Episode 100: Estonia’s Former CIO talks about engineering a secure electronic vote

In this week’s episode of The Security Ledger Podcast (#100 – woot!): Taavi Kotka spent 4 years as the Chief Information officer for the nation of Estonia – whose government is widely recognized as among the most technologically advanced in the world. He talks about the Estonian model for e-governance and how the U.S. has ruined the term “e-voting” for everyone. Also: what happens when discussions about the security of bits and bytes have consequences measured in flesh and blood? Joshua Corman, the Chief Security Officer at the firm PTC joins us to talk about it, ahead of his featured presentation at next week’s Security of Things Forum in Boston.

Estonia’s former CIO: this is why we can’t have nice things

DEFCON’s Voting Village has made an annual ritual of exposing the insecurity of electronic voting machines. But in Estonia, citizens have been voting electronically since 2005: easily, efficiently and without incident.

Taavi Kotka is the founder of Proud Engineers and the former CIO of Estonia

And voting is just one of a long list of government services that are now provided to Estonians online. Pretty much everything – in fact – can be done electronically, except getting married and divorced, Kotka said.

See also: FDA Medical Device Plan: a Baby Step in the Right Direction

Estonians have been voting electronically for 13 years. Their secret: a secure, well-engineered national identity system.

How? The country’s former CIO, Taavi Kotka said the secret is his country’s engineering-centric approach to tackling e-governance challenges including voting. Building from the foundation of a strong, unique government issued identity, Estonia has moved almost all government services online. In this wide ranging conversation, Taavi talks to me about his country’s ascendence to the vanguard of electronic governance and why he thinks privacy advocated in the U.S. who link electronic governance with privacy and security violations have it backwards.

The goal in Estonia, Kotka told me, isn’t to simply move services to the Internet but, ideally, to have the provisioning of government services so seamless and integrated that, in effect, they disappear completely.

Contrast that with the United States, he said, where conversations about voting technology and election integrity have become politicized and polarized, making it harder to work towards consensus and solutions. How bad is it? Katka’s countrymen don’t even use the word “electronic voting,” Kotka said. The U.S. and its travails with dodgy electronic voting machines has “spoiled” that term, he said. They call it “I voting” instead. Check out our full conversation!

Bits and Bytes, Flesh and Blood with PTC Chief Security Officer Josh Corman

The security of IT systems has long been an abstract problem for technologists steeped in the arcana of hardware, software and communications protocols. The specter of the city of Kiev darkened by cyber attacks against Ukraines electric grid, or of Hollywood presbyterian hospital in the US and National Health Services hospitals in the UK crippled by ransomware are proof that the consequences of cyber attacks – just like kinetic attacks – may now be measured in body counts.

See also: DHS announces New Cybersecurity Strategy

Josh Corman
Corman, of PTC, says that progress is being made on securing critical systems – but maybe not fast enough.

Joshua Corman, the chief security officer at PTC, has been raising the alarm about the rising stakes of cyber insecurity for years. Almost five years ago, he was among a handful of security experts who launched IAmTheCavalry, an effort to get the technology industry itself to take the point on improve the security of safety critical systems.

But he has worked closely within the system: with legislators in the House and Senate to craft draft legislation to provide guidelines for connected device security, and he’s been a strong advocate for companies of all stripes to adopt a “software bill of materials” that allows them to track and manage the various components that go into their products.

So how does he feel? Cautiously hopeful. “Progress isn’t linear,” Corman told me. “I think the hardest victories are the first few.But if you can get some early wins, then you can capture them and turn them to scale.”

The question is whether the information security industry can bring itself to do that. “Cynicism is not helpful,” Corman notes.

What happens when discussions about the security of bits and bytes have consequences measured in flesh and blood? Listen to my conversation with Josh ahead of his featured presentation at next week’s Security of Things Forum in Boston.

Spread the word!