Russia’s continued cyberattacks on Estonia and their implications for Internet governance


The Russian Federation continues to wage cyberattacks against Estonian government websites. The attacks come at least partly from IP addresses connected with Russian Federation government agencies and, if continued, have the potential to harm the functioning of the Estonian economy and society, as Estonia currently and increasingly relies on the Internet to conduct its daily life and business.

Previously, Shel and Sten have covered the subject.

Moral qualification of the aggression

Before proceeding any further, I feel that I must morally qualify the current events and specifically the cyber-aggression from my own perspective. I have also previously posted about recent Estonian events, please read these posts and their comments to develop your own view.

In short: the Russian Federation continues to actively demonstrate that she is not able and/or willing to act as a well-behaving member of the international community. Russia continues hostile activities against its neighbouring countries, including Estonia. The aim of such activities is to destabilize the situation, instead of promoting cooperation and building bridges and understanding. Like my colleague Sten, I am deeply saddened by this, as I would really like to live in a free democratic world where countries respect each other and demonstrate a willingness and ability to cooperate with each other, instead of spreading lies, biased history interpretation and conflict.

I am happy that everyone living in Estonia is united in their willingness to cooperate in continuing to build the happiness and prosperity in this country through means of peaceful cooperation and dialogue. A clear indicator of this is the lack of violence on the streets of Estonia after the shocking events of two April “bronze nights”. This clearly shows that the issue we have to deal with is NOT conflict between ethnicities in Estonia, as some provocateurs would have wished. It is rather having to deal with the challenge of the Russian Federation wishing to dominate over her neighbouring countries and disrespecting their sovereignty. One of the tools being utilized by the Russian Federation is coordinated, well-orchestrated and government-mandated DDoS cyberattacks.

Typically, such DDoS, spam and phishing attacks and similar cybercrimes are carried out by private criminal actors for commercial purposes, in conjunction with other cybercrime such as spamming and phishing. The aim of such attacks is commercial gain, such as getting access to someone’s PayPal funds. To conduct these attacks, the criminals take precautions such as masking their true origins and identities by bouncing through different hosts before reaching their end destination. In contrast, at least a portion of the current attacks against Estonia can be clearly and directly traced back to Russian government agencies. This indicates the especially blatant and cynical nature of such attacks, as the attackers have not even bothered to conceal their identity. There may also be practical considerations to this, such as perhaps not having access to sufficient amounts of computing and networking power when conducting proxied attacks. But I personally consider this more of a (blatant but failed) demonstration of superiority.

A final, yet most important question about the attacks is their motive and end goal. What will the Russian Federation gain by cyberattacking Estonia (or any other nearby country)? Will it do any good to her own economy? Is this truly the best use of the intellectual capacity of the country that’s always limited and could be spent on better things such as, uh, building products that the world market would be willing to pay for to advance Russia’s IT industry? Is this really a good signal to possible future investors that the country’s IT potential is willing to engage in orchestrating such attacks together with the authorities?

Internet governance and the bad guys

But what I really wanted to get to is the implication of these hostilities to Internet governance.

I’m pretty sure that in 50 or 100 years, such aggressions would result in an immediate invocation of Article 5 of the NATO treaty. The problem currently is that the whole “cyber” thing is still relatively new to the political scene, and there is some confusion about what constitutes an “armed” attack. I’m sure that there will be many discussions around this as the Internet continues to become a part of many people’s and organizations’ and governments’ daily lives. But for now, there remains an ambiguity around this on the government and political level.

So if someone misuses the Internet, and you cannot resolve it on a political level, what do you do?

The Internet was originally built to retain communication capacity in case of a nuclear attack that could have otherwise incapacitated a country, specifically the US. (Well, this is not entirely true. The Internet also had other design objectives. But it’s not entirely false to say that the above was one part of the Internet’s design objectives, and I’ll use it in this discussion.) This of course assumes that the “bad guys” are using conventional and nuclear weapons and other non-cyber-weapons and the Internet is entirely under the control of “good guys”. Remember that it was originally used for communication between academic institutions who all had a common goal of furthering science and research. I can’t imagine the original designers of the Internet imagining a situation where they would have had to deal with well-organized, well-funded, long-lasting and government-mandated hostilities. Normally you would deal with such abuse using law enforcement. But in the case of the Russian Federation and her current cyber-aggression against Estonia, I believe it is safe to assume that the law enforcement apparatus and IT capacity is part of the problem instead of the solution, and participates in conducting the attacks or at least quietly approves of them instead of taking law enforcement action.

So, in the framework of Internet governance and a government-mandated attack, and if the “bad guys” are an inherent part of the Internet as it has become global and open to everyone, what do you do?

I don’t believe in international Internet governance. It doesn’t exist currently and setting it up will be a lengthy process. This may eventually happen, but we in Estonia need answers here and today.

Rather, let’s look at how the Internet currently functions — on the basis of agreements between NGOs dealing with the governance and regional authorities allocating the address blocks, stemming from the US Department of Commerce, most notably the ICANN.

I haven’t studied the exact framework in detail, but I believe there is a framework and a set of regulations in place for delegating responsibility for allocating blocks of IP addresses from ICANN to regional authorities like the RIPE NCC, which is the relevant one in the Russia-Estonia case, and from the regional authorities down to the government- and privately-owned ISPs who allocate the addresses to end users. And being naive as I am, I believe that these frameworks and agreements contain provisions for enforcing that the allocated address spaces are used for “fair use” purposes and not for trashing the experience of other Internet users.

If a given ISP does not honour its commitments in forcing its users to use the Internet only for non-aggressive purposes, one real outcome of this conflict could be that the RIPE NCC or ICANN authorities get together and simply deallocate the IP blocks from the ISPs who are unwilling to enforce the fair use policy and are permitting their customers to conduct hostilities against other international actors on a country and global level. This would mean that portions of the Russian Federation and its government agencies could be simply disconnected from the Internet if they fail to capture and prosecute the offenders.

I’m sure there’s a lot more detail to this that I have missed, and I should study the delegation procedures in more detail. But this is a challenge and good opportunity for the Internet community to get together and demonstrate that they are willing to enforce the use of Internet for its original purposes, to further science, development and thereby national and international learning and understanding, instead of hostilities between countries.

I hope that the ICANN, RIPE NCC and other relevant bodies will take action on this if the Russian Federation hostilities continue.

3 Comments

Dear Jaanus,

I’m not an IT specialist and it may well happen that I’m totally wrong. But what I read before about these DDoS attacks is that they are often launched using lots of computers, where a kind of “sleeping agent” program is installed and can be remotely activated. Most such programs can basically be removed if some kind of anti-virus software is used.

Obviously in the vast majority of cases the presence of such a program on the computer is not a result of negligence about IT security, but not a deliberate installation.

In this respect, what are the proofs that these attacks are deliberately launched by the Russian government? Could it be that some IPs have been used for DDoS attacks as a result of negligence of their respective users? I’m interested in your personal opinion as a specialist in this area. Apart from that, I haven’t yet seen any list of these organisations. Are you aware which organisations are meant? Is it a state security agency, state bank, local police station or marriage registration office?

I understand that some actions undertaken by the Russian Federation may look like economic sanctions, despite not being called that yet and covering quite a limited area of economic relations between the countries (bank transactions are not prohibited, for instance). However, it does not necessarily mean that all other events happening in Estonia these days are the result of some Russian Federation actions or inspired by it.

One more note - on Kristallnachts. As you know, these events were inspired by the Nazi government of Germany and were targeting Jews and Jewish-run premises. I do not understand the grounds for your comparison, since the crowd in the mentioned events in your country was mixed and included people of both Russian and Estonian ethnicity, and the shops that suffered from violence also belonged to different owners. Linking these events to events that led to ethnic cleansing is highly questionable. Comparing the victims of recent violence in Estonia with victims of Kristallnachts is, in my opinion, not quite respectful towards the latter.

I think that if you are looking for analogues for events in Tallinn you don’t have to go that far. In my opinion events in Paris of last year are much closer in terms of the reasons and results.

Regards

Mikhail: “both Russian and Estonian ethnicity”. Not ethnicity. As I understand it: It were “/3 non Estonians that means with alien passport and 1/3 Estonians, that means with Estonian passport. Now you can argue if the last ones are Russian speaking or Estonian speaking as their native tongue.

Mikhail,

as for the DDoS attacks - your description of them is accurate. They are often launched using “zombie” computers all over the world and this is true also for the current attacks in Estonia. But the attacks are more complicated and have more different types - the data gathered by the government clearly traces a small portion of them back to Russian Federation government agencies. I do not believe that they would come from there because RF government IT was negligible and failed to secure its own computers, all the evidence seems to pinpoint that at least a portion of these attacks, if not all, has been sanctioned and conducted with RF government blessing.

The most recent developments in these attacks are that one person in Estonia has been arrested for online activity supporting these attacks, and another person in Moscow has been identified. There are only scarce news reports available about the detailed technicalities of the attacks and their sources, and I don’t believe too much will be published while the investigation is ongoing. But there is a NATO defence ministers summit this upcoming week where these attacks are also discussed, and perhaps more info will be published as part of this.

Even though RF government may not be directly behind these attacks in the sense that their people have directly participated, I think it’s undeniable that they support and encourage them in their current general framework of hostility and hatred towards Estonia. Otherwise you would have heard at least some form of condemnation from RF about these attacks. And also the timing directly coincides with the recent events, so it can’t be just a coincidence.

I am not the first one to make a reference of the April nights to Kristallnachts; this was first made in some domestic news sources. I believe there is a clear ideological connection. In both cases, a nondemocratic government (Nazi Germany or Nashist Russian Federation) created conditions for a night of public disorder whose objective was to fuel hatred and violence and ethnic conflict in a society. RF fortunately failed here. We had two nights of disorder but that was it. But I agree with you that this may lead to some unwanted connections and implications and so I removed this term from the post body, replacing it with “bronze night” that now seems to start becoming the popular term of reference.
