Real lessons learned from the attacks on Estonia (Kurtis's Blog)

Real lessons learned from the attacks on Estonia

A friend pointed me to this article that tried to analyse the lessons learnt from the attacks on various web-sites in Estonia.

I personally think that the article is naive at best.

First of all it claims that this was the first government to be attacked, this is certainly not true. While not a government I was fighting (actually I was in the EUnet NOC watching Pierre and James fight, but anyway) Yu attacks on the Nato web-site during the bombing raids on Sagreb, and I am sure it had been done before. There where also several reports of various forms of attacks against Iraqi infrastructure before the start of the second Iraq war.

The article goes on to claim that no collateral damage was done. This show a pretty poor understanding of the nature of these attacks. In most cases, there certainly will be collateral damage as the attacks can be large enough to never reach their intended destination and therefor infrastructure used to provide service to others is also taken out. However, even the notion of collateral damage get interesting when you talk about cyber attacks. If I attack an on-line bank web-site used for on-line trading. The users of that site is likely to loose money as they are not capable of completing their planned transactions. Are they 'real' damage or collateral damage? Does it matter? The term collateral damage is used in real warfare as a way to separate intended (read legitimate) targets from casualties that whose non-loss wouldn't have affected the ability to conclude the intended operational goal. Cyber attacks on banks and/or government web-sites seems highly unlikely to help in achieving these operational goals from a military point of view. Command and control systems of foreign forces, sure - but I am sure the Estonian government would not succumb to Russian rule just because their web-site could not be reached....

Third the article brings up the (lack of) panic created by the attacks. Having had the luxury of being invited to the Estonian CERT and had the privilege of working with the Estonian CERT during the attacks, they where far from panicking. While I don't understand Estonian so my capability of following local news was limited, I think I dare to say that there where no panic among the Estonian population in general either. What I could follow though, and that I dare to say is that there where far more panic in the International press-reports than anywhere else. And here is a real problem with reporting and handling incidents like these. I blogged about this when the DNS root-servers allegedly where attacked. The problem is that while you DO want to inform the public on what is going on, you are at the same time for operational reasons hindered to say all that you know. And the way the press will present the events is likely to more help the attacker achieve their purpose than to help inform the public. This is really worrisome as we for example have very little insight into how banks are handling on-line extortion etc and they are also afraid of reporting similar events to the police.

There is plenty more I could say about the article, but I do not want to disclose facts that could damage operations that the people on the ground are working on. Again, this is the sad fact working with incidents like this, you just can't correct misconceptions in real-time, no matter how much you would like.

Last, personally I am not so much worried about this being the first attack or the attack happening. We knew that all along, Estonian friends made an effort to point out that as far as they where concerned this was nothing more than cyber riots, i.e Internet events mirroring the physical events (I think there have been a fair bit of politicising and word in mouth putting going on, but that I just my personal perception) - the two things that DO worry me is that

1) A point on which I agree with the article. How hard it is to actually bring about arrests in these cases. Even when the criminals are known, and the locations and whereabouts can be tracked, we can't get them behind bars as legislation and international agreements are lacking. If the IGF is serious with fighting cybercrime and making a difference, this is where it will have to start
2) That not more governments are trying to draw their own conclusions and work on contingency plans.

But that is just me...

Posted on May 25, 2007 12:26 PM | Permalink

TrackBack

TrackBack URL for this entry:
http://www.kurtis.pp.se/cgi-bin/mt/mt-tb.cgi/125

Kurtis's Blog

Real lessons learned from the attacks on Estonia

TrackBack

Comments (64)

Post a comment

Search

About