On June 20th, the prime ministers of Luxembourg and Estonia signed an agreement establishing the world’s first data embassy — a secure building where Estonia will store its critical government and institutional data outside of its own borders.
“This is the first data embassy in the world. Its establishment is part of the Estonian general strategy of data management and fundamentally a double guarantee to our data and services,” Estonian Prime Minister Jüri Ratas stated upon its confirmation.
The data embassy will be much like a traditional diplomatic embassy, in accordance with the Vienna Convention adopted in 1961: a piece of foreign territory within another country’s borders. Luxembourg, despite hosting, will not be able to access the data and will not pay any of its costs.
The small Baltic nation bordering Russia is going to such innovative lengths in part in response to the growing risk of cyberattacks upon its critical digital infrastructure. The country has digitised its banking, voting, contracts, taxes and even its garbage.
“In Estonia, we have reached such a high level of digitisation of government and society that for us there’s no more option to go back to paper. It means that we have to do all we can to ensure security of the systems and information we are working with,” said Government Chief Information Officer Siim Sikkut in emailed comments.
Estonia has learned the hard way why data security matters. The Kremlin has been implicated in hacking, most recently in relation to the US elections, hitting voting systems in 39 states according to recent reports.
But the country had an earlier wake-up call. Back in 2007, Estonia saw a wave of cyberattacks targeting media, government and financial institutions amid a heated dispute with Russia.
Citizens encountered problems with banking systems and prominent media outlets and government ministries were targeted. The attacks followed Estonia’s relocation of a Soviet monument from central Tallinn to a military cemetery on the outskirts of the capital. Estonians viewed Red Army soldiers as occupiers and the statue a reminder of the torment they suffered at the hands of the forces. The EU and NATO did not directly accuse Russia of being involved, although it was widely seen as responsible.
The data embassy will store citizens’ data on the territory of another sovereign state. In the event of another cyberattack, there will be backup “outside our borders,” said Sikkut. “We would want it to be fully under our jurisdiction (including laws) and control – which privately offered clouds don’t really allow.” This means that a physical attack would also be easier to circumvent. A data embassy is not only useful for defending against an online attack; it is helpful in the case of a ground invasion, too, which is something the country still fears.
“We have a very aggressive neighbour,” said Hannes Astok, the Deputy Director of Estonia’s e-Governance Academy. Jaan Priisalu, a former NATO cyber-defence fellow and a researcher at Tallinn University of Technology, echoed this concern. “In the first order it’s a defence mechanism, and it’s a deterrence mechanism,” said Priisalu, recalling Estonia’s previous experiences with being subjected to Soviet occupation.
“We can continue the government even if we lose the territory,” he added. “One of the goals is to take over or suppress existing institutions. When you’re able to continue those institutions even if the territory is occupied then you’re raising the price of occupation.”
Natural disasters may be another situation in which data embassies could be beneficial, said Astok, especially for smaller nations at high risk. “It is a good role model for countries in the Pacific or Caribbean, that have endless earthquakes or tornadoes or whatever, landslides. But we have other risks,” he said, suggesting that the military threat could be more severe than natural disasters in the Baltics.
Data embassies are not the only unique idea coming from Estonia, which has swiftly marked itself out as a global leader in e-governance in the past few years. Recently, it began offering e-citizenship to residents of other countries (that is, offering foreigners the chance of basing their business in the country), earning itself the nickname E-stonia. In the wake of Brexit, Estonia saw applications rise, a WIRED report found.
Estonia, according to Sikkut, expects its data embassy to be active by the end of 2017. In the meantime, the idea of a data embassy could easily take hold elsewhere. Estonia is currently helping Jamaica set up a fully digitised government system with the help of the country’s e-Governance Academy, and this new approach to data protection may soon start to spread globally too. However, it might only be applicable to smaller nations.
Priisalu said there are two requirements: “One is that you have to be so small that those kinds of disasters will actually take the whole territory of your country,” he said. Secondly, “you must have electronic government at the level you have something to store.”