Development and application of cryptography in the Estonian public and private sectors
The objective of the current research is to give an overview of the state of the art in the development of cryptography in Estonia, and to analyse the technological and economic potential of the field.
First, disruptive and emerging technologies in the field of cryptography are identified. This serves as a background for analysing the specialisation of the Estonian universities and private sector companies and their technological capabilities. Thereafter, the domestic needs, potential market niches and public procurement of innovation are discussed. Finally, a number of actions are proposed for further development of cryptography in Estonia.
As the result of the analysis of the priorities for research and technology development in leading nations, post-quantum cryptography, quantum key distribution, electronic identity, secure computation and privacy-preserving (big) data analysis, radio frequency protocols, Internet of Things (cryptography in limited environments), cryptographic protocol analysis, long-term protection of systems, anonymous networks, and block-chains were identified as particularly promising disruptive and emerging technologies.
There are three companies that conduct world class R&D in the above areas, and form the core of the indigenous cryptography rich industry in Estonia. These companies are, given the nature of their business, strongly integrated with the Estonian and European education and R&D systems. The above companies cater both for domestic and foreign markets, and their labour productivity is significantly higher than the Estonian ICT sector average.
There are, on top of the above, around 10 local companies with their own ICT products and services that implement advanced cryptographic solutions. Additionally, a limited number of cryptography-intensive early-stage start-up companies can be identified in Estonia. Furthermore, Estonia also hosts a number of subsidiaries of foreign-owned cryptography-related companies; these companies are weakly connected to the Estonian education and R&D systems.
Estonian universities have offered basic cryptographic education for almost two decades. What is more, cryptography is one of the strongest research fields in the Estonian computer science scene. Hence, one would expect to be able to find well qualified developers of crypto-rich applications on the local labour market. Yet, the supply of cryptography experts falls short of the booming demand, while the cyber security domain continues to gain more and more importance from security and defence points of view. The limited availability of cryptography experts in Estonia holds the companies but also the government itself back from defining and developing cutting edge crypto-rich products and services.
Estonia falls significantly behind its Nordic neighbours in R&D investments. The gross domestic expenditure on R&D was around 3% of GDP in Finland and Sweden, whereas business sector R&D investment was around 2% of GDP in 2017. Gross domestic expenditure on R&D was only 1.3% of GDP in Estonia in 2017. The business sector contributed half of it. In Finland, the ICT sector invested 1.3 billion euros in purchasing power standards (PPS) into R&D, while the Estonian ICT companies invested only 0.1 billion euros in PPS in 2015.
In conclusion, limited availability of highly specialised workforce, and suboptimal investment into R&D hold back the development of a competitive high-tech industry in Estonia. What is more, lowering of the level of mathematics and science education in high schools has become a major obstacle that undermines preparation of students for a future career in cryptography, or in fact, any mathematically sophisticated field.
Estonia has had notable success in the cryptography and cyber security domain. However, it now needs to do more to be prepared for future opportunities and challenges. Accordingly, the following recommendations are given for increasing the competitiveness of the cryptography-related companies, and adoption of advanced cryptographic technologies and services in the Estonian public sector.
- Estonian cryptography and information security companies are tiny on the global scale. Advancement of cluster co-operation is, therefore, inevitable for promoting and supporting the interests of the Estonian enterprises and universities in the field of cryptography and cyber security. The potential joint actions could include development of a mid- to long-term roadmap for Estonian cryptography and cyber security industry, advancement of collaboration between enterprises and universities in curricula development, fostering the participation in European collaborative research and development programmes, promotion of Estonian products and services internationally, etc.
- Establishment of a national cryptographic competence centre. The functions of the centre would include advising on the development of cyber security architectures, participating in the analysis phase of all major IT system procurements in Estonia and establishing requirements, carrying out threat intelligence tasks, and establishing requirements for maintenance of cryptographic systems.
- Attestation of cryptographic solutions. There is a need for development of capability for independent assessment of information security hard- and software products, even if it may not be feasible to immediately establish a fully fledged certification body.
- Capacity building in key emerging technologies. Out of the disruptive and emerging technologies listed above, there are some that require more attention than others, namely post-quantum cryptography, electronic identity, long-term protection of systems, secure computation and privacy-preserving (big) data analysis, and cryptographic protocol analysis. Increasing such capacities is important: we know from the recent past that major Estonian innovations in the field of eGovernance (such as X-Road or Public Key Infrastructure) have largely originated from competent and visionary engineers.
- Industrial R&D and product development. Governmental institutions need to take a more active role in public procurement of innovation. This presumes capacity building within these organisations as well. Products that deserve consideration as candidates for innovation procurement include several communication security solutions, quantum-safe eID, federated identity management, cross-jurisdictional data aggregation, and long-term security framework.
- Boosting math and science education on the primary and secondary school level. High-tech R&D cannot exist in isolation from the rest of the society. Most notably, many potential employees with strong math and science background are needed. The Estonian government needs to considerably raise the priority of math and science education as the core facilitator of R&D (not only in cryptography, but also many other areas of engineering).