How to manage massive but theoretical ID-card security risk?
At the beginning of September a group of Czech scientists informed Estonia that the chips, produced by the German company Infineon Technologies AG and supplied to Estonia by Gemalto in 2014, carry a theoretical security risk. In Estonia about 50% of the population holds ID-cards with this chip, and it is theoretically possible that the private key could be derived from the public key. This potential risk raised the question of whether the Estonian ID-cards are secure enough and what Estonia should do about the problem.
According to the authorities, the risk is extremely small at the moment: it is only theoretical and not yet practical. Estonia therefore did not shut down any e-services or the electronic signature system. State agencies, banks, shops and other service providers continue business as usual, using ID-cards to authenticate users. The State Election Committee also announced that i-voting will not be cancelled for the local government elections in October. However, the Estonian Police and Border Guard closed public access to the database containing the ID-cards' public keys until a solution to the problem is found.
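The risk described above is a property of each affected key itself, so an operator holding a set of public keys (for example, the database that was taken offline) can triage them without any secret material. The check below is an added example, not code from the article or from the Estonian authorities; it implements the fingerprint the disclosing researchers published, which tests whether the modulus, reduced modulo each small prime, always lands in the subgroup generated by 65537. The sample moduli it builds are constructed here as test material (a positive control with the affected key shape and a sound key without it) and are not real ID-card keys.

```python
import random

E = 65537  # RSA public exponent; the affected generator builds its primes from powers of it

# Odd primes up to 167. The published fingerprint tests the modulus against the
# subgroup generated by 65537 modulo each of these primes.
FINGERPRINT_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73,
    79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167,
]


def subgroup_of_e(p):
    """Residues {E^k mod p}: the subgroup of (Z/pZ)* generated by 65537."""
    residues, x = set(), 1
    while x not in residues:
        residues.add(x)
        x = (x * E) % p
    return residues


SUBGROUPS = {p: subgroup_of_e(p) for p in FINGERPRINT_PRIMES}


def has_weak_key_fingerprint(n):
    """True when n mod p lies in <65537> for every fingerprint prime p.

    A modulus whose primes have the affected form k*M + (E^a mod M), with M the
    product of the small primes, satisfies this for every p dividing M; a
    modulus from a sound generator fails it with overwhelming probability.
    """
    return all(n % p in SUBGROUPS[p] for p in FINGERPRINT_PRIMES)


def fingerprint_report(moduli):
    """Triage a mapping name -> modulus; returns the names that need a new key."""
    return sorted(name for name, n in moduli.items() if has_weak_key_fingerprint(n))


# --- Constructed test material below; these are not real ID-card keys ----------

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with random bases, after trial division by the small primes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in FINGERPRINT_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def sound_prime(bits, rng):
    """A prime with no special structure, as a sound RSA generator produces."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


M = 1
for _p in FINGERPRINT_PRIMES:
    M *= _p  # product of the fingerprint primes (about 219 bits)


def weak_structure_prime(bits, rng):
    """Positive control: a prime of the form k*M + (E^a mod M), the shape the
    fingerprint is designed to catch. Used only to validate the detector."""
    r = pow(E, rng.randrange(1, 1 << 32), M)
    k_bits = bits - M.bit_length()
    while True:
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        cand = k * M + r
        if is_probable_prime(cand, rng):
            return cand


def build_samples(seed=2017):
    """Two constructed 512-bit moduli: one with the weak structure, one without."""
    rng = random.Random(seed)
    weak_n = weak_structure_prime(256, rng) * weak_structure_prime(256, rng)
    sound_n = sound_prime(256, rng) * sound_prime(256, rng)
    return {"weak-sample": weak_n, "sound-sample": sound_n}


if __name__ == "__main__":
    print(fingerprint_report(build_samples()))  # ['weak-sample']
```

The check needs only the modulus, so it can be run over an exported certificate list offline; a positive result says the key has the affected structure and should be replaced, while a negative result says the key did not come from the affected generator.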
Estonia is a pathfinder of the digital society, and no ready-made solutions to a problem like this exist elsewhere in the world. The security of the Estonian information society rests largely on public key cryptography, and finding solutions to a state-wide public key infrastructure issue is a unique challenge. The development of the Estonian information society is like a "space programme" that includes unpredictable difficulties; the strategies, practices and capabilities for managing its problems are created during the development process itself.
What can Estonia learn from this case? To avoid similar surprises in the fundamental fields of the Estonian information society, Estonia needs greater capacity in cyber security and technological analysis. This means the state should retain more permanent in-house expertise to deal with the critical aspects of the information society. Confidence and trust, among the Estonian public and in other countries, can be built through reliable risk analysis and comprehensive research.