Estonia has a lot of IT houses, each doing their own thing to the best of its ability. Is RIA currently responsible for all the pieces of the state’s information system and if not, who is?
MA: The aim of RIA is first and foremost to offer reusable solutions that could be used for all business services. RIA’s portfolio includes electronic identity without which no e-service, X-Road, state portal and network or elections solution could work.
Rather, our clients are other partner agencies, IT houses of other ministries that develop services for their target groups. The big picture is made up of ministries today, but I don’t see why we couldn’t have a single national IT house keeping an eye on all state projects in the future.
Could the current IT houses system be retained, or should Estonia move toward a common IT system developed based on universal standards and rules, with a universal cybersecurity standard? Could we see a State Information Systems Center next to the State Support Service Center?
MA: Consolidation of services could take place where we’re talking about similar services developed by IT houses or ministries – whether it’s system administration, email or server services. These services could be universal to save agencies having to spend additional resources on them.
Talking about business processes and end-user services, we do not support the creation of a hyper system that would pay out social benefits while collecting tax data at the same time. It would be sensible to keep these things separate on the level of owners.
LA: Good cybersecurity practice and the architecture council’s recommendations for new information systems are already in effect. It is a different story when it comes to existing systems and the need to manage information security incidents – that service is universal and comes from RIA.
We have a common code bank. It is not always necessary to physically merge IT houses as it is possible to reuse different parts of developments.
Have you determined the greatest threats to Estonia’s public IT systems? Are they international hackers or hostile states? Perhaps it is the stupidity of officials or something worse still?
LA: The biggest cybersecurity threat by far is the user sitting behind the computer every day. Anyone looking to get into the system will first look to carelessness on the part of officials. It is cheaper and simpler to take advantage of a user’s ignorance than it is to hack IT systems. That is why we have special training for public servants to minimize such risks. The other major threat are global hacking campaigns, mainly for the purposes of extortion.