In a previous post, “CERTs to the rescue”, I highlighted how various CSIRTs around Europe assisted Estonia in dealing with a series of ongoing cyber attacks. A number of subsequent media articles reported that Estonia felt Russia had initiated cyber warfare against it.
Subsequent analysis of the attacks still leaves a lot of unanswered questions. Yes, some of the IP addresses were traced to machines located within Russia. Indeed, there are claims that some of those machines were located within the Kremlin. However, attacks were also sourced from IP addresses in other countries, including the United States and South Korea.
Jose Nazario from Arbor Networks conducted an analysis of the IP addresses observed in the data gathered by their Atlas system, in which he highlights that the attacks cannot be proven to have been sponsored by Russia. Indeed, in an interview Jose Nazario concedes that while the IP addresses do not prove Russia mounted these attacks, they also do not exonerate Russia. On the other hand, the Asymmetric Threats Contingency Alliance (ATCA) claims it has evidence proving Russia colluded with the owners of various botnets to carry out these attacks.
Traditional talk about cyber warfare or cyber terrorism has focused on attacks against traditional critical infrastructure targets. These targets have typically been the Supervisory Control and Data Acquisition (SCADA) systems which control items such as power supply grids, water treatment plants, sewage works etc. What is interesting to note in Estonia’s case is that the Internet itself is its critical infrastructure. Estonia is well known and applauded for its progressive adoption of technology in boosting its social and economic fabric, so much so that the country is known as E-stonia. Therefore the attackers did not need to target the traditional SCADA systems in order to wreak havoc on Estonia’s critical infrastructure and its economy. The attacks were only against a select number of targets, namely some banking, government and newspaper sites. However, the volume of traffic generated resulted in chaos for the rest of Estonia’s online businesses and citizens.
The success of these DDoS attacks is a worrying issue for us all. The fact that a country’s infrastructure could be so badly impacted by a concerted DDoS attack demonstrates how easily our reliance on the Internet can be exploited. How many of us conduct parts of our personal and business lives online? How badly impacted would your business be if email, online banking or your e-commerce systems were unavailable for prolonged periods of time?
The other advantage botnets give the attacker is the difficulty of tracking down the true aggressor. This gives plausible deniability to whoever the finger is pointed at. Did Russia start these attacks, or was it the innocent victim of a botnet that subsequently attacked its neighbour? Indeed, could a third party have instigated the attacks in the hope that Russia would be blamed, in order to increase the tension between Russia and Estonia?
Despite some claims that these attacks are the first case of cyber warfare, this is not necessarily the case:
- The United States has admitted to using cyber warfare in the Kosovo conflict.
- China has been accused of concerted attacks against US government systems, in a campaign otherwise known as Titan Rain.
- In 2005 the UK NISCC stated that foreign powers are the main cyber threat to the UK’s critical network infrastructure.
- Regional conflicts, such as those between India and Pakistan and the Israeli-Palestinian conflict, have also led to online attacks by each side against the other.
Whether the attacks were state sponsored or the work of activists, they highlight that botnets are moving up the food chain from being spam distribution agents and may now be considered cyber weapons of mass destruction. Will we now have a cyber arms race, with nation states building their own botnets in order to have the capability to bring down a rival nation’s Internet infrastructure? Will these botnets become the equivalent of the nuclear deterrent of the Cold War?
The use of botnets and the threat of cyber warfare also leave us with the question of how we defend our nation’s critical infrastructure from a concerted attack by individuals, groups or other nation states.
While Estonia was able to call on the CSIRT community and NATO to assist it in dealing with the attacks, other countries may not have the same resources available to them. Also, in a lot of countries most of the Internet infrastructure is owned, managed and secured by private industry.
As with everything, the answer, I believe, lies in cooperation and preparation. Government and industry need to agree on channels of open communication through which issues can be highlighted and addressed quickly. Plans setting out roles, responsibilities and agreed actions need to be agreed and put in place so they can be invoked in a time of crisis. Simulations of attack scenarios need to be played out to test the defences. Constant vigilance, awareness and research into the potential threats and their sponsors are also required.
We may never see a digital Pearl Harbour, but I am sure we will see many more digital skirmishes.