X
Tech

Estonia's cyberattacks: Lessons learned, a year on

The concerted denial-of-service attempts against Estonia's critical national infrastructure have been a wake-up call for governments around the world
Written by Tom Espiner, Contributor

The idea that attacks on computer systems could provide an alternative method of spreading terror and disruption has been a concern for governments since IT systems began to proliferate.

But it wasn't until Estonia suffered a series of concerted attacks in April 2007 that theory became reality. The movement of the Bronze Soldier, a Soviet-era war memorial commemorating unknown Russian soldiers who died fighting the Nazis, from a square in the capital Tallinn to a military cemetery, has been traced as the main flashpoint for the attacks.

Protests and riots involving ethnic Russians living in the country were the immediate result, but what no-one foresaw was the subsequent series of attacks aimed at computer systems managing the country's critical national infrastructure.

Incursions into Estonian government systems began on 27 April, 2007, with denial-of-service attacks and the defacing of government websites. Between 30 April and 3 May, there was a "gathering of botnets like a gathering of armies", according to Mihkel Tammet, the director of ICT for the Estonian Ministry of Defence. These botnets were used to launch attacks against the routers of ISPs hosting Estonian government sites, and their DNS (domain name system) servers, in an attempt to disable email.

The main attack phase saw distributed denial-of-service (DDoS) attacks against the two main banks in Estonia, Hansabank and SEB Eesti Ühispank. According to Tammet, Estonia "is 97 percent dependent on internet banking". The attacks peaked on 10 and 15 May, when some bank terminals were also out of order and foreign money transfers knocked out. Government systems were also attacked on 15 May. Three weeks later, the attacks came to an abrupt end.

According to Heli Tiirmaa-Klaar of the policy-planning department for the Estonian Ministry of Defence, the attacks against Estonia owed at least some of their success to the fact they came out of the blue. "The Estonian case was very unexpected, against selected targets: this is something most countries are not prepared for — attacks against civilian, soft targets," says Tiirmaa-Klaar.

Global impact
The impact of the attacks against Estonia has not been restricted to the country's borders; the attacks have had ramifications for governments around the world, according to IT security experts. The biggest effect on foreign governments and businesses is to have "made them all jittery", according to security expert Dr Richard Clayton of the University of Cambridge.

The US certainly seems to have taken some of the lessons from Estonia to heart. Earlier this month US Homeland Security Secretary Michael Chertoff outlined US plans for a cyber "Manhattan Project" to echo the development of nuclear weapons during the Second World War, partly as a response to the attacks on Estonia.

Chertoff believes the US government needs to work with the private sector to improve the strength of its systems. "Estonian government websites that usually received 1,000 visits a day were inundated with 2,000 visits a second," he says. "This attack went beyond simple mischief. It represented an actual threat to the national security and the ability of the Estonian government to govern its country. We face in the 21st century a very difficult problem: a single individual, a small group of people and certainly a nation state can potentially exact the kind of damage or disruption that in years past only came when you dropped bombs or set off explosives."

Chertoff adds that the "thousands of entry points into federal civilian domains", plus the "uneven" way federal agencies protect their assets and the slow response to intrusions into US government networks means there are constraints as to how efficiently the US government could deal with a cyberattack.

As well as the possibility of attack on federal systems, US security experts are convinced that many private-sector businesses are being probed by foreign powers. Alan Paller, director of research for the Sans Institute, says companies...

...doing business with countries such as China and France will, as a matter of course, be subject to attempts to steal information and intellectual property.

"What we're seeing is every organisation that's doing business with certain countries is being targeted with the same cyber-weaponry that the military is being targeted with," says Paller. "If you're about to do business with a particular country they will not only penetrate your computers, but they'll go after your lawyers, consultants and accountants, looking for all the documents about the deals you're about to make, giving them a competitive weapon. My guess is there are 25 countries being involved in this at some level or another. The commercial side of it seems to be more China and France."

State of denial
However, following the attacks on Estonia and on other country's critical national infrastructures, Paller says critical national infrastructure (CNI) operators in many countries, including power utilities, banks and health services, still had not made adequate security preparations.

"There's still a state of denial," says Paller. "The most difficult problem is to get the energy in place to build defences, as long as your senior leadership wants to believe they wouldn't be targets. One of the reasons the CIA released some data about an actual outage [involving a power company] that was caused by remote cyberattack was to awaken senior management of critical national infrastructure to the idea that being in denial is just stupid, you actually have to start protecting your systems."

According to Paller, problems faced by CNI companies include extortion from criminal gangs that prove they can attack and demand money, which Paller describes as a growing threat. Victims are like to pay up, says Paller, "even if they don't think the bad guys are likely to do what they say they can do."

Paller warns there is also a danger of people "owning" computers to be used later. "They come in, take them over, collect as much information as they can about employees, management systems and passwords, and they hide, just hide," explains Paller.

Control mechanisms
Tiirmaa-Klaar argues that CNI companies have a long way to go before their security is up to scratch. Supervisory Control and Data Acquisition systems (Scada), used in conjunction with human operators to control industrial systems, do not have adequate security in many European countries, she claims.

"Critical national infrastructure organisations should check the gaps where their Scada systems are connected to the internet," says Tiirmaa-Klaar. "In many cases Scada is not secure: it depends on the country. The UK [is probably] safe, but I don't know about all European countries. A lot of critical infrastructure is in private hands, and private companies are always having to update their systems. Private companies are not interested in investing in security unless it's really vital. Governments have to make sure private companies are investing in up-to-date systems — there should be control mechanisms."

John Colley, the managing director of security training organisation ISC2, claims that in the UK the effect on government has been to focus attention on the possibility of politically motivated cyberattack. However, he says businesses have done "very little beyond what they were already doing", although he concedes that most businesses now plan for distributed denial of service (DDoS) attacks.

"My impression is that government is taking it more seriously than industry," says Colley. "It could be that industry is not particularly focused on Estonia."

Other security experts, such as the National Institute of Standards and Technology's manager of systems and network security group Tim Grance, say that assaults...

...by any attackers, including cybercriminals, have made governments start taking action. "Whatever the motivation — organised crime, or a multitude of sources [of attack] — governments and major institutions are keenly aware of protection," says Grance. "If a business [such as a financial institution or government] sells trust, and it's shown to not have the ability to deserve that trust, people ask hard questions."

Grance points to the multitude of data-breach reports as another reason why governments have become more focused on data security.

"Data breaches motivate citizens a lot more than most other issues because it becomes so personal — they think 'that could be my child or my money'," says Grance. "They can be surly and upset when they feel governments are not protecting their interests."

However, while the recognition is there, Grance acknowledges that the size of governments and large institutions can make it difficult to effect change quickly enough to respond to the shifting threats of cyberattack. "People don't always adjust to how long change takes through a large infrastructure," says Grance. "There's the tyranny of the installed base, and to accommodate all interests takes a long time."

'Nothing special'
While experts agree the attacks on Estonia have made governments prick up their ears about IT security, not all IT security experts feel that the Estonia attacks warrant the level of worry they have caused in government circles.

"The data we have about the attack in Estonia tells us it was nothing special," says the University of Cambridge's Clayton, who points to a paper by Michael Lesk of Rutgers University. This paper claims that, at its peak, the amount of bandwidth consumed was approximately 90Mbps, for 10 hours. This, Lesk says, "isn't actually that much data".

"Plenty of corporations have that much bandwidth; in Japan, for example, it costs roughly $50 [£25] per month to obtain 100Mbps," says Lesk. "Estonia's problem is that it's a very small country, and its systems aren't configured for that kind of load."

According to Clayton: "That Estonia had a serious problem tells you more about Estonian infrastructure and network engineering skills than about the attack itself. That said, the surrounding furore, and the quite unjustified claims that governments were involved, has undoubtedly meant that people who want to try harder to make networking infrastructure secure have got more of a hearing. I just hope that when the hype fades and the incident is better understood, it doesn't look like the security industry crying wolf."

However, Estonian Ministry of Defence's Tammet says the attacks on Estonia were a "wake-up call" to governments, as they are all potential targets of politically motivated attacks.

"I agree with many politicians who have described the cyberattacks on Estonia as a wake-up call," says Tammet. "The issue is very topical and more and more governments and international organisations have realised the need to deal more seriously with cybersecurity issues."

"Nobody is safe in cyberspace, and any country with well-developed IT systems is a likely target of attacks that harm vital communication and IT-systems. In short, the likelihood that Estonia is attacked is similar to any other developed country," says Tammet.

Editorial standards