The government of Estonia is one of the most cyber-aware governments in the world. Recent reports have suggested that the country has been in discussion with the UK for the establishment of an overseas data embassy. Those same reports suggest that Britain’s decision to leave the European Union is making Estonia reconsider the UK, and perhaps favor Luxembourg. If this is true, it could make the loss of business with Estonia the first major cyber casualty of Brexit.
SecurityWeek contacted the Estonian Ministry of Economic Affairs and Communications for clarification, but was told, “Currently I can only confirm that we are assessing different opportunities to establish a data center abroad, but as the project is still in initial stage there isn’t much more to comment publicly just yet. I hope to get more details by the end of this month.”
Although the Ministry here describes the project as simply a data center, it has elsewhere used the term ‘virtual data embassy’. This is to differentiate the concept from simple backups that have been stored in overseas embassies for the last ten years. Estonia is facing an issue now that will be faced by more and more nations as electronic government increases: secure mirrors will be required to ensure that the country itself doesn’t face downtime in a catastrophe. Estonia, of course, faces the additional concern of physical incursion from its neighbor and one-time overlord, Russia.
Taavi Kotka, the Government CIO, wrote, “As part of this research project, we have evaluated methods to ensure that the data and services of and for our citizens, e-residents, and institutions are kept safe, secure, and continuously available. Privacy, security, data protection, and data integrity are central to our government services.” He added that after the Snowden revelations, both governments and large corporations are facing a trust deficit. It is the combination of Snowden’s GCHQ revelations and the potential effect of Brexit that makes the UK seem a less privacy-centric destination for Estonian government data.
But is this a valid concern? SecurityWeek spoke to Phil Bindley, CTO at The Bunker, for his views. The Bunker is one of the UK’s most secure co-location data centers, having originally been constructed as a nuclear bunker during the Cold War years.
We asked Bindley if he thought the idea of a data embassy is politically feasible. It would, he suggested, “require some level of unilateral legislation to provide for these data embassies. How easy it would be to transpose the agreements already in place for the location of physical embassies and apply this to areas of specific data centers is difficult to accurately answer without making wild assumptions.” But in theory, he added, “with the required level of support and engagement of the national governments in place globally, I see no reason why this could not occur.”
Bindley also believes that it is technically feasible. “The concept of strategically distributing data assets and thus mitigating the risks of having all data stored within one country theoretically would provide a level of resilience to the kind of cyber-attacks that prevent access to the data and systems that are provided to the citizens of Estonia,” he said. He also noted that the existing UK infrastructure is more than suitable “in terms of the density of private data center space and the quality of those data centers. Also, communications from all major carriers are present and relatively economical to supply,” he added.
“However, availability is only one part of the equation and the controls needed to assure both the confidentiality and integrity of the data would also need to be considered.”
This is the crux, and the reason for concerns over the suitability of the UK as a site for an Estonian off-shore data embassy. With the UK leaving the European Union, it is possible that it would be illegal to store EU data (that is, Estonian citizen data) within the UK. Bindley considers this to be unlikely. “I believe that it is inevitable, Brexit or not, that the ICO and the UK parliament will put in place legislation that mirrors the GDPR. Without this in place we will find it very difficult to trade with other members of the EU. As the EU is our biggest single trading market currently, I cannot imagine a scenario where, having invoked Article 50 and started negotiations, this is not either offered by the UK or mandated by the EU.”
In short, if the reports are true and the UK has fallen out of favor as a site for the Estonian data embassy, the reason is as likely to be emotional as it is technical. Nevertheless, it remains a distinct possibility that a UK/Estonian data embassy might become the first major cyber casualty of the Brexit decision.