15 December 2007

Any Country Is Vulnerable

From Whirled View.

The Next War - Updated
by CKR

The military is among the most conservative of societal institutions. Before they use a tactic in a full-up war, they look for ways to test it. Small wars and other minor conflicts frequently provide the opportunity.

One such opportunity seems to have presented itself last spring, when the Estonian government relocated a Soviet war memorial from central Tallinn to a military cemetary. The memorial had been a traffic-stopping center of protests, those protests incited by Russia.

Estonia, a Soviet Republic between 1945 and 1991, sees the internet as a way toward economic success for a small country starting from ‘way behind. Estonians have given us Kazaa, pioneering peer-to-peer file-sharing software, and Skype, the free internet phone service. More than 90% of bank transactions in Estonia are carried out over the internet. A few years ago, my friends’ front yard was trenched along the street. Optical fiber to every home. Estonians vote via the internet, and the government has just opened a virtual embassy in Second Life.

So what better way to send a message and test a tactic than by the internet?

For several days, internet providers and Estonian government, banking and news sites were shut down by denial-of-service attacks, many of thousands of hits arriving in torrents to large for servers to handle. NATO, of which Estonia is now a member, and some of its member countries sent experts to observe and advise.

The attacks appeared to be organized and came in three waves over a well-defined period of time; if they were coming from individuals, a tailing-off would have been expected. Attacks on banks focused on one bank at a time. The source cannot be traced; it is easy to achieve anonymity over the internet, and denial-of-service attacks are organized by commandeering unprotected personal computers, without the awareness of the owners of those computers. The estimate is that one million computers in fifty countries were attacking.

The Center for Strategic and International Studies recently invited Jaak Aaviksoo, Estonia’s Minister of Defense, to speak on lessons learned from that internet battle.

Aaviksoo had more questions than answers. The Estonian government is evaluating the attack and their response. He emphasized that there is much thinking-out to be done. Unlike physical attacks, computer attacks come from everywhere and nowhere. “Boundaries become increasingly dissolved between the international and domestic affairs, between civil and military spheres, between the private and the public, between peace and conflict.” Insufficiently protected personal computers (yours could have been one!) were “zombified” by intruders who then sell the computers for as little as ten cents per computer to those who want to make the attacks.

Should the individual owners who left their computers insufficiently protected and therefore part of the attack be held liable?

How should privately-owned internet resources like those of the banking industry be protected? To what extent should government and the private sector cooperate?

Who is responsible within the government? Commerce? Defense?

The effects of the attack were mainly psychological. At a time when Estonians wanted news of the protests in Tallinn, their internet news sources became unavailable. Being unable to access their bank accounts at the same time was frightening. Some of our more imaginative future-war strategists like to worry about electromagnetic pulse effects from nuclear weapons being used to shut down communications, but here was a much simpler and cost-effective method.

Any country is vulnerable, although an attacker faces the question of how to scale up to larger numbers of computers. Estonia’s population is 1.4 million people.

The Council of Europe has a convention on cyber crime that has been ratified by twenty European countries and the United States. NATO will consider cybersecurity issues at the summit meeting in Bucharest next spring. Clearly these are just beginnings, and evaluation of the Estonian attack will help to clarify what needs to be done relative to treaties and security measures.

Finally, a typically Estonian observation:

We are extremely thankful for the publicity we had due – or thanks to the cyber attacks early April this year. This is the positive side of the story. We have modest resources; we could have never managed that publicity to our cyber activities in Estonia.


Update: Meanwhile, China may be hacking US National Laboratory computer systems.

And is this the botnet that did it? Do you click on e-mail attachments from unknown senders?


Many thanks to RS for bringing the CSIS report to my attention. Posted by Cheryl Rofer on Saturday, 08 December 2007


Source, with links

Only a few posts now show on a page, due to Blogger pagination changes beyond our control.

Please click on 'Older Posts' to continue reading The Rag Blog.