Data Embassies: Sovereignty, Security, and Continuity for Nation-States

Signs, with one in the center:  Never give up!  Ukraine, with a heart.

[EDRM Editor’s Note: ComplexDiscovery posted this overview of the emergence of Data Embassies for continuity in light of world conditions. EDRM is grateful for the permission to excerpt from their work, and highly recommend reading it.]

ComplexDiscovery’s Editor’s Note: Data embassies are an innovative approach to the digital continuity of nation-states as they serve as extensions of a nation-state’s cloud through state-owned server resources outside of the nation-state’s physical territorial boundaries. The data embassy approach is unique as nation-states historically have stored their information within their physical territorial boundaries. This recent approach provides the capability for a nation-state to host data and service resources in a secure data center outside its physical territorial borders and operate those resources in times of crisis ranging from large-scale cyberattacks to military invasions by hostile nation-states. This approach is also designed to provide sovereignty, security, and continuity for nation-states in situations where the operation of hosted data and service resources inside physical territorial boundaries is diminished, denied, or destroyed. By having an established data embassy, a nation-state can expatriate government-critical data and services to a diplomatically-secure location, enabling continuity of government with the protections of immunity and inviolability.

Provided in this post is a non-all-inclusive compilation of informational articles, agreements, and reports that may be helpful for those seeking to learn more about the concept of data embassies and the sovereignty, security, and continuity implications of data embassies for cybersecurity, information governance, and legal discovery professionals.


Extract from Wikipedia

Data Embassy [1]

What is a data embassy?

A data embassy is a solution traditionally implemented by nation-states to ensure a country’s digital continuity with particular respect to critical databases. It consists of a set of servers that store one country’s data and are under that country’s jurisdiction while being located in another country.

What is the purpose of a data embassy?

Data embassies are regarded as a tool to ensure a government’s digital continuity, meaning the survival of critical databases to allow the continuation of government even in a situation where governing from within the country’s borders is no longer an option. Among threats that might lead to such situations are natural disasters, large-scale cyberattacks, and military invasion. In the worst-case scenario, a data embassy could enable the government to provide its digital services without the national territory under its control. This makes data embassies particularly attractive to countries that have already digitalized their most crucial databases and are situated in the vicinity of the aforementioned threat vectors. Additionally, data embassies can offer additional computing power for heightened server traffic, for example during election season or the period of electronic tax return filing.

Read the complete article.


Extract from Georgetown Security Studies Review by Nikolai F. Rice (October 10, 2019)

Estonia’s Digital Embassies and the Concept of Sovereignty [2]

In 2017, Estonia opened the world’s first “Data Embassy” in Luxembourg. Unlike a traditional embassy, this Data Embassy does not serve a diplomatic purpose. Rather, it is a cloud data center that backs up Estonian government institutions’ e-governance networks. The Data Embassy presents the first example of a country expatriating government-critical servers to a diplomatically-secure location. An experiment in sovereignty, governance security, and continuity of government, the Data Embassy is a backup for Estonia to reboot from if it ever loses its territorial independence.

Estonia’s move to an expatriated cloud was not accomplished by partnering with a private entity, whose offices or infrastructure might be subject to the jurisdiction of another state. Instead, Estonia partnered with Luxembourg to create an entirely novel institution in international law. The Data Embassy is Estonian sovereign diplomatic territory within Luxembourg—no state, no company, no entity has the right to access its infrastructure or information without the Estonian government’s consent. A cyberattack against Microsoft or AWS cannot bring down Estonia’s e-governance cloud because Estonia’s e-governance cloud is managed by Estonia.

Read the complete article.


Extract from NBC News Article by Yuliya Talmazan

Data Security Meets Diplomacy: Why Estonia is Storing its Data in Luxembourg [3]

Estonia’s tech reliance has pushed the country’s leaders to take precautions that few other nations have had to consider. In 2007, Estonia suffered a series of crippling cyberattacks that shut down private and government websites. It blamed the attacks on Russia, but the Kremlin denied involvement.

And when Russia annexed the Crimean Peninsula from Ukraine in 2014, the question of “data continuity” — should a military crisis develop — came to the forefront of public discourse.

So, Estonia looked outside its borders to secure its data in the case of a military attack or other major emergency. Wanting full control and jurisdiction over its data, it opted for a so-called data embassy — no ambassadors or diplomatic missions attached.

Unlike a conventional embassy, it would be nothing more than a room full of servers, storing data essential to keep the Estonian government and its core public services running should the country’s main servers get wiped out back home.

Read the complete article.


Abstract from Research by Nick Robinson and Laura Cast (2018)

Applicability of the Vienna Convention: An Exploratory Analysis [4]

The Vienna Convention has been long enshrined as the cornerstone of modern diplomacy. However, recent technological advances may have shifted this landscape, with international law requiring to adapt in the face of novel and unique challenges. Taking the case of the Estonian Data Embassy in Luxembourg, we assess the applicability of the Vienna Convention outside of the traditional diplomatic mission and within a government-operated data center. Evaluating the legal challenges and reinterpretations made by the Estonian government so far, this early analysis hopes to invigorate and advance discussions around the wider applicability of the Vienna Convention. Can similar diplomatic protections and inviolability be afforded to State data and information systems, or should such an international legal framework be updated to fit within a digital era?

Read the complete paper.


Parliament of Estonia Press Announcement (February 21. 2018)

The Riigikogu Approved Establishing of Luxembourg Data Embassy [5]

At today’s sitting, the Riigikogu (Parliament of Estonia) passed the Act on the Ratification of the Agreement between the Republic of Estonia and the Grand Duchy of Luxembourg on the Hosting of Data and Information Systems (563 SE), initiated by the Government.

On the basis of the ratified Agreement, the data and critical databases relevant for ensuring the continuity of the Estonian state can be hosted in Luxembourg’s national data center. It will increase the security of the Estonian digital society and the quality of the hosting of data.

The explanatory memorandum notes that Luxembourg has been chosen as a partner in the hosting of data and information systems because it has state-owned high-security data centers that have been certified at Tier 4 level. There are no such data centers in Estonia. Luxembourg is also ready to ensure the immunity of the Estonian data and information systems. Luxembourg is a digitally advanced society with whom it is possible to effectively cooperate in the field of digital services. Besides that, Luxembourg has very good data communication connections.

“The data embassy” is a national cloud solution through which it is possible to host data and services and, if necessary, to operate them from a secure data center outside the territorial borders of the state. This will enable to ensure the functioning of the Estonian state also when the functioning of the data centers located on the territory of the country has stopped or is disturbed.

The concept as a whole is novel, and, as far as is known, no such national system for hosting data have been taken into use yet. As the “data embassy” is not a diplomatic mission on which the same privileges and immunity are applied as on embassies, it was necessary to enter into an agreement. The Agreement determines the obligations and rights of both countries that are necessary to protect the integrity of the critical data and information systems of Estonia.

It is an innovative solution in international relations, and the conclusion of this agreement also constitutes a precedent in international law.

The Agreement was signed by the Prime Minister of Estonia Jüri Ratas and the Prime Minister of Luxembourg Xavier Bettel in Luxembourg on 20 June last year. The document had to be ratified by the parliaments of both countries. Now it has been ratified both by the Parliament of Luxembourg and the Riigikogu.

Read the complete release.


Microsoft Blog Article (December 17, 2017)

Diplomatic Immunity for Data: Estonia Creates a Virtual Embassy [6]

Article Extract

What springs to mind when you think of an embassy? Grand buildings lining Avenue de Tervuren in Brussels, Massachusetts Avenue in Washington D.C., or dotted across Mayfair in London? Perhaps a black-tie reception? Probably not a line of server racks humming away in a data center.

But just as the nature of statehood and sovereignty is undergoing profound change in the digital age, the concept of the embassy is evolving as well. And as with so many other aspects of digital transformation, Estonia is at the leading edge of this change. With no paper records for laws, the land registry, or other key national records, digital continuity is crucial for the Baltic state. That’s why next year they’ll open the world’s first data embassy in Luxembourg.

Estonia is more aware than most countries of the importance of cybersecurity and digital continuity. 
In April 2007, the country was the victim of a cyberattack that shut down government, bank, and media websites. Crucial internet infrastructure ground to a halt — in a country with no paper backup.

“Being close to Russia we know that we have to pay attention to cybersecurity,” says Taimar Peterkop, Director-General of the RIA, the Estonian Information System Authority. “All our digital services have to be secure to work — our resilience is built through not having all our data in only one or two sites.”

Throughout the 20th century, diplomats from countries at war would board a steam train carrying a diplomatic pouch full of documents, seeking refuge in a sympathetic capital. In the 21st century, governments need to stay online as well.

Read the complete article.


Agreement Between Estonia and Luxembourg (June 20, 2017)

Agreement Between the Republic of Estonia and the Grand Duchy of Luxembourg on the Hosting of Data and Information Systems [7]

Complete Agreement (PDF)


Extract and Complete Joint Report by Microsoft and Estonia (February 3, 2015)

Implementation of the Virtual Data Embassy Solution [8]

Summary Report of the Research Project on Public Cloud Usage for Government, Conducted by Estonian Ministry of Economic Affairs and Communications and Microsoft Corporation

In 2013, the Estonian government began pursuing a Data Embassy Initiative, reflective of its innovative approach to e-government and of its need to ensure national digital continuity no matter what. Cloud computing, with its immense opportunities for resilience, security, and continuity in light of physical or cyber emergencies, was a potential solution. In September 2014, the Ministry of Economic Affairs and Communications, the Ministry of Justice (Center of Registers and Information Systems), and the Office of the President of Estonia agreed with Microsoft to work on a research project to assess the feasibility of the virtual aspects of the Data Embassy Initiative. In particular, the collaborative project tested how two separate government services – the official website of the President of Estonia and the Riigi Teataja, or electronic State Gazette – could be migrated and hosted on the Microsoft Azure cloud computing platform.

In the following report, the project team summarizes its research, which took place over three months. It addresses the Estonian Virtual Data Embassy Solution, a key part of the Data Embassy Initiative. It also looks at the current Estonian government ICT architecture, for context, and describes the “data embassy” concept, the website migration process, and the verification testing that was conducted to ensure that the migration was successful and to assess the security and resilience of the cloud computing services.

Particular focus was given to the potential legal protections of a Virtual Data Embassy, as the success of the initiative fundamentally relies on the ability of citizens to trust the security and privacy of such embassies. The latter naturally draws in at least three actors: the Estonian government, the cloud service provider, and the country wherein the cloud provider is headquartered. The technical outcomes are also outlined, i.e. storage, network, and compute architecture, with operational lessons, as well as security, identity, and data architecture findings set out. The report concludes with high-level recommendations, which could be applicable to any government, as they consider cloud computing to achieve their national objectives.

Click Here to Continue Reading at Complex Discovery

Author

  • Rob Robinson

    Rob Robinson is a technology marketer who has held senior leadership positions with multiple top-tier data and legal technology providers. He writes frequently on technology and marketing topics and publish regularly on ComplexDiscovery.com of which he is the Managing Director.

    View all posts