Estonian Cyber-War Highlights Civilian Vulnerabilities
Editor's Note: On April 27, many Estonian Web sites were overwhelmed by a series of cyber attacks. It's unclear where the attacks originated, but there have been reports that they seemed to be initiated after the relocation of the Bronze Soldier, a memorial to the World War II Russian Unknown Soldier, from the center of Tallinn, the capital city of Estonia, to a suburban cemetery. Gadi Evron of Beyond Security was in Estonia during the attacks. Following, he provides a postmortem.
The online attacks against Estonia are being referred to as the first Internet war. If this "war" is anything to go by, simple folk such as you and I may end up as the weak links in our country's defense.
Indeed, the attacks' impact was not what we might have expected: It was the civilian infrastructure used by banks, ISPs and home users, not the military's, that was under siege.
The Estonian incident is not the first of its kind. Whenever political tensions manifest between different ethnic groups or countries, the aftermath can be seen online shortly thereafter. Often, this involves attacks by groups of hackers who are sympathetic to one side but have no official affiliation with it. Having worked for the Israeli government's ISP, I have observed attacks such as these on a daily basis.
But for Estonia, a quiet state in northeastern Europe, this was new. There was something special about the Estonian attack, which hasn't been seen before on this scale: It wasn't just the hacker groups who attacked, it was the population.
While mobs were rioting in the streets of capital city Tallinn, Russian-language Web sites featuring blogs and forums (what I like to refer to as the Russian-speaking blogosphere) came alive with angry messages, followed by instructions on how readers could attack Estonian computers and network infrastructure on their own. The Estonians coined the term "cyber-riot," and it fits. From this point on, many different kinds of attacks with varying intensity occurred.
Estonia is a small country, but it is an extremely advanced country. With the fall of the Soviet Union, Estonians built their infrastructure from scratch. Since it was the beginning of the Internet age, their designs incorporated Internet connectivity using packet-switched technologies.
In Estonia, online banking and e-government are the norm. All Estonians have identification cards with encrypted identity chips embedded in them, and voting in the last elections was conducted from home, online.
In most of the Western world, acceptance of Internet technologies is not at this amazing level. (I doubt the United States will have voting from home any time soon.) But we are still very reliant on technology and on the Internet itself, and become more so every day. All of these advances increase our vulnerability to attacks, and Estonia is a window into our future.
A concern people raise when discussing information warfare, cyber-terrorism and other threats is how key systems in our infrastructure such as energy (supervisory control and data acquisition systems) and transportation (air traffic control) can contribute to the collapse of industries and even loss of life. However, in the Estonian attack, these played no role whatsoever.
The only critical infrastructure targeted in Estonia was the civilian one, and while civilian infrastructure is often worried about, it is typically underplayed in the grand scheme of things, especially when compared to airports and power plants. ISPs were the first critical civilian infrastructure targeted. ISPs, of course, are responsible for providing connectivity to the Internet, and if that connectivity disappears, the entire infrastructure based on it ceases to work.
Banking Industry a Critical
Another critical link in the chain of the civilian infrastructure was the banking industry. If several of Estonia's banks become unreachable on the Internet, a majority of the country's online transactions system would be paralyzed. "Gas, milk and bread" is what it's all about, to quote Hillar Aarelaid, manager of the Estonian CERT (Computer Emergency Response Team). This is due to banking systems being run over the Internet. If the banks are not reachable, transactions (and other critical actions) cannot be completed.
A third part of the civilian infrastructure that proved to be critical was a less obvious one: the press. Online newspapers were also under attack during this incident. While these attacks were unsuccessful in disabling news sources, they did highlight the importance of online news to the population, especially during emergencies and times of unrest.
It's very likely that all three categories of infrastructure would have ceased operation for the duration of the attacks if it had not been for the efforts of incident responders in both Estonia and abroad, who leveraged cooperation and open information sharing to blunt the attacks.
Led by the Estonian CERT, highly skilled professionals from Estonia's ISPs and financial services and news organizations all worked together in a coordinated fashion, sharing information about and responding to attacks and building defenses against them. Others, such as the Estonian police, were also involved in this cooperative effort, which may just have prevented disaster. The Estonian response was nothing short of incredible.
We can agree that incident response, when done in a professional fashion under clear leadership, is useful if not essential, but what of preparation? The private sector is often not regulated regarding information security, integrity and continuity, or it is only regulated in certain aspects and must fill in the gaps based on its own risk assessments and budgets.
Should service providers, financial institutions and others be required by the government to cooperate on security? Should regulation of the private sector be increased?
On the flip side, who will be held accountable for the risk, and how much risk capital will have to be kept in reserve? And when an online attack with an impact similar to the one in Estonia happens, where will the ISPs and the banks go for help?
And how does open cooperation with the press work? Some issues relating to national defense need to remain secret.
Until now, it has been the private sector, the infrastructure for business, that we thought of as the civilian infrastructure. In Estonia, another aspect of defense may have been better deserving of the title: The civilians themselves became integral to the defense of their nation's economy.
Gadi Evron works as security evangelist for the vulnerability assessment solution vendor Beyond Security, based in McLean, Va.; is the chief editor of the security portal SecuriTeam; and operations manager for the Zeroday Emergency Response Team, or ZERT. Previously, Evron was the Israeli government Internet security operations manager and manager of the Israeli Government CERT, an organization he founded.