Thycotic PAM, IT and Cyber Security Podcast

401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.

Voted "Best Cybersecurity Podcast" in the 2021 Cybersecurity Excellence Awards

Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 17

Digital Identities and Government Innovations

EPISODE SUMMARY

The 401 Access Denied crew is joined today by Raul Rikk, the National Cyber Security Policy Director for the Estonian Government. Raul describes how Estonia transformed into one of the best cyber defense operations in the world after the 2007 coordinated cyber-attacks by Russia that took down Estonian banks, media outlets, and government bodies for up to several weeks. We delve into the culture of transparency and security since established by Estonia’s government that now enables its citizens to trust and utilize more efficient digital services than much of the world.

Joseph Carson

  • Chief Security Scientist at Thycotic
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Speaker at conferences globally

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Mike Gruen:
You're listening to the 401 Access Denied podcast. I'm Mike Gruen, VP of engineering and CISO at Cybrary. Please join me and my co-host, Joseph Carson, Chief Security Scientist for Thycotic as we discuss the latest news and attempt to make cyber security accessible, usable and fun. Be sure to check back every two weeks for new episodes.

Joseph Carson:
Hello everyone. Welcome back to another awesome podcast that we have for you today. The 401 Access Denied. I'm Joseph Carson, one of your co-hosts, based in Tallinn, Estonia. We have a special guest on the show today to really talk about some important history lessons around cyber war, cyber defense, and some creative innovations. So, I'm Carson, Chief Security Scientist at Thycotic, and I'm joined here with my co-host, the awesome Mike Gruen, MG. So, Mike, you want to take it from here?

Mike Gruen:
Yeah. Sure. So, Mike Gruen, VP of engineering and CISO here at Cybrary. And yeah, I'm here joined by Raul. I'll let him introduce himself from Estonia's government.

Raul Rikk:
Yes. Good day for everyone. I'm Raul Rikk and I work in Estonia in the government sector as a national cyber security policy director. My main responsibility is to take care that Estonian cyberspace is safe and sound.

Joseph Carson:
Awesome. That's a very, very big responsibility you have. It's something that many countries around the world are always challenged with. Just to give a lot of our audience probably that have heard me saying about Estonia many times on our podcast. And talking about some of the great innovations even around the identity system Estonia has. Can you give us just a little bit of background about Estonia as a country, and a little bit about the history, and probably for the audience, maybe a geographical lesson as well into where it's located?

Raul Rikk:
Yes. Estonia is located in the northern Europe. Above us there is Finland. In the left side there is Sweden. In the right side there is a big, nice, good neighbor, Russia. And south side, there is Latvia. So, we consider ourselves being as the Northern European.

Joseph Carson:
Absolutely. I think being here for many years, 19 years now, in Estonia, I do find that from a culture perspective, it is very, very similar to that of Finland and Sweden, so from a culture perspective, I do feel very much in Nordic country. So, that's something kind of from me relation wise.

Joseph Carson:
But Estonia has had a very interesting journey as a digital society. And I always find it very fascinating into some of the innovations. Of course, most people probably are familiar with Estonia from the likes of Skype. They're familiar ... many people are still using and familiar with Skype today. It's helped them through a lot of the remote working. And also, some things like Pipedrive as well and TransferWise. Some people don't know that those companies are based in Estonia. Can you give us a little bit about Estonia, let's say, the journey as a digital society and some of those lessons learned over the years?

Raul Rikk:
Yeah. Certainly. For us, the digital development started actually in the beginning of '90s when we got our independence back. So, our short history has been that after the Second World War, we were occupied by Russia, by Soviet Union actually. And of course, we were not happy about that. And finally, in the beginning of '90s we were able to get our freedom back. Then we had a big question that how to develop society as a general, but also that what is the most efficient way of doing that because Estonian population is not big. It's only 1.5 million people, so not much. We have to figure out how to get the efficiency and effectiveness in our daily activities.

Raul Rikk:
And during this time, we also see that different systems started to develop, so there were many different innovations happened already. And the '90s were the years where a lot of different things happened. The internet got quicker and the speed got better. And also, we saw different applications going into service, and et cetera. We thought logically that, okay, the ICT systems basically save our time and if we use them, we can compete with other countries.

Raul Rikk:
And of course, Estonia's goals were that we wanted to become part of European Union, the NATO. So, basically we had to compete with the big boys in the lead. So, we were the small one. If you go and play with the big guys, they don't care how big or small you are. You have to be quick and efficient. So, we saw that if you use ICT and if we do it well, we can actually compete with them. So, it was all about transparency, effectiveness, and also competitiveness. Economic competitiveness. And that's why we started to use ICT. It seems to be that we did it quite well. As you mentioned, Skype comes from Estonia and Pipedrive and other ... TransferWise and many other innovations. Bolt as well that competes with Uber, et cetera. So, it was kind of logical way to do things when you're able to start your country all over again. So, that's how our journey started.

Mike Gruen:
Do you think that there was an advantage to the fact that you were smaller? That that made it maybe a little bit easier than if you were larger and starting over? I'm curious.

Raul Rikk:
Actually, I don't think that the ICT development depends on the size of the country. I think it was rather the aspect that our political system was not ... how to say ... matured yet. So, our politicians were able to make decisions that older countries is really, really hard. Like, for example, in the United States, you have certain understanding how you ensure privacy and what are the rights of the normal people. Wear guns and et cetera. But we didn't have that. So, we look at ICT as a possibility and I think because of that, we were able to innovate so quickly in the government sector.

Joseph Carson:
Absolutely. I think that's one thing, Mike, we've always discussed previously when we talked about things from a digital perspective in the US. Because of the political blocking issues there, that it's more likely going to happen in the state level than it will happen in the Federal level. And we see that just ... It's more the more kind of the limitations of the political to be able to agree and move forward. And I think I agree with Estonia that at the time, if you don't have those political barriers, then you can innovate very quickly and adapt and accept change as well quickly as well.

Joseph Carson:
I think, Raul, one of the also factors for me is that it's about two items. One is the government's ability to plan and agree the strategy moving forward. But it's also the ability for the citizens to accept and use it as well and get the advantage and benefits from it. I think that's one of the critical things is that they see it as an enabler for them, versus that something as an additional check that many governments put in place. How accepting has the citizens been of the ICT sector, solutions that the government's been rolling out?

Raul Rikk:
Yeah. Very good question. So, I just comment one aspect that you mentioned that maybe this innovation should or could happen in United States on state level, not in Federal level. I actually don't think that it's possible because the way how we use at least the ICT is that it has to happen at least at the state level. Or not in Estonia, I mean, but in US, in the Federal level because there the systems are connected and you simply don't get the benefits out of the implementation ICT if you keep it only at the state level. So, for example, I think the innovation that we did first was the digital identification. So, it's actually security measure, but the basic problem with the internet connectivity was that nobody trusted really who's the other side. So, we solved the problem on security of the internet. And if you did at the state level, then all this services you can have only at the state level, but that doesn't give the efficiency to you.

Raul Rikk:
What we tried to do is that we started to issue ID cards for digital identification for everybody. So, the companies, the private sector, the public sector, citizens, they were all connected to the same ecosystem. So, everybody was able to identify themselves for the others. So, if you were a businessman you were able to do that for the government. The government was able to give whatever they had to give the authorizations or some licenses or whatever was there to the private sector, and citizens were able to use the whole ecosystem. So, the main innovation was that the securing the internet the way that all different parties, like citizens, government, the public sector, and then, the business sector, was able to use that. So, that was the real innovation.

Joseph Carson:
Awesome. That's great. I think one of the things I think you mentioned that is for me is really important is that everyone's using the same system is really critical. There's no two tier systems that for one, different for businesses, and for government. And also, the transparency as well. I think that was really critical was that the citizens can login to the systems and see their own data and the accuracy. And also, update it themselves. So, that for me is also building the trust between the citizens and the government ... kind of comment around how is that trust being maintained, and what's the government doing around making sure that the transparency and trust is there?

Raul Rikk:
Yeah. I think it started the way that one of the first services was the tax declaration. That governments simplified for the citizens. The government was able to gather all the existing information according to the regulations, and pre-fill the tax declaration for citizens. So, before it was I think there were like hundreds of different pages that we had to fill on paper and it was a really painful process. So, once it was automated and from citizens' point-of-view, it meant simply that they login to the system, I identify myself with a digital identification, so it's a trusted system. And I just checked whether or not everything is correct and I pressed okay. So, my tax declaration was done in five minutes.

Raul Rikk:
And because we didn't see any incidents with the system for many years, people started to trust it. And because it was so simple, people didn't only trust the system, but they started to demand or actually expecting that other government activities happen the same way. So, nobody wanted to go to the service center if there was a system that did the work for you. And then, you just check it as a boss and you pressed okay. So, I think this trustworthiness of the system, and on the other hand, the comfortability that came with this digitalization were the factors that created the trust that created also huge demand.

Mike Gruen:
And I think that's one of the biggest challenges in the US. I mean, I think our country's sort of founded on this notion of don't trust the government. So, there's a cultural ... there's just that that makes it very, very challenging especially at the Federal level when you think about that.

Raul Rikk:
But we actually control the government. The citizens control the government because by the law and regulations, governments always have certain rights to have your data, but if you don't have the digital system, you simply don't know what kind of data government has about you. But we have this oversight. So, the government has responsibility to show me as a citizen what kind of data government has and how they use that. So, I can check from the system when the policeman checked me last, or when they stopped me, or what kind of fine I had got for speeding too much, for example, et cetera. So, I have this overview.

Joseph Carson:
For me, one of the things is that that's what's really critical. And I find that I think Estonia really evolved into the government is really truly become a true service provider to the citizens. That's kind of how I make the comparison is that it has become a government service providers providing services to the citizen. And it's the citizens who are the boss and the ability to see what's happening to their data, keep it up to date, keep it accurate in order for the government to provide better services continuously to citizens. Well, I think that's what's crucial. It's one of the biggest differences that it's not about leaving the government to make decisions, but it's about making sure that the government's doing everything they can to provide better services to the citizens.

Raul Rikk:
Exactly. Actually, when you mentioned that, I started to think that if I have ever thought the way that government has only the right to decide on certain things because I have always thought the way that we had the government because we want certain common services from the government. And I think that's the mentality throughout Estonia that citizens have this perception that the reason why we have the government is because they should provide certain services to us. And digitalization is of course one of the things there.

Joseph Carson:
Absolutely. And along this digital journey, there's always bumps in the road. And there's always sometimes challenges. I think one of the kind of more widely documented and talked about one, even in many conferences that I go to around the world, is the cyber attack that happened back in 2007. And I know being here at the time, I remember there was some even violence in the streets. There was disruptions. There was a major denial of service. Can you talk a bit about the experience that was happening then? And what did the government change as a result of that?

Raul Rikk:
Yes. That's quite famous case. What simply happened was that the Russian government didn't like much that Estonia is an independent state then. They started to organize riots on the streets. And also, as I remember right we had four Russian parliamentarians coming to Estonia and they actually demanded the change of the government. So, it was a bigger situation. Not just the cyber attack against Estonia, but at the same time, when these riots started on the streets organized by Russia, and conducted through the Russian minority in Estonia. At the same time, we started to experience massive cyber attacks. And I have to mention that before that, we already had implemented the electronic identification. And the systems were actually secure, but what the Russian hackers were actually able to do, they were able to conduct denial of service attack against Estonia. So, basically they jammed our network traffic, just like in the physical world. Somebody comes with a lot of different cars and vehicles and this just jams the traffic. So, that's exactly the same thing happened in Estonia. They tried to cut Estonia off from rest of the world, so our internet connectivity didn't work well. And they also tried to intrude certain systems that they were not able to do. But the jamming was the main thing.

Raul Rikk:
And of course, what we did was very simple. We first started to cooperate with other countries. We cut off the bad traffic to Estonia, so we were able to maintain first our internal internet connectivity, but later also the connectivity to the rest of the world.

Raul Rikk:
And the main lessons learned was from this time that, okay, we have to ensure that the basic develop of security, but it's something that that happens, then we need a special and certain capabilities to deal with these bigger attacks against us as well. So, we started to develop our emergency planning in cyber sector. We created certain capabilities for the Minister of Foreign Affairs, so they were able to communicate with other countries about this issue. After that also, the international computer incident, the response teams community started to develop. So, there are many different things that happened after that.

Raul Rikk:
But during 2007 there wasn't this capabilities in place.

Joseph Carson:
Yeah. I remember actually Estonia was one of the first to actually establish that the CERT teams. And actually, that foundation with the CERT teams as well had helped us establish many CERT teams around the world. I know that the Estonia CERT team helped set up the Irish CERT team. Helped set up the New Zealand facility, Australia. So many countries around the world have also gained from that knowledge and have benefited from Estonia's really putting in.

Joseph Carson:
One thing I'd like to mention as well is back then I remember there was two items I remember that one was the establishment of the Cyber Defense League, which came together as a result of that. It has also grown in numbers and in practice since then. So, that was one of them. And there was also around 2008, there was also the setup of the NATO Cyber Defense Center of Excellence. And also, the discussions around with European organizations for security about how to ... There was two items. There was the DDoS attack itself. And it was the second biggest DDoS attack at the time. The first one I think goes back to 2001, which was DDoS attack. And this was the second biggest one since then. It was significant.

Joseph Carson:
As a result of that, the Cyber Defense Center of Excellence was set up, but also you kind of mentioned maybe a little bit around the data embassy concept because that's something I think for me was a great idea in order to become decentralized to have not one target of attack, but allow the country to almost become a true digital society as well.

Joseph Carson:
So, first can you mention a little bit about the Cyber Defense League and how important it is? And maybe should that be an example for other countries to maybe work with the public sector as well?

Raul Rikk:
Yes. First of all the Cyber Defense League, the necessity for the Cyber Defense League comes from the calculation that none of the organizations have enough resources if some big incident, crisis in the cyber sector happens. So, usually if something happens, we need the support. And the question was how to organize the support for these organizations being under attack or experiencing bigger or longer lasting cyber incidents, the crisis.

Raul Rikk:
So, we thought that we have this voluntary military organization in Estonia that we call Defense League. It's similar to US National Guard. And we thought that we use this organization in order to organize these experts that we have in the cyber field who are willing to support other organizations being under attack. And that's how this Cyber Defense League idea started. And so far we have developed it and the main idea is that they organize themselves the way that if somebody needs support being under attack, then they can support. But that's the whole idea and concept. And it has worked quite well.

Raul Rikk:
Regarding the data embassy idea, that's another issue that we all face is that the cyber attacks are global and cyber incidents are global as well. We have all different threats that target our ... or we have to consider ensuring the security of our cyberspace. For example, if the sun gets too active, it might generate electromagnetic pulse and everything ... That is one side of the world or the earth could be harmed. So, the idea is that because we are so dependent on the digital systems, we have to keep our data, not only in Estonia, but other places around the world as well. So, ideally, we would like to keep our data in Estonia, for example, also in US and also in Australia. So, different parts of the world.

Raul Rikk:
And now when we want to do that, there's a question that if we put our data in other country's jurisdiction, then how to ensure that other country's security service or police or whatever is there doesn't have the right to go there and take our data or to do something with it. That's why we started to develop this concept of when we keep our data in another country, that this data has to be considered as part of Estonia or being our property. So, that's how it started.

Joseph Carson:
I remember many discussions around that topic with RV and others at the time. So, one of the things ... I actually never thought about the ... For me, it was always about making sure that Estonia could even from a cyber attack that it also decentralize into multiple countries even would trigger something like Article 5 in NATO as well. If you want to attack Estonia, you had to target all of those locations simultaneously or together. But yeah, never thought about such a bigger concept that I was... Why would the US maybe want to do data embassy idea because they have so much land space as well. So, I never really thought about what happens if a true natural disaster does happen. That scale, how can you continue as a society with that much damage? But yes, major impacts, asteroids would it be or solar flares that can have a significant, let's say, electromagnetic impact. Takes all of that systems out in one side of the planet. So, I never thought of that side of things, so that's an interesting perspective.

Raul Rikk:
And I just want to say that it's related to the digital dependency. If you are truly dependent on the digital systems, like we are, we don't keep our data on the paper. Everything is in digital format in somewhere in the databases. And if you depend on that almost 100%, then the question is how can you actually ensure that nothing happens. Then you start to think what sort of different risks. And of course, suggest the ways how to mitigate this.

Joseph Carson:
Yup. So, around the data embassies, I remember initially they were actually putting the actual Estonian embassy locations for a period of time. They have started moving them into proper data centers because they provide much more resiliency, availability, protection stuff. Where I remember reading the first one was in Luxembourg. Is there plans to scale that out further? Or is it already been happening?

Raul Rikk:
Yes. We have plans because, yes, the first location as the pilot project that was done in Luxembourg, but we also think that the possibility to keep the data close to our embassies or at least on the embassy territory is also a good aspect because at the moment the Luxembourg, we can call it data embassy, but according to the international agreements, it's not considered as the embassy territory. So, it's not Estonian territory. So, for example, physical attacks against the data centers, we cannot say that it was attack against Estonian territory. If we keep the data in our embassy territory, then the attack against the embassy is an attack against Estonia. So, there are ...

Raul Rikk:
So, we see still develop the concept further, but the difficulty is that when we have embassies, there is not always the best internet connectivity in those locations. We have to consider the different aspects. So, that we develop further and let's see how we finalize that.

Joseph Carson:
And just on the Cyber Defense League piece, again, one thing a lot of countries have been investing into cyber defense, as well into defensive capabilities and it's been on the increase. Mostly for preemptive type of scenarios. How much does the government working on offensive capabilities? And also including the Cyber Defense League as well. Are they also considered an offensive team?

Raul Rikk:
Yes. Not maybe not so much in the Defense League, but in the Defense Forces certainly. We have cyber command in our Defense Forces. It's already I think several years ago we declared that we consider cyberspace the same way as other physical places, like land, sea and airspaces, so we certainly need military capabilities for cyber operations as well. So, we do that. But of course, I cannot comment to in our specific unit, what kind of capability we have.

Joseph Carson:
Absolutely. No problem. For all the countries, one thing that I've always remembered was around the ROI side of things. I mean, how much is the digital ICT systems for Estonia, how much is it helping the society, other than just doing things online? What's the value to the people? I remember, number of years back, maybe four, five years, around these ... that it was something about six days' GDP per year that was actually saving wasted time. People not having to do queues, not having to wait for days for prescriptions or so forth. Medical appointments with doctors. Where is that right now at the moment? Where is the value and what's that calculation happening today?

Raul Rikk:
Yeah. The value is huge. To calculate very precisely, it's probably not possible but we can do the rough calculation. To illustrate the situation, I can give an example. I had a course ... I went to school in United States. I think it was 2004 when we had the first elections in Estonia. I think it's first time when we were able to elect parliament electronically so over the internet using the electronic identification methods. So, I was in the States. My course mate was from Belgium. And in Belgium, the voting is mandatory. So, if they don't vote, they get the fine. So, my class mate had to vote. But because they didn't have the electronic voting system, he had to travel two times to the Washington DC, first to get the papers in order to fill all sorts of forms, at the second time, to actually vote and that give the vote to the embassy people. So, he said that the whole procedure took about two weeks to do.

Raul Rikk:
Then I showed to him that how we do in Estonia. I just opened my laptop. I logged in with my digital identification card and I did the voting in two minutes. So, you can see. Two minutes versus two weeks.

Joseph Carson:
A lot of money.

Raul Rikk:
And we have calculated the way that ... Yeah, it's a lot of money. If every Estonian uses the digital identification card for giving signatures, the person can probably save at least one week per year, or probably even more. And one week per year is about 2% of GDP. And 2% of GDP is a huge number. It's actually the 2% of GDP is the number that NATO countries, NATO allies are requested to invest to the national defense, so we can say that using digital identification and digital signature, we can afford the military forces.

Joseph Carson:
That's excellent perspective on it. Mike, what of the US ... Something like that to save even 2% GDP per year?

Mike Gruen:
I mean, yeah. I think we can save a lot more probably just based on all the bureaucracy, but again, there's so many considerations I think in the US around privacy, and security, the government that it becomes this intractable problem. As you were talking, I'm trying to think how would something like this happen in the US and how do you make sure that the government is seen as a service provider, which I don't think that ... I think that right there, that's the first hurdle. But yeah, no, I think it would be interesting to see. I think the ROI arguments are definitely very effective.

Mike Gruen:
I also think it's really interesting to think about the ... when you start mapping cyber security and cyberspace onto actual geo location because that's one of the biggest challenges is cyberspace exists in an abstract universe, but then does tie back down into physical systems, whether it's you only have so many connections, this country only has so many connections to other countries coming in on the internet. Like, actual physical connections, or data center, and the rest of it. I think that's a huge challenge for every country moving forward is this sort of globalization of information. At the same time, keeping your citizens' rights protected even as their data exists in other places around the world where maybe those rights don't exist. And I think it's a huge challenge.

Mike Gruen:
I'm curious when you guys are thinking about the digital embassies and how your ... it sounds like that's the reason for putting them in actual physical embassies because you still have that control. Is that fair?

Raul Rikk:
Yes. I think for certain data, like basic registers, like population registry, business registry, it makes a lot of sense because this is the data that we have to ensure the security with all possible ways. But you're really right that there are many services that are provided globally. Like, we probably all use Microsoft Office software to keep the calendar and do some other things, exchange emails, et cetera. The question is always that it's not only the question in the context of Microsoft, but the question is that where the company keeps data. Do they use the different sites globally? Like, maybe they keep in India or in China or in some other country. So, we have to certainly ensure that what the operations that the private businesses do, providing services to us, we have to ensure the security there as well. And the challenge is these days how to do that.

Raul Rikk:
So, one way whole Europe does that, or European Union, is throughout general data protection law. I know that when we mention law as you know it gets really boring. But real question is that we want to make sure that the companies who provide services to our citizens, that wherever these companies are, that it doesn't matter in which jurisdiction, they have to respect the laws of European Union citizens. So, basically our logic is that the data belongs to the citizen and we have to make sure that the businesses respect that.

Joseph Carson:
So, Raul, that's an interesting. It's got me thinking ... Now, my innovation thinking hat is coming on at the moment. And it got me thinking when you say. I remember absolutely the data embassy with the part was around the data that was actually bound to sovereign law. So, citizen's data that was bound by the law in Estonia that had to be maintained. And their whole concept was that you want the law to keep that data outside the ... breaching the law side of things. That was the idea to be able to put in other countries.

Joseph Carson:
But now, it got me thinking about there's two types of data here. There's the data that's bound by the law, that's population registry and other types of specific, whether it be tax returns and so forth. And then, you've got other types of data, which is just simply the type of data that's falling through the likes of technology providers out there, social media and so forth. And it gets into those two concepts. Is one is the absolutely data embassies is when it gets into there's really the legal boundaries. That's really where the framework is.

Joseph Carson:
And I remember a conversation I had many years ago was around the early days of GDPR with one of the ministers in the European courts. And the way that he put it to me was GDPR was like putting a flag on data. That it was like in international waters. That when you put a flag on that data, no matter where it travels in cyberspace, you want to have some type of boundaries of legal binding agreement. And that was the whole idea of GDPR was that as data float from port to port, data center to data center, it didn't really matter where it ended up being located. That flag on that piece of data being GDPR meant that you had a legal framework that was bound to it. And that allowed innovation to happen. It allowed technology to wheel and data to be able keep that ownership as citizens.

Joseph Carson:
And then, it gets into that GDPR and data embassies really work hand in hand with achieving those two concepts, sovereign data and citizen's data, and allowing it to work together. So, it's an interesting kind of ability I think. Many countries around the world can probably ... Even countries within Europe can take that approach looking at sovereign data, plus citizen's data, as two separate arms. But I think this is an idea for many countries to adopt something similar. So, therefore we're not trying to put firewalls up to prevent data from going beyond the firewall. It's more legal frameworks that allows it to work freely.

Mike Gruen:
As someone who has to ... like, as an individual who likes GDPR from my own individual perspective, but then also Cybrary, very global, where we deal with user data around the world, I do find it interesting and somewhat frustrating that, like, for example, I firmly believe all of the data of our users belongs to our users. We have a B2B offering, but the idea with Cybrary is your ... it's a career development platform. You're with us for life. We don't really care what company you work for at the time, but we do have a B2B offering where we're selling the ability for a company to provide Cybrary to their employees. And it's frustrating to get into these conversations with these businesses who believe they now own the data. A lot of European countries think of us as a data processor when my feeling is, no, the users are the owners. We're providing you access to this information. That's what you are paying us for. And these users are signing up and saying, "Yes, I agree to allow this company to see my data."

Mike Gruen:
And so, I think there's still all this really gray matter in GDPR because these are arguments I'm not winning with the businesses who are like, "No. These are our employees. That's our data. And yes, they have rights to that data, but it's still our data." It's a little frustrating. And then, I also think about as other countries come online and they create their own versions of GDPR which may be very, very different than the European and American views of data where they might say things like, "No, as the government, we have every right to ... we have access to that data, not the citizens." And so, how you create that patchwork and framework of understanding who's this user and where they located and where are they a citizen and what laws do we have to map to, it is a little daunting to think about the future if everybody starts coming up with different frameworks that are contradictory. So, I'm curious. Yeah, I mean I think it's one of those interesting things that we'll see play out over the next few years.

Raul Rikk:
Exactly. I think as well that what we're going to see in the future is that different cultures, so different I would say societies think differently about this data ownership and protection as well. And it is very, very possible that we're going to see that how the internet and how the services are going to be split between different cultures. So, maybe there is one logic in ... I don't want to draw very big lines, but let's say, the way that maybe in Asia there is one understanding how to do things, but in western world, there is different. And there is nothing to do. I think there is going to be some kind of boundaries between these different logics.

Mike Gruen:
Yeah.

Raul Rikk:
Of course it's not good for the ... yeah.

Mike Gruen:
Yeah, no, that's what I was going to say. I think when I think about it as an implementer, the easiest solution is just to say, "You know what? We're going to stand up a Cybrary in Europe that's going to adhere to all the European standards. We're going to stand up a Cybrary in Asia and we'll figure out how ... like, when somebody moves from location A to location B to transfer their information." And I think it saddens me a little bit to think about taking this abstract cyber security goes across all the borders, all nations, and then, having to map it back onto a globe for no other reason, but at the same time, good reasons because society is culture. And laws exist to protect citizens and that's ... It'll be an interesting metamorphosis over time of the internet I believe.

Raul Rikk:
Yeah. Exactly. Of course, nobody wants to ... Actually, we don't want that this happens, but it happens because there are different governments and different logics. We have seen it throughout history that at first when new innovation takes place, there is little bit just kind of like a wild west time. And after that the countries start to organize this area. And this is exactly what we're going to see related to the global internet and the electronic systems as well.

Mike Gruen:
Right.

Joseph Carson:
For me, one of the things I came to realize is that things like GDPR and when we talk about data privacy and data rights and data ownership, it ultimately really comes down to for me is a data rights management issue. Just like you do with any other industry, like music or copyrights and so forth in IP. It comes down to "This is the IP of the person." And therefore, rather than it being an industry of selling the data, but it will be an industry of renting. It's more become of a you're giving it for a period of time, just like you're buying music, you're no longer buying music. You're paying for the service of streaming it. You don't own the actual copy. Same as movies and other types of things. You're no longer buying the physical, owning that for whatever generations to come. It gets into that you're going to have it for the period of time that you have that service.

Joseph Carson:
And the same with the citizen and technology providers. It comes into that it gets into that this is really the citizen providing a service agreement for those companies to rent their data for that time they're using the service. Not to sell it. Not to own it. Not to take economical advantage of it, but simply as the product or service they're delivering, they're able to use that for the period of time they subscribe.

Raul Rikk:
But there is only one question. Who is the data owner?

Joseph Carson:
That was a big question I had many years ago when it was the ... So, we had the EU presidency. That was the big question that I raised to the Supreme Court at the time. The data conference that was at the time was who owns the data on their GDPR? And some actually specifically specified in GDPR that it's assumed, it's classified as the data subject. Who's the subject?

Mike Gruen:
It gets even more complicated about ownership when you're talking about not just the data that I own about myself, but then if I as a company start aggregating data and it's about the usage of my service. When you're using my service, I'm collecting this information about you. And you decide to leave my service, that data that is specific about the sort of aggregate and analyzed information that says like, "Hey, these courses were performed really well." However you want to look at it. That's where it starts to really get gray is when somebody says, "I want to delete my information. And I don't want you to have access to it anymore." Does that also mean ... what's the impact to all of these other systems that have been built on aggregating all of this data across our user base?

Joseph Carson:
This isn't in other...

Mike Gruen:
And who owns the aggregated version of the data? And I think that's where it really starts to get messy.

Raul Rikk:
Yeah. But I think at least in Europe it's clear now, according to the GDPR. All data that is related to the person belongs to the person. Simple as that. There is no gray areas. I think where the gray area comes is that different countries have different approaches. Europe has this approach that the person owns the data. As I understand, the US the logic is rather that the company who gathers and collects the data is the data owner. And of course, in some countries, like Russia and China, they promote the idea that the government owns the data because it's in their jurisdiction. So, different ways. But of course, from European perspective, I will say that it's quite clear. At least for us.

Mike Gruen:
You say that, but that's where a lot of the discussions that I have with European companies who ... going back to that B2B example ... where they believe that they own the data about their employees because they're the one paying for this service. And I'm making the argument, no. You don't own that data. You're just getting access to it. It's the data subject who owns it. There's definitely still ... I mean, while there might not be gray area in the law, there's certainly an understanding and people getting to that level of understanding.

Joseph Carson:
Yeah, interpretation of the subjects.

Raul Rikk:
The example you gave sometime ago was very good. That from a European perspective, the data is flagged. Like, putting the flag on the ... when the ship go into the international waters. So, from European perspective the data is flagged. The flag belongs to the person. And wherever this data is belongs to the flag owner. It's a good example.

Joseph Carson:
It was during ... I remember, maybe like 2011, I was at the Ministry of Transportation for Europe. And one of the Supreme Court was there. We were having this discussion for GDPR at the time. And it was like, I was working on a lot of maritime industry at the time. Working things like autonomous shipping. Actually it depends. I was against GDPR at the time. My mindset was like, "Why are you punishing these companies for being attacked by bad people?" And the minister kind of took me aside and say, "Let me explain as I see it." And that's how he explained to me was taking international waters.

Joseph Carson:
Now, ironically, the funny thing was we had a meeting about five, six years later around 2015. It was just getting into the final drafts of GDPR. And we were having a roundtable discussion. At the same time, we were actually having the meeting. And we realized that was the time when we realized that GDPR didn't apply in international waters, which was our whole conversation that we had ... Shortly after that, we came into a crisis meeting with the international maritime organization in order to build this framework for international waters for cyber security and data protection. And the ironic thing was this is when all of the technology providers came out with these data center barges, where they float to international waters in order to try to get around some of the legal aspects and things. So, it was interesting series of events.

Joseph Carson:
But one thing, Raul, I'd like to ... What would you recommend for other countries? If you were to recommend to other countries of what they should do, and taking from the lessons that Estonia has learned over these years? Where should they think about starting? What types of systems or what types of prioritizations they take? What recommendations would you have for other countries if they were to take the same journey?

Raul Rikk:
Mm-hmm (affirmative). Yes. I think that if there is a one thing that I would like to promote that's digital identification because it's like a passport to the digital world. So, we have the physical world, and if we want to travel, we have our passport with us, so we can identify ourselves. In the digital world, there is exactly the same needs. If you don't have this digital passport, it is impossible to identify and do legal activities. So, what we can do with this digital IDs to give legally binding signatures, which means that if I can do all legal operations wherever I am around the world. I can even vote for the parliament or the local elections, et cetera, et cetera. So, I can do everything. And I really cannot imagine anymore that how to ensure the basic current security without having this digital identification. I simply can't. I can't imagine that how it's possible because if you don't have that, then you have to deal with certain incidents on daily basis over and over again. It gets really boring.

Joseph Carson:
Absolutely. The foundation for me is really a strong identity and access management. Foundation. That's really where ... built upon. For some services, you can decide to use it or not to use that don't require ... You can still have some anonymity. But there's certain services that you must have. And many of those today, for many countries just on that physical form. And I think Estonia's really taken that innovation wise.

Joseph Carson:
So, kind of next thing is what next ... Where is Estonia taking it? What's the next phase? I have seen over the years many services, like prescriptions online, logistics has been amazing. I can't tell you how well ... One of the things I've found in the last couple of months is things like ordering things online, home delivery side of things, online school is being increasing significantly. So, a lot of these have allowed the country to continue providing services in a digital sense. So, what next? Where is the next direction? What is the next big thing?

Raul Rikk:
Mm-hmm (affirmative). I think the next big thing is probably the application or apps consolidation. So, it means that at the moment we have different apps, from the government's perspective. So, we have different ministries or agencies who provide different services, but you still need to go to different places to do the thing. But we want to integrate this. That according to the life events, like if you get married, for example, then there is a one procedure. You don't need to go to different digital environments to do the official procedure. You do the one flow. If you get the first child, for example, or if you get the child second or third one, same way. It's a life event. You do this through one application. And et cetera. So, I think that's probably the next big thing.

Raul Rikk:
And of course everything related to the artificial intelligence solution. So, even better automization and effectiveness that comes through that. So, I think these two aspects are the biggest.

Joseph Carson:
Also, I completely agree. For me, I always taken the concept is I remember 10-15 years ago when I was working, we were really focused around it was called software defined networks. Really looking at from a software perspective. And I learned from Estonia that that was the wrong way to view what you're doing. My goal is not to deploy software. My goal is to provide services and thinking about, "Well, what is the top services that I need to provide to people? And how do I make those as seamless as possible? What's the things that people do the most often?" I think it's great starting with the taxes and voting and banking and stuff, but it's really getting to that point where it's really thinking about that I don't need ... There's one process that might affect many different systems. How do I make that process as simple and as intuitive as possible? That doesn't mean I have to go to different places ... marriage and kids, you would have to go to different locations in order to do that flow. But simplifying that is amazing.

Raul Rikk:
But those you know how to make the system more automated and even invisible as well. So, for example, we have a very good case that somebody has asked sometimes how we organize the driving licenses. We don't need driving licenses anymore. We don't have driving licenses in Estonia because why do you have that if all information is in the data center or in the register? So, when the police stops you, they identify you according to the picture that they have in the database. You say your name, they identify you, and then, they know exactly that whether or not you have the driving license or not. So, we don't need to carry that anymore. So, that means that you eliminate the ineffective parts of the process, and you deal only with these effective parts.

Joseph Carson:
Agree. I think what is that it's not about showing as much data as possible. It's about asking the right questions I always find. It's that all that the police officers needs to know is that are you legal to drive? Simply that's the question that they have. And that question might mean, are you old enough? Do you have insurance? Is this car yours? So, their question is are you legal to drive? And all of this different piece of information might...

Raul Rikk:
Exactly.

Joseph Carson:
So, I remember years ago in UK you might get stopped by a police officer and they say, "Show me your driver's license. I want to see your car documents. Where's your insurance forms?" And you would have to have open your dock compartment, and have that pile of documents you'll have to go and show. And that contains lots of information. Like, even what you paid. It might contain other types of sensitive information, telephone numbers. Things that they don't really necessarily need to know. All they need to know is that are those documents valid. And they don't necessarily need to see them. And I think it's always getting down to asking the right questions and providing trusted sources that can provide the answers to those questions.

Raul Rikk:
Exactly.

Joseph Carson:
I have one question though. Is the Estonian bots. We talked about a little bit of going down this automation path. Who come up with the name "Kratt"? And can you tell me what Kratt means in Estonia? As far as I know it's a little devil or something. Some type of elf or something.

Raul Rikk:
Yeah. It comes from our folklore. There was a story. We have one very famous writer in Estonia. He wrote this story that when Estonians were living in the countryside long time ago, they were not very rich. In order to make their work easier, they kind of created a ... how to say? They put together a doll that actually became alive and did the work for them. So, basically it was kind of like an artificial servant that everybody were able to make with wood and nails and create this kind of thing that did all the hard work for them. So that's where this ... And it was called Kratt. Yeah. It's a funny story actually behind it.

Joseph Carson:
Yeah. Maybe that's something I'll have over a coffee with ... to find out what ... But yeah. I have an idea of the story where it came from, but I didn't have enough perspective that way. That it was about having somebody doing the work for you. And now it makes sense. Now it makes sense why it's called Kratt.

Joseph Carson:
But overall, it's been awesome having you on this show. And I think it's been great in listening to some of the amazing things that Estonia is doing. And I hope that this continues and that other countries can really continue. And I completely agree that it doesn't come down to the size of the country. I think it really comes down to the political stability and motivation to make things happen. And ultimately, that other countries can really take a service provider approach. How can we provide better services, not just how we can maintain the status quo, I think that's what's critical. So, it's amazing having you on this show. Really thank you. Any last comments, anything you'd like to share with the audience before we close it?

Raul Rikk:
I think it's more that if we can do everything with 1.5 million, that you can imagine what you can do over 300 million.

Joseph Carson:
Absolutely. It's a lesson for the US. So, Mike, any closing words for yourself? Any thoughts? Because this has been educational for you.

Mike Gruen:
Oh yeah, definitely. It's been very interesting. And I've enjoyed the conversation very much. So, I appreciate you joining us. Thank you.

Joseph Carson:
Absolutely. Many thanks, Raul.

Raul Rikk:
Yeah. The pleasure was mine.

Joseph Carson:
Hopefully, I get to catch up with you at some point in the physical world. So, we will see how things evolve, but for the audience, it's amazing to listen to Raul and what Estonia's been doing. And I think for this is something out there that you have a voice to be able to demand similar things and experiences for yourselves. And how important security is and how important identity and access management is really to the foundation. And ultimately, the real goal between is that trust and transparency, and building services that work for us.

Joseph Carson:
I think we do need many more Kratts in the world, something we can get into the ... stories, which I'll put a little bit in the notes and the show notes afterwards. Many thanks for attending the show. Do catch up with us every two weeks. Tune in for the podcast. Subscribe. You get to listen to myself and Mike going on once in a while, but sometimes you get into our ransom tantrums, but I hope it's always a fun discussion. Stay safe and catch up with you soon. And have a safe day. Thank you.