On Wednesday, May 23, Jason Healey, moderator for the Atlantic Council’s “Building a Secure Cyber Future: Attacks on Estonia, Five Years On,” reminded us that for all the talk of emergent threats and new technology, cybersecurity has a history that’s worth remembering and learning from. While the Navy still studies the Battle of Trafalgar from the Napoleonic Wars, network defenders and pundits often ignore events from even five years back, deeming them no longer relevant. The technology has changed somewhat over the years, but the underlying principles of computer network operations and security as a whole have not, and with events such as the interactive conference on the 2007 cyber attacks on Estonia, the Cyber Statecraft Initiative aims to bring that perspective to cyber conflict.
Though perhaps not as significant a conflict in cyberspace as the Battle of Trafalgar was at sea, the attacks on Estonia were eye-opening for the international and security communities. Amid a heated, nationalistic dispute between Russia and Estonia over a Soviet-era statue of a Red Army soldier, in late April 2007 Estonia was hit by a wave of cyber attacks that temporarily disabled crucial websites such as those of the Estonian parliament, newspapers, banks, and ministries. Given the current scale of cyber crime, the attack might have gone unnoticed by the global security community today, and even back then an attack of that magnitude would occur every three weeks, with the largest cyber attack at that point being ten times the size. Still, the attacks on Estonia were extremely significant in several ways. While only moderately large for the Internet as a whole, the attacks were overwhelming for the tiny country of Estonia, which had only 1.3 million people. Estonia had also been a leader in e-governance, relying on the Internet for many government services. Lastly, it was seen as an example of state-on-state cyber conflict, as the attacks were believed to be carried out or ordered by the Russian government.
So what can today’s defenders learn from this little cyber Trafalgar? The biggest lesson from the attacks on Estonia is that network defense and mitigation at the national and international level requires relationships that must be forged before the attack. As panelist Brian Peretti, Financial Services Critical Infrastructure Program Manager at the Office of Critical Infrastructure Protection and Compliance Policy of the United States Department of the Treasury, noted, just as the Internet is based on trusted connections between computers, cybersecurity is based on trusted connections between people and organizations. Estonia’s Computer Emergency Response Team (CERT) couldn’t develop the relationships it needed during an attack, and lacked the necessary ties to internal organizations such as banks and Internet service providers, as well as international organizations such as other CERTs. Before they are willing to work with another country’s team, other CERTs need to be confident in its capabilities to properly identify a threat and to reciprocate if they have trouble. As a result, Estonia’s CERT became a bottleneck. Fortunately, that lesson was not lost on the United States. After the Estonia attacks, America established the National Cyber Response Coordination Group domestically, which was co-chaired by the Department of Homeland Security, the Department of Justice, and the Department of Defense, and we’ve since run numerous exercises with international partners.