Estonia is a model digital nation today, but you would hardly imagine that it was the victim of the world’s first cyberwar just a decade ago. Fake news sparked riots in the capital city of Estonia. Simultaneously, several thousand botnets accessing government, banking and news websites created a complete information blackout. The goal? To create widespread fear and confusion.
Toomas Hendrik Ilves was the country’s president at the time. “That’s one reason we will always be in the history books when it comes to cyber warfare – as where it all started,” recounts Ilves. More than a decade later, cyber attacks are rapidly becoming the norm through which state and non-state actors test the limits of other countries.
But most countries are still caught off-guard when one occurs. When the attacker cannot be traced, attributed or seen, how do countries protect themselves? GovInsider speaks to cybersecurity experts from Estonia, NATO and the US to learn how nations should deal with cyber warfare.
Knowing nothing of cyber
The Estonia cyber attack was the first of its kind in the world – state-backed botnets took down critical infrastructure systems across the country systematically. With news, banking and government websites down for several days, citizens and government officials alike were left in the dark. “If you actually look at the attack – the big attack on May 9 – the attack promptly started at 0000 GMT and then it went up to huge level of attacks per second, and it continued across the entire day. And then abruptly stopped at 2400,” details Ilves.
As a member of NATO, Estonia immediately reported the attacks, says Ilves. But at the time, neither NATO nor the North Atlantic Council had an inkling of what was going on or what Estonia should do, he continues. “We are a NATO member; we raised it immediately saying this thing’s happening, but they didn’t want to hear about it and brushed us off.”
While cyber security threats are often persistent and complex, basic preventive measures can go a long way towards preventing hacks. An enquiry into the recent hack on millions of health records in Singapore identified outdated computers and systems, and easily decipherable passwords, as among the reasons the hack occurred. These same weaknesses were exploited by the hacks on the Democratic National Congress during the 2016 US elections.
Ilves points out that the old methods of authentication, such as passwords, are no longer secure. Instead, two-factor authentication (2FA) systems should be put in place across all government systems. “If we want minimal security, you need to go over to two-factor authentication,” he reiterates.
Estonia was one of the first movers in implementing 2FA, he continues. Citizens in Estonia have access to a unique chip in their phone or card and a personal code to authenticate their identities. “Those two together can give you a much higher security as to knowing that you are you,” Ilves points out.
Collaboration is key
Today, cyber attacks not only create fear and confusion but have also become a direct threat to a nation’s sovereignty. The 2016 US election meddling exemplifies this, with hackers releasing information discovered through cyber attacks to influence election outcomes. “They also get involved in doxing – taking the hacked materials and then publishing it in the hope of embarrassing someone they don’t want elected,” Ilves explains.
As geographical boundaries cease to matter, Ilves urges countries to collaborate with others that face similar attacks, regardless of geographical location. Countries should come together to share attack details and solutions, Ilves suggests. “We need far more collaboration and cooperation in this field than we have seen up till now.”
Last month, several European countries came together to share best practices in protecting elections. Known as the Compendium, the network provides a wide range of solutions to protect all aspects of elections, including voter registrations, electronic tools to gather votes, and systems used to publish results.
The Compendium runs through supply chain guidelines for sourcing election technology, such as sealing critical sections of the coding or conducting random integrity checks, and increasing the ability to note irregularities by monitoring online traffic. It also urges countries to set up an election security task force that oversees the election cycle from start to finish, and advises the creation of several modes of communication between systems in case of a single point of failure.
“Advice on protecting digital services and the IT of candidates and parties is particularly relevant as this has been the main attack vector in the ‘election hacks’ of the last few years,” explains Liisa Past, the former Chief Research Officer at the Cyber Security Branch, Estonian Information System Authority and the lead editor of the Compendium.
Have a plan in place
While elections are a key target for hackers, cyber attacks can occur from any direction. Kevin Mandia, chief executive officer of FireEye, notes that currently all governments play defence in cyber security protocol. But always playing defence doesn’t work, he explains. Mandia shares four key guidelines to follow when tackling cyber threats.
First, deterrence is key in avoiding cyber threats. Governments should have systems in place to know when an attack is occurring and determine who the attacker is. “Attribution does matter. If you know who compromised you, that’s the only way to enact policy; it’s the only way to hold nations accountable,” explains Mandia.
Next, cyber attacks are intrinsically linked to geopolitical tensions, explains Mandia. The ability to have “shields up” during times of geopolitical tensions is crucial. This includes making a decision on what systems and industries should be able to withstand a cyber attack, he says. To do this, collating all information spread across the nation is key. “How do we make sure that all the intelligence that sometimes is in the hands of government, sometimes in the hands of this private person or private sector, how do we get it all together?” asks Mandia.
Third, establishing rules of engagement on the internet is a crucial step, Mandia explains. “We have to start holding people accountable, and we have to make it so that nations that abide by the rules of engagement are all going to live with and have a good internet experience,” he adds.
Lastly, nations should prioritise protecting government systems first, critical infrastructure next, and then the nation, he details. “A lot of times when we put programmes in place, this is the order that should be followed,” he adds.
In 2007, Estonia was caught unaware and unknowing. Cyber attacks are bound to become more commonplace as digital technologies advance. The deciding factor between the hacked and unhacked will be preparation.