Hacktivism attacks may rise, homeland security official warns

Michael Witt was appointed deputy director of the U.S. Computer Emergency Readiness Team within the Department of Homeland Security’s National Cyber Security Division in January 2006. He leads US-CERT in protecting the nation’s Internet infrastructure by coordinating the response to cyberattacks. Network World national correspondent Carolyn Duffy Marsan interviewed Witt about the Estonian cyberattack and its implications for U.S. network managers. Here are excerpts from their conversation:

Now that it’s behind us, what is the conventional wisdom about what happened in the Estonian attack?

The attacks had to do with the [movement of the Russian war memorial] statue. It was a hactivism attack. The Estonian government termed it a cyber-riot. It was more politically motivated than anything else.

We became involved when the Estonian government, which is a new member of NATO, asked for cyber-response assistance. The Defense Department, which represents the U.S. in NATO, contacted the US-CERT to provide assistance. We reached out to the Estonian national level CERT and started working with them to mitigate the denial-of-service attacks that were impacting their government networks and critical infrastructure.

5 things Estonia did right in battling hacktivism

The first thing we did over here was look for any attack originating out of the U.S. government, of which there were none, or the U.S. as a whole. The attacks consisted of botnets that were being controlled. It’s not that we had U.S. citizens involved, but we had their home computers assisting [the attacks.] We identified approximately 2,000 computers, primarily home computers, and we worked with the National Communications System, which is a sister directorate to the National Cybersecurity Division that works with the ISPs that control the backbone of the Internet. Working with the ISPs, we asked them to help mitigate the attacks out of the U.S. toward the Estonian government as well as the U.S. ISPs that have global presence [to help stop attacks] that were going to the Estonian networks.

We also reached out to the North American Network Operators’ Group, NANOG. This group is made up of the operators that help control the backbone of the Internet. This group was set up to combat the original denial-of-service attack in the 1999/2000 timeframe. So there’s a longstanding partnership among the ISPs to deal with denial-of-service attacks. This was not anything new to them. They worked diligently to track traffic headed toward [Estonia]. We also worked with the Estonian national CERT and with the NANOG community, in mitigating the attacks.

We also worked to identify attacks coming out of other NATO-allied countries and worked with those national CERTS in the form of incident response teams. There is a virtual group of national incident response teams, the CERTS, as well as the private sector that work together to try to ensure that cyberspace stays friendly and healthy.

This was an international presence that was working jointly together to mitigate the attacks going against the Estonian government and its critical infrastructure. We worked jointly as an international community, and it worked to mitigate a lot of the attacks going against them.