Banking Industry a Critical
Link"> Another critical link in the chain of the civilian infrastructure was the banking industry. If several of Estonias banks become unreachable on the Internet, a majority of the countrys online transactions system would be paralyzed. "Gas, milk and bread" is what its all about, to quote Hillar Aarelaid, manager of the Estonian CERT (Computer Emergency Response Team). This is due to banking systems being run over the Internet. If the banks are not reachable, transactions (and other critical actions) cannot be completed. A third part of the civilian infrastructure that proved to be critical was a less obvious one: the press. Online newspapers were also under attack during this incident. While these attacks were unsuccessful in disabling news sources, they did highlight the importance of online news to the population, especially during emergencies and times of unrest.Its very likely that all three categories of infrastructure would have ceased operation for the duration of the attacks if it had not been for the efforts of incident responders in both Estonia and abroad, who leveraged cooperation and open information sharing to blunt the attacks. Led by the Estonian CERT, highly skilled professionals from Estonias ISPs and financial services and news organizations all worked together in a coordinated fashion, sharing information about and responding to attacks and building defenses against them. Others, such as the Estonian police, were also involved in this cooperative effort, which may just have prevented disaster. The Estonian response was nothing short of incredible. We can agree that incident response, when done in a professional fashion under clear leadership, is useful if not essential, but what of preparation? The private sector is often not regulated regarding information security, integrity and continuity, or it is only regulated in certain aspects and must fill in the gaps based on its own risk assessments and budgets. Should service providers, financial institutions and others be required by the government to cooperate on security? Should regulation of the private sector be increased? On the flip side, who will be held accountable for the risk, and how much risk capital will have to be kept in reserve? And when an online attack with an impact similar to the one in Estonia happens, where will the ISPs and the banks go for help? And how does open cooperation with the press work? Some issues relating to national defense need to remain secret. Until now, it has been the private sectorthe infrastructure for businessthat we thought of as the civilian infrastructure. In Estonia, another aspect of defense may have been better deserving of the title: The civilians themselves became integral to the defense of their nations economy. Gadi Evron works as security evangelist for the vulnerability assessment solution vendor Beyond Security, based in McLean, Va.; is the chief editor of the security portal SecuriTeam; and operations manager for the Zeroday Emergency Response Team, or ZERT. Previously, Evron was the Israeli government Internet security operations manager and manager of the Israeli Government CERT, an organization he founded.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.