The Internet was built for plausible deniability. We'll never be able to prove through technological means alone who the attacker is. This is one of the basics of information warfare. Although the attacks themselves came from Russian-speaking individuals, the way the attack was orchestrated and the way it changed and adapted to defenses suggests there was some sort of organization behind it. Whether it was a seriously planned operation or some sort of ad hoc coordination between attackers, we may never know for sure. But indications are this was more than ad hoc.
The attackers kept adapting. They kept getting new information on how to attack and respond to defenses. There were tools used that made us believe there was some work done on this attack that was specific to Estonia.
If you are an IT security officer responsible for defending a private or government network, what are the lessons to be learned from this attack?
I'd say look at this as a country. We have to realize that the civilian infrastructure for business and private industry is as important, if not more so, for Internet engagement as what the military and other critical infrastructure like energy, transportation and air traffic [are managing]. What really worked in Estonia was how the CERT and [private entities] cooperated. They openly shared information and did not compete on security. Such coordination in Estonia was easier because it's a small country with only about a million people and the CERT knows everybody.
So this was good cooperation between the private sector and government?
I would say between the private businesses themselves, between those in the private sector. They shared information instead of competing on security and chose CERT as the main coordinator. Because they did incident response well and coordinated well, they gained the upper hand.
I recently asked Howard Schmidt about the role of government vs. the private sector in dealing with cybersecurity.
We all have a role. We are all connected. But while coordination in the private sector was important in the Estonia attacks, CERT was the leader. It is very difficult to coordinate in real time with several hundred or thousands of ISPs. Coordination and cooperation with a centralized incident response [organization] was critical.