TALLINN, Estonia — It was a horrific scenario.
The African island nation of Boolea was reeling from an attack by religiously inspired insurgents. Then a deadly cholera epidemic struck.
Local authorities were quickly overwhelmed. Only an international coalition force and a handful of aid organizations held the country together.
Then came the coup de grace: A sophisticated cyber attack struck the computer systems of the aid workers and international troops, severely degrading their response capabilities.
Vital food and medical supplies faced disruption. The downing of communications between the government and coalition troops risked giving the insurgents the upper hand.
That’s when the coalition’s 10-member cyber defense force was called in and given two days to beat off the attack and avert disaster.
In the midst of the crisis, in an army barracks built for the Russian Imperial Army on the banks of the Baltic Sea, a pony-tailed young man spearheading the insurgents’ cyber strike leaves a control room filled with blinking computer screens. He brushes past a group of visiting Western diplomats and military officers — to help himself to another Diet Coke.
The Boolea attack is fiction, the center-piece of operation Locked Shields, a “live fire” cyber exercise run by the NATO Cooperative Cyber Defense Center of Excellence in late April, to test the rapid response capabilities of allied cyber units.
Among the “red team” playing the part of the villainous insurgents are volunteer geeks from the private sector. They were called away from their day jobs — “penetration-testing” the systems of financial institutions and major corporations — to spend a couple days outwitting crack NATO electronic defense teams scattered around Europe.
“We use the same techniques as pen-test companies use, also the same techniques cyber criminals use,” explains Col. Artur Suzik, the Estonian infantry officer who runs the center.
It may have been just a war game, but participants say the scenario realistically portrays the threats facing the North Atlantic Treaty Organization as cyber defense emerges at the frontline of alliance strategic thinking.
“If the bad guys are teaming up to do things better, then actually we should be teaming up as well,” says Kristiina Pennar, spokeswoman for the cyber center. “We would like to believe that the guys on the defense side are one step ahead. That’s what we are working toward.”
Fending off cyber espionage or attempts to hack alliance systems has become routine, says Jamie Shea, who heads NATO’s Emerging Security Challenges department.
“What NATO is experiencing is pretty much what banks and companies, scientific laboratories and pretty much everybody else is experiencing these days,” Shea said in an interview from alliance headquarters in Brussels, Belgium.
“Most are easily parried, pretty much like putting up an umbrella in the rain.”
Last year, the NATO Computer Incident Response Capability responded to more than 2,500 cases. That works out to an average of seven cases per day.
Most of the online incidents were dealt with automatically, using special detection sensors, scanners and firewalls. More serious incidents crop about 10 times a month, NATO officials, say. They can include targeted emails with dangerous attachments, probes looking for vulnerabilities in NATO’s defenses or denial of service attacks.
Despite the diverse nature of the threat and the increasingly sophistication of the attacks, NATO’s cyber defenders are proud that the alliance reached the end of 2012 without any major disruption to its network services.
The alliance however is painfully aware of the danger of a major system-destroying attack that seeks to corrode the West’s military defenses, or trigger a disastrous real world event by, for example, interfering with air traffic control, power grids or other critical infrastructure.
NATO’s 2010 Strategic Concept — a roadmap for the decade — recognizes a growing cyber threat from terrorists, organized crime, foreign militaries and intelligence services. These “can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability.”
The center here in Tallinn acts as a training and research center, developing strategy and identifying risks and communicating these ideas among allies.
Nightmare scenarios include the prospect of enemy hackers cutting off vital fuel supplies, triggering a missile strike, or opening up dams to cause catastrophic flooding.
“Let’s imagine that state A decides it is going to target state B’s water purification plant and in particular the computer mechanism that controls the purification of the domestic water supply,” suggests Prof. Bill Boothby, an expert on the legal implications of cyber war.
“It’s going to introduce toxins into the water that nobody can detect,” he explains. “Parallel processes make those who are monitoring believe everything is operating normally, so the first indication you get that something’s wrong is when the kids start turning up in the hospital very ill.”
How nations can respond to such an attack is a legal grey area. Boothby, who retired in 2011 as deputy legal director of Britain‘s Royal Air Force, was one of a panel of international specialists commissioned by the Tallinn center to outline how the laws of war apply to cyberspace.
The so-called Tallinn Manual, published in March, controversially concluded that nations would be in their rights under international law to respond with bombs or bullets against cyber attacker that caused death, destruction or damage on a significant scale.
The manual triggered headlines suggesting NATO had given the all clear to kill hackers, and accusations it would lover the threshold for a military response.
Although NATO officials point out that the 300-page manual is not an official alliance document, it is expected to be influential in the policies of allied nations.
Shea says only the most damaging cyber attacks would likely trigger a kinetic response. He insists the allied militaries need to have that option.
“That which is not permissible in the real world, does not become permissible because it’s in cyberspace,” he contends. Hackers “can’t believe they can do terrible things in cyber space and get immunity because it is done with electrons rather than bombs.”
The Tallinn experts were unable to agree on whether the 2010 Stuxnet computer worm — widely reported to have been launched by Israel and the United States to disrupt Iran’s nuclear facilities — constituted an “armed attack” that would have entitled Iran to use force in response.
They also disputed whether a cyber strike that caused only economic damage — such as taking down Wall Street — would be legal grounds for a missile strike.
A smokeless gun
One major problem in responding to a cyber attack is the difficulty in determining where it is coming from. In 2007, Estonia was hit by a massive denial of service attack that tried to overwhelm the network systems of the country’s banks, media and government agencies. At the time, the country was embroiled in a dispute with Russia over its decision to relocate a Soviet-era statue.
Although suspicion immediately fell on some sort of Russian involvement, conclusive evidence pointing to a Kremlin-sanctioned operation has never been found.
Nevertheless the Estonia attack inspired a turning point in NATO’s cyber defense approach, leading to the founding of the Center of Excellence the following year and galvanizing military preparations for future events. One of Europe’s most digitally connected countries and with real experience at the sharp end of a cyber attack, Estonia was the logical place to locate it.
After breaking away from Soviet rule in 1991, the Baltic nation of 1.3 million quickly spotted a bright future by investing in emerging digital technologies.
Within six years, 97 percent of schools were connected to the internet. Skype and Kazaa were developed by Estonians, and 99 percent of bank transactions now occur online. The country’s embrace of the digital sphere led some to nickname it e-Stonia.
In 2002, Estonia introduced electronic ID cards, enabling citizens to do just about everything online — from paying their taxes, to voting, signing official documents or launching new businesses.
“You can establish a company legally in 15 minutes just using this ID card, or do lots of stuff that in other countries you’d have to spend time sitting in line for hours or days,” says Tarmo Randel, head of the government’s Computer Emergency Response Team. “This is actually really cool.”
Of course there’s a downside to being among the world’s most wired countries.
“Everything is digital, so [we] are beginning to be more and more vulnerable,” Randel told GlobalPost.
That became clear during the 2007 attack, when hackers laid virtual siege to the country for four days. Estonian tech defenders are proud of the way they beat back the digital invaders.
“There was an image that we were down. That’s not correct,” Randel says. “It caused some sleepless nights for administrators, and some systems were down for tens of minutes or a couple of hours, but people did their jobs well … ordinary people barely noticed.”
Nevertheless, the attack was a wake up call that greater cooperation was needed internationally and within the country to prepare for future attacks.
Since the 2007 assault hit headlines around the world, Randal says such events have become bigger, more sophisticated and more frequent. “Things are constantly happening, there is no down time.”
Each day his teams confront defaced pages; drive-by infection-spreading sites; malware infected homes and companies; and attempts at major security breaches.
So far, the defenders have mostly been able to neutralize them before they create a major disruption but officials stress that complacency is not an option.
“We live increasingly in fragile glass houses where this is concerned,” says Boothby. “Every time that we replace a card index with a computer system we increase our vulnerability, and there are very few card indexes left.”