Editor’s Note: As the operational landscape for legal discovery professionals expands beyond the traditional core eDiscovery tasks of collection, processing, and review, and shifts from the trigger points of audits, investigations, and litigation back to the creation of data at the endpoint, many law firms, corporations, and legal service providers are now heavily focused on the growing challenges and opportunities of cybersecurity. This post compiles extracts from informational articles that may help readers learn how cybersecurity is approached, from strategy and vision through interoperability and architecture, by one of the most digitally advanced and cybersecurity-savvy countries in the world, Estonia. Although the information originates from a nation-state point of view, many of its elements and frameworks can also be applied at the industry and organizational level, including the legal services industry and law firms, legal departments, and legal service providers.
Extract from an article by Monica Ruiz as published in WIRED
To Bolster Cybersecurity, the US Should Look to Estonia
The tiny European nation has come a long way after crippling cyberattacks in 2007. Now it offers key lessons in attracting tech talent and educating citizens.
The 2007 cyberattacks against Estonia were a turning point for when cybersecurity began to be accepted as an essential part of national security. The incident, a response to the relocation of a Soviet War bronze soldier statue, crippled the websites of banks, government agencies, and media outlets for weeks. Today, the country is on its third National Cybersecurity Strategy (2019–22)—previous strategies ran from 2008–13 and 2014–17. Estonia’s current strategy highlights its innovator role at the vanguard of novel cyber approaches.
Extract from Estonia’s Third National Cybersecurity Strategy Document
2019-2022 Cybersecurity Strategy for the Republic of Estonia
The Estonian cybersecurity strategy was among the first of its kind globally. Today, national cybersecurity strategies are commonplace, as is the approach that the first Estonian cybersecurity strategy adopted. The 2013 European Union (EU) cybersecurity strategy defined a national cybersecurity baseline (designating national competent authorities, establishing national incident response teams, developing a national cybersecurity strategy); the 2016 EU Network and Information Systems Security Directive established these as a legal obligation. As of the development phase of this document, about fifteen nations and the EU have a second-generation cybersecurity strategy, Estonia among them. With the third cybersecurity strategy, we are among the first countries in the world.
Functioning cybersecurity covers the whole information system and service lifecycle starting from architecture, which is an organic part of service. To allow this principle to have a practical outlet as well, both technical design and process design and regulatory requirements must be considered when developing state information systems and digital services. Security competence and testing must go hand in hand with service design right from the start of the development process.
Estonia’s digital architecture is based on the government-issued secure electronic identity and the X-Road data exchange layer, which have helped to enable and leverage rapid digital innovation and ensure that security is organized in a manner that is convenient and natural for citizens. X-Road is the means for securely structuring state services, data exchange and cooperation, and the ID card, as the obligatory identity document, is the means used by the state to provide its citizens with a digital identity certificate (authentication and signing means) and encryption device, thus spreading secure technology to the general population. More than in just the existence of the technology, Estonia is distinct from other countries in its capability to implement the technology.
Third Estonian Cybersecurity Strategy Document (PDF)
Extract from X-Road® Fact Sheet as published by e-Estonia
e-Estonia X-Road® Fact Sheet
In Estonia, public organizations have their own information systems to process information relevant to the state and its citizens to provide public services. These often run on different systems that suit the function of the organization. X-Road is a distributed information exchange platform that makes it possible for these different systems to communicate all across the governmental sector; for example, the police can access data from the health system, tax board or business registry and vice versa. But to do this X-Road must satisfy three criteria. First, the platform must be interoperable and technically easy for each member of the system to access the data they need. Second, the data cannot be corrupted in transit by the system or an external third party. And third, the data must be protected from prying eyes so that unauthorized individuals cannot view the content of the data en route. X-Road has satisfied all three criteria since 2001, performing all the required functions for the state and the people of Estonia. It has made it possible to deepen cooperation between public organizations and has reduced paperwork exponentially, so that public employees can concentrate on tasks that require human interaction.
X-Road Fact Sheet (PDF)
Extract from the Nordic Institute of Interoperability Solutions
X-Road is an open-source data exchange layer solution that enables organizations to exchange information over the Internet. X-Road is a centrally managed distributed data exchange layer between information systems that provides a standardized and secure way to produce and consume services. X-Road ensures confidentiality, integrity and interoperability between data exchange parties.
X-Road is used nationwide in the Estonian data exchange layer X-tee and the Suomi.fi Data Exchange Layer service in Finland. X-Road is released under the MIT open source license and is available free of charge for any individual or organization.
X-Road implements a set of common features to support and facilitate data exchange. X-Road provides the following features out of the box:
- address management
- message routing
- access rights management
- organization-level authentication
- machine-level authentication
- transport-level encryption
- digital signature of messages
- error handling
The identity of each organization and technical entry point (Security Server) is verified using certificates that are issued by a trusted Certification Authority (CA) when an organization joins an X-Road ecosystem. The identities are maintained centrally, but all the data is exchanged directly between a consumer and provider. Message routing is based on organization and service level identifiers that are mapped to physical network locations of the services by X-Road. All the evidence regarding data exchange is stored locally by the data exchange parties, and no third parties have access to the data. Time-stamping and digital signature together guarantee non-repudiation of the data sent via X-Road.
Two X-Road ecosystems can be joined together, i.e. federated. Federation is a one-to-one relationship between two ecosystems. Members of the federated ecosystems can publish and consume services with each other as if they were members of the same ecosystem. It is possible to create federation connections with multiple ecosystems, but transitive federation relationships are not supported: an ecosystem does not have a federation relationship with another ecosystem that it is not directly federated with. Federation enables easy and secure cross-border data exchange between X-Road ecosystems.
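The security model sketched in the two extracts above (identities certified by a trusted CA and maintained centrally, messages routed by organization and service identifiers but exchanged directly between consumer and provider, each message signed so that the parties' locally kept copies serve as evidence, and federation limited to one hop) can be made concrete with a small simulation. The Go program below is an added example written for this page; it is not X-Road's own code (X-Road is a Java project that uses X.509 certificates, OCSP and RFC 3161 time-stamps, none of which are modelled here). It uses Ed25519 keys, a struct in place of a certificate, and made-up member codes, subsystem names and hostnames; only the identifier shape INSTANCE/MEMBER_CLASS/MEMBER_CODE/SUBSYSTEM/SERVICE follows X-Road's convention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Cert stands in for the X.509 certificate a trusted CA issues when a member
// joins an ecosystem: the CA's signature binds a member identifier to a key.
type Cert struct {
	Member string // "INSTANCE/MEMBER_CLASS/MEMBER_CODE", e.g. "EE/GOV/70000001"
	PubKey ed25519.PublicKey
	CASig  []byte
}

// GenKey makes an Ed25519 key pair; used for the CA and for every member.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
func certBytes(member string, pub ed25519.PublicKey) []byte {
	return append([]byte(member+"\x00"), pub...)
}

// NewMember generates a member's key pair and has the CA certify the public key.
func NewMember(caPriv ed25519.PrivateKey, member string) (ed25519.PrivateKey, Cert) {
	pub, priv := GenKey()
	return priv, Cert{member, pub, ed25519.Sign(caPriv, certBytes(member, pub))}
}

// Registry is the central map from service identifiers ("INSTANCE/CLASS/CODE/
// SUBSYSTEM/SERVICE") to the provider's Security Server address, plus the
// ecosystems directly federated with this one. Only identities live here.
type Registry struct {
	Instance    string
	Endpoints   map[string]string
	Federations map[string]*Registry
}

// Resolve maps a service identifier to an endpoint. For a foreign instance it
// consults that ecosystem's Endpoints but never its Federations: one hop only.
func (r *Registry) Resolve(serviceID string) (string, error) {
	table, inst := r.Endpoints, strings.SplitN(serviceID, "/", 2)[0]
	if inst != r.Instance {
		fed, ok := r.Federations[inst]
		if !ok {
			return "", fmt.Errorf("no route to %s: %s is not directly federated with %s", serviceID, inst, r.Instance)
		}
		table = fed.Endpoints
	}
	if ep, ok := table[serviceID]; ok {
		return ep, nil
	}
	return "", fmt.Errorf("unknown service %s", serviceID)
}

// Message is one request, signed by the sender over identifiers and body. Both
// parties keep it (with a timestamp) locally as evidence; no third party does.
type Message struct {
	Client, Service string
	Body            []byte
	Cert            Cert
	Sig             []byte
}

func payload(client, service string, body []byte) []byte {
	return []byte(client + "\x00" + service + "\x00" + string(body))
}
func Sign(priv ed25519.PrivateKey, cert Cert, client, service string, body []byte) Message {
	return Message{client, service, body, cert, ed25519.Sign(priv, payload(client, service, body))}
}

// Verify walks the chain of trust (CA -> member certificate -> message
// signature) and checks that the certified member owns the client subsystem.
func Verify(caPub ed25519.PublicKey, m Message) error {
	if !ed25519.Verify(caPub, certBytes(m.Cert.Member, m.Cert.PubKey), m.Cert.CASig) {
		return fmt.Errorf("certificate of %s was not issued by the trusted CA", m.Cert.Member)
	}
	if !strings.HasPrefix(m.Client, m.Cert.Member+"/") {
		return fmt.Errorf("certificate of %s cannot act as %s", m.Cert.Member, m.Client)
	}
	if !ed25519.Verify(m.Cert.PubKey, payload(m.Client, m.Service, m.Body), m.Sig) {
		return fmt.Errorf("signature on message from %s is invalid", m.Client)
	}
	return nil
}

func main() { // member codes and service names are made up for the demo
	caPub, caPriv := GenKey()
	key, cert := NewMember(caPriv, "EE/GOV/70000001")
	msg := Sign(key, cert, "EE/GOV/70000001/police", "EE/GOV/70000002/mnt/getDrivingLicence", []byte("licence query"))
	fmt.Println("genuine:", Verify(caPub, msg))
	msg.Body = []byte("altered in transit")
	fmt.Println("tampered:", Verify(caPub, msg))
}
```

Three checks in Verify correspond to three of the features listed in the extract: the CA signature on the certificate is organization-level authentication, the prefix check ties the client subsystem to the organization the certificate was issued to, and the message signature gives integrity and non-repudiation. Resolve shows why federation is not transitive: a registry looks into a federated ecosystem's endpoint table but never follows that ecosystem's own federations.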
Extract from Republic of Estonia Information System Authority
Data Exchange Layer X-tee
X-Road® software-based solution X-tee is the backbone of e-Estonia. Invisible yet crucial, it allows the nation’s various public and private sector e-service information systems to link up and function in harmony.
X-tee, the data exchange layer for information systems, is a technological and organizational environment enabling secure Internet-based data exchange between information systems.
To exchange data, a member of X-tee describes the shared data and other members can use that data based on an agreement. Due to the large number of systems that have joined X-tee, all members of X-tee can use the services and data of other members to improve their own business processes.
X-tee has a versatile security solution: authentication, multi-level authorization, a high-level system for processing logs, and data traffic that is encrypted and signed.
How Does X-tee Work?
- X-tee is based on an interoperable ecosystem and a technical ability to exchange data. To exchange data, one member of X-tee describes the shared data and other members are able to use this data based on an agreement.
- Due to the large number of systems that have joined X-tee, all members of X-tee can use the services and data of other members to improve their own business processes.
- One example is a solution by the police for controlling driving licenses. A driver no longer has to carry a physical driver’s license with them, as a police officer can, via X-tee, make an operative inquiry from the database of the Republic of Estonia Road Administration using an identification document to control driving licenses. The Tax and Customs Board has a somewhat similar data service that enables controlling tax arrears of private or legal persons.
- To implement already created services, you must become a member of X-tee, install an X-Road security server, make an agreement with a suitable X-tee service provider, work out a logic to create the internal data for the service you chose, and process the reply. X-Road® has been developed for over ten years now, and a large amount of code is available, which significantly simplifies the creation of new solutions. In the X-Road context, the reusable code is called a reusable component.
- If there is no suitable X-tee service yet, it can be created in cooperation between the parties. Very specific and sensitive data can also be exchanged. We follow the principle that the owner controls the data throughout the whole process, and the X-Road technology only offers a secure data exchange.
- X-tee enables exchanging many types of information: simpler cases involve texts, but you can also exchange files.
Operating Principles of X-tee
- Independence of platform and architecture – X-tee enables the information systems of X-tee members on any software platform to communicate with the information systems of data service providers on any software platform.
- Multilateralism – X-tee members are able to request access to any data services provided through X-tee.
- Availability and standardization – for managing and developing X-Road, international standards and protocols are used where possible.
- Security – exchanging data through X-tee does not affect the integrity, availability or confidentiality of the data.
Additional Reading
- The Intersection of International Law and Cyber Operations: An Interactive Cyber Law Toolkit
- Estonia, The Digital Republic