[ARTICLE No. 3 Bulletin] KEVIN TAMMEARU | Head of Business Development for User Experience Platforms in the Department of Data Exchange Technologies at Cybernetica
The Estonian data exchange system, called X-Road, helped Estonia save 1407 years of working time last year alone. This is up from 804 years in 2017 and Cybernetica, the European cyber security company behind the solution, is helping countries across the globe achieve the same.
A myriad of challenges
Work on this started in the late 1990’s and early 2000’s: Estonia faced several challenges in economic development, tackling legacy issues and securing a place in the international community. It was evident that overcoming these difficulties required a forward looking, fast paced government.
However, Estonian public administration databases were in isolation and the data exchange between agencies, ministries and organisations was slow and inefficient. Governmental information systems were not taking advantage of the opportunities the internet presented and suffered from poor connectivity. It was clear that establishing new connections between governmental databases and systems was time-consuming and expensive. Both of these currencies Estonia could not really spare at the time.
And that’s not the final set of challenges. Battles were also held around organizational issues, as many legal entities were responsible for different registers and most of them were developed independently. The registers used various database back ends and had interfaces that weren’t standardized.
Despite all of this, the government still had to function efficiently and offer services to citizens. And since most of the registers contained data that was sensitive (or confidential), security of the system had to be built in by design.
Research and development
The government started to investigate ways to organize the communication between government entities already around 1998 — these seminars and debates led to the X-Road project in 2001.
The Estonian Government’s State Information Systems Department commissioned Cybernetica as part of a joint project (in partnership with Assert) to develop the initial pilot, which was launched in 2001. Cybernetica took the leading role in implementing the data exchange solution and developing the X-Road since.
The company was well suited to take on this challenge, as it had branched out from the Estonian Academy of Sciences and its Institute for Cybernetics in 1997. With a long history of working on the front lines of scientific advancement (the Institute of Cybernetics was founded in 1960), the company was able to deliver a state-of-the-art solution to Estonia by using different technologies under a government setup in a novel way.
In 2001, Arne Ansper concluded a deeper scientific research on the e-State “E-State from a Data Security Perspective.” With this, a model for the e-State architecture and the appropriate legal framework was presented. Thanks to the structure, which has security by design and distributed architecture, the data exchange platform has experienced virtually no downtime since its inception.
The paper concluded:
“… there is no single piece of technology or a solution that would guarantee the success of the e-State implementation project. However, there exist a number of technologies that, when not used, guarantee the failure of the project.”
The data exchange technology that enables governmental interoperability is one of those in the latter category (this was also highlighted in a World Bank Development Report written in 2016).
Throughout the years, Cybernetica continued development and improvement of the X-Road in Estonia, with X-Road version 6 being the latest. This version improved the integrity of data exchanged between organisations and introduced additional measures to comply with requirements set by eIDAS. It included support for using qualified certificates to certify digital documents.
In 2012 Cybernetica started a research & development project to develop the basis of the next generation interoperability platform, the UXP (Unified eXchange Platform), the core of which is also used in the X-Road version 6.
With the prototype completed in 2013, the basis of UXP was adopted to build X-Road version 6. Work on version 6 was done from 2014–2015. The R&D was carried out with the aim of other countries across the globe having the opportunity to use this foundational technology and pave the way for a smart and secure digital government.
A major change with the new generation interoperability platform was the opportunity to have shared services between governments. Estonia and Finland have connected their data exchange layers for cross-border data interoperability. Because of significant movement of people between the two countries, this opportunity has direct impact on the well-being of citizens in both nations. Estonia and Finland have started several cross-border public services, primarily in healthcare.
A World Bank Development Report in 2016 highlighted two foundational technologies that enable a secure and smart e-government ecosystem: digital identity and data exchange. Cybernetica has developed solutions for both areas (digital identity; secure data exchange) and the main challenge for governmental data exchange has been how to ensure secure and reliable exchange of mission critical data in an adverse, complex and dynamic environment.
The report, written by Kristjan Vassil from the Institute of Government and Politics at the University of Tartu, goes on to describe some of the characteristics of the X-Road: „ … open design is accompanied by rigid security measures — authentication, multilevel authorization, high-level log processing and monitoring, encrypted and time stamped data traffic — the basic functionalities that are covered within the very structure of X-Road.“
Today, the X-Road in Estonia has connected over 670 institutions and enterprises and over 515 public sector institutions. There are roughly 52 000 organisations as indirect users of X-Road services and over 1600 interfaced information systems.
Over 2700 services can be used via the X-Road.
As a result of developing the X-Road and several other complex systems for the Estonian government and its various ministries (such as e-Police, e-Customs, e-Voting), Cybernetica gained invaluable experience in how to build an e-State and develop a digital society.
High security requirements
Secure governmental data exchange is a prerequisite to build seamless services that are used by public servants and citizens. The goal is to have a cross-agency information sharing capability that is effortless so government can offer the best services and be available 24/7. It is one of the fundamental pieces of a functional digital society. And in many cases, the underlying data is used to make decisions with high value and is needed in real time. The nature of personal data that various government bodies use for their services place very high security requirements on the solution.
Security by design therefore is the bedrock of governmental data exchange and several information security principles have been implemented in the data exchange solution.
The CIA Triad is at the heart of information security and is considered a basic building block. It stands for confidentiality, integrity and availability.
The CIA model was in line with what studies indicated in relation to the security requirements of the data exchange solution:
- No third party or intermediary should gain access to the data;
- High value decisions require that the data is accurate and consistent;
- Business processes depend on the infrastructure — there can be no single point of failure or global performance bottleneck.
To achieve confidentiality requirements, all data exchanged over the system is encrypted with a security protocol to create a channel between counterparts. Furthermore, peer to peer data exchange only happens between parties that have reached an agreement to open up their data, which means they communicate directly with each other.
To ensure integrity and evidentiary value, the security server (a local component in the data exchange system) signs all the outgoing messages with the member’s signing key. All of the signed messages are saved to a log that is periodically time-stamped to ensure long-term validity of the signatures. The time-stamped signatures can be extracted from the log and presented to third parties for verification.
A distributed architecture gives the infrastructure high availability with a low number of coordinating services (governing components). Several security mechanisms have been built into the servers to give protection against denial of service (DoS) attacks. Redundancy and load balancing are used for critical components to guarantee continuous functioning of the infrastructure.
Scalability, reliability, non-repudiation, accountability, auditability, to highlight a couple of other principles, have also been built into the data exchange solution to ensure secure and reliable exchange of mission critical data.
In conclusion, although there is no single solution to this thorny and growing issue, the importance of secure data exchange to nations across the world cannot be overestimated. In Estonia, there are almost no paper documents and certificates that need to be carried from one government agency to another. Instead of relying on documents brought by the citizen, agencies make queries to the source and retrieve the most up to date version of the required information.
Kevin Tammearu is Head of Business Development for UXP in the Department of Data Exchange Technologies at Cybernetica.
Cybernetica is a research and development intensive ICT company that develops and sells mission-critical software systems and products, maritime surveillance and radio communications solutions. Cybernetica has been an active counterpart in developing critical e-Government systems, such as the Estonian X-Road, i-Voting, e-Customs and others. Today Cybernetica delivers its systems to across 35 countries in the world. As part of its heritage, Cybernetica still focuses on research and development, especially in information security — its stand-alone Institute of Information Security works in collaboration with the top universities from Europe, but also with institutions from the USA and Japan.