Edward Lucas
06 June 2016

Cyber in Tallinn

“Cyber” implies a world apart—like outer space—in which normal rules don’t apply. In fact, the reverse is true. Every bit of real life—from the criminal justice system to social norms, via military force and political activism—impinges on the way computers and networks operate. And computers and networks increasingly affect them too.

For this reason, CyCon, the annual conference organized by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, is particularly interesting. It attracts technical experts, but also lawyers, business people, spymasters, academics and journalists, all of whom have a stake in the way in which the rules of the internet are made, and how they are applied.

My panel was about the lessons learned from past cyber-conflicts. One message was that thinking about dividing lines is a mistake. “Cyber-attacks” sit on a spectrum. At one end is a “pure” cyber-attack: one that never becomes public, and has no “kinetic” effect: it doesn’t break things or blow them up. I gave the fanciful but pleasing example of a bug in Vladimir Putin’s nuclear “football” – the portable command system which launches Russia’s nuclear weapons. If that top-secret device could be made to play the “Star Spangled Banner” at random intervals, the Kremlin would assume that its nuclear deterrent was unusable in a crisis. But nobody would ever know.

Sometimes the aim is to spread information: computers and networks can be an essential part of propaganda attacks, as the NATO Centre in Tallinn has highlighted, in an excellent book on Russia’s war in Ukraine. Conceivable, but still for now in the realm of fiction, are attacks on critical national infrastructure that make the lights go out, or sewage systems run backwards.

It is easy to focus too much on the technical details. The main point I tried to get across at CyCon was that “cyber” is a vector—a direction of attack—but not the attack itself. The most mind-clearing way to look at events involving computers and networks is to ask who is the perpetrator, who is the victim, and what is the objective.

Take for example the crude swamping attack mounted by Russian hackers on Estonia in 2007. This was effective in the short term—the country had briefly to cut itself off from the outside internet in order to maintain public services. Many outside observers count that as an example of successful cyber-warfare. But Russia’s tactical triumph belies a strategic defeat. If the aim of the attack was to force Estonia’s government to back down, it failed: the Soviet war memorial at the center of the dispute stayed in the military cemetery to which it had been moved. If the aim of the attack was to display intimidatory capabilities, that failed too: the Estonian internet rapidly returned to normal and Estonia gained plaudits for its resilience. Thereafter expertise in dealing with swamping attacks (DDoS in geek-speak) mushroomed.

It can be hard to know if an attack is taking place. My co-panellist, the British expert Keir Giles, highlighted mysterious events in Sweden in recent days, affecting emergency communications systems, air-traffic control, the rail travel booking system, banking and payment systems, as well as DDoS attacks on the media, and sabotage to the national communications infrastructure. Some Swedes in the audience insisted: these are all unrelated. Perhaps they are.

Either way, the damage is done. It’s enough for people to believe that the system is vulnerable and that Russia’s hidden hand is at work—even if it isn’t. As Giles pointed out: the effect “in terms of loss of security confidence and trust is pretty much the same.”

Europe's Edge is an online journal covering crucial topics in the transatlantic policy debate. All opinions are those of the author and do not necessarily represent the position or views of the Center for European Policy Analysis.

NATO Cooperative Cyber Defence Centre of Excellence/Kristi Kamenik