Cyber Security

Ali Oğuz Diriöz

Cyber Security and New Russian Threats to NATO Members: The Case of the Denial-of-Service Attacks on Estonia

            On 27 April 2007 the North Atlantic alliance faced a new type of threat against one of its newest members: Denial-of-Service attacks that disrupted internet connectivity across Estonia. As this was the first such case, there was no doctrine for taking a position or delivering a response. NATO's inability to respond immediately was an important shortcoming, and the alliance quickly set about formulating a new policy on cyber defense (NATO Press Release 2008-049; Summit Declaration, 3 April 2008). The question that remains is how the new policy will translate into adequate doctrinal procedures and responses to prevent a repetition of such attacks, whether by a state or a non-state actor.

            Tensions between Russia and Estonia escalated after the Estonian Government's decision to move a World War II memorial away from downtown Tallinn. This provoked the fury of Estonia's ethnic Russian population. The decision soon led to riots in Estonia, protests in Russia, and Denial-of-Service (DoS) attacks on Estonian government and financial websites. While Russians saw the memorial as a reminder of victory in World War II, Estonians saw it as a reminder of oppression. Those frictions would need to be treated as a subject of their own. What makes this case unique is the massive DoS attacks, which appear to have been politically aimed at Estonia's official websites and which effectively destabilized the internet infrastructure of a country.

            A Denial-of-Service (DoS) attack aims to make computer or internet resources unavailable to their users by overwhelming the carrying capacity of the networks, servers, or applications behind them. Imagine university students trying to access their accounts to check end-of-term grades after final exams. A university system designed to handle a certain number of requests in a certain time, say 12,000 in 12 hours, would be overwhelmed if all 12,000 students tried to log in during the same two-hour period. DoS attacks aim to paralyze a target website, network, or domain by overwhelming it in just this way. The aim is not to penetrate the target and retrieve information but to disrupt or paralyze it. Security devices such as firewalls and anti-virus software, which are designed to prevent infiltration, are therefore not what the attack is aimed at, and they may be unable to stop it. The traffic often does not come from genuine users at all: it is generated automatically, frequently with forged (spoofed) source addresses, so that the apparent senders do not really exist.

A distributed Denial-of-Service (DDoS) attack, by contrast, is not mounted from a central location that forges many fake senders, but from many real locations, using "botnets" of genuine computers that have been compromised through spam e-mail or other means. The owners of these computers are often unaware that they have been compromised, since the malicious software installed on them appears benign while quietly sending traffic to the targets designated by the attackers. These infiltrated computers, or "zombies", are gathered into "botnets" (slave networks) that are sometimes traded among criminals on the black market. Unwitting users in an Albanian internet café might be sending data that helps to block corporate websites such as HSBC's. Such attacks are often directed against companies and online banking services.
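The practical difference between the two kinds of flood is what a defender sees in the server logs: a single-source flood is a very high request rate concentrated on one address, while a distributed flood reaches the same rate from hundreds of addresses each sending a little. The following Python script is an added illustration of that distinction and is not code from the original essay or from any of the organizations it describes. It parses Apache Common Log Format lines, computes the request rate and the share of traffic sent by the busiest source, and labels the batch. The log lines are constructed for the example (documentation address ranges, not real Estonian traffic), and the capacity threshold and concentration threshold are assumed values that a real deployment would tune.

```python
"""Distinguish a single-source flood from a distributed flood in access logs.

Added example, not code from the original essay. Sample log lines are
constructed; RATE_THRESHOLD and TOP_SHARE are assumed tuning values.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed capacity of the service in requests per second; above this is a flood.
RATE_THRESHOLD = 10.0
# If one address sends at least this share of a flood, treat it as single-source.
TOP_SHARE = 0.5


def parse_log(lines):
    """Return (ip, datetime) pairs; lines that are not valid CLF are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        entries.append((m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)))
    return entries


def classify_traffic(entries, rate_threshold=RATE_THRESHOLD, top_share=TOP_SHARE):
    """Label a batch of requests as normal, single-source flood, or distributed flood."""
    if not entries:
        return {"label": "empty", "rps": 0.0, "sources": 0, "top_share": 0.0, "top_ip": None}
    times = [t for _, t in entries]
    # Observation window in seconds; floor at 1 s so a one-second burst is not infinite.
    span = max((max(times) - min(times)).total_seconds(), 1.0)
    rps = len(entries) / span
    by_ip = Counter(ip for ip, _ in entries)
    top_ip, top_count = by_ip.most_common(1)[0]
    share = top_count / len(entries)
    if rps < rate_threshold:
        label = "normal"
    elif share >= top_share:
        label = "single-source flood"
    else:
        label = "distributed flood"
    return {"label": label, "rps": rps, "sources": len(by_ip), "top_share": share, "top_ip": top_ip}


# --- constructed sample input (documentation address ranges, not real data) ---
BASE = datetime(2007, 5, 3, 10, 0, 0, tzinfo=timezone.utc)


def make_lines(ips, count, seconds):
    """Construct `count` CLF lines spread evenly over `seconds`, cycling through `ips`."""
    lines = []
    for i in range(count):
        ts = BASE + timedelta(seconds=(i * seconds) // count)
        lines.append(f'{ips[i % len(ips)]} - - [{ts.strftime(TS_FMT)}] '
                     f'"GET /index.html HTTP/1.1" 200 512')
    return lines


NORMAL = make_lines([f"192.0.2.{i}" for i in range(1, 11)], count=30, seconds=60)
SINGLE = make_lines(["198.51.100.7"], count=600, seconds=10)
DISTRIBUTED = make_lines([f"203.0.113.{i}" for i in range(1, 41)], count=600, seconds=10)


def run_demo():
    """Classify the three constructed scenarios; returns {scenario: label}."""
    results = {}
    for name, lines in (("normal", NORMAL), ("single", SINGLE), ("distributed", DISTRIBUTED)):
        summary = classify_traffic(parse_log(lines))
        results[name] = summary["label"]
        print(f"{name:12s} {summary['label']:22s} {summary['rps']:7.1f} req/s "
              f"{summary['sources']:3d} sources, busiest source {summary['top_share']:.0%}")
    return results


if __name__ == "__main__":
    run_demo()
```

Two caveats apply when this is run on real logs. The source count is only trustworthy for traffic that completed a connection (for example HTTP over TCP); a single attacker sending spoofed packets at the network layer will appear to come from thousands of addresses, which is exactly why packet floods are hard to attribute. Conversely, many legitimate users behind one corporate or national NAT gateway share a single address, so a high share from one source is a prompt for investigation rather than proof of an attack.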

The attacks on Estonia may be the first case of a new type of tactic used to damage the assets of a country. Propaganda and disinformation over the internet are used by many groups, but internet attacks used as a political tool at the state level are a first. Peter Finn termed the DoS attacks against Estonia a new battle tactic (“Cyber Assaults on Estonia Typify a New Battle Tactic”, Peter Finn, Washington Post, May 19, 2007; A01). Russian officials were allegedly involved in orchestrating the coordinated attacks, with instructions posted on web forums on how to disable Estonian official sites by overwhelming them with traffic. Russian officials deny any involvement.

            It has not been proven whether this was a covert operation by Russia or the work of individuals acting independently but in an organized manner. It is technically possible that the high traffic was simply the consequence of massive public outrage producing an accumulation of responses. Conversely, if it were a covert operation, it would have been made to look as if it had been caused by independently motivated individuals anyway.

The outcome, unarguably, was that attacks originating from Russia paralyzed the communications infrastructure of a NATO ally. The act may not be belligerence per se, yet it was a hostile and offensive act of sabotage that destabilized the infrastructure of an entire country, disrupting government e-mail and shutting down online banking.

DoS attacks have usually fallen within the legal realm of cyber crime and were not a subject of the North Atlantic Alliance's security doctrine. NATO had always maintained secure Information Technology (IT) systems aimed at keeping its communications secure. IT security, like other security matters, was about preserving confidentiality and preventing hackers from reaching sensitive data. The attacks on Estonia are significant because they caused NATO to reconsider its perception of cyber security and to adopt a security doctrine designed to guard against the tactics of cyber warfare.

Prior to 2007 NATO had already established national Computer Emergency Response Teams (CERTs) (“iWar,” NATO Review, Winter 2007). In January 2008 the NATO Military Committee adopted the decision to create a Cyber Defence Management Authority to coordinate a common approach to cyber security among alliance members. The decision was approved at the April 2008 NATO Summit in Bucharest. A three-phase reorganization program was adopted: the first phase is the creation of the NATO Computer Incident Response Capability (NCIRC); the second is making the NCIRC fully operational; and the third is incorporating lessons learned to enhance NATO's cyber defense posture.

The attacks against Estonia were asymmetric tactics, since the initiators were in some ways similar to terrorist organizations: they operated in secrecy, using illegal and unconventional means. On the other hand, the situation also fits the description of a covert operation, since there is not enough incriminating evidence to establish direct involvement of the Russian Government. In either case, it is important to consider what NATO member states should do next.

The DoS attacks on Estonia brought a new dimension to both the concept of cyber security and that of national security. Considering that Estonia's 2005 elections already offered voting over the internet, the implications go beyond disrupted government e-mail and online banking being shut down. In addition, according to the CIA World Factbook 2008, a large percentage of Estonia's population files its taxes online. The vulnerability of Estonia's internet infrastructure thus has implications beyond communications. Besides logistical and financial disturbances that could cause considerable financial chaos, there would be vulnerability to manipulation of future electronically held elections. Cyber threats offer new and asymmetric ways in which the assets of a country can be threatened by a handful of hackers. The situation also has implications for the potential threat that non-state actors, such as terrorist organizations like Al-Qaeda, may pose in causing havoc in targeted countries.

Furthermore, this case has implications for countries such as Turkey. Since Estonia has a population of only about 1.3 million, it may seem unlikely that a similar attack could be launched against larger NATO members such as Turkey. Yet a look at Estonia's fiber-optic infrastructure reveals a solid network built with many foreign investors, notably from Finland. According to the CIA World Factbook, Estonia has more internet hosts than Turkey: Turkey has only some 220,000 internet hosts for 13 million users, as against almost 400,000 hosts for around 800,000 users in Estonia. Estonia thus has roughly one host for every two users, whereas on these figures Turkey has only about one host for every 59 users, and therefore possibly a more vulnerable infrastructure in the event of a massive DoS attack from Russia.

The case of Estonia was the first in which Denial-of-Service attacks were used as a political tool to destabilize the IT infrastructure of a country. NATO's response was tardy but significant: not only was a new authority created to coordinate efforts against such attacks in future, but cyber security was officially integrated into the defense doctrine. It is now time for the alliance to develop the doctrine further, especially on how to deliver an appropriate response or, more likely, retaliation. One way of protecting assets is to distribute the risk. According to F-Secure, a Finnish internet security company that monitored the attacks on Estonia, the best defense is to have strong networks of servers in many countries (“A cyber-riot”, Economist, 5/12/2007). Ironically, a distributed infrastructure is thought to be the best defense against a distributed attack, since no single link or server then has to absorb the whole load. Until the attacks on Estonia NATO focused on protecting its own systems; since May 2007 the focus has extended to assisting allies in protecting their IT assets. More elaborate planning will be needed. A clear and firm doctrine on the actions that may be taken is imperative to deter any state or non-state actor from resorting to such asymmetric tactics to destabilize alliance members in the future.