More than anyone else, Jaak Aaviksoo has first-hand knowledge of what a cyberwar might feel like. In April 2007, Estonia’s banking, media and government presence online was disrupted by several waves of distributed denial of service attacks that knocked services offline. The country is heavily wired — 90 percent of all financial transactions are conducted over the Internet and 70 percent of the population files their tax returns electronically — so the incident was widely felt by the country’s 1.3 million citizens.
Estonia’s cyber meltdown coincided with major civil unrest. Protests by Russian nationals, unhappy at the government’s decision to relocate a Soviet military war memorial to a less-prominent location, had flooded the streets of Tallinn. The country’s Russian embassy was blocked by protesters too.
By hobbling Estonia’s online infrastructure at such a time, the cyber-attackers hoped to make it look like the Estonian government was losing its grip on the situation, according to Aaviksoo, who is Estonia’s defense minister and managed the country’s response to the incident. “The virtual medium has become an inseparable part of real life in real space,” he said, speaking earlier this month at Stanford University. “So those attacks … were aiming at the credibility of the Estonian government.”
Security analysts dispute whether the Estonian attacks were, in fact, cyberwar, but in many ways that’s beside the point. In the online world, everything is murky. Criminals can hop between countries and launch attacks from hacked machines, making it hard to figure out who they are or even where they come from. According to Aaviksoo, whether the 2007 incident was actually cyberwar is still “an open question.”
Has Estonia learned much about this type of warfare in the three years since the attacks? Certainly. But in this edited interview with Aaviksoo, he says that in some ways the country could be doing more to prepare for the next major cyber-incident, which he says will inevitably come about.
IDG News Service: There are regions in the world where it’s difficult to get action on cybercrime. What can we do to put pressure on places like Moldova or Ukraine, where hackers are never arrested?
Jaak Aaviksoo: It’s not that easy. There are two reasons for that. Some of those countries have many more serious problems than cybersecurity and cybercrime legislation. Secondly, sometimes there are only claims that people are acting from those geographic locations. We can’t prove that.
Like there are safe havens for terrorism — I mean, Afghanistan is one example, Yemen is emerging. We don’t know about Nigeria. There are very many more safe havens in cyberspace than in real space. And even the only international working document — the Council of Europe Convention on Cybercrime [http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG ] — is so far signed and ratified by 50 countries. So there’s a long, long way to go, for different reasons. Sometimes there are constitutional limitations for ratifying [cybercrime law], some don’t take that seriously. Some may have bad ideas about this Convention altogether.
IDGNS: How important is international cooperation to solving the problem of cybercrime?
Aaviksoo: I think it’s extremely important. I don’t think that we can achieve anything really without international cooperation. It’s not necessarily 100 percent, so that all countries must cooperate. But clearly major countries should cooperate and make life more and more complicated for those who want to evade prosecution.
IDGNS: Did you get much cooperation from your neighbors when the attacks were happening in Estonia?
Aaviksoo: Unfortunately, not from Russia. They introduced formal excuses of not having the appropriate legal agreements in place to look into cybercrime.
IDGNS: Do you feel this has evolved at all since then? If there is another attack, will you get better cooperation?
Aaviksoo: I won’t comment further. It’s clearly a complicated case, not only in the case of cyberattacks in Estonia, but also in the case of cyberattacks in Georgia during the crisis. And in a few other cases, there is indirect evidence that the willingness to cooperate is not at the level which we would like to see.
IDGNS: From an international perspective, if you were to be attacked again, do you think things would be different? What’s changed since then?
Aaviksoo: I think we have many more international agreements in place. We do have technology measures in place. We are able to monitor what’s going on. We’d definitely be better in the assignment of the attacks; we can better follow where it’s coming from. So we’ve done a lot of work to prevent similar things happening.
IDGNS: Estonia is the poster-child for this type of attack. What’s the thing people are not getting right now? What’s the most common strategic mistake that other countries are making with respect to cyberattacks?
Aaviskso: I think the biggest problem is the lack of public awareness, in the broadest sense of the term. Without public awareness and public concern, politicians tend to underestimate the threats. In a democratic society, you respond to what people ask you to do. So there is no strong pressure from the people if the awareness is not there. Somehow they need simple wake-up calls, like what happened in Estonia. And even in the case of Estonia, maybe we were not able to make full use of the momentum we gained in 2007. It’s three years ago already, and nothing on that scale has happened since then, and people are saying maybe that was exaggerated, maybe it’s not that serious. People are very practical, and they have a number of real-world problems. When they don’t see a direct threat from cyberspace, they say maybe it’s not there. And that’s psychologically understandable, but that doesn’t mean that we can underestimate the threats.
IDGNS: I sometimes wonder if the threats are overblown. We’ve had physical attacks here in the United States; we haven’t had that type of paralyzing cyberattack. How much should we be worrying about it?
Aaviksoo: Much of that is hidden. I think this data is not overblown. Identity theft, intellectual property theft, credit card fraud — it’s growing. It’s growing at a speed of doubling every year, or something of that kind. So unless you are hit by that kind of crime yourself, I think this is so unreal, something from far away in the expanses of cyberspace. Psychologically it’s a much stronger feeling when your purse is stolen from your pocket. That makes these things complicated.
IDGNS: The great fear is that there will be critical infrastructure hit that will cause loss of life. Is that something we should worry about?
Aaviksoo: It is. Direct kinetic damage is also possible. But I don’t think we should only think about loss of human lives. If money is being stolen, intellectual property is being stolen, that is also a big problem. This basically means that it drives up costs for cyber security on behalf of the individual players, so I think governments should be made responsible for securing the broader environment. Otherwise the costs by private individuals and industrial or physical people, they simply have to pay too high a price.
IDGNS: What is the chance of a repeat of the 2007 incident?
Aaviksoo: I’d say 100 percent. It depends on what timescale you think of. In the next five years, definitely. Not necessarily for Estonia, but maybe in another country. It depends on a number of circumstances. It’s usually not a standalone event.
It may take place anywhere in the world. Of course, in the case of a bigger country, you need more resources to make an international security issue. With a small country, the resources may be more limited, but offensive strategies are also being developed. We know that; we know the countries who invest more. We know countries who haven’t done better until recently, but now are developing also offensive capabilities, in order to simulate the offensive environment in order to develop defensive technologies. So it’s clearly an emerging battlefield.
IDGNS: Are you developing offensive capabilities?
Aaviksoo: We work on simulating hostile environments. It’s like everything — take biological weapons. You have to know what the threat is, and you have to be able to monitor it.