Cyberattacks were elevated to warfare status in early 2007 when the tiny country of Estonia decided they were going to let the world know that their country was "under a cyberattack" by the Russians (the government), i.e. state sponsored cyberwarfare.
- What was claimed and later proven by the Estonians was that the Russians had launched a series of massive coordinated cyberattacks on the Estonian public and private sector in April 2007. Estonian banks, parliament, ministries, newspapers, and TV were bombard.
- This was all over an argument with the Russians over the reallocation of the "Bronze Soldier of Tallinn" and war graves in Tallinn (the capital of Estonia).
- This was the second largest state-sponsored cyberattack, second only to "Titan Rain," a series of coordinated attacks on U.S. computer systems between 2003-2006, thought to be of Chinese origin.
Estonia shouted loudly from the roof tops that they were being attacked, that an act of war had being committed by the Russians, and called upon its allies to assist, but they had a hard time getting anyone to believe that this was a "real war" and not a cybernuisance.
In the end no one came to help the Estonians but what that alarm did do was to put global cyberattacks on the warfare discussion table for North Atlantic Treaty Organization, known as NATO.
Why is it important?
- Well for starters Estonia happens to belong to NATO, which has something called Article 5 which goes something like this: "attack one of us, and it’s the same as attacking all of us"…along the lines of Alexander Dumas Musketeer slogan "Unus pro omnibus, omnes pro uno" which is Latin for "one for all, all for one." Article 5 is at
the basis of a fundamental principle of the North Atlantic Treaty Organization (NATO). It provides that if a NATO Ally is the victim of an armed attack, each and every other member of the Alliance will consider this act of violence as an armed attack against all members and will take the actions it deems necessary to assist the Ally attacked.
- Ironically it was the United States that evoked Article 5 for the first time, in the aftermath of 9/11.
- The Estonians were trying to evoke Article 5 when they were being attacked by the Russians in 2007, but thought better of it and did not evoke the article because of the lack of support from their NATO allies;
- NATO could not agree on the definition of "under attack" in this case and identifying and proving that this was a Kremlin-sponsored attack was difficult.
- The Estonians were left to fend for themselves.
The Estonians raised global awareness of state-sponsored cyberattacks. We will never know if Estonia was the first real "cyberwar" but it was the first time a country claimed publicly it was under attack.
There are still many questions about cyberwarfare and cybersecurity that need to be addressed.
1. For example, what is the threshold of cyberattacks so that a cybernuisance is reclassified as a cyberwar?
2. Is it cyberwar if the perpetrator is a "geeky" kid next door launching an attack from his bedroom versus a state-sponsored group?
3. Moreover, do we declare we are under attack only when the cyber targets are military/government installations or national power grids or even if private institutions are hit?
4. Who do you go after, because usually cyberattacks "ping" themselves through a third party (country) computer server? And so on and so on.
Estonia spent the last six years becoming one of the best defended countries against a potential cyberattack (but with limited offensive capabilities).
Today, almost six years later, the Estonian model is studied by many countries on how to build national defensive cybersecurity capability systems.
This is of particular importance since the Estonians have a public-private business cybersecurity partnership model which is the envy of many countries.
Like most things, the issue is really now a legal one—about the rules of engagement in cyberwarfare (defensive and offensive), not only including the legal partnerships between a government and its pubic but with other nations.
We know one thing for sure, if there is no public-private business partnership, real national cyberdefense is an illusion, and if there is no international convention allowing defensive and offensive actions, all countries are vulnerable regardless of their domestic cyber capabilities.
- Today, Estonia is a global leader in cyber defence, not to speak of the fact that it is birthplace for Skype and FastTrack and the first full e-government.
- This country, which joined the EU and NATO after breaking away from the Soviet Union, is now a global leader in cyber awareness and cyber education.
- In the years after Estonia was hit by a cyber-tsunami, cryptography and cyber-security are all courses taught in the nation's colleges and schools.
- More interestingly, students between five and 15-year-olds are learning to write computer code as part of a countrywide campaign to inculcate a culture of "cyber-hygiene" in the next generation.
- Trust, share, cooperation between private and public entities, have to be done not by imposition of a law, but a more horizontal agreement among government, private sector, civil society. The first responders to an attack may not be official since it could well be civilian because most critical infrastructure is in private hands.
Lesson for India in particular !!!
In 2012, there was a panic exodus of north-easterners from south India in a tell-tale sign of a cyber attack. "Responses have to be in the same medium, instant, and not top-down."