
Sixth Plenary Session - Heli Tiirmaa-Klaar

Heli Tiirmaa-Klaar, Senior Advisor to the Undersecretary, Ministry of Defence, Estonia

The 8th IISS Global Strategic Review 

'Global security governance and the emerging distribution of power'

 

Geneva 

Sunday 12 September 2010

 
Sixth Plenary Session
Cyberpower and Strategy
  

 


 

 

Heli Tiirmaa-Klaar, Senior Advisor to the Undersecretary, Ministry of Defence, Estonia

I would like to thank the IISS for the opportunity to address this important issue here, in front of such a distinguished audience.  Martin did a very good job at just describing what cyberspace is, what is possible and what is not.  As a policy person, I will not cover those technology details any more.  My everyday job in Estonia is to draft and implement policies to provide better protection for the country in cyberspace.  This is my departure for this issue, as a policymaker.

We have seen information and communications technology as a revolutionary actor in international affairs.  It has empowered many actors, liberated many people, brought freedom and prosperity to many places, and made our lives so much easier.  We should not forget the positive aspects of technology when we start to design security policies.  I agree with Martin that we should not speak of a cyber Pearl Harbor, as cyber people sometimes do, because we have to be balanced here.

At the same time, we have seen a large number of smaller and larger incidents, as well as attacks sponsored by nation states with motives of espionage.  We can now claim that cyber crime is becoming a very serious crime.  The director of Europol was here yesterday.  If you ask him his opinion, he thinks cyber crimes will be one of the major trends in crime for the next 10‑20 years. 

We saw some malicious activities on the internet.  We need some sort of global governments response and ideas for the future.  Since we are at the very beginning of this area, we have not yet reached the point of something very bad happening, causing the loss of human life.  However, it is theoretically possible for you to take down a country with cyber disruption, without putting a soldier’s foot on that territory, if you plan it well and know how to introduce those viruses and malicious codes to the critical infrastructure.  Theoretically this is possible, and I think terrorists know that as well.  Also the militaries of different countries have started to develop cyber weapon programmes.  Most countries are concerned by their cyber defence systems of their governmental and civilian critical infrastructures. 

I was asked by the Chairman to talk about what happened in Estonia in 2007.  I have been talking about this on so many occasions, so will not cover it for too long, but will give you a reminder, in case you have forgotten the news stories from that time.  Estonia relocated the Second World War monument from the central area of Tallinn to the Military Cemetery, because it was a symbol of the occupation and atrocities of the communist regime there.  In conjunction with this relocation, we experienced a massive political campaign that had many elements – the physical destruction of Tallinn downtown, shops looted, and streets and cars burned.  This happened to one of the advanced countries of Northern Europe in 2007.  There were major riots.  There were other elements, like the Nashi group besieging the Estonian Embassy in Moscow, and attacking the car of a Swedish ambassador who went there.  We also saw other elements with economic sanctions. 

Cyber attacks were just one of the elements that we experienced in the three or four weeks following the relocation of the monument.  They lasted for roughly three weeks and included very different levels of professionalism.  They included thousands of targets, some chosen precisely and some very random.  An Estonian public‑private team, not only including the government but private sector people, mitigated the attacks over day and night for three weeks.  The attacks came in waves.  They never knew what was going to happen next.  In a typical military attack, you have some intelligence and know when tanks are moving towards a border and that a missile is coming.  With cyber attacks, it is very hard to know what exactly is coming and in what volume.  You might have some knowledge before, but you never know exactly.  At the time of the attack, you do not know what the motivation is and who is conducting it.  This is something that Martin explained very well: if you want to hide your traces, it is very easy to do so in cyberspace. 

Sometimes people have the feeling that Estonia was down for three weeks, that nothing worked and there was no electricity or water.  This is not true.  The major targets were civilian infrastructure.  The banking system was one; the news media and governmental websites were others.  The major attack method was the denial of service attack, which in human terms means a river 400 times bigger than usual, when your dam is not strong enough to hold it.  Your server is not large enough to handle the floods of data coming, so it blocks your server, websites go down and you have to mitigate that in order to put up your services again. 

To give you a picture of what it means in Estonia if your servers are down, I will throw in some numbers.  You can look up how our e‑government systems work on Estonian websites.  We use a lot of online services.  We basically do not use physical money anymore, but buy car parking and everything with mobile phones.  98% of banking is carried out electronically.  We submit 90% of tax declarations online.  We very rarely use paper, even within government.  In order to send paper to another government office, I use my personal ID card to submit my own codes to another government authority with my electronic signature.  All private and public sector actors in Estonia use this system every day, all the time.  Virtually everybody has this ID card, because it is also used for secure banking and for other transactions between the citizen and state.  Most public services are online in Estonia, too.  You do not have to queue up in the Motor Vehicles Department in Estonia; you just renew your licence online.  That actually works because our society is small enough to manage that personal identification system.  We have 1.3 million people, so the police can handle that.  I was talking to some people from California about introducing that in the US, but it could be very different for them.  Somehow we are like a technology test ground. 

Therefore, what happened during those attacks is that, at some point, we could not access those online services because the servers were flooded.  It was something that added to the moment of chaos, with the riots and the news about the siege of the Estonian Embassy in Moscow.  What the Estonian IT people did was to limit access to the outside world.  Our internet is built as the receiving point of the end connection.  Not many countries can limit their connection to the outside world.  For the major attacks that hit our banks and internet service providers (ISPs) hard, the connection to the outside world was limited, so services could be restored inside Estonia for the Estonian people.  If you were trying to see a web page from the US, you could not.  It told you that the web page was down.  It would seem from the outside that the country was down, because none of the web pages was working, but this was the crisis management measure of last resort, which our IT people used to mitigate these floods of data.

What are the strategic implications of these kinds of attacks?  Firstly, every country has to improve the defence of their own cyberspace.  Secondly, no country in the world can do this alone.  That is the major lesson learned, that we have been stressing from our experience.  We need international cooperation in order to protect the global cyberspace.

What also happened during the Estonian attacks was that the governmental Computer Emergency Response Team (CERT) specialists contacted over 100 countries in the world.  CERT is something similar to the Cyber Fire Department.  In every country there is one at the governmental level.  It is called the National CERT.  So the National CERTs from all European countries, the US, Australia, Japan and everywhere in the world responded very quickly.  They asked their internet service providers to shut down the compromised computers.  Those computers that were attacking Estonia in 2007 came from basically all over the world and were the unprotected hijacked personal computers of the people who did not care to update their virus protection system.  It is called the ‘Botnet’ in cyber terms.  It is an army inside computers that attacks you, but the owner of that computer does not know that his or her computer is attacking another country.  This is the technology part.

Coming back to more strategic elements now, the asymmetry and anonymity of the internet are factors that accelerate  many of the international actors and empower many of the actors that are traditionally not very powerful.  With just a small amount of resources, you can actually buy a decent Botnet to attack your enemy and their computer network.   The prices are small.  A decent Botnet, to destroy someone you do not like, could cost you less than $1,000.  To plan a larger attack, there are cyber mercenaries and cyber proxies, and syndicated underworld cyber crooks to turn to.  They could organise it very well for you.  The only problem is that you have to make sure that they operate in a territory where there are no laws or not many law enforcement officials that govern cyberspace, or where cyber crime is not the subject of criminal investigation.  There are many countries in the world where this is the case.  Theoretically, it is very easy to organise a major cyber attack and get away with it.  We see many smaller cases where actors try to use this cyberpower to achieve their political or economical objectives.  We will see it increasing in the future. 

The Estonian case was the wake‑up call because it was the first case against an entire nation state.  We had the same technically relatively simple attacks or distributed ‘denial of service’ attacks against US websites on 4 July last year.  There are cases where actors try to terrorise or show their asymmetric power for whatever reason.  We will see more of the marginal actors using this method.  We can also find some conclusions from the Georgian military intervention where the cyber methods were used precisely before the military attacks in order to cut off the ability of the Georgian government to communicate with the world.  There is some nice open source analysis on this.  These occasions are where cyber attacks are part of a military operation.  They will probably not be rare in the future.

What we see now, from the policy side, is that the governments, in addition to protecting their own military and governmental infrastructures, are putting more and more attention on the protection of the civilian critical infrastructure.  We all depend on the privately owned civilian infrastructure.  In democratic countries, approximately 80% of the critical infrastructure is privately owned.  There is now a big debate in the field called the ‘Critical Information Infrastructure Protection’ (CIIP) - or ‘cybersecurity,’ which is a longer civilian type of word - and most of the experts in our community are very concerned with this.  Policy‑makers exchange their best practices and consult with each other on this.  This is an emerging field in cybersecurity.

Governments here have a huge challenge.  They need to find a model to protect their cyberspace in a situation where 80% of it does not belong to the government.  Every country has its own approach.  Some governments are already working on dialogue with the private sector in terms of public‑private partnership.  Some of them have just started.  In Estonia, we have also responded to our need to strengthen cyberspace, so in 2008 we drafted the Estonian Cybersecurity Strategy.  I had the opportunity to lead the process in Estonia of putting together the national cybersecurity strategy.  Our strategy strongly stresses the need for the Critical Information Infrastructure Protection, the raising of awareness of the whole society on cyber issues; educational programmes have been introduced.  The international cooperation is also very important.

In order to understand what is now happening in cyberspace, we can break it down to different levels.  Cyberspace is everywhere.  There is no national cyberspace; it is a global phenomenon.  At the global level, we talk about the possible disruption of global cyber infrastructure that brings a lot of economic losses.  At the national level, we are afraid of asymmetrical attacks by non‑state actors and sometimes by state‑sponsored actors.  At an industry and company level, we know that some of the economic sectors are under heavy attack all the time.  They have to invest extra money into their investigating teams in the banks, for instance.  The banks are the most common subjects for the cyber attacks.  Sometimes the economic actors of the companies have the problem of hiding the fact that they have been breached.  They therefore invest more and more into countermeasures.  Together with law enforcement officials, they try to mitigate cyber crime.

At an individual level, we have a situation where harmless people do not know that their own PCs are being used to attack other countries.  We also have cases of identity theft, and other issues of social engineering.  For example, someone might use your email in order to get to your network.  You click on a link that has been sent by a false email sender, and then the virus spreads to your network.  This virus collects your government data and sends it somewhere.

According to this conceptualisation, we can have responses at different levels.  The good news for the state people and the policymakers is that the nation state is still the prime international actor that has the responsibility to draft the policies and to carry them out.  At the global level, we can enhance the cooperative efforts in order to prevent the worst types of cases happening in cyberspace.  We have to make sure that all the international mechanisms that are now in embryonic state will be developed further.  At a national level, we have seen many national strategies that have been drafted.  There have been many new laws, and law enforcement capabilities are now very important at the national level in order to fight cyber crime.


Most of the burden sharing falls on economic actors in our societies.  The companies are the ones who are attacked.  The cyber criminals are active; they are growing.  They know all the safe havens where they can operate freely.

We talked about the international cooperation after the Estonian attacks, which we thought was the most important part of this element, together with the national protection.  There are some very good international initiatives that are already in place.  First we have the only legal international instrument.  It is already quite old.  This is the Council of Europe Convention on Cybercrime.  The Cybercrime Convention is a litmus test on the willingness of the countries to actually deal seriously with the problem.  Once they have signed and ratified it, it shows that they are serious about the issue.  We then have the European Union CIIP policy and the first pan‑European exercise coming up this autumn.  We have the Meridian process and other expert-level forums to exchange information and carry out consultations.  We have NATO cyber defence policies.  All sorts of international frameworks are good, but they need to be bolstered and they need to be given more importance.  Awareness and events such as this are therefore very important.

To end my speech, I would like to warn the policymakers that we should not militarise the issue.  It might happen that after the big event - which might also be part of a military operation - there is the threat that the arms control type of treaty idea is spreading around the world, but arms control does not work in cyberspace.  It is still a civilian issue, and we have to approach it from the economic and civilian side.

François Heisbourg

Thank you very much.  There is much food for thought, and indeed many convergences between the two of you.  Overall, a rather different atmosphere to the overheated speeches we sometimes get on this topic, especially when the people who give the speeches have a direct vested budget, bureaucratic or industrial interest in hyping up certain types of solutions.
