How to back up a country

WIPING a country off the map is one thing. Wiping its data is another. Estonians know what the former is like. They are determined to avoid the latter. Just as computer users back up their laptops in case they break or are lost, Estonia is working out how to back up the country, in case it is attacked by Russia.

Estonia has already shown notable prowess in putting government services online. It has pioneered the use of strong digital identities for every resident, enabling them to sign and encrypt documents, access government services, and conduct e-commerce.

But the latest project, termed “digital continuity”, is the most ambitious yet. It aims to ensure that even if Estonia’s government is sabotaged it will continue to function over the internet, providing services and enabling payments. The lessons will be valuable to any organisation concerned about disaster recovery.

Estonia, which regained independence in 1991 after being occupied by the Soviet Union, was the target of what many regard as the first instance of cyber-warfare. In 2007 its main websites were overwhelmed with traffic from multiple sources in a distributed denial of service attack during a row with Russia over a war memorial. The episode crippled the country’s online banking system and came within a whisker of disabling emergency services. Lately Russian airspace intrusions and propaganda attacks are a constant headache.

Estonia’s first dry run of digital continuity, carried out in September last year in conjunction with Microsoft, had several elements. One was to maintain e-government services by using back-up computers within Estonia. If that became impossible, the services migrated abroad.

One part of the experiment involved the website of the president, Toomas Hendrik Ilves. A digital-savvy, American-educated advocate for e-government—and a hate figure for the Kremlin—his website is a likely target for Russian attack. During the war in Georgia in 2008, unknown hackers defaced the website of that country’s president, Mikheil Saakashvili. Mr Ilves’s website was moved fairly smoothly to the “cloud”—networks of third-party computers—in this case Microsoft data centres in Dublin and Amsterdam.

The load and the stress

A more complicated effort involved the State Gazette—the official repository of all Estonian laws. These do not exist in paper form. As well as backing up the data, the experiment tried to see how accessible it would be in an emergency. It applied two tests: one of load (if an unusually large number of people were trying to access the sites); and the other of stress (if outsiders were, for instance, swamping the system with bogus requests for information).

The result was broadly a success—the experimenters even succeeded, for a brief planned period, to run services from outside Estonia. But it also highlighted numerous obstacles. “It became clear that no matter how ready you think you are, you are never ready enough,” notes a draft report jointly compiled by the Estonian authorities and Microsoft.

One set of issues is legal. Laws on personal data, and public expectations of privacy, are strict in European countries; just as with back-up services for computers, users need to be sure that their data will be properly safeguarded if they are sent abroad. Storing such personal information in “digital embassies”—computers in Estonian diplomatic missions abroad—helps as they are Estonian sovereign territory. But internet law is still unclear.

Technical problems included the way the internet deals with addresses—the Domain Name System (DNS). How would the Estonian authorities ensure that people trying to reach president.ee, for example, would actually get there in an emergency—particularly if a massive cyber-attack were under way? Sorting this out required “extensive manual operations”, the report notes dryly.

Digital continuity would become even trickier if the back-up operation were to include more complex services. Estonia’s public and private databases exchange information over a peer-to-peer network called the X-Road, a kind of information federation. Users give their digital consent, by using their ID card and PIN, to allow one database to get information from another (for example, if a hospital needs to check a patient’s status with a health insurer). So it is not just the data, but also the software that deals with them, that would need to be exported.

The experiment’s designers soon spotted several snags. One was that Estonia’s system uses lots of different software, in multiple versions, some of them out of date. That works fine when they just need to exchange data, but makes it hard to replicate the system in the cloud.

Another was that the architecture of Estonia’s system is poorly documented, and that rules for classification of data as sensitive, personal, secret or public were not suitable for digital continuity: “frequently only a small number of experts understand the workings of the system,” the report notes.

The main conclusion of the exercise is both simple to articulate and difficult to achieve: the better data and networks are organised, the better the system is documented, and the more standardised and up-to-date the software, the easier it is to back up and restore. That may be no surprise to any computer user, but it will be a spur to improvement on top of Estonia’s already impressive efforts.