In April 2007, Estonia relocated the Bronze Soldier of Tallinn (or, ‘Alyosha'), a World War Two monument dedicated to the Red Army. This event caused a military build-up on the border from the Russian Federation, and two nights of rioting. The ripple effect from a giant cyber-attack timed for these events are still being felt by today's cybersecurity community.
Joseph Carson was on the ground during events in Estonia. The chief security scientist at Washington, DC-based Thycotic, a privileged account security firm has acted as an advisor to the Estonian government. Carson is also the COO at ESC Global Security, a Tallinn-based firm that specializes in maritime, land, underwater and cyber defense, and which owns activity licenses in global surveillance and protection.
This telephone interview was conducted in November 2017. It has been edited for length and clarity.
Simon Marshall: The cyber attack on Estonia was considered one of the most sophisticated to date. It's public knowledge that government Websites were despoiled or taken down, and that DDoS attacks using ping floods and botnets to deliver spam affected businesses, banks, broadcasters and newspapers everywhere in the country. But where does your side of this story start?
Joseph Carson: To begin with, 70% of the population are native Estonians, the remainder are a number of diverse ethnical groups, with a largely Russian-speaking population. Estonia was occupied by Russia until 1991 and after that, a very passionate government was formed by Estonians. Education had been governed by the occupying country, and the new government worried that its history, its education, its historical events, books, even language, could be rewritten. Land ownership was a big issue, with nationals coming back to claim their family lands.
The Estonian government decided in 1991 that Estonian history would never be rewritten. People are much more passionate and patriotic about their heritage when oppression is removed, and their whole emphasis becomes one of refocusing. The government sent off scientists to discover how history could be rewritten by an occupying force in the new Internet era.
Marshall: It sounds like the government was worried about how to secure the Internet so that no control could be exerted over the country that way?
Carson: In 1998 the scientists came back, and they had found a solution. They came back and recommended the Merckle Tree, especially useful since we wanted to find a way to time-stamp historical documents. In March 1999, the government introduced an ID card, and also an online digital authenticator. Many of the technologies behind that were from initial research into blockchain, and Estonia is the leading country in blockchain today. Back in 2000, they passed a law that a digital signature is equal to an actual paper signature. It empowered Estonia.
It became a thriving digital society, and in 2002 they introduced X-Road, a map for the digital future when other countries were still building physical roads. This was successful because it was communicated to citizens as a service provided by the government. In 2003, the government changed its mindset from policing citizens, to being a service provide to them, and being more transparent.
Marshall: That sounds very positive, but what went wrong?
Carson: In 2004, Estonia joined NATO, effectively moving (politically) from East to West. The government was also changing its interaction in terms of political stance. In 2005 it brought in electronic voting by mobile phone. And, Estonians built Skype.
Clearly, the tipping point was the relocation of the Bronze Soldier of Tallinn. Cyber was, at the time, becoming a tool of war and the 2007 decision to move [the statue] launched violence in the streets. It was seen from Russia as an oppression of the Russian speaking population. The Russian military built up on border. Multiple DDoS attacks brought government and many other systems to a halt. We had to physically sever inbound attacks from the Internet.
Marshall: Was the cyberthreat underestimated?
Carson: At the time, we had a good skillset. We handled it well and quickly, people were back at work after two days. We made the right decision at the time, but the (cyber) damage long term was significant. At the time we were more worried about a potential land invasion.
Marshall: The potential land invasion was real, but was the real power here the ability to ‘invade' without physically being there?
Carson: Absolutely. Russia had an influence. What happened, I think, is that this event really began the early years of fake news and trolling. Greater political disruption and instability. And that is really the key weapon in cyber today.
Marshall: How was the attack dealt with?
Carson: The majority of attacks were DDoS, and they were coming from outside of Estonia. They were coming from the US, the Middle East, other places. At an ISP level we severed requests; if you were outside and trying to access Estonian websites or services, we made that impossible. Attackers were basically controlling large botnets, and that has meant that, ultimately, attribution was difficult.
Marshall: So, bearing that in mind, what's your main concern about the challenge of dealing with these types of threats?
Carson: In 2007 we could trace attacks back thorough networks to single computers, but there's a lack of transparency of knowing who is sitting at the computer. You can pay criminals to do these transactions, you don't have to be the person doing it. But my personal view is that if you can trace criminal organizations attacks back to a particular country of origin, it's then up to the governments of those countries to make sure that activity is stopped, and also that no blind eyes are being cast.
Marshall: But how realistic is that? Are governments really equipped to deal with threats? Isn't this really being done at this point only in the private sector?
Carson: There has historically been a leaning on the private sector to carry out the work. But when an organization from one country is stealing the IP or databases of another one, I don't see that as an illegal act. Therefore, the government of that country should come down to the right legal position. When they're being selective, that's where I draw the line.
Marshall: What can be learned from all of this?
Carson: In 2008, the NATO Cooperative Cyber Defence Centre of Excellence was launched in Estonia. NATO investigated the cyber attacks, but two major issues we had at the time were a potential land war with Russia, so we had to decide, what's our strategy, what's our mitigation in that event from a digital perspective? Second of all, the cyber services for citizens were centrally located in Estonia.
So on the cyber side, our challenge was that we couldn't build a new data center in Estonia, because we would have to build it into the sea, there's little landmass available. We couldn't put it in another country because that was against the sovereign law of Estonia.
My expertise was in DDoS, so we considered: 'what would be the best mitigation against attacks?' My advice was: don't be centralized. Another idea came from the CIO of the government at the time, and he thought, 'we have the concept of a physical embassy, so why can't we have several data embassies?' Put data inside an embassy in another country, where it's still bound by sovereign laws. So we introduced the concept of virtual data embassies.
Marshall: Care to disclose where the physical locations are?
Carson: The key number is five, distributed by location globally. One was launched in May this year in Luxembourg with further embassies to follow.
Marshall: The US claims that it takes a lead in cyber defense. But what's your advice to the US government?
Carson: They have to understand transparency and cooperation; you cannot operate alone in cyberspace. If there are countries that are not-so-great-friends out there, you may want to have a better relationship with them in cyberspace. By reversing the current situation and becoming more closed at cyber borders, they're actually increasing the threat of cybercrime; it has a negative impact because there's less intelligence and less transparency about what's going on out there.
Marshall: You also have a background in maritime law, and I understand that's a concept that holds a solution? Is it a realistic concept?
Carson: Yes, we need a new "maritime law in cyberspace," -- a binding framework across all countries. Setting a framework is the most vital starting point. GDPR is a good example. The important thing is data flows through cyberspace on its own. Services can be located in other countries, but they can be tied back to various countries of origin.
In international maritime, the law of the vessel is the flag of the ship. That's where the law goes back to. If can say that data flowing through cyberspace is bound by the law of my country and my location. It's my way of raising a flag and saying that cyberspace should not be held by boundaries but by services. That's what GDPR is all about. Data is signed with a signature and blockchained, and that is the flag.
Marshall: How does that work from a legal standpoint?
Carson: No company within their nation states should be doing security attack attribution back to those nation states. Attribution for nation state crime should be come from working directly with the law. Businesses should be focused on a return to business and serving their customers.
We need education about how to act in cyberspace for every child, person, gender, workplace or whatever, because cybercrime doesn't care how old you are, what race or gender you are, cyberspace is a hive of criminal activities and people need to be aware of what that means. It's not going to go away, it's going to get worse, and people need to know how to control it.
— Simon Marshall, Technology Journalist, special to Security Now