News Analysis: How Vulnerable Are Countries To Cyberattacks? Ask Estonia!

By Ahto Lobjakas

Photo caption: Defense Minister Jaak Aaviksoo called "cyberattacks" a threat to Estonia's national security (AFP)

TALLINN -- You don't know what you've got until you lose it. Rarely has the truth of that adage been driven home at a national scale as forcefully as in Estonia during the weeks that followed April 26, 2007.

A little over a year ago, Estonia became the first country in the world to come under a broad and sustained attack from the Internet. Beginning on April 27, and continuing for several weeks, anonymous foreign networks comprising hundreds of thousands of computers repeatedly disabled Estonia's Internet servers used by the government, banks, media, and other organizations by bombarding them with information requests.


Life in the Internet-saturated country was severely disrupted.


The Estonian government accused the Kremlin of calling the attacks in retaliation for the removal of a Soviet World War II memorial from central Tallinn on April 26. NATO became alarmed, and Estonia now spearheads efforts within the alliance to cope with the threat of what has become known as "cyberattacks."


Hillar Aarelaid, the director of Estonia's Computer Emergency Response Team, was to say later that during the two peaks in the attacks -- on May 10 and May 15, 2007 -- Estonia first lost 50 percent of its "bread, milk, and gasoline" for 90 minutes and then again 75 percent of the same commodities for another five minutes.


During these two episodes, the attacks, simultaneously harnessing as many as 1 million remotely controlled computers across the world, infected with malicious software without their owners' knowledge, brought down the Internet servers of Estonia's biggest bank, Hansapank, among others. People paying for their gasoline, milk, and bread -- not to mention other purchases -- suddenly found that their bank cards didn't work.


It was a rude awakening for a country where connectivity is a way of life. Peeter Marvet, a leading independent information-technology (IT) analyst, tells RFE/RL that he frequently makes this point to foreign visitors by paying by card for minor purchases such as a cup of coffee. He reminds them that when they chat via Skype -- the Internet service for making calls and exchanging messages free of charge -- they are using software that was originally developed in Tallinn.


People parking their cars in Tallinn routinely pay by text message. Free wireless Internet is ubiquitous, as are people using laptops in cafes and restaurants.


This is not to mention something as basic as access to information, public or private, for which the Internet has become the sine qua non. Estonia has an "e-government" -- government meetings now involve no paperwork. Its public administration has become an "e-state" -- people vote, pay their taxes, and perform a multitude of other operations via the Internet. Outside office hours, teachers and pupils are linked into "e-schools."


So it is no wonder that when Estonia came under cyberattack it decided to take the matter to NATO, of which it has been a member since 2004. Defense Minister Jaak Aaviksoo said at the time that the cyberattacks were a threat to Estonia's national security and likened their effect to a blockade of a country's sea ports.


From the start, Estonia sought to implicate the Russian government in orchestrating if not ordering the onslaught. However, the nature of such attacks makes it virtually impossible to track the real culprits as the computers used in them participate as "zombies," controlled by means of malicious software installed illicitly unbeknownst to their owners.


Given the difficulty of knowing who is behind cyberattacks, NATO has responded coolly to Estonian pressure to qualify cyberattacks as something that could trigger the alliance's collective defense clause. NATO made its position clearer this year, at its April 2-4 summit in Bucharest, where the alliance committed itself to provide assistance to members under cyberattack but said the member states themselves remain responsible for protection of their critical infrastructure.


One senior civilian NATO official dealing with the issue told RFE/RL in March that Estonia's response to the 2007 attacks was so effective as to preclude the need for drastic NATO action. He said NATO experts summoned by Estonia during the weeks of the attacks had learned "at least as much" as they had contributed in terms of advice.


NATO Secretary-General Jaap de Hoop Scheffer has repeatedly called Estonia "NATO's most IT-savvy nation."


He has also indicated NATO would welcome an Estonian lead role in cyberdefense. This role is likely to be formalized shortly, as Estonia is about to win NATO accreditation for a path-breaking Cyber Defense Center based in Tallinn.


Even before the 2007 attacks, Estonia had started work on the center and had applied to NATO to have it recognized as a "NATO Center of Excellence." Although such "centers of excellence" are not part of the alliance's command structure, they can and do play an important role in shaping alliance policy and capabilities. Officials in Tallinn say NATO will formally give the Estonian Cyber Defense Center its imprimatur on May 15.


It seems likely that NATO has not said its last word on cyberattacks yet. Although the debate within the alliance has, for the time being, subsided, officials acknowledge the seriousness of the threat. A NATO general working with cyberdefense policy noted in a briefing in March that the alliance is committed by its statutes to protect the stability, prosperity, freedom, and shared values of its allies, as well as civilization. "A massive cyberattack could be a threat to them all," he said.


De Hoop Scheffer is also wont to describe cyberattacks as a "21st-century threat" for the entire alliance.