The First Internet War in Estonia: The postmortem I wrote, 10 years later
It’s impossible to say whether there was a “first Internet war” or, if there was, when it happened, but one event in history claims the name, and I was there.
I wrote a story the other day examining how, technically, it may have been DDoS attacks, but what we really learned from Estonia was that information operations, manipulation, and fake news are a policy-driver pattern we can trace back to Estonia as a first “test case”.
In this short post, I’d like to go back to the postmortem analysis I wrote for the Estonian CERT, and look at what happened since.
Ten years ago, DDoS attacks were hitting Estonia. Following the fall of the Soviet Union, Estonia built its entire infrastructure from scratch, and therefore did so on the Internet.
Imagine what DDoS attacks could mean for a country which “resides” on the Internet. Basic services could stop working.
When I first encountered the news, I shrugged it off. “Yet another DDoS,” I said. Then a second week rolled along. And then a third started. Having been one of the people who organize online task forces for global incident response and for protecting the Internet infrastructure itself, I knew a guy, and that was Hillar.
Hillar Aarelaid was the head of the Estonian CERT, a two-person team in Tallinn tasked with coordinating and responding to security incidents. I sent him a note, saying: “Do you guys need any help?”
He replied immediately: “When do I pick you up from the airport?”
I went in on the third week of what ended up being a month-long set of attacks. My role was relatively small. I helped where I could, and I wrote the post-mortem and lessons learned of the attacks. The Estonians, however, taught us lessons that were to redefine information security, or, as it has since become known, cyber security.
You are not measured by preventing attacks, only by how you respond to them.
Attacks will happen. Attackers will be successful. How good a job did you do at discovering that an attack is going on, investigating it, and mitigating it?
It’s about people, not computers.
Computer attacks are not about the bits and the bytes. Those are simply a necessary prerequisite; without them, the attacks won’t happen. Computer attacks are about people. If people have the perception that an attack is successful, it is, regardless of any actual damage.
Anyone could affect world politics
Playing is not limited to nation states. A kid on the other side of the world could potentially affect world politics and decision making through computer attacks. They are easy enough to carry out, we are vulnerable to them, attribution is hard, and we have our own immediate suspects we want to attribute to regardless.
We no longer suspect. Here are the strategic implications.
We’ve always made boisterous statements about information and cyber security being strategic. But what did we really know? We could make educated guesses based on three categories:
One was based on theory we learned from other areas of war. We could try to consider how it might be affected or implemented in a cyber war situation.
Two was based on taking smaller-scale computer attacks, such as those in cyber crime, and considering what they might look like when a nation state uses them.
Three was based on what could happen. We know of various attack types and what hackers could potentially do, and we could think about how these might serve a nation state.
Understanding that cyber security is strategic, and that this is how we need to attack the challenge, is why I ended up starting my cyber deception startup, Cymmetria.
We must rely on others for our own defence
While information sharing and collaboration have become a fad, and we can tell who is a newbie to our field by who speaks on it more, it has also become clearer than ever that we can’t do without them.
Survival on the Internet is about who you know, and who can help you. You do not control the world; you barely control your own network. It’s about Assured Self Help, or, as I like to theatrically dub it, Mutually Assured Survival.
The past decade
Over the past decade all of these lessons have been proven true.
Cyber security has shown that it is about computer attacks, but that those attacks are driven by policy goals. It has also shown us that it is often a medium through which messages are delivered, as opposed to something that is merely disrupted. A continuation of policy by other means, as I write about in my other post.
We also learned, though, that these rules hold true for the world of espionage and world politics. Whether it’s in advanced nation state APT attacks, where attribution has been a major concern of mainstream media and policy makers lately, or in cyber security first principles, where we now Assume Compromise and try to detect an attacker’s presence as soon as possible rather than rely on prevention.
We noticed loosely affiliated groups of hackers such as Anonymous and organizations such as Wikileaks take to the world stage and affect world politics. It doesn’t take much.
Lastly, it’s not just about us and what we control. It’s about who we know who can help us defend ourselves, and how we can be responsible in return and help them.
Estonia was the first real and public use case we had, and it is as critical today as it was back then. Ten years later, I am happy to look back and explore these lessons learned. We may have been through DDoS attacks, an espionage barrage, and all around been through hell. But Estonia still remains the de facto example to live by for cyber warfare, to date.
#cyber #cyberwar #Estonia #firstprinciples #lessonslearned #DDoS #propaganda #informationoperations