Business Daily from THE HINDU group of publications, Monday, Jul 02, 2007
eWorld - Security Columns - Security Musings
A loud wake-up call
R.K. Raghavan
It is hard to explain how many of us in India allowed a recent major occurrence in cyberspace to go past us without a public debate. My reference is to the unmitigated attack on Web sites in the tiny Balkan State of Estonia in late April and early May that brought life there almost to a standstill. Although it has just a 1.3-million population, Estonia is often called E-stonia for the incredibly high computerisation of the day-to-day activities of its citizens, whether it be payment for petrol or parking or filing tax-returns. All banking transactions in the country are almost wholly electronic. Would you believe it, the average Estonian casts his vote at general elections by the same medium? I wish we had this facility in India, the only way we can at least marginally push up the percentage of polling, which remains a miserable 60-65 per cent at the best of times.
The trigger
It all happened with the decision of the Estonian Government to remove a Soviet war symbol from a park in capital Tallinn and relocate it elsewhere. This sparked off protests from the Russian Government and ethnic Russians living in Estonia. There were riots on the streets in which one person was killed and nearly 150 injured.
Within hours, an unprecedented electronic aggression started. Many Estonian Government and private sites came under a furious attack. This took the form of the now familiar Distributed Denial of Service (DDoS), against which the most sophisticated security systems have precious little by way of defence. According to one report, even the computers at the offices of the President, Prime Minister and Parliament were flooded. The mail server at Parliament, for instance, was totally put out of action by an avalanche of junk mail.
On May 10, at the peak of the operation, which many public officials in Estonia believed was inspired by the Russian Government, the attacks were directed from various parts of the world. As readers are aware, DDoS achieves its objective of paralysing networks through an overwhelming number of requests for information from a large number of computers at about the same time. About a million ‘bots’, which are infected computers or those hijacked for questionable purposes, were believed to have been used from countries as far away as the US and Vietnam.
All the preventive measures taken by Estonia’s CERT (Computer Emergency Response Team) chief, Hillar Aarelaid (a former police officer), including the firewalls he had assiduously put up since he took over the job a year ago, were unequal to the task. Apart from newspapers, schools and other institutions, banks (including Hansapank, the largest in the country, and the Swedish-owned SEB Eesti Uhispan) experienced an unprecedented slowdown. It took nearly three weeks for normalcy to return.
Tracking the trail
Estonian investigation, with the assistance of experts from neighbouring countries, such as Finland, Germany and Slovenia, is said to have yielded enough evidence of a Russian origin to most of the exercise that unmistakably aimed at causing cyber chaos in Estonia. According to one finding, there were many instructions in the systems used that were in Russian and which left a tell-tale mark difficult to ignore. One Estonian claim was that an address involved in the attacks was traced to an official in President Putin’s administration. CERT Chief Aarelaid’s accusation was that the attackers either restricted access to Estonian computers or attempted altering of information contained in such machines.
Experts across the globe, however, feel that it would be difficult to establish without doubt that computers in Russia unleashed the attacks. At best this could be only a guesswork based on the circumstances related to protests arising from the removal of the Russian memorial. This is the greatest weakness of all cyber investigations. It is even so when such investigation transcends political borders and there is no will on the part of authorities of suspect governments to cooperate with the victim country or organisations.
What about prevention of such aggressive moves by those not well disposed towards us? Here again I see a certain despondency that is unsettling. If there is precious little that we can do to protect our systems, how do we justify all the expenditure on devices such as firewalls, Intrusion Detection Systems (IDS), anti-virus software, etc? Experts cite remote-control technologies such as Scada (Supervisory Control and Data Acquisition) against which the best of defence can be inadequate. These can help to interrupt live production lines and major ongoing projects such as the construction of a dam.
It is not preposterous, therefore, to believe that remotely switching off a whole factory floor or opening a dam’s floodgates for mischief and causing damage is well within the prowess of an enemy agency. In addition to Scada, simple measures such as sending a Trojan through e-mails can cause devastation by facilitating pilferage of sensitive information. Such Trojans can perform crucial tasks unnoticed by the lawfully authorised person having access to a particular computer or a whole array of machines. These include swiping of passwords and uploading of documents.
A Symantec official, Oliver Friedrichs, believes that the Estonia experience is a stark reminder of how vulnerable the Net is. Against the reality of how chat rooms and bulletin boards contain information that is valuable to would-be saboteurs, in his view, the situation is grim. While major corporations can invest in software that can detect huge DDoS attacks and deflect suspicious demands for information, the smaller ones can hardly afford the money required.
Heed the warning
What happened in Estonia is a wake-up call to many countries across the globe. I am certain that our own CERT has geared itself to meet the challenge, especially in the context of the continued fragile relationship with Pakistan. We have had past instances of some of our sensitive Web sites being defaced by inimical elements. It is sensible to note that even powerful nations such as the US and China are not complacent. All reports point to their being prepared for a major onslaught, however effective or not the protective measures could be when they are really needed. There is ground to believe that the Chinese army, in particular, has made a huge investment in the area. We may need to match such investment and constantly upgrade our systems.
Finally, Estonia should unsettle those who till the other day believed that ‘cyber terrorism’ was just a fashionable theory of cyber security theorists that was far removed from reality. It is not very relevant for this discourse whether the attack that Estonia suffered recently was a classic case of cyber terrorism or not. What is germane is that trouble-mongers among nations can, without being found out and punished, do a lot of mischief in cyber space to cause economic damage, which would surpass all that can flow from frontal physical attacks. It is also difficult to believe that terrorist organisations are not watching, particularly because these use the Internet extensively for passing on sensitive instructions and for propaganda purposes. There is no point in our claiming to be a highly advanced country in terms of software skills. We need also to be prepared for the worst case scenario in order to meet the Big One that may be lurking round the corner.
The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.
Copyright © 2007, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line