Cyber-war a growing threat warn experts

By Clark Boyd
Technology Correspondent, BBC World Service

  • Published
Tallinn town hall, Estonia
Image caption,
Only one person, a student living in Tallinn, was ever charged over the 2007 Estonia cyber attacks. He was fined £1000.

In 2007, Estonia was the subject of a series of cyber attacks which crippled the internet across the country.

Banks, government departments and the national media all found their websites swamped by a tidal wave of spam which took them down.

The perpetrators were never caught.

Some evidence pointed to Russian government involvement in the attacks, but no definitive link to the Kremlin was found.

So was it the first ever act of cyber-war?

Defining cyber war

Experts from nearly 40 countries gathered in the Estonian capital Tallinn to discuss the latest issues in the fight against virtual attackers.

Estonian President Toomas Hendrik Ilves opened the conference with a stark warning about the seriousness of cybercrime.

"Our critical infrastructure, electricity grids, transportation networks and mobile phone networks are so enmeshed and tied to the internet that any open society is open to complete and utter failure," he said.

Worse still, it's not easy for a country to protect itself from such an attack, added Estonia's Minister of Defence Jaak Aviksoo.

"There are no smoking guns, no foot or fingerprints in virtual reality," he said.

"The computers used in the (Estonia) attacks were distributed worldwide, in more than 100 countries. The attackers can hide very easily, and that is a problem."

For Mikko Hypponen, chief security officer at F-Secure, what happened in Estonia was not an act of war, especially as the country's military systems were not targeted.

"In my book, real cyber-war would be when the army of Country A attacks the computer systems of Country B. And that hasn't happened, yet," he said.

"In the attacks we've seen so far, there's no way to prove direct government involvement."

They were certainly classed as a national security threat though.

In Estonia, the vast majority of all banking is done online. And when the attackers took the banks down, there was pressure on the Estonian government to do something, and fast.

"If people can't access their money, if they can't buy milk and bread, then you're going to have problems," said Kenneth Geers, a US Navy representative.

"Data packets via the internet are fired all the time in anger. However, if no one dies, then according to the laws of war, we're not in conflict."

For the experts in Tallinn, the threats were all too real, and many believed the motivation for cyber attacks had moved beyond politics.

"In real space, there are real lines between criminals and soldiers," said Heli Tiirmaa-Klar, Estonia's national cyber-defence coordinator.

"But in cyberspace, the criminals could be used as mercenaries and proxies to fulfill the tasks others have told them to do."

Easy hacking

Skilled hackers at the conference said malware designed to be used in attacks could be purchased for a few hundred dollars online, or even downloaded for free.

Haroon Meer is a hacker and lead researcher at thinkst, a company that does penetration testing for clients.

He helps companies and organisations determine their own online weaknesses by breaking into them.

But he has also done a lot of thinking about how he would attack an entire country.

Image caption,
One expert said his government network is attacked 60,000 times per second.

"When people talk about cyber-defence, they instantly say, 'we'll protect control systems.' But what about banks, what about the internet service providers? Should the United States protect Amazon or eBay, which are huge financial income for the country?" he said.

Security consultant Dr Charlie Miller demonstrated just how quickly and easily he could take control of a single machine through a programming flaw he'd found in a web browser.

In less than 10 seconds, Dr Miller, who once worked for the US National Security Agency, took complete control of a machine remotely. He gained access to e-mail, activated the laptop's built-in camera and took a picture of the victim.

He said that with a budget of $100m (£67m) he could train a team to carry out a major cyber attack on an industrialised nation, with targets including military systems, critical infrastructure and banks.

"We would be able to get into many sensitive systems and cause disruption," he said.

"It's certainly not the same thing as dropping a bomb, but with a few years and enough money, we could cause havoc."

But consumers are not deterred by the magnitude of the potential threat, and even in Estonia e-services have continued to grow at a healthy rate since the attacks.

"Estonians were not frightened by what happened in 2007," said Heli Tiirmaa-Klar.

"We don't think dependency on IT is a bad thing. It's a good thing, and we are used to it."

Related Internet Links

The BBC is not responsible for the content of external sites.