This afternoon Estonian Minister of Defense Jaak Aaviksoo gave a Statesman talk at CSIS on "Real Threats of the Imaginary World." Why Estonia?
They were taken by surprise by a cyber-attack on April 27th, 2007. The minister learned about it when he couldn't get online. By then, however, the mid-level unofficial network of technical people was already at work and had already called in specialists from abroad. Their second move was to cut off access from some foreign servers. There was no formal decision-making process behind the reaction, and it's unclear whether the response steps were authorized by existing legislation. The third step, after the initial onslaught, was to bring in experts from abroad. Later waves came on the 4th and 9th of May, and by then Estonia was able to reduce the volume tenfold.
Most of the attacks were against government websites and servers, news portals, two banks and then all banks (one at a time), and internet service providers. The volume raised Estonia's internet traffic to more than 400 times the normal rate. The effects: street riots (up to $10M in damage), no access to online banking (90% of transactions in Estonia are done online; a few million in damages), and news sites cut off. It was not just volume: the attacks were well coordinated, timed to set windows, and synchronized with real-world demonstrations. They were carried out via a botnet of a million zombified computers (maybe 10% of them in the U.S.) that had been rented in advance from criminal groups. Renting costs ten to fifty cents per computer. Perhaps 1% of any given audience has a zombie computer.
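The two defensive moves described above, noticing that traffic has jumped far above its normal rate and then deciding which foreign sources to cut off, are simple enough to show in code. The block below is an added example, not anything presented in the talk or used by Estonia: it learns a per-minute baseline from a few quiet windows, flags windows whose volume exceeds the baseline by a configurable multiple, and lists the source countries that dominate each flagged window. The flow-record format, the country codes, the byte counts, and the threshold values are all constructed for the example.

```python
"""Volumetric flood detection against a learned baseline (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample of aggregated flow records: "<UTC minute> <src country> <bytes>".
# The format, countries and byte counts are assumptions made for this example;
# they are not measurements from the 2007 attacks. Four quiet minutes are
# followed by two minutes in which a handful of foreign sources swamp the link.
SAMPLE_FLOWS = """\
2007-05-09T00:00:00 EE 40000
2007-05-09T00:00:00 FI 20000
2007-05-09T00:01:00 EE 42000
2007-05-09T00:01:00 DE 18000
2007-05-09T00:02:00 EE 39000
2007-05-09T00:02:00 FI 21000
2007-05-09T00:03:00 EE 41000
2007-05-09T00:03:00 US 19000
2007-05-09T00:04:00 EE 45000
2007-05-09T00:04:00 RU 9000000
2007-05-09T00:04:00 US 6000000
2007-05-09T00:04:00 CN 4000000
2007-05-09T00:05:00 EE 43000
2007-05-09T00:05:00 RU 12000000
2007-05-09T00:05:00 US 8000000
2007-05-09T00:06:00 EE 40000
2007-05-09T00:06:00 FI 20000
"""


def parse_flows(text):
    """Yield (minute, country, byte_count) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, country, nbytes = line.split()
        yield ts[:16], country, int(nbytes)   # ts[:16] truncates to the minute


def window_totals(records):
    """Aggregate bytes per one-minute window, broken down by source country."""
    totals = defaultdict(lambda: defaultdict(int))
    for minute, country, nbytes in records:
        totals[minute][country] += nbytes
    return dict(sorted(totals.items()))        # chronological order


def detect_flood(text, warmup=4, threshold=50.0):
    """Flag windows whose total volume is at least `threshold` times the baseline.

    The baseline is the median total of the first `warmup` windows, so a short
    quiet period is enough to calibrate. Each alert carries the window's ratio
    to baseline and the source countries sorted by their share of the volume.
    """
    windows = window_totals(parse_flows(text))
    keys = list(windows)
    if len(keys) <= warmup:
        return []                               # nothing beyond the calibration period
    baseline = median(sum(windows[k].values()) for k in keys[:warmup])
    if baseline == 0:
        return []                               # an empty baseline would flag everything
    alerts = []
    for k in keys[warmup:]:
        total = sum(windows[k].values())
        ratio = total / baseline
        if ratio >= threshold:
            shares = sorted(((c, b / total) for c, b in windows[k].items()),
                            key=lambda cs: cs[1], reverse=True)
            alerts.append({"window": k, "ratio": ratio, "top_sources": shares})
    return alerts


def block_candidates(alert, home="EE", min_share=0.2):
    """Foreign countries carrying at least `min_share` of a flagged window's bytes.

    This mirrors the crude 'cut off some foreign servers' response; `home` is the
    network that must never be cut off.
    """
    return [c for c, share in alert["top_sources"] if c != home and share >= min_share]


if __name__ == "__main__":
    for alert in detect_flood(SAMPLE_FLOWS):
        print(f"{alert['window']}: {alert['ratio']:.0f}x baseline, "
              f"block candidates {block_candidates(alert)}")
```

On the constructed data the two attack minutes come out at roughly 300x baseline, the same order of magnitude as the 400x figure from the talk, and the per-country breakdown names the sources to cut. The caveat a practitioner would add is that cutting by country also drops legitimate users from those countries, and that since a tenth of the botnet sat in the U.S., a rule that blocks every dominant foreign source can block a friendly country as easily as a hostile one; in practice the country filter is a stopgap while upstream providers absorb or scrub the volume.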
This happened when Estonia displeased Russia by moving an old statue celebrating the Red Army. However, they have no solid evidence of who organized the attacks. All they can note is that the attacks were well organized and coordinated with diplomatic actions by "their big neighbor." There were minimal long-term consequences, and some of the attacks were neutralized thanks to friends inside and outside of Estonia. The real effect was psychological: confusion, intimidation, and loss of access to information. More developed countries are more vulnerable, but the threat isn't limited to developed countries.
After the cut, what to do on the defense?
He argued that cyber-attack is probably the best term to use, since there's no wide agreement on what cyber-warfare or cyber-terrorism means. I tend to think that for either war or terrorism you need to directly cause death or serious injury. We need some agreement on what the rules are; right now there's little opportunity for punishing it. He called for a comprehensive approach, because the national-international, public-private, and peace-war boundaries have all broken down.
We can't build some sort of "Maginot line": the attacker's location is rarely known afterwards, let alone beforehand. Attacks start in milliseconds and develop over hours, so the defense must act fast; most countries are only halfway to having defenses ready in advance. The problem is a risk management exercise. Key question: how to handle burden-sharing and split responsibilities among stakeholders?
Defense networks are well protected, but information networks and critical infrastructure are typically private and often ill-defended. Can these attacks be handled by the individual people, businesses, and agencies involved, or are they a national security threat? With guns and cars, owners can be held liable for some damage done by third parties. Should that be true of computer owners?
Estonia is working on a cyber-security strategy: conceptualize it, define critical infrastructure, get the necessary legislation, establish responsibilities, and work with internet and e-service providers to prepare counter-measures. NATO defense ministers have agreed to work on the problem. Estonia was already proposing a cyber-security center of excellence, with five participants at this time. The Council of Europe's Convention on Cybercrime already exists, but that's the only such instrument and it has few signatories. The E.U. could work on commercial cyber-crime and the like.