Estonian cyber security, 2017 can be considered a good year. We succeeded in fending off several major challenges, which gave us confidence that we have chosen the right way to protect ourselves in cyberspace, and this instilled courage and provided necessary lessons for moving forward. The most important achievement in this field was undoubtedly the effort to resolve a vulnerability on the Estonian ID card chip. Our response to this ID card crisis, which had a global impact, showed that the image of a successful digital society isn’t just hype but is exemplified by an agile approach and a highly functioning community – companies, research institutions and the state – that are able to work together. In this sense, the rescue effort was a useful crisis in that it was a practical experience and we passed the test – we were able to protect our digital state and society. Use of the ID card and services continued as before the crisis; public confidence in e-services was not shaken. All of our society now has a better understanding of the nature of cyber threats and of their potential impact on our way of life. At the same time, we gained real-life experience of the fact that we all have a role to play in cyber security: ordinary users, service providers and IT infrastructure operators.
All of this means the lessons learnt from the ID card patch effort can be applied to the general protection of our digital way of life. The security vulnerability discovered on the ID card is not the only one of its kind. Last year saw a number of cases, all equally significant, where a flaw was discovered in an established technology. The vulnerability in the WPA2 WiFi protocol discovered last autumn and the flaws affecting the processors of nearly all computers in use today are just a few examples of this phenomenon. Researchers, governments and criminals are all searching for vulnerabilities in commonly used solutions, and it is a fairly safe bet that, proverbially speaking, what is today a secure solution will have to be patched tomorrow.

The WannaCry and NotPetya malware campaigns, which had relatively little direct impact on Estonia, received massive international coverage and underscored one of the most important positive trends last year – the readiness on the part of the international community to attribute cyber-attacks to their perpetrators. The goal of the cyber-attacks orchestrated by North Korea and Russia was not to generate criminal income but to support the political goals of their respective countries. A few years ago, such governmental cyber-attacks went unpunished, but since WannaCry and NotPetya, the first major steps have been taken to hold criminals liable and deter them from any subsequent attacks. In this context, the Cyber Diplomacy Toolbox approved during the Estonian Presidency of the Council of the EU deserves mention, as it provides a means to respond to cyber-attacks by state actors. Also coinciding with the Estonian Presidency, a key upgrade to the European cyber security environment was introduced, receiving a boost from Estonia’s characteristically goal-oriented approach.

Besides all of the above, we also made energetic progress in advancing Estonia’s own cyber security. The most important achievement in this field is perhaps the draft Cyber Security Act, which is currently being deliberated by Parliament.

A large part of our everyday lives depends on digital technology.
We shouldn’t forget that we all help to create cyber security, whether as ordinary users, in administrative or leadership roles, in the political arena or in some other capacity. In addition to providing a readable overview of what is taking place in the cyber sphere, the assessment you are reading looks at how each one of us can make a contribution to Estonia being better protected in cyberspace.

Taimar Peterkop Director General, Estonian Information System Authority

KEY EVENTS IN 2017

2017 in figures

Even though RIA, for the first time, crossed the threshold of 10,000 cyber security cases in Estonia last year, only 122 incidents had a direct impact on a service vital to the functioning of the state and society, and this was the lowest figure in the last three years.

The number of cyber security cases registered in Estonia exceeded 10,000 last year. In 2017, the Estonian Information System Authority (RIA) dealt with a total of 10,923 cyber security cases in Estonian computer and data networks. Of these, 3,162 were considered incidents, which had a direct impact on the confidentiality, integrity or availability of information or systems. The reasons for these events were very different – from equipment failures to human error to malicious activities. As in previous years, the most frequent occurrences involved various web domains and emails that spread malware. Far from all of the incidents could be considered cyber-attacks, and many of the attempted attacks are halted and cause no damage.

From the point of view of Estonian cyber security, services that have a critical impact on the usual functioning of society and people’s sense of security are considered the most important. Last year we had only 122 incidents with a high priority – that had a direct impact on a service vital to the functioning of the state and society – the lowest figure in the last three years. Among services affected were, for instance, use of electronic identification and digital signing in mobile operators’ networks, and healthcare and banking services. More details are provided below.

2017 IN NUMBERS
10,923 cases handled
3,162 cyber incidents
122 high priority incidents

Cases handled in 2017 (compared to 2016)

[Chart: cases and incidents handled per quarter, Q1–Q4, 2017 compared with 2016. Series: Incidents in 2017, Cases in 2017, Incidents in 2016, Cases in 2016. Quarterly values on the chart – cases in 2017: 3147, 2963, 2463, 2350 (total 10,923); cases in 2016: 2609, 2361, 2208, 1987; incidents in 2017: 943, 818, 726, 675 (total 3,162); incidents in 2016: 618, 598, 517, 515.]

Incidents handled by category (2017)

• Malware (61%)
• Compromise (11%)
• Ransomware (8%)
• Phishing (6%)
• Service interruption (6%)
• Defacement (4%)
• Administration error (3%)
• DDoS (1%)
• Financial fraud (0%)
• Scanning and brute force attacks (0%)
• Data leak (0%)
• Equipment theft (0%)

WHAT IS A CYBER INCIDENT?

A cyber security incident is an event that had a direct impact on the confidentiality, integrity or availability of information or systems. One or more of the three parameters may be impacted and the reason can be human behaviour or a disruption caused by the natural or manmade environment.

Confidentiality refers to how well the data or system is protected against unauthorized access by third parties. Examples of confidentiality incidents are a data leak affecting credit card data or health data, confidential documents or social media account passwords.

Integrity refers to how well data are protected against unauthorized changes or destruction. An integrity incident includes a change made to a prescription in a database or to payment data in a digital invoice sent to a customer.

Availability measures whether a system or data are up and running and functioning as expected. An example of an availability incident is when access is cut off to a website, or a digital service goes down due to a distributed denial of service attack.

Our insight into the cyber domain is constantly improving…

The number of cyber incidents registered in Estonia has been on the rise in recent years. There were several reasons for this. One is the greater importance of the digital environment to society: a wider selection of digital services, more customers and more intensive use of services all mean that organizations are more dependent on the digital environment for organizing everyday activity. The impact of cyber incidents on the organization itself and on society as a whole is thus more and more important. At the same time, it means greater potential gains for the attacker – and indeed, compared to last year, the number of deliberate attacks has increased.

Over the years, our ability to detect incidents has improved – the result of better tools, a more systematic approach to monitoring and more effective cooperation with partners. We are now often able to repel attacks before they reach Estonia and send out public advisories along with instructions on which measures to implement. For years, we have made efforts to make Estonian cyberspace a hostile environment for malicious actors – for example, we have worked with our partners and Estonian service providers to quickly detect and take down phishing websites. As a result, the number of successful phishing incidents in Estonia has decreased significantly.

… yet public awareness and skills are still uneven

The cyber security skills of organizations are also improving – the view that an organization should have an overview of what is going on in its information systems, and readiness to prevent risks and react quickly to them, is gradually spreading upward beyond the IT specialist’s desktop. Incidents that used to be dealt with – or not – by the information system administrators themselves are now noticed at other levels, and information about them reaches us more often. This benefits the information system operators and the state as a whole: we have more operational and integral information about widespread dangers or attack campaigns, which allows us to give early warning to those in the line of fire, and we can also offer expert support and consultation when it comes to correcting information. Improved risk awareness and early detection of attacks help to reduce risks to service continuity and damage arising from potential attacks.

In spite of the improved awareness, it is clear that the level of readiness is very inconsistent from one sector to the next and many incidents still go unnoticed – and they also pose a risk to other service users, not only the system owners. We detected close to half of the cyber incidents registered last year as a result of our own monitoring. The remainder were mainly reported to us by cyber security institutions of foreign countries, Estonian vital service providers and state IT centres. For instance, thanks to the consistent efforts of the Ministry of the Interior’s IT and development centre (SMIT) and good cooperation between SMIT and RIA, the state has an operational overview of events in the internal security field and a response capability; although the systems are critical, only a few incidents have a more serious impact. We still have our work cut out for us in the healthcare sector and among small businesses, where a cyber-attack is usually detected only after major damage has already occurred.

WHAT DOES INCIDENT MONITORING MEAN?

RIA’s incident response department, the Computer Emergency Response Team of Estonia (CERT-EE), monitors network traffic in .ee networks to detect signs of malicious activities. Information about threats, critical vulnerabilities and extensive malware campaigns is received from cooperation partners in Estonia and abroad and from public sources.

The number of cyber incidents is growing worldwide and Estonia is no exception in this regard. The following indicators characterize the previous year internationally:

• The number of incidents worldwide grew by 36 per cent and the number of emails that spread malware grew by one-third.
• The number of distributed denial of service attacks is on the rise – in 2017, over 7.5 million DDoS attacks occurred and the average peak bandwidth of the attacks has nearly doubled over a few years.
• The spread of malware meant for mobile apps is still growing – the number of malware apps has more than doubled over the year and the number of infections disclosed is in the range of several million. The number of smart household devices – continually increasing – also represents a risk.
• Leaks of user information (usernames and passwords) are massive – the 1.1 billion cases recorded in 2016 was twice the number from a year earlier. A database containing the information of 1.4 billion users was leaked on the dark web in late 2017, adding a solid increase to these figures.
• Statistically, it takes the average company 168 days to discover that their information system has been compromised. This time is cut to less than 10% when the company itself monitors its networks.1

How did the past year stand out?

RIA prepared extensively for 2017 – Estonia held the EU Presidency in the second half of the year; local elections took place, with experience of our allies indicating a need for increased vigilance. The resolution of the security vulnerability in the ID card, found in the autumn, became a test of our maturity as a digital society. These events confirmed our conviction that although cyber incidents cannot be fully prevented, good planning and preparedness can prevent them from having a significantly disruptive, crippling impact.

Mitigating the security vulnerability on the Estonian ID card

State-issued digital identity – the Estonian ID card and its derivatives mobile ID and digital ID – is among the pillars of Estonia’s digital ecosystem. The functioning of Estonian digital society is predicated on the digital signature having equal status to handwritten signatures and on the possibility of electronically authenticating oneself. Thus, every risk connected to digital identity is under heightened scrutiny.

On the evening of 30 August, a researcher with the Centre for Research on Cryptography and Security at Masaryk University2 alerted us to a security vulnerability on the chips used on the Estonian ID card. According to the analysis by the research group, the vulnerability, internationally known as ROCA (Return of the Coppersmith Attack), affects RSA cryptographic keypair generation in chips produced by one of the leading manufacturers, Infineon. Over a billion chips used in various products and services were impacted globally, among them chips used on Estonian ID cards issued from autumn 2014, as well as on digital IDs, diplomatic IDs and e-resident cards. Theoretically, the security vulnerability could have allowed the private key (which is used for authentication and signing) to be mathematically calculated from the public key – in theory, making it possible to clone the victim’s cryptographic keys and use them for authentication, sign documents instead of that person, or decrypt documents meant for that person, even without being in physical possession of the card.

Exploiting the vulnerability would not have been easy or inexpensive, and there are no known cases of successful exploitation of the ID card or similar chips. Besides a person’s public key, it would also require significant cryptographic expertise, specific software and significant computing power, estimated to cost up to USD 80,000, going by the prices of Amazon’s cloud computing services (AWS). At the same time, it was evident that, if the certificates remained valid, the risk of exploitation would increase significantly as soon as the methodology used by the research group became public. After initial evaluation of the notification, it was clear to us that the problem needed an urgent fix.

Due to the large number of the digital certificates affected and their broad use in both state and private sector services, revoking the cards would have meant extensive impacts to the availability of and access to digital services – such a step would have disrupted the use of digital healthcare, the Tax and Customs Board’s digital services and the government document exchange platform, as well as financial transactions. Disruption would also have been caused to the working processes in and between government agencies. The security flaw did not affect mobile ID, but mobile ID was used by only slightly more than 100,000 people at that time, and a number of digital services did not support it.

THE ESTONIAN ID CARD: A UNIQUE PLATFORM
• 1,295,844 valid ID cards as of 2018, of which 26,199 are e-residency cards, in a total of 142 countries
• First document signed by ID card – 7 October 2002
• 481 million digital signatures and 658 million authentications – a total of a billion transactions in 15 years
• 747,580 ID cards are used digitally at least once a year; about 42,000 people use their ID card digitally at least 100 times in a three-month period
• Since 2016, RIA is responsible for the digital elements on the ID card. As an identity document, the card remains in the jurisdiction of the Police and Border Guard Board. The certificates for the ID card are issued by SK ID Solutions AS
• The new 2017 Emergency Act specifies authentication by ID card and digital signing as a vital service
• The cryptographic weakness notified in late summer of 2017, which made the ID card theoretically vulnerable, affected close to 800,000 cards issued between 16 October 2014 and 24 October 2017
• The (remote) updating of the ID card – the replacement of the certificates with new ones – became possible on 25 October 2017
• The flawed certificates were suspended on 3 November 2017
• The renewal of the suspended certificates was possible up to 31 March 2018. During that time, 494,000 ID cards were updated – 94% of the cards in digital use – of which 354,000 were updated remotely
• As of the end of 2017, 160,000 people were using mobile ID and 140,000 were using Smart-ID
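Because ROCA leaves a structural trace in the public key alone, operators could triage their certificate inventories without touching private keys. The check below is an added example, not the report's or the research group's code: it uses the public fingerprint property (the modulus reduced modulo each of the first 39 primes lies in the subgroup generated by 65537) and builds its own constructed demo moduli; the helper names and the demo parameters are assumptions.

```python
"""ROCA fingerprint check for RSA public keys (added example, not from the report).

ROCA-affected Infineon keys have primes of the form k*M + (65537^a mod M), where M
is a primorial, so the modulus N satisfies  N mod p in <65537>  (the subgroup
generated by 65537 in Z_p^*) for every small prime p dividing M. A random modulus
fails this for at least one of the 39 primes with overwhelming probability, so the
test triages a certificate inventory from public keys alone; a hit means "key has
the vulnerable structure", not that anyone has factored it.
"""
import random

# First 39 primes (2..167). The smallest primorial the generator uses divides every
# larger one, so residues modulo these primes fingerprint all affected key sizes.
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
          67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
          139, 149, 151, 157, 163, 167]
GENERATOR = 65537
PRIMORIAL = 1
for _p in PRIMES:
    PRIMORIAL *= _p


def residue_subgroup(p):
    """All values 65537^k mod p, i.e. the cyclic subgroup <65537> of Z_p^*."""
    g = GENERATOR % p
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return frozenset(seen)


FINGERPRINT = {p: residue_subgroup(p) for p in PRIMES}


def is_roca_fingerprinted(n):
    """True when N mod p lies in <65537> for every fingerprint prime p."""
    return all(n % p in FINGERPRINT[p] for p in PRIMES)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with a fixed seed: deterministic and adequate for demo sizes."""
    if n < 2:
        return False
    for p in PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0xEE)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start):
    """Smallest probable prime >= start (an ordinary, unstructured prime)."""
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n


def roca_style_prime(bits, a, seed):
    """Constructed prime with the Infineon shape k*M + 65537^a mod M (demo only).

    Real ROCA keys come from the chip; this just builds a prime with the same
    residue structure so the fingerprint can be demonstrated offline."""
    k_lo = (1 << (bits - 1)) // PRIMORIAL + 1   # keeps cand >= 2^(bits-1)
    k_hi = (1 << bits) // PRIMORIAL             # keeps cand <  2^bits
    rng = random.Random(seed)
    while True:
        k = rng.randrange(k_lo, k_hi)
        cand = k * PRIMORIAL + pow(GENERATOR, a, PRIMORIAL)
        if cand.bit_length() == bits and is_probable_prime(cand):
            return cand


def demo():
    """Two constructed 512-bit moduli: ROCA-shaped primes vs. ordinary primes."""
    weak = roca_style_prime(256, 1234, 1) * roca_style_prime(256, 5678, 2)
    ordinary = next_prime(1 << 255) * next_prime((1 << 255) + 10**9)
    return is_roca_fingerprinted(weak), is_roca_fingerprinted(ordinary)


if __name__ == "__main__":
    flagged, clean = demo()
    print("constructed ROCA-shaped modulus flagged:", flagged)  # True
    print("ordinary modulus flagged:", clean)                   # False
```

To scan real certificates, feed the integer modulus of each RSA public key to `is_roca_fingerprinted`; ECC keys, such as those on the replacement Estonian certificates, are out of scope of the test.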

Open risk management on the governmental level: press conference with the prime minister and key officials explaining the vulnerability affecting the Estonian ID card. Photo: Taavi Sepp / Ekspress Meedia

WHAT ELSE DOES THE ROCA SECURITY FLAW AFFECT?

Estonia’s 800,000 ID cards with the security vulnerability in question make up a negligible share of ROCA’s global impact. It is estimated that there are at least 1 billion problem chips in use around the world as firmware or software components and on plastic cards. The Infineon chips that led to the vulnerability in the Estonian ID cards are used in driving licences, passports, access passes and other applications.3

The documents of at least 10 countries were affected. Chips with the same flaw are known to be used in documents used for identification in Slovakia, Austria, Poland, Bulgaria, Kosovo, Italy, Taiwan, Spain, Brazil and Malaysia. In Spain, the vulnerability affected 17 million cards. However, none of these countries has a universal digital ID and therefore they depend less on the cards than does Estonia and have fewer corresponding services.

Trusted platform modules. TPMs are the basis for modern computers’ security architecture. The vulnerability is known to affect at least Lenovo, HP, Toshiba and Fujitsu computers. TPMs are primarily used in enterprise client computers, so home users are generally not impacted. For example, in Microsoft Windows, a TPM protects BitLocker disk encryption and other security mechanisms in the operating system. Microsoft has issued a temporary patch through Windows Update that essentially replaces the TPM with a software solution. Other manufacturers have released similar patches.

Security tokens used for virtual private network (VPN) access, email security and other critical security operations. Of these, at least Gemalto and Yubico products were affected, with Yubico replacing the defective products at its own expense.

It is possible that some payment cards with chips are also vulnerable.

The solution to the situation had to restore the high security of the ID card without damaging the availability of services. In essence, we found ourselves in a race against time in early September, looking for a new secure solution with the Police and Border Guard Board and other partners, and preparing to implement it while knowing full well that sooner or later the certificates at risk would have to be suspended.

The crisis resolution team made the decision early on to be transparent in its public communication and let the public know the facts we knew. This step short-circuited speculation and alternative interpretations and ensured that the working group could focus on finding a solution to the problem itself. Ultimately, it meant that the new solution – based on elliptic curve cryptography (ECC) instead of an RSA library – was available before we needed to suspend the affected certificates. Moreover, user confidence was preserved and electronic services remained available. For example, a record number of internet voters cast votes in the 2017 local elections and the number of transactions performed using ID cards remained at a normal level in the days and weeks that followed. At the same time, use of mobile ID increased significantly.

Besides the broad use of the ID card in society, Estonia is unique in that it offered the possibility of updating certificates remotely – people were able to update their ID card software from any computer connected to the internet and equipped with an ID card reader – as well as the possibility of suspending the affected certificates. As experience showed, other countries facing a similar situation did not have these two possibilities and had to find a way to issue new ID cards or update the existing ones at service outlets. Once the certificates had been revoked, it wasn’t possible to renew them.

TIMELINE OF EVENTS

30 August, 19:35 – A member of an international cryptography research group sends CERT-EE an official notice regarding a security vulnerability associated with Infineon chips that affects Estonian ID cards. The risk lies in a vulnerability of a cryptographic library used in RSA keypair generation.
31 August – RIA’s preliminary assessment confirms the possibility of a security vulnerability. The Police and Border Guard Board (PPA) and the Ministry of Economic Affairs and Communications are notified.
1 September – The minister of economic affairs and communications is briefed on the matter. RIA involves external technical experts (Cybernetica, Nortal) and partners from the government and private sector. The heads of institutions convene for a meeting – a strategic staff is formed.
3 September – The prime minister and other ministers involved hold a meeting. RIA and PPA working groups run through scenarios and assess potential outcomes. Experts determine the primary impacts on services and make recommendations.
4 September – The Government of the Republic holds an extraordinary session. PPA forms a staff that deals with media monitoring, analysis and inquiries from the media; RIA and other government agencies join the staff. Private and public sector stakeholders like banks and telecoms are notified. Public access to the certificate database (LDAP) is closed.
5 September – The prime minister, IT minister, and the directors general of RIA and PPA hold a joint press conference. The public and international partners are notified of the vulnerability. An information gateway is opened at www.id.ee and kept updated, in cooperation between RIA, PPA and SK ID Solutions.
September – Working groups focusing on technical solutions, crisis management, legal aspects and communications meet regularly. As needed, other institutions and other external experts are called on.
5–11 October – Municipal elections are held. The elections see a record participation among internet voters. Those voting over the internet make up 31.7 per cent of all participants – slightly higher than in past elections.
16 October – The global impact of the vulnerability becomes apparent: Microsoft, Google (Chrome OS), Yubico, Gemalto and a number of larger computer manufacturers (Lenovo, Fujitsu) release security reports.
25 October – The issuing of new ID cards that rely on the ECC encryption algorithm begins. The testing period for the online updating of Estonian ID cards begins. Over six days of testing, close to 20,000 ID cards affected by the vulnerability are updated. Everything is functional and the updates are successful.
30 October – The research paper4 on the vulnerability in the RSA encryption library is published.
31 October – Card holders are called on to update their cards. Demand for the service is high, resulting in extensive downtime. Systems stabilise by 2 November. Slovakia revokes 60,000 certificates with the ROCA vulnerability, and the card holders have to apply for new cards.
1 November – Spain revokes its vulnerable cards, a total of 17 million of them.
2 November – The research is presented in full at an academic conference in the US.
3 November – Certificates on a total of 740,000 vulnerable Estonian ID cards are blocked, but the cards can be updated online to make them digitally usable again. In addition, PPA opens additional service outlets that will remain open until the year’s end to provide the update service.
5 November – Service usage statistics show that the suspension of the affected certificates did not result in a drop in the digital use of ID cards. Surprisingly, e-resident activity has even increased.
End of 2017 – A total of 400,000 ID cards have been updated. The number of mobile ID and Smart ID users and their level of activity have increased.
February – At the behest of RIA, a Tallinn University of Technology research group starts assessing the lessons learnt for the state and agencies.
5 February – RIA’s eID domain manager Margus Arm and Kaija Kirch, head of identity management at PPA, receive state decorations.
1 April 2018 – Certificates that have not been updated are revoked and can no longer be used electronically.

LESSONS LEARNED FROM THE ID CARD CASE

The ID card security vulnerability illustrates how much societies depend on fundamental digital infrastructure – in Estonia’s case, the state, entrepreneurs and users were all impacted. Our crisis management efforts underscored the need to review specific processes – among them administration of the ID card, risk assessment and mitigation, as well as inter-agency cooperation. Beyond that, there is a clear need to view the country’s digital architecture and digital governance as a whole. The prospect of further technological risks arising in future will have to be factored in, and although we do keep an attentive eye on technological developments, unexpected eventualities cannot be ruled out. They will require a rapid response. So as not to let a good crisis go to waste, we make a point of seriously evaluating the lessons learnt from the ID card case.

• Dependence and alternative solutions. The ID card is a means of authentication and secure signing for close to 5,000 different public and private sector services. Clearly, in most of these cases, the option of face-to-face authentication and handwritten signatures is no longer an acceptable alternative for society, and thus alternatives to the ID card are, above all, other digital, not physical, solutions – mobile ID, Smart ID and new solutions being developed. Their penetration and readiness to use them in services must increase. We were also saved by the fact that our ID card already had several encryption libraries; this allowed new secure keypairs to be generated on the chip.
• The need for flexible, open architecture poses a challenge for the state’s habitual operating patterns – developing solutions in-house or procuring innovation from the market. Few governments possess the entire necessary skill set; most of the competence lies in the private sector. With globally used technologies, governments cannot fully solve problems inherent in technologies they are merely a customer of. Major international corporations – representing the greatest capacity in providing solutions and services – operate from their own assessment of business risk, and in the case of such a large-scale security vulnerability, a state is just one customer among many. In our case, the online update service gave us flexibility, which allowed the certificates to be suspended pending a later update. This put us in a better position compared to other countries with the same problem.
• Responding to risk. Estonia and Europe have procedures in place for responding to incidents where the impact is already evident. In the case of a theoretical risk where it is hoped to find a solution before the impact is realized, there is no reason to apply such measures, and indeed they would not be appropriate in such a case. Thus, we have to develop similar routines for threats and risks where the impacts are still unrealized.
• Openness. Risks arising from vulnerabilities in fundamental digital infrastructure cannot be managed without the involvement of the stakeholders – including the public and the media – as these risks affect the entire digital ecosystem. That means that, in order to reduce the societal and economic impacts of technology risks, risk management must not only be capable of resolving a complicated technological problem but also be preventive, open and capable of translating the solution into layman’s terms for all of society, in order to respond to the public’s needs.
• Broad-based cooperation between a great range of stakeholders with different roles, expectations and levels of readiness is a sine qua non. A lean government sector should be able to draw on a strong private sector in times of crisis. Hiring additional people in the public sector is not a solution, which is why strengthening our tech industry – above all by means of supporting education and research, to guarantee the existence of knowledge and experts – satisfies the important requirement that they can be called on by the state in times of need.
• A digitally literate society. In today’s digitally dependent society, technological literacy at the individual level (as opposed to offhandedly referring technological issues to an IT department) is now an essential skill. We need more people with multidisciplinary skill sets – those who are simultaneously proficient in both tech and non-tech fields such as economics, public administration or the law.

To draw conclusions and lessons learnt from the ID card case, we have also commissioned an independent study from the Tallinn University of Technology, whose research group will assess the case from the perspective of public administration, technology management and data security and set out its recommendations in spring 2018.

A piece of fake news claiming that Estonian PM Jüri Ratas had expressed support for Catalonian independence found its way on to social media right before the EU Digital Summit in Tallinn.

Prime Minister Ratas opening the Estonian Presidency cybersecurity conference on 14.09.2017. Photo: Karolin Köster

The Estonian Presidency of the Council of the EU

For Estonian civil servants, the greatest challenge in the past year was naturally the Presidency of the Council of the EU, one of the main topics for which was the European Union’s cyber security. For member states who had held the previous EU presidencies, the number of cyber attacks against strategic state and public services and targets increased during this period. Besides that, the Estonian Presidency focused on digital topics, due to which any successful attack against us would have certainly had a broader impact than just our own country and population. Ensuring cyber security during the Presidency required technical preparations, training of officials, developing readiness for threats, and constantly ensuring situational awareness, running through all scenarios at an exercise held in June together with our partner institutions. Fortunately, we were prepared for all developments and the majority of cyber incidents related to the Presidency were of a technical nature (power outages) and human error – discovered and resolved quickly with minimum impact. Besides developments on the home front, Brussels had high expectations that Estonia would advance EU cyber security as a whole. The most important fundamental outcome of the Presidency was the fact that after the Estonian Presidency, there are no longer any bureaucratic obstacles for implementing any of the EU’s common foreign and security policy (CFSP) measures (including restrictive measures) in response to cyber attacks. Led by Estonia, an agreement was reached by member states in Brussels on the relevant procedures.
Now, any foreign government planning, supporting or enabling cyber attacks will have to keep in mind that the world’s most important economic bloc is able to use all of its possible economic and foreign policy tools as a response to malicious cyber activities. Second, a new European Union cybersecurity strategy5 was prepared during our presidency, laying a basis for several major initiatives that could have an enduring impact on the cyber security of the EU as a whole. The most important among them is the proposal for the creation of an EU-wide cyber security certification framework and the plan to create a network of centres of excellence among the EU’s R&D institutions in this field. It is the latter that has great potential to support research developments on the cyber front and thereby incentivize various smaller R&D centres to engage in greater cooperation with each other. Besides developing our own cyber security, it should result in a stronger EU economy and industry. The establishment of the Estonian Information Security Association in late 2017 has a clear importance in that context – it is positioned to become a member of the EU network and will provide a longer-term platform for the development of solutions for ensuring the security of Estonian digital society in cooperation with Estonian businesses. Third, the Estonian Presidency also had a major role in getting the cooperation networks of EU member states’ institutions responsible for cyber security into more active gear on a technical and strategic level. The Estonian Presidency was the one that had to provide the substance for the strategic-level Cooperation Group and the EU’s CSIRTs network’s* daily activities. Flexibility and a focus on getting results – both qualities that have come to be associated with Estonians – helped us lead the EU effectively in this regard. In addition to efforts to implement the NIS Directive, the EU member states’ cyber security institutions started, under the leadership of the director general of RIA, tackling the topics of cyber security of electoral processes and reducing the risks from cross-border dependencies. At the technical level, our hard-working CERT team, its leadership and technical platforms helped the EU-established cooperation network to offer visible added value towards solving the WannaCry and NotPetya incidents.

Municipal council elections

Estonia was the first country in the world to adopt internet voting – for the 2005 general elections. Nine election cycles later, Estonia is still the only country where voters can cast votes online based on the state-issued secure electronic identity at general elections, with the votes having equal status to physical ballots cast on Election Day. While in 2005, fewer than one in 50 voters used the online option, about 12 years later, one in three voted online (31.3 per cent at European Parliament elections and 30.5 per cent at Estonian general elections). At the local elections in autumn 2017, the previous turnout record was surpassed when 31.7 per cent of votes were cast online. Trust in online voting and its perceived and actual security are largely based on Estonia’s extensive, widespread ecosystem of secure digital services. For one thing, people in Estonia are accustomed to using many private and public sector services, from banks to Population Register procedures, and thus they tend to trust other digital services as well. Secondly, secure elections are also made possible by other well-developed digital systems, starting from the Population Register – which is used to draw up voter lists – to the state-issued digital identity, on which internet voting is based. Furthermore, Estonia has chosen a consistent transparency strategy, which means that a large part of the election documents and software source code is public. It is self-evident that in addition to technical measures, the workings of the elections are likewise founded on security.

In light of global developments, the cyber security of election technology was under heightened scrutiny in Estonia as well last year. In the past, the assessment of threats against internet voting has focused above all on the technical risks in the systems. Considering how the risks have changed, a change was made in 2017 to draw up a full risk assessment for e-voting, examining potential politically motivated cyber attacks, possible risks from Estonia’s distributed responsibility model and other fields that potentially could influence the legitimacy of voting. Such a broad-based approach was based on the understanding that the legitimacy of elections depends not only on the security of the technical systems for counting and reporting votes but also on the trust of the whole society in the entire state digital ecosystem. The analysis also mapped systems and solutions on which elections depend.

We have been a partner for the State Electoral Office and the National Electoral Committee in hosting the system for receiving votes cast online and we have taken part in the online voting organizing committee. As new server software was introduced in 2017, we were responsible for the security testing of these systems. Tests were carried out by two companies offering pentesting services, who reported different findings. Likewise, the Estonian Cyber Defence League also tested the online voting solution. The problems found were fixed, yet no test found any critical flaws.

* The EU CSIRTs network consists of the member states’ national cyber incident response units.

[Figure: Use of internet voting at elections since 2005 – number of internet voters and percentage of voters who voted by internet, for KOV 2005, RK 2007, EP 2009, KOV 2009, RK 2011, KOV 2013, EP 2014, RK 2015 and KOV 2017. KOV – municipal council elections, RK – general elections, EP – European Parliament elections]

Typical online voters are no different from typical conventional voters

Acting head of the University of Tartu’s Skytte Institute, senior researcher Mihkel Solvak, comments on the spread of online voting

Discussions on whether online voting methods should be enabled often begin and end with two questions – “who will be using this?” and “who benefits?”. The spread and patterns of online voting in Estonia allow us to answer both questions the same way. In the first three elections with online voting, the so-called i-voters were distinct from typical voters. The former used to be 30-40-year-olds, better educated, more affluent and clearly more digitally literate. As time went on, nearly all of these factors have disappeared, so much that there is no longer any statistically significant difference between i-voters and paper ballot voters in Estonia. In other words, that means i-voting is so widespread in society that typical i-voters are now similar to typical paper voters. The structure of voters is actually the same, and the only change has taken place in the voting method. So who benefits? Ordinary voters who save time by not having to undertake the physical trip to the polling stations.
Besides the above-described activities, CERT-EE’s election task force contributed by tracking network traffic in the online voting infrastructure and keeping an eye out for anomalies such as DDoS attacks. We took part in communication work and planning of communications in the same capacity. The close to 186,000 e-votes counted – an all-time record – showed that trust in online voting remains high and this was not affected by the ROCA vulnerability on the ID card or the “hacking” of elections around the world (for more on this, see the chapter “Sources, actors and motives”).

WHAT HAS CHANGED IN THE THREAT LANDSCAPE?

The majority of the cyber incidents that impacted Estonians and Estonian organizations still involve malware infections. Globally, last year’s most significant cyber incidents included the WannaCry and NotPetya ransomware campaigns, causing losses in the billions of euros. In Estonia, thanks to prevention and timely response, the losses were minimal.

Although cyber incidents can be caused by human behaviour and technological problems or natural events such as storms, about four-fifths in Estonia – 2,500 last year – were caused by intentional activity, i.e. cyber attacks. Next to this figure, administration errors and service downtime due to technical malfunction caused less than 10% of all cyber incidents. Infected devices can be used for various cyber attacks – denial of service attacks, data theft and spreading fake news.6 Increasingly, computing resources of hijacked devices are used for mining cryptocurrency, and toward the end of the year, such incidents were on the rise in Estonia. Most cyber criminals are unselective, looking for vulnerable devices and careless or gullible users. Typically, outdated software is a contributing factor, allowing attackers to exploit a vulnerability. The victim can be the owner of the system or an unsuspecting user, such as a visitor to a website. Poor or non-existent security does not pose a risk solely to the owner; far from it.

THE AVALANCHE BOTNET

Close to one-third of the malware incidents recorded in Estonia last year were due to the Avalanche botnet. Avalanche was active for years, and was used to spread ransomware, and to commit identity theft, bank data theft and attacks on financial institutions. It was also rented out to other criminals for attack campaigns.* The total damage from Avalanche is estimated in the hundreds of millions of euros. The losses for German online banking alone are estimated at about 6 million euros.7 No figure has been placed on the damage caused in Estonia. Although the users of Estonian bank services are believed to be generally better protected thanks to secure means of authentication – the ID card, mobile ID and Smart-ID – widespread risks remain through online retail and other services. An international police operation brought Avalanche to an end in December 2016,8 yet the malware spread by the botnet does not disappear automatically from computers – devices will need to be disinfected to prevent the same infrastructure from being later hijacked and brought to life for new attacks. As this is a long process and many users are not aware that their devices are infected, we work with cyber security agencies of many countries on this issue, and this work is set to continue until at least the end of 2018.9

* https://www.us-cert.gov/ncas/alerts/TA16-336A

Sex offenders stalking victims online

Web constable Maarja Punak says that sex offenders are increasingly turning to the internet to look for their prey. Web constables are receiving more reports of situations where someone has been a victim of bullying or extortion. Young people feel less inhibited online and share personal information and revealing pictures. They do not perceive threats in the cyber world the way they do in real life. “There’s a misconception that ‘anything goes’ because the interaction seems anonymous. Actually, you can never be sure whom you are sharing information with and what your partner’s intentions are. In the worst case, the personal information received is propagated further and a joke that might have seemed innocuous at one point can escalate into an actual offence,” said Punak. Meanwhile, sex offenders go on chat apps and social media to look for their victims and try to obtain pictures or videos of children. In this way, children have been baited into a real meeting or the criminal uses web camera footage to stoke their fantasies.

Last year the police recorded 557 sex crimes, of which close to 300 – more than half – were committed online. This includes sexual harassment and child enticement in various environments. There were 130 cases of child enticement registered, 80 of them in internet environments.

Recommendations from the web constable:
• Don’t disclose your personal data publicly, or share revealing pictures or videos with strangers or casual acquaintances
• Don’t accept friend invitations from users you don’t know
• Review your social media profile settings and make sure only your friends list can see what you post
• Always log out of your accounts after using a public computer or device
• Talk to a person you trust, like your parents, about any concerns
• If you have fallen victim to a crime, contact a web constable or the police

State-sponsored campaigns did not pick their targets

In the spring of 2017, two malware campaigns with disruptive effects were unleashed a month apart, both causing great damage: WannaCry and Petya/NotPetya. By the second week of May, hundreds of thousands of devices had been infected by the WannaCry ransomware, with victims in the medical, banking, telecoms and logistics sectors, as well as major industrial enterprises, across some 150 countries. The most prominent of these may be Spain’s largest telecommunications company, Telefonica, and Renault’s car factories in France, which were forced to stop work for several days.10 One of the biggest victims was the UK’s National Health Service, with over a third of its regional institutions seriously affected by WannaCry. In total, WannaCry affected over 600 healthcare facilities in the United Kingdom; thousands of doctors’ appointments and operations were cancelled, and in five regions, patients were forced to seek emergency help elsewhere.

                     WannaCry            Petya/NotPetya
Global spread        150 countries       65 countries
Infected devices     400 000             20 000
Known damage         4 billion USD       1.2 billion USD
Assumed origin       North Korea         Russian Federation
Damage in Estonia    None                Saint-Gobain Estonia (Ehituse ABC construction supply stores); Kantar Emor market research agency

Photo: pexels.com

Petya/NotPetya appeared in late June and spread via Ukraine-based accounting software to all companies that used this software and installed the update that contained the malware. Appearing at first glance to be another kind of ransomware, it in fact had no ability to decrypt files, and deleted the data in encrypted systems. The attack is believed to have been meant for Ukraine’s institutions and major enterprises, which were the first to become infected. Although its spread was more limited compared to WannaCry (70 percent of victims were in Ukraine), NotPetya’s economic impact was greater, as the attack was meant for business systems.11 It took FedEx’s European subsidiary TNT Express over a month to restore its information systems to normal operations, and the company announced that some of the data lost was permanent.12 Denmark’s Maersk shipping enterprise had to essentially reinstall the entire corporate information system in ten days to recover from the attack – all the software on 4,000 servers and 45,000 workstations. Both Maersk and FedEx estimate the damages at up to 300 million dollars.13 Major victims also included the pharmaceutical company Merck, which was still experiencing significant problems in returning its drug development and production to full capacity two weeks after the event, with drug supplies to some markets also affected.14 For the health and hygiene products giant Reckitt Benckiser, production and supply disruptions stemming from the incident lasted for over two months, and the company says they will significantly affect its annual results.15

REACTION AND CONCLUSIONS

Both the WannaCry and NotPetya campaigns used tools leaked in April from the US National Security Agency to exploit vulnerabilities in Microsoft Windows operating systems.16 Microsoft issued an update in March to protect its users, but unpatched systems remained vulnerable, and since infection did not require any actions from the users, WannaCry spread quickly. An emergency patch was also issued for the Windows XP operating system, which had been officially unsupported since 2014.17 Last fall, Microsoft issued a security update with defence mechanisms against attacks of this type, but it was meant for the Windows 10 operating system, and does not protect other widespread OS types like Windows 7 and Windows 8.1.

There was no impact from WannaCry in Estonia. There were attempts made against some twenty systems, but these were already using a security-patched operating system, so the ransomware did not start. NotPetya caused damage to Saint-Gobain’s Estonian subsidiaries, among them Ehituse ABC, which had to close all of its stores in the country.18 Consultancy Kantar Emor halted the work of its information systems as a precaution, as their parent company’s network had experienced infection.19 Damage prevention was a result of both readiness and rapid response. The lack of impact from those destructive attacks was partly a result of our awareness campaign starting already from 2013 urging people to phase out Windows XP. This campaign successfully resulted in the use of that operating system dropping to below 20 percent in Estonia. Throughout 2016, we had also been paying special attention to improving information security in our healthcare sector. For both the WannaCry and Petya/NotPetya campaigns, we immediately contacted the potentially endangered institutions to notify them of the danger and advised them on systems protection. We also notified the information security managers of state agencies and vital services providers, and issued public warnings and guidelines.20 Although incidents can never be entirely ruled out, the readiness of both systems and people has a significant role to play in preventing or minimizing damage. In the context of the EU Presidency then about to start, we initiated a Europe-wide rapid cooperative response for both WannaCry and NotPetya, involving partners from five member states and the European Network and Information Security Agency ENISA, coordinating and ensuring timely information exchange between the Member States.

WANNACRY AND NOTPETYA AS STATE-SPONSORED ATTACKS

Both of 2017’s major ransomware campaigns damaged businesses, state agencies and individual users indiscriminately, and endangered not only property, but the lives and health of people. Beyond businesses, even more damage was presumably suffered by regular users, and this is almost impossible to tally up. Both campaigns quickly and uncontrollably swelled to a global scale. Even right after the end of WannaCry’s mass spread, some sources pointed to the possibility that Lazarus, a group affiliated with North Korea, might be behind it.21 In November, the UK government and Microsoft issued statements that laid the blame for the WannaCry ransomware wave on North Korea.22 This was followed by an official statement from the US on 19 December, which referred to evidence produced in cooperation between US federal agencies and private enterprises (including Microsoft and cyber security companies) to attribute WannaCry to North Korea. This assessment was based on the fact that the attack’s tools and methods, and the infrastructure used, were consistent with previous North Korean cyber operations.23 The US statement was endorsed by the UK, Australia, New Zealand, and Japan. Suspicions about NotPetya’s origins also came about fairly quickly after the start of its spread. Several sources considered the malware’s signature to be similar to a cyber attack undertaken against Ukraine’s power stations in December 2016.24 Ukraine’s security services say that the gathered facts point towards the attack coming from Russia, with the involvement of its special services.25 The international expert community overwhelmingly believes that the attack’s true purpose was to create the maximum amount of damage, and that the ransom demands were only a cover.26 This February, the governments of the United Kingdom, Denmark, US, Australia and New Zealand laid the blame for NotPetya on the Russian government and military. According to the US statement, this was the most destructive and costly cyber attack in history, causing billions in damages in Europe, Asia and North America.27 The UK statement was also endorsed by the Estonian Ministry of Foreign Affairs, which condemned the cyber attack and called upon Russia to behave responsibly and in accordance with international rules of law in cyberspace.28

Phishing, data leaks, and secure digital identity

Extensive data leaks have become so common around the world that barely a week passes without the international media reporting on one, and no one dares to predict that the situation will improve. 2017’s biggest data leaks include the US Republican National Committee and the credit rating bureau Equifax; the first of these exposed the personal data of some 200 million people (nearly all US voters), while the latter included the credit information of 150 million Americans.29 In Europe, a similar data protection disaster befell the Swedish Department of Transport, where a foreign company was brought in to manage a database that contained information concerning national security, domestic security, and criminal prosecutions; that company then uploaded the information to a public cloud service. The incident led to a government crisis in Sweden, resulting in the replacement of the minister of the interior and the minister of infrastructure.30 Although the causes of these incidents were different – in one case a human error in configuring the database, in another a hopelessly poor corporate data security policy, and in the third, wilfully ignoring security requirements – they all point to similar fundamental flaws both in the service architecture, and in incident readiness and resolution. Estonian state agencies and service providers have not reported any serious data leaks over the past year. The transparent architecture of Estonia’s digital state, the use of secure authentication, and other methods for ensuring the integrity of important data, make data leaks on this scale very difficult to pull off in Estonia; however, risk mitigation still requires continuous effort. Estonian residents do actively use the services of large international vendors, sometimes creating accounts using workplace emails.
At the end of last year, a database of 1.4 billion user identities and passwords in plaintext was published on the dark web; this included 198,000 email addresses on .ee domains, used to create those accounts. Although the database does not make it clear which environment the usernames and passwords leaked from, it does include user information leaked from LinkedIn, MySpace, Twitter, Tumblr, DropBox, Bitcoin forums, Zomato, Gmail, and Yahoo. This included 2,830 email accounts from Estonia’s public sector, and around 2,600 accounts of employees of vital services providers. We notified the information security managers of the affected agencies of the leak, with recommendations to reset the user passwords and educate users on the dangers of password reuse.

The 12 most common passwords among Estonian users (source: CERT-EE33):
1. 123456
2. parool
3. qwerty
4. 123456789
5. lammas
6. 12345
7. minaise
8. maasikas
9. kallis
10. killer
11. armastus
12. lollakas

New password guidelines

The impending death of passwords as an authentication method has been predicted for years. Multi-factor authentication as a secure alternative has been available for a long time in widespread services such as Google and social networks, and its ease of use has improved remarkably over the years. User uptake, however, remains disappointing: although Google has been offering two-factor authentication (2FA) since 2011, less than ten percent of Google users have it configured.31 Estonia’s 15-year experience with ID cards and its alternatives Mobile ID and Smart ID shows better results, but even these are far from universal adoption. For example, to log in to the state services portal Eesti.ee, three out of four visitors will use an ID card or Mobile ID; the rest will log in using a bank link, mostly falling back on code cards. Therefore we still need to talk about passwords in 2018. Last year saw an update to password recommendations that had been in place for 15 years.

NIST, the US standards authority, replaced its 2003 guidelines that described a secure password as a combination of upper- and lowercase letters, numbers, and special characters. The reason for the change is simple: the requirements are too complex, and their effectiveness is questionable.32 The new recommendations place more realistic expectations on users, and emphasize service design to support user data security. The core of the recommendations is simple: the password must be long, and the environment must support multifactor authentication.

RIA GUIDELINES

For users
• Use a passphrase instead of a password.
• Do not reuse a password in different services.
• Replace a device or service’s default (initial) password with a new, secure one.
• If possible, use two-factor authentication (including an ID card, Mobile ID or Smart ID). Prefer an existing two-factor authentication method to registering a user account with a new username and password.
• Get a password manager (better known ones include LastPass, Bitwarden, 1Password, Dashlane and KeePass). This helps to generate a unique strong password for each website, and reduces the risk of endangering several of your user accounts with one password leak.
• If you suspect that your password is known to third parties, even if they are good friends of yours, change the password immediately.

Also see:
USA NIST new password guidelines: https://pages.nist.gov/800-63-3/
UK NCSC recommendations: https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
To generate a unique and memorable password template, you can use https://rabool.eu

For service providers
• Design your service to be secure, and be realistic about the user’s abilities. Instead of requiring the user to invent another original, complex password, enable two-factor authentication in your service.
• From a data security standpoint, it is not reasonable to require a user to create an account to use the service (such as buying from an online store). Consider if this is actually necessary.
• Enable long passwords (passphrases), between 8 and 64 characters, and allow the use of any characters in them.
• Drop the requirements for password complexity – instead of hard-to-remember or superficially complex passwords (such as p@ssw0rD), encourage the user to have long passwords.
• Restrict the use of common weak passwords (such as 123456, password, admin or username) in your system.
• Do not require or offer the use of password hints (such as mother’s maiden name, pet name, etc.) – these are often easy to guess or find out via social media.
• Drop password expiry deadlines, especially if they are short. Assume that a password must be reset only when it is forgotten or leaked or exposed to other persons or cyber criminals.
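As an added example of what the service-provider guidelines look like inside a verifier (this is not RIA's or CERT-EE's code), the following Python check enforces the 8 to 64 character range, allows any character, carries no composition rule, and rejects passwords from a blocklist seeded with the twelve most common Estonian passwords listed above; the leak-digest set, the sample username and the legacy complexity rule are constructed for illustration.

```python
"""Password acceptance check following the RIA / NIST SP 800-63B guidance.

Added example, not RIA's code: length 8-64 with any character allowed, no
composition rules, a blocklist of common and context-specific passwords, and
a lookup against known-leaked credentials. A 2003-style complexity rule is
included only to contrast the two approaches.
"""
import hashlib
import re
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed blocklist: the 12 most common passwords among Estonian users
# listed on this page (source: CERT-EE) plus the generic examples the
# guidelines name. A real deployment would load a far larger list.
COMMON_PASSWORDS = frozenset({
    "123456", "parool", "qwerty", "123456789", "lammas", "12345",
    "minaise", "maasikas", "kallis", "killer", "armastus", "lollakas",
    "password", "admin",
})


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical inputs compare equal
    (NIST SP 800-63B recommends normalizing before comparison)."""
    return unicodedata.normalize("NFKC", secret)


def password_digest(secret: str) -> str:
    """Digest used to look a password up in a leak set without keeping plaintext."""
    return hashlib.sha256(normalize(secret).encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked-credential feed: only digests are kept.
LEAKED_DIGESTS = frozenset({password_digest("Suvi2017!kevad")})


def legacy_complexity_ok(secret: str) -> bool:
    """The 2003-style rule the page says NIST dropped: upper, lower, digit, special."""
    return all(re.search(p, secret)
               for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))


def check_password(candidate: str, username: str = "",
                   leaked_digests: frozenset = LEAKED_DIGESTS) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Deliberately absent, per the guidelines: composition rules, hints, expiry.
    """
    pw = normalize(candidate)
    reasons = []
    # Count code points, so spaces and non-ASCII letters are allowed and count once.
    length = len(pw)
    if length < MIN_LENGTH:
        reasons.append(f"too short ({length} < {MIN_LENGTH})")
    if length > MAX_LENGTH:
        reasons.append(f"too long ({length} > {MAX_LENGTH})")
    folded = pw.casefold()
    if folded in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    # Context-specific check: the guidelines list the username itself as weak;
    # treating it as a forbidden substring is a slightly stricter constructed choice.
    if username and username.casefold() in folded:
        reasons.append("contains the username")
    if password_digest(pw) in leaked_digests:
        reasons.append("appears in a known credential leak")
    return reasons


if __name__ == "__main__":
    for pw in ("lammas sööb maasikat õues", "Parool", "p@ssw0rD", "Suvi2017!kevad"):
        print(f"{pw!r}: new policy -> {check_password(pw) or 'accepted'}; "
              f"legacy rule -> {'passes' if legacy_complexity_ok(pw) else 'fails'}")
```

The Estonian-language passphrase with spaces is accepted by the new policy yet fails the legacy rule, while the short "Parool" is rejected on two counts even though it differs from the blocklist entry only in case.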

Fulfilling GDPR requirements is work- and time-intensive

The EU General Data Protection Regulation will enter into force on 25 May 2018, replacing the current Personal Data Protection Act. Viljar Peep, head of the Estonian Data Protection Inspectorate, gives a short overview of what will change and why. Photo: Estonian Data Protection Inspectorate

What will change with the new regulation?
The principles of data protection remain the same, but the rules are significantly more precise and thorough, and use a risk-based approach. Stricter rules apply to large-scale data processing or sensitive data. If that is the case for you, you definitely need to study the regulation in detail, as fulfilling the rules may require major and time-consuming changes to your organization’s information systems, customer service, or personnel operations. For example, there is now an obligation to assign a Data Protection Officer, keep a register of personal data processing activities, and much more. A company or institution that does not process sensitive data, and has been carefully following data protection rules so far, does not need to make major changes. The biggest substantive change – personal data portability – mostly applies to the private sector. A person may take their digital data from company A and transfer it to company B. The companies ought to review their information systems to ensure that it is possible to transfer the data as quickly and easily as possible.

Why was this regulation introduced?
The reason is the European single market: data needs to move across national borders. If each country has a different regulation, this is difficult to do. This is why the rules are more precise for the private sector, and more wiggle room was left to member states in public sector data processing.

Where should an organization begin?
Public sector agencies, large-scale data processors and major corporations should begin with a comprehensive assessment of their data processing. With an eye to the new data protection legislation, look at your operational processes, information systems, and document templates. State agencies also need to consider the Public Information Act, and specific legislation applicable to them. Corporations definitely need to review data portability: information must be kept in a structured form, in a widely used machine-readable format.


SOURCES, ACTORS AND MOTIVES

Estonia’s most significant cyber threats still originate from (organized) crime and hostile foreign powers. International experience shows that serious cyber incidents are increasingly orchestrated by state actors.

States are increasingly eager to use the opportunities of digital environments not only for traditional intelligence collection, but also for influencing others and strengthening their geopolitical activities. More and more countries are confirming that they are developing offensive cyber capabilities. At the 2016 Warsaw Summit, the NATO allies stated that cyberspace has become a domain of warfare in which NATO must be able to defend itself as effectively as in the air, on land and at sea. Estonia’s national security concept, approved in 2017, envisions that the country will implement cyber security in the same manner and with the same structural solution in times of peace and in times of war, acknowledging that Estonian cyberspace is defensible as long as the state and society participate in its defence together, the necessary competence exists, and society is aware of the threats of the digital environment and is capable of avoiding them as far as possible and reacting when problems arise. In addition to the development of national capabilities, there is an ongoing international debate over which rules apply to states in the cyber sphere. A new edition of one of the most authoritative sources in this area, the manual on international law applicable to cyber operations (the Tallinn Manual 2.0), was published in February 2017 under the lead of the NATO Cooperative Cyber Defence Centre of Excellence.* The manual analyses all forms of state-sponsored cyber operations, from cyber espionage to cyber attacks comparable to armed attack

* Tallinn Manual 2.0 on International Law Applicable to Cyber Operations, http://www.cambridge.org/us/academic/subjects/law/humanitarian-law/tallinn-manual-20-international-law-applicable-cyber-operations-2nd-edition

Estonia will get additional military capability in cyberspace

In August of this year, the Estonian Defence Forces will establish a Cyber Command, which will achieve full readiness over the next few years. Deputy Commander of the Headquarters Support and Signal Battalion, Major Silver Andre, explains the background of the Cyber Command.

The Cyber Command will be tasked with protecting cyberspace within the governance area of the Ministry of Defence. Today, cyberspace military operations are viewed as the fourth domain, alongside land, air and sea. NATO established that officially at the meeting of the Defence Ministers in 2016. There will not be a separate service created within the Defence Forces. The Cyber Command is going to be a structural unit formed on the basis of the Headquarters Support and Signal Battalion, reporting directly to the Commander of the Defence Forces and being part of the NATO network. The tasks will include the improvement of the Defence Forces’ understanding of cyberspace and achieving situational awareness within it, identifying cyber threats and preventing them. There will be readiness to perform various operations in cyberspace both in times of peace and in times of war.

Hostile intelligence and influence activities in cyberspace are an everyday reality. Achieving influence via the information environment is really cost-effective, as sophisticated operations can be conducted from far abroad with minor costs and reasonable security. Crippling a nation that is dependent on IT solutions and badly protected is easier than with conventional warfare. Cyber events and incidents are a constant reality for Estonian digital infrastructure. As a state, we are in a good position in terms of awareness and response, but as far as a military cyber war is concerned, we still have a lot to do. The Cyber Command will number around 300 people in peace time. In addition to information operations (one part of which is cyber operations), it will be responsible for providing ICT services, command support and strategic communication. The new unit will employ both domain experts already working in the Defence Forces, and most definitely specialists from the private sector. The Cyber Command will be physically located in Tallinn, but virtually located where it is needed, when it is needed.

– in the context of the applicable international norms of law, which establish the rights and obligations of states in conducting cyber operations. Despite the rhetoric of the Russian Federation and other like-minded states, it is obvious that cyberspace is not a legal vacuum in which norms do not apply. Despite this, or perhaps because of this, some states continue to attempt to act within the grey area of the rules, and to expand that area.

State-sponsored cyber attacks against vital services

A turning point for the cyber security of vital services was the cyber attack on Ukrainian electricity distribution companies around Christmas 2015, which disrupted their control systems and left customers without power for hours. Suspicion fell on the Russian Federation.34 Since that event, the public has learned of a number of cases in which cyber attacks targeting a critical service were linked to a hostile foreign country.

THE ENERGY SECTOR

In the summer, the US and British media reported an intrusion into the enterprise networks of US energy companies and the information systems of a manufacturer of industrial controllers used in the energy industry.35 Phishing emails were the means of attack, and this foothold was used to gain access to the office networks of at least a dozen companies, including a nuclear plant in Kansas. Persons working for a foreign country are believed to have been responsible for both of these attacks, with Russia being the primary suspect. The same group was linked to attacks in late spring and early summer against energy companies in the US, Ireland and Turkey.36 Similar threats are also salient in Estonia: last year, RIA’s annual cyber security assessment covered an attack against the oil shale company Viru Keemia Grupp (VKG), which provides various vital services in Ida-Viru County.
Although the incidents in the US did not directly impact energy generation or the functioning of energy networks, access to the business network does increase the vulnerability of production systems. Operational systems that run energy production are isolated in a separate network segment, but often they do not use modern security solutions. Attacker access to information processed in the business network about the organization and its risks (correspondence, documentation of infrastructure etc.) makes it possible to plan later attacks.

Last year, the energy, communication and banking sectors were the prime targets for such attacks. During the joint Russian-Belarusian military exercise Zapad 2017 in September, DDoS attacks from Russian and Chinese IP addresses hit the mobile operator’s network in Finland’s Åland Islands, and similar incidents were reported in the UK and the Netherlands.37 The deputy head of the security committee of Latvia’s Parliament later confirmed that a seven-hour outage that hit Latvian mobile networks in late summer was likely caused by Russian military activity on the Baltic Sea.38 Estonia did not report any DDoS attacks in connection with Zapad. Norway, however, did confirm radio interference at the same time, originating from Russia, affecting air traffic and causing GPS malfunctions.39 Similar incidents also occurred during previous Russian Federation military exercises. It is likely that these were not deliberate attacks but side effects: the Russian military was apparently aware of them but does not seem to have tried to avoid them. Experts are also becoming increasingly concerned by North Korea’s growing cyber attack capability. A number of the cyber attacks that hit the banking sector in recent years have been traced back to North Korean cyber groups, led by the Lazarus APT group. In addition to a large-scale case of fraud against the central bank of Bangladesh in 2016, the same group is considered to have been responsible for a long-running campaign against banking sector targets in 31 countries.40 In that campaign, a previously unknown malware variant was served from compromised websites and infected only the devices of visiting users that matched specific parameters (a watering-hole attack).
Among others, Polish commercial banks were infected through the website of the Polish financial supervision authority.41 The main focus of the Lazarus APT has turned to attacks on banks, online gambling platforms, financial software developers and cryptocurrency businesses: they try to manipulate SWIFT interfaces and transaction verification mechanisms, or use malware customized for the target.42 Account data stolen using phishing is used to attack cryptocurrency exchanges and mining services.

Cyber-enabled attacks against democratic processes

Research conducted in 2017, and still ongoing, has given a good idea of how extensively the Russian Federation attacked infor- mation systems related to the US elections in the run-up to the American presidential elections.

Already in the first days of 2017, US intelligence agencies released a report on cyber attacks originating from the Russian Federation’s intelligence services prior to the US presidential elections.43 The basic conclusions of the report indicated that the attacks were organized by the intelligence agencies on instructions from the highest levels. The cyber attacks against the US presidential elections were part of an operation aimed at breaking into the Democratic National Committee’s information systems and stealing internal documents in order to manipulate public sentiment so that a certain candidate would succeed in the election. This was accomplished through a combination of phishing attacks, manipulation and selective leaks of the sensitive information obtained, feeding Russia’s state-sponsored propaganda in the media and on social networks. The conclusions also state that the Russian Federation’s intelligence services gained access to the information systems of electoral committees in several US states, although no proof was found that votes were manipulated in voting devices. It later turned out that attacks had also been attempted against service providers and systems used for collecting votes. This is a good example of how cyberspace is one of the theatres of operations in which hostile countries try to achieve influence over other countries. Cyber attacks against technologies that enable democratic processes are often opportunistic: the goal may not necessarily always be to cripple the functioning of systems or steal data, as the political goals may already be achieved if there are persistent rumours and doubts regarding the legitimacy of the electoral process. Furthermore, as the attacks against the US and French presidential elections in 2016 and 2017 demonstrate, the cyber element is always integrated into a broader approach, and the cyber attacks themselves may take the form of data thefts and leaks and the exploitation of vulnerabilities in electoral systems. Election technology is therefore justifiably under heightened scrutiny, especially since the attacks are often not aimed at the central systems used for elections (lists of voters and candidates, gathering votes, counting votes and publishing results) but rather at the (digital) services connected to them and, above all, at candidates and parties. Although the last of these would not directly affect the flow and execution of the elections themselves, the perceived legitimacy of the elections may still be dealt a blow. Furthermore, most of the “campaign hacks” of recent years were aimed specifically at auxiliary systems and often served the longer-term goals of subsequent information and influence operations. Besides the cyber attacks against the US presidential candidates’ campaigns, Emmanuel Macron’s campaign team announced immediately before the second round of the French presidential elections that there had been a “massive and coordinated” cyber attack involving the release of a large amount of internal correspondence and documents via an environment.44 The leak took place immediately before the pre-election prohibition on political discussion came into force, which prevented the content from being commented on publicly or covered in the media, and thus consigned the interpretations and conspiracy theories to social media networks.
As in the run-up to the US presidential elections, the materials leaked by the attackers were combined with misinformation to sow confusion and doubt.45 Earlier in the campaign, Macron’s team had made repeated reference to attempts to hack into the party leaders’ email accounts, and France and Germany both notified the public months before their elections of a significant increase in cyber attacks against state digital infrastructure. Both countries adopted measures to prevent incidents in connection with the elections, paying more attention to political parties’ awareness of cyber risks and looking for ways of curtailing the spread of fake news on social media.46 Cyber attacks against elections are not a goal in themselves, nor are they the only way for Russia to influence the West through cyberspace. The West also has to contend with direct attacks designed to harm reputations, or aimed at economic or political interests or infrastructure. The likelihood of attacks against infrastructure is low in Estonia, but clearly not non-existent. Judging by the extensive WannaCry and NotPetya malware campaigns, a very likely scenario is one in which an attacker loses control of a cyber attack originally undertaken against a relatively specific target. To keep the Estonian state and society functioning the way people have grown accustomed to, cyber risks must be, and are, taken into account in risk assessments and risk scenarios at the state level. An isolated phenomenon that could be called a pure “IT threat” is seen exceedingly rarely; in most cases, the significance of cyber threats is that they enable or amplify broader risk scenarios.

ATTRIBUTION AND RESPONSES TO CYBER ATTACKS 2017 saw a clear change in that cyber attacks committed by foreign countries are now brought to light and their state origins are often disclosed publicly. The attacks against the US election campaign, WannaCry and NotPetya were decisive in launching this trend. Attributing cyber attacks in international relations is not merely an evaluation of technical evidence; it is also a clear means of signalling that a cyber attack is not considered trivial or an acceptable course of action. In a tense international atmosphere, establishing deterrence against malicious cyber activities is a clear necessity, and attribution has a clear role to play in achieving that. The Framework on a Joint EU Diplomatic Response to Malicious Cyber Activities (the Cyber Diplomacy Toolbox47), finalized during the Estonian Presidency of the Council of the EU, lays the basis for a collective response by EU member states and for the use of all CFSP measures in response to malicious cyber activities. It is therefore quite evident that the importance of the political and legal elements of attribution will increase even further.

Technological risks

All of society depends on the functioning of the so-called fundamental digital infrastructure: the underlying architecture of the internet, internet services and protocols (DNS, BGP etc.) and the Estonian state’s eID and X-road. An extensive disruption of the entire system or a complete interruption of service is highly unlikely, but the possibility of challenges such as the ID card vulnerability discovered last autumn must be taken into account and prepared for. The appearance of a previously unknown critical vulnerability such as Meltdown and Spectre this January, affecting a great many systems and users and necessitating an urgent patch, should be considered a rather probable occurrence on a one-year timescale. Governments (whether defensively or offensively motivated), research institutions and criminals all compete to seek out such vulnerabilities. It must always be taken into account that technology itself is never 100 per cent secure and that its security changes over time.
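Preparing for a flaw like the ID card vulnerability starts with being able to recognise affected keys in one’s own inventory. As an added illustration (my own example, not code from the RIA report or from the card vendor), the block below reproduces the published fingerprint test for RSA moduli produced by the library affected by ROCA (Nemec et al., 2017): an affected modulus N has N mod p equal to some power of 65537 modulo p for every prime p from 3 to 167, because the flawed generator built its primes from powers of 65537 modulo a primorial. The residue sets are computed rather than copied from a table, and the two test values are constructed numbers with and without that residue structure, not real keys. Passing the test is a strong indicator (a random modulus passes with negligible probability); failing at any single prime rules the key out.

```python
"""Added example (not from the RIA report): ROCA fingerprint test for RSA moduli.
Reproduces the published residue check from Nemec et al. (2017): a modulus
generated by the affected library satisfies N mod p in {65537^k mod p}
for every prime p in 3..167."""
from functools import reduce

# Primes 3..167; together with 2 they form the 39-prime primorial the affected
# generator used for 512-bit primes. The residue test is the same for all sizes.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def allowed_residues(p: int) -> frozenset:
    """The subgroup generated by 65537 in Z_p*, i.e. all values 65537^k mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return frozenset(seen)


_RESIDUE_SETS = {p: allowed_residues(p) for p in SMALL_PRIMES}


def failing_primes(n: int) -> list:
    """Primes for which n mod p is NOT a power of 65537; empty means fingerprinted."""
    return [p for p in SMALL_PRIMES if n % p not in _RESIDUE_SETS[p]]


def is_roca_fingerprinted(n: int) -> bool:
    """True if n passes every residue test, i.e. very likely generated by the
    affected library. Checking stops at the first failing prime."""
    return all(n % p in _RESIDUE_SETS[p] for p in SMALL_PRIMES)


# Constructed test values (assumptions for this example, not real keys):
# one number carrying the ROCA residue structure, one ordinary odd number.
PRIMORIAL = reduce(lambda a, b: a * b, SMALL_PRIMES, 2)
CONSTRUCTED_AFFECTED = 12345 * PRIMORIAL + pow(GENERATOR, 777, PRIMORIAL)
CONSTRUCTED_CLEAN = 3 * (2 ** 100 + 1)   # residue 0 mod 3, which 65537^k can never be

if __name__ == "__main__":
    for label, n in (("affected-like", CONSTRUCTED_AFFECTED), ("clean", CONSTRUCTED_CLEAN)):
        print(label, is_roca_fingerprinted(n), failing_primes(n)[:5])
```

To run this against real certificates, extract the public modulus from the certificate (for example with a standard X.509 library) and pass the integer to `is_roca_fingerprinted`. The test identifies affected keys; recovering the private key is a separate, far more expensive computation that this check does not perform.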

What is “strong cryptography” and why is it important? The current public debate around the topic of cryptography and back doors focuses on a choice between state security and surveil- lance vs. privacy. For Estonia, the more fundamental question in the matter is that of trust in the state-backed identity, the basis for our entire digital society’s ecosystem. In essence, cryptography entails mathematical methods for ensuring confidentiality and integrity of data, naturally including authentic and trusted digital identities. As a synonym for trust and security, encryption technologies are the underpinning of the digi- tal state and society. Although in the sense of having a state-issued

WE ARE HELD HOSTAGE BY A MONOCULTURE

The head of RIA’s cyber security division’s research and development department, Kaur Virunurm, warns that the technological environment will not get any better and that we have to get used to coping with that fact.

The world is essentially held hostage by a handful of mega-corporations. Each IT field – chips, operating systems, telephones, services – is dominated by two or three major manufacturers who have near total hegemony in their own technological segment. It’s a global monopoly, too – the same electronics and software is used in the US, Russia and Estonia. Citizens’ and users’ data is also in the hands of the major services (Google, Facebook). In essence, what we have is a monoculture. Apple and Microsoft, AMD and Intel, Google and Amazon are monopolies on which the entire world’s activity depends. Likewise, security flaws simultaneously impact all systems and services, all over the world. Greater influence means security flaws come with greater implications and cost. Since increasingly effective solutions are devised to find the holes, and automation and machine learning are used, vulnerabilities are now being found in older systems, too. The most influential security holes cost millions of dollars on the black market. Finding and sharing vulnerabilities has thus become an industry on its own. The security vulnerability that affected the Estonian ID card (ROCA) is over 10 years old. In summer 2017, WiFi – thus far considered secure – was broken. The origins of this vulnerability are from long ago but it was discovered only now. The security vulnerabilities found in Intel and AMD processors in early 2018 are over 20 years old.

Patching old flaws, however, is expensive and costly. The Spectre/Meltdown patches failed to meet expectations, and made computers sluggish or non-functional. The patch for ROCA required a firmware update and largely went unimplemented. Most older Android phones receive no security updates. The vulnerabilities are amplified by bug traders. In 2016-2017, a group called Shadow Brokers published a major package of exploits (likely from the US intelligence agencies). The WannaCry and NotPetya incidents started from precisely these leaks. There are more such groups, and because they all use the same technology that they attack, they are vulnerable themselves. Thus, one set of groups collect the vulnerabilities, a second faction attacks the first ones, steals and sells their “work”, and a third contingent takes advantage of them, attacking or disrupting the rest. To sum up, we must reluctantly accept that we live in a world where all systems are vulnerable or where today’s secure solution may stand completely ajar tomorrow. We can only hope that as long as there are many security layers protecting us, some of them will hold and stop an attack or allow us to recover from it. If the current conditions persist, there will be no relief in future. Technology and its weaknesses will spread everywhere, even in places where they do not yet exist: the advent of self-driving cars and smart roads, data mining, robotics and artificial intelligence and quantum computing will lead to a society that we scarcely imagine. It is to be feared that the cyber risks of the new world will be worse than those of 2017.

digital identity, Estonia is still quite unique, cryptography-based solutions are in widespread use at the governmental, corporate and individual level. The security of the Estonian state-issued digital identity depends entirely on strong cryptography, meaning that it is objectively possible to have full confidence that a person and their intent match who they seem to be. Impersonation for the purpose of conducting a transaction is ruled out. The entire Estonian digital ecosystem is based on this security. Any back door in a service would break the trust in the digital ecosystem and damage confidence in it. It is important to stress that we are not talking about privacy here, but about the functioning of services. If cryptography is “weak”, services will not function. The same trust is an unwavering foundation for the entire state digital ecosystem and cyber security: if trust in the ecosystem is lost, so is Estonia’s ability to function in its accustomed manner as a state. If digital services are not trustworthy, there must be a return to the physical provision of services. Given our society’s resources, this inevitably means that the quality and volume of public services will decline and the state as a whole will weaken. In today’s world, the possibility of selectively weakening cryptography is disappearing, i.e., cryptography cannot be weakened without compromising digital systems. It is not possible to create a technical means for only selected persons to access encrypted data that would not also create a vulnerability that criminals, terrorists and hostile state actors could exploit. Leaks of data pertaining to vulnerabilities cannot be ruled out even in the case of organizations with very high data security standards, as shown by the information about cyber weapons leaked from two security agencies in the US.
The software market and crime are both fundamentally cross-border phenomena. It is therefore impossible to prevent the development of encryption and communication solutions that are beyond the control of governments. Security for state-issued identities is not a matter of state surveillance versus privacy. It is a question of whether public services function or not, and by extension a much broader question of security for society.

SECTORAL CYBER RISKS AND PREPAREDNESS

2018 will mark ten years since the first Estonian cyber security strategy entered into force. On the whole, it has served us well. That Estonia’s weight in this field rests on more than successful image building or single innovative achievements is demonstrated by the Global Cybersecurity Index compiled by the International Telecommunication Union (ITU) last year,48 which ranks Estonia fifth in the world in its commitment to cyber security. Estonia’s position derives from high scores in all five categories: legal, technical, organizational, capacity building and cooperation. Still, rankings remain a superficial assessment, and it takes more than good preconditions to ensure security. In 2018, Estonia is one of the world’s most digitally dependent countries. The readiness of the state and society to contribute to cyber security currently falls short of that level of dependence.

FUNDAMENTALS OF ESTONIAN CYBER SECURITY
• Cyber security strategy: strategic objectives and definition of roles and responsibilities
• Framework of minimum security requirements: three-tiered baseline security system (ISKE) for state and local governments; risk assessments and continuity plans for vital service providers; security of Estonia’s fundamental digital infrastructure (eID, X-road)
• 24/7 national incident preparedness and response capability (CERT-EE)
• Crisis readiness – integration of cyber security into the comprehensive concept of national security and defence
• Awareness and skills
• Cooperation between government institutions, between the public and private sector, and internationally

RIA’S CYBER SECURITY FOCUS FOR 2017: READINESS AND PREVENTION
• Impact and trend assessments
• Cyber threat warnings issued to
  – the public concerning salient threats and security vulnerabilities
  – vital service providers on a sectoral or trend basis, accompanied by analysis and recommendations
• Prevention and preparedness: planning and exercises
• Cyber hygiene and trainings
• Building a culture of security and cooperation - strengthening Estonia’s cyber security community

Central government

Incidents involving government institutions show that possibili- ties of improving cyber security through awareness building have been exhausted and the focus should be directed at secure archi- tecture and competent personnel.

Globally, government institutions are, along with financial institutions, communications operators and healthcare providers, the most prominent attack targets.49 Of the direct threats facing government institutions, phishing remains the most widespread, but it should be remembered that cyber attacks are often just one component of an attack on public trust in the government as a whole. To keep the Estonian state and society functioning as people are accustomed to, it is very important to take cyber risks into account in all risk assessments and risk scenarios. As noted previously, an isolated phenomenon that could be called an “information technology threat” is seen exceedingly rarely in reality; in most cases, the true significance of cyber threats lies in their enabling or amplifying a broader risk scenario. Estonian government officials have relatively high awareness of cyber security. This has been aided by RIA cyber security trainings during the year prior to the Estonian EU Presidency, which drew close to 1,200 officials. Last spring, we opened the Digitest learning environment where cyber knowledge can be tested and supplemented. Compared to Estonia’s overall incident statistics last year, government institutions saw few malware infections and, for example, no ransomware infections at all. The biggest point of concern for public sector cyber security is service downtime caused by IT equipment failure or human error. These are especially critical in systems on which internal and state security

Thousands of public servants have passed the Digitest course

In spring 2017, RIA and CybExer Technologies launched a digital learning platform meant for government institutions. To date, it has tested thousands of public servants’ cyber knowledge and identified their cyber risks. The programme has been licensed to tens of private and public sector institutions, many universities and authorities and companies from a number of foreign countries who are interested in raising their staff’s cyber security awareness. As, for security reasons, Digitest results are only accessible to the individuals and agencies who have taken the course, it is planned to develop an anonymous and secure mechanism for sharing results that would allow each company or agency to compare themselves to the overall outcomes. In future, we would like to see Digitest used even more broadly in the government sector. Passing the test might even be made obligatory for state and local government officials. To lay a foundation for cyber skills among the new generation, we plan to distribute Digitest in schools to let schoolchildren receive training in cyber hygiene.

Digitest provides risk profiles at the user, organiza- tion and state level. This allows more precise risk management with attention devo- ted to specific weaknesses.

Cyber incidents at government institutions 2017 (share of incidents)
• Service interruption (59%)
• Compromise (18%)
• Malware (8%)
• Administration error (4%)
• Phishing (4%)
• Data leak (2%)
• Defacement (2%)
• Scanning and brute-force attacks (2%)
• DDoS (1%)
• Financial fraud (0%)
• Ransomware (0%)
• Equipment theft (0%)

– police, border guard or rescue services – or people’s life and health depend, such as the Emergency Response Centre (Häirekeskus) or digital prescriptions. Because no other service provider can offer an alternative to state functions, it is extremely important that these services are sufficiently resourced to have functioning backup solutions. Government institutions’ centralised IT centres in particular have succeeded in ensuring better security and continuity: they have proved capable of eliminating service problems and interruptions rapidly and of responding to attacks. Estonian government institutions cannot neglect the fact that their information systems are scanned and probed constantly. We keep a close eye on these activities and notify the institutions of anything out of the ordinary. One example was a series of short, small-scale denial of service attacks in late 2017 against several Estonian government and research institutions. The attacks had no noteworthy impact on the services, but they stood out because of their temporal proximity to each other, their low intensity, and their similar pattern, i.e. traffic in precisely measured intervals. As such activity can be used to prepare later attacks, analysis of such cases is always important, and they should always be reported by email to [email protected].
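The pattern described above, short and low-volume bursts recurring at precisely measured intervals, is exactly what a plain volume threshold misses, because each burst on its own is unremarkable. What gives it away is the regularity of the spacing. The following is an added example written for this page, not RIA or CERT-EE tooling: it reads constructed per-minute flow summaries (the line format and the two target hosts are assumptions), finds bursts relative to each host’s own baseline so that small bursts against quiet hosts still count, and flags hosts whose bursts recur at near-constant spacing.

```python
"""Added example (not RIA code): flag low-volume traffic bursts that recur at
near-constant intervals, from constructed per-minute flow summaries."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev

# Assumed line format for this example: "<UTC timestamp> dst=<host> pkts=<count>"
LINE_RE = re.compile(r"^(\S+) dst=(\S+) pkts=(\d+)$")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(lines):
    """Yield (epoch_seconds, dst, pkts); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), TIME_FMT).replace(tzinfo=timezone.utc)
            yield int(ts.timestamp()), m.group(2), int(m.group(3))


def find_periodic_bursts(lines, burst_factor=10, min_bursts=3, max_jitter=0.1):
    """Return {dst: interval_seconds} for hosts whose bursts recur at an almost
    constant spacing. A burst minute has pkts >= burst_factor * the host's
    median minute, so the threshold adapts to each host's baseline; regularity
    is judged by pstdev/mean of the gaps between burst starts (<= max_jitter)."""
    per_host = defaultdict(list)
    for ts, dst, pkts in parse(lines):
        per_host[dst].append((ts, pkts))
    findings = {}
    for dst, samples in per_host.items():
        samples.sort()
        baseline = median(p for _, p in samples)
        burst_minutes = [ts for ts, p in samples if p >= burst_factor * max(baseline, 1)]
        # consecutive burst minutes belong to one burst: keep only burst start times
        starts = [t for i, t in enumerate(burst_minutes)
                  if i == 0 or t - burst_minutes[i - 1] > 60]
        if len(starts) < min_bursts:
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            findings[dst] = round(mean(gaps))
    return findings


def constructed_sample():
    """Constructed two-hour sample (not real traffic): 10.0.0.5 gets a small
    two-minute burst every 30 minutes; 10.0.0.9 gets larger but irregular spikes."""
    base = datetime(2017, 11, 14, 10, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(120):
        t = (base + timedelta(minutes=minute)).strftime(TIME_FMT)
        pkts_a = 3000 if minute % 30 in (0, 1) else 80
        pkts_b = 9000 if minute in (7, 23, 64, 101) else 120
        lines.append(f"{t} dst=10.0.0.5 pkts={pkts_a}")
        lines.append(f"{t} dst=10.0.0.9 pkts={pkts_b}")
    return lines


if __name__ == "__main__":
    for host, interval in find_periodic_bursts(constructed_sample()).items():
        print(f"{host}: bursts every {interval} s, treat as possible reconnaissance")
```

In the constructed sample only 10.0.0.5 is reported (bursts every 1800 s); 10.0.0.9 receives three times the traffic but its spikes are irregular, so it is left alone. Tune `max_jitter` to the timing precision the logs actually offer; per-minute summaries cannot resolve jitter below a minute.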

Local governments

Compared to the state, local governments still have an uneven level of cyber security.

As local governments are an integral part of the Estonian digital state, weak security on their side creates risks for the state’s central databases. For instance, local governments access the Population Register and central social security databases, which may put sensitive personal data at risk if they neglect cyber security requirements. Local governments have an obligation to implement the ISKE baseline security framework, but many fail to do so. As part of the recent administrative reform in Estonia, the Ministry of Finance has supported the ICT consolidation of local governments and runs a platform which, among other things, assists local governments in developing information systems with security by design in mind. We strongly recommend that all local governments use it. We hold regular information events and seminars for the public sector, in which local governments can also participate. Appointing a person responsible for data security would also significantly improve the situation; only a few local governments in Estonia have done so.

“SECURE HARJU COUNTY” SURVEILLANCE CAMERAS

In autumn 2017, a number of break-ins took place into security cameras installed in four local governments in the context of the Harju Association of Local Governments project, “Secure Harju County”. Unpatched security holes in the cameras and unrestricted access to the devices were exploited. The compromised cameras stopped recording or transmitting footage for several days. Thanks to a notification from a data security employee at one of the municipalities, we learned of the event and sent a warning to other municipalities, public sector data security managers and vital service providers and gave instructions for patching the vulnerability.

Unlike the state, most of the incidents in local governments last year involved malware infections, exploiting outdated software to deface websites or to carry out attacks on website visitors. For example, local government websites were used in 2017 for spamming and phishing for bank data.

Photo: Arno Mikkor

Essential services

The cyber security of society as a whole rests on the private sector, which provides the majority of the (digital) services that keep society functioning normally. While the security of information systems is primarily the responsibility of the system owner, it is the state that must ensure the protection of society as a whole.

Estonia established the obligation to guarantee the cyber security of vital service providers in 2009, when the Emergency Act entered into force. It made vital service providers responsible for assessing the risks to their business continuity – including ones whose cause or expression lies in cyberspace – and for applying measures to ensure continuity. The EU Directive on the Security of Network and Information Systems (NIS Directive), of which Estonia was a firm advocate in the EU, proceeds from the same approach – the focus must lie on services needed for the functioning of essential societal or economic activities. These services are within the scope of application of the new Estonian Cyber Security Act, which transposes the NIS Directive into national law.

A study commissioned by RIA in 2016, described in last year’s annual summary, found that the provision of all vital services in Estonia depends on power and communication services. Besides the fact that energy or communication service interruptions have a direct impact on other vital services, they also affect the functioning of the work of government institutions. For example, a fault in the power supply equipment at the Pärnu hub of a communication enterprise last year led to an interruption in data communications that impacted services provided by the Ministry of Social Affairs and the Ministry of the Interior. Although an alternative existed, its operation relied on the same device, and for considerations of cost-effectiveness the institutions did not have an agreement for a redundant connection with another communication infrastructure provider. Another problem was that the importance of the incident for the purpose of the law is determined by how many contractual customers the outage affects. If only the work of one institution – one client – is affected, there is no basis for implementing extraordinary measures, even though there may be many affected persons – the service provider has few options for determining how many there are. It is a similar situation with other government departments and companies, and also with private consumers, which generally have more than one member to a household.

Sectoral cyber threats, incidents and measures for ensuring security

Energy supply
Threats and risks: Attempts to enter business systems for the purpose of accessing production infrastructure. Spear phishing, including malware download emails for installing backdoor software. Origin: hostile countries.
Incidents in Estonia, 2017: Remote access to an energy supplier’s technical utility network was cut off for a short period due to equipment failure at a communication service provider.
Resilience and recovery measures: Improved system monitoring in administrative and production networks, security testing of systems. Segmenting office and production networks.

Communication services
Threats and risks: Service interruptions caused by technological faults and human error. Dependence on external connections.
Incidents in Estonia, 2017: Recurring service interruptions in communication service provider networks, the largest of which affected close to 80,000 telephone service clients but fortunately occurred at night.
Resilience and recovery measures: Backup solutions and continuity plans.

Media
Threats and risks: Propaganda and reputational attacks via compromising information systems.
Incidents in Estonia, 2017: File server password leaks.
Resilience and recovery measures: Cyber hygiene. Managing cross-service dependencies.

eID
Threats and risks: Availability of the service depends on other (e.g. communications) service providers.
Incidents in Estonia, 2017: Mobile-ID service interruptions in communication service provider networks; disruptions in the availability of the website for downloading ID software.
Resilience and recovery measures: Backup solutions implemented by communications undertakings, managing cross-sector dependencies.

Health care
Threats and risks: Impact of ransomware, phishing and digital support services (digital prescriptions, health insurance information system) on physicians’ work. See separate section.
Incidents in Estonia, 2017: Failures in information systems and ransomware cases that, among other things, disrupted the reception of patients at hospitals and made patient data unavailable.
Resilience and recovery measures: RIA trainings for raising awareness at hospitals, consolidating IT service and security at primary healthcare institutions, implementing incident monitoring.

Financial sector
Threats and risks: Attempted financial fraud targeting clients, including forgery of invoices by cyber criminals, phishing for credit card and password data; attempts to manipulate partner banks’ SWIFT system. Cryptocurrencies and platforms.
Incidents in Estonia, 2017: Short-term interruptions (up to one hour) in the functioning of banks’ card payment and ATM cross-use; disruptions to the forwarding of international payments; a DDoS against SEB Bank in Lithuania in May cut off access to SEB Bank websites in all three Baltic states and prevented use of the online banking services.
Resilience and recovery measures: Compared to most other countries, Estonian banks’ clients are better protected due to the use of secure means of authentication (ID card and alternatives), which are the only option for confirming larger transactions. Situational awareness shared among banks and supervisory institutions.

Utility services (district heating, water supply and sewerage)
Threats and risks: Ransomware, service interruptions caused by technical failures and human error; administrative errors.
Incidents in Estonia, 2017: Ransomware cases; an administration error allowed unauthorized access by outside persons to other clients’ data.
Resilience and recovery measures: Implementation of incident monitoring, backup solutions and continuity plans.

Transport (air traffic, airports, ports, railway traffic, road network)
Threats and risks: Dependence on international information systems and solutions.
Incidents in Estonia, 2017: Delayed departures of flights due to equipment failure in the passenger service information service.
Resilience and recovery measures: Backup solutions and recovery plans.

Education
Threats and risks: Users have low awareness; lacking security policy and a dearth of employees with the necessary skills.
Incidents in Estonia, 2017: Increasingly frequent mining of cryptocurrency in schools’ computer networks; leak of user data through a key logger installed on a vocational school’s computers.
Resilience and recovery measures: Administration requirements for information systems, managing access privileges, cyber hygiene.


Cyber risks in the healthcare sector

Although Estonian healthcare providers escaped major disruptions such as the WannaCry campaign, Estonia’s highly digitalised healthcare sector is extraordinarily dependent on the operational reliability of information systems. Last year, 32 known cyber incidents took place in the Estonian healthcare sector, and ten of these cases had a direct influence on the work of hospitals and general practitioners. A number of the cases were a more extensive service disruption or interruption that impacted many doctors and patients – a system fault in the West Tallinn Central Hospital in January disrupted the hospital information system for hours.[50] However, in none of these cases were patient medical records leaked to or otherwise acquired by cyber criminals, something that has occurred in dramatic fashion elsewhere in the world. The service problems last year also included interruptions in the digital prescription centre, insurance registry and Health Insurance Fund services, and one of the cases lasted longer than 24 hours. These incidents pointed to the need to devote more attention to evaluating cyber risks and the systematic organization of information security.

RANSOMWARE CASES AFFECTING GENERAL MEDICAL PRACTICES

Two Estonian primary healthcare centres are also known to have fallen victim to ransomware last year. In both cases, the general practice’s information system was broken into remotely, and ransomware installed which encrypted files containing patient health records.

The first instance was initially believed to involve a server problem. A couple of days later, however, the ransom demand came in: 1.5 bitcoins (then worth 3,420 euros) for unlocking 4,000 encrypted files. The family medicine centre notified us of the incident and the Health Insurance Fund, Health Board and police were also notified.

Due to the ransomware attack, hard drives had to be replaced in the server, the operating system re-installed along with the information system used for processing patient data. The encrypted files were rescued but could not be opened and recovery from backup was not successful due to a technical error. With no other recourse, the medical centre paid the ransom and received decryption keys.

In the other incident, the infection route was, likewise, by remote access to the server. Here, too, the ransom was to be paid in bitcoin, with the amount increasing over time. Indirectly, the incident affected all 4,300 patients on the centre’s list. Their data – prescriptions written, health certificates, digital health records – were not accessible for a few days. The centre also lost their appointment list. The centre came to agreement with another wellness centre to help write prescriptions until the problem was solved.

As the most important files were restored from an unencrypted backup on the server, the losses were limited. But payment of the ransom is no guarantee of recovery of data and it sends a signal to attackers that money can indeed be made in this manner.
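The first case turned on a backup that could not be restored when it was needed, and that is something a backup routine can check for itself after every run. The Python script below is an added example, not the healthcare centre's or RIA's procedure: it backs up a constructed directory of dummy record files into a tar archive, records a SHA-256 manifest of the originals, restores the archive into a scratch directory and compares every file against the manifest. A deliberately truncated copy of the archive shows how such a failed restore is reported before anyone depends on it. File names, contents and the archive location are all constructed; only the standard library is used.

```python
"""Back up a directory and prove the backup restores.

Added example (not the procedure of any institution named on this page).
A backup that is never test-restored is only a hope; this script makes the
restore test part of the backup run.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src_dir, archive_path):
    """Write a gzip-compressed tar of src_dir; return the manifest taken
    from the live files at backup time (the reference for later checks)."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return manifest(src_dir)


def verify_restore(archive_path, expected):
    """Restore the archive into a scratch directory and compare every file
    hash against the backup-time manifest.

    Returns a list of problems; an empty list means the backup restores
    completely and byte-for-byte. Any failure while unpacking (damaged or
    truncated archive, unreadable media) is reported as a problem rather
    than raised, so the caller always gets a verdict.
    """
    problems = []
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                tar.extractall(scratch)
            restored = manifest(scratch)
            for rel, digest in expected.items():
                if rel not in restored:
                    problems.append(f"missing after restore: {rel}")
                elif restored[rel] != digest:
                    problems.append(f"hash mismatch after restore: {rel}")
    except (tarfile.TarError, OSError, EOFError, ValueError) as exc:
        problems.append(f"archive unreadable: {exc}")
    return problems


def demo(corrupt=False):
    """Constructed run: back up two dummy record files, optionally damage
    the archive, and return the verification result."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "records")
        src.mkdir()
        (src / "patient-0001.txt").write_text("dummy record 1\n")
        (src / "patient-0002.txt").write_text("dummy record 2\n")
        archive = Path(work, "records.tar.gz")
        expected = make_backup(src, archive)
        if corrupt:
            # Simulate the "technical error": truncate the archive in place.
            with open(archive, "r+b") as f:
                f.truncate(os.path.getsize(archive) // 2)
        return verify_restore(archive, expected)


if __name__ == "__main__":
    print("intact archive  :", demo() or "restorable")
    print("damaged archive :", demo(corrupt=True))
```

The manifest should be stored with the backup copy, on the same external device that is then disconnected, so that the same comparison can be repeated from the offline copy alone; an archive that passes this check today still needs to be re-checked after the medium has been moved or aged.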

Kivimäe healthcare centre GP Karmen Joller on the lessons learnt from the cyber attack

The lesson for us is that we now regularly make backup copies to an external device and certainly also remove it from our computers after making the copy. That is the only good solution for keeping yourself protected.

Upon discovering the incident, we contacted the police and RIA’s emergency response team CERT-EE. A good friend of mine who works in cyber security recommended I contact CERT. I hadn’t heard of CERT before that.

A specific guideline for what action to take for such incidents would be needed. The information could be out in some visible place – just like the emergency telephone number 112 is pasted as a sticker everywhere.

Cooperation with CERT was extremely good. We were in contact for nearly the whole 24 hours, they provided much help. I can’t imagine how we would have managed without them.

Our opinion is that such data should not be physically on file at family medicine centres in the first place – it’s too great a responsibility for GPs. Most GPs don’t realize what risks this involves if a server isn’t up to date or there’s no backup copy. And even if they did, they wouldn’t have the capability or resources to protect the data in a quality manner. This should be done by experts. We don’t let IT guys vaccinate people, so why should GPs be taking care of server firewalls? By law, there’s all sorts of data protection and data security requirements, but compliance is a far more complicated matter.

The Cyber Security Act

The purpose of the newly adopted Cyber Security Act is to strengthen the security of services that are essential for society. The Act also sets forth expectations for the networks and information systems used for the functioning of the work of state and local government institutions. The focus is on prevention and a more effective response to mitigate and prevent deleterious consequences. The law also transposes the EU’s Directive on Security of Network and Information Systems, the NIS Directive*.

What are the implications of the Act?

The legislation consolidates and refines the obligations of essential service providers for providing security of network and information systems. Similarly to the existing regulations, service providers must assess the security of their information systems, the cyber risks posing a threat to service continuity, and the impact of realization of the risks on the organization and service users. To manage the risks, necessary and sufficient security measures must be adopted. In addition, the service provider must monitor its network and keep logs that would make it possible to identify and document vulnerabilities, manipulation attempts and irregularities jeopardizing the operation of the systems. If a cyber incident does occur, the essential service provider must implement the necessary measures to reduce the impact and spread of the incident. The Act will oblige service providers to notify RIA of significant cyber incidents defined in the law – above all, incidents that have a significant unfavourable impact on others and their health and property. The option of voluntary notification remains as well and we continue to promote it, as this will give us the best way of early detection of the emergence of threats to Estonian users and of attack campaigns, and will enable us to warn the public and stakeholders at risk – in particular, the essential service providers. We can also provide consultation and assistance for preventing attacks, and suggest measures to be implemented to avoid significant impact.

* Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016. Estonia’s Cyber Security Act was adopted by the Parliament on 9 May 2018.

Prevention and response under the Cyber Security Act

Service providers
Prevention: security measures; system monitoring; security documentation.
Response: reporting incidents (to RIA, potential victims); restricting use of or access to the system.

RIA
Prevention: threat notification and guidance; monitoring of the .ee address space.
Response: right to request information; threat notification; restricting use of or access to the system (as a measure of last resort).

The cybersecurity law just adopted by the Riigikogu sets out cybersecurity requirements for the providers of essential services and clarifies the competences of RIA in reacting to incidents affecting those services.

Security measures in state and local government unit network and information systems

The obligations to ensure the security of network and information systems and to report cyber incidents with significant impact also extend to state and local government units. In essence, these requirements are not new for public sector institutions, as they are found in the measures of ISKE, the three-tiered baseline security system applicable to public sector institutions.

Organization of cyber security at the state level

State-level obligations that were governed by several pieces of legislation and their implementing acts are now set forth in a single piece of legislation. RIA is clearly assigned the central role in organizing cyber security, and its competence and functions are defined as follows in the Cyber Security Act:
• coordinating prevention and resolution of cyber incidents within the bounds of law;
• adopting preventive measures and identifying, on the basis of risk assessments, devices and services with security vulnerabilities;
• forwarding threat notifications for preventing and resolving cyber incidents, allowing measures to be taken to prevent or mitigate the impact of the cyber incident.

In accordance with the legislation, RIA is also assigned the function of the cyber incident resolution unit as defined in the NIS Directive. This includes ensuring monitoring of incidents in Estonia, ensuring early warning about risks and incidents and sharing information with partners, and ensuring response to incidents and systematic analysis of risks and incidents. We fulfil the role of international point of contact, being responsible for coordinating cross-border exchange of information and measures taken at the EU level.

Performing the obligations imposed on us by the Act requires cooperation with partners in the private and public sectors, functional exchange of information and stipulation of a separate legal basis for this purpose. Along these lines, the law sets forth the powers for resolving incidents and monitoring and provides for enforcement measures for protection of the public order, including the right to take action against an elevated threat level caused by a cyber incident or to eliminate a legal offence.

For the more effective resolution of cyber incidents that constitute a breach of the public order, the Act entitles RIA to ask communications undertakings for anonymized data regarding network flows that would help to identify the device that is spreading malware and ascertain the targets of the attack. It is important to stress that this is not personal data but rather metadata pertaining to systems and needed for resolving a cyber incident.
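The distinction drawn above between personal data and system metadata can be made concrete in code. The Python below is an added example, not a procedure prescribed by the Act or used by any communications undertaking: it replaces the addresses in constructed flow records with keyed (HMAC-SHA256) pseudonyms before sharing, so the shared records still show which device is fanning out to many peers on one port, the signature of a device spreading something, while only the key holder can map a pseudonym back to an address. The key, the records, the port and the peer-count threshold are all constructed for the example.

```python
"""Pseudonymise network flow records with a keyed hash so that a device's
behaviour can be analysed without exposing who it is.

Added example (not the Act's procedure or any undertaking's tooling).
Flow records, key and thresholds are constructed.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes).
# The first source contacts four different hosts on the same port.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, 1200),
    ("10.0.0.5", "10.0.0.21", 445, 1180),
    ("10.0.0.5", "10.0.0.22", 445, 1210),
    ("10.0.0.5", "10.0.0.23", 445, 1190),
    ("10.0.0.9", "10.0.0.20", 443, 52000),
    ("10.0.0.20", "10.0.0.9", 443, 3100),
]

# Kept by the data holder; a fresh key per request prevents linking
# pseudonyms across separate disclosures.
PSEUDONYM_KEY = b"constructed-per-request-secret"


def pseudonymise_ip(ip, key=PSEUDONYM_KEY):
    """Deterministic keyed pseudonym for an address.

    Equal addresses map to equal tokens, so flows remain correlatable, but
    without the key the token cannot be reversed or brute-forced from the
    small IPv4 space (a plain hash could be).
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_flows(flows, key=PSEUDONYM_KEY):
    """Return the flow records with both endpoints replaced by pseudonyms;
    port and byte counts (system metadata) are kept as they are."""
    return [(pseudonymise_ip(s, key), pseudonymise_ip(d, key), port, nbytes)
            for s, d, port, nbytes in flows]


def fan_out_by_source(pflows):
    """Number of distinct destinations per (pseudonymous source, port)."""
    peers = defaultdict(set)
    for src, dst, port, _ in pflows:
        peers[(src, port)].add(dst)
    return {k: len(v) for k, v in peers.items()}


def suspected_spreaders(pflows, min_peers=3):
    """Pseudonymous sources contacting at least min_peers hosts on one port
    (assumed threshold for this example)."""
    return sorted(src for (src, port), n in fan_out_by_source(pflows).items()
                  if n >= min_peers)


def resolve(token, candidates, key=PSEUDONYM_KEY):
    """Only the key holder can map a token back to an address, and only by
    re-hashing addresses it already knows about."""
    return [ip for ip in candidates if pseudonymise_ip(ip, key) == token]


if __name__ == "__main__":
    shared = pseudonymise_flows(SAMPLE_FLOWS)          # what leaves the undertaking
    for token in suspected_spreaders(shared):          # what the analyst sees
        print("fan-out from pseudonym", token)
        print("  resolves at key holder to", resolve(token, {f[0] for f in SAMPLE_FLOWS}))
```

The analyst receiving the pseudonymised records can report back a token; the undertaking, holding the key, turns it into an address and acts on its own subscriber. The same keyed construction also lets the two sides check whether a token the analyst already holds from another source appears in the disclosure, without the address ever crossing.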

Preventing cyber-induced emergency

Alongside simpler and more common cyber threats, a cyber incident may also have an extensive impact on significant societal functions and services, and we must be prepared for these as a state and society. RIA’s obligation to prepare an emergency risk analysis for a cyber incident derives from the Emergency Act. The institution preparing the risk analysis in each field proposes threat scenarios that may escalate into an emergency. On this basis, it puts together a capacity analysis to assess the state’s readiness to prevent an emergency, prepare for an emergency and resolve the situation. Risk analyses are a basis for preparing the emergency resolution plan and planning emergency prevention, readiness and resolution measures, as well as formation of an institutional and state operational reserve.

The cyber incident risk analysis assesses the risk scenarios for four serious events: disruption of the electronic authentication service, loss or modification of data vital for the functioning of the state, a cyber attack that causes extensive power outages, and interruptions in data services. The probability of these scenarios is high and the consequences may be very severe. The likelihood is enhanced by the fact that the digital domain is changing and developing rapidly and the level of dependence on information systems is also growing. Estonia has not had an emergency in recent years, yet the risk of an extensive cyber incident is on the rise worldwide and attacker skills are constantly developing. Our digital dependence and the risks involved have grown significantly and we must be aware of them. It is more and more important to invest in the cyber security of our digital baseline infrastructure and to assess the risks. Although it is complicated to mount a severe attack and it requires resources and motivation, it is not impossible. If the trustworthiness and international reputation of online elections, the ID card, the X-Road or state registers should come under fire, it would have severe and long-lasting consequences.

The state’s readiness to prevent and resolve emergencies caused by a cyber incident has significantly improved over recent years. Our challenge is still in filling key positions and developing an understanding of the cross-dependencies between key public services, information systems and databases.

Photo: Arno Mikkor
The volume of resources directed at ensuring cyber security no longer meets the needs of the developing field, which is why it is important for the Estonian state to increase investments into awareness-raising and the development, testing and security of IT systems already in the service design phase.

Summary: conclusions and assessments for 2018

• There is no such thing as 100% security – readiness matters. 2017 was a good year for Estonia because we had prepared accordingly – to ensure the security of the EU Presidency and the local elections, to make the digital infrastructure (ID card ecosystem) hardy and robust, and to prevent and be prepared for extensive cyber incidents. The malware campaigns that globally caused great losses ranging into the billions of euros and also posed direct danger to people’s lives and health caused minimal damage in Estonia. We remained a step ahead of the threats thanks to updated systems and efficient and rapid threat notification and information exchange. The malware campaigns of 2017 will not be the last, though. Crippling of medical equipment, hospitals, power plants, airports and vital services will sooner or later result in human casualties. Awareness, readiness and rapid response determine whether Estonia will be hit by the next wave and how successful we will be in minimizing damage.

• Increasingly, state actors are behind the more serious cyber attacks. It is the easiest way for some regimes to leverage their power – they produce a compelling effect while being affordable and offering plausible deniability. Attacks on vital services are a persistent and everyday threat, and multifaceted cyber and propaganda attacks for undermining democratic processes are a particularly simple way to influence foreign governments’ policies. In Estonia, there is great trust in internet voting, and ample know-how and years of experience in regard to ensuring the cyber security of elections. We share our expertise with our partners. In the European Union, we head up cooperation that will result in recommendations being drafted for strengthening cyber security for elections.

• To change the behaviour of countries that mount cyber attacks, there has to be a political and economic cost for such actions. To prevent increasingly brazen and aggressive cyber attacks, democracies must build credible deterrence. This is something that can be created above all through countries that share common values and beliefs working together. One means of deterrence is to state clearly through public or diplomatic channels that the attacker can be identified and has been identified. Yet attribution must also be accompanied by measures with real political and economic consequences, enough to change the calculations of the states who are contemplating whether to mount cyber attacks.

• During the Estonian Presidency, a package of diplomatic measures was developed in the EU for responding to cyber attacks. This allows all of the EU’s single foreign policy measures to be marshalled in response to cyber attacks, from diplomatic steps to economic sanctions. The countermeasures should give pause to any countries organizing cyber attacks and those who support such countries, whether actively or passively.

• The threat of a cyber attack does not depend on whether your data are valuable to criminals but rather on whether your data are valuable to you. Most cyber attacks are unselective with regard to the targets themselves, but simply hunt for vulnerable devices and user accounts. In the case of most of the cyber incidents that occurred in Estonia last year, we can say that the losses could have been forestalled by keeping software updated, making backup copies of all important data and more carefully restricting access to data and devices. Another trend is that cyber criminals are becoming more and more professional: although crude phishing attempts and scams are still seen, the profit motive is leading attackers to put effort into trying to appear plausible. Healthy scepticism and attention to detail will help significantly cut the losses from such cases. If your data are important to you or your business, protect them!

• To improve cyber security at government institutions, we are past talking. Throughout the world, government institutions are prime targets for cyber attacks. Estonian officials have good cyber hygiene, but incidents involving government institutions show that the possibilities of improving cyber security through awareness building have been exhausted and the focus should now be placed on secure architecture, with investments into compliance with requirements and ensuring the existence of information security competence at institutions. The way cyber security is organized at government agencies with limited information security capability and at most local government units is a cause for concern. The state must aspire to greater centralization when it comes to organizing cyber security.

• Security is not static. Security vulnerabilities in mainstream technologies are not a one-time shock but endemic to this environment, and it is clear that attempts will be made to exploit any new flaws that emerge. Security does not end when an information system is completed or a piece of equipment is acquired. Maintaining it means continual work, and the first responsibility for the security of a device or system lies with its owner. The only kind of effective cyber defence is comprehensive defence – an effort that everyone has to contribute to.

• The Cyber Security Act will bring greater legal clarity, but the legislation will not resolve all concerns in the vulnerable sectors. The new Cyber Security Act will bring a more rational system to the roles, terminology and responsibility in organizing cyber security in Estonia, but besides implementation of the act, close partnership with state and private sector institutions will remain important. At the same time, proceedings on the draft legislation have pointed to a number of risks that require attention, such as cyber security at Estonian Public Broadcasting or the dependency of vital services on service providers outside the scope of application of the Act, and risks from cross-border dependencies.

• In particular, cyber security in the healthcare sector needs more effective support. In a situation where hospitals and family medicine centres process our most sensitive personal data and their work depends largely on the functioning of digital systems, they must not be stranded in a situation where cyber security is competing for resources with healthcare provision. RIA will continue advising healthcare institutions and training employees. At the same time, it is essential that the administrations of institutions also devote attention to cyber security and mitigate the related risks, be it by outsourcing a comprehensive service or developing cyber security competence at the institutions themselves.
