Must-read story in the New York Times today about the cyberattack on Estonia of the last few weeks, a wake-up call for everyone -- for individuals as well as governments -- about cybervulnerability and electronic warfare. The attacks started in the wake of the Estonian authorities' decision to relocate a Soviet-era World War II memorial. Keep in mind that Estonia is one of the most wired countries in the world. It's the kind of place where, when President Bush visits, he receives a Skype phone -- the Skype software was developed there -- as the government's official present (see these previous posts). As the NYT writes, for people there "the Internet is almost as vital as running water; it is used routinely to vote, file their taxes, and, with their cellphones, to shop or pay for parking". I don't have the time to elaborate today and will come back to this in a few days, but here are the key excerpts of the NYT story (also published in the IHT):
What followed was what some here describe as the first war in cyberspace, a monthlong campaign that has forced Estonian authorities to defend their pint-size Baltic nation from a data flood that they say was set off by orders from Russia or ethnic Russian sources in retaliation for the removal of the statue. (...) The Russian government has denied any involvement in the attacks, which came close to shutting down the country’s digital infrastructure, clogging the Web sites of the president, the prime minister, Parliament and other government agencies, staggering Estonia’s biggest bank and overwhelming the sites of several daily newspapers. “It turned out to be a national security situation,” Estonia’s defense minister, Jaak Aaviksoo, said in an interview. “It can effectively be compared to when your ports are shut to the sea.” (...) The first digital intruders slipped into Estonian cyberspace at 10 p.m. on April 26 (...) By April 29, Tallinn’s streets were calm again after two nights of riots caused by the statue’s removal, but Estonia’s electronic Maginot Line was crumbling. In one of the first strikes, a flood of junk messages was thrown at the e-mail server of the Parliament, shutting it down. In another, hackers broke into the Web site of the Reform Party, posting a fake letter of apology from the prime minister. (...)
The bulk of the cyberassaults used a technique known as a distributed denial-of-service attack. By bombarding the country’s Web sites with data, attackers can clog not only the country’s servers, but also its routers and switches, the specialized devices that direct traffic on the network. To magnify the assault, the hackers infiltrated computers around the world with software known as bots, and banded them together in networks to perform these incursions. The computers become unwitting foot soldiers, or “zombies,” in a cyberattack. (...) The attackers used a giant network of bots — perhaps as many as one million computers in places as far away as the United States and Vietnam — to amplify the impact of their assault. In a sign of their financial resources, there is evidence that they rented time on other so-called botnets. (...)
In the early hours of May 9, traffic spiked to thousands of times the normal flow. May 10 was heavier still, forcing Estonia’s biggest bank to shut down its online service for more than an hour. Even now, the bank, Hansabank, is under assault and continues to block access to 300 suspect Internet addresses. It has had losses of at least $1 million. (...) Estonia’s defense was not flawless. To block hostile data, it had to close off large parts of its network to people outside the country. (...) Though Estonia cannot be sure of the attackers’ identities, their plans were posted on the Internet even before the attack began. On Russian-language forums and chat groups, the investigators found detailed instructions on how to send disruptive messages, and which Estonian Web sites to use as targets. (...) Because of the murkiness of the Internet — where attackers can mask their identities by using the Internet addresses of others, or remotely program distant computers to send data without their owners even knowing it — several experts said that the attackers would probably never be caught. (...) “The Internet is perfect for plausible deniability.”
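The excerpts above describe the defensive side of the attack in two numbers: traffic "thousands of times the normal flow" and a bank "blocking access to 300 suspect Internet addresses". The following Python is an added example, written for this post and not taken from the NYT story, the Estonian responders or Hansabank, of how a defender derives both numbers from traffic records: it compares the aggregate request rate of a window against a quiet baseline, then lists sources whose per-second rate is far above anything seen during the baseline. The flow-line format, the IP addresses (RFC 5737 documentation ranges) and the request rates are all constructed for the illustration.

```python
"""Added example: rate-based DDoS spike detection and suspect-source listing.

The flow lines, addresses and rates below are constructed for this
illustration; nothing here is drawn from a real capture.
"""
from collections import Counter

LEGIT_SOURCES = [f"198.51.100.{i}" for i in range(1, 11)]   # constructed clients
BOT_SOURCES = [f"192.0.2.{i}" for i in range(20, 25)]        # constructed bot sources
TARGET = "203.0.113.10"                                      # constructed server


def make_flows(start, seconds, rates):
    """Build constructed flow lines; `rates` maps source IP -> requests per second."""
    lines = []
    for s in range(seconds):
        for src, per_second in rates.items():
            lines.extend(
                f"t={start + s} src={src} dst={TARGET} bytes=512" for _ in range(per_second)
            )
    return lines


# Quiet minute: every legitimate client sends one request per second.
BASELINE = make_flows(0, 60, {src: 1 for src in LEGIT_SOURCES})

# Attack minute: the same clients plus five bot sources at 50 requests per second each.
ATTACK = make_flows(
    60, 60, {**{src: 1 for src in LEGIT_SOURCES}, **{src: 50 for src in BOT_SOURCES}}
)


def parse_flow(line):
    """Parse one 'key=value' flow line into a dict with integer t and bytes."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {
        "t": int(fields["t"]),
        "src": fields["src"],
        "dst": fields["dst"],
        "bytes": int(fields["bytes"]),
    }


def span_seconds(flows):
    """Length in seconds of the window the parsed flows cover (inclusive)."""
    times = [f["t"] for f in flows]
    return max(times) - min(times) + 1


def request_rate(lines):
    """Aggregate requests per second over the window covered by the lines."""
    flows = [parse_flow(line) for line in lines]
    return len(flows) / span_seconds(flows)


def spike_factor(baseline_lines, window_lines):
    """How many times the quiet-period rate the current window is running at."""
    return request_rate(window_lines) / request_rate(baseline_lines)


def per_source_rates(lines):
    """Requests per second broken down by source address."""
    flows = [parse_flow(line) for line in lines]
    span = span_seconds(flows)
    counts = Counter(f["src"] for f in flows)
    return {src: n / span for src, n in counts.items()}


def suspect_sources(baseline_lines, window_lines, factor=10.0):
    """Sources whose rate exceeds `factor` times the busiest baseline source.

    Source addresses can be forged and bots sit on other people's machines,
    so this is a triage list for blocking or rate limiting, not attribution.
    """
    ceiling = max(per_source_rates(baseline_lines).values()) * factor
    return sorted(src for src, r in per_source_rates(window_lines).items() if r > ceiling)


if __name__ == "__main__":
    print(f"traffic at {spike_factor(BASELINE, ATTACK):.1f}x baseline")
    for src in suspect_sources(BASELINE, ATTACK):
        print("block or rate-limit", src)
```

Run stand-alone, the script reports the attack minute at 26x the baseline rate and lists the five constructed bot addresses. The threshold is deliberately relative to the baseline rather than absolute, because what counts as "normal flow" differs per site; and as the story itself notes, a source list built this way catches the machines sending the traffic, not whoever rented the botnet, which is why the response in Estonia also fell back to the much blunter measure of closing parts of the network to outside addresses.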
1986—The Cuckoo's Egg: A Soviet-backed hacker in Germany is caught breaking into computers at America's Lawrence Berkeley Labs to steal missile-defence secrets.
1998-99—Moonlight Maze: America traces a series of computer break-ins at the Pentagon, NASA and elsewhere to a computer in Russia (which denies involvement). Many files containing classified information are compromised.
1999—Kosovo: Chinese hackers break in and vandalise American government websites in retaliation for the bombing of the Chinese embassy in Belgrade by American aircraft. The White House website closes for three days.
2000-01—Middle East: Israeli and Arab hackers vandalise and crash each other's websites over a four-month period. Attacks also occur against telecoms firms supplying internet connections.
2001—America v China: After an American spyplane and Chinese fighter collide, hackers from both countries deface or crash the other's public and private-sector websites. The White House and the NYT sites are briefly brought down.
2006—Sneaky Word Doc: An American State Department employee opens an e-mailed file that secretly opens a backdoor in the computer system, allowing the theft of data. As the problem escalates, the agency cuts internet access, leaving some officials offline for weeks.
2007—Netwarcom: Officials at America's Naval Network Warfare Command (Netwarcom) accuse China of sponsoring hundreds of suspicious hacking incidents each day against military and private-sector computer systems to steal technology, gather intelligence, probe defences and install “sleeper” software.
UPDATE June 13: China's cyberwar strategy: first-strike
UPDATE June 15: Follow-up story from the WSJ after the April-May cyberattack against Estonia: At a meeting of NATO defense ministers in Brussels, US Defense Secretary Robert Gates urged Western nations to begin planning how they would respond to a cyber attack. One key issue: deciding at what point a cyber attack constitutes a breach of NATO's Article 5, which holds that an attack on one member is considered an attack on all of the alliance. "If a full-on [cyber] attack cripples an electric grid or shuts down a country's oil fields or something like that, does that constitute an Article 5 attack?" said a senior U.S. defense official.