May was not a good month for geeks in Estonia.
The tiny Baltic republic weathered a month-long cyberattack that shuttered Internet servers nationwide. At the height of the crisis, people who wanted to use payment cards to buy bread or gas had to wait, as the onslaught crippled Estonia's banks.
Investigators traced the attack to Russians angered by Estonia's decision to relocate the statue of a Red Army soldier erected during the Soviet era. Tensions over the incident led to rumors of Russian state involvement in the cyberattacks.
Even if these suppositions are never corroborated, Estonia's experience may be repeated elsewhere. "Estonia shows us how, as we become more networked and more wired, our vulnerabilities increase," says James Mulvenon, the director of the Center for Intelligence Research and Analysis, a Washington, D.C., think tank. With a population of just over 1.3 million, Estonia is one of the most wired countries on earth. Elections, banking, and point-of-sale systems have largely moved to the Web, so cyberattacks such as the one in May can have a profound effect on its commerce.
United States at Risk
The United States faces many of the same dangers as Estonia. And with public utilities such as hydro-electric plants and nuclear power plants moving away from proprietary (and more secure) systems toward open-standards-based systems that use common Internet protocols such as TCP/IP to connect to one another, the list of potential targets is increasing.
Attacks on U.S. systems have never been linked directly to state-sponsored cyberwarfare, but in 1999 Chinese hackers took down three U.S. government sites after NATO bombers mistakenly attacked the Chinese embassy in Belgrade.
Though identifying adversaries in cyberwarfare is difficult, preparing for computer network attacks involves many of the same steps as preparing for other online threats, according to Gregory Garcia, assistant secretary for cybersecurity and telecommunications with the U.S. Department of Homeland Security. "For our purposes, we really need to focus on reducing our vulnerabilities so those attacks don't happen in the first place," he says.
Last November the U.S. Air Force set up a new cyberwarfare group, called the Cyberspace Command, as part of the Eighth Air Force. "The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command," says Secretary of the Air Force Michael Wynne.
Though much of the U.S. Department of Defense's cyberplanning is classified, some aspects of its strategy are public knowledge.
According to the Washington Post, President George W. Bush signed a secret directive in July 2002 that set down guidelines for determining when and how the United States would attack foreign computer systems.
Fifteen months later, then-Secretary of Defense Donald Rumsfeld approved a 74-page "Information Operations Roadmap" outlining his department's plan to develop cyberwarfare capabilities. The cyberwarfare sections of the plan remain classified, but a March 20, 2007, report prepared by the Congressional Research Service states that the Pentagon has proceeded cautiously with these capabilities, "since a cyber attack could have serious cascading effects, perhaps causing a major disruption to networked civilian systems."
The U.S. military decided not to launch a cyberattack in Iraq as part of its 2003 invasion, the report states. Concern that any such attack might have rolled over into civilian networks outside Iraq may have played a part in its decision.
Civilian Spillover a Danger
Estonia's situation aptly illustrates this key problem with cyberwarfare, according to Mulvenon, who has tracked cyberskirmishes between attackers in China, Taiwan, and the United States. "None of the cyberwars that I've seen in the last 10 or 15 years has been clean," he says.
This characteristic complicates matters for states that engage in cyberwarfare because an attack may reach beyond its original objectives into civilian territories or neighboring countries.
Nations must also contend with rogue agents, such as the ones in Russia and China who may have acted without their government's approval. One official who helped coordinate Estonia's response says the attack on Estonia's computer infrastructure amounted to a cyberriot.
"In war you have definite targets," says Hillar Aarelaid, manager of Estonia's Computer Emergency Response Team (CERT). "In a riot you don't care, you're just breaking windows."
Aarelaid was struck by the sheer variety of the attacks Estonia endured. Some assailants had simply downloaded software on their home computers that repeatedly sent information requests to Estonian servers, while others had marshaled sophisticated botnet armies.
Are civilian attackers part of any nation's cyberwar strategy? Perhaps. "I tend to think that the government views them as useful idiots," Mulvenon says.
For now, Mulvenon predicts, fears of unintended consequences--whether in the form of civilians joining in the fight or of a cascading network failure--will keep cyberwarfare planners cautious, especially in conflicts with powerful nation-states. But that won't prevent attacks like the ones in Estonia, where civilian irregulars pile on in hopes of serving their nation's interests.