Cybersecurity's new world order
A year after massive cyberattacks virtually shut down Internet operations in Estonia, government officials here and abroad are still learning to adapt to a world in which technology, diplomacy and defense converge.
Cyber experts say the event exposed the challenges that cybersecurity poses to an international security system designed to deal with symmetric, physical threats from countries. Stolen data, malicious code and programming can become weapons of mass destruction in the 21st century, or what the leader of the Air Force’s Cyber Command calls “weapons of mass disruption.”
The attacks in Estonia began in late April 2007 when protesters became incensed over the Estonian government’s plans to move a Soviet-era statue and soldiers’ graves in Tallinn, the capital of Estonia, to new locations outside the city center. By taking their demonstrations to the Internet, the attackers disrupted the Baltic nation’s economy.
For weeks after the physical unrest subsided, Estonian authorities, working with other European Union and NATO allies, struggled to defeat a series of coordinated cyberattacks. The attacks came from 75 jurisdictions around the world and forced key Estonian government Web sites, media outlets and financial institutions off-line.
The tactics included botnet attacks, in which computers, hijacked and controlled remotely, were used to overload the country’s information technology infrastructure. Instructions for the attacks were posted on Russian Web sites. However, because of the complex architecture of the attack, in which communications passed through servers in several countries, security experts could not prove who ultimately was responsible.
Pinning down the origins of a cyberattack depends on diplomacy as much as technology.
“When it comes to the attribution of botnet attacks, then technologically, we have to admit it’s very complicated and it requires really deep international cooperation and thorough investigations,” said Lauri Almann, Estonia’s permanent undersecretary of Defence. Russia refused to cooperate with Estonia during its investigation and failed to take down the attack instructions that were posted on Web sites in Russia, he said.
The diplomatic, military and legal questions raised by the attacks in Estonia are not limited to Eastern Europe. Serious questions regarding how cyber incidents should be treated by NATO, an organization based on the common defense mentality that an attack on one is an attack on all, were raised and alliances were tested.
“Not many people, including lawyers, have been dealing with those questions very extensively,” Almann said in an interview during a recent trip to the United States.
Meanwhile, the implications were not lost on U.S. officials.
“The attacks on Estonia are simply one example of what any government of any country could face if determined terrorists…decided they wanted to carry out cyberattacks against our institutions,” Homeland Security Secretary Michael Chertoff said at a conference earlier in April.
Blurred lines
When .mil and .gov networks come under attack, the federal government’s first challenge, before deciding the appropriate response, is to assess the scope of the attack.
The problem is that those incidents often span governmental borders.
“When you get a bad hacker or group of hackers, they’re not just going to hack in the Department of Defense,” said Doris Gardner, an FBI special agent, who previously led the bureau’s cybercrime squad in North Carolina. “They are going to hack [the Energy Department] and NASA and other government agencies. They’re not going to just stop and be confined to one agency.”
In those cases, how do federal officials determine whether the incidents are related? And who takes charge of the response: the FBI, the Defense Department or the intelligence community?
“A lot of times you can’t tell right off the bat,” so people have to sort out whether it is a law enforcement incident, a national security incident or something else, said James Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies.
Those uncertainties underscore the importance of collaboration and information sharing among agencies, activities that are a focus of the Bush administration’s classified cybersecurity initiative.
“The cyber initiative tries to leverage all of those agencies into a comprehensive strategy,” said Robert Jamison, undersecretary of the National Protection and Programs Directorate at the Homeland
The Bush administration is also seeking to boost the capabilities of the Einstein program, a federal network-monitoring system run by the U.S. Computer Emergency Readiness Team, a part of DHS since 2003.
But better monitoring is not the only answer. Under the cyber initiative, the administration recently established the National Cyber Security Center, also run by DHS, which will coordinate the prevention and response efforts of federal agencies.
“That center is going to play that coordination role to give us that comprehensive situational awareness across those operating areas,” Jamison said.
An international agenda
In a meeting this month in Bucharest, Romania, leaders of NATO’s member countries committed to a common Policy on Cyber Defence. The policy emphasizes that NATO members must be prepared, upon request, to help an ally counter a cyberattack.
However, implementing a common cybersecurity strategy might force the alliance to confront a tough question: When does a virtual attack warrant a military response?
Article 5 of the NATO treaty states that among the member countries, “Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all.”
Understanding that language in the new context of cyber aggression poses a challenge.
“We have to be able to answer the question, ‘What does a possible cyberattack mean in the context of Article Five?’” asked Estonia’s Almann. Depending on the results of such an attack, the international community must be ready to accept that a country could invoke the treaty, he said. Estonia did not make such a request, he added.
Several United States agencies, including DHS, the FBI and the Commerce Department, regularly cooperate with international partners to track, investigate and prosecute cyber incidents. For example, the FBI works through 75 attaché offices around the world to coordinate with foreign counterparts.
But such efforts could be stymied if an attack passes through a place where such activity is not considered illegal. “If [investigators] can’t get the logs from that computer to determine origin or if they were just a pass-through, then our investigation is over,” the FBI’s Gardner said.
Another challenge is that the evidence needed to prosecute cybercrimes often resides on private systems that companies need to keep online to stay open for business, said Thomas Fuentes, FBI’s assistant director of international operations. The United States must also persuade foreign counterparts that cooperating on cybercrime and cybersecurity investigations is in their best interests, he said.
Treaties and beyond
The federal government is working on several fronts to strengthen cybersecurity policies around the world, recognizing, as one State Department official put it, that cybersecurity is a problem of the weakest link.
The State Department began its international outreach efforts in earnest in 1998 through the United Nations, the Asia-Pacific Economic Cooperation group and the Organization of American States after the Clinton administration identified the importance of cybersecurity in Presidential Decision Directive 63, which deals with securing critical infrastructure.
Through the International Watch and Warning Network, State works with 15 allies, including European countries, South Korea and Japan, to work on policies dealing with cyberthreats, cybercrimes and related concerns.
Twenty-two countries, including the United States, have ratified the Council of Europe’s Convention on Cybercrime, which represents the primary international treaty on crimes committed via the Internet and other computer networks. Another 22 have signed the treaty but not ratified it.
U.S. officials promote the convention as a common framework for dealing with cybercrime. However, legal experts say putting its principles into practice is complicated by the relative dearth of international case law regarding cybercrime.
The Justice Department works with an international team that was originally formed in 1997 by a forum of the governments of Canada, France, Germany, Italy, Japan, Russia, the United Kingdom and the United States. It provides participating countries around the world with legal advice on cases that involve cybersecurity and electronic evidence. Justice also helps countries develop national cybercrime laws.
In a similar development, computer emergency readiness teams here and abroad have developed information sharing agreements. The US-CERT plays a leading role, but cooperation is not limited to government channels.
One well-known effort is the CERT Coordination Center located at Carnegie Mellon University. Jeff Carpenter, technical manager of the center, said that during an international cyber incident, organizations have an opportunity to come together through a network of CERTs.
Personal relationships are vital when dealing with cyber incidents, said Derrick Scholl, chairman of the steering committee for the Forum for Incident Response and Security Teams, a global partnership of public- and private-sector computer response teams.
“When representatives of different governments interact, they are agents of a particular nation,” said Scholl, who is also security coordinator for Sun Microsystems. “In the security space, we are members of corporations, universities, government agencies and individuals.”
Cyberthreats do not fit neatly into frameworks laid out by governments or international organizations, and the private sector has to be a key component of any cyber strategy, said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit organization that assesses the economic and strategic effect of cyberattacks.
Meanwhile, Chertoff has expressed similar sentiments and asked the private sector for assistance.
“Because we have such a widely distributed set of cyber capabilities, and therefore such a widely distributed set of potential cyber vulnerabilities, the protection of these systems is not exclusively or even primarily a government function,” Chertoff said.
“It is a function which those in the private sector have a responsibility to engage in partnership with us, because the failure of any single system has repercussions and cascading effects across the entirety of our nation and our economy,” he added.