On May 16, the United States revealed its foreign policy strategy for cyberspace in a thirty page document entitled International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World. The document outlines the foreign policy goals of United States for the cyber domain. One commentator, Chris Bronk, pointed out that the strategy is not a cybersecurity plan, but rather, a broad set of prescriptions relating to the Internet and information more generally. Bronk states, “To borrow from Ronald Deibert and Rafal Rohozinski, the U.S. government has decided to pursue the protection of a global cyber commons.”

The document declares that the US will work with like minded states to establish a set of international expectations / norms of behaviour in which to guide defense policies, international partnerships and interstate conduct. These norms will be based on five principles: upholding fundamental freedoms, respect for property, valuing privacy, protection from crime, and the right of self-defense. Deriving from these principles, the document states, are core responsibilities in cyberspace, including global interoperability, network stability, reliable access, multi-stakeholder governance, and cybersecurity due diligence. To ensure that the United States will be able to implement its vision of cyberspace, the document outlines that the strategy will be realized through bilateral and multilateral partnerships, international and multi-stakeholder organizations, and private sector collaboration.

The document also explains that this vision of cyberspace will be enforced through the means of defense against “terrorists, cybercriminals, or states and their proxies.” An important paragraph states that “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means diplomatic, informational, military, and economic as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests.” This statement has become a point of contention for some commentators, with Mikko Hypponen, Chief Research Officer for F-Secure tweeting, “So, basically, USA is saying ‘Try to DDoS us and we’ll launch missiles at you.’”

Bolstering the strategy’s commitment in fighting infringement of intellectual property is the release of a draft version of the “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011” last week. If passed, this act would grant the government power to shutter Web sites that infringe on intellectual property rights. The IP Protect Act grants the government power to order Internet service providers to use DNS blocking to prevent domestic access to such sites; to order search engines from displaying links to the offending site; and rights holders would be allowed to instruct online services from partnering with offending sites. Touted as an Internet censorship bill by some, Google’s
Eric Schmidt cautioned that this action may set off a dangerous precedent for global freedom of expression: “So, let’s whack off the DNS. Okay, that seems like an appealing solution but it sets a very bad precedent because now another country will say, ‘I don’t like free speech so I’ll whack off all those that country would be China.”

Meanwhile, the United States has been strengthening bilateral relations with states. Last week, the U.S. Secret Service set up an office in Estonia to combat cyber and financial crimes, while the Economic Times of India reported on closer cooperation between India and the US on cybersecurity. Against the backdrop of increasing cyberattacks, India is currently in the process of setting up a Cyber Command Control Authority.

Amid these new developments, other states have implemented new measures to defend themselves against cyberattacks. Following the footsteps of other countries that have set up cyber commands, it was reported this week that Iran is doing the same. At the same time, it was been reported that Israel is also on the verge of setting up a national task force whose prime responsibility will be to “defend vital infrastructure networks against cybernetic terrorist attacks perpetrated by foreign countries and terrorist elements.” Meanwhile, Malaysia has partnered up with US security provider, Fortinet, to deal with cyberthreats.

U.S. intelligence is scheduled to open an office in Tallinn, Estonia, this week to help fight the battle against cyber crime, the U.S. embassy in Estonia announced today.

“Estonia was selected as the site for the new Secret Service office due to both the investigative nexus it provides in combating cyber and financial crimes, as well as the opportunity it provides the agency in the fulfillment of its protective duties within the region,” embassy spokesman James Land told AFP.
The office, which will employ four individuals, is set to open Friday. Tallinn will also serve as a prime location from which to engage counterparts in Russia and throughout the Nordic region, Land added.
Following the end of five decades of Soviet rule in 1991, Estonia decided to go hi-tech as fast as possible, AP said. Home to a 1.3 million population, the Baltic nation became one of the world’s most cyber-focused countries and earned the nickname “E-stonia.”

Since falling victim to Web War I in 2007, Estonia worked to become a leader in finding ways to counter cyber attacks. One of its efforts includes tapping a volunteer cyber workforce of programmers, computer scientists and software engineers as protectors of the nation’s digital battlefield.

With a population smaller than that of Phoenix, the former Soviet republic of Estonia has grown skilled at taking down international criminal networks operating millions of computers, after the Internet-dependent society became the victim of one such ring in 2007. Now Estonia is sharing its cyber defense know-how with law enforcement agencies throughout NATO, including the FBI.

“Basically, your security agencies — FBI — are in fact establishing a representation unit, whatever you want to call it, in Estonia,” Estonian President Toomas Hendrik Ilves said in an April interview with Nextgov.

FBI spokeswoman Jenny Shearer confirmed the relationship. “The Estonian National Criminal Police have consistently demonstrated their expertise and willingness to work as equal partners in the fight against cyber crime,” she said.

Ilves was in Washington to meet with Army Gen. Keith Alexander, chief of U.S. Cyber Command — another entity with which Ilves would like to partner.

The Baltic country has “a long-term, very deep and effective cooperation with the FBI on . . . [investigations into] stealing money, whether it’s credit cards, through bank transfers,” Ilves said. “We work very closely with them. They come to Estonia, we come here.”

Estonia unintentionally became an expert at fighting computer intruders in 2007 when a cyberattack, reportedly sponsored by the Russian government, crippled the country’s critical infrastructure and government networks for two weeks.

“The reason the cyberattacks had any effect is we had adopted in Estonia, we very consciously adopted computerization of society, government services, as our primary, fundamental motor of development,” Ilves said.

While Estonia was under Communist control, the West was constructing highways, public transportation and modern facilities, “but when we came out of the Soviet [era] we were poor, the usual gray people living gray lives in gray buildings with falling-apart infrastructure or nonexistent infrastructure,” said Ilves, 57. “We said building roads will take a long time, but we can, however, make a certain leap by computerizing as much as possible.”

Today, officials estimate 98 percent of banking transactions are conducted online. While some U.S. precincts still struggle to count paper chads, Estonia has been voting on the Internet since 2005.

“That means you’re very, very vulnerable because so much is online,” said Ilves, who learned computer programming at age 14 from a math teacher in New Jersey, where Ilves grew up.

The intrusion that brought down Internet services in 2007 was primitive by today’s standards, he said, pointing to malicious software such as Stuxnet, a sophisticated worm that reportedly derailed the industrial systems controlling Iran’s nuclear operations by reprogramming the machinery to attack itself. In contrast, the distributed denial-of-service attack that hit Estonia was essentially a spam blitz coordinated by criminals funded, allegedly, by the Russian government.

“In general, what they do is all these computers that are robots, bot computers, are sending out all kinds of silly spam,” Ilves said. “You can get all these networks of computers to send messages to one computer. Then you get hundreds of thousands of repeated messages to one address and you basically freeze out the server.”

When Estonia’s computer emergency response team deconstructed the incident afterward, a specialist showed Ilves that the onslaught reached its peak, “frizzed out everything” and then dropped back to zero. When the president asked why the barrage didn’t slowly peter out after reaching its climax, Ilves was told, the money ran out. “I said, ‘What do you mean the money ran out?’ [The specialist] said these botnets were rented. There was probably a comparable massive decline in the amount of Viagra spam. It was clear it was organized and paid for.”

Such denial-of-service attacks are pinpricks compared to the amount of damage that adversaries now have the power to unleash with tactics such as advanced persistent threats, which lurk silently inside networks until they detect — and download — the intelligence they want. In March, just such a threat penetrated an RSA Security system containing information related to smart card IDs and key fob credentials used by many federal personnel.

“The amount of espionage that goes on, on the Web, is absurd and ridiculous,” Ilves said. “I don’t trust anything anymore.”

He is particularly concerned about the vulnerability of the Internet phone provider Skype, a global business with research and development operations in Estonia. “They’re putting millions [of dollars] if not more into developing new products and they have all these people working for them,” Ilves said. “Now if someone gets into their system, takes out the new code that they’ve developed, they get it for free and they can start making exactly the same thing. This is what countries are waking up to finally.”

Countries like the United States. In 2010, the FBI assigned a full-time cyber-trained investigator to work directly with the Estonian National Criminal Police on cyber crime matters.

“The FBI’s decision to assign a full-time cyber investigator was based upon years of successful partnering on joint investigative matters,” said Shearer.

Tallinn, the capital, is home to NATO’s Cooperative Cyber Defense Center of Excellence, which is working to foster global cybersecurity collaboration by developing tools and best practices.

America could use some help in the cyber detective department, apparently. According to a recent audit by the Justice Department inspector general, more than a third of 36 FBI agents questioned said they lacked the networking and counterintelligence expertise to investigate national security intrusion cases.

Nevertheless, a joint U.S.-Estonia international investigation recently brought a major cyber ring to justice. In August, American law enforcement officials announced the extradition of a suspect from Estonia to the United States for arraignment on federal charges of, among other things, computer fraud and aggravated identity theft.

The Estonian suspect, aided by associates in Russia and Moldova, allegedly hacked into a network belonging to RBS WorldPay, the U.S. payment processing division of the Royal Bank of Scotland Group PLC, located in Atlanta.

Using customer data pinched from debit cards, the culprits in November 2008 generated 44 counterfeit cards to withdraw more than $9 million from ATMs in at least 280 cities worldwide, including cities in the United States, Estonia and Italy.

“Due to our strong partnership with the Estonian government on cyber matters, the case resulted in one of the first hackers extradited from Estonia to the United States,” Gordon Snow, assistant director the FBI’s cyber division, told lawmakers on April 12 at a hearing on cyber crime.

Interview Estonian government ministers and officials deep in a crisis meeting about riots on the street in April 2007 were nonplussed when a press officer interrupted them to say that he was unable to post a press release.

The initial reaction was “why are you bothering us with this” Lauri Almann, permanent undersecretary at the Estonian Ministry of Defence at the time told El Reg. “It was only when he said ‘No you don’t understand, I think we are under cyberattack’ that anybody took notice,” he explained.

Estonia, a small country of around 1.3 million people bordering Russia and the Baltic Sea, has moved swiftly since independence in 1991 to develop an advanced network infrastructure for the delivery of government and financial services. The country completely skipped the phase of banking involving cheques, for example, so that the vast majority of its citizens use online banking to pay bills and carry out other day-to-day tasks. The disruption when these facilities abruptly ceased to work was therefore all the more severe.

Cyberblitz

Both government and private sector systems in Estonia came under fierce cyber-assault in April 2007. This coincided with street-level riots that accompanied the relocation of World War II (Soviet era) memorials. The riots pitted ethnic Russians in the country against ethnic Estonians and the police.

The denial of service attacks that kicked in around two days after the street protests began left important government, banking and news media websites unavailable. The unavailability of government and news media websites was important because it prevented the government getting information out at a time of crisis. Estonia does not have BBC and CNN bureaus and the culture of using the radio to get news, if all else fails, isn’t as ingrained there as it would be in the UK, for example. More Estonians rely on the web for news so the attacks left them deprived of updates.

The first wave of “brute force” packet flooding assaults was followed by more sophisticated attacks, including website defacement, and site takeovers. For example, a fake apology over the relocation of the monuments was posted on the website of one political party.

In total the attacks lasted around three weeks. “It could have been much worse,” Almann explained. “We thought they might go on for up to three months. Technically the attacks we faced were nothing special,” he added.

In the line of fire
Estonia responded to the cyberattacks, in part, by increasing bandwidth and organising backup hosting for government websites. The process of replicating content in the midst of the ongoing attack was unsurprisingly difficult. “Many countries refused to take our sites because they said that would put them in the line of fire,” Almann said.

Speculation since the attacks, a landmark event in computer security, suggest they were fermented in the “Russian blogosphere” and may have involved criminal hackers turned patriots.

Some have suggested that the Russian government may have played a role in encouraging these attacks, a charge dismissed by the Kremlin. Estonian Foreign Minister Urmas Paet, for example, pointed the finger of blame directly at the Kremlin.

A question of attribution
Almann was more circumspect. An estimated one to two million compromised machines in 100 different jurisdictions, including the Vatican, were used in the cyberattacks against Estonia. The use of botnets, which can be rented and paid for anonymously on the digital underground, makes tracing the real source of attacks difficult, maybe impossible.

Instead of relying on purely technical attribution to find a “smoking gun” political and legal attribution also has a role to play.

Almann said that many countries helped Estonia at the time of the attacks with one important exception – Russia. “Russia failed to help put out the attacks. Repeated requests for assistance were denied, sometimes for obscure legal reasons,” he told El Reg.

For example, Estonia and Russia have an agreement covering the investigation of cross-border crime which covers the exchange of info as well as the extradition of suspects who might decide to skip over the border to avoid justice. “Treaty requests for information at the time of the cyberattack were repeatedly refused or not acted upon. This refusal to co-operate provides political attribution for the attacks,” Almann said.

Cyber warfare battles have already been fought in Estonia and Georgia.

For three weeks in the spring of 2007, Estonia, which has one of the highest levels of Internet penetration in Europe, was bombarded with a wave of sophisticated cyber attacks that targeted the country’s parliament, banks, newspaper and government ministries.

The denial of service attacks, from tens of thousands of computers in Russia and around the world effectively paralyzed Estonia.

Estonian officials, who for weeks had been embroiled in a bitter diplomatic dispute with Russia over the removal of a Soviet-era monument, were quick to blame the Kremlin for the attacks.

The Russians denied the charge.

But months later, an aide to one of the leaders of the then-president Vladimir Putin’s pro-Kremlin United Russia party claimed responsibility for the cyber attacks, saying they were an “act of civil disobedience” by the pro-Kremlin youth group Nashi.

Estonian experts discount that claim, saying the attacks were too sophisticated to be the work of a single group of mischievous hackers.

A year later, when Russia and Georgia had a brief border war, the Russian ground invasion was preceded by a denial of service attack on the Georgian government’s websites.

“Everyone assumed this was coming from Russian websites, but research we have done showed you can’t really tell,” said Ron Deibert, a telecommunications expert who runs the Citizen Lab research facility at University of Toronto’s Munk School of Global Affairs. “More importantly though, we found that the tools that were used in the attack were associated with the criminal underground. They had been used to attack banking sites, pornographic websites and engaging in extortion, long before the Georgian attacks. So they were either operating on their own in a patriotic manner or they were contracted out by the government.”

There is widespread suspicion Russia was renting the services of cyber criminals in much the same way great powers gave letters of marque to privateers in the 17th and 18th centuries and authorized them to attack foreign shipping.

“It is more effective for them to cultivate a criminal underground in order to shield their own identities,” Prof. Deibert said.

That sort of flexible anonymity worries U.S. policy makers.

“Cyber attacks offer a means for potential adversaries to overcome overwhelming U.S. advantages in conventional military power and to do so in ways that are instantaneous and exceedingly hard to trace,” said William Lynn, the U.S. Deputy Secretary of Defence. “A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target.”

Many people have called the 2007 attacks on Estonian banks, media outlets and government ministries an early example of cyberwar, but using a legal definition, they were not, said Eneken Tikk, head of the legal and policy branch of the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. She defined cyberwar as an attack that would cause the same type of destruction as the traditional military, with military force as an appropriate response.

“If we’re not at cyberwar yet, you’ve got me really nervous,” added Blair Linville, vice president of enterprise IT at casino operator Harrah’s Entertainment. “We certainly feel under attack every day, out in industry.”

Tikk and Winter both called for governments and companies to better prepare for coordinated attacks, whether they come from nations or criminal groups. But preparing for cyberwar, in particular, is difficult because there’s little precedence, Winter said. Governments know how to negotiate treaties and engage in diplomacy to head off conventional wars, but no one really knows how a confrontation between nations would escalate into a cyberwar, he said.

“There’s a whole dance that nations go through” before a traditional war, and diplomacy can often avert conflict, Winter said. “That doesn’t really exist yet in the cyberdomain.”

Source: Grant Gross, PCWorld.

The world hasn’t yet seen examples of true cyberwar, although governments around the world need to prepare for it, an expert in cybersecurity law from Estonia said Monday.

Many people have called the 2007 attacks on Estonian banks, media outlets and government ministries an early example of cyberwar, but using a legal definition, they were not, said Eneken Tikk, head of the legal and policy branch of the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. She defined cyberwar as an attack that would cause the same type of destruction as the traditional military, with military force as an appropriate response.

“That means a smoking hole in the ground,” said Tikk, speaking at cybersecurity vendor ArcSight’s Protect ’10 conference in National Harbor, Maryland.

Tikk found some disagreement from two other cybersecurity experts speaking during the same session. While Tikk and the North Atlantic Treaty Organization (NATO) declined to define the attacks in Estonia as cyberwar, many other people saw the coordinated effort that way, said Prescott Winter, CTO for ArcSight’s public sector division and a former CIO and CTO at the U.S. National Security Agency.

“If we’re not at cyberwar yet, you’ve got me really nervous,” added Blair Linville, vice president of enterprise IT at casino operator Harrah’s Entertainment. “We certainly feel under attack every day, out in industry.”

Tikk and Winter both called for governments and companies to better prepare for coordinated attacks, whether they come from nations or criminal groups. But preparing for cyberwar, in particular, is difficult because there’s little precedence, Winter said. Governments know how to negotiate treaties and engage in diplomacy to head off conventional wars, but no one really knows how a confrontation between nations would escalate into a cyberwar, he said.

“There’s a whole dance that nations go through” before a traditional war, and diplomacy can often avert conflict, Winter said. “That doesn’t really exist yet in the cyberdomain.”

Nations don’t yet have rules of engagement for cyberwar, including how they might use private-sector networks to reroute traffic and shut down attacks, he said. “There’s a lot of work to be done, and we need to get started,” Winter added. “We’re sitting right on the edge of a very significant problem here.”

Tikk also called for governments to develop cyberwar policies. One way to better deal with cyberwar or other coordinated attacks is cooperation between nations, with governments helping each other during attacks, she said.

Many legal tools for dealing with coordinated attacks already exist, she added, but nations need to develop the policies to allow countermeasures such as mutual aid agreements and national cybersecurity policies, she said. “We spend a lot of time focusing on what we cannot do instead of what we can do,” she added.

One audience member asked whether governments should take more steps to track online behavior. In the U.S., there are limits on the data the government can keep, and a more formal tracking effort would take some major changes in law, Winter said.

Another audience member asked if new cybersecurity regulations are necessary, with Internet service providers held partly responsible for the traffic that comes over their networks. Tikk suggested it was time for the U.S. to reexamine laws such as the Digital Millennium Copyright Act that exempted ISPs from lawsuits involving traffic carried on their networks. ISPs could serve as a first line of defense from cyberattacks if they were allowed to filter content, although that idea would meet stiff resistance, she said.

Winter pointed to an effort in Australia, where ISPs will begin to voluntarily filter Web content by late this year, after a series of government filtering proposals stalled. The Australian code of practice, developed by the Internet Industry Association there, would allow ISPs to cut off access to Web users who refuse to take action to secure their computers, he said.

It will be “interesting” to see how effective the filtering system is against cyberattacks, Winter said.

The U.S. may also need to reexamine its largely hands-off regulatory approach to the Internet, in the name of cybersafety, Winter added. “The Internet sort of grew up here as the Wild West,” he said. “Anybody mentions the R word, regulation associated with the Internet here, and the noise levels become positively deafening. We may just have to accept some regulation if we want to have an Internet that is stable, reliable and resilient.”

http://www.pcworld.com/businesscenter/article/205773/nations_companies_should_prepare_for_cyberwar_experts_say.html

In 2007, Estonia was the subject of a series of cyber attacks which crippled the internet across the country.

Banks, government departments and the national media all found their websites swamped by a tidal wave of spam which took them down.

The perpetrators were never caught.

Some evidence pointed to Russian government involvement in the attacks, but no definitive link to the Kremlin was found.

So was it the first ever act of cyber-war?

Defining cyber war

Experts from nearly 40 countries gathered in the Estonian capital Tallinn to discuss the latest issues in the fight against virtual attackers.

Estonian President Toomas Hendrik Ilves opened the conference with a stark warning about the seriousness of cybercrime.

“Our critical infrastructure, electricity grids, transportation networks and mobile phone networks are so enmeshed and tied to the internet that any open society is open to complete and utter failure,” he said.

Worse still, it’s not easy for a country to protect itself from such an attack, added Estonia’s Minister of Defence Jaak Aviksoo.

“There are no smoking guns, no foot or fingerprints in virtual reality,” he said.

“The computers used in the (Estonia) attacks were distributed worldwide, in more than 100 countries. The attackers can hide very easily, and that is a problem.”

For Mikko Hypponen, chief security officer at F-Secure, what happened in Estonia was not an act of war, especially as the country’s military systems were not targeted.

“In my book, real cyber-war would be when the army of Country A attacks the computer systems of Country B. And that hasn’t happened, yet,” he said.

“In the attacks we’ve seen so far, there’s no way to prove direct government involvement.”

They were certainly classed as a national security threat though.

In Estonia, the vast majority of all banking is done online. And when the attackers took the banks down, there was pressure on the Estonian government to do something, and fast.

“If people can’t access their money, if they can’t buy milk and bread, then you’re going to have problems,” said Kenneth Geers, a US Navy representative.

“Data packets via the internet are fired all the time in anger. However, if no one dies, then according to the laws of war, we’re not in conflict.”

For the experts in Tallinn, the threats were all too real, and many believed the motivation for cyber attacks had moved beyond politics.

“In real space, there are real lines between criminals and soldiers,” said Heli Tiirmaa-Klar, Estonia’s national cyber-defence coordinator.

“But in cyberspace, the criminals could be used as mercenaries and proxies to fulfill the tasks others have told them to do.”

Easy hacking

Skilled hackers at the conference said malware designed to be used in attacks could be purchased for a few hundred dollars online, or even downloaded for free.

Haroon Meer is a hacker and lead researcher at thinkst, a company that does penetration testing for clients.

He helps companies and organisations determine their own online weaknesses by breaking into them.

But he has also done a lot of thinking about how he would attack an entire country.

“When people talk about cyber-defence, they instantly say, ‘we’ll protect control systems.’ But what about banks, what about the internet service providers? Should the United States protect Amazon or eBay, which are huge financial income for the country?” he said.

Security consultant Dr Charlie Miller demonstrated just how quickly and easily he could take control of a single machine through a programming flaw he’d found in a web browser.

In less than 10 seconds, Dr Miller, who once worked for the US National Security Agency, took complete control of a machine remotely. He gained access to e-mail, activated the laptop’s built-in camera and took a picture of the victim.

He said that with a budget of $100m (£67m) he could train a team to carry out a major cyber attack on an industrialised nation, with targets including military systems, critical infrastructure and banks.

“We would be able to get into many sensitive systems and cause disruption,” he said.

“It’s certainly not the same thing as dropping a bomb, but with a few years and enough money, we could cause havoc.”

But consumers are not deterred by the magnitude of the potential threat, and even in Estonia e-services have continued to grow at a healthy rate since the attacks.

“Estonians were not frightened by what happened in 2007,” said Heli Tiirmaa-Klar.

“We don’t think dependency on IT is a bad thing. It’s a good thing, and we are used to it.”

http://news.bbc.co.uk/2/hi/technology/10339543.stm

TALLINN (AFP) – Behind the walls of a high-security lab, the North Atlantic Treaty Organisation’s top cyber-minds are trying to predict the evolution of conflict in an Internet-dependent world.

While they play down disaster-movie scenarios of total meltdown, experts warn cyber-attacks will be part and parcel of future fighting.

Tallinn is home to a cutting-edge unit known in NATO-speak as the Cooperative Cyber Defence Centre of Excellence. The city is the capital of Estonia, whose flourishing hi-tech industry has earned it the label “E-Stonia”.

“Definitely from the cyber-space perspective, I think we’ve gone further than we imagined in science fiction,” said Ilmar Tamm, the Estonian colonel at its helm.

Its base is a 1905 building where military communications experts have toiled away since the days of carrier pigeons and the telegraph.

The centre’s dozens of experts second-guess potential adversaries, gazing into what they dub the “fifth battlespace”, after land, sea, air and space.

“The whole myriad and complex area makes it a very difficult problem to solve, and at the same time it keeps a very convenient grey area for the bad guys,” explained Tamm.

“Many states have realised that this is really something that can be used as a weapon… That we should not ignore. It will have a future impact,” he said.

“I’m not so naive that I’d say conventional warfare will go away. But we should expect it to be more combined,” he added.

Bitter experience taught Estonia — one of the world’s most wired places and a NATO member since 2004 — all about cyber-conflict.

The minnow country of 1.3 million people suffered blistering attacks in 2007 which took down business and government web-based services for days.

“It clearly heralded the beginning of a new era,” its Defence Minister Jaak Aaviksoo told AFP.

“It had all the characteristics of cyber-crime growing into a national security threat. It was a qualitative change, and that clicked in very many heads,” he added.

The assault came as Estonian authorities controversially shifted a Soviet-era war memorial from central Tallinn to a military cemetery.

The monument, erected when Moscow took over after World War II, following independence in 1991 became a flashpoint for disputes about the past with Estonia’s ethnic-Russian minority.

Tallinn was rocked by riots as the memorial was moved. Estonia blamed Russia for stoking the strife, and also claimed the cyber-offensive had been traced to official servers in Moscow.

Russia, whose relations with Estonia are rocky, denied involvement.

For Aaviksoo, cyber-attacks may “present a stand-alone security threat or a combined security threat”.

An example of the latter, he noted, came during Russia’s 2008 war with ex-Soviet Georgia, as hackers hit Georgian websites while Moscow’s troops moved in.

“Cyber-security, cyber-defence and cyber-offence are here to stay. This is a fact of life,” Aaviksoo said.

In a report this month, Canadian researchers said a China-based network had stolen Indian military secrets, hacked the Dalai Lama’s office and hit computers around the world.

A University of Toronto team traced the attacks to servers in Chengdu, China, but could not identify the culprits. Chengdu is home to Chinese military communications intelligence units.

“Some reports have, from time to time, been heard of insinuating or criticising the Chinese government… I have no idea what evidence they have or what motives lie behind,” Chinese Foreign Ministry spokeswoman Jiang Yu said.

Proving a formal state role in cyber-attacks is close to impossible, because of their fluid nature.

“We’re seeing opportunism in terms of citizens bandwagoning on these big events. The role of the state in this is all rather mysterious,” said Rex Hughes of the Chatham House think-tank in London.

“I’m sceptical that we’ll see an actual cyber-war, where countries will exclusively attack one another over the Internet,” he said.

“It remains to be seen if the great cyber Pearl Harbor or 9/11 comes,” he added.

http://ca.news.yahoo.com/s/afp/100424/technology/nato_it_internet_software_crime_military

Harry was a Russian secret service agent who spoke perfect English and wore cowboy boots with his uniform. I never knew what his face looked like because he wore a mask during the lengthy interrogation sessions he put me through during five days of captivity in Federal Security Service (FSB) hands in Chechnya in 1999. The first item taken from me by Harry and his friends was my laptop. I was as much unnerved as relieved when it was returned on my release. “I can have it back?” “Yeah, have it back,” the FSB agent replied, and laughed.

Within 24 hours of arriving home in London the laptop was deluged with spam, pornography and Russian hate mail, eventually crashing completely. The act was more a digital slap on the wrist than the attacks that the Russians would allegedly inflict on entire countries several years later, but it was my first experience of cyberwar.

The incident came to mind eight years later on a February morning in Helmand, southern Afghanistan, when I heard a Royal Marines colonel briefing his officers. He mentioned, almost as an aside, that one of the men’s e-mail accounts had been closed after being compromised by a “hostile intelligence agency”. In other words, someone hacked into a soldier’s computer to see what might be found there. Last December, in Sri Lanka, a senior UN official confided to me that his e-mails were being intercepted by a “key log” program that allowed everything he wrote and received to be read by an intelligence agency.

Today barely a week passes without the phrase “cyberattack” in the news. It is a loose term, incorporating everything from criminal hacking and commercial espionage to attempts to seize control of weapon systems or sabotage national infrastructures. Britain is treating the surge of hostile computer activity seriously enough to have established two organisations last year to co-ordinate, assess and expand its cyber strategy. The Office for Cyber Security (OCS), established by the Cabinet Office, was created in the autumn after a warning by intelligence chiefs that China may have acquired the ability to cripple key points of infrastructure such as telecommunications.

Whitehall departments were allegedly first targeted by Chinese hackers in 2007. Later that year Jonathan Evans, director-general of MI5, wrote to 300 chief executives warning of potential Chinese hacking attacks and data theft. In the year up to November 2009 Britain suffered 300 cyber intrusions — defined as a sophisticated attempt, successful or not, to steal data or sabotage systems — on government and military networks.

The OCS, at present staffed by 14 people, including personnel from the security services and military, is to be fully operational with a strength of 20 later this year. It works closely with a second organisation, the secretive Cyber Security Operations Centre, located within Government Communications Headquarters in Cheltenham. A key part of the approach is establishing rules of engagement for retaliatory cyberstrikes should critical infrastructure be attacked and crippled.

“If I go and bomb someone’s power station, that is an act of war,” Baron West of Spithead, the Permanent Under Secretary of State for Security and Counterterrorism, told The Times. “But if I use a computer to make that power station effectively not work, is that an act of war? That is a simple stark example. There are much more complex examples. These were issues that hadn’t been addressed before, and we are now at the forefront of doing so.”

The majority of attacks have been to obtain funds from commercial organisations, and a full assault on a country’s banks, stock market, energy grid, telecommunications and health systems is more likely if countries are already in a “hot” war. There are several other potential triggers, however. In 2007 Estonian ministries, banks and newspapers were bombarded with denial-of-service attacks — mass requests for information that cause systems to crash — for several days after the Government moved a Soviet war memorial in the capital, Tallinn.

In 2008 Georgia complained of similar attacks during its brief conflict with Russia over the breakaway province of South Ossetia. The Russians were blamed in both cases, although they denied involvement.

The threats and scenarios of cyberwar require some sideways thinking. British assessments conclude, for example, that the risk of a serious attack in this country is still lower than that of a flu pandemic — but that a flu pandemic would be a lot worse if combined with an attack on NHS computer systems involved in vaccine distribution. American academics have predicted that the physical damage from a country shutting the US power grid for three months would be several times greater than the damage done by Hurricane Katrina in Louisiana.

The strategy being developed by Lord West is not limited to risk assessment; retaliation is part of the package. “We could do what these people do [to us] if we wanted to,” he said. “We’re looking at … the ethics of all of this. If someone dropped a bomb on us, I would have no hesitation in shooting their bloody plane down and giving them a slapping … So we need to think through how we react to these ‘other things’ and the implications.”

The murky world of cyberwar is inhabited by small-time hackers, criminal syndicates and people operating with the support of their government.

“Everything that happens to us is called an ‘attack’,” said a senior official with a lead role in British cyber operations, “[but] most of what we see on a large scale … is about the exfiltration of data — theft, not an attack.” There exists, however, an overlap between the interests of hostile state intelligence agencies and cybercriminal syndicates seeking to steal intellectual data for profit. Russian cybercrime syndicates, better known as partnerka, lead commercial espionage in Europe and are known to have links with Harry and his comrades in the FSB. China has its own dedicated cyber operations headquarters within the People’s Liberation Army but also holds top rank in the league of cyberhostile countries — the list used by Western security companies to warn business clients of cyber-threat.

The West’s nuclear strategy was based on deterrence — the assurance that a guaranteed second strike would prevent a first strike from coming. Yet cyberwar is more complex because the attacks have certain things in common: they are fast, cheap and hard to trace.

“Attribution is unbelievably difficult,” admitted Lord West. “These guys could attack [as if it was from] your site — the attacks would come in from different nodes in a strange way that you can’t even identify. Follow the attack back and it gets to you — but it wasn’t you.”

The sophistication of commercial and state-sponsored activity has developed immensely since the attacks on Estonia and Georgia, with denial-of-service operations now considered relatively low-grade. More worrying is “zero-day malware” — an unidentifiable new generation of Trojan programs that are implanted into a host computer and lie dormant until activated.

“Let’s say that someone has received an e-mail that looks like it’s from someone they know, about a subject they feel comfortable with,” said Ian McGurk, associate director for information security at Control Risks, a security consultancy. “As a consequence they trust the material. If there’s an attachment — a photograph, a Word document, whatever — embedded within that attachment is some sort of malicious code that is going to install itself on the machine. That machine is then compromised, and a Trojan is installed that can search for information.”

As well as transmitting information back to its handler, zero-day malware can also hand a computer to outside control before going on to infect an entire system.

Raimund Genes, the chief technical officer of Trend Micro, said: “We grew up fearing the mushroom cloud, now we should fear a roomful of hackers with their electricity and internet bills paid for by a government.”