Crocs Uncover

Bizarre Species

lunes, 21 de junio de 2010

Why Estonia Is the Poster Child for Cyber-Security

I'm just back from a conference on cyber security held in Estonia, or, as the editors always force me to write: "the tiny Baltic nation of Estonia." Other popular tropes: "in Estonia, more than 90 percent of all banking is done online, digital signatures are used widely by government officials and you can pay for parking with your cell phone. Geeks have dubbed the place E-stonia. Oh, and four Estonians built Skype."

Right, we get it. Twenty years ago, the country shook free of the Soviets and made a strategic decision to invest, heavily, in information technology. The country's President, Toomas Hendrik Ilves, put it this way: "We are a small, unassuming European country that's fairly advanced when it comes to Internet applications."

You may also remember that the last time Estonia was in the headlines was back in 2007, when a series of denial of service attacks wrecked havoc with the the e-services that Estonians have come to depend on, and expect. The attacks began at the same time a real-world battle had developed over the fate of a statue of a Russian soldier in Tallinn. Online, banks, newspapers, and some government ministry websites were on the target list.

Some accused the Russians of coordinating the attacks, although no conclusive proof has ever been shown. Likewise, groups inside and outside Russia have claimed responsibility, but that's never proven either. To date, one student in Tallinn has been convicted of being involved. His punishment? A $1,500 fine.

At the time, headlines outside of the country did a lot of screaming about "Cyber-War!!" etc. The Estonians took things a bit more in stride, and got to work getting their systems back online. The attack was "the IT equivalent of a paleolithic attack with rocks and clubs," President Ilves said. "But we know that even attacks with rocks and clubs can cause damage."

Ilves was speaking last week in the capital Tallinn, at the opening of a major conference on cyber-security. Since 2008, Estonia has also been home to the Cooperative Cyber Defense Center of Excellence (CCD COE), a NATO-approved think-tank whose mission is essentially to formulate new strategies for understanding, and preventing, online attacks. Representatives from across NATO countries and beyond use the center to carry out research and share information.

The Center was actually in the works long before the attacks, but they did lend an added urgency to the need for concentrated, coordinated and above all global thinking when it comes to fending off Internet attacks. It's not just about dealing with the technical aspects of understanding and eliminating threats. It's also thinking about how we update our national laws, and the laws of war, into a world where, as Ilves said, "You don't need a tank. All you need is a keystroke."

Estonia has, it must be said, become something of a poster child for the whole notion of "cyber-war." There's a lot of fear-mongering right now about "Internet Pearl Harbors" and "Cyber 9-11s." But here's the thing that the experts gathered in Tallinn agreed on: we don't even know how to define "cyber-war," either from a strategic point of view, or a legal point of view. And without a conceptual framework for it, it's hard to know how to prevent it, or who to hold responsible for it.

What strikes me, in reflecting on the interviews I did in Tallinn, was how much we all might be able to learn from the way the Estonians dealt with the cyber-attacks in 2007, and how they continue to deal with both online threats, and the attention they bring.

Estonia's Defense Minister, Jaak Aaviksoo, has spent three years thinking about these things. On the attention focused on Estonia he says, "I wouldn't say it's good or bad. I have to live with it." He's philosophical when it comes to dealing with a future filled with online threats: "New technologies emerge every day, and both the good guys and the bad guys have access to them. We can't monopolize technology into the good guys' hands." The only way we'll learn to move forward, he says, is by going through a painful growing process of suffering from, and dealing with, online attacks.

Another official told me that Estonians haven't been frightened off of IT by the 2007 attacks. On the contrary, she said, they are using e-services more than ever. "We're too used to them now to give them up," she told me.

"Just because you get mugged once in a park," she said, "doesn't mean you stop going to parks."

If you want to read and hear more about the conference, by the way, I wrote it up for BBC News online, and for public radio radio too.

No hay comentarios: