Disclaimer: The opinions expressed are not necessarily those of the U.S. Army War College, Department of the Army, or the Department of Defense.
Tensions in Tallinn, Estonia had been building for weeks when Hillar Aarelaid—director of Estonia’s Computer Emergency Response Team (CERT)—detected an unusually volume of web queries toward government and commercial websites on 26 April 2007.[1] He was not particularly surprised. The ethnic Russian minority population in Tallinn was incensed about the Estonian government’s intention to reposition the “Bronze Soldier” war memorial from downtown Tallinn to a military cemetery—not to mention the annual enmity that occurred on the forthcoming 9 May “Victory Day” observance of triumph over Nazi Germany. Many Estonians viewed Victory Day as an unwelcome reminder of Soviet occupation from 1944-1991, and derisively called the Bronze Soldier “the Unknown Rapist.”[2]
As Russian protests turned into riots, the simple queries grew into a well-coordinated Distributed Denial of Service (DDOS) effort—led by associates of the pro-Kremlin cyber militia calling itself Nashi.[3] For nearly three weeks Estonia experienced periodic DDOS disruptions involving over a million unwittingly “enslaved” botnet computers from 175 countries.[4] Bank services were unavailable to customers; government websites were defaced and overtaxed with incoming queries. On 19 May 2007 the disruptions ceased almost all at once—suggesting the presence of central control, with most botnet controllers’ Internet Protocol (IP) addresses traced to Internet Service Providers in Russian Federation locations.[5] Antivirus giant McAfee’s analysis revealed over 80,000 participating IP addresses—many traced to the Russian mafia and Russian sympathizers in Latvia, the Ukraine, and the United States.[6]
The DDOS caused financial damage to banking and private industry estimated at over three million euros,[7] yet there were no consequences for the hackers outside Estonia. Russia feigned ignorance of the nationalistic cyber militia; unsurprisingly, European Union and NATO experts could find no evidence of direct collusion between the government and Nashi.[8] Nevertheless, Russia-based botnet controllers violated Estonia’s sovereignty by interfering with the nation’s commerce, governance, and communication; the Russian government should have been held accountable to stop the DDOS. There are two levers to accomplish this if it occurs again: demand United Nations legal action against Russia for its unlawful conduct, and request sanctions from the World Trade Organization (WTO) for violations of international trade conventions.
Countries victimized in the future by Russia’s cyber bullying could make a strong case against the Kremlin in the UN’s International Court of Justice. Under international law norms, nations are responsible for their citizens’ actions that are detrimental to other countries. The recently published Tallinn Manual on the International Law Applicable to Cyber Warfare—a three-year project by an “International Group of Experts” at NATO’s Cooperative Cyber Defence Centre of Excellence—describes cyber responsibility in Rule 5: “A State shall not knowingly allow the cyber infrastructure located in its territory…to be used for acts that adversely and unlawfully affect other States.”[9]
The Russian government asserted that it neither had knowledge of the DDOS’ origin from IP addresses inside its borders, nor were its law enforcement organizations willing to investigate. When the Estonian General Prosecutor contacted his Russian counterpart for assistance in bringing hackers to justice, the response was curt: “In our criminal proceedings, Russian police do not identify IP addresses.”[10] Although post-event analysis did not produce evidence of a Nashi conspiracy with President Putin’s government, the Tallinn Manual indicates that Russia was in violation by failing to act “upon notification by another State that [DDOS] activity is being carried out.”[11] Russia was aware of the DDOS in Estonia, and its origins on the Russian-language hacker websites—yet they chose to do nothing. When the DDOS ended, the Estonian government took measures to remove the worldwide botnets and determine the locations of botnet controllers. Out of 175 countries hosting computers victimized by botnet malware, all but one cooperated in cleaning up the bot problem: Russia.[12]
The financial backing and intellectual prowess required to execute the DDOS further implicated the hand of the Kremlin.[13] David J. Smith, a Senior Fellow at the Potomac Institute for Policy Studies, candidly describes Russia’s cyber posture in 2012: “Russia—a motley crew of government-sponsored cyber criminals and youth group members—has integrated cyber operations into its military doctrine.”[14] Evidence of Nashi involvement surfaced during the DDOS attacks on Lithuania and Georgia in 2008, as well as Kyrgyzstan in 2009.[15] Thus, there is growing suspicion that the Nashi now receives subsidies directly from the Kremlin, particularly because Vladislav Surkov held meetings with the group during his time as first deputy chief of President Putin’s staff from Nashi’s early days in 2005.[16] Since December 2011, Surkov has been Putin’s Deputy Prime Minister. Smith asserts that working through hacktivists is cheap for the Russian government and confounds attribution; traces of IP addresses will never point to a government computer, which provides plausible denial.[17]
After decades of marginalization from international trade decisions, Russia completed its accession to the World Trade Organization (WTO) in December 2011. Russia’s membership should boost its annual economy by tens of billions of dollars—but the WTO expects it to reduce corruption and improve the rule of law.[18] Estonia’s Defense Minister, Jaak Aaviksoo, declared the DDOS effects “can effectively be compared to when your ports are shut to the sea.”[19] This is known in international legal parlance as a blockade. The Tallinn Manual’s Group of Experts could not agree about whether a cyber blockade could meet the legal criteria for a true blockade—and therefore an unlawful use of force.[20] As an impediment to trade, though, such an action would be unacceptable to the WTO. Sanctions could be on the table for Russia’s nascent membership.
Estonia’s loss of three million euros—or over 4 million dollars[21] —is not insignificant to a nation with a population comparable to Phoenix, Arizona. Estonia lost over 1.85% of its 2007 GDP; the same scale of attack upon the United States would cost US citizens nearly $260 billion.[22] This equates to wiping out the Gross State Product of the entire State of Arizona for a year—which was the United States’ eighteenth-largest state economy in 2007.[23] The international community must choose one or both of the aforementioned courses of action to discourage Russian collusion with cyber militias. As Hillar Aarelaid remarked while reflecting on Estonia’s DDOS event, “If you have an unknown number of attackers with different skills and capabilities, it’s quite painful.”[24]
[1] Mark Landler and John Markoff, “Digital Fears Emerge After Data Siege in Estonia,” The New York Times Online, May 29, 2007, linked from HeinOnline http://heinonline.org/HOL/Page?handle=hein.journals/brownjwa18&div=9&g_sent=1&collection=journals (accessed January 14, 2013)
[2] Kertu Ruus, “Cyber War I: Estonia Attacked from Russia,” European Affairs Vol 9, Issue 1-2 (Winter/Spring 2008), http://www.europeaninstitute.org/2007120267/Winter/Spring-2008/cyber-war-i-estonia-attacked-from-russia.html (accessed January 11, 2013)
[3] “Nashi Activist Says He Led Estonia Counterattacks,” Issue 4103 (March 13, 2009), The Moscow Times, http://www.themoscowtimes.com/news/article/nashi-activist-says-he-led-estonia-cyberattacks/375271.html (accessed January 7, 2013)
[4] Steve Mansfield-Devine, “Estonia: what doesn’t kill you makes you stronger,” Network Security, Vol 2012, Issue 7 (July 2012): 12-20, http://www.sciencedirect.com/science/article/pii/S135348581270065X (accessed January 7, 2013)
[5] Stephen Herzog, “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security, Vol 4 (2011), No 2: 54 http://scholarcommons.usf.edu/jss/vol4/iss2/4/ (accessed January 7, 2013)
[6] “Advanced Persistent Threats: Fight large-scale threats with unified solutions and advanced intelligence,” 2010, McAfee Global Threat Intelligence Solution Brief, www.mcafee.com/us/resources/.../sb-advanced-persistent-threats.pdf (accessed January 9, 2013)
[7] Toomas Lepik, “Setting the Scene: Lessons Learned,” February 13, 2008, linked from Europe’s Information Society Thematic Portal: “Workshop on learning from large scale attacks on the Internet – Policy Implications,” http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/large_scale/index_en.htm (accessed January 7, 2013)
[8] Stephen Herzog, “Revisiting the Estonian Cyber Attacks,” 51. Although an IP address can be traced to a country with 99% accuracy and to a specific city with 90-96% accuracy, putting a name to the IP address often requires cooperation from law enforcement and the Internet Service Provider. See David Clark and Susan Landau Harvard National Security Journal, vol 2, issue 2 (2011): 334, in HeinOnline (accessed December 12, 2012)
[9] Michael Schmitt et al, Tallinn Manual on the International Law Applicable to Cyber Warfare, (Tallinn, Estonia: Cooperative Cyber Defence Centre of Excellence, 2013): 33.
[10] Steve Mansfield-Devine, “Estonia: what doesn’t kill you.”
[11] Michael Schmitt et al, Tallin Manual, 34.
[12] Steve Mansfield-Devine, “Estonia: what doesn’t kill you.”
[13] Wyatt Kash, “Lessons from the Cyberattacks on Estonia,” Government Computer News, June 13, 2008, http://gcn.com/Articles/2008/06/13/Lauri-Almann--Lessons-from-the-cyberattacks-on-Estonia.aspx?Page=1 (accessed January 8, 2013)
[14] David J. Smith, “Russian Cyber Operations,” July 2012, Potomac Institute Cyber Center Online, 1: http://www.potomacinstitute.org/attachments/article/1273/Russian%20Cyber%20Operations.pdf (accessed January 9, 2013)
[15] Jeffrey Carr, “The War That We Don’t Recognize Is the War We Lose,” July 13, 2010, Forbes Online, http://www.forbes.com/sites/firewall/2010/07/13/the-war-that-we-dont-recognize-is-the-war-we-lose/ (accessed January 14, 2013)
[16] Roland Heikerö, “Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations,” March 2010, Swedish Defense Research Agency, www.highseclabs.com/Corporate/foir2970.pdf (accessed January 13, 2013)
[17] David J. Smith, “Russian Cyber Operations,” 3.
[18] “Russia becomes WTO member after 18 years of talks,” December 16, 2011, BBC News: Business Online, http://www.bbc.co.uk/news/business-16212643 (accessed January 14, 2013)
[19] Kertu Ruus, “Cyber War I: Estonia Attacked from Russia,: (accessed January 14, 2013)
[20] Michael Schmitt et al, Tallinn Manual, 163. (accessed January 14, 2013)
[21] Calculated with a 19 May 2007 date. See X-Rates Online, http://www.x-rates.com/historical/?date=2007-05-19 (accessed January 9, 2013)
[22] Calculated with Estonian GDP at $21.279 billion and US GDP of $13.811 trillion. See geohive Global Economy, http://www.geohive.com/charts/ec_gdp1.aspx (accessed January 9, 2013)
[23] Compiled from Arizona’s 2007 Gross State Product (GSP) of $259.2 billion. See US Government Revenue, January 9, 2013, http://www.usgovernmentrevenue.com/compare_state_revenue_2007bZ0a (accessed January 9, 2013)
[24] Jeremy Kirk, “Estonia Recovers from Massive DDoS Attack: Denial-of-service onslaught may have Russian origins,” May 17, 2007, ComputerWorld Online, http://www.computerworld.com/s/article/9019725/Estonia_recovers_from_massive_DDoS_attack (accessed January 14, 2013)