On April 26, 2007, the small Baltic state of Estonia experienced the first wave of denial-of-service (DoS) attacks. Accompanied by riots in the streets, these cyberattacks were launched as a protest against the Estonian government’s removal of the Bronze Soldier monument in Tallinn, a Soviet war monument erected in 1947. These attacks targeted prominent government websites along with the websites of banks, universities, and Estonian newspapers. After three weeks, the attacks ceased as suddenly as they had begun, but not before the Estonian government undertook measures to block all international web traffic, effectively shutting off the “most wired country in Europe” from the rest of the world.
This study will begin with a detailed overview of denial-of-service attacks, the different methodologies utilized in their execution, and a brief history of their usage. Next, the case study of the Estonian cyberwar in April-May of 2007 will be outlined in detail. Finally, the implications of this case study on U.S. national security and potential mitigating policies will be discussed to ensure that the U.S. remains safe from cyberwar threats.
Cyberattacks: Means and Methodologies
Denial-of-service attacks, classified as “cyberattacks,” have been used by hackers since the mid-1980s. Aimed primarily at specific sites and networks, denial-of-service attacks block the access of legitimate users, rendering the entire site or network unavailable. This can be accomplished through any number of methods, including the relentless transmission of irrelevant information to tie up a server so that legitimate requests for information remain unanswered. Attackers can also use these cyberattacks to obstruct the transmission of routing information; as a result, legitimate requests never reach their destination. Alternatively, computer hackers could use cyberattacks to obstruct communication between two servers or networks so that information cannot be sent or received by either party. Cyberattacks can also include the use of malware, a program whose name is derived from the combination of the words “malicious” and “software;” such programs can destroy the victim’s system software or hardware, or turn the victim’s computer into a “zombie” system to be utilized in future attacks. These methods of attack manifest themselves in a number of ways through dozens of distinct denial-of-service attacks. The most common attacks known today are flood attacks, logic/software attacks, mailbombing, permanent denial-of-service (PDoS) attacks, accidental denial-of-service attacks, and distributed denial-of-service (DDoS) attacks.
Flood attacks overload systems by overwhelming them with irrelevant information or requests that tie up the server so that legitimate user requests go unfulfilled. “Smurfing,” also known as ICMP flooding, is one such type of attack that has commanded much attention from both hackers and cybercrime experts alike. Smurf attacks shut down servers by sending requests that carry the victim’s IP address as their source to network broadcast addresses; every computer on those networks then responds by sending packets back to the victim’s IP, overloading the server. TCP SYN attacks, on the other hand, overload a victim’s server by exploiting the TCP connection handshake. The attacker sends connection requests with a false “return address” to a server, which unsuccessfully attempts to complete the handshake until each request times out. These half-open connections clog the system in the meantime, rendering the server unavailable to respond to other legitimate requests.
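As an added example (not part of the original article), the following Python script shows how a defender could recognize both flood patterns just described in a stream of summarized packet records: a burst of SYNs whose forged sources never complete the handshake, and a host receiving far more ICMP echo replies than it ever requested. The record format, the thresholds and the sample traffic are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One summarized packet (constructed format, not a real capture schema)."""
    ts: float    # seconds since start of capture
    proto: str   # "tcp" or "icmp"
    src: str
    dst: str
    info: str    # TCP flags ("S", "SA", "A") or ICMP type ("echo-req", "echo-rep")


def detect_syn_flood(packets, window=1.0, syn_threshold=100, max_completion=0.2):
    """Flag (dst, window_start) buckets that receive many SYNs but see few
    handshakes completed. A spoofed "return address" never sends the final
    ACK, so a flood shows up as a burst of SYNs with a near-zero completion
    ratio. Handshakes that straddle a window boundary count as incomplete,
    which is acceptable noise at a threshold this high."""
    syn_count = defaultdict(int)      # (dst, bucket) -> number of SYNs seen
    syn_sources = defaultdict(set)    # (dst, bucket) -> sources that sent a SYN
    completed = defaultdict(set)      # (dst, bucket) -> sources whose final ACK arrived
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.dst, int(p.ts // window))
        if p.info == "S":
            syn_count[key] += 1
            syn_sources[key].add(p.src)
        elif p.info == "A" and p.src in syn_sources.get(key, ()):
            completed[key].add(p.src)
    alerts = {}
    for key, n_syn in syn_count.items():
        ratio = len(completed.get(key, ())) / n_syn
        if n_syn >= syn_threshold and ratio <= max_completion:
            dst, bucket = key
            alerts[(dst, bucket * window)] = {
                "syn_packets": n_syn,
                "distinct_sources": len(syn_sources[key]),
                "completion": ratio,
            }
    return alerts


def detect_amplification(packets, reply_threshold=50, min_sources=20):
    """Flag hosts that receive far more ICMP echo replies than the echo
    requests they sent, from many distinct responders: the signature of a
    smurf attack, where someone else sent broadcast requests in the victim's
    name and the whole network answered."""
    requests_sent = defaultdict(int)  # host -> echo requests it actually sent
    reply_count = defaultdict(int)    # host -> echo replies delivered to it
    reply_sources = defaultdict(set)  # host -> distinct hosts replying to it
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.info == "echo-req":
            requests_sent[p.src] += 1
        elif p.info == "echo-rep":
            reply_count[p.dst] += 1
            reply_sources[p.dst].add(p.src)
    alerts = {}
    for host, n in reply_count.items():
        unsolicited = n - requests_sent.get(host, 0)
        if unsolicited >= reply_threshold and len(reply_sources[host]) >= min_sources:
            alerts[host] = {"unsolicited_replies": unsolicited,
                            "reply_sources": len(reply_sources[host])}
    return alerts


def sample_traffic():
    """Constructed traffic: one legitimate handshake and ping, then a SYN flood
    and a smurf-style reply storm against hosts on the 192.0.2.0/24 test net."""
    pkts = [
        Pkt(5.10, "tcp", "10.0.0.5", "192.0.2.10", "S"),
        Pkt(5.11, "tcp", "192.0.2.10", "10.0.0.5", "SA"),
        Pkt(5.12, "tcp", "10.0.0.5", "192.0.2.10", "A"),
        Pkt(5.20, "icmp", "10.0.0.5", "192.0.2.10", "echo-req"),
        Pkt(5.21, "icmp", "192.0.2.10", "10.0.0.5", "echo-rep"),
    ]
    # SYN flood: 150 SYNs from 150 forged sources inside one second; no ACKs follow
    pkts += [Pkt(2.0 + i * 0.005, "tcp", f"203.0.113.{i + 1}", "192.0.2.10", "S")
             for i in range(150)]
    # Smurf: the victim sent a single echo request, yet 120 hosts reply to it
    pkts.append(Pkt(3.0, "icmp", "192.0.2.20", "198.51.100.255", "echo-req"))
    pkts += [Pkt(3.1 + i * 0.001, "icmp", f"198.51.100.{i + 1}", "192.0.2.20", "echo-rep")
             for i in range(120)]
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("SYN flood alerts:", detect_syn_flood(traffic))
    print("Amplification alerts:", detect_amplification(traffic))
```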
While flood attacks work to simply overload a server or system, logic/software attacks force errors by manipulating, and thereby breaking, communication protocols; these cyberattacks are usually most effective on systems that have not kept their bug fixes up to date. The “Ping of Death” attack is an example. This attack forces a system shutdown when the attacker sends a group of pings that exceed the maximum size allowed by the system. The inability of the system to reassemble the packets forces an error that causes the system to crash. Teardrop attacks work much the same way, sending malformed pings to the target server. The hacker manipulates these packets of information so that they cannot be reassembled, and when the target system attempts to do so, it forces a fatal error and crashes the system.
Hackers can utilize both flood and logic/software attacks to disrupt an array of systems, from websites to entire networks. Conversely, a “mailbombing” attack is much more limited in scope since it only targets e-mail accounts and servers. The attacker uses a tool to send thousands of e-mails at a time to a single address, which renders the user unable to receive e-mail until the excess has been deleted. Mailbombing attacks were most effective in the late 1990s, when the space allotted for e-mail inboxes remained small. Today, popular e-mail clients, such as Yahoo! or Gmail, grant their users an abundance of storage. This marked increase in storage capacity has relegated the tactic of mailbombing to a simple nuisance, as opposed to a tool of destruction.
Permanent denial-of-service attacks cause significantly more damage. Known colloquially as “phlashing,” this type of cyberattack is a relatively new phenomenon, first gaining significant press coverage in May 2008. Unlike other denial-of-service attacks that generally only cause service disruption, the permanent denial-of-service attack effectively destroys system hardware; users must reinstall it in order to run the system again. This cyberattack is carried out by a process known as “bricking a system;” a hacker sends the targeted system false hardware updates that, in turn, render the hardware in question completely useless. Although the popularity of these attacks has yet to be determined, most experts anticipate that hackers will resort to other denial-of-service attacks instead, as bricking a system renders it unable to be utilized in subsequent attacks.
It is important to note that denial-of-service attacks do not always occur intentionally. In 2006, the video website YouTube was sued by Universal Tube & Rollform Equipment, a small Ohio-based company, for initiating an accidental denial-of-service attack. As YouTube became increasingly popular, thousands of users each day began mistakenly logging onto utube.com, the website owned by the tubing company. This accidental cyberattack invariably forced the company to purchase more bandwidth, and Universal Tube & Rollform Equipment sued YouTube as a result. Another such attack occurred on September 30, 2008, when the U.S. House of Representatives failed to pass the $700 billion bailout plan. Millions of Americans flooded the House website to get more information, and the sudden surge in traffic brought the website down for several hours.
Distributed denial-of-service attacks will receive special attention in this study as they served as the modus operandi for the “hacktivists” who attacked Estonia’s Internet infrastructure in April 2007. These particularly volatile attacks made use of the methods discussed above on a large scale. When executing a distributed denial-of-service attack, a hacker attacks a network or server through the use of hundreds or thousands of “zombies,” computers whose security has been compromised; this allows the hacker to silently control those machines without their owners’ knowledge. The hacker will often channel the attacks through other intermediary machines, called “handlers,” in order to further mask his or her identity. This use of intermediary computers in cybercrime presents a two-fold problem. First, the use of intermediaries acts as a cloaking device for the hacker, hampering law enforcement efforts to track him or her down after an attack has been made. Second, by using intermediaries, hackers can create a large-scale attack with little or no effort. The use of botnets, entire networks of zombies that can be “rented” online, in the case of Estonia’s 2007 Cyberwar is a prime example.
Denial-of-service attacks have existed in different forms since the mid-1980s, but distributed denial-of-service attacks first came into play as recently as 1999. The first documented case involved a hacker who used a network of 227 zombie computers to overload a single computer at the University of Minnesota. The system was knocked offline for more than two days as a result. Since that time, distributed denial-of-service attacks have been implemented to attack scores of online retailers and resources including Buy.com, eBay, E*Trade, and CNN.
The 2007 Estonian Cyberwar: A Case Study
In April 2007, Estonia experienced the world’s first cyberwar in the form of a three-week wave of distributed denial-of-service attacks that crippled the country’s information technology infrastructure. Although the Estonian Parliament’s decision to remove the Bronze Soldier memorial from Tallinn’s main square served as the main precipitating event, other factors contributed to the vulnerability of Estonia’s sociopolitical landscape. The first involved the scores of disaffected, disillusioned ethnic Russians who had been living within Estonia’s borders since the end of World War II. During the 1944-1991 Soviet occupation of Estonia, large groups of ethnic Russians moved into Estonian territory in search of a better life. By the time the Soviet Union collapsed, ethnic minorities comprised approximately 40 percent of the Estonian population. Whereas the newly formed governments of Latvia and Lithuania—Estonia’s two Baltic state neighbors—extended universal citizenship to all people living within their borders (making great strides to integrate these disparate ethnic groups into one cohesive populace), Estonia refused to do so. Instead, the Estonian government insisted that all non-ethnic Estonians be treated as foreigners, thus forcing any ethnic Russian desiring Estonian citizenship to undergo naturalization. Instead of bringing people of all different ethnicities together under the Estonian banner, this policy served as a barrier that further solidified the division between ethnic Estonians and Russians living within Estonian borders. This division, in turn, created an unstable political situation that Russia would find easy to manipulate.
Whereas the civil unrest resonating within Estonia’s minority population increased the likelihood of a politically motivated attack, the heavy reliance of the Estonian population on the Internet and online services provided a conspicuous vulnerability that could easily be exploited. By 2007, Estonia had earned the reputation of being the “most wired country in Europe.” This was not the case in 1991. At the time of the country’s emergence after the collapse of the Soviet Union, only half of Estonia’s population had access to a simple telephone line. The new Estonian government, however, viewed this deficiency as an opportunity for growth; it passed legislation, the first piece of which was known as “Principles of Estonian Information Policy,” to devote a substantial portion of its budget each year for research and development in the realm of information technology and telecommunications.
The Estonian government’s investment in technology paid great dividends to the country, including innovations that resulted in the development of the software used to create Skype, a popular communication program. Estonia also became the first country to offer worldwide electronic voting to its citizens, a technology used in the 2005 Estonian elections. By 2005, the Estonian government had integrated information technology and the Internet into society to the point where an estimated 60 percent of the population relied on the Internet for “crucial” services every single day. In addition to conducting over 96 percent of banking transactions online, Estonians routinely use cell phone networks to pay for street parking. While the Estonian government heavily financed research and development (R&D) for telecommunications and other Internet-based services and innovations, it did little to explore defensive protocols against any potential cyberattacks that might occur. Estonia’s dependence on the Internet and its lack of defensive protocols made its information technology system vulnerable and easily exploitable.
The cyberattack took place at 10 p.m. on April 26, 2007, as unknown attackers launched a full-scale cyberattack against the Estonian government. The cyberattack remained relatively unnoticed for the first twenty-four hours, but was discovered soon thereafter when Estonian Minister of Defense Jaak Aaviksoo found himself unable to log onto the prime minister’s Reform Party website. The hackers had targeted this site first, subsequently spreading to other political party and government websites, including the official site for the Estonian parliament. By the end of the first week, the distributed denial-of-service attacks levied against these sites had knocked them completely offline.
The following week, the list of targets expanded to include major Estonian news publications. As the scale of attacks grew larger, news sites were systematically knocked offline. When it was discovered that most of the attacking zombie systems were located outside the country, news editors throughout Estonia resorted to blocking all incoming international traffic. The news media lamented the irony that their publications could not inform the rest of the world of what was happening in their country, as blocking international information requests was the only way to slow traffic to a reasonable level in order to eventually restore their servers.
The cyberattacks continued in waves for two weeks until May 9, the anniversary of the end of the European theatre of World War II. At the stroke of midnight, Moscow time, Estonia witnessed its heaviest attack yet—up to 4 million packets of information sent per second. This time the hackers focused their efforts on the Estonian banking system. By May 10, the cyberattacks had forced Hansabank, the nation’s largest bank and a pioneer of many of Estonia’s IT developments in the 1990s, to shut down its Internet-based operations. This was disastrous on three counts. First, it halted online banking for Estonians in a country where an estimated 97 percent of all banking transactions occurred online; second, it severed the connection between Hansabank and its ATMs throughout Estonia; and third, it broke the connection between Hansabank and the rest of the world, thus preventing Estonian debit cards from working outside of the country.
These cyberattacks wreaked extensive havoc primarily due to their careful and methodical orchestration. The cyberattacks that had begun on April 26 averaged about 1,000 packets on the first day. By the second day, the attack rates averaged 2,000 packets per hour, a rate that increased exponentially throughout the three weeks of attacks. May 9 marked the heaviest day of cyberattacks, averaging a rate of over 4 million incoming packets of information per second at hundreds of targeted websites.
Hackers orchestrated these cyberattacks through the use of weblogs, web journals, and Russian-language chat rooms; attackers would post the times and dates of scheduled attacks, lists of vulnerable Estonian sites, and even instructions on how to best carry out distributed denial-of-service attacks against the Estonian information infrastructure. Additionally, many of the attackers utilized botnets from all over the world; the zombie computers commandeered in the attacks on Estonia alone resided in over fifty countries, including the United States.
Over the course of three weeks, targeted websites grew to number in the hundreds as government pages, banking systems, news and media outlets, and sites of prominent Estonian universities were systematically attacked and shut down. After vainly attempting to fend off the waves of distributed denial-of-service attacks, the Estonian government blocked all international traffic. In doing so, the government effectively cut Estonia off from the rest of the world. Nonetheless, this drastic measure was met with success as web traffic to target sites returned to a manageable load. On May 19, the attacks stopped and the world’s first cyberwar came to an end.
At this point, the Estonian government, the North Atlantic Treaty Organization (NATO), and the West began to ask questions—specifically regarding who was responsible for orchestrating the attacks. The Estonian government immediately accused the Russian government, for several reasons. First and foremost, the Russian government had publicly denounced Estonia’s decision to remove the Bronze Soldier memorial. In addition to calling for the Estonian government’s resignation, it was rumored that the Russian government helped to instigate the street riots that took place in Tallinn upon the monument’s removal. The cyberattacks could have simply served as a “second wave” attack on the part of the Russian government in order to promote further instability within the region. Second, the Estonian government successfully traced one of the attacks back to an IP address owned by a member of the Russian government. The Russian government vehemently denied any involvement in the matter; it was later exonerated when the computer in question was found to have been a zombie acting at the will of another unknown attacker. To date, questions remain as to how much of an enabling role the Russian government played in the attacks.
It is now known that the attackers who waged cyberwarfare on Estonia acted on their own initiative, primarily as a form of political protest. These “hacktivists” turned out to be a combination of experienced hackers who would contract out their own botnets or write their own malicious programs, and “script kids” who were, by and large, individual novice hackers who attacked Estonian target sites by following “how-to” guides found on various hacker websites. The disparate nature of the attackers made them, in turn, difficult to track. In January of 2008, the Estonian government successfully traced and indicted one of the attackers, Dmitri Galushkevich, an ethnic Russian student residing in Estonia. Galushkevich had used his laptop to take part in the denial-of-service attacks targeting the Reform Party website, successfully taking it offline for ten days. Galushkevich pled guilty, claiming that he took part in the attacks to protest the removal of the Bronze Soldier, and was fined 17,500 kroons, an amount roughly equivalent to U.S. $1,635. To date, the Estonian government has made no subsequent arrests.
The lack of arrests should not be taken as an indicator of apathy or impotence on the part of the Estonian government. On the contrary, several major strides have been taken both on the part of the Estonian government and NATO as a whole to increase awareness of cyber-related vulnerabilities and the necessity of instituting safeguards for information infrastructure in response to the attacks. NATO reacted quickly to the news of attacks on Estonia by sending several key cyberterrorism experts into the country to assess the situation and assist the government in curtailing the damage wrought by the events that transpired in April and May. NATO also approved the opening of the Cooperative Cyber Defense Center of Excellence (CCD COE) in Tallinn to conduct cyberterrorism response research and establish a standard protocol for responding to a cyberattack; the center was approved in May 2008, and it opened the following August.
Implications for U.S. National Security
The cyberattacks in Estonia have reinforced the severity of threats posed by cyberwarfare to the United States and the international community at large. However, attacks on the scale that crippled Estonia’s information infrastructure would inflict limited damage on the United States, whose bandwidth capacity dwarfs that of Estonia by a large measure. Nonetheless, an attack launched at a great enough magnitude could conceivably cripple the United States’ information technology and critical infrastructure (CI), especially if such an attack were undertaken by a foreign government such as China or Russia. The U.S. government is no stranger to such attacks. The most notable in recent history was “Titan Rain,” a string of highly successful cyberattacks in 2003 purportedly orchestrated by Chinese hackers. Their aim was to steal as much technology as possible, and in doing so the hackers compromised systems at Lockheed Martin, NASA, and many other relevant security organizations. This Chinese cyberespionage, cited by the U.S.-China Economic and Security Review Commission as the “single greatest risk to the security of American technologies,” continues today. Additionally, cyberattacks against the U.S. government are becoming more frequent; the Center for Strategic & International Studies (CSIS) recently reported that the number of confirmed cyberattacks against U.S. government agencies in the 2007 fiscal year had increased 152 percent from the previous year.
The United States currently possesses a number of technological systems that potential cyberattackers could choose to exploit. First, hackers could choose to target the information technology of the U.S. federal government. They may choose to do so for a range of reasons, such as to steal classified technology or intelligence. Second, an outside entity could conduct a cyberattack on a sector of U.S. CI. Automated computer systems known as “Supervisory Control and Data Acquisition” (SCADA) systems run much of U.S. CI, including those sectors that regulate water and electricity distribution, and mass transit. A sustained attack on one or more of these systems could bring about disastrous consequences for the quality of American life. Third, hackers could choose to attack private sector Internet providers or commercial websites to disrupt the flow of information and online commerce to U.S. residents.
Cyberattacks pose a distinct threat to U.S. national security priorities. A successful attack on U.S. government information technology systems could compromise technology and intelligence. In addition to hampering the United States’ ability to guard its citizens against foreign threats, cyberattacks have the potential to hamper U.S. operations abroad; this is particularly important because U.S. forces rely heavily on both current military technology and up-to-date intelligence in order to carry out their missions. In addition, prolonged cyberattacks levied against U.S. CI and the SCADA systems that govern many of the sectors therein could endanger the lives of U.S. civilians and residents. Finally, cyberattacks aimed at the private sector could inhibit entrepreneurship and economic growth in the area of online commerce. Safeguarding the United States against threats posed by cyberwar is a daunting task, involving the hardening of all of information technology and CI against current and evolving threats. Nonetheless, U.S. cyberwar policy cannot remain reactionary. Instead, the U.S. government should institute several proactive policies to harden our information technology and CI.
First, the U.S. government must increase its coordination and cooperation with the private sector to guard against cyberattacks. As previously mentioned, online retailers such as eBay and Buy.com are no strangers to cyberattacks, especially those of the denial-of-service variety. Increased coordination between the government, public, and private sectors will create protocols to allow for enhanced information sharing, whether by warning of an impending cyberattack or something as simple as the discovery of a hardware vulnerability. The United States Computer Emergency Readiness Team (US-CERT) has begun this process. Created by the Department of Homeland Security in September 2003, US-CERT partners with organizations in the public and private sectors to reduce cyber vulnerabilities, to warn other entities of pertinent threats, and to coordinate the U.S. response to cyberattacks. In order to more effectively guard against cyberattacks as a whole, US-CERT must continually strive to increase its network of partnerships.
Second, the U.S. government must reevaluate legislation regarding the issues of cyberwar, especially in regard to the monitoring, tracing, and recording of instances of hacking. U.S. legislation has typically failed to differentiate these processes from those of wiretapping or other means of electronic surveillance. This has, in turn, placed heavy restrictions on those law enforcement agents attempting to locate and apprehend hackers who perpetrate cyberattacks. For example, federal law stipulates that law enforcement officers must procure a court order before monitoring a single computer’s communications—in the event of a cyberattack, multiple court orders would be required to trace a hacker, as hackers often use multiple intermediary computers in the process of executing an attack. Section 217 of the USA Patriot Act has relaxed these restrictions to allow law enforcement to monitor communications based on probable cause in lieu of a court order. This is a step in the right direction, but U.S. policymakers cannot stop here. Greater leeway must be given to U.S. law enforcement agencies to monitor and trace hackers. In addition to ensuring the prosecution of more hackers, this increased power will act as a possible deterrent to hackers operating on their own accord and may reduce the threat of cyberattack from amateur hacktivists.
Another legal issue that needs to be evaluated is the international nature of cyberwar. The zombie computers utilized in the 2007 cyberattacks on Estonia resided in fifty different countries, each of which possesses its own specific laws and jurisdiction regarding hacking and cyberwar. The United States must take the initiative to coordinate with countries across the world to ease legal barriers in hopes of expediting the tracing of hackers internationally. The U.S. government could make use of US-CERT to begin this process. The team has made strides to coordinate efforts with the private and public sectors domestically, and many countries in the European Union (EU) possess similar organizations. This seems an adequate starting point. In addition to expediting the process for tracing and indicting hackers, increased international coordination could further deter future cyberattacks.
This case study elucidates two means of safeguarding against cyberwar attacks. First, the government could allocate resources en masse for R&D to harden information infrastructure and CI in an attempt to stay “one step ahead” of other potentially malevolent actors of both state and sub-state origin. Alternatively, the U.S. government and citizens could drastically decrease their dependence on the Internet, telecommunications, and various online services in an attempt to make an attack on U.S. IT or CI less attractive. This second policy option seems implausible due to the push for globalization and the state of the global community.
The Bush administration had laid the groundwork for investing in cyber security safeguards. The National Infrastructure Protection Plan (NIPP), instituted in 2006, identified the key elements of U.S. CI, and tasked corresponding sectors in the U.S. government to protect them. As a result, the duty of safeguarding U.S. information technology has been relegated to the Office of Cyber Security and Telecommunications within the Department of Homeland Security. The administration also unveiled the classified Comprehensive National Cybersecurity Initiative (CNCI) in January 2008 as the latest plan to protect the U.S. federal government information technology systems from outside attack. Former President George W. Bush also allocated $242 million in the 2009 budget for the enhancement of US-CERT alone. Furthermore, the New York Times has reported that the “single largest request for funds” in the classified 2009 intelligence budget was for the execution of the CNCI.
Regardless of whether or not the Obama administration chooses to build off of the foundation laid by the NIPP and the CNCI, it is clear that President Obama takes the threat posed by cyberwar seriously. President Obama consistently emphasized the importance of protecting U.S. IT and CI from outside threats throughout his campaign; for example, during remarks at Purdue University on July 16, 2008, he placed cyberwarfare alongside nuclear weapons and biological attacks as the three greatest threats emerging out of the twenty-first century. President Obama’s proposed cybersecurity policy initiatives hinge upon the protection of two key resources: information networks and U.S. critical infrastructure. His administration hopes to accomplish this through a variety of measures, including setting federal standards for securing personal data, preventing corporate cyber-espionage, and enacting a “safe computing” R&D effort to harden U.S. government systems against intrusion.
However, these measures are not sufficient by themselves. The new administration must allocate additional resources specifically for R&D for experimental technology to add to our own strategic arsenal. Currently, US-CERT is inherently reactive as an organization while the current cyber threat demands proactive measures. Ardent R&D of experimental technology, whether by the U.S. government or government contractors, will ensure that the United States remains a step ahead of its adversaries in the realm of cyberwar.
Part of taking a proactive stance against emerging cyber threats could be the addition of such threats and tactics to the strategic arsenal of the U.S. government. The case study of Estonia has helped to elucidate the danger of cyberwar, albeit when orchestrated effectively. The U.S. government should make a concerted effort to actively explore these possibilities. If brandished effectively, they may enable the U.S. to pursue deterrence policy with other nation-states and sub-state actors in respect to cyberwar. The U.S. government took steps in this direction in 2006 when it proposed the creation of the Air Force Cyber Command, a military entity solely devoted to securing the United States from emerging cyber threats and exploring the possibilities of utilizing tactics of cyberwar in conflict. As of October 2008, however, the U.S. government made the decision to discontinue plans for a separate and distinct Air Force Cyber Command, choosing instead to place the security of cyberspace under the jurisdiction of the Air Force Space Command.
Cyberwar could also be more fully utilized as a response to the asymmetric warfare waged upon the nation by terror cells and organizations—many such organizations, al-Qaeda in particular, make use of the Internet as a primary mode of communication to propagate their message and orchestrate attacks. A well-placed denial-of-service attack could effectively destroy all lines of communication, rendering the organization in question impotent.
The global community has been awakened to the destructiveness of cyberwar, specifically in the realm of denial-of-service attacks. The attacks levied on Estonia crippled the country’s information infrastructure for three weeks, and the United States can, and should, draw lessons from this case study. The U.S. government must take a proactive approach to hardening its information technology and CI against cyberattacks. This can be achieved by increasing U.S. government cooperation and coordination with firms in the private sector in order to ensure seamless information sharing regarding impending attacks and vulnerabilities. U.S. policymakers must also reevaluate legislation to ensure that law enforcement officials have the ability to trace and apprehend hackers who perpetrate cyberattacks. Additionally, the U.S. government must commit resources to R&D programs for experimental technology in an attempt to stay ahead of hackers. Finally, the U.S. government should take steps to integrate the tactics of cyberwar into its own arsenal for implementation against rogue states and/or sub-state actors threatening U.S. national security interests. The issue of cyberwar will become more pressing in the fast-paced, interconnected global arena; if the United States takes these steps to mitigate the threat, it will be prepared to meet the challenge of cyberwar.
Jason Richards is an MA candidate in security policy studies at The George Washington University Elliott School of International Affairs. His areas of specialization encompass the region of Russia and the former Soviet Socialist Republics, ethnic conflict, and cybersecurity. He recently served as a panelist at the 2009 International Studies Association Annual Convention on the topic of Russian demographics and their implications for Russian military power projection capability in 2025.