The recent Estonian denial-of-service attacks have left U.S. network managers wondering if they've entered a new era of cyberwar and what they should be doing to prepare for politically motivated attacks.
When the Estonian government was hit with major, sustained denial-of-service attacks this spring, the headlines screamed that it was the first incident of modern cyberwarfare.
The attacks disrupted a dozen government Web sites and networks run by ISPs, financial institutions and media outlets for several weeks in April and May. A global botnet of compromised home computers was used to create and direct the packet flood attacks that reached a peak of 90Mbps. Hackers also defaced key government Web sites with anti-Estonian slogans.
Pro-Russian activists were behind the cyber attacks, which were motivated by the Estonian government’s decision to move a Soviet World War II memorial. All in all, the hackers launched hundreds of individual cyberattacks against Estonian Web sites, ranging from less than one minute to 10 hours or more.
The Estonian attacks have left U.S. IT and network professionals wondering if they’ve entered a new era of cyberwar and what they should be doing to prepare for politically motivated attacks.
Glen Baker, CIO of Outsource Partners Inc. (OPI), says he is "absolutely" concerned about the Estonia incident and the threat of politically motivated attacks against his company's network. The New York City firm does finance and accounting outsourcing for multinational companies, and it has the majority of its 1,500 employees in India and Bulgaria.
"We're in the process of hiring a security consulting firm to try to mitigate this threat," he says. "They will do analysis for us and build what a typical industry response should be."
Baker says OPI suffered Web defacements in 2001 and sees regular virus and spam attacks through incoming e-mail. He says he's more concerned about hactivism than he is about internal threats such as disgruntled employees.
"We have locked down facilities in India and Bulgaria. Users don't have many access rights or Internet access. They can't bring personal items on to our networks," Baker says. "But we do worry about external attacks. We can imagine political or anti-outsourcing attacks. Those are the ones we are trying to target and trying to mitigate."
Jose Nazario, senior security researcher with Arbor Networks, says CIOs in government and industry have been asking about the Estonian incident and whether it is evidence of a new online threat.
"As we move more critical infrastructure to the Internet and we depend on it more and more for communications, the threat [of cyberwar] is real," Nazario says. "It could be as specific as shutting down a phone system or it could be like the Estonian attacks, which were hitting key government sites and mail servers. It could be both making a statement and disrupting an activity."
Security experts agree that despite the damage caused by the Estonian attacks, they were more hactivism than all-out cyberwar. However, experts fear that we could be entering an era of more frequent politically motivated attacks and that commercial networks will be targeted.
Experts say that the success of the Estonian attacks and the publicity they received may encourage other disgruntled individuals or groups to launch copycat attacks. Companies with unpopular employment policies, business practices or those contributing to global climate change could be hit by similar attacks, they warn.
"There is potential for [politically motivated attacks] to be more frequent based on the attention brought to what happened in Estonia," says Michael Witt, deputy director of the U.S. Computer Emergency Readiness Team within the Department of Homeland Security.
"We’re sort of in unchartered territory," Witt adds. "You don’t know what is going to upset an individual or a group to see if later they will launch a cyber attack."
Among the industries that could be targets for future cyber attacks are not only ISPs and banks but also oil and electric companies.
"When you think about the citizens of many countries that may disappear beneath the ocean from global warming within 50 years, it’s fairly easy to imagine a small, disaffected group [launching cyber attacks] because they’re not being heard otherwise," says Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University. "We have seen various groups because of racial or religious extreme ideologies…circulating literature about bringing down utility grids."
Was it cyberwar?
Despite the initial headlines, most security experts say the Estonian incident wasn’t all-out cyberwarfare because it doesn’t appear to have been sponsored by the Russian government.
"I would call it more of a political statement," Witt says.
Spafford says true cyberwarfare would be undertaken by one nation to bend another to its political will, and network attacks would likely be a companion to other physical attacks.
"The activity that was carried out in Estonia was malicious and criminal," Spafford says. "If you look at some of the political demonstrations held in countries around the world, where traffic is brought to a standstill and there are work stoppages and banks are shut down as a matter of political statement, you wouldn’t call that warfare."
Charles Kaplan, chief technology strategist at Mazu Networks, says the Estonian attacks appear to have been conducted by Russian citizens but weren’t orchestrated by the Russian government.
"If it really was a government-caused event, we would have seen something more damaging," Kaplan says. "This was a pure demonstration of brute force, and it did have some economic impact. If somebody really wanted to take these guys down, the damage would have been greater than it was."
There are only two other known network attacks that were as devastating as the Estonian incident and have been called cyberwarfare. One, dubbed Titan Rain by the U.S. government, took place in 2003 and involved Chinese military attacks on networks run by Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA. The other incident, which the U.S. government refers to as Moonlight Maze, occurred in 1999 and involved Russian attacks on classified military information.
Whether it was cyberwar or hactivism, the Estonian incident shows the devastation that a politically motivated network attack can have on government and commercial networks.
Security experts agree that it should be an eye-opener for CIOs, who have been focused on profit-oriented attacks and should consider the threat of politically motivated ones, too.
Spafford calls the threat of political or ideological attacks against U.S. corporate networks significant. He points out that many early viruses and Web defacements were political statements.
"There are many organizations that may be targets for ideological groups because they do business somewhere in the world that may be unpopular," Spafford says. "If you’re part of the banking or power industries, you may be a target for purposes of harm to the overall economy."
Spafford estimates that there are thousands of politically motivated attacks across the Internet each year. "Many of them aren’t that coordinated or don’t have as big of an impact as in Estonia," he adds.
However, the majority of cyber attacks are economically motivated, with the most common targets being gambling, e-commerce, pornography and financial Web sites.
"We don’t see a lot of denial-of-service attacks these days because most of the cyber attacks we see are profit motivated," says Steve Bellovin, an Internet security expert and professor of computer science at Columbia University. "The most common are extortion, especially against gambling sites."
Lessons learned from Estonia
The packet floods used in the Estonian DoS attacks were not new. What was unusual about these attacks was the duration and the disruption they caused, experts say.
"The size and scale of these attacks in terms of the bandwidth and packets per second is in the middle in terms of what we have seen for these kinds of attacks," Nazario says. "But they lasted for weeks, not hours or days, which is much longer than we’ve seen for most of these attacks in the past. And the targets and the inferred motivation were geo-political rather than economic or a simple grudge. That suggests we have turned a corner."
Spafford says what’s important for U.S. companies to learn about the Estonian incident is how much damage a small number of people with resources can do.
Another lesson learned from this incident is that the Estonian response – of admitting the problem and getting help from ISPs and international governments – was largely successful.
One suggestion for network managers is not to worry too much about figuring out where a cyber attack is coming from or why. Ed Amoroso, CSO at AT&T, says network managers should instead focus on mitigating the attack.
"For the day to day types of attacks people are dealing with, the goal of trying to determine where the attack originates remains very elusive because most of the attacks involve bots," Amoroso says. "It’s so tempting in cyber security to say let’s trace back the attack to see where it’s coming from, and let’s hypothesize what the geo-political situation is. Let’s assume if we see that it’s an intense attack, that it’s well funded. But it’s just as likely to be a kid sitting in Brooklyn. That’s one of the great difficulties of doing cyber security."
The good news for U.S. CIOs is that they are better positioned to defend themselves against similar DoS attacks because the United States is so much larger than Estonia and has a more robust network infrastructure.
"The country of Estonia is about the size of Rhode Island [based on population]," says Marty Lindner, a senior member of the technical staff at the U.S. Computer Emergency Readiness Team. "They only have so much infrastructure. When somebody decides to launch a DoS attack, all it takes is a little more energy than the size of your infrastructure to knock it over. The attacker here decided to take out 11 to 12 Web sites….If you take a big corporate network in the U.S., it is bigger and more robust than Estonia’s will ever be."
Even though the U.S. network infrastructure is more robust than Estonia’s, hactivism and other politically motivated attacks are still a worry for CIOs, Witt says.
"We have worked diligently with our critical infrastructure owners and operators, whether in the telecom industry or the IT industry or the chemical or energy sectors," Witt says. "We’ve been working at this for many years to make sure we have a more robust type of backbone to deal with this kind of attack. Is that to say we are 100% protected against this type of attack? Absolutely not. It all comes back to best practices and having plans in place to deal with attacks."
What will happen next?
Security experts predict that politically motivated attacks will be more targeted than all-out cyberwar aimed at taking down the Internet.
"What motive would Russia or China have to try to take out the U.S. suddenly? If they do that, they’re going to get hurt, too," Bellovin says. "If they take out the internaps, they take them out for themselves, too. If they take out our economy, they take out some of their big trading partners, which hurts them, too. There’s not an obvious motive for something happening on that scale in the very near future."
Bellovin says the more likely scenario is that hactivists or cyber terrorists would disrupt individual commercial or government targets.
"What if someone said: Pay us $100 million or the denial-of-service attack that took out the electrical grid in California is going to happen again?" Bellovin asks. "That would be an act of war. And from a military perspective, every major country is looking at attacks and defenses on this issue."
Kaplan says politically motivated attacks are more likely to come in the form of spear phishing attacks rather than DoS attacks like those used against Estonia.
"If I want to steal a piece of information from a particular company or government, I just look around at publicly available information such as Google, find the controller of that information, and send that particular person a phishing e-mail," Kaplan explains. "He’s the only one who gets it, and it’s specific enough that he opens up. I can’t do that on a mass scale, but I can do it to get deep into a particular organization."
Kaplan also worries about hard-to-detect polymorphic viruses and malware hiding in virtualization engines.
"This is not to say that a big cyberwar attack couldn’t happen," Kaplan adds. "But when I think about what a group of kids or terrorists could do, there are so many other options that are more attractive than all-out governmental cyberwarfare."
Experts say what will happen next in cyberwar is that hactivists will launch whatever kinds of attacks – DoS, Web defacements, worms, viruses, phishing or pharming – that help them meet their goals.
"It’s an arms race. I would never predict what the next bad thing will be,” Lindner says. “The best thing that a corporation or anyone can do is have a good layered defense, understand their exposures and have a good plan for managing the attacks when they occur."
Most of the steps that CIOs should take to prepare for hactivism involve keeping up with state-of-the-art security practices. And these steps will protect networks from both political and profit-driven attacks.
"You shouldn’t neglect politically motivated attacks as a threat, but you should be worrying much more about the economic impact today," Bellovin says. "Most of the things you should do about that would help to protect you against this threat as well."