Data security meets diplomacy: Why Estonia is storing its data in Luxembourg

Estonia is entrusting terabytes of information on its citizens to an ally in the hope of improving the security of its crucial government systems.
People look at visualizations at a cyberdefense exercise organized by the NATO Cooperative Cyber Defence Centre of Excellence in Estonia on April 10, 2019. Ints Kalnins / Reuters file

By Yuliya Talmazan

Decades of political stability and prosperity have made the tiny European nation of Luxembourg a trusted destination for the storage of sensitive data.

The country boasts 23 high-tech data centers, the majority of which were built in the last 10 years, and high-speed international connectivity. For several years now, it has been entrusted with storing data for NATO and the European Union — and now, the country of Estonia.

In early June, Estonia transferred four core databases of information, including land and business registries, to servers at one of Luxembourg’s high-security data centers, the exact location of which was not disclosed to NBC News because of the sensitivity of the matter.

Six more are on the way and should be transferred by September. It is believed to be the world’s first “data embassy.”

“Our government provided data center services along with immunity. This is the innovative part of it,” Patrick Houtsch, director of Luxembourg’s government information technology center, said. “Of course, they could have stored their data in some public cloud or service provider, but they would not have the same guarantees in terms of being able to completely protect and know where the information is.”

At a time when tech giants face growing distrust, Estonia is entrusting terabytes of information on its citizens to an ally in the hope of improving the security of its crucial government systems. The former Soviet republic is one of the most wired nations in the world. Using a system of high-tech national ID cards, Estonia’s 1.3 million citizens can do their taxes, vote, bank, make travel arrangements and access health care records online, often in a matter of minutes.

Estonia’s tech reliance has pushed the country’s leaders to take precautions that few other nations have had to consider. In 2007, Estonia suffered a series of crippling cyberattacks that shut down private and government websites. It blamed the attacks on Russia, but the Kremlin denied involvement.

And when Russia annexed the Crimean Peninsula from Ukraine in 2014, the question of “data continuity” — should a military crisis develop — came to the forefront of public discourse.

So, Estonia looked outside its borders to secure its data in the case of a military attack or other major emergency. Wanting full control and jurisdiction over its data, it opted for a so-called data embassy — no ambassadors or diplomatic missions attached.

Unlike a conventional embassy, it would be nothing more than a room full of servers, storing data essential to keep the Estonian government and its core public services running should the country’s main servers get wiped out back home.

In June 2017, the two countries signed a bilateral agreement guaranteeing that the premises of Estonia’s data embassy inside Luxembourg would be “inviolable,” just like the premises of a regular embassy would be — meaning no Luxembourg official, whether administrative, judicial, military or police, would be able to enter the embassy or access the data without Estonia’s approval.

“The agreement we have with Luxembourg is that it’s our territory, our jurisdiction,” Siim Sikkut, chief information officer for the government of Estonia, said.

The unique arrangement points to a growing realization that the increasing digitization of services and sensitive infrastructure can leave governments vulnerable. And while governments can contract private businesses such as Google and Microsoft for cloud services, such agreements can have shortcomings.

Estonia had considered putting government data in a privately-owned public cloud. The option was tested in 2014 when the country embarked on a trial with Microsoft, but it didn’t provide the level of control that Estonia was looking for.

Estonia is currently paying the government of Luxembourg 200,000 to 300,000 euros ($226,000 to $339,000) a year for hosting its data.

“We didn’t want to use a random cloud that’s somewhere around the world, where we don’t know what sort of rules and laws apply to the data we put there,” Sikkut said. “We wanted to have full jurisdiction over the data. No private cloud partner can really do that.”

For now, Estonia is keeping it simple and storing the data in Luxembourg as a copy of its main servers. Sikkut said the data is being continuously updated, but the frequency of updates is on a case-by-case basis.

Depending on how things go in Luxembourg, he says Estonia could be in the market for more data embassies elsewhere.

Government officials told NBC News that Monaco, another microstate in the middle of Europe, is following in Estonia's footsteps and entered into a digital partnership with Luxembourg in December.

But unlike Estonia, Monaco’s need for data protection comes down to its size.

Monaco is the second smallest nation in the world, at about three-quarters of a square mile, smaller than New York’s Central Park.

Should an emergency wipe out its servers, it’s likely a backup version sitting on its territory would be under threat as well.

“Bearing in mind the small size of the country, the government has considered the importance of backing up sensitive data in a center located several miles from the original site, which is not possible within the principality territory,” the country’s chief digital officer, Frédéric Genta, said.

Monaco’s data embassy in Luxembourg is scheduled to go live next year.

Sikkut says setting up a model framework that others could follow was their plan with Luxembourg all along.

He says many countries, especially those in naturally hazardous areas or conflict-prone zones, or that are simply too small to have their own infrastructure, can benefit from storing their data on the territory of another nation while retaining total control.

Indeed, Luxembourg officials have told NBC News that a number of countries in addition to Estonia and Monaco have expressed interest in the concept.

“The idea is to be this trusted partner, to be this place where you can put your data and where it will be secure,” Luxembourg’s Houtsch said. “You have to have a country you can trust.”