Cyber defence
Terra incognita of cyber conflict
By Ahto Lobjakas | Wednesday 18 November 2009
The theme of cyber conflict could be likened to an unexplored continent - but that would probably be an understatement.
Its subject matter covers a vast array of offences. At the more diffuse end of the spectrum, these range from randomly distributed viruses and other malware designed as simple pranks or criminal vehicles for identity theft to ‘denial of service’ attacks, which can overwhelm and bring down websites and servers. Even more direct attacks are also possible, when government systems are hacked or key public infrastructure facilities brought down. At the other extreme of this scale lies interference with hardware - such as computer chips.
Such attacks can affect a multitude of spheres of life. Equally, there exists a proliferation of perpetrators and motives, ranging from the humdrum and individual to well-coordinated, government-backed action. Government involvement in cyber attacks has so far never been publicly proven, but in a number of cases overwhelming circumstantial evidence has pointed, above all, to China and Russia.
VICTIMS
In terms of victims, Estonia stands out so far as the only target to suffer a country-wide attack. During a few weeks from late April to late May in 2007, two waves of (mostly) ‘denial of service’ attacks repeatedly and at length brought down, among other things, government websites, news portals and banking networks.
At the time, Hillar Aarelaid, the director of Estonia’s Computer Emergency Response Team (CERT), said that during the two peaks in the attacks - on 10 and 15 May 2007 - Estonia first lost 50% of its “bread, milk and gasoline” for 90 minutes and then 75% of the same commodities for another five minutes when card payments became impossible as banking networks shut down.
Estonian authorities later said the attacks originated from up to a million computers worldwide. Most of them acted as ‘zombies’ gathered into ‘botnets’, participating in attacks without their owners’ knowledge after having been infected with malicious software. But a certain proportion of the cyber assault appears to have been carried out by so-called ‘hacktivists’ - individuals acting on instructions, which were widely circulated in Russian-language net forums.
Estonian authorities accused the Russian government of organising the attacks in retaliation for an Estonian decision to remove a World War Two memorial from central Tallinn. Later, a prominent Russian Deputy, Sergei Markelov, assumed responsibility for some of the attacks. A Schengen visa ban was imposed on him by Estonia, but was later removed after EU officials in Brussels discreetly objected to the use of the sanction.
The Estonian case illustrates the novelty of the threat, the technical complexity of pursuing cyber attackers, the legal ambiguity involved, as well as the sheer unpredictability of the implications of such attacks.
Members of a NATO support team, who arrived in Estonia within days of the first wave of attacks in May 2007, reportedly said they had “learned as much as they had helped”.
The Estonian government claimed it was a victim of a “cyber war,” pointing to the scale of the attack, which for a small, internet-dependent country (51% of all Estonian households had broadband connections in May 2007) with an open economy proved particularly debilitating. Although it never decisively proved Russian government involvement, Estonia has also been quietly lobbying NATO to broaden the remit of its Article 5 mutual defence commitment to extend to cyber attacks.
Although no direct military threat was involved in 2007, Estonia’s cyber defence strategy, adopted in 2008, argues that cyber attacks are a national security threat “permitting an attacker to from a distance and with minimal means significantly damage” the economy and the state’s “critical information infrastructure”.
SOME SYMPATHY
There was some sympathy with the Estonian position. A senior US official at NATO in 2008 compared the impact of the Estonian cyber attacks with those of 11 September in 2001. US General James N Mattis, announcing a decision to set up a NATO cyber defence facility in Tallinn, listed cyber defence alongside the defence of the allies’ land, sea and air borders.
The former head of NATO’s European command, General Wesley Clark, maintains in an article in Foreign Affairs (November 2009), co-authored by Peter Levin, that “Russia has already perpetrated ‘denial of service’ attacks against entire countries, including Estonia, in the spring of 2007”.
But NATO has avoided publicly blaming Russia. At the 2-4 April Bucharest summit, the alliance committed itself to providing assistance to members under cyber attack, but said member states themselves remain responsible for the protection of their critical infrastructure. Secretary-General Anders Fogh Rasmussen has said a debate on cyber attacks will be conducted within the ongoing review of NATO’s strategic concept.
Russia is a strategic partner for both NATO and the EU, and the issue is therefore highly charged. No proof of Russian authorities’ guilt has been made public.
Nestor Ganuza-Artiles, a Spanish official at the Estonia-based NATO Cyber Defence Centre, is quoted in the daily El Pais, on 2 November, as noting that such attacks “can be hidden with relative ease”. Other experts have noted that countries can easily be “framed”. For example, a series of attacks on the website of Radio Free Europe-Radio Liberty in 2008 led investigators to the island of Borneo.
NATO’s prevarication is also evident in the fact that the Cooperative Cyber Defence Centre of Excellence in Tallinn is not part of its command structure, but a voluntary venture involving only some of its member states.
NATIONAL PREOCCUPATION
In practical terms, cyber security remains very much a national preoccupation. All 27 EU member states have their own Computer Emergency Response Teams, as does Russia. The United States, which has so far mostly suffered from hacking attacks, has also taken steps to strengthen its cyber defences.
International and domestic legal regimes are patchy and varied. The Council of Europe (CoE), in 2004, adopted a convention on computer crime, whose main object is to standardise the signatories’ national legislation. The EU, in 2005, adopted a directive on cyber attacks, which builds on the CoE convention, but its jurisdiction is limited to the bloc itself and it is tailored to the needs of its common market.
All of this leaves victims of cyber attacks two broad options. For powerful countries, such as the US, such attacks remain a domestic concern to be addressed with national resources. Smaller countries, like Estonia, currently have no other recourse than appeals to international organisations for improved and more effective international regulation of the issue.
In the absence of the latter, the smaller countries can also opt for ‘asymmetrical’ measures. Estonia, for example, has invited IT experts from the private sphere to join an informal ‘cyber territorial army’. Leading Estonian experts have hinted on occasion at ongoing work on developing a ‘counter-cyber weapon’ to be deployed in case of an attack, which would deliver a single overwhelming strike against the attacker.
These novel ideas are not without their drawbacks. Counter-attacks presuppose established culpability. Also, limiting their effects to the confines of a single country might not be possible.
Involving private citizens in state-run cyber defence facilities raises the issue of the limits of their powers, and, in a broader sense, of government control and responsibility over their actions.
There are other ideas. Estonia’s Defence Minister Jaak Aaviksoo suggested in a speech to the George Washington University, on 3 November, that “cyber deterrence” should start with the responsibilities of private individuals - entailing in future, for example, “the obligation to protect their computers by means of anti-virus programmes”.