What governments can learn from the original Russian cyber attack

Ten years after Estonia's Internet came under siege from a Russian botnet in 2007, a group of Estonian officials gathered in Washington D.C. to reflect on how the incident helped shape the future of cyber warfare. 

Estonia is widely regarded as an international model for e-governance. While many nations speak in aspirational terms about radically digitizing government services, the tiny eastern European country can boast that its 1.3 million citizens engage with and access virtually all of their government services online.

With digital services so deeply engrained in Estonia’s economic and governance models, it is perhaps no surprise that it was also one of the first countries to grapple with how to respond to a cyber attack directed by another nation-state, in this case Russia. During a contentious debate about how to move an old Soviet-era statue, the government was dealing with riots and protests. In the early stages of the government’s response, officials realized they couldn’t upload press releases about the topic to the government’s website. Then news websites went down, followed shortly thereafter by banks and financial institutions.

Lauri Almann, who served as permanent undersecretary of Estonia’s ministry of defense, said it soon became clear the country was under a series of attacks from an unknown party. Additionally, Estonia was being hit at all levels – public sector, media and financial institutions. One of the first and most crucial decisions made, he said, was to be completely transparent with the outside world about what was happening and what the government knew.

While he called the experience “brutal” and “embarrassing,” Almann said it also helped to contextualize the coordinated nature of the attack and open lines of communication with non-governmental institutions.

“People don’t realize that the decision to talk about this, to go public with the attack, it was a conscientious decision. It was debated among principal in government and there was opposition.”

A decade later, governments at times still fail the transparency test around ongoing attacks, but the concept of information sharing in real time is now widely acknowledged as one of the best means of collectively defending against a cyber attack. The U.S. Department of Homeland Security has set up its own Automated Indicator Sharing program to allow public and private organizations the ability to share information in a similar manner.

“You can have good public sector cooperation, but in parallel there’s a huge amount of cooperation that you have to do with the private sector,” said Almann.

Another lesson: Learning what to protect and what you can live without during a cyber attack. Protecting every public and private website or system is impossible, the Estonian experts said, and trying to do so can stretch defensive resources to the point of being counterproductive.

“It was serious, there were some sites that were down, but [we] were prepared in that we made these decisions about what was important and what wasn’t,” said Merike Kaeo, Chief Technical Officer of Farsight Security and an Estonian citizen who participated in the government’s response. “What had to stay up and what didn’t. ”

Today, the concept of viewing cybersecurity through the lens of risk management forms the linchpin of many federal CIO cybersecurity strategies.

Finally, Estonia dealt with a common problem facing most cybersecurity victims: attribution. The government was confident that Russia was behind the attacks, but struggled to put together technical evidence, since the attack was a distributed denial of service attack from a botnet using computing devices around the world. Furthermore, Almann said many of the nation’s politicians charged with publicly responding to the attack lacked the technical expertise to properly understand and explain what evidence they did have.

Eventually, officials learned not to rely on digital forensics, but rather on other indicators that could more easily demonstrate their suspicions. For example, once Estonia put out the word about the attack, officials identified the IP addresses and host nations for every one of the devices used in the attack. Investigators eventually identified 175 jurisdictions around the world that hosted at least one of the devices used in the attack. Ultimately, they were able to communicate with and receive cooperation from all the countries that hosted those devices except one: Russia.

“For every denial from Russia, we should have come back and said why can’t you do it? We wanted to escalate the discussion more and more,” said Almann.

Attribution has only become more difficult in the last 10 years, as hackers have learned how to effectively mimic other organizations and nation states. Juhan Lepassaar, head of cabinet for vice president of the European Commission Andrus Ansip, said attribution becomes increasingly tricky as nation states begin to consider digital and non-digital forms of retribution for state-sponsored hacks.

“What about in international trade or economy where you have a player that doesn’t play by the rules? ” Ansip asked. “Do you then use your economic weaponry to respond appropriately?”

That’s a question that the U.S. government continues to debate today. In September, White House Homeland Security Advisor Tom Bossert argued that nation states that conduct large-scale cyber-attacks should see “real-world” consequences, presumably referring to diplomatic, economic or military retribution.

“I think what we’ll do on the deterrence side is end up figuring out a means and method outside cybersecurity to apply elements of national power to punish bad behavior commensurate with offense,” said Bossert. “We want to punish in a way that is real world, not cyber.”