Estonia’s “Data Embassy” Could be UK’s First Brexit Cyber Casualty

The government of Estonia is one of the most cyber-aware governments in the world. Recent reports have suggested that the country has been in discussion with the UK for the establishment of an overseas data embassy. Those same reports suggest that Britain’s decision to leave the European Union is making Estonia reconsider the UK, and perhaps favor Luxembourg. If this is true, it could make the loss of business with Estonia the first major cyber casualty of the Brexit.

SecurityWeek contacted the Estonian Ministry of Economic Affairs and Communications for clarification, but was told, “Currently I can only confirm that we are assessing different opportunities to establish a data center abroad, but as the project is still in initial stage there isn’t much more to comment publicly just yet. I hope to get more details by the end of this month.”

Although the Ministry here describes the project as simply a data center, it has elsewhere used the term ‘virtual data embassy’. This is to differentiate the concept from simple backups that have been stored in overseas embassies for the last ten years. Estonia is facing an issue now that will be faced by more and more nations as electronic government increases: secure mirrors will be required to ensure that the country itself doesn’t face downtime in a catastrophe. Estonia, of course, faces the additional concern of physical incursion from its neighbor and one-time overlord, Russia.

Taavi Kotka, the Government CIO, wrote, “As part of this research project, we have evaluated methods to ensure that the data and services of and for our citizens, e-residents, and institutions are kept safe, secure, and continuously available. Privacy, security, data protection, and data integrity are central to our government services.” He added that after the Snowden revelations, both governments and large corporations are facing a trust-deficit. It is the combination of Snowden’s GCHQ revelations and the potential effect of Brexit that makes the UK seem a less privacy-centric destination for Estonian government data.

But is this a valid concern? SecurityWeek spoke to Phil Bindley, CTO at The Bunker, for his views. The Bunker is one of the UK’s most secure co-location data centers, having originally been constructed as a nuclear bunker during the Cold War years.

We asked Bindley if he thought the idea of a data embassy is politically feasible. It would, he suggested, “require some level of unilateral legislation to provide for these data embassies. How easy it would be to transpose the agreements already in place for the location of physical embassies and apply this to areas of specific data centers is difficult to accurately answer without making wild assumptions.” But in theory, he added, “with the required level of support and engagement of the national governments in place globally, I see no reason why this could not occur.”

Bindley also believes that it is technically feasible. “The concept of strategically distributing data assets and thus mitigating the risks of having all data stored within one country theoretically would provide a level of resilience to the kind of cyber-attacks that prevent access to the data and systems that are provided to the citizens of Estonia,” he said. He also noted that the existing UK infrastructure is more than suitable “in terms of the density of private data center space and the quality of those data centers. Also, communications from all major carriers are present and relatively economical to supply,” he added.

“However, availability is only one part of the equation and the controls needed to assure both the confidentiality and integrity of the data would also need to be considered.”

This is the crux, and the reason for concerns over the suitability of the UK as a site for an Estonian off-shore data embassy. With the UK leaving the European Union it is possible that it would be illegal to store EU data (that is, Estonian citizen data) within the UK. Bindley considers this to be unlikely. “I believe that it is inevitable, Brexit or not, that the ICO and the UK parliament will put in place legislation that mirrors the GDPR. Without this in place we will find it very difficult to trade with other members of the EU. As the EU is our biggest single trading market currently, I cannot imagine a scenario where, having invoked Article 50 and started negotiations, this is not either offered by the UK or mandated by the EU.”

In short, if the reports are true and the UK has fallen out of favor as a site for the Estonian data embassy, the reason is as likely to be emotional as it is technical. Nevertheless, it remains a distinct possibility that a UK/Estonian data embassy might become the first major cyber casualty of the Brexit decision.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
