Estonia training Nato 'techies' for cyberwar

The Nato training centre, set up in 2008, is host to some 30 experts from Germany, Estonia, Spain, Hungary, Italy, Latvia, Lithuania and Slovakia. It organises training seminars and simulations, and examines the legal aspects of cyber defence for military personnel in Nato countries and for defence contractors.

Speaking to EUobserver on the margins of a conference on cyber conflict organised by the centre last week, centre director General Ilmar Tamm said that he would ideally also like to have Nato decision-makers go through some of the trainings on offer.

"In that way they would have a better understanding even of what type of information they would need to know in order to assess the severity of an attack," he said.

He noted that a large denial-of-service attack putting down servers for days - something Estonia experienced in 2007 - may have less damaging consequences than a small, targeted virus able to change the chemical formula at a water clearing station or the speed of a nuclear-enriching centrifuge.

"You also have to evaluate when and how you would expect Nato to step in. The majority of risks in cyber are actually owned by the private sector, which is running the services. So Nato should at least improve information exchange so as to know faster what is going on. Then you can identify who is the best stakeholder to take action," he said.

Smartphones

Tamm identified the increased use of smartphones as one potential vulnerability. "As handheld devices are becoming more like personal computers, they are also becoming the subject of identity theft and the codes are more and more complex. So you will always have bugs in the code - the question is who will abuse it and what for."

Industrial and governmental spying is also on the rise. This is especially the case for attacks originating from China, which Tamm accuses of "collecting specific technology information and then using it for their own needs and benefits."

Over the weekend, the International Monetary Fund was the latest international organisation to admit to a large-scale attack on its servers. It is supposed to have takenn place a few months ago and used the email system to extract valuable information. China is suspected of being behind the attack. A cyber attack on the European Commission earlier this year also saw the finger pointed at China.

Lack of proper 'cyber hygiene' - using webmail for confidential exchanges and confusion over who is responsible for securing the network - often makes it easier for governments and international institutions to be hacked into, Tamm said.

"You need to have stronger agreements with service providers. There is a tendency that your data will be somewhere you don't even know it belongs. If you're based in the EU and go for an Amazon cloud, the servers may be in the US - so they would be subject to US legislation which you have to know if you want to take them to court," he explained.

His centre, for instance, has a webpage hosted by a private company. "But emails are run through separate servers. We have public emails and emails run through the Nato secret system, which can only be accessed from certain working stations. It's not very convenient, but that' the price you have to pay for security."

Detecting an attack is also not easy, especially for smaller companies. Christian Czosseck, a German military computer scientist working at the centre, says that for a medium-sized company, there are some 5 million events a day.

"But you need to filter out to some 100 what could be suspicious activities in order for a human to be able to look at them and find a sequence of 'wrong code'."

One of the trainings on offer from the CCD COE is "botnet infiltration" - learning how to 'take over' the command of a network of zombie computers scattered around the world used to attack governmental or private servers. This is the type of attack Estonia experienced five years ago, with Russia suspected of being behind it.

"Most botnets nowadays have an uninstall or disable functionality, so if you get your hand on a command and control server, you can issue the uninstall me command, which the bots will execute. Still, this has legal issues, because you are sending something without the consent of the owner of the network," Czosseck explained.

If in the US, a company such as Microsoft is able to go to court and get a legal backup for taking down a spamming network of zombie computers, in Europe "it all depends on the local law in every single nation," even though most countries have criminalised botnets.

In an attempt to streamline various provisions, EU justice ministers on Friday agreed to toughen penalties for cybercrimes, including new punishments for people who develop and supply malware or other tools for creating botnets or stealing passwords. Additionally, the illegal interception of computer data will become a criminal offence.

As for the countries behind such attacks, a recent study by the Chatham House floated some 36 states around the world which are developing cyber warfare capabilities.

Keir Giles from the UK-based Conflict Studies Research Centre said that the Russian military is developing so-called information troops capable of conducting "computer network operations" meaning penetration and sabotage of foreign systems, but also the whole spectrum of information warfare, including "systemic counter-propaganda".

And Major General Jonathan Shaw from the British ministry of defence said that despite overall budgetary cuts, the UK government approved an increase in the budget for cyberdefence.

"The war in Libya would also look different if we had the proper cyber capabilities," he pointed out during the conference.

As for the transatlantic view on cyber security, Eneken Tikk, a legal expert with the Tallinn centre said that both the EU and the US have a interest in "keeping the internet demilitarised, so that people can speak to each other freely."

"But there is a conflict in how to defend its functionality, with the US having a more military approach to cyber," she said.

Over-regulation?

The EU, meanwhile, "is in a phase where they deal with every aspect of cyber security, as opposed to the past when there was just the single market approach. There is a trend towards over-regulation, for instance on cybercrime issues," Tikk argued.

She also noted that by declaring IP addresses private information, the EU has created legal challenges for so-called Computer Emergency Response Teams (CERTs) in different EU countries to exchange information in case of an attack. "There is a solution - to make exemptions under the principle of national security, but some countries are slow in doing that."