TALLINN, 12 June 2018 – The audit of the National Audit Office indicates that the security of the data entrusted to local governments is not guaranteed as required: the risks related to IT security are not acknowledged and therefore, the requirements established by the state are not complied with, even though they have been in effect for almost 10 years now. The provision of information and financial support by the state has not led to the expected developed.

None of the audited local governments had assessed the security needs of the data held in their databases. Occasionally, local governments even struggle with the application of security measures of the lowest level. In many cases, IT users had been gives unrestricted rights too easily, oftentimes there was no overview of who can access what, password management was inadequate, the installation of security patches has largely been left up to users, the legality of software in workplace computers was not checked. Auditor General Janar Holm said when commenting on the audit results: “Sometimes, local governments reminded the auditors of the National Audit Office of the Wild West, where people had not heard anything about the requirements for information systems effective in Estonia.”

The risks related to IT security are still not acknowledged, although there are numerous examples of local government computers being targeted by denial-of-service attacks, systems being infected with malware and damage caused to website.

The National Audit Office found that the overall information security culture of local governments was low among employees and the management alike. Often, there are no guidelines for handling IT facilities, they have not been introduced to the employees or are not followed in real life; there is no training or information provided to support compliance with internal IT requirements. “The biggest concern is that the auditors met officials at local governments to whom the need to implement a system of security measures, incl. for data protection, was about as difficult to understand as the need to invest in a tourist trip to Mars – it’s something distant that will not happen in their lifetime anyway,” said Auditor General Janar Holm. “At a time when the number of known cyber incidents in Estonia already exceeds 10,000 per year, it is naive and dangerous to keep thinking that “this will not happen to us” or “our data are not important”.”

The auditors also found that the audited local governments do not consider themselves responsible for the security of the data held in externally hosted databases, the registration of databases in the administration system of the state information system (RIHA) and interfacing with the X-Road, but don’t demand this from service providers either. This explains to some extent why there is no comprehensive overview of the data collected by local governments, their security has not been analysed, the approval process that gives the right to collect them has not been passed and the accessibility of data in other databases is not considered. To citizens and companies, and often to the employees themselves, this means that the same data have to be submitted twice.

The small number of IT specialists in local governments may be a reason for this. In general, IT has been transferred to area of responsibility of a specialist of another field in small local governments and in medium-size local governments, the IT service consist of one or two specialists. They are mainly able to provide technical IT support, but there is little specialisation (incl. in information security). The appointment of an information security manager or the person who performs these functions is mandatory for local government upon the implementation of a system of security measures. Since hiring a separate person for this would often not be reasonable, the National Audit Office finds that local governments could cooperate more with the private sector or other local governments in this sphere.

The reasons of the problems can also be seen in the state’s activities. For example, the National Audit Office ascertained that the data composition of every database is not checked in the actual practice of approval of databases, but the approval is given in the course of the registration of the packaged product. According to the Data Protection Inspectorate, checking each registration would be a pointless waste of time, because the software solutions are generally the same ones used by several institutions for keeping their databases.

The National Audit Office found that the state’s requirements for keeping databases have not been thought through in respect of packaged products, which is why their implementation creates unreasonable duplication for local government and supervision authorities alike. The National Audit Office finds that ministries could play a role in the improvement of the situation, as they are the ones that required local governments to establish databases. The relevant ministries could give local governments guidelines about keeping databases (incl. information security guidelines) in all of the issues that interest them. The National Audit Office finds that the ministry itself could also develop the software for the performance of this function and take the role of the controller – this way, the state can determine the security needs of data, order compliance audits and so on.

The Minister of Entrepreneurship and Information Technology agreed with the National Audit Office that similar and uniform databases should be kept on the same grounds and the procedures should not duplicate each other. The Minister promised to approach the audit recommendations during the review of the guidelines concerning compliance with the legal requirements of the RIHA, the X-Road and the system of security measures (i.e. regulation of the system of security measures, the guideline on the implementation of ISKE, the ISKE audit guideline).

In addition to this, the National Audit Office found in its audit that considering the current situation of information security in local governments, the supervision exercised by the state cannot be considered adequate. There were local governments among the auditees where the employees themselves pointed out that non-existent supervision does not force the local governments to make an effort. The State Information System Authority (RIA) and the Data Protection Inspectorate both responded to the recommendations made by the National Audit Office by saying that more extensive supervision of local governments will be carried out according to priorities and possibilities. According to the RIA, they are already planning to go to local governments after the administrative reform to inspect them and give them information.

Until now, the state has mostly contributed to raising the level of information security in local governments with the provision of information and financial support. However, the results of the audit do not show that this has led to the expected development in the improvement of the information security situation of local governments.

The audit revealed that neither the Ministry of Economic Affairs and Communications not the Ministry of Finance considers supporting the compliance of the system of security measures of the information systems of the information and communications technology infrastructure of local governments from the support funds of the European Union a sustainable option – data security cannot depend on the availability of support funds.

The National Audit Office is of the opinion that information activities have been accessible to local governments. The reason why the situation in local governments is not better can be that the present target group that attended training consisted of IT specialists, not the management of agencies. The RIA stated in its response that senior managers have very little interest in attending such training. The National Audit Office emphasises in its report that attending such training is actually not optional for the heads of agencies. If there is no internal training, the management can participate in the relevant training organised by the RIA.

The National Audit Office acknowledges the audited local governments that started to considerably improve their attitude towards the performance of the obligation to guarantee data security during the audit.

Recommendation of the National Audit Office to local governments

• to appoint the person who performs the duties of an information security manager or outsource the management of information security;
• to establish requirements for the standard software solutions used to keep databases proceeding from the security needs of the entered data;
• to make sure that it would be possible to interface the solution with the X-Road if necessary; and to agree the organisation of audits of security measures in the contract with the security provider.

IT security incidents in local governments

Some examples of major incidents that have occurred in local governments:

• the security cameras of four Harju County local governments were broken into in 2017. The unpatched security holes in the cameras and the fact that access to the equipment was not restricted were used for the attacks.
• in 2017 an employee of Viljandi Music School gave access to their computer after receiving a phone call in English, where the caller claimed that they were a representative of Microsoft and needed access to the computer, because it was full of viruses. A password had been set on the computer by the time IT specialists got to it. However, the attackers failed to get any data this time.
• Another noteworthy incident that occurred in 2017 was the extensive leak of user data (over 550 user accounts) from the keyboard spy installed in the computers of the Tartu Vocational Education Centre.
• A phishing attack took place in many local governments in 2014, when employees were sent e-mail messages written in good Estonian asking them to update and correct the contact details of themselves, their colleagues and the agency.
• In 2013 several schools had trouble with the porn sites and websites spreading malware and focusing on selling medicines that were planted in the web servers of the schools.
• In 2010 unidentified offenders gained access to the servers of Narva Kesklinna Gümnaasium and used it to redirect ca 3,700 calls of phone users in Miami and Cuba. The school was presented with a bill for ca 24,000 euros, which was paid from the budget of Narva City.

Three of the ten local governments audited by the National Audit Office had experienced ransom attacks. All the data on the workstation computer could be recovered in two cases, but this couldn't be done in one case where data had not been backed up. The website of one auditee was used by offenders to send junk mail, because the software version of the website had not been updated. The auditees also pointed out in interviews that their intranet ports are often scanned to see if they’re open and attempts are made to enter the devices (e.g. firewalls) with preset passwords. There were examples where 4,000 to 5,000 attempts had been made in a month to access the intranet of a local government from various external devices.

Background:

The successful functioning of the public sector is increasingly more based on information technology and data, which are collected by the state and local government agencies. The possibility to develop better, more convenient and cheaper public services increases the quantity of data as well as the risk that the data will end up in the wrong hands, perish, become damaged, etc. Local governments are not immune to this either. The databases of the state and local government exchange data via the X-Road, which means that the weaknesses left without attention in local governments are passed on and may cause damage on a much larger scale.

Various requirements have been established in Estonia for keeping databases in order to guarantee the interoperability of the information systems used in the state – all of them form a comprehensive set for securing the state’s information system. The requirements related to guaranteeing data security are primarily interwoven in the implementation of the following principles:

• It must be possible to find all databases (some of which have also been approved) in the administration system of the state information system (RIHA).
• Data exchange with the databases belonging to the state’s information system and between the databases belonging to the state’s information system must take place via the data exchange layer of the state’s information system (X-Road).
• The implementation (incl. auditing) of the baseline security system of information systems (ISKE) is mandatory in respect of all the databases of the state and the local government (incl. those kept for the internal organisation of work or processing of documents between agencies).

The objective of the audit was to assess the activities of local governments in the implementation of information security measures and the state’s activities in improving the information security situation of local governments. The planning of IT security and the compliance with established requirements (e.g. data backups, password use, giving rights to IT users, the making of security updates, virus protection) was assessed in 10 municipalities, towns and cities. The audited municipalities were Kuusalu Municipality, Rapla Municipality, Viljandi Municipality, Paide Town, Valga Town, Võru Municipality, Audru Municipality, Kohtla-Järve City, Avinurme Municipality, Vihula Municipality.

In the case of four national databases, the auditors analysed what the keeper of the database had done to guarantee the security of the data exchange in which the local government engaged. These databases were the Population Register in the area of responsibility of the Ministry of the Interior, the e-File of the Ministry of Justice, the Estonian Education Information System (EHIS) of the Ministry of Education and Research and the Address Data System (ADS) of the Land Board.

The activities of the State Information System Authority (RIA), the Data Protection Inspectorate (DPI) and the Ministry of Economic Affairs and Communications, who are responsible for effective supervision in IT security issues, were also analysed. The information and support given to local governments were also reviewed.

Toomas Mattson
Communication Manager of the National Audit Office
+372 640 0777
+372 513 4900
[email protected]
[email protected]

• Posted: 6/12/2018 12:20 PM
• Last Update: 6/12/2018 12:30 PM
• Last Review: 6/12/2018 12:30 PM