Were the attacks on Estonia state-sponsored cyberterrorism? Probably not, but the month-long protest signals a troubling trend.
Reports on the cyber assault against Estonia this spring once again raised the specter of pending doom in cyberspace--the "electronic Pearl Harbor" that always seems to be just over the horizon. One headline even upped the doomsday language to "cyber nuclear winter."
Is all this hype, as many experts have argued, or should we worry about cyberterrorism? So far, no attack in cyberspace has come close to bringing about the devastation, grief and political consequences of Pearl Harbor or Sept. 11, let alone nuclear war. Certainly not the cyber protest against Estonia, which left no one dead or even physically injured.
Yet the assault deserves our attention, as it took online activism to a new, worrisome level.
In one of the first cases of Internet-based protest 12 years ago, cyber activists conducted a one-hour "netstrike" against the French government. At the appointed hour, participants amassed at selected Web sites and repeatedly hit the reload button in an attempt to block legitimate use of the sites. Not much happened, but later, software was developed to automate these so-called "sit-ins." The Electronic Disturbance Theater's FloodNet software allowed activists to visit an EDT-sponsored site, where they could simply click a link to launch a barrage of page requests against a target. EDT and other groups used FloodNet and similar software for Web sit-ins relating to the Mexican Zapatistas, globalization and other issues. The effects were relatively benign.
However, more powerful cyber attack tools have emerged. One of the most potent is the botnet--a network of hijacked computers used to conduct DDoS attacks or send spam. By some estimates, 70 million computers have been compromised and assigned to botnets, which are sold and rented in underground markets.
Estonian attackers reportedly employed botnets in their DDoS attacks, including one with a million computers. The effect was equivalent to more than 1 million individuals participating in a Web sit-in--many more than the few thousand who typically join a sit-in--except that none of them volunteered. They too were victims. Moreover, unlike most sit-ins that last an hour or two, the Estonian attack went on for weeks. The net effect of the siege was extremely disruptive and costly--at least $1 million for one of the targets, Estonia's largest bank.
The extent of the assault led some to speculate that it was the work of the Russian government. This seems unlikely. The hijacked computers comprising the botnets were located all over the world. It is doubtful the Russian government would engage in that level of collateral damage against neutral countries. Although a few attacks seem to have come from inside the Kremlin, those computers too could have been compromised. Also, at least one individual--the leader of a pro-Kremlin youth group--admitted to staging one of the attacks, and several Russian-language Web forums distributed information and scripts for participating in the attacks.
More importantly, it did not take a government to cause the cyber damage seen in Estonia. The assault showed that a few individuals, operating on their own and without the resources of a government, can cause considerable damage at a national level. Al-Qaida and other terrorists know this. Indeed, they already advocate and use cyber attacks to fund operations, disrupt Web sites and cause economic harm. They want to do more.
As cyberspace increasingly penetrates our lives and critical processes, and cyber technologies and attack tools continue to advance, the possibilities for harm will increase. We need to take cyber defense seriously, regardless of whether the cyberterror terminology sounds like hype today.