Lessons for Europe from the first massive cyber-attack against a country
09.07.2008 | Jaak Aaviksoo | English news
By and large, a year has passed since Estonia suffered under an orchestrated and organized barrage of cyber attacks. The acts themselves lasted for weeks and targeted key governmental and private web sites, and selected critical information infrastructure while using a wide array of offensive techniques. At the highest moments, the amount of cyber traffic from outside Estonia targeting governmental institutions was hundreds of times higher than the "normal" levels.
Already in 2004, an idea regarding the foundation of the NATO Co-operative Cyber Defence Center of Excellence (CCD COE) was proposed in Estonia, to be conceptualized and developed during the coming year. However, it is only fair to agree in hindsight, that the general public and political awareness of cyber threats, both domestic and especially international, rose significantly after the described events took place and that in itself boosted the process of founding the CCD COE and gave it necessary momentum. The relevant memorandum of understanding between all the participating NATO member states (Estonia as well as "donor" countries, who contribute with brains as well as other resources) is due to be signed in May and optimistically, the NATO CCD COE could be accredited within the year. But as importantly, the attacks shed light on a subject that was for long regarded as an issue for scientists and geeks, rather than something, which might have a profound effect on the everyday life of any and every, citizen.
Understandably, it is still hard to place the new asymmetric threat of cyber-terrorism (I knowingly often use different terms for that something, which we still have not found a common definition for - that is one of the first and foremost challenges, i.e to define the terms of this brand new world) on top of our every-day agenda, especially in the realm of defence issues. Technological change and evolution is probably one of the most powerful drivers of change in our societies. Darwin's gradualist view that evolution is a continuous slow process seems to hold only to an extent - it is definitely continuous but not so very slow any more. Of course, whereas Darwin probably referred to mammals, I am referring to the fast development of technology. Ironically, when age and life-experience seemed to be the necessary criteria for mature decision-making, then the rapid speed of change seems to always favour the younger generation. Perhaps that is also one of the reasons why cyber-terrorism and cyber-crimes as credible threats have taken so much time to rise on to the table of political decision-makers. Self-critically speaking - we simply lacked the understanding and knowledge and to be sure, there must be a lot of relieved scientists and officials who are "thankful" for the Estonian cyber attacks as the threats that they have fumed about for years to their superiors have finally materialized. Luckily enough, despite enormously increased traffic in the Estonian case, critical infrastructure was not harmed and the attacks were absorbed and countered in a commendable fashion. So the cost of this lesson was within the boundaries of the acceptable.
On to the decision-making. NATO, among other institutions and stake-holders has responded most forcefully. We are expecting the NATO cyber defence policy framework to be endorsed at the upcoming summit in Bucharest this April. There is a common understanding to set up a body to share information and intelligence and co-ordinate our responses in a unified and standardized manner. It is the intention of the Estonian government, along with the to be founded NATO co-operative cyber defence centre of excellence, headquartered in Tallinn (Estonia), to be on the forefront of these changes to provide clarity and solutions in order to counter these new threats as well as learn and use the technological evolution to help guard our citizens and shield our critical infrastructure from outside manipulation, provocation and direct attacks.
However, we need to recognize, that as is the case with other capabilities, NATO as well as the rest of the international community of liberal democracies is only the sum of its parts. In other words, much of the realization of our common plans lies with the national governments. And the preparedness of national governments to tackle issues related to cyber defence vary, to say the least. Nevertheless we should relentlessly pursue the adoption of mid- to long-term national strategies in order to give our internal discussions and debates (which political budgeting definitely is and the cyber defence cause will prove worthless without the allocations of necessary funds) a framework to exist in. Indeed, framing the discussion, giving it proper definitions and starting out with the right questions is what Estonia has been doing since cyber attacks occurred in April and May 2007.
The Estonian government is shortly going to pass a Cyber Security Strategy for 2008-2013. We will share our findings and ideas with our partners and friends. The vulnerability of cyber space is an asymmetric threat to our security and one of the most important prerequisites for tackling it comfortably is the correct division of responsibility, which in itself demands a high level of and indeed, the willingness for inter-institutional co-ordination. Training issues, increasing the strength and resistance capabilities of our national critical IT infrastructure (how many national governments have already taken the step to define what that is in the first place? I imagine, not too many), increasing the safety and security of different management, control, oversight and support systems, filling today's legal void with the necessary definitions and regulation, spreading more information and fostering international co-operation are all part of the necessary minimum that we must all do in order to restore the confidence of our citizens in our ability to guard them from the very real virtual threats. Because in the age of the information society, that confidence has been severely eroded.
Security has become very much an issue of perceptions. When Estonia's banks, among other institutions, were subjected to cyber attacks, then the daily routines of Estonian citizens were effectively affected. In an age, where a piece of code can down airplanes or delete billions of euros of savings the public perception of security has changed. The actors that threaten state security are becoming less and less identifiable and this is having a deep effect on international relations as well. Also the public perception of national security shifts from outside threats towards internal security and the very credibility of national governments is at stake. It is also true that in our liberal democracies the state's role has been gradually scaled down and the responsibility of the individual has increased. It remains to be seen, how can we manage this "transfer of powers" in the realm of cyber space. When hundreds of thousands of computers of careless owners can be harnessed into botnets that are used to attack the critical it infrastructure of a given country - then what is the responsibility of the owner who's PC has been infected or used because of the owner's neglect? I understand the concern for civil liberties when national governments run to curb them in order to increase national security but I ask the liberal thinkers to help define the responsibility of the individual. This would also surely have to have implications in criminal culpability.
Despite our first steps, cyber security still remains as uncharted waters for many national governments as well as the international audience. The pressure exerted by different interest groups and the reality of politics in liberal democracies means that cyber defence is just one of many priorities for a government and usually becomes a priority for the electorate only when national security is penetrated or breached. So there is all the more reason to co-ordinate and consult each other, share experiences and form active and effective networks to pool our capabilities and resources together. This has to include taking the maximum out of the work of the different networks already at our disposal: international CERT (computer emergency response team) network, NATO Computer Incident Response Capability, Interpol, Europol, international Critical Information Infrastructure Protection network, International Standardization Organisation, International Telecommunications Union, European Network and Information Security Agency, the Common Criteria network. It is alarming that the terrorists and elements of organized crime find it easy to cross ideological chasms or different interests to co-operate whereas national governments seem to keep stumbling across the smallest of possible objects to derail good intentions. Many of the international institutions are already there - we must reach out and use them for our common benefit.
Source: The European Files
