Nation states seen as biggest cybersecurity threat

A prominent cybersecurity expert and the Estonian ambassador to the United States cautioned government insiders Thursday to be mindful of the significant threat that coordinated attacks by nation states can pose to a country's digital infrastructure.

Speaking at a breakfast hosted by Government Executive and the European Affairs journal, Dmitri Alperovitch, president of Asymmetric Cyber Operations LLC, outlined the categories of Internet adversaries, placing nation states ahead of terrorist groups, hacktivist collectives and organized crime as the biggest threat to national security on the digital front.

"I don't believe we have a cyber problem today," Alperovitch said. "I believe we have a China problem today, I believe we have a Russia problem today."

The true danger of nationally coordinated cyberattacks, he said, is that they are easy to deny, making a police or military response impossible.

Alperovitch also noted that though nation-sponsored attacks could inflict harm on the order of espionage or sabotage, they remain unlikely to cause the type of damage associated with Sept. 11 or Pearl Harbor. "Some people talk about cyber 9/11, cyber Pearl Harbor," he said. "It is very, very unlikely, almost impossible -- probably just below that line -- to cause strategic destructive damage on par with those types of events in cyberspace today."

In 2007, Estonia, a nation so fully Web-integrated that almost all its citizens vote and do their banking online, was the first country to experience a coordinated attack on its government and financial systems. Estonian ambassador Marina Kaljurand, who was ambassador to Russia at the time, said government officials strongly suspected Russia was behind the attack. But, she noted, such allegations were hard to prove.

"If the Russian government wasn't supporting [the attack], it was at least tolerating it," Kaljurand said, noting that officials were uncooperative in Estonia's cleanup efforts.

Asked whether national cybersecurity breaches should be treated as armed attack under Article Five of the North Atlantic Treaty, Kaljurand said nations like Russia would "pay more attention" if cybersecurity were identified as a significant threat.

Estonia officials considered invoking Article Five in the wake of the 2007 attacks, Kaljurand said, but refrained from doing so because the assault proved to be disruptive rather than destructive.

Alperovitch expressed skepticism about NATO intervention in such events, saying that any new convention on cybersecurity likely would require "tens of years" to take effect.

Ultimately, Kaljurand said, all cybersecurity problems boil down to whether someone is trustworthy or careful enough to be given access to sensitive information. "There's lots of information in cyberspace, and the weakest link is human," she said.

But the strongest link can be human, as well. As part of its response to the 2007 attacks, the Estonian government offered financial support and benefits to private hacker groups in exchange for assistance with cybersecurity measures. Estonia must rely on these so-called patriotic hackers, according to the ambassador. "We don't have huge defense industries. We don't have defense industries at all," she said.

Though the patriotic hacker model is one that can be implemented in other nations, Kaljurand was quick to add, "This cooperation can only be based on trust. If there is no trust, there cannot be cooperation."