Asymmetric threats in cyberspace
Dear Mr. Chairman,
Good evening. I am very glad to join everyone here today and I would like to thank our hosts, the honoured Paasikivi Society for inviting me to speak in this distinguished forum. I would like to start by recalling that both Estonia and Finland have recently celebrated their 90th anniversary of independence. We both know what national security means, and we have common concern in both traditional and new security environment.
Security problems in the modern times are not anymore strictly military, but more philosophical and relating to the society. Therefore, in my speech today, I would like to delve more into philosophical issues.
The western society has had a quite violent past for many hundreds of years. It has developed an ability to overkill, but has not dealt with its own tendency for suicide. New technologies that are more efficient and useful often also can be used as more potent and dangerous weapons.
Our society has also grown dependent on many resources that not always used to be of critical importance. Just over one hundred years ago, electricity started becoming widespread and used in most walks of life. If we look at our society now, we can see that we are absolutely dependent on electrical energy. Life without it would be unimaginable. As the 1977 New York blackout showed, sudden disappearance of this resource that we have grown used to can lead to disruptions and chaos in everyday life. It also underlined the vulnerability that stems from the modern society's reliance on such resources.
New technologies create new challenges. These challenges cannot be avoided, but we have to learn to deal with the new threats that come with them. This line of thought can also very well be applied to cyberspace.
I would like to draw out several concepts for security that we should take note of regarding the topic at hand. First of all, many people think of security in their everyday life in very mundane terms. The knowledge that things are the same way every morning when we wake up gives people confidence, and this translates to their basic sense of security.
The second concept that we have to consider in the modern world is cyberspace. Cyberspace was created when the network that we today call the internet was first established, and when computers started to communicate with each other. At present, the internet has developed to such an extent that we can say that it is fundamentally out of control. Nobody is able to fully control everything that is taking place in the internet, which means that amongst all the positive and useful uses, there are also threats in the network. Adding more users makes it even more dangerous, which again brings me back to the statement that the internet is fundamentally out of control.
There are different definitions for cyberspace, and for the purpose of today's topic it would be useful to narrow down the subject that we are talking about. First, there is the narrow definition that cyberspace consists only of the traditional internet. The second definition which is often used in real defence and military circles is much broader, and it includes electronic communication, the electromagnetic signal sphere and so forth. Today, when I refer to cyberspace I will be referring to the first definition.
If we look at the history of cyber attacks, then there have certainly been problems long before the attack on Estonia last year. On the individual, business or industry level - yes there have been problems before. But an attack on a national level such as it happened in Estonia, happened for the first time.
The attacks were also clearly politically motivated and not standalone, but part of a bigger event that put Estonia under pressure. Originally the Estonian government took the decision to re-locate an old Soviet war memorial that had been a source of controversy and conflict in our society. Unfortunately this led to street riots by people who opposed the re-location, and in connection with these riots the Estonian embassy in Moscow was blockaded. Finally, Estonia was hit by a barrage of cyber attacks that were unmistakably correlated with the other events.
These cyberattacks included attacking banks, news portals and services, communication firms and the Estonian e-government. The attack method that was used was Direct Denial of Service (DDoS), which basically means sending an overwhelming amount of queries to a server with the goal of overloading its capacity. I could compare it to sending hundreds of thousands or even millions of empty e-mails in a very short period of time. This was not the first time that DDoS attacks were used, but it was the first time that they were used in such a magnitude. Relative to the size of the Estonian online infrastructure, these attacks proved to be very dangerous. Therefore, cyberspace can be called a threat to national security.
To understand this situation better, we have to start by asking questions. First of all, what are attacks? Can an e-mail saying "Good morning" that is sent to a person thousands of times be considered an attack? Secondly, is there a difference between a cruise missile attack on a bank and a cyber attack? Of course, there is a difference in physical damage, but there is no difference in the function of this attack. Thirdly, how does Article V of the Washington treaty correlate to cyber attacks? In time, we will need answers for all of these questions.
Nation states are crucially defined by their territory. Sovereignty over its own territory and controlling borders is one of the basic requirements of an independent country. Cyberspace does not have such borders. Therefore it is near impossible to control.
Furthermore, in cyberspace there is no identity - no fingerprints, no footprints - that we can use as proof. Anonymity is a fundamental problem of cyberspace, and it is also the reason why Estonia has not been able to hold its attackers responsible.
Cyber attacks are easy to perform, because their asymmetric nature means that a serious attack can be staged with comparatively low resources. Also, attackers may have access to and use computers that have been "zombified" with malicious programs which can be used to control these computers remotely. Such "zombie" computers are often gathered into networks called "botnets", which then are used to perform a cyber attack. In the case of Estonia, such botnets were estimated to consist of up to 10 000 computers, but IT specialists have determined that even botnets as large as one million computers exist. The implications of such tools in the wrong hands are serious.
How do we fight the threats that we are facing? Estonia has learned lessons from the attacks one year ago, and is already acting on them. But before I go into detail, I would like to give some background.
In 1999 Estonia received a Membership Action Plan from NATO and started also participating in research and development, including information systems. Following this, Estonia proposed the creation of a Cooperative Cyber Defence Centre of Excellence in 2003. Since Estonia is a small country where it is easy to bring together people from different walks of life like the Ministry of Defence, Defence forces or businesses, creating the Centre of Excellence in Estonia seemed a viable idea. When cyber attacks happened in 2007, it was in a big part responded to through informal reaction and cooperation, since hierarchies and chains of command were not yet finalized. Much work was done in cooperation of Estonian and foreign Computer Emergency Response Teams. After the attacks the response structure in Estonia became more formalized and official, but the capability for informal reaction is still there.
One conclusion that we can draw from this is that cyberattack response has to use fundamentally different strategies. International cooperation is important as well, since many of the computers which attacked Estonia were situated in various countries. In fact the biggest numbers of these computers were situated in the United States, followed by China, Germany, Brazil and Russia. As I implied earlier, because anonymity is one of the biggest issues in case of such attacks, it is very difficult to identify where the attackers who used those computers actually came from.
Cyberspace is also confronted with legal issues. During the attacks, Estonians asked their foreign colleagues to block attacks without legal basis. But by blocking the attacks, they also blocked some of the normal traffic. It would not be hard to imagine for example business deals made by e-mail which could not be made due to this blocking. This is one legal issue that may possibly arise.
The European Council's Convention on cybercrime is one of the first documents that deals with legal issues concerning cybercrime internationally. The Estonian position is to call countries to join this convention, which will be helpful in solving some of the legal problems.
I have already mentioned the NATO Cooperative Cyber Defence Centre of Excellence in Estonia. On May 14th this year the Memorandum of Understanding between participating countries will officially establish this institution. The Centre of Excellence is accredited by NATO countries and will achieve full operational capability by January 1st 2009. It is especially important that it will be open to non-NATO countries as well, and I would be very glad to welcome Finland - which has a very high level of IT expertise - to join the CoE.
After the cyber attacks on Estonia, I had the chance to bring this issue on the table for discussion as early as June 2007, at the NATO meeting of defence ministers. Just eight months later, the Alliance informal ministerial in Vilnius adopted the NATO Cyber Defence policy paper. This goes to show that the cyber security issue is extremely important to the Alliance.
When talking about cyber defence in connection with NATO, it is often asked whether Article V applies to cyberspace as well. I would like to say on this matter that we should not overestimate our needs. Cyber defence is first of all national responsibility. Still, as also pointed out in Vilnius, there is an urgent need for cooperation.
I would now like to draw some final conclusions on today's topic of cyber security. Cyberspace should be accepted as an inevitability, as we cannot stop technology from advancement. At the same time, there is increasing dependence on this new microcosm. Cyberspace is a real threat and cooperation is desperately needed on an international level.
On a final note, I would like to offer you an interesting, if somewhat controversial fact. Statistically, there are two cyber terrorists among this audience. I am saying this because 1,7% of computers worldwide are infected with botnets. Cyberspace has real cyberwars, not imaginary science-fiction conflicts. Personal obligation and responsibility to understand the potential of computers as sources of threat is an important first step in responding to this new challenge.