Toomas Hendrik Ilves
Cyber-defence: the next challenge
The cyber-attacks on Estonia in 2007 alerted the world to a new challenge. Much remains to be done to address it.
Most accounts of cyber-war, cyber-attacks and the militarisation of the cyber-world begin with a description of the Distributed Denial of Service (or DDoS) attacks on Estonian government sites, banks, newspapers and so on in April-May 2007. With hindsight we can say that while those attacks were certainly disruptive and a nuisance, they posed none of the danger that we face today, when sophisticated worms can be used to cause major damage to critical infrastructure. Moreover, the dangers posed by cyber-attacks can be far more subtle, unnoticed even, but ultimately destructive of national wealth. Escalation has been rapid, akin to the development of air power less than a century ago.
Although aerial bombing had been used earlier, the attacks on English towns on 19 January 1915, during World War I, created wider awareness of the potential of air power. Two German Zeppelins dropped 24 fifty-kilogramme bombs and three-kilogramme incendiaries on the towns of Great Yarmouth, Sheringham, King's Lynn, and the surrounding villages. Four people were killed, 16 injured, and damage was estimated at £7,740. The public and media reaction to what today or even in World War II would be considered a minor bombing was shock.
I would argue that the DDoS attacks on Estonia in 2007 were akin to the Kaiser's two Zeppelins: a hitherto largely unknown weapon, causing an enormous amount of press coverage, but ultimately a minor skirmish. Given the rapid development of weaponised cyber since, a more appropriate analogy might be the thirty years from the Kaiser's Zeppelins to Hiroshima, which in terms of civilian death rate from aerial bombardment constitutes some kind of equivalent of Moore's law. Indeed, I would argue that what we face in the cyber-world are not Zeppelins, but a Predator drone operating in a conflict where everyone else is at the level of the Zeppelin and World War I defensive technology.
Yet the broad outlines of the threats - the far greater threats - we face today were already visible in 2007.
To briefly summarise the attacks of 2007 and why they were significant: first of all, they were primitive. DDoS attacks shut down servers by overloading them with more requests than they can answer, so that legitimate users can no longer get through.
This is accomplished by botnets: networks of robot or bot computers, the computers of everyday users that have been infected by malware and hijacked to send out messages (in the case of spam) or queries aimed at a specific server, without the knowledge of the infected computer's user. Most often the malware is picked up from porn sites, but it can just as easily be downloaded inadvertently from thousands of seemingly innocuous sites on the web. Botnets are illegal: the bots are controlled and connected to each other by criminal groups that rent out their services by the hour or the day, mostly to spammers.
But botnets can also be used to target specific servers. Before the 2007 attacks on Estonia, this was largely done for extortion: attacking the website of a company highly reliant on the internet and demanding money to end the overloading of their server. DDoS attacks were also occasionally used to target a specific site for other reasons, as we have continued to see in the case of the group Anonymous who, for example, claimed credit for attacking the servers of companies that suspended payment programmes for Wikileaks. As Irina Borogan and Andrei Soldatov note in a recent article in OpenDemocracy, hacking e-mails and DDoS attacks have become common features of political life in Russia, with liberals hacking Kremlin youth organisations like Nashi, who in turn seem to specialise in shutting down opposition sites with DDoS attacks. They conclude: "For Russian cyber-criminals hacking remains first and foremost a business: they will take political orders, but only on a commercial basis, and even then they prefer to work not for the security services, but for Kremlin youth organisations, since this work brings them huge profits without any risk of losing their anonymity."
The 2007 attack on Estonia differed in one respect from the battles of hackers and spammers. It was the first attack to target a country: its government sites, banks, newspapers, even the emergency number 112. While the initial attacks in late April and early May were characteristic of Nashi activists, using DDoS programs to hit various sites in Estonia, the culmination of the attacks on 9 May, coinciding with the day the Russians consider VE-day, already had the signature of cyber-criminals acting on a far more massive level, motivated by profit. It was clearly ordered and paid for: the CERT (Computer Emergency Response Team) histogram of attacks showed not a Gaussian curve but a discrete, sharply bounded block of traffic, beginning on 9 May at 00:00:00 GMT and ending at 24:00:00 GMT. When I asked the CERT how that was possible, why not a Gaussian distribution, the head of CERT said, "that's what they paid for." Who paid, of course, we cannot determine, since the hijacked computers were all over the world. We can say there was a strong correlation but we cannot prove cause.
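The two observations above, that a DDoS is simply more requests per minute than a server can answer, and that a rented botnet shows up in the request histogram as a block with an abrupt start and stop rather than a bell curve, can be checked mechanically in a web server's own access log. The script below is an added illustration, not part of this essay or of any CERT tooling: it synthesises Apache-style log lines (constructed data, not the 2007 traffic), bins them per minute, flags minutes whose rate exceeds a multiple of the median, and reports each contiguous attack window with its peak rate, the number of distinct source addresses (many low-rate sources is the botnet signature, as opposed to one misbehaving client), and whether the onset and offset are step-like. The factor of ten over the median and the "within half of peak" test for abruptness are illustrative assumptions, not established thresholds.

```python
"""Added example: binning request traffic to see the shape of a DDoS.

The log lines are constructed here for the demonstration; the detection
thresholds (factor over median, abruptness test) are assumptions.
"""
import random
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-log style: 1.2.3.4 - - [09/May/2007:00:00:05 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def bin_by_minute(lines):
    """Map each minute to its request count and to the set of source addresses seen."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the analysis
        ip, ts = parsed
        minute = ts.replace(second=0, microsecond=0)
        counts[minute] += 1
        sources[minute].add(ip)
    return counts, sources


def find_attack_windows(counts, sources, factor=10):
    """Return contiguous runs of minutes whose request rate exceeds factor * median.

    Each window records start and end minute (inclusive), peak rate, number of
    distinct sources, and whether onset and offset are abrupt (step-like).
    """
    if not counts:
        return []
    minutes = sorted(counts)
    baseline = statistics.median(counts[m] for m in minutes)
    threshold = max(factor * baseline, 1)
    windows, run = [], []

    def close_run():
        if not run:
            return
        peak = max(counts[m] for m in run)
        distinct = set().union(*(sources[m] for m in run))
        # A bought window starts and stops at full strength: first and last
        # minute each within half of the peak.  A gradual ramp-up would not be.
        abrupt = counts[run[0]] >= 0.5 * peak and counts[run[-1]] >= 0.5 * peak
        windows.append({"start": run[0], "end": run[-1], "peak": peak,
                        "sources": len(distinct), "abrupt": abrupt})
        run.clear()

    for m in minutes:
        if counts[m] > threshold:
            if run and m - run[-1] > timedelta(minutes=1):
                close_run()  # gap in the log: previous run has ended
            run.append(m)
        else:
            close_run()
    close_run()
    return windows


def synthesise_log(seed=7):
    """Construct six hours of light traffic plus a one-hour botnet burst (02:00-02:59).

    Background: 3-7 requests/min from 20 regular clients.  Attack: about 300
    requests/min spread over 300 bot addresses, switched on and off abruptly.
    Addresses are from the documentation ranges; nothing here is real traffic.
    """
    rng = random.Random(seed)
    t0 = datetime(2007, 5, 9, 0, 0, tzinfo=timezone.utc)
    regulars = [f"10.0.0.{i}" for i in range(1, 21)]
    bots = [f"198.51.100.{i}" for i in range(1, 151)] + [f"203.0.113.{i}" for i in range(1, 151)]
    lines = []

    def emit(ip, ts):
        lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512')

    for minute in range(6 * 60):
        base = t0 + timedelta(minutes=minute)
        for _ in range(rng.randint(3, 7)):
            emit(rng.choice(regulars), base + timedelta(seconds=rng.randrange(60)))
        if 120 <= minute < 180:
            for _ in range(rng.randint(280, 320)):
                emit(rng.choice(bots), base + timedelta(seconds=rng.randrange(60)))
    rng.shuffle(lines)  # order in the file must not matter to the analysis
    lines.append("this line is not a log entry")  # parser must skip it
    return lines


if __name__ == "__main__":
    counts, sources = bin_by_minute(synthesise_log())
    for w in find_attack_windows(counts, sources):
        print(f"{w['start']:%H:%M}-{w['end']:%H:%M} UTC, peak {w['peak']}/min "
              f"from {w['sources']} sources, abrupt={w['abrupt']}")
```

Run against a real access log, the same binning distinguishes a rented window (one block, abrupt at both ends, hundreds of sources) from a single scraper (one or a few sources) or from organic load (a ramp that tracks the working day). Per-minute bins are coarse enough to survive clock jitter across many sources; for a short burst one would bin more finely.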
The final point is that the attacks were political. They were a response to the Estonian government's decision to move a statue of a Soviet 'liberator' to a less disruptive location. They used a different means than usual, but were, nonetheless, the continuation of policy by other means; which I need not remind the reader, is von Clausewitz's definition of war.
To sum up, the importance of the attacks and why they are relevant: the cyber-attacks were a first in that they were directed at a country, they were ordered by someone, i.e. they were organised, they were political and were thus, ultimately, an act of war. Few, if any, wanted to admit this at the time.
At the time of the attacks, governments had not yet fully recognised the threats posed by the cyber-world, or the vulnerabilities of modern, liberal democratic states and societies; nor that cyber-attacks were not just something for geeks to worry about, but rather that, as the new 'equaliser', they allowed even small non-state actors to wreak enormous damage on countries and their economies. And most importantly, that had these kinds of attacks been carried out with kinetic weaponry, NATO, at the very minimum, would have been holding discussions under Article 4, and perhaps even invoking Article 5.
In other respects, there was nothing unusual about the attacks. They were primitive. They were a major nuisance, and could have led to fatalities, such as when the server of the emergency telephone line 112 was attacked, but this lasted only a short time.
The cyber-attacks were also an own-goal as Estonia benefited from them - although this was a one-off; these benefits will accrue to no one else. Cyber-security is today's growth field, with no better testimonial than the fact that both NATO's Cooperative Cyber Defence Centre of Excellence and the European Union's IT Agency are located in Tallinn.
The genuine military capabilities of DDoS attacks became evident a year later during the Georgian-Russian war of 2008. DDoS attacks were found to have been co-ordinated with kinetic attacks in the traditional military domains: air, land and sea. David Hollis, a senior analyst in the U.S. Department of Defense outlined in the January 2011 issue of the Small Wars Journal how Russian military operations were closely co-ordinated with DDoS attacks, targeting specific geographical locations for disruption so as to cause panic among the civilian population. The attacks, Hollis also points out, hindered Georgian strategic communication at the national level. From this, we can safely assume that any military conflict in the future will involve a cyber element.
Yet, if we thought then that DDoS tie-ins to military conflict were a problem, then today we see things altogether differently. Stuxnet brought home to all the enormous vulnerability of SCADA - Supervisory Control and Data Acquisition - systems, which run not just Iranian uranium enrichment centrifuges, but increasingly underlie our day-to-day life: everywhere from stacking our just-in-time delivery of milk in the supermarket to the toner in our copying machines. They run your car, they run hydroelectric dams, air traffic control, and nuclear power plants. The integration of internet-based feedback systems into virtually all aspects of daily life has proceeded without much notice. Only when the Stuxnet worm disrupted an almost completely isolated computer system did people begin to think more broadly of the implications of attacks on the computer systems that today run much of what we would call modern life. While many remain sceptical, much in the way that one hundred years ago European militaries were sceptical about the use of air power, a simulation in March in the U.S. with President Obama's participation showed how it would be possible to shut down the electrical system of New York.
Meanwhile a new worm, Duqu, thought to be derived from the Stuxnet worm and possibly a case of military blowback, or the turnaround of a weapon by the initial recipients, emerged in September 2011 - but no longer specifically designed to operate on Iranian enrichment centrifuges. Clearly a new form of cyber-threat needs to be addressed, one potentially far more dangerous than the DDoS attacks that put Estonia on the map.
Yet, despite all this, I want to stress that we concentrate far too much on the so-called hard security side of cyber in our discussions. Although hard security is important, I am convinced that the real battles are going on and will affect our security and well-being in altogether different ways from those generally discussed. Far more important to us than the asymmetrical nature of DDoS-type cyber-attacks, or the still largely potential threats of Stuxnet/Duqu-style attacks on our critical infrastructure, is our economy. Slowly, the understanding is dawning that warfare need not hit state or civilian infrastructure, but rather our economies, through piracy; perhaps we are too fixated on the militarisation of cyber, rather than state-sponsored theft. In other words, in the immortal words of Bill Clinton, "It's the economy, stupid."
For technologically advanced countries, the theft of intellectual property can cripple or at least severely wound our economies. Let us be clear that much of what makes modern economies function and prosper is the product of huge R&D investments, both public and private. Intellectual property, be it new software or hardware, pharmaceutical products, design or any of the other advanced products that make life today so different from even 1991, is what makes Western economies run. Discussions of the emergence of BRICs and other acronymic economic powerhouses tend to skip the fact that innovation, research, and development are words not often used to assess their rise. Yet innovation is at the heart of what allows the Western liberal democracies to maintain their competitive advantage. Contrast Europe's investment goals in R&D with NATO's defence expenditures. The EU has set a goal for its member states to invest 3% of GDP in R&D, a goal few meet. But then again, few meet the NATO goal of defence expenditure of 2% of GDP.
A company that invests hundreds of millions or even billions of dollars in new products can see it all evaporate if the research is stolen: the value of the product comes from those years of creative work and the dollars invested in developing it. Yet it can all be stolen. At which point someone else somewhere else has obtained for free what your country's best and brightest have developed. You lose the tax revenue, someone else reaps the profits. Testifying before the U.S. Congress in March, Shawn Henry, the outgoing Executive Assistant Director of the FBI, spoke of a company that lost in one weekend ten years-worth of research and development amounting to a billion U.S. dollars of investment. Someone had hacked into the company computers and sucked out all the research work.
This is piracy. Pure and simple. And it is as dangerous and threatening for modern states as piracy in its more primitive forms was off the Barbary Coast at the beginning of the 19th Century, or today off the coast of Somalia.
As is the case with classical, marine piracy, intellectual property piracy is not only a threat to our economies, it is also a threat that falls into the category of Public Private Partnerships, PPP in the standard jargon of government-business financing, where state actors condone or turn a blind eye to it, if it benefits their economies - just as it was to the Barbary States under Ottoman rule. And as with the Barbary pirates, cyber-attacks against our companies can be met head on only with concerted state action.
This leads me to one final point about the challenges we must address, now that we have slowly reached the point where we can recognise that cyber-attacks and cyber-wars are a major threat, and not just the child's play of misguided hacker-geeks.
Today the PPP paradigm that we see in both the militarised cyber-warfare of the botnet type and the systematic theft of our companies' intellectual property should give us pause to rethink our own relations with the private sector. Last year, I shared a talk and panel discussion with Carl Bildt on cyber-security at the Swedish Foreign Policy Institute in Stockholm, where during the Q&A the head of cyber-security for a global IT company stood up and asked point blank: "Why are you [government people] not working with us? We are attacked just as much as you and probably more."
I cannot say who is attacked more, but his point made me rethink my views on cyber-security. A few weeks later, I asked the then head of cyber-security for the British MoD why the UK had suddenly taken such an outspoken position on the need to work jointly on cyber-defence. Her answer was more or less the same: our companies are coming under massive attack.
This is true everywhere in the West, where Intellectual Property is a key component of our national wealth. It may be difficult to steal a country's oil, or its agricultural or even manufacturing wealth, but the billions and billions - as well as the years - invested in intellectual property can all be stolen in a matter of minutes, or a weekend. This is industrial-strength piracy and a genuine security threat, not just the worry of Hollywood film companies.
As an aside, I should mention here that as flawed as parts of the ACTA legislation may be, piracy is a far bigger problem than downloading films for personal use. We certainly would not want to condone piracy against our health records or, here in Estonia, the newest software being developed by Skype. While Freedom House ranks Estonia as number one in the world in internet freedom (followed by the United States and Germany) we need to ensure that this freedom is secure from those who would abuse it.
Cyber-threats have been a source of worry to national defence establishments for years. Unfortunately, for too long cyber-threats have been strictly national concerns, and have remained stuck in the intelligence paradigm (where little is shared), rather than the co-operation and interoperability paradigm of, for example, NATO. We can put an American bomb on a French plane, but we are loath to share knowledge in the cyber domain.
Yet progress has been made. NATO took a significant step forward at its Summit in Lisbon in November 2010, when it incorporated cyber-security into the new Strategic Concept. Estonia certainly hopes that in May in Chicago we will move further beyond this.
Another significant milestone, whose importance I believe cannot be overstated for the future of warfare, is the announcement by the U.S. Department of Defense in Spring 2011 that cyber-attacks can constitute a military attack, and thus are open to a military - perhaps even kinetic - response. This idea of not necessarily using the same methods to counter-attack is a sensible development all around.
We in the democratic West have wobbled and waffled no end on this issue - a tricky one, admittedly, given the difficulty of ascribing responsibility and the even more difficult issue of what constitutes a proportional response. But the U.S. has leapt into the breach; I hope our other Allies will soon do the same.
Clearly the policy makers in NATO have realised that cyber-attacks are attacks, period, and that all the same rules apply to them as they do in other forms of warfare. No longer is it the 'gee-whiz, look at what those geeks can come up with' phenomenon we encountered here five years ago, when our government sites were shut down in a coordinated effort that, ultimately, could only have been activated by a state actor, no matter what the affiliations or lack thereof, of the actual perpetrators.
In short, we have recognised, perhaps a bit belatedly, that an attack is an attack. Yet I would argue that that is only the beginning. We have realised in NATO that we are vulnerable and that cyber can be weaponised. And that we have to do something, together, at the NATO level. The challenge now is what. Let me in broad brushstrokes outline some of what we should be thinking about.
First, we need to understand how computerised, and hence vulnerable, we have become - and in a matter of only three or four years. SCADA systems today control virtually everything. And where we don't use SCADA systems, we in Estonia have made the computerisation of government services not only a priority, but also our leading edge in modernisation. Be it online voting, e-health (I chair the EU Commission on e-health, and I assure you that with our burgeoning demographic and ageing problem, we will no matter what rely ever more on e-health systems), banking or taxes, we become more complex and more vulnerable. We need to pay far more attention to our vulnerabilities.
Second, we must not look at cyber-threats through the symmetrical state-versus-state paradigm through which we viewed virtually all conflict before 9/11. Cyber-attacks, insofar as we have been able to determine their provenance, are like Al Qaeda: carried out by networked non-state actors. The ultimate command and the funding may be a state actor, but it is far more convenient, both financially and in terms of deniability, to subcontract jobs to botnet operators, i.e. quasi-organised crime networks, or to the proverbial 'just a bunch of computer science student hackers', or even to a justifiably enraged 'civil society', as we heard during the Estonian and Georgian cyber-attacks. A rather silly line parroted by people who wouldn't know a botnet from a hairnet.
Like terrorists, those who perpetrate cyber-attacks are rarely in uniform and do not even necessarily engage in this as their day job. Often they are linked to organised crime, like Taliban fighters who are perhaps involved in growing poppies or smuggling opium and, when the need arises, will engage militarily. As in the piracy of intellectual property, what we see at least in the case of DDoS attacks, for example in the Georgian-Russian war, is a new form of Public-Private-Partnership.
All of this should sound like the talk of ten years ago about asymmetric warfare and al-Qaeda. This is asymmetric. Small numbers of non-state actors, or state-contracted non-state actors, can wreak havoc on nation-states far in excess of what Al-Qaeda can. Al-Qaeda can immobilise a city; cyber can immobilise a country. But the asymmetry is not only in numbers.
What I suspect is that we, as the governments of authoritarian mafia-states already have, will need to rethink government-private sector relations. We in the liberal democratic West, in countries with low scores on the Transparency International Corruption Index, have built a solid firewall between the private and public sectors. Even the term Public-Private Partnership attests to the relative separation of the two. No such separation exists in mercantilistic or authoritarian kleptocratic regimes. One serves the other.
If we step up a level from Intellectual Property to more military action, we must accept that in a connected world our vulnerabilities are no longer restricted to military and industrial targets. I have already mentioned SCADA systems controlling, for example, nuclear plants. But consider an attack on the New York Stock Exchange. If the basis of our relative economic success - our private sector - comes under attack from state actors, we have to come up with new ways of talking to and sharing with the private sector. This of course will run against the grain of how we have been doing things. Yet we need to address the problem.
As I see it, there are two issues. First, we need to come up with new ways to talk to the private sector. Security clearances, sharing of sensitive information - in both directions from government to private sector and vice versa - need to be made far less ad hoc, far more based on rules that would allow us a greater deal of flexibility to face new threats, without at the same time allowing the crony-capitalism that destroys democracies.
Second, however, we on the state-side of things need the brains that today go to the private side of cyber. Let us be honest: Estonia cannot pay for the genius software developer at Skype. But then again the U.S. Department of Defense is most likely unable to hire the top guns at Apple, Microsoft or Google. The other side(s) can. Back during the Manhattan project the U.S. could hire Edward Teller or Robert Oppenheimer for a professor's salary. But nuclear physicists could only work for a university or for the government. Today neither a university nor the government can afford the private sector cyber equivalent of an Edward Teller.
All this puts governments at a disadvantage in developing cyber-defence. We cannot necessarily afford the best and the brightest. In Estonia, we have developed one solution to this problem, the Cyber Defence League: a cyber-home guard or national guard. These are weekend warriors with pony-tails, computer geeks who have high-paying day jobs running IT departments, working at software companies, or banks. We offer them the opportunity to help with our defence. Not running around the woods in camouflage suits, but building our cyber-defence capability. Today we have about 150 volunteer computer experts in the Cyber Defence League, not a bad number for a country with a military of 4000. They are motivated and patriotic, and - let's be honest - it's sexy to work on these things.
We are only starting out but I mention this initiative as the kind of creative solution that we need to consider if we are to be able to guarantee the highly sophisticated e-services, and the highly R&D-driven companies, a modern society depends upon. When threats are no longer classic threats, our responses can no longer be classic either. At least if we want to maintain the upper hand.
Estonia's experience in the past twenty years reflects this: we became pioneers in the use of ICT in government first because it seemed the best, if not the only way to leapfrog decades of backwardness caused by awful Soviet rule. Information technology and its use in the public sector, as well as the private, became the engine of our rapid development, and enabled us to become a leader in offering innovative solutions, which we gladly share with others. Then, almost as if on cue, we also became the world's first victim of purposeful, directed, massive and across the board attacks against our public ICT infrastructure, media, and banking. And, thence one of the world's centres of cyber-defence and security.
Part of the solution also lies in NATO. First, we need to use the Chicago Summit to keep up the momentum: a momentum that seems to have diminished since the last summit in Lisbon. To put things into perspective, the awareness of cyber-threats in Allied capitals is much better than it was three or five years ago. Yet that is not enough. Many Allies are still in the 'so what' phase when it comes to defining their critical information infrastructure, defining vulnerabilities and so on. Two thirds of Allies do not plan to draft national cyber-security strategies, five Allies have not bothered to sign the Cyber Defence Memorandum of Understanding with NATO, and so on.
Second, cuts in defence spending do not help. It is a fact that national security was one of the first areas of national budgets to be cut in most capitals as soon as the financial problems started. As a footnote, I am proud to say that Estonia was the only Ally whose share of the budget for defence was not cut or stabilised, but increased. Cyber-security has fallen victim to an overall trend of defence being downplayed. And all too often, cyber is considered a technical or intelligence issue, but not a national security one.
Third, and equally importantly, until you have done your homework you cannot meaningfully cooperate internationally. You do not come to the North Atlantic Council asking for Article 5 when a primitive DDoS attacks your government website. You have to have a national strategy and legal framework in place to deal with threats. You have to have a CERT to turn to. Cyber-defence capabilities are now part of NATO's overall capability planning process. Yet the problem is that sovereign nations often don't fulfil the capability development targets that Allies have collectively agreed to. This results in capability gaps. Cyber-defence capabilities will not be immune to this. NATO should collectively stress the need for common standards to ensure interoperability, just as we have with conventional military hardware or exercises or language skills.
With the EU we have more or less the same issue: stovepiping, with cyber issues dealt with across four different Directorates General. In the European Union we face the additional problem of widely varying degrees of understanding of cyber among the member states. There is greater awareness in countries where IT plays a more important role in governance and the economy, and a concomitant lower awareness where IT use is less broad.
So to sum up, if we continue to treat cyber issues like intelligence and do not share capabilities, best practices and so on, if we do not adopt basic common definitions and platform principles, if we do not think long and hard about how to work with the private sector on these same issues, we will face a very hard time. Instead of a 'need to know' mindset, we must adopt a 'need to share' mindset.
The first step for everyone should be to take a long hard look at the threats we face. There are some very new ways out there to conduct policy by other means.