Cyberattacks were elevated to warfare status in early 2007 when
the tiny country of Estonia decided they were going to let the world know that
their country was "under a cyberattack" by the Russians (the
government), i.e. state sponsored cyberwarfare.
- What was claimed
and later proven by the Estonians was that the Russians had launched a
series of massive coordinated cyberattacks on the Estonian public and
private sector in April 2007. Estonian banks, parliament,
ministries, newspapers, and TV were bombard.
- This was all
over an argument with the Russians over the reallocation of the "Bronze Soldier of
Tallinn" and war graves in Tallinn (the capital of Estonia).
- This
was the second largest state-sponsored cyberattack, second only to "Titan Rain," a series of
coordinated attacks on U.S. computer systems between 2003-2006, thought to
be of Chinese origin.
Estonia shouted loudly from the roof tops that they were being
attacked, that an act of war had being committed by the Russians, and called
upon its allies to assist, but they had a hard time getting anyone to believe
that this was a "real war" and not a cybernuisance.
In the end no one came to help the Estonians but what that alarm
did do was to put global cyberattacks on the warfare discussion table for North
Atlantic Treaty Organization, known as NATO.
Why is it important?
- Well for
starters Estonia happens to belong to NATO, which has something
called Article 5 which goes
something like this: "attack one of us, and it’s the same as
attacking all of us"…along the lines of Alexander Dumas
Musketeer slogan "Unus pro omnibus, omnes pro uno" which
is Latin for "one for all, all for one." Article 5 is at
the basis of a fundamental principle of the North Atlantic Treaty
Organization (NATO). It provides that if a NATO Ally is the victim of an armed
attack, each and every other member of the Alliance will consider this act of
violence as an armed attack against all members and will take the actions it
deems necessary to assist the Ally attacked.
- Ironically it
was the United States that evoked Article 5 for the first time, in the
aftermath of 9/11.
- The Estonians
were trying to evoke Article 5 when they were being attacked by the
Russians in 2007, but thought better of it and did not evoke the article
because of the lack of support from their NATO allies;
- NATO could not
agree on the definition of "under attack" in this case and
identifying and proving that this was a Kremlin-sponsored attack was difficult.
- The Estonians
were left to fend for themselves.
The Estonians raised global awareness of state-sponsored
cyberattacks. We will never know if Estonia was the first real
"cyberwar" but it was the first time a
country claimed publicly it was under attack.
There are still many questions about cyberwarfare and
cybersecurity that need to be addressed.
1. For example, what is the threshold of
cyberattacks so that a cybernuisance is reclassified as a cyberwar?
2.
Is it cyberwar if the perpetrator is a
"geeky" kid next door launching an attack from his bedroom versus a
state-sponsored group?
3. Moreover, do we declare we are under
attack only when the cyber targets are military/government installations or
national power grids or even if private institutions are hit?
4. Who do you go after, because usually
cyberattacks "ping" themselves through a third party (country)
computer server? And so on and so on.
Estonia spent the last six years becoming one of the best defended
countries against a potential cyberattack (but with limited offensive
capabilities).
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Today, almost six years later, the Estonian model is
studied by many countries on how to build national defensive cybersecurity
capability systems.
This is of particular importance since the Estonians have a
public-private business cybersecurity partnership model which is the envy of
many countries.
Like most things, the issue is really now a legal one—about the
rules of engagement in cyberwarfare (defensive and offensive), not only
including the legal partnerships between a government and its pubic but with
other nations.
We know one thing for sure, if there is no public-private business
partnership, real national cyberdefense is an illusion, and if there is no
international convention allowing defensive and offensive actions, all
countries are vulnerable regardless of their domestic cyber capabilities.
- Today, Estonia
is a global leader in cyber defence, not to speak of the fact that it is
birthplace for Skype and FastTrack and the first full
e-government.
- This country,
which joined the EU and NATO after
breaking away from the Soviet Union,
is now a global leader in cyber awareness and cyber education.
- In the years
after Estonia was hit by a cyber-tsunami, cryptography and cyber-security
are all courses taught in the nation's colleges and schools.
- More
interestingly, students between five and 15-year-olds are learning to
write computer code as part of a countrywide campaign to inculcate a
culture of "cyber-hygiene" in the next generation.
- Trust, share,
cooperation between private and public entities, have to be done not by
imposition of a law, but a more horizontal agreement among government, private sector, civil
society. The first responders to an
attack may not be official since it could well be civilian because most
critical infrastructure is in private hands.
Lesson for India in particular !!!
In 2012, there was a panic exodus of north-easterners from south
India in a tell-tale sign of a cyber attack. "Responses have to be in the same medium, instant, and not
top-down."