Under Attack, Over the Net

For a country emerging from a very recent invasion, Estonia has pretty much returned to normal. Sure, there were no roads and bridges to rebuild, no homes or offices destroyed. But the cyberattacks that, beginning on April 27, knocked out the websites of government departments, political parties, media groups and banks were a punishing blow to one of the world’s most wired countries — and a stark warning to other nations of just how vulnerable the Internet is in the face of a sustained assault.

The attacks began the day Estonian authorities removed a controversial Soviet war memorial from a park in the capital, Tallinn. Estonia has stepped back from directly accusing the Kremlin of exacting high-tech revenge, and Moscow has denied any role. But Estonian officials claim to have traced many of the attacks to computers in Russia. Whoever the perpetrators were, the sophistication of the bombardment was unprecedented, and it marked the first time the power centers of an entire nation were targeted simultaneously.

The bulk of the strikes involved what are known as Distributed Denial of Service (DDOS) attacks, in which computers flood targeted websites with an overwhelming number of requests for information, bringing the sites’ underlying networks of servers and routers to a standstill. The scope and coordination were staggering. At the peak of activity on May 10, hundreds of thousands of computers from around the world (likely tricked by malicious downloaded software) were bombarding Estonian targets with thousands of times the normal flow of data.

The siege of Estonia highlighted a major worry for governments, corporations and network administrators everywhere. “As familiarity with these technologies grows, and more and more actors get involved in information technology,” this kind of attack will “become more of an issue,” warned U.S. Deputy Secretary of State John Negroponte.

That’s putting it lightly. It’s routine these days to use the Internet to call friends, download music, shop and bank; Web-savvy Estonians even vote and settle their taxes online. So, while Denial of Service attacks typically only target pre-selected websites, if they’re the ones we’re clicking on most, “we’re that much more paralyzed,” says Jonathan Zittrain, an Internet governance and regulation expert at the University of Oxford.

So how vulnerable is the Web? Extremely. Just about anyone with a modicum of determination can successfully mount an attack. The “tools and instructions are readily available at a low cost,” says Oliver Friedrichs, a director at the security response unit of Symantec, a U.S. software firm. Internet chat rooms and bulletin boards can furnish would-be saboteurs with instructions on launching their own strike. And defending against these attacks is tricky. Large corporations can invest in clever hardware that detects odd patterns of requests for its websites and routes away the suspicious ones. Smaller firms, not used to handling huge volumes of traffic and lacking a big budget for security, are more exposed. And in the face of massive onslaughts like those against Estonia, even government networks can be brought down.

To make matters worse, there are plenty of other weapons in the cybercriminal’s arsenal. It’s also possible, for example, to pilfer confidential data from secure networks by mounting Trojan e-mail attacks. These infect a PC by e-mail, using a program that runs undetected in the background. Free to perform tasks usually reserved for the system’s owner, the invader can remotely swipe passwords, upload documents and transmit new attacks. In a report published in 2005, Britain’s government-backed National Infrastructure Security Co-ordination Centre released details of a series of Trojan e-mail attacks on U.K. government IT networks, which it claimed to have traced to the Far East, including China. Since then, a spokesperson says, the frequency of these attacks has speeded up.

It’s this kind of cybercrime — breaking into top-secret networks for reconnaissance, more than blocking access to Web-based services — that could serve terrorist logistics or research cells, worries Alexander Neill, head of the Asia Security Programme at the Royal United Services Institute in London. “To what extent are organizations like al-Qaeda using cyber attack to do reconnaissance?” he asks. “Given their command and control, I have no doubt they have experts doing this.” For now, though, there’s reason to suspect that terrorists might not attempt the sort of online barrage to which Estonia was subjected. “Terrorism is about creating true fear with spectacularly lurid attacks,” says Oxford’s Zittrain. Groups like al-Qaeda would “rather do something physical.”

Still, for tech-friendly Estonians, the invasion of their cyberspace was scary enough. In 21st century warfare, it now looks increasingly unlikely to remain all quiet on the Web front.