What the attacks on Estonia have taught us about online combat.

Innovation, the Internet, gadgets, and more.
May 22 2007 12:14 PM

Cyberwar I

What the attacks on Estonia have taught us about online combat.

Illustration by Robert Neubecker. Click image to expand.

In Estonia, you can pay for your parking meter via cell phone, access free Wi-Fi at every gas station, and, as of two months ago, vote in national elections from your PC. The small, wired country can now add another item to this list of technological achievements: It's the first government to get targeted for large-scale cyberwarfare.

Since late April, the Web sites of various Estonian government entities, banks, and media outlets have been barraged with extraordinary amounts of Web traffic (100 times more than usual), making them very slow and even unusable. The Estonian government has identified as-yet-unknown rogue Russian hackers and the Kremlin as participants in these denial-of-service attacks. Russia has firmly denied these charges.


After the attacks, officials from NATO and the European Union converged on Estonia's capital, Tallinn, to analyze what had transpired. All the Estonians can point to as tangible evidence of these attacks are gigabytes of server logs. Most of the targeted Web sites, which for a brief time were accessible only to traffic from within Estonia, are now accessible to the vast majority of the world's Internet users once again. It's almost as if nothing ever happened. (Indeed, Estonian newspaper Postimees reported that half of those surveyed were not at all affected by the attacks.)

Even in the absence of the physical evidence generated by traditional warfare—charred remains, bombed-out infrastructure—we've still learned a lot about the nature of online terrorism in the last few weeks. For one thing, cyberwarfare is efficient. Even the smartest of smart bombs takes out adjacent buildings and kills innocent bystanders. When you wage war online, there doesn't have to be collateral damage: It's possible to target a single Web site at a time.

It's also elementary to focus a cyberattack on the upper crust. In targeting Estonia's online seats of political and economic power, the perpetrators sent a threatening message to a country where cabinet-level discussions happen online, and documents are signed by digital signatures. Linnar Viik, the architect of many of Estonia's e-government services and now a government IT consultant, told me that there have been no panicked calls by politicians to completely shut down these online services. If these attacks had happened during March's national elections, however, a lot of bureaucrats might have rethought the country's dependence on e-government.

The Estonia case also shows how easy it is to cause massive panic on a shoestring budget. All you need to deploy a cyberattack is some malicious software, a bunch of zombie computers distributed around the world, and an Internet connection. Sure, you may need to pay for a "professional-grade" botnet—a network of computers that have been surreptitiously infected to run nefarious software. But surely that costs orders of magnitude less than the price of heavy artillery, battleships, and nuclear submarines.

Perhaps the most telling lesson here is how difficult it is to catch the perpetrators of online terrorism. Covering one's fingerprints and footprints online is relatively simple, compared with getting rid of physical evidence. IP addresses can be spoofed, and an attack that appears to come from one place may actually originate somewhere else. As such, the Kremlin (or anyone else) can plausibly deny that they had anything to do with the attacks, even if the Estonians' server logs show that the attacks first originated from Moscow. If the Russians don't want to hand over data or documents—or even pick up the phone, for that matter—there's not much that Estonia, or anyone else, can do to figure out the real story.

So far, only a single Estonian citizen has been detained and released in relation to the attacks. There have been no other arrests, indictments, or accusations made against any hackers inside or outside of Estonia—and there's no reason to believe that there will be anytime soon. American government and military sites faced cyberespionage by Russian hackers in 1999 (an operation dubbed "Moonlight Maze") and Chinese hackers in 2005 ("Titan Rain"). To date, no one has been caught for those crimes.

It's clear that these hackers, whoever they are, understand how easy it is to hide in cyberspace. Consequently, they have no reason to stop. While the initial wave started in late April and early May, the head of the IT department for the Estonian parliament told me that as recently as May 18 the attackers hit the sites of the State Chancellery and the Federal Electoral Committee. This continued assault on Estonian Web sites illustrates that these attackers—be they rogue operators or Russian government agents—are relentless pests, first going after one set of sites, then another, then another.

Despite this grim outlook, Estonian officials and their counterparts in the European Union, NATO, and the United States have at least learned quite a lot about how an attack of this scale progresses. Since it may be a while (if ever) before the perpetrators are caught, the best plan is to fight off the attackers, one denial of service at a time. Perhaps in some sense, it's good that Estonia was the patient zero for cyberwarfare. The small, tech-savvy country has provided a good blueprint for what to do to keep these attacks at bay.

Today, a team of Estonian computer and network experts from the various affected agencies is working around the clock in a secure chat room, monitoring their networks and sharing information about attacks and their possible attackers. They have also created blacklists of originating IP addresses and networks that are now banned from accessing Estonian Web sites. Until we develop better tools and techniques for catching hackers, that's the best anyone can do.



Don’t Worry, Obama Isn’t Sending U.S. Troops to Fight ISIS

But the next president might. 

IOS 8 Comes Out Today. Do Not Put It on Your iPhone 4S.

Why Greenland’s “Dark Snow” Should Worry You

How Much Should You Loathe NFL Commissioner Roger Goodell?

Here are the facts.

Three Talented Actresses in Three Terrible New Shows


The Human Need to Find Connections in Everything

It’s the source of creativity and delusions. It can harm us more than it helps us.


More Than Scottish Pride

Scotland’s referendum isn’t about nationalism. It’s about a system that failed, and a new generation looking to take a chance on itself. 

The Ungodly Horror of Having a Bug Crawl Into Your Ear and Scratch Away at Your Eardrum

We Could Fix Climate Change for Free. Now There’s Just One Thing Holding Us Back.

  News & Politics
Sept. 17 2014 7:03 PM Once Again, a Climate Policy Hearing Descends Into Absurdity
Business Insider
Sept. 17 2014 1:36 PM Nate Silver Versus Princeton Professor: Who Has the Right Models?
Sept. 17 2014 6:53 PM LGBTQ Luminaries Honored With MacArthur “Genius” Fellowships
  Double X
The XX Factor
Sept. 17 2014 6:14 PM Today in Gender Gaps: Biking
  Slate Plus
Slate Fare
Sept. 17 2014 9:37 AM Is Slate Too Liberal?  A members-only open thread.
Brow Beat
Sept. 17 2014 5:56 PM Watch Louis C.K., Dave Chappelle, Bill Hicks, Mitch Hedberg, and More on New YouTube Channel
Future Tense
Sept. 17 2014 7:23 PM MIT Researchers Are Using Smartphones to Interact With Other Screens
  Health & Science
Sept. 17 2014 4:49 PM Schooling the Supreme Court on Rap Music Is it art or a true threat of violence?
Sports Nut
Sept. 15 2014 9:05 PM Giving Up on Goodell How the NFL lost the trust of its most loyal reporters.