
Making digital public services “secure by design”: Lessons from Estonia

24.10.2022

Interview with Jana Silaškova, Head of Internationalisation at the Estonian ICT Cluster

The delivery of digital services offers governments many opportunities to increase transparency, inclusivity, and efficiency across the public sector. For example, digitalising the healthcare sector and introducing digital services such as e-prescriptions can help save significant public resources and patients’ time, while seamless e-services for businesses, such as online registration, can speed up processes and foster entrepreneurship and innovation.

However, e-government infrastructure is also vulnerable to cyber attacks which can compromise data and damage computer systems, costing millions in damages for governments and threatening citizens’ privacy and security. Governments should therefore be prepared for such attacks and adopt preventive measures. Cybersecurity should be an integral part of the design of digital public services.

In this new interview, part of the “Three questions on D4D” series, we talk to Jana Silaškova, Head of Internationalisation at the Estonian ICT Cluster (ITL) – an association of Estonian ICT companies and an implementing partner of the African Union – European Union (AU-EU) Digital for Development (D4D) Hub. Jana draws lessons from the Estonian experience in integrating cybersecurity into its e-governance infrastructure and identifies opportunities for African partners currently engaged in digitalising their public services.

Q: How has Estonia integrated cybersecurity into the design of digital public services?

JS: Being a digital society means being exposed to cyber threats and always staying alert. As an integral part of Estonia’s efforts to make all public services available online, we have invested in cybersecurity infrastructure for many years.

In 2007, Estonia suffered 22 days of cyber attacks on an unprecedented scale against government institutions after the country decided to relocate a Soviet-era statue. This experience made us aware of the importance of stepping up the efforts to secure our digital public services. We understood that cyber resilience should be part of our weaponry to protect ourselves.

In 2022, Estonia has been once again a target of severe cyber attacks, this time related to the Russian aggression in Ukraine. The difference is that we are prepared, and people can continue with their everyday lives. The attacks resulted in short-term service interruptions, but otherwise, e-Estonia stayed up and running – that means that our investments in cybersecurity have paid off.

One of the cornerstones to being resilient is that we have established a distributed architecture of data management where data is maintained by the owners of the databases. An interoperability layer called X-Road allows a secure exchange of information between databases and registries. The data cannot be duplicated and there is no central database. The communication between databases is encrypted and sessions leave traces with evidential value because it is only possible to access the registries and make any transactions through digital identification. This means that only people who have been previously authorised to make an inquiry can do so. In case, for example, a doctor accesses data that he or she is not authorised to see, he or she can lose his or her licence.

Q: In your experience, what are the key aspects and challenges to consider for digital services that are secure by default?

JS: First, Estonia’s e-government has been developed in close cooperation with the private sector and NGOs. This has been one of the key success factors of our digital state: a partnership between a forward-thinking government and a proactive information technology and telecommunications sector. New services are always jointly built with the private sector, and they are also consulted when making any changes in the legal framework. A strong legal framework consisting of favourable laws and regulations is another important element for secure digital services, as well as a government with an innovative mindset that supports new ideas about how technology can help us all.

Digital identity is the third factor. Our national ID card is mandatory, and it acts as an access card to every secure e-service in Estonia. We have some other options as well (Mobile ID and Smart ID), but no matter the token, the most important thing is that you can have secure identification when logging into services and giving digital signatures. Once you have logged into the system with your electronic ID, you do not have to repeat logging in when accessing different services.

Ensuring the integrity of the data stored in government registries and secure data exchange between the different registries throughout providing the services (mentioned above) is also of utmost importance to guarantee the secure functioning of the e-State.

The main challenge in keeping the main aspects of secure digital services up and running is the need for constant updates and a permanent budget, so our recommendation is to always plan sufficient funding for all aspects of the digital transformation, including security.

Q: How can the Africa-Europe digital partnership help countries counter and prepare for these challenges?

JS: Many African countries have made important progress in digitalising their public services in recent years – for example Benin, Rwanda or Namibia. The advantage is that Africa can leapfrog in many areas, avoiding the mistakes that European countries have made over the years, and leverage digital services to create an attractive business environment to gain more investment, providing government services through digital to all citizens living in any corner of the country.

ITL is one of the Estonian implementing partners of the AU-EU D4D Hub project, one of the initiatives that allow us to directly contribute to Africa-Europe cooperation by building on our experience and know-how on e-governance built over the past 30 years. Through this project we can share our lessons learned on the importance of secure and transparent digital public services to improve citizen participation and their quality of life, hence contributing to more efficient public service delivery for sustainable development.

Our activities include providing training and implementing pilot initiatives and large-scale projects. We believe that it is very important to strengthen digital skills and raise awareness to build a secure digital framework that is resilient to any cyber attacks – and this is exactly what we aim to support.

Do you want to learn more? ITL is facilitating the workshop “Roadmap for an Effective e-Government Ecosystem”, which will take place at the Tanzania Annual ICT Conference from 26-28 October 2022.

About the interviewee

Jana Silaškova is the Head of Internationalisation at the Estonian ICT Cluster (ITL), supporting Estonian ICT companies in their internationalisation ambitions with a strong emphasis on development cooperation and partnerships with international and regional organisations. Prior to joining ITL, she worked for nine years with foreign funding in the Estonian Ministry of Finance, and for five years organising and hosting high-level visits of business delegations to and from developing countries and organising events and training that support companies in their business and export ambitions in the Estonian Chamber of Commerce. Jana holds a Bachelor’s Degree in Business Administration and Languages and a Master’s Degree in Interpretation.