S E C R E T SECTION 01 OF 04 TALLINN 000374
SIPDIS
SIPDIS DEPT FOR EUR/NB
E.O. 12958: DECL: 06/06/2017
TAGS: PREL, PGOV, ECON, ETRD, NATO, RS, EN
SUBJECT: ESTONIA'S CYBER ATTACKS: LESSONS LEARNED
REF: A) TALLINN 366 B) LEE-GOLDSTEIN EMAIL 05/11/07 B) TALLINN 347
Classified By: Charge d'Affaires Jeff Goldstein for reasons 1.4 (b) & (d)

1. (S)
Summary. On April 27, Estonia became the unprecedented victim
of the world's first cyber attacks against a nation state.
Although an analysis of events is ongoing, this event
demonstrated the vulnerability of both government and private
sector internet infrastructure. Working together with Estonian
cyber security experts, the Ministry of Defense (MOD) is
preparing a report analyzing the crisis, evaluating the
strengths and weaknesses of the Estonian response, and
recommend changes to Estonia's cyber defenses and security.
The GOE and Estonian cyber defense experts all agree that
while they successfully responded to these attacks, they will
need to improve Estonia's defenses to prevent what they
described as the nightmare scenario: a shutdown of Estonia's
internet infrastructure as a result of more serious attacks at
some point in the future. End Summary.

The Nature of the Attacks
-------------------------

2. (SBU)
Starting on April 27, Estonia became the world's first victim
of cyber attacks against a nation state's political and
economic infrastructure. For over a month, government,
banking, media, and other Estonian websites, servers, and
routers came under a barrage of ever-shifting and coordinated
cyber attacks that tried to shut down specific strategic
targets (Ref A). Unlike traditional cyber attacks which try to
"hack" into a system, the attacks against Estonian sites used
the basic architecture of the internet to disrupt their
operation. At Post's request, Lt. Colonel Broderick, a EUCOM
cyber defense expert visited Tallinn to assess the situation
April 16-18. Broderick opined that it is not technically
feasible to prevent attacks of this nature, no matter how
sophisticated a country's cyber-defenses are. However, due to
Estonia's rapid response, the attacks did not seriously
threaten Estonia's cyber network and infrastructure.

3. (C)
The cyber attacks exposed the strengths and weaknesses of
Estonia's cyber defense system. Hillar Aarelaid, Head of
Estonia's CERT (Computer Emergency Response Team), told us
that the Ministry of Defense is preparing a report to submit
to the GOE by the end of June. Based on our discussions with
GOE, CERT, and private Estonian cyber security experts, it is
clear that the Estonians are working furiously to analyze
where their cyber defenses and protocols worked, failed,
and/or need improvement. Although these cyber attacks were
unprecedented in nature, our Estonian interlocutors all agreed
that the outcome could have been much worse. They also note
that the MOD's report notwithstanding, the impact on cyber
defense policy for both the public and private sectors will be
discussed and felt for a very long time. The following is a
summary of GOE "lessons learned" from these attacks.

Lessons Learned: What Worked
----------------------------

4. (SBU) STRENGTH IN BEING SMALL. With a population of 1.3
million people, Estonia's small size was its strongest asset
in reacting rapidly to the cyber attacks. Estonia's CERT, the
GOE's Cyber Defense Unit, and private IT Security Managers all
knew each other for years before the crisis and were, thus,
able to work closely together. Information sharing and
decision making were rapid and flexible. Everything was
handled - from the working level to the leadership - in an
almost seamless fashion throughout the attacks. "We're talking
about a group of ten key people in

TALLINN 00000374 002 OF 004

the government and private sector who've known each other for
years, trust one another, and all have direct access to each
other" Jaan Priisalu, IT Risk Manager for Hansabank, commented
to us. "Therefore, there was no inter-agency bureaucracy or
red tape to cut through."

5. (C)
E-VOTING. In March 2007, Estonia held the world's first
national election where e-voting was used. From the outset of
the crisis, the e-voting security team was immediately
seconded to CERT and became a vital asset in responding to the
attacks. Although Estonia's CERT has only two full time staff,
Aarelaid said he was able to call upon a roster of 200
programmers and security experts from the e-voting security
team to ensure a 24/7 response mechanism against incoming
cyber attacks. As the e-voting team was already at work on
next generation security measures (in anticipation for
Estonia's 2009 local elections), there was no need for them to
"catch up" according to Aarelaid. These experts were
invaluable in addressing the wide variety of attacks (e.g.,
bots, spam, DDoS, Trojan Horses, etc.).

6. (C)
INFORMATION GATHERING. Our MOD interlocutors credit Estonian
law enforcement and cyber security experts' (public and
private) close monitoring of Russian-language internet forums
as key to CERT's ability to rapidly respond to the attacks. On
April 28, less than 24 hours after the first cyber attacks,
Russian-language internet forums (e.g., http://2ch.ru and
http://forum.xaker.ru) were exhorting people to attack
specific GOE websites and offering links to software tools.
Patient monitoring of these internet-forums led to
intelligence on targets, dates, and exact times for
coordinated attacks. Mihkel Tammet, MOD Director for
Communications and IT, told us privately that without this
information, the cyber attacks against GOE sites could have
inflicted far more damage than they did.

7. (C)
SECURE ONLINE BANKING. Hansabank and SEB successfully
weathered the cyber attacks against them because of defensive
measures and procedures already in place. According to CERT,
the banks' procedures are in many ways superior to the GOE's.
Priisalu said that due to the longstanding problem of cyber
crime in the region - often with banks as prime targets - the
banks were well prepared for the attacks. For example,
Priisalu told us, organized gangs have employed bot attacks in
the past. As a result, Hansabank had the necessary cyber
security measures in place to defend against this type of
attack. In the end, Hansabank-s sites successfully repelled
every attack and were able to provide their Estonian customers
access to their online accounts. (Note. Almost 90% of all
financial transactions (e.g., bill payments) are done online.
Hansabank and SEB alone handle over three-fourths of that
traffic. End Note.)

Lessons Learned: What Failed
----------------------------

8. (S)
FORMAL PROCEDURES. Lt. Broderick told us he believes that
Estonia-s formal and institutional procedures for responding
to cyber attacks failed completely. Throughout the crisis, ad
hoc meetings and decision making based on established informal
contacts and relationships were used to disseminate
information - instead of formalized institutional channels
with clear communication chains. Additionally, Aarelaid told
us that the GOE did not keep an official record or log of
decisions and actions taken during the crisis. Consequently,
it is uncertain how thorough the GOE's post-crisis assessment
or efforts to improve Estonia's formal cyber defense
procedures will be. Aarelaid explained that neither CERT nor
the GOE had the personnel to "put out the fire and also act as
a secretary to take down the minutes." (Note: Aarelaid's
claims of staff shortages are somewhat questionable given that
he told us that neither he nor any of his staff had to work

TALLINN 00000374 003 OF 004

over-time during the cyber attacks. End Note.)

9. (S)
LACK OF CENTRALIZED GOE POLICY. MOD interlocutors admitted
that there was no consistent GOE policy across ministries on
cyber security, broadband capacity, and information sharing.
For example, some ministries use static websites while others
use more vulnerable dynamic websites. Ministries also use
different internet providers which have different security
procedures in place. This unnecessary complexity made initial
information sharing between ministries more cumbersome and
confusing, especially for ministries with fewer resources for
IT risk management (e.g., the Ministry of Population, Ministry
of Education, Ministry of Culture, etc.). Mihkel Tammet, MOD
Director for Communications and IT, told us that creating a
consistent policy for the various ministries will be a key
recommendation in the MOD's report.

10. (S)
MONITORING. The cyber attacks also exposed Estonia's total
lack of a comprehensive monitoring system. Estonia does not
have a national IP (internet protocol) network of sensors to
precisely monitor traffic for cyber attacks. As a result, the
GOE and CERT did not have any hard data on the number of
computers and/or servers that were used in the attacks. Aivo
Jurgenson, IT Security Manager for Elion, Estonia's main
telecommunication and IT provider, told us that his company
relies on U.S.-based Arbor Networks to monitor its network.
Our MOD and private sector interlocutors all agreed on how
important it was for Estonia to have its own monitoring
network, but they could not confirm on the likelihood that the
GOE would invest in this infrastructure upgrade.

11. (S)
WHACK-A-MOLE. In the initial stages of the cyber attacks, the
Estonian method of response was to block each and every attack
through its corresponding ISP address as it happened. EUCOM's
Broderick dubbed this the "whack-a- mole" response and opined
that prior to April 27 this approach might have been
sufficient. However, the sheer volume of the recent cyber
attacks quickly overwhelmed the Estonian defenses. CERT,
Elion, and the GOE's Cyber Defense Unit were eventually forced
to apply broader and more stringent filtering mechanisms on
all internet traffic to prevent the attacks from entering
Estonia. Broderick observed that unlike the United States and
many European Union members who routinely filter foreign
internet traffic, prior to the recent attacks, the Estonian
network filtered very little foreign traffic.

12. (S)
INDUSTRY VULNERABILITY. While Hansabank and SEB successfully
weathered the cyber attacks, many other smaller private
Estonian sites that were attacked were overwhelmed. With no
industry standard or best practice in place in Estonia, many
smaller businesses and/or private organizations (e.g.,
schools, NGOs, etc.) did not have the technical expertise or
financial means to ramp up their broadband capacity. Aarelaid
claimed that CERT's log of complaints and reported cyber
attacks since April 27 is over 10 Tb (Tera bits). (Note. One
TB is equal to one million Mega bits. To put this in
perspective, the entire content of the online U.S. Library of
Congress uses less than 10 TB. End Note.) As the majority of
Estonian (SME) small and medium size enterprises employ online
services as part of their daily business, the GOE is now aware
that an industry standard with readily available cyber
defensive software, tools, training, and public
awareness-raising must become a part of Estonia's cyber
defenses.

Lessons Learned: Nightmare Scenarios
------------------------------------ 

13. (S)
TARGETING KEY ROUTERS AND SITES. Our Estonian interlocutors
all agreed that even during the attacks' peak, Estonia's cyber
network was not in any serious danger of being shut down. In
some ways, Estonia was lucky. Rein Ottis, MOD Cyber Defense
Chief, noted that had the attacks

TALLINN 00000374 004 OF 004

specifically targeted Estonia's key servers and routers, they
could have shut down Estonia's entire cyber infrastructure. On
May 4, two routers belonging to the GOE and Elion were attacked
with an unknown data packet that crashed the routers almost
immediately. Aivo Jurgenson, Elion IT Security Manager, told
us that if enough key routers and/or servers were shut down,
it would be the internet "equivalent of blowing up key roads
and intersections in the city Tallinn to bring all traffic to
a halt."

14. (S)
UNANNOUNCED AND BETTER TIMED ATTACKS. Most of the cyber
attacks were discussed in advance on Russian-language internet
forums, giving the Estonians the opportunity to ramp up
broadband capacity in advance. Tammet told us that the
perpetrators gave away the element of surprise and often timed
their attacks in the evening (when Estonia's internet usage is
at its lowest). Had they not made these mistakes, Tammet
opined that the attacks could have shut down their GOE targets
for up to a week. Aarelaid was thankful that they had advance
information about the May 15 attacks against Hansabank and
SEB. However, many of the attacks which employed bots were
unannounced and far more challenging, and in some cases did
crash their targets. If all attacks had been like this, Tammet
and Aarelaid could not confidently predict whether Estonia's
defenses would have held.

15. (S)
2ND TIER STRATEGIC ATTACKS. Estonia's banks were generally
well prepared for cyber attacks. However, the economic impact
could have been worse if the attacks had focused on 2nd tier
strategic targets which possessed less formidable defenses
(Ref B). Jurgenson speculated the fallout would have been far
more significant if Estonia's logistic-transport companies had
been attacked. "As over three-fourths of all grocery stores,
petrol stations, and shops rely on the internet for their
orders and deliveries," asked Jurgenson, "can you imagine the
damage this would bring? Cyber crime seems abstract to most
people. There's nothing abstract about empty shelves in
stores." Aarelaid also listed a whole range of other strategic
services and businesses that would have been far easier to
crash than the banks. The MOD felt that Aarelaid's
descriptions were far fetched, bordering on "science fiction."
However, when we mentioned Tammet's comments to Priisalu, one
of Estonia's leading cyber security experts, he felt that
recent events have changed the parameters of the debate on
possible threat scenarios. He said, "Last year, I would've
considered a cyber war against my country as science fiction,
too - but not anymore."

GOLDSTEIN