BBC reporter’s focus in this entry lies in the realm of the infamous cyber attack on Estonia in 2007 and facts behind Stuxnet as viewed by renowned experts.
The first signs that one state might be prepared to use the cyber realm to attack another came in Europe in 2007. The conflict began with a monument, a memorial to an old war. But this time the battle would be fought using new technology.6 years ago, when the Estonian authorities moved this huge statue of a Soviet soldier I’m standing next to, from the center of their capital Tallinn to the outskirts here in the military cemetery, it caused a huge diplomatic row with Russia. There were protests on the street, but also a sustained cyber attack on Estonian institutions, which made headlines around the world.
The large ethnic Russian community in Estonia was furious at the moving of the statue, which they saw as a provocation. And they took to the streets. Our next guest was a student back in 2007:
– For me what was going on was riots in the streets, which was something completely unseen for a Northern European country. You don’t see them often, I think it was pretty much the only occasion when something like that has happened. Windows were smashed and you saw some small fires in the streets.
People flooded the streets, but something else happened. Estonia is a small country, and also unusually Internet dependent, and its websites were flooded too. Millions of computers tried to access them simultaneously, a bit like too many people trying to get through the front of the shop at sales time with the result that no one gets in. This type of attack, which takes websites offline, has a name – DDoS, a distributed denial-of-service attack. As well as the media, the attack struck a heart of the country’s financial system. In 2007 Yan Prislaw was head of IT security for one of the country’s largest banks.
– Usually we have some kind of warning. But then there was no warning, you simply see that your customers are not reaching you for some reason. Maybe you have some overloads in some places in your infrastructure, but basically you’re seeing that the number of customers who are actually reaching your systems is dropping.
– And you could see that at the time?
– Something was going wrong.
Estonia has always been convinced that Russia was behind the attacks because of the diplomatic crisis over the statue at the time. Although proving definitively it was the Russian state, and not just patriotic activists, is hard. Toomas Ilves had just become President of Estonia the year before the attacks.
– If you are a country that already then was as dependent upon information communication technology, it can be quite distressing. I mean, banks could not operate for a while; briefly, even the emergency number 112 was under attack. This could have had major implications for people’s lives.
The attack on Estonia largely involved taking websites offline. In 2010 came the game changer. The target was Iran’s nuclear facility at Natanz, which Western countries fear is being used to make material for nuclear weapons. The method of attack, a virus called Stuxnet, broke through from the digital into the real world with destructive effect. John Bumgarner has worked in US special operations and intelligence:
– The person behind these attacks had to make the decision: should they use a bomber or some type of strategic airstrike to destroy the facility or use a piece of cyber weapon, a piece of code? And they made a logical decision to use the code, because the code could be stealthy, it had very little attribution to it, and it could do destruction, but at a slower pace. If they were to pick the bomb to do a military strike, that would have potentially led to some type of conflict, a war, and it would have cost nearly a trillion dollars to deal with that. And Stuxnet was a very cost effective way to deal with the Iranian problem.
Stuxnet caused the centrifuges at Natanz, which enrich Uranium, to spin out of control whilst telling the operators that everything was fine. The machines crashed into each other, setting back Iran’s nuclear program, although only by a matter of months. The virus was carefully engineered to only damage Iran. But it escaped into the wider world, where it was analyzed by hackers and computer experts. Among them Eugene Kaspersky in Russia:
– We were waiting for something like this. That was the first time we had the cyber missile in our hands, and that was really scare.
– Do you believe it has to be in a state then?
– I don’t know who is behind these projects like Stuxnet, but I’m pretty sure that’s not criminal gangs, because these software projects are expensive, and they estimate Stuxnet like 10 million dollars budget to develop this kind of software.
So, who was responsible? Behind me is a huge black building. It’s home to America’s largest and most secret intelligence organization, the National Security Agency. For decades its job has been to spy on the world’s communications to break their codes. Now this place is also home to the US military’s Cyber Command.
Cyber Command became operational alongside the NSA the same year Iran was hit, 2010. America, perhaps with Israel, is accused of being behind Stuxnet. Neither will confirm it, but they certainly have the capability. General Michael Hayden, a former director of the NSA, proudly describes its headquarters as home to the greatest concentration of cyber power on the planet.
– It will be irresponsible for someone with my background to even speculate as to who was involved with Stuxnet. But it’s not speculation to know that someone just used a cyber weapon to effect damage not in the cyber domain, but in the physical domain. That’s the first significant crossover that we’ve seen. Now look, I tell audiences that crashing a thousand centrifuges at Natanz is almost an unalloyed good. When you describe what just happened there in several different ways: someone just used a cyber weapon during a time of peace to effect physical destruction, and what another nation would only describe as their own critical infrastructure. You’ve got to realize that although it was a good deal, it was also a really big deal. It does have second and third order effects.
– I think you recently described it as an August ’45?
– I did. It’s far different destructive power. But it just has the worth of August 1945; a new class of weapon has been used. Go deeper into history and, say, somebody’s crossed the Rubicon. We’ve got to lead you on the different side of the river now.
America was the first to use the atom bomb. The debates over the morality of that decision reverberate to this day. In the same way some question whether the release of Stuxnet will be judged worthwhile. Richard Clarke, former White House cyber coordinator:
– I think there are people in the Obama administration who think Stuxnet was not well done: a) we got caught, b) it went too early, and c), most importantly, it escaped onto the Internet, which it was not supposed to do. And people downloaded it all around the world. And they decompiled it and learned how it works.
Read previous: Under Attack 4: Cyber Threats to Critical Infrastructure