April 26, 2017
A Decade After "Web War 1," Former Estonian President Blasts EU Cyber Inertia
By Teri Schultz
“I think the [European] Commission, in particular the high representative [Vice President Federica Mogherini] and the agency that she leads [European External Action Service], is being particularly remiss in addressing fundamental threats,” Ilves said.
“The external affairs people, they’re dealing with issues that, of course, are important but not of life and death importance to the European Union... we do not see attention paid to the fundamental threats to democracy within the members of the European Union,” he added.
This week marks the tenth anniversary of the first real act of cyber war—colloquially referred to as “Web War 1”—on Estonia. Ilves was president at the time. Estonia immediately blamed—and still blames—Moscow but was not able to pin down perpetrators from the Russian government in the ensuing investigations. A pro-Kremlin youth group eventually claimed responsibility for the attacks and one man received a light sentence. A decade later, the US Congress is holding hearings, some of which feature Ilves as a witness, about how deeply the Kremlin may have intruded into the American political process.
The Dutch went back to paper-and-pencil balloting in March to avoid Russian hacking and there's continuing nervousness about potential Russian influence in the ongoing French elections and impending German vote. “You have a shaky situation on the ground—let’s put it this way—in the European Union in terms of its future,” Ilves warned. “If you do not meet the needs of the of the members then what is the point of traveling around the world dealing with arcane issues?”
Ilves says there’s no excuse for this. “One of the problems is that many political leaders don’t really quite get it. They don’t understand the technology and then they will repeat things that they’ve heard such as ‘Oh well, we never really know who actually did it,’” he said. “In fact, that’s not true. In fact, we’ve gotten to the point where, though it may take a little bit of time, you can have a very high level of confidence in ascribing the source of an attack and it’s not simply looking at the code that’s used—though even that provides you a lot of information—but other sources as well, including human intelligence.”
Ilves, who’s currently a visiting fellow at Stanford University, fears there will be a high price to pay for this technological laziness and that we are watching that tab climb already. He believes the possibility of “little green men” scrambling over the border into the Baltics, a la Crimea and Donbas, is becoming more remote as the Kremlin’s methods of gaining influence by other means are working so well.
“My gut feeling is that they have been so overwhelmingly successful in manipulating democratic elections, why bother getting destructive?” he explained. “If you can put in place governments that are favorable to you, I mean, why get into the really nasty stuff?”
The cyberattack in Estonia in April of 2007 followed a decision by the Ilves government to move a Soviet-era statue of a soldier from downtown Tallinn to a cemetery on the outskirts of town. This was highly unpopular among Estonia’s ethnic Russian residents and citizens, about a third of the population, and riots broke out. On the morning of April 27, 2007, Estonians woke to find the websites of their banks, government, newspapers etc. all shut down, a situation that would continue for more than two weeks.
“Digital attacks, of course, had been around for a long, long time, mainly for spying or for theft, but having it directly as a political act designed to punish a country, it was the first time it happened,” Ilves said. “It fits kind of the Clausewitzian definition of ‘continuation of policy by other means.’”
The straight-speaking Ilves is accustomed to being out front; he recalls allies and partners being in denial following the 2007 cyberattack. “[W]e were met by incredulity on the part of even NATO, saying ‘No, no, how do you know? Can we really be sure? And what does it all mean?,’” he remembers.
In the decade since, NATO has gradually acknowledged the power of such weapons, last year formally adding “cyber” as a warfighting domain along with sea, land, and air, signifying that Article Five of the Washington Treaty—collective defense—could potentially be invoked in case of a severe enough attack on an ally. Ilves credits the Alliance with having moved quickly in 2008 to activate a Cyber Defense Center of Excellence in Tallinn, chuckling that this was an “own goal” for Russia, since Estonia had proposed the center already in 2004. “Web War 1” sped up recognition it was needed to research, coordinate, and train experts in the ever-evolving capabilities of the Internet.
In 2013, the center produced the Tallinn Manual on the International Law Applicable to Cyber Operations, with an updated version earlier this year, which is the most comprehensive compilation of thought on how international law applies to the Internet.
Ilves urges everyone to get up to speed. “Ultimately [it’s] the same law if someone shoots a missile at your electrical power plant and destroys it and if someone directs malware there and destroys it,” he noted. “The effect in the context of international law is the same. An aggressor has destroyed something on your territory that is of vital importance to the civilian population.”
Teri Schultz is a Brussels-based freelance journalist. You can follow her on Twitter @terischultz.