This Baltic country is getting a reputation for being security savvy. Just ask the hackers
During a November visit to the United States, Estonian Prime Minister Andrus Ansip comapared his country's success in combating a massive cyber attack earlier this year to Bruce Willis in the recent fourth Die Hard film.
In the movie, the macho character almost single-handedly takes out a criminal organization that attacks the United States by hacking into its online security systems.
Similarly, in April and May, Estonia's information technology (IT) infrastructure was subjected to a massive barrage of spam, viruses, and "botnet attacks," which rely on thousands of hijacked personal computers. The cyber-attack came just after a series of riots sparked by the relocation of a Soviet Red Army war memorial in Tallinn. Investigations showed that the attack originated in Russia and had a degree of coordination, possibly through hacker gangs. The Russian government has denied any involvement.
Whoever was responsible for the cyber-attack, however, has ended up doing Estonia a favor by letting the small state showcase its credentials as a modern, technologically advanced country and leader in technological security.
"Due to efficient and fast security measures, we were able to neutralize the attacks," Ansip said in Washington, D.C., in November. Rather than leave it to individual sites and hosts to sort out their own defenses, Estonia's Computer Emergency Response Team (CERT) acted as a coordinating unit, concentrating its efforts on protecting the most vital resources while sacrificing less significant infrastructure and even implementing an online "diversion" strategy that made attackers hack sites that had already been destroyed. Defense Minister Jaak Aaviksoo said in Washington that U.S. officials told him Estonia coped better with the attack than the United States would have under similar circumstances.
Not content with being the plucky underdog that punches above its weight, Estonia has been committed for several years to nurturing state-of-the-art online technologies that are used in politics, banking, security, and other sectors. Now, in the wake of its successful defense against the cyber attack, Estonia says it will develop a cyber-security industry that will allow it to sell its expertise around the globe.
"Cyber-security is a new measure of security, which must be actively engaged in both on the domestic and international level," Ansip said in Washington.
So highly regarded is Estonia's online technology and security savvy that NATO's new cyber-warfare center will be based there.
IN THE LEAD
Evidence of Estonia's commitment to online technology development is not hard to find. In 2005, Estonia becamse the first country in the world to use Internet voting in local elections. There are plans to expand the program. By January 2006, more than 355 governement agencies had joined together in the virtual world, allowing them to exchange data using an advanced secure server system called "X-Road." X-road is a message exchange system designed to enable secure communication and improve the availability of databases without endangering confidentiality.
Ninety-five percent of Estonia's banking operations are now carried out electronically, according to official data. Students can receive exam results via SMS, and Estonians commonly use their mobile phones to pay parking fees. The country pulled off a public relations triumph when it opened a virtual embassy in the online computer game "Second Life" on 4 December. The virtual embassy will be used to market Estonia across the Internet.
In addition to these developments, Estonia is playing the cyber-security card at every possible opportunity, leaning heavily on its success in overcoming the attack last spring. "Cyber-attacks are a clear example of contemporary asymmetrical threats to security," President Toomas Hendrik Ilves told the U.N. General Assembly in September. "They make it possible to paralyze a society, with limited means, and at a distance. In the future, cyber-attacks may, in the hands of criminals or terrorists or terrorist states, become a considerably more widespread and dangerous weapon than they are at present."
Estonia has placed the issue on par with energy security as a top priority for its chairmanship of the Baltic Council, an organization of parliamentarians from all three Baltic States. Estonia will hold the chair for a year starting in May 2008. Already, it has lined up eight countries willing to participate in the launch of a NATO Center of Excellence in Cooperative Cyber Defense, which will be located in Tallinn.
The proposal for the center was made in 2004, and the countries now on board include the Unites States, Spain, Germany, Italy, Bulgaria, Lithuania, Latvia, and Poland.
"Estonia has drafted two cooperation agreements, one of which will be signed between the countries that have expressed the wish to take part in the NATO center, and the other between NATO and the countries taking part in the center of excellence," Aaviksoo said in November, while promoting his cyber-security strategy. The eight countries will be asked to sign on formally as partners in January 2008.
Moreover, Estonia called in July for an international convention on combatting computer-based attacks. Global ratification of the convention would establish "a strong legal basis to fight cyber crimes," the Estonian Ministry of Economic Affairs said in a statement. Signatory countries would cooperate in preventing computer-related crimes and tracking down organizers of cyber-attacks.
So strong now is Estonia's reputation in the field that some countries already are trying to poach leading figures in cyber-security development. Hillar Aarelaid, head of the national CERT program, said he has received several lures from overseas, including an "exotic" bid from Singapore.
MONEY IN THE BANK
Along with government websites, Estonian banks came under cyber-attack during the spring showdown with hackers. Hansapank, which is owned by Sweden's Swedbank, was among the main targets, but it managed to keep its infrastructure intact and suffered only minor losses. It had prepared plans to deal with attacks in advance, and Hansapank, like many other Estonian financial instituations, worked closely with the CERT team.
Now that it has weathered an attack, Hansapank is able to serve as a model for financial institutions elsewhere as they prepare to protect themselves aginst threats, according to Toomas Vaks, the bank's internal-supervisory departments director.
"Thanks to that [attack], Estonia has repeatedly been invited to discussions in various international crime fighting seminars," Vaks said. "These so-called test attacks mean that Estonian banks have to be ready for constant wars, during which security systems have to be constantly improved."
Nordea Bank senior analyst Mikka Erkkila said that by specializing in cyber-security, Estonia effectively is creating a new financial services product. It is almost impossible, however, to put a figure on the likely size of the sector. With applications including such diverse areas as communications, database protection, cost savings, and remote military operations, the sector is potentially enormous. Some estimates put the global cost of damage caused by cyber-crime at around 68 billion euros each year, indicating a vast market for prevention and defense strategies.
Since Estonia is a small market, Erkkila said it was essential for Estonia to team up with larger international players to maximize the impact of its expertise in cyber security.
As outsiders look to Estonia for the next stage in security development, observers are picking up on particular trends that could teach valuable lessons. Alexander Ntoko, head of corporate strategy at the International Telecommunication Union, said it was imaginative responses that allowed Estonia to emerge from the spring cyber-attack relatively unscathed.
"In a number of countries, when the presidential website is being attacked, everybody rushes to protect it," Ntoko said, using the head of state's homepage as an example of a high-level government site that was attacked. "In Estonia it was different. They said, 'Well, let them attack and destroy this,' so that it would divert [the hackers] from destroying more critical things. The president basically gave up his own website and let them continue to attack it so that they would not be able to attack other things. That took a lot of political maturity."
Andrus Ansip: The prime minister sees his country as the good cop.
"[Estonian officials] didn't have enough people to be able to deal with the massive nature of the attacks, so they had to see how they could divert attention from other resources," Ntoko continued. "We are still following up on the Estonian experience because we want to be able to learn as much as we can and how to help other countries who might be subject to these types of attacks."
But in the fast-moving worlds of information technology and communications, time is of the essence, Ntoko added. As the use of online technologies balloons, more and more aspects of the physical world are being run by technology. Unless lessons from Estonia are learned quickly while the country presses for cyber-security development, the world could witness scenes that until now have existed only in the realm of Hollywood films or sci-fi dystopia.
"Imagine the types of attacks that could occur," Ntoko said. "Before, we were looking at people destroying information. But soon there will be the possibility of people being able to remotely manipulate industrial machines...[There could be] not just service attacks but real attacks on real infrastructure."