Estonia 10 Years Later: Lessons learned from the World’s First Internet War

In-brief: Gadi Evron recalls the denial of service attacks aimed at the government of Estonia in 2007 – one of the first recognized acts of ‘cyber war’ and a template for incidents that followed. Evron says there were many lessons in that incident – some of which the U.S. and its allies are still struggling to learn. 

Ten years ago the country of Estonia came under attack – on the Internet. This first Internet war was a harbinger of things to come, and not only in cyber attacks. The claims of political manipulation world-wide, often with the finger of blame pointed at Russia, can be traced back to this 2007 incident. It was an event in which I was personally involved, that I saw play out first-hand, and which has shaped my professional career to this day.

Here’s the back story: in April 2007, a series of Internet attacks known as DDoS (Distributed Denial of Service) started hitting the Estonian Internet infrastructure. Following the fall of the Soviet Union, a newly liberated Estonia built their entire infrastructure from scratch. In the geopolitical sphere, Estonia is a bit player: a country of around 1.3 million people on the Eastern shores of the Baltic Sea. On the Internet, however, Estonia is a leader in technology: the birthplace of Skype and other startups. But they’re also an online country: a leader in technology adoption and a pioneer in online voting since 2005. The country’s most recent innovation is its online e-citizenship program.

Gadi Evron is the Founder and CEO of the firm Cymmetria.

Becoming reliant on technology has great benefits, but there are also risks. If Estonia lost its Internet connectivity, the country could stop operating. And, in April 2007, that possibility almost became a reality.

The attacks started when Estonia moved an old Soviet World War II war memorial from the centre of town, to the outskirts. Russians can be sensitive about World War II, and understandably so. They lost more than 20 million people in the war. To the Estonians however, the monument represented the rule of the oppressive Soviet regime. The decision to relocate the statue prompted the Russian government to suspend rail service to Estonia and spawned raucous demonstrations in Moscow.

The unrest spread online, as well. Back then, social media was just gathering steam, and people mainly communicated over web forums. On these forums the online Russian population was enraged. A simple message was distributed, decrying the Estonian act, with a simple call to action: ‘Let’s get them!’ A movement of sorts was started. The combination of the call to action with a simple attack tool that anyone could use created a situation where it was easy for anybody to get involved.

These days we think about denial of service attacks as a tool of cyber criminals or tightly organized hacking groups or hacktivists like Anonymous. But 10 years ago, the denial of service attacks were more of a grassroots movement that pulled in rank and file Russians working shoulder to shoulder with seasoned online crooks.  If your mother, your son, your uncle and your sister are all actively involved in “showing” Estonia, wouldn’t you jump on that bandwagon too? And if you happen to be a cyber criminal or spammer who was sympathetic and already controlled more advanced capabilities such as botnets, wouldn’t you use these instead of the simple “ping” the others used to express their dissatisfaction? The answer, in both cases, was “yes.”

The denial of service attacks, coming in waves, first hit the Web site of Estonia’s prime minister on April 27, 2007, before spreading to a web site run by the country’s President and those of several government. Before long, newspapers, banks, television stations and even schools were targeted by the attacks, crippling their Internet service, according to published reports.

The Kremlin denied government involvement in the attacks and dismissed Estonia’s complaints about the attacks as fabrications. In official spheres in Estonia, there was confusion about how to respond, if not about who or what was responsible. .“If you have a missile attack against, let’s say, an airport, it is an act of war,” a spokesman for the Estonian Defense Ministry, Madis Mikko, told The New York Times in a telephone interview. “If the same result is caused by computers, then how else do you describe that kind of attack?”

Online, it didn’t take long for the defender community in Estonia to get together. The country’s CERT (Computer Emergency Response Team) was staffed by just two people. One of them was Hillar Aarelaid. who pulled the country’s various technology organizations together and facilitated the exchange of information between them using a Jabber server. It took Hillar and the others about three weeks to start getting things under control, but they did. Persistence and a focus on hardening the nation’s defenses slowed the momentum of the attackers, slowing them down before finally turning them back.

Tactically, the cyber war against Estonia carried many lessons with it. First, we learned that cyber security and defense is a messy affair that involves strategy and policy not just the technical details of computer attacks. For example, when the Estonian President’s website came under attack -a site which attracts 20 visitors a week – Hillar made the tactical decision to allocate his resources to the defense of the nation’s banks, allowing the President’s website to stay down. This may have been the correct distribution of force and the right management decision, but it also caused for further engagement by the attackers who interpreted the DDoS on the President’s site as a success.

In another case where the attackers targeted the Estonian Parliament’s mail server, Hillar drew a line in the sand. Whenever the site would “drop”, they would fight to bring it back up. In one case, that involved driving with a server across Tallinn as the various service providers were helping each other. Eventually the attackers gave up and moved on to other targets. But we also noted that while they were engaged in that pitched battle, they showed less interest in expanding their attack to other targets. Our fire fight over the email servers kept them engaged – and preoccupied.

It became clear that cyber is about people. Machines were just what people were using. That is a shift in thinking. As recently as the 1990s,  the U.S. and its allies treated cyber as a combination of CNE (Computer Network Exploitation) and information operations. As information security professionals as we were called at the time, many of us objected to this unification and fought it, and the two were separated.

The Russians, however, were never confused. S.P. Rastorguev, one of the leading cyber strategists in Russia, wrote books on how the goal is to disarm the enemy by causing them to disarm themselves. One of the fables he uses to describe this is about a turtle and a fox, A turtle walks through the forest, enjoying the view. She runs into a fox, who says: “Turtle, turtle, get out of your shell and you can fly.” The turtle stares skeptically at the fox, and keeps on walking. Eventually, traveling through the forest the turtle comes across a television set. She watches as hundreds of turtles get out of their shells, and fly. She gets out of her shell, and she flies.

The turtle was engaged with what it saw on television, and disarmed itself. Estonia taught us that cyber security is performed through technical means, but it is about people, strategy, and most importantly, engagement.

I co-authored a paper, “Storming the Servers: A Social Psychological Analysis of the First Internet War,”(PDF) together with Dr. Rosanna Guadagno and Dr. Robert Cialdini, in which we examined the use of “influence” (as defined by social psychology) in motivating a massive online population to attack another country. Among other things, we argued that a range of psychological factors were in play. Among them, notions like “loss,” “anonymity” and “group membership.” Participants in the DDoS attacks were driven by factors like adherence to group norms, social validation, and contagion, all of which contributed to the success of the attacks.

Regardless of whether the attacks were orchestrated or an ad-hoc coming together of people, it was a successful test for the Russian authorities – one they could copy and build upon. And indeed about a year later much the same happened when Russia entered Georgia with ground troops. This time, the online attacks were coupled with a propaganda campaign and seemed more rehearsed than spontaneous.

Denial of Service attacks have grown in magnitude and frequency in the last decade. Today, they are background noise on the Internet, happening all the time and becoming a full-fledged business for cyber criminals. But they have also become larger and more damaging. The recent attacks attributed to the Mirai botnet against Dyn, a provider of managed DNS services, prevented users from accessing some of the Web’s biggest and most valuable properties.

Today, cyber security has become a mainstream topic of discussion and policy. From Apple and the FBI drawing legal swords over access to the now infamous iPhone, to the hacking that attempted to sway public opinion and affect the results of elections world-wide. We have seen that play out recently with targeted attacks on the campaign of US presidential candidate Hillary Clinton and the Democratic Party in the U.S. and of Emmanuel Macron and other candidates in France.

It may have started with Estonia in 2007, but calling it “fake news” doesn’t do it justice. Estonia was our first glimpse of the future, in which cyber attacks were married to political activity and clear policy goals. Estonia was the victim of a spontaneous, but organized assault of a type that is becoming more and more common. Before we can decide if and how to counter it, we must recognize these attacks for what they are, and also that we are behind the curve.

One Comment

  1. The programm you have mentioned is e-residency not e-citizenship. There is no citizenship rights provided with e-residency. Please correct this mistake. Thank you!