Here’s What the US Could Learn From Estonia About Cybersecurity

While the spate of recent cyber attacks against Finland, Germany,Ukraine, and U.S. Central Command has governments worrying about how to combat cyberwarfare, Singapore just took a rare radical step towards doing so. On Tuesday, Prime Minister Lee Hsien Loong’s office announced the creation of the Cyber Security Agency of Singapore, which “will provide dedicated and centralized oversight of national cyber security functions.” Given the sinister ways in which cyber threats are evolving, the move is a necessary step for a wired, wealthy nation that has long been the target of cyber crime. 

Cyber attacks cost an estimated $400 billion in damages per year, but that number may soon soar thanks to what Estonian President Toomas Hendrik Ilves called “the “little green men-ization of cyberspace,” at Davos last weekend, referring to the “little green men” who started showing up around Crimea in unmarked uniforms before Russia formally annexed the peninsula. “It’s not just criminals, it’s not just states, it’s also in between–the unique public/private partnership form that we see where states will pay criminal groups,” buying information about critical vulnerabilities, Ilves said. In the cyber marketplace, where loopholes called “zero-day vulnerabilities” are traded, organized crime, terrorist networks, and state actors are converging, making it increasingly difficult to tell the difference between them. And with the number of politically-motivated cyber attacks on the rise (2013 saw a 91% increase in target attacks) these new channels between states and criminal networks are a crucial aspect of cyber infrastructure.

Eugene Kaspersky, who runs the Kaspersky Lab security group, cautioned that cybercrime has evolved to rival the sophistication of states. “A few years ago, there was criminal malware, and state-sponsored malware. and the difference [was] like a car and a space shuttle. Now, many criminals, unfortunately, the evolution in cybercrime is such that they are very professional.” Jean-Paul Laborde, executive director of the UN Counter-Terrorism Executive Directorate, warned of “more and more connections between organized crime and terrorist organizations.”

It’s unclear what these new cyber connections mean, or how they will shape the market for zero-day vulnerabilities: “It used to be that If I’m a gangster and I want to get access to my competitor’s computer, I go and I get the zero day and I look into that computer,” Andres Kutt, and advisor to Estonia’s Information System Authority, told me. “Now, governments are starting to participate in what used to be a black or grey market for vulnerabilities, botnets and such…that changes the game by pushing more money to the ecosystems and tilting the delicate market balances.”

At Davos, participants diplomatically shied away from naming exactly which countries are increasing their cooperation with organized cybercrime, but their identities are no secret. Uko Valtenberg, chief of the Estonian Defense Force’s cyber range, told me that “Russians are using the criminal element for their politically motivated attacks as well. It’s difficult to determine the military guys from the cyber criminal guys–you could say that they’re the same in Russia, more or less.”

Russia has been accused of sponsoring the hacker group CyberBerkut, which recently took responsibility for the attacks against official German websites. It’s also the more than likely origin of a debilitating cyberattack that took down Estonian banking, government, and media infrastructure in 2007–the first time a country witnessed its critical infrastructure crumble at the hands of hackers. Similar tactics were later used in Georgia and Ukraine in the lead-up to Russian military aggression, and a similar attack against critical infrastructure could easily happen elsewhere–in the US, for instance, where existing vulnerabilities to electricity, water, and gas networks were recently exposed.

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” President Obama said in his State of the Union address. “We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable.”

Among the many cybersecurity reforms that Obama has introduced are measures that would require the private sector to share information about cyber threats with the government, to crack down on the sale of botnets, and to prosecute insiders who exceed authorized access to online networks. But some of those reforms might actually make it more difficult for “good” hackers to do their jobs: “This is good in intent, but will negatively affect positive cyber security outcomes by limiting the tool set that the good guys can use to detect and respond to attacks from bad guys as ‘wire or electronic communication intercepting devices’ are standard tools that are used in all global 500 organizations today,” J.J. Thompson, CEO of Rook Security, told Information Week.

As this new spate of reforms demonstrate, governments are still struggling to come up with effective ways to respond to threats posed by cyber attacks and cyber espionage. They would be well advised to look toward Estonia for advice on how to do so. After the 2007 attack, the Baltic nation overhauled its approach to cyber defense, introducing a systematic chain-of-command that ensures a swift reaction to a future attack. In 2009, it passed an Emergency Act which mandates that all vital services must retain the majority of their capacity in the event that they are disconnected from the Internet.

“Systems need to be built in a way that is difficult to attack. You need to have a holistic view of cybersecurity. It is not enough to have a cybersecurity initiative somewhere off in the Department of Homeland Security,” says Kutt. “We try to promote the concept that cybersecurity is not a technical matter. It never is…It’s a business issue. If your systems are vulnerable to attack, that is a cyber security incident in terms of national security, then they’re probably vulnerable to commercial cyberattacks, and if they’re vulnerable to commercial cyberattacks, they might be more vulnerable to information security risks coming from inside the organization.” So while nations like Denmark and Australia are scrambling to develop offensive cyber capabilities, the centralizing reforms in Singapore and Estonia may actually be a simpler, more effective way of combatting cyber threats.  

Estonia is also home to the NATO Cooperative Cyber Defence Centre of Excellence, housed in the renovated barracks of the Russian imperial army. There, Estonian Colonel Artur Suzik leads a team of researchers in identifying and laying the legal framework for the next generation of cyber threats, and determining what offensive responses would be proportional to incidents like the Sony hack. “Cyber is interconnected by nature, and the cyber environment has no regard for national borders. No one can defend their own network within their network or national borders and consider it safe. It means that cyber defense, especially if we consider it in the context of national security and defense and the provision of vital services, is an inherently cooperative effort,” Suzik said. “Before 2007, there weren’t a lot of national cyber security strategies developed. What we see right now, is that there’s this second wave of this development of national strategies.”

But judging from the sentiment of cybersecurity discussions in Davos, the sort of international cooperation necessary to fight increasingly intertwined criminal, terrorist, and state cyber networks is a long ways away. “Let me tell you how international cooperation really works,” Kaspersky told his Davos audience. “I have an email to my lab from the cyberpolice from country A. ‘Hey, Eugene, do you have a contact for Country B?’ I say, ‘Hey guys, you are both countries from the west, why don’t you call each other?’ ‘Hey, Eugene, it’s too bureaucratic’…this is how it really works.”