Cyberwar I

What the attacks on Estonia have taught us about online combat.

Illustration by Robert Neubecker.

In Estonia, you can pay for your parking meter via cell phone, access free Wi-Fi at every gas station, and, as of two months ago, vote in national elections from your PC. The small, wired country can now add another item to this list of technological achievements: It’s the first government to get targeted for large-scale cyberwarfare.

Since late April, the Web sites of various Estonian government entities, banks, and media outlets have been barraged with extraordinary amounts of Web traffic (100 times more than usual), making them very slow and even unusable. The Estonian government has identified as-yet-unknown rogue Russian hackers and the Kremlin as participants in these denial-of-service attacks. Russia has firmly denied these charges.

After the attacks, officials from NATO and the European Union converged on Estonia’s capital, Tallinn, to analyze what had transpired. All the Estonians can point to as tangible evidence of these attacks are gigabytes of server logs. Most of the targeted Web sites, which for a brief time were accessible only to traffic from within Estonia, are now accessible to the vast majority of the world’s Internet users once again. It’s almost as if nothing ever happened. (Indeed, Estonian newspaper Postimees reported that half of those surveyed were not at all affected by the attacks.)

Even in the absence of the physical evidence generated by traditional warfare—charred remains, bombed-out infrastructure—we’ve still learned a lot about the nature of online terrorism in the last few weeks. For one thing, cyberwarfare is efficient. Even the smartest of smart bombs takes out adjacent buildings and kills innocent bystanders. When you wage war online, there doesn’t have to be collateral damage: It’s possible to target a single Web site at a time.

It’s also elementary to focus a cyberattack on the upper crust. In targeting Estonia’s online seats of political and economic power, the perpetrators sent a threatening message to a country where cabinet-level discussions happen online, and documents are signed by digital signatures. Linnar Viik, the architect of many of Estonia’s e-government services and now a government IT consultant, told me that there have been no panicked calls by politicians to completely shut down these online services. If these attacks had happened during March’s national elections, however, a lot of bureaucrats might have rethought the country’s dependence on e-government.

The Estonia case also shows how easy it is to cause massive panic on a shoestring budget. All you need to deploy a cyberattack is some malicious software, a bunch of zombie computers distributed around the world, and an Internet connection. Sure, you may need to pay for a “professional-grade” botnet—a network of computers that have been surreptitiously infected to run nefarious software. But surely that costs orders of magnitude less than the price of heavy artillery, battleships, and nuclear submarines.

Perhaps the most telling lesson here is how difficult it is to catch the perpetrators of online terrorism. Covering one’s fingerprints and footprints online is relatively simple, compared with getting rid of physical evidence. IP addresses can be spoofed, and an attack that appears to come from one place may actually originate somewhere else. As such, the Kremlin (or anyone else) can plausibly deny that they had anything to do with the attacks, even if the Estonians’ server logs show that the attacks first originated from Moscow. If the Russians don’t want to hand over data or documents—or even pick up the phone, for that matter—there’s not much that Estonia, or anyone else, can do to figure out the real story.

So far, only a single Estonian citizen has been detained and released in relation to the attacks. There have been no other arrests, indictments, or accusations made against any hackers inside or outside of Estonia—and there’s no reason to believe that there will be anytime soon. American government and military sites faced cyberespionage by Russian hackers in 1999 (an operation dubbed “Moonlight Maze”) and Chinese hackers in 2005 (“Titan Rain”). To date, no one has been caught for those crimes.

It’s clear that these hackers, whoever they are, understand how easy it is to hide in cyberspace. Consequently, they have no reason to stop. While the initial wave started in late April and early May, the head of the IT department for the Estonian parliament told me that as recently as May 18 the attackers hit the sites of the State Chancellery and the Federal Electoral Committee. This continued assault on Estonian Web sites illustrates that these attackers—be they rogue operators or Russian government agents—are relentless pests, first going after one set of sites, then another, then another.

Despite this grim outlook, Estonian officials and their counterparts in the European Union, NATO, and the United States have at least learned quite a lot about how an attack of this scale progresses. Since it may be a while (if ever) before the perpetrators are caught, the best plan is to fight off the attackers, one denial of service at a time. Perhaps in some sense, it’s good that Estonia was the patient zero for cyberwarfare. The small, tech-savvy country has provided a good blueprint for what to do to keep these attacks at bay.

Today, a team of Estonian computer and network experts from the various affected agencies is working around the clock in a secure chat room, monitoring their networks and sharing information about attacks and their possible attackers. They have also created blacklists of originating IP addresses and networks that are now banned from accessing Estonian Web sites. Until we develop better tools and techniques for catching hackers, that’s the best anyone can do.
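The monitoring-and-blacklisting routine described above, as an added example that is not from the article or from the Estonian response team: parse web server access logs, count requests per source address per minute, compare each source against a baseline (the article cites traffic at 100 times the usual level), and emit a candidate deny list. The log lines, IP addresses, baseline rate, and threshold factor are constructed assumptions, and the baseline and factor are parameters so the same check applies to other traffic levels.

```python
import re
from collections import Counter, defaultdict

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<minute>\d\d/\w{3}/\d{4}:\d\d:\d\d):\d\d [^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)

def make_sample_log():
    """Constructed Common Log Format lines (not real server logs): three ordinary
    visitors plus one source hitting the front page 150 times in one minute."""
    stamp = "[10/May/2007:14:02:%02d +0300]"
    lines = [f'198.51.100.{i} - - {stamp % i} "GET /news HTTP/1.1" 200 8800' for i in (1, 2, 3)]
    lines += [f'203.0.113.5 - - {stamp % (i % 60)} "GET / HTTP/1.1" 503 0' for i in range(150)]
    return "\n".join(lines)

def requests_per_source_minute(log_text):
    """Count requests keyed by (source IP, minute bucket); malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[(m["ip"], m["minute"])] += 1
    return counts

def flag_sources(counts, baseline_per_minute, factor):
    """Return {ip: peak requests per minute} for sources whose busiest minute
    exceeds factor * baseline, i.e. traffic far above what a normal client sends."""
    threshold = baseline_per_minute * factor
    peaks = defaultdict(int)
    for (ip, _minute), n in counts.items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items() if n > threshold}

def build_blocklist(log_text, baseline_per_minute=1, factor=100):
    """Sorted candidate deny list. Caveat from the article: source addresses can be
    spoofed, so a listed IP is evidence to investigate, not proof of who attacked."""
    flagged = flag_sources(requests_per_source_minute(log_text), baseline_per_minute, factor)
    return sorted(flagged)

if __name__ == "__main__":
    for ip in build_blocklist(make_sample_log()):
        print("deny", ip)
```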