Cyber Attacks Reveal Lessons
By Henry S. Kenyon
Reprinted with permission from SIGNAL Magazine
Estonia is the first nation in history to have experienced massive cyber attacks directed at its government and key infrastructure. The event, which took place over a three-week period in April and May 2007, marked the beginning of a new type of amorphous, hard-to-track threat to international security. Coming in successive waves, the attacks almost shut down the Baltic country's government, which relies extensively upon online transactions and e-commerce. In the aftermath of the incident, the European Union and NATO launched a series of initiatives to strengthen national infrastructures and to improve communications between national and multinational organizations in the event of another cyber attack.
One outcome of the attacks is that they elevated the concept of cyber warfare from the focus of a small circle of defense, intelligence and network security specialists to the attention of decision makers in national governments, says Lauri Almann, former permanent undersecretary of the Estonian Ministry of Defense. Almann, who is now a member of the Aare Raig law firm in Tallinn, Estonia, was involved directly in dealing with the incident and its aftermath.
The attacks coincided with political and social events taking place in Estonia during spring 2007. The government had moved a Russian war memorial statue in central Tallinn to a military cemetery. The statue was a touchstone for civil unrest between Estonians, many of whom see the statue as a symbol of Soviet oppression, and Estonia's ethnic Russian population, who view the monument as a commemoration of Russia's sacrifice during World War II. The dispute set off two nights of riots in Tallinn and saw Russian demonstrators besiege the Estonian embassy in Moscow. The event also generated extensive negative coverage by the Russian media. At the time, Estonia's government and law enforcement agencies were involved fully in trying to calm the situation.
Almann explains that he was at a police situation center when the attacks began. The facility housed a combined task force of personnel from the ministry of defense, the prime minister's office and police public relations. This group was responsible for publishing press releases and government statements reacting to the situation surrounding the statue's relocation. He notes that online briefings were the Estonian government's primary means of informing the public about the situation.
In the early morning hours of April 28, the public relations staff told the situation center that they could not post responses on the government's Web site. Almann concedes that in the heat of the crisis, the inability to post messages first was viewed as a technical difficulty. However, it quickly became evident that the government was under cyber attack. "It sounded like a science fiction movie," Almann recounts. He remembers sending a text message to the minister of defense very early in the morning describing the attacks and wondering if the minister would believe him. Although the Estonian experience now sets the standard for a national-level cyber attack, he explains that at the time, such incidents had only been the subject of panel discussions at network security conferences.
The attacks came in waves, and at their height, the Estonian government's ability to communicate was greatly limited. Almann says that during the first part of the attacks on April 28, government public relations personnel and officials struggled to send their messages out. "If you cannot get your message out, you completely lose your focus. It is a very effective tool in psychological warfare," he concedes.
Estonia is proud of its status as an e-country, which gave the denial-of-service attacks additional psychological weight because Estonians rely heavily on the Internet for their information. Online media outlets were the second target of the attacks, which limited coverage of the event to traditional media such as radio and television.
The most economically serious part of the incident involved attacks on Estonia's banking sector. According to Almann, 97 percent of his country's banking transactions are made online. "It's one thing if a citizen cannot get access to a government Web site or an online media site. But if you can't get access to your money, that's a serious problem," he says.
Those three weeks also saw targeted attacks on Estonia's critical infrastructure nodes. These pinpoint strikes took place late at night and sought to knock out important national communications capabilities. But they were limited in scope, and when Estonian officials analyzed the attacks, they determined that their goal was mainly to exhaust cybersecurity personnel.
Much is still not known about the incident. Almann speculates that the attacks could have been an excellent diversion or veil for a more serious type of activity that the Estonian government has not yet detected. During the course of the attacks, the government and the national computer emergency response team (CERT) successfully kept vital national systems operating. As the attacks unfolded, the Estonian national CERT immediately began arranging cooperation via formal and informal channels with international groups. Almann notes that formal communication channels worked well but adds that in many cases, the informal channels proved vital.
Almann says that cooperation between the CERT and private sector firms such as banks and Internet service providers was a key factor in mitigating the attacks. Another lesson learned was the need for more formal arrangements to be in place. However, he cautions that when formal networks are put into place, existing informal networks should not be undone.
In the wake of the cyber attacks, Estonian government officials also asked about the obligations of other NATO or European Union (EU) countries in providing backup hosting of Web sites in such cases. This consideration goes beyond Article 5 of the NATO charter, which mandates intervention in the case of an attack on an alliance member, Almann says.
During the attacks, other nations refused many of Estonia's requests for backup hosting out of concern that they might be targeted by whoever was launching the attacks. "What can governments do in this area? Can we have a contingency plan for things like this? If governments can do something, who should pay? Is it good value for money?" Almann asks, noting that these questions still remain unanswered.
As a result of the attacks, Estonia's cyberspace infrastructure is more robust. Almann explains that since 2007, a considerable amount of national-level investment has led to development of policies and regulations for the government and private sector. NATO also has adopted a cybersecurity strategy based on the events in Estonia and established a NATO Cooperative Cyber Defense Centre in Tallinn. He adds that cyberdefense was highlighted as one of the alliance's priorities at a recent NATO summit. The EU also has launched several new initiatives and projects focused on critical infrastructure protection. But he adds that additional work is needed to create more robust networks across Europe and beyond.
Botnets - networks of compromised computers - were the main type of cyberweapon used against Estonia. The botnets launched a massive, distributed denial-of-service attack that swamped e-mail accounts with spam, causing the entire government network to nearly shut down. Almann argues that the threat from botnets has declined since 2007 as cyber attackers have moved on to other methods such as domain name server attacks. But he shares that botnets still can create considerable damage in a widespread attack.
Determining exactly who launched the attack is extremely difficult in cyber war. The attacks on Estonia are believed to have originated in Russia, although the botnets used to deliver the denial-of-service attacks were located all over the planet. The Russian government has denied any responsibility, claiming that private citizens and groups were involved.
Because state borders are meaningless to cyberthreats, international cooperation is key to containing and countering cyber attacks. Almann notes that some nations, such as Russia, have put forward ambitious ideas on cooperation and limiting the use of cyberweapons. However, he believes that the international community should build any initiatives on the basic principles used to fight cybercrime.
Almann maintains that very effective initiatives exist, such as the Council of Europe Convention on Cybercrime, which provides guidelines for governments wishing to develop their own anti-cybercrime legislation. Non-European states can sign onto the convention, which provides a framework for international cooperation on this issue. "It is one of the most effective international instruments existing in that field," he says.
Major nations such as the United States and Japan have signed onto the convention. Almann contends that international cybersecurity cooperation begins with the convention, which he says serves as a litmus test of a country's readiness to cooperate in the cybersecurity area. Russia is not a signatory, and it has withdrawn from joining the convention.
Almann praises the work by the EU, but he adds that much remains to be done. He believes that one of the greatest challenges in the area of critical infrastructure protection in Europe is that EU member nations have different rules and requirements for network security, which is an impediment for any type of cooperation. NATO also is doing good work with its cybersecurity strategy, which he says should be enforced vigorously. International cooperation is another imperative. Almann explains that this coordination should extend to allied nations that are not EU or NATO members, such as Australia and Japan.
On a national level, government/private sector cooperation is key to a cyber emergency response. Denmark, the Netherlands and Estonia are good examples of nations with active public-private sector coordination, Almann says. He adds that another worrisome trend internationally is agency-level competition. He explains that in his government experience, pressure exists for a single agency to provide leadership and oversight. But because of the large and diverse nature of the Internet, a more horizontal approach is necessary to spread responsibility among a number of agencies, allowing them to act effectively. "Responding to cyberthreats cannot, by their nature, be the sole responsibility of a ministry of defense or a department of home affairs or intelligence service," he declares.
Awareness needs to be raised among strategic decision makers, Almann explains. He observes that cybersecurity decisions often are made by politicians or civil servants who may not view network security as an issue affecting all sectors. He adds that national cybersecurity issues cannot be discussed adequately until awareness has been raised among members of world governments. "Among the strategic decision makers, we do not have enough discussion. The cybersecurity discussion should be brought into the mainstream of national security discussions. It's not an area for techies only," he remarks.
It is important not to focus only on the last incident. Almann explains that a variety of cyber attacks exist, ranging from the penetration of sensitive systems to manipulating data. He notes that a distributed denial-of-service attack is not what nations should fear, although it should not be discounted because it still can cause major disruptions. "We shouldn't be focusing on what happened to Estonia because what happens next time is going to be much worse and more dangerous," he warns.
Last Reviewed: May 18, 2012