There hasn't been a lot of information about what happened in Estonia, but there has been a lot of commotion and discussion. Once I discuss what actually happened and how Estonia's CERT (Computer Emergency Response Team) responded to the incident, I'd like to try to address the strategic lessons learned. What worked for the defense and for the attackers? I'll discuss the impact and what could be replicated on the part of future attackers and defenders. This has been called the first Internet war. I'm not sure if that's true or an exaggeration, but I'd like to present the details as a case study with the different lessons we can take from it.

Originally there was talk that this was a coordinated effort by the Russians to attack Estonia over some controversy that erupted when Estonia decided to move a Soviet-era WW II memorial. But since then investigators have said it's more likely this was carried out by smaller, independent groups. What is your gut feeling?
The Internet was built for plausible deniability. We'll never be able to prove through technological means alone who the attacker is. This is one of the basics of information warfare. Although the attacks themselves came from Russian-speaking individuals, the way the attack was orchestrated and the way it changed and adapted to defenses suggests there was some sort of organization behind it. Whether it was a seriously planned operation or some sort of ad hoc coordination between attackers, we may never know for sure. But indications are this was more than ad hoc.
The attackers kept adapting. They kept getting new information on how to attack and respond to defenses. There were tools used that made us believe some work done on this attack was specific to Estonia.

If you are an IT security officer responsible for defending a private or government network, what are the lessons to be learned from this attack?
I'd say look at this as a country. We have to realize that the civilian infrastructure for business and private industry is as important if not more so for Internet engagement as what the military and other critical infrastructure like energy, transportation and air traffic [are managing]. What really worked in Estonia was how the CERT and [private entities] cooperated. They openly shared information and did not compete on security. Such coordination in Estonia was easier because it's a small country with only about a million people and the CERT knows everybody.

So this was good cooperation between the private sector and government?
I would say between the private businesses themselves, between those in the private sector. They shared information instead of competing on security and chose CERT as the main coordinator. Because they did incident response well and coordinated well, they gained the upper hand.

I recently asked Howard Schmidt about the role of government vs. the private sector in dealing with cybersecurity, and he told me the private sector has a bigger role to play, since the private sector controls a lot of the infrastructure. Do you share that view?
We all have a role. We are all connected. But while coordination in the private sector was important in the Estonia attacks, CERT was the leader. It is very difficult to coordinate in real time with several hundred or thousands of ISPs. Coordination and cooperation with a centralized incident response [organization] was critical.