"Cyberwar" in Estonia

I had been thinking about writing about the massive distributed-denial-of-service attack against the Estonian government last April. It's been called the first cyberwar, although it is unclear that the Russian government was behind the attacks. And while I've written about cyberwar in general, I haven't really addressed the Estonian attacks.

Now I don't have to. Kevin Poulsen has written an excellent article on both the reality and the hype surrounding the attacks on Estonia's networks, commenting on a story in the magazine Wired:

Writer Joshua Davis was dispatched to the smoking ruins of Estonia to assess the damage wrought by last spring's DDoS attacks against the country's web, e-mail and DNS servers. Josh is a talented writer, and he returned with a story that offers some genuine insights -- a few, though, are likely unintentional.

We see, for example, that Estonia's computer emergency response team responded to the junk packets with technical aplomb and coolheaded professionalism, while Estonia's leadership … well, didn't. Faced with DDoS and nationalistic, cross-border hacktivism -- nuisances that have plagued the rest of the wired world for the better part of a decade -- Estonia's leaders lost perspective.

Here's the best quote, from the speaker of the Estonian parliament, Ene Ergma: "When I look at a nuclear explosion, and the explosion that happened in our country in May, I see the same thing."

[...]

While cooler heads were combating the first wave of Estonia's DDoS attacks with packet filters, we learn, the country's defense minister was contemplating invoking NATO Article 5, which considers an "armed attack" against any NATO country to be an attack against all. That might have obliged the U.S. and other signatories to go to war with Russia, if anyone was silly enough to take it seriously.

Fortunately, nobody important really is that silly. The U.S. has known about DDoS attacks since our own Web War One in 2000, when some our most trafficked sites -- Yahoo, Amazon.com, E-Trade, eBay, and CNN.com -- were attacked in rapid succession by Canada. (The culprit was a 15-year-old boy in Montreal).

As in Estonia years later, the attack took America's leaders by surprise. President Clinton summoned some of the United States' most respected computer security experts to the White House to meet and discuss options for shoring up the internet. At a photo op afterwards, a reporter lobbed Clinton a cyberwar softball: was this the "electronic Pearl Harbor?"

Estonia's leaders, among others, could learn from the restraint of Clinton's response. "I think it was an alarm," he said. "I don't think it was Pearl Harbor.

"We lost our Pacific fleet at Pearl Harbor."

Read the whole thing.

Posted on August 23, 2007 at 1:18 PM • 15 Comments

Comments

AnonymousAugust 23, 2007 2:48 PM

Oh Yeah, Politicians and their sense in reality. I've always thought of Ene Ergma as a smart woman, but hey, this comment just blew me away, is she for real. Great article

Andrew2August 23, 2007 3:20 PM

That quote is quite a bit less insane in context. It's a limited analogy. The point isn't to claim that a cyberattack is as bad as a nuclear attack. The point seems to me to be to show that each can have comparatively subtle side effects, such as radiation sickness, in addition to the more obvious destruction.

HarryAugust 23, 2007 3:23 PM

from Poulson's article "(DDoS barely rated a walk-on role in DHS's comprehensive Cyber Storm exercise last year.)"

Who in his right mind would consider DHS a reasonable standard for what constitutes a likely attack and an effective defense?

RoxanneAugust 23, 2007 8:36 PM

I suppose the real question isn't how good we - in America - are on defense in a cyber war; the question is: Is anyone in America good on offense? And would we - or they - admit it? Hmmm.....

JukuAugust 24, 2007 2:24 AM

Yes. I have been waiting a comment for a long time. Look at the brigth side at least the IT people got it right. Politicians they just "Ei jaga matsu lahti" as we say in Estonia.

KanlyAugust 24, 2007 2:42 AM

> "When I look at a nuclear explosion, and the explosion that happened in our country in May, I see the same thing."

The phrase 'Series of Tubes' comes to mind.

> an "armed attack" against any NATO country to be an attack against all. Fortunately, nobody important really is that silly.

Come on Bruce, use your imagine and we can make some money off this. I'm thinking Jerry Bruckenheimer. I'm thinking the US Government releases the 'Hacking for Jesus' guys from jail in exchange for completing a mission: Save Estonia from Putin. Imagine the slow-motion shots as they swagger to their terminals.

Bruce Willis is Kevin Mitnick. Tommy Chong can play you, Bruce. John Markoff will can be played by the Gimp (and I'm not talking the Wilbur kind).

anonAugust 24, 2007 3:12 AM

@ Kanly

Thanks for the laugh.
I figure RMS as the evil post-communist katana-fanatic hacker reporting directly to Putin.

Hmmm.

Safe Computing TipsAugust 24, 2007 5:33 AM

"Yahoo, Amazon.com, E-Trade, eBay, and CNN.com -- were attacked in rapid succession by Canada. (The culprit was a 15-year-old boy in Montreal)." so where is he now? working with Govt??

StromAugust 24, 2007 6:06 AM

Ah yes, the whole thing was made so dramatic, but in the fear of loosing our independence.

A few days befoe this there was a multi-day riot in the capital Tallinn. Russians broke so much stuff and looted stores. The people who controlled the crowd tried to start a war or just change the government.

The thing is that we've already seen how the russians take controll of a country, they took controll of Estonia in similar way in 1940, while the eyes of the world were on WWII.

So the basic idea here was to get some attention on us, so that the russians can't just sneak in.

erikAugust 24, 2007 6:19 AM

I have been silently laughing into my beard while reading about these "CYBERWAR" incidents. The reactions really are way off the scale, and not in proportion to what happened. Perhaps because these people are lacking the big picture entirely? I wonder what they would really do in a real cyberwar situation?

In an event of a really coordinated and serious real attack the outcome would be really different. What I would for instance myself use would be a worm exploiting a previously unknown vulnerability in the most common operating systems. These appear plenty even nowadays. What mitigates that is that most of them get bought and/or reported by whitehats. There is constantly a lot of stuff that is usable, providing you can get ahold of someone who is good in digging them out. Or, you can simply purchase that component from the markets. A good one could cost you several hundred thousands.

It should also contain ways for penetrating the most common firewall technology (in the field of finding vulnerabilities the attacker has got the advantage of being able to prepare for events like this even for years - there ARE those available providing you have the resources to search) and being able to coordinate from behind NATted networks. Also, it would have heavily optimized propagation algorithms suitable for the targets and payload guaranteeing maximal performance. You can optimize the time slot for activation of payload etc quite reliably by simulations.

The payload would exploit certain bios/acpi/etc APIs to break down the hardware. Yes, it is possible.

In the past you could have used the vga registers to ask impossible things from the CRT monitors, actually damaging them physically and even destroying them. Then they became more intelligent and non-vulnerable. Now, some later TFT panels are suffering from the same again, as they have simplified the devices to control costs. I have seen this actually working myself, this is not speculation.

In the past you have been able to damage HDDs by forcing the heads to lock to transport position and after that issuing commands for still moving them - damaging them physically. Possible again in the past, then not, then perhaps again nowadays possible. Especially the new shock/fall sensors seem quite interesting to me.

What about the other options then? You can control on many hardware voltages by software. You can control clock frequerencies (for instance memory chips can be damaged really fast) of certain components.

One thing that you can do easily for targeted masses is to reflash the BIOSes. Voila. Braindead computers. (Some motherboard chipset bioses can recover that, but there are more things such as hdd and display adapter that can be separately destroyed.)

My point is: Given a few godly vulnerability hunters, resources enough to work for a year or two, associated hardware/software etc required, ANYONE can build a worm that can take down 90% of Internet connected and active computers within 12 hours. There will not be recovering from that for months because all possible supply chains will simply cough in the demands. Now, kids, what happened in Estonia was not really Cyberwar but some silly teen causing telecommunications interference (like driving around with a moped that causes interference lines on your TV set).

RemyAugust 24, 2007 8:34 AM

>Politicians they just "Ei jaga matsu lahti" as we say in Estonia.

Hah-hah! That's so funny. Or idiotic, as we say in US. Or e73jfs2#1!m as we say in our secret little elitist club.

johnAugust 31, 2007 4:06 AM

You guys (or geeks?) seem to think that you are the only ones having a comprehensive view on the whole situation. "Ei jaga matsu?" or "Don't get it?" Apart from the "real thing" or the technical stuff of cyber attacks there was an immense propaganda war going on and that was exactly the context in which the statements of the foreign defence ministers have to be seen. And Estonia won on both fronts!

SausageSeptember 4, 2007 1:54 AM

Remy, just cos Americans don't speak a language doesn't invalidate it. Knob off you ignorant imbecile, as we say in Europe.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.