Strategic Impact of Cyber Attacks
05.03.2010 | Jaak Aaviksoo | English news
H.E Jaak Aaviksoo, Estonian Minister of Defence
At the Royal Defence College, United Kingdom
Ladies and gentlemen,
There is no doubt that cyberspace is a very important medium in the modern world. It should not come as a surprise to anyone that more and more countries in the world are using its possibilities for gaining greater efficiency and flexibility, and establishing a true modern society. Just as same, we should not be surprised if there are ways to exploit these new possibilities for malevolent ends. Today I would like to give to you my thoughts about this dual nature and its implications on our security environment.
The new challenges that the international community is facing are not as "clear and present" as they used to be. Terrorist attacks, information warfare and other subversive methods are the preferred tools of modern aggressors. As democratic states are coping with this new reality, one conclusion that can be drawn is that the nature of conflicts has unquestionably shifted. Conventional large-scale wars, especially in Europe, are becoming increasingly improbable. But if large wars are being left to the history books, the question is - how should states adjust to this? Should we be prepared to fight conflicts in cyberspace?
As you undoubtedly have heard, in the spring of 2007 Estonia experienced a heavy barrage of cyber-attacks against our information networks. Cyber-attacks in themselves are not particularly rare, and I believe that there have been cases in every country that has even the slightest "fingerprint" in cyberspace. What made the attacks against Estonia different was the level of organization that was apparent in those assaults.
The attacks took place from the end of April until mid-May. They were politically motivated by the relocation of a Soviet-era monument, the so-called Bronze soldier, which was deemed controversial because of its complicated historical connotations to Estonia. Most of the attacks were carried out against government servers and Estonian news portals, but also the two biggest banks in Estonia came under heavy attack. At the highest moments, the amount of cyber traffic from outside Estonia targeting governmental institutions was 400 times higher than its normal rate.
Some of the attacks were carried out in waves and were executed with very precise timing. They were also unusually well-coordinated and required resources unavailable to common people. At one point, attacks were carried out in a very precise timeframe and included groups of computers - "botnets" - that were possibly rented out earlier for this purpose. This fact would indicate involvement of other actors besides disgruntled or outraged civilians. Had Estonia not been well-prepared and had we not acted in a timely fashion, the impact of these attacks could have ended in much more severe results.
The best way of looking at the impact of this attack is considering the proportions. Taking into account the size of Estonian infrastructure and the scope of the attacks, it was one of the most significant coordinated cyber-attacks against a sovereign state in the world. This made it a quite unique, but not a very pleasant experience.
Although the attack was defeated without any long-term consequences, there were some immediate effects that affected all Estonian people, such as unavailability of online banking or difficulties in communications. In a country where 98% of bank transactions are made online and where majority of citizens fill tax forms online, I am sure that you can realise the impact that such prolonged incidents could have.
The impact of the attack was also amplified by the psychological effect and intimidation that it had on the general populace. Besides directly affecting the target, cyber-attacks created widespread confusion and miscommunication in the general public, as it was impossible to get online information on events in Estonia from abroad. This could have been one of the objectives of the attack.
From this Estonian case, and not only, we can draw a few conclusions applicable to all cyber attacks.
Cyberspace presents us with new vulnerabilities that exhibit a risk unlike anything that we have experienced up until this point. A very unique aspect of cyberspace is that vulnerability is strictly connected to how well-developed and advanced a country is at information technology. Obviously this means that the most vulnerable countries are the ones that have grown to depend on IT in almost every aspect of their societies. This includes most European nations, USA, and other developed countries. Nonetheless, developing countries, too, are using information systems more and more and are thus becoming more susceptible to threats from cyberspace. As time progresses, almost every country in the world is at a risk of becoming a potential target for cyber-attacks.
Furthermore, the threat that comes from cyberspace has a clear potential to be global and thus exceedingly asymmetric. As computers spread worldwide, attacks can appear from any place in the world. Seeing as almost every computer in the world is connected to the internet, perpetrators find it at times very easy to use mal-protected personal computers to participate in attacks by controlling them remotely. This way, a person from Middlesbrough or Essex could be involved in an attack originating from an altogether different continent even without knowing.
In order to provide cyber security, the efforts of a government alone are not enough. This means that it is in the best interests of state authorities to establish closer public-private partnerships. This would result in increased security for citizens as well as companies and enable to better cope with cyber-crime. In addition, we should also consider taking over best civilian practices, because frankly, the leading ideas concerning information and communication technology more often come from the private than the public sector. This is another incentive for deeper cooperation between state actors and private enterprises.
Another important lesson was that we, governments, as hierarchical structures are facing enemies in new conflicts who are non-hierarchical and well networked actors. So, for us it will be very difficult to act effectively against the networked actors with traditional hierarchical command and control mechanisms. One of the most important lessons from the Estonian attacks was, therefore, to make sure that you have your own defensive network ready before you are attacked. A network that will be possible to mobilise quickly in case emergency will be the key element in successful mitigation of cyber attacks.
* * *
An old saying by Zun Tsu - "every battle is won before it is ever fought" applies in all aspects of strategic planning as well as it applies in strategic planning for cyber conflicts. If we start our planning and think what kind of response will work in diminishing the effects of cyber attacks during the conflict, the good start could be to conceptualise what types of conflicts are likely to involve cyber attacks. Then we can also analyse what would be the impact of attacks?
In order to get prepared for the battle before it will be won or lost, it will be useful to categorise which cyber methods will likely be exploited at what levels, as well as what could be the possible consequences. One way to conceptualise the issue would be to divide cyberspace according to the levels of vulnerability.
The conflicts with most far-reaching consequences will occur at the global level. The World Economic Forum estimated in 2008 that there is a 10 to 20% probability of a major Critical Information Infrastructure breakdown in the next 10 years, with a potential global economic cost of approximately 250 billion US$. Although the consequences of this kind of conflicts will be severe, the preventive systems and countermeasures needed for recovering from the technological failure are quite similar to recovering from the man-made catastrophies.
The second category of conflicts occurs at the level of nation states. States are in an increasingly difficult situation since using cyberspace for warfare inhibits the principle of total asymmetry where the well-equipped traditional militaries could be helpless when attacked by a group of professionals with advanced cyber methods. Nation states should be also worrying on the probability of their civilian infrastructure attacked via cyberspace without clear attribution, and they should prepare necessary crises management mechanisms for this kind of attack.
One of the most feared conflicts in cyber space could materialise if a coordinated cyber attack towards country's critical information infrastructure is organized together with physical attacks. Whether it takes place during the military conflict, or not. However, cyber attacks during the (proper) military conflict will be more clearly attributable and during the military conflict, a well-developed framework of international law could be applied that covers the armed conflicts. The Law of Armed Conflicts regulates the humanitarian aspects of a conflict also when cyber attacks are used - to avoid casualties among civilian population, to refrain from non-proportionate responses, to consider secondary and tertiary effects etc.
The difficulty in a conflict between nation states where cyber attacks are used arises when the military methods are not used in kinetic terms, but the damage is achieved by cyber attacks. Although the consequences could be very serious, attribution might be still very difficult. A long discussion has been going on how to solve the attribution issue in a cyber attack. So far we have no clear concept of how this problem could be tackled during a conflict. Although the forensics analysis will show the original sources, and lead to certain people in certain nationalities or equipment, during the conflict when you try to retaliate you will not have time to figure out the exact attack chain. Additionally, nation states or state sponsored actors could use the actors on territories without proper law enforcement, with weak government structures and non-existent national cyber monitoring systems. Lawless "cyber heavens" exist and this is a known fact for nation states as well as for organised crime and the terrorists.
The third category of the conflicts where cyber attacks will be employed, could be agitating, terrorising, propagating or disinforming certain groups in the society. Internet as the largest world-wide medium has already become the most important battleground where fighting for hearts and minds of people occurs. We can envisage more of these types of conflicts happen where cyber attacks will be utilized as a tool in a larger information operation.
The dynamics of modern conflicts have been changing. Most of the conflicts are not occurring for new territories or for spreading ideologies, but they involve a great deal of different ideational factors: collective identities, norms, values and symbols. A major reason for conflict transformation lies in the fact that in industrially advanced post-modern societies the concept of security is perceived beyond the traditional military security.
We have already witnessed cases where military conflicts on the ground with thousands of people actually dying receive less international attention compared to the conflicts, which are carried out with an aim to affect certain symbols, values or lifestyles. In new types of conflicts, attacking a military site or any strategic facility might not provide the same effect compared to attacking something, which has a great cultural or symbolic value.
The fourth category of vulnerability in cyberspace includes economic actors, industries or sectors that are attacked for political reasons. Although the majority of attacks at this level are carried out for economic gains and with criminal motivations, the trend to attack civilian infrastructure during political conflicts will grow and industries might find themselves at an extremely vulnerable position while attacked by state sponsored actors with considerable resources.
A last, but very important category, which will be influenced by an increasing trend of conflicts occurring in cyberspace, are average computer users, or individuals. The individuals represent also a threat in cyberspace if their unprotected computers will be used as part of botnets, which could attack nation states, critical infrastructures and other industries.
The role of human factor cannot be underestimated. Cyber security is very similar to secure traffic where certain security culture is needed for behaving in the streets. Creating cyber security culture can be accomplished only by raising awareness of all computer users and investing to people's e-skills. In this respect, all individuals have a great role to play in creating a more secure information society in the long run.
* * *
After the attacks on Estonian Internet infrastructure, we started to develop a National Cyber Security Strategy, which was adopted in 2008 by the government. The strategy, which is based on the analysis of the consequences of cyber attacks at different levels, that I described briefly, offers a common vision for all actors in society how to reduce vulnerability of cyber space. The strategy envisages specific guidelines for many government and private sector organisations, universities, non-governmental organisations and also citizens.
Cyber security strategy has set a vision that information technology solutions should be supported by a high level of security standards for information systems and general cyber security culture.
One prerequisite for ensuring national cyber security is also an effective civil society, in which each citizen realises his or her responsibility to utilise the information systems at his or her disposal in a purposeful and appropriate way. We believe that a precondition for securing cyberspace is that every owner of a computer, computer network or information system feels responsible for the expedient and prudent use of the information and communication technology.
Reducing the vulnerability of cyberspace in the nation as a whole is accomplished through the implementation of domestic action plans, but also through active international co-operation, which supports the enhancement of cyber security in other nations as well.
(The strategy has set following major objectives:
· to ensure national cyber security, an extensive system of security measures will be employed;
· to increase the level of competence and expertise in information security and to raise public awareness of cyber threats;
· to advance national critical information infrastructure protection system with proportionate regulatory framework;
· to engage actively in international co-operation on cyber security.)
* * *
To conclude this lecture, I would like to draw your attention to three key issues where we, democratic nations, can work together so that the future generations can also enjoy the benefits that information and communication technologies bring to mankind.
First, let me elaborate on the need for extensive international collaboration in cyber security. As we experienced in Estonia in 2007, without the experts in European countries and USA, our information security specialists would not have been so successful in countering the attacks. I am glad to note that after the Estonian attacks, international cooperation on cyber security has become an important element in many countries' and international organisations' policies. Still, it will take huge effort to establish an effective international early warning and assistance system, which we will inevitably need in the future.
Secondly, we have to work on different models in different nations regarding how to build cooperation with private sector actors in this field. The majority of the infrastructure is owned by the private sector, and the majority of Internet users are companies and individuals - these are also the most vulnerable segments if the nation experiences a large-scale cyber attack. Therefore, the most effective response by the governments could be to support building the resilient civilian infrastructure and national capabilities that help to resist in times of crisis.
Third, it will be crucial to educate people how to protect their own computers as well as to guarantee that IT workforce has high level of competence in information security and practical skills. Since we rely on information technology in all spheres of human activities, the human factor is going to be a strategic element in building a secure information society in the future. Advanced education and skills of IT people will also provide for efficient reaction in cyber crises. For instance, in Estonia we have included the information security basic requirements to all IT programs at colleges nation-wide. In addition, our IT specialists have formed a voluntary organization - Cyber Defence League which aims to increase broad information security competence and awareness about the new threats.
In the cyber domain, we are facing a new type of threats. With these new elements we have to be innovative in preparing for future conflicts. I believe that if we are able to move forward with these last three components that help to secure cyber space, we have also moved closer to our final aim of building a more secure society for the future.
Thank you.
