In 2007, Estonia became the first nation to experience a coordinated assault on its government and banking websites. The distributed denial of service attacks the country experienced would be considered primitive today, but the weeks-long digital bombardment--widely believed to have been orchestrated by Russia and carried out by criminal gangs--served as a catalyst for international action aimed at fortifying vulnerable global networks. The Baltic nation has since become a proving ground for attackers as well as an intellectual center for rethinking cybersecurity. Earlier this year, Government Executive sat down with Estonian President Toomas Hendrik Ilves at the Estonian embassy in Washington to discuss the lessons from that assault and the challenges governments face today. What follows is an edited transcript of Ilves' comments.
On the vulnerability of high-tech societies:
The reason the cyberattacks [in 2007] had any effect is we very consciously adopted computerization of society, government services, as our primary, fundamental motor of development. Since we came out of the Soviet Union we were poor--the usual gray people living gray lives in gray buildings with falling apart infrastructure or nonexistent infrastructure.
For 50 years everyone in the West built up their roads and their services and it was all wonderful, and we had nothing. We said building roads will take a long time, but we can, however, make a certain leap by computerizing as much as possible. By the late 1990s, 98 percent of bank transactions were on the Internet. All kinds of government services were on the Internet. Since 2003 we've been voting on the Internet. When you are so dependent on it . . . you're much more vulnerable.
It's a trade-off. The fact that we put so many government services online and so much of the citizens' interaction with the government is via computer means we have a much lower level of corruption than many other countries, especially among post-Communist countries . . . So you're more efficient, you're less corrupt, you do things better, but you're more vulnerable--and that's where we are today.
His personal computing history:
I'm pretty much an anomaly as a 57-year-old head of state. Most people who are my age in my kind of positions, at least in Europe, grew up without computers. I was lucky enough to have an experimental math program in New Jersey with a math teacher who taught me how to program in 1968--I was 14 years old--so I learned how to program. I've never been intimidated by computers even though I'm not a math person.
Trends in cyberattacks:
If you look at the January issue of the Small Wars Journal online there's actually analysis there by someone from U.S. Cyber Command about how the kinds of DDOS attacks we had in Estonia were taken to a new instrumentalized level with coordination between cyberattacks and what they call kinetic attacks--kinetic being anything like a bomb or a bullet that blows things up--during the Georgian war [in 2008]. If you look at the Georgian war there were coordinated cyber and kinetic attacks against the Georgians. That was much more than what we had in Estonia. Even so, DDOS attacks are fairly primitive. They overload servers, they don't steal data and they don't manipulate data.
Public reaction after the 2007 attacks:
I think we handled it better than most other countries. About two months before the big cyberattacks we had our first national parliamentary elections online. We'd had local elections beforehand, but this was the national election. Since we assumed every hacker worth his salt would want to sabotage the elections we gamed cyberattacks and in the process of gaming them--sort of like traditional war games--we realized there were things we needed to do if the elections were to be attacked . . . We figured out that if we were to be subject to these kinds of attacks we would then hook up with our friends in Slovenia, the Czech Republic, Finland and Sweden and their [Computer Emergency Response Teams] and divert things and set up mirror sites and all kinds of wonderful things like that. We were not attacked [during the elections], but when, two months later, we were attacked, we basically knew what to do. That made our life easier.
When in 2008 the Georgians had massive attacks they immediately called us up. We put up mirror sites for their government. Because they had a war going on people couldn't reach their Internet. They were all taken down by DDOS attacks so we put up mirror sites for them so they had access.
The most significant cyber threats today:
Probably most dangerous is actually espionage and probably economic espionage because the amount of espionage on the Web is absurd and ridiculous. I don't trust anything anymore.
Basically, if your system is infected, there are things you never know are in there and they're pumping out every last bit of data that you have. The problem is not only national security but all our innovative companies. We have one really big innovative company, Skype. They're putting millions if not more into developing new products and they have all these people working for them. Now if someone gets into their system, takes out the new code that they've developed, they get it for free and they can start making exactly the same thing. This is what countries are waking up to finally.
Growing concern about economic espionage:
This year at the Munich security conference for the first time there was actually a session on cyber defense. [German] Chancellor [Angela] Merkel, the foreign secretary of the U.K. and the prime minister of the U.K. all addressed cyber defense in their keynote speeches. That had never happened before. When I talked to Dame Neville Jones, Pauline Neville Jones [British minister of State for security and counterterrorism], who is in charge of all of this in the U.K. the way Gen. [Keith] Alexander is here, [I asked] what is it that has led to this understanding because it was really not on the agenda. [She] said, well, it's really that our economy is now so knowledge-based and if we lose our intellectual property it has a severe impact on our economy. It's not simply that the ministries of defense in the U.K., Germany and France are constantly hit by various things, but in fact, it goes to the core of your economy. And that's why there's a much keener awareness of these issues and we need to have a kind of major shift in our understanding of what is public and what is private and how that works.
The major challenges the international community faces:
One of the fundamental issues you come up against--these are really legal issues in many senses--is what is an attack? There isn't [consensus on the definition] unfortunately. The core of NATO's Article 5 says an attack on one is an attack on all, and then when you have an attack, U.N. rules say the response has to be proportional. What do you do when you get a computer attack? If your electrical system is wiped out by a bomb or a missile, then you know you basically have the right, and all of NATO will proceed in proportional response, to knock out the electrical system of whoever did it.
OK, your electrical system is knocked out with malware. You don't know who did it. What do you do? Who do you knock out? These are all big issues that need to be addressed.
On Stuxnet and what it portends:
It means everything is vulnerable. I don't know if you saw it, but a couple of weeks ago there was something on BoingBoing on using the Bluetooth controls for a car--you could actually make it brake. You could infect, through Bluetooth, the [supervisory control and data acquisition] system in the car to control the car, because everything is so computerized. Now if you have that capability it means everything is possible.
There are some pretty big things we know about. There was a piece in the Wall Street Journal two years ago about malware somewhere in the electrical system of North America that could have been used to shut down one-third of the electricity in the U.S. and Canada. I think slowly people are beginning to figure this out.
Improving defenses against attack:
One thing we've done, which I think is a really neat idea, a really cool idea, a very Estonian idea, is we have a cyber national guard. It's a government-funded, white-hatted hacker organization. When you think about it, every country has lots of geeks working in it--banks, insurance companies. Every company has an IT department. Not all the work they do is really interesting. They do it and they're getting paid a lot of money and they're doing cool things for their company, but they have a huge amount of expertise and they work 9 to 5; maybe some work more. But basically we said we're going to set up an adjunct to our national guard--we call it a defense unit, you call it a national guard. People spend their weekends or evenings and they do something defense-related.
Since we live in this modern era, it's not only riding around in the woods with guns. Defense also has to do with cyber defense. So why don't we set this thing up where you can volunteer and we will support you materially to work on defense? It's only about three months old but it's widely popular among geeks. A number of countries have sent their people over to look at this because no one ever thought of this before. It's popular. It turns out guys with ponytails working in IT departments think it's cool to do this stuff.
On having an offensive cyber policy:
We're too small to have that. We'll let the big guys handle that. We have no reason to attack anyone . . . We want to be a nice, boring Nordic country.