Expert dissects Estonian cyber-war

Cyber-attacks on Estonia began in late April

A security researcher involved in defending against last year's web attacks on Estonia has shared his account of the crisis, and is offering advice on how to prevent similar assaults in the future.

Gadi Evron has published an article in the Georgetown Journal of International Affairs detailing his experiences in helping Estonia's government defend against a "cyber-riot" from Russian nationalist hackers.

The attacks began in April 2007 when authorities from the former Soviet state disclosed plans to move a Russian World War II memorial out of a town square and into a military graveyard.

An outcry from ethnic Russians in the country led to a series of real-world riots as well as an outbreak of cyber-attacks on Estonian government websites.

The attacks were especially devastating for Estonia, which has become highly reliant on web-based services in recent years.

"While the exact source of the attacks remains unknown, evidence suggests a highly organised assault," wrote Evron.

"Not only did the cyber-riot start almost simultaneously with the actual riots, but fresh posts in the Russian-language blogosphere appeared with new targets and instructions."

Evron claims that the Estonian government went so far as to lobby the EU to pressure the Russian government to step in, a move which was ultimately blocked for diplomatic reasons.

The attacks began soon after. Fuelled by Russian-language blogs and websites, a mob of users joined with botnet controllers to attack Estonian government sites, and then target the country's banks and news outlets.

The government enlisted its own computer emergency response team to defend against the attacks along with volunteers and outside security consultants.

While the team was eventually able to weather the attacks, Evron said that the process might have been slowed by a lack of clear leadership.

"The Estonian response team was able, to a degree, to mitigate the impact of the attacks," he wrote. "But due to its ad hoc, unofficial status, it lacked the authority to enforce its recommendations on all parties involved."

Evron suggested that all governments need to develop a plan for responding to a cyber-attack and establish a clear chain of command.

"Public and political attitudes to cyber-crime must change, and law enforcement must be given greater resources to cope with its growing presence in the virtual community," he said.

"Different national law enforcement agencies and operations should collaborate and establish a common framework that will help trace recent developments involving internet security in a significantly faster fashion, as current measures have completely failed to cope."

• Gadi Evron: Battling Botnets and Online Mobs (PDF)