Estonia's cyberattacks: Lessons learned, a year on

Summary:The concerted denial-of-service attempts against Estonia's critical national infrastructure have been a wake-up call for governments around the world any attackers, including cybercriminals, have made governments start taking action. "Whatever the motivation — organised crime, or a multitude of sources [of attack] — governments and major institutions are keenly aware of protection," says Grance. "If a business [such as a financial institution or government] sells trust, and it's shown to not have the ability to deserve that trust, people ask hard questions."

Grance points to the multitude of data-breach reports as another reason why governments have become more focused on data security.

"Data breaches motivate citizens a lot more than most other issues because it becomes so personal — they think 'that could be my child or my money'," says Grance. "They can be surly and upset when they feel governments are not protecting their interests."

However, while the recognition is there, Grance acknowledges that the size of governments and large institutions can make it difficult to effect change quickly enough to respond to the shifting threats of cyberattack. "People don't always adjust to how long change takes through a large infrastructure," says Grance. "There's the tyranny of the installed base, and to accommodate all interests takes a long time."

'Nothing special'
While experts agree the attacks on Estonia have made governments prick up their ears about IT security, not all IT security experts feel that the Estonia attacks warrant the level of worry they have caused in government circles.

"The data we have about the attack in Estonia tells us it was nothing special," says the University of Cambridge's Clayton, who points to a paper by Michael Lesk of Rutgers University. This paper claims that, at its peak, the amount of bandwidth consumed was approximately 90Mbps, for 10 hours. This, Lesk says, "isn't actually that much data".

"Plenty of corporations have that much bandwidth; in Japan, for example, it costs roughly $50 [£25] per month to obtain 100Mbps," says Lesk. "Estonia's problem is that it's a very small country, and its systems aren't configured for that kind of load."

According to Clayton: "That Estonia had a serious problem tells you more about Estonian infrastructure and network engineering skills than about the attack itself. That said, the surrounding furore, and the quite unjustified claims that governments were involved, has undoubtedly meant that people who want to try harder to make networking infrastructure secure have got more of a hearing. I just hope that when the hype fades and the incident is better understood, it doesn't look like the security industry crying wolf."

However, Estonian Ministry of Defence's Tammet says the attacks on Estonia were a "wake-up call" to governments, as they are all potential targets of politically motivated attacks.

"I agree with many politicians who have described the cyberattacks on Estonia as a wake-up call," says Tammet. "The issue is very topical and more and more governments and international organisations have realised the need to deal more seriously with cybersecurity issues."

"Nobody is safe in cyberspace, and any country with well-developed IT systems is a likely target of attacks that harm vital communication and IT-systems. In short, the likelihood that Estonia is attacked is similar to any other developed country," says Tammet.

Topics: Security


Tom is a technology reporter for, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.