Original URL:
http://www.theregister.co.uk/2011/04/25/estonia_cyberwar_interview/
Cyberwarriors on the Eastern Front: In the line of fire packet floods
Former senior Estonian defence official talks cyberwar with El Reg
By John Leyden
Posted in Enterprise Security, 25th April 2011 09:00 GMT
Interview Estonian government ministers and officials deep in a crisis meeting
about riots on the street in April 2007 were initially nonplussed when a
government press officer interrupted a briefing to say that he was unable to
post a press release.
The initial reaction was "why are you bothering us with this" explained Lauri
Almann, permanent undersecretary at the Estonian Ministry of Defence at the
time told El Reg. "It was only when he said 'No you don't understand, I think
we are under cyberattack' that anybody took notice," Almann explained.
Estonia, a small country of around 1.3 million people bordering Russia and the
Baltic Sea, has moved swiftly since independence in 1991 to develop an advanced
network infrastructure for the delivery of both government and financial
services. The country completely skipped the phase of banking involving
cheques, for example, so that the vast majority of its citizens use online
banking to pay bills and carry out other day-to-day tasks. The disruption when
these facilities abruptly ceased to work was therefore all the more severe.
Cyberblitz
Both government and private sector systems in Estonia came under fierce
cyberassault in April 2007. This coincided with street-level riots that
accompanied the relocation of World War II (Soviet era) memorials. The riots
pitted ethnic Russians in the country against ethnic Estonians and the police.
The denial of service attacks that kicked in around two days after the street
protests began left important government, banking and news media websites
unavailable. The unavailability of government and news media websites was
important because it prevented the government getting information out at a time
of crisis. Estonia does not have BBC and CNN bureaus and the culture of using
the radio to get news, if all else fails, isn't as ingrained there as it would
be in the UK, for example. More Estonians rely on the web for news so the
attacks left them deprived of updates.
The first wave of "brute force" packet flooding assaults was followed by more
sophisticated attacks, including website defacement, and site takeovers. For
example, a fake apology over the relocation of the monuments was posted on the
website of one political party.
In total the attacks lasted around three weeks. "It could have been much
worse," Almann explained. "We thought they might go on for up to three months.
Technically the attacks we faced were nothing special," he added.
In the line of fire
Estonia responded to the cyberattacks, in part, by increasing bandwidth and
organising backup hosting for government websites. The process of replicating
content in the midst of the ongoing attack was unsurprisingly difficult. "Many
countries refused to take our sites because they said that would put them in
the line of fire," Almann said.
Speculation since the attacks, a landmark event in computer security, suggest
they were fermented in the "Russian blogosphere" and may have involved criminal
hackers turned patriots.
Some have suggested that the Russian government may have played a role in
encouraging these attacks, a charge dismissed by the Kremlin. Estonian Foreign
Minister Urmas Paet, for example, pointed the finger of blame [1] for the
attacks directly at the Kremlin.
A question of attribution
Almann was more circumspect. An estimated 1 to 2 million compromised machines
in 100 different jurisdictions, including the Vatican, were used in the
cyberattacks against Estonia. The use of botnets, which can be rented and paid
for anonymously on the digital underground, makes tracing the real source of
attacks difficult if not impossible.
Instead of relying on purely technical attribution to find a "smoking gun"
political and legal attribution also has a role to play.
Almann said that many countries helped Estonia at the time of the attacks with
one important exception – Russia. "Russia failed to help put out the attacks.
Repeated requests for assistance were denied, sometimes for obscure legal
reasons," he told El Reg.
For example, Estonia and Russia have an agreement covering the investigation of
cross-border crime which covers the exchange of info as well as the extradition
of suspects who might decide to skip over the border to avoid justice. "Treaty
requests for information at the time of the cyberattack were repeatedly refused
or not acted upon. This refusal to co-operate provides political attribution
for the attacks," Almann said.
Clueless spotters green-lit porn site for cyber carpet bombing
Just one person, an ethnic-Russian Estonian national, has been charged and
convicted of the attack. Dmitri Galushkevich, 20, was fined the local
equivalent of $1,200 after he was convicted of attacks against the Reform Party
of Estonian Prime Minister Andrus Ansip.
"He was not accountable as an organiser but a schoolboy providing targets via
chat forums," Almann explained, adding in some instances the attackers were
misdirected by their spotters on the ground.
One wave of attacks, for example, took out an adult entertainment (porn)
website instead of an Estonian state security site.
Estonia's analysis of the attacks reveals that small-scale ping attacks, used
to carry out reconnaissance of targets, preceded the main assaults, which came
in phases. "The main phase of the attack involved voluntary political botnets,
predominately located in Russia, which Almann described as "easy to block", as
well as assaults of growing sophistication from compromised machines around the
world.
The attacks against Estonia, the first of their kind on a country-wide level,
have been studied intensively by military planners since. In 2008, cyberattacks
on Georgian websites and communication facilities accompanied a ground war
between Russia and Georgia.
Estonia, along with Poland, stepped in to offer backup hosting of Georgian
government website. Almann argues this process needs to be more organised. "We
need pan-European backup hosting for critical websites," he said.
Rules of engagement
Almann reckons that rules for the investigation of cyberattacks need to be
established by more countries signing up to the Council of Europe Convention on
Cybercrime. Russia and China and several other key countries have not signed
the treaty while some countries in Europe, including the UK, have signed but
not ratified the regulations.
Russia might be encouraged to sign the treaty by making it a condition of World
Trade Organisation negotiations, he suggested, adding the issue of
cyberconflict ought to be on the agenda of G8 talks that include Russia and the
world's seven biggest economies.
Some observers have suggested that a Geneva Convention for cyberwar might be
needed, an idea Almann regards as a non-starter even though he's equally
adamant that cyberwar is all too real.
"With applications such as Stuxnet attacks are growing more sophisticated,"
Almann said. "There are really serious capabilities out there."
"However banning the use of cyberweapons is not realistic. Cyberwar is out
there and everybody is involved."
Offence is the best form of attack
Plenty of governments talk about boosting the capability of their
cyber-defences but very few, at least publicly, talk about cyber-offensive
capabilities. Cyber-offensive capabilities might involve attacking a particular
botnet of compromised PCs or disrupting the communication channels an enemy is
using to co-ordinate attacks. Almann reckons most countries are developing
cyber-offensive capabilities. "Sovereign nations need the capability. It's
unavoidable," he said.
However establishing rules to govern the use of such weapons is something else,
in Almann's opinion.
"A Geneva convention for cyberwar is not going to work," he said. "I'm a lawyer
and I wouldn't know what to write. The field is so fast-developing that you are
going to get it wrong.
"This is not burning issue and shouldn't divert attention from dealing with
shortcomings of critical national infrastructure systems," he added.
Preparing for the next cyberwar
Preparations for cyber-defence include running cybersecurity exercises and
establishing what Almann described as "matrices of co-operation". He said:
"It's better to have many people working together, and the ability to delegate
decisions, than a cyber-czar," adding that Estonia was establishing an
independent cyber unit in its equivalent of the voluntary part-time Territorial
Army (the US equivalent would be National Guard).
Russia, by contrast, appears to have used a militia of criminal hackers to
fight its battles, at least if rumours over the cyber-conflict in Estonia and
Georgia are to be believed. Almann said this approach was dangerous.
"Provide the [modern equivalent] of letters of mark to cyber-profiteers,
entitling them to loot or pillage when they are not working for you, is
dangerous," Almann said. "Criminals can easily turn against you."
But what are cyber-defenders preparing for, exactly? The UK's defence review
last year placed cyberattacks on a par with international terrorism as the
greatest threats facing the UK, a judgment Almann agreed with.
Almann argued that "every military conflict is going to have a cyber-component"
in future. "There are sophisticated attack scenarios but normally you never
want to truly knock out your enemies' network because then you eliminate the
battlefield. Instead you want to create confusion and misinformation," he said.
Cyberwar would not be limited to nation-state against nation-state conflicts,
with insurgency-style cyber-conflicts also more than possible.
"The opportunities to attack in cyberspace are huge for anyone with
imagination," he said.
The former top-ranking civil servant turned lawyer and university lecturer
spoke to us of phishing, espionage and attacks more sophisticated than those
faced by Estonia as among the threats, which might come from terrorist groups
such as Al Queda as well as state-sponsored hackers or intelligence agencies.
"You should never prepare for the last war," he concluded.
Some have criticised the debate on cyberwar for focusing on Hollywood-style
attack scenarios of lone hackers taking out power grids, for example. However
Almann reckon that cyberdefence brainstorming sessions are best run in an open
environment where even "crazy ideas" can be suggested.
"You need to come up with the meanest scenarios before you discuss whether they
are realistic or not," Almann said.
Almann, an experienced lawyer and diplomat, would be the first to admit he's
not a technologist. For an expert take on what the real – as opposed to
Hollywood-inspired – threats in cyberspace might be, we asked Chris Wysopal
(AKA Weld Pond), a former member of Boston-area hacking collective L0pht,
turned founder of application security firm VeraCode. Members of the group
famously testified before Congress in May 1998 that they would be able to take
down the internet in 30 minutes using shortcomings of the BGP routing protocol
that were endemic in international telecom networks at the time.
Although that particular hole has long been plugged, it remains the case that
critical infrastructure systems are wide open to attack, Wysopal told El Reg.
"The only safe way is to air-gap critical infrastructure systems," he said,
adding that removable media also posed a big threat from information leakage,
as the WikiLeaks case illustrates.
Wysopal agreed with Almann that most countries are developing offensive
cyber-capabilities, even if they don't like to talk about it. "The equivalent
of special forces units are building [cyberwar] tools. Meanwhile countries are
training soldiers, the equivalent of infantry, to use those tools," Wysopal
said, adding that he reckons any country with nukes is also likely to have
offensive cyberwarfare capability.
"Cyber-weapons can be used to amplify the effects of other attacks or carry out
cyber-sabotage, like Stuxnet. It takes an army to carry out cyberwar because
there are hundreds of targets."
Attackers have a built-in advantage over cyber-defenders because of the
"asymmetrical" nature of cyberwar, he concluded.
"Defence needs to plug all the holes, while those on the offence only need to
find one," he said. ®
Links
• http://www.csmonitor.com/2007/0517/p99s01-duts.html
_______________________________________________
Infowarrior mailing list
[email protected]
https://attrition.org/mailman/listinfo/infowarrior
