In the spring of 2007, Estonia became the first nation to face a coordinated, nationwide cyberattack when a series of electronic bombardments struck down media, telecommunications, government and banking websites. Digital traffic from servers as far away as Peru, Vietnam and the United States flooded Estonian websites, drowning them in superfluous data. The attack knocked telephone exchanges offline for more than an hour, jeopardizing emergency services. It knocked out media and government portals, leaving citizens in an information vacuum. Beginning April 29, three waves of attacks during a two week period severely disrupted the ordinary tasks that fuel modern economies — shopping, pumping gas, withdrawing cash from automatic teller machines. A significant act of cyberterrorism posed an economic and political threat in a way no modern economy had previously experienced.
The onslaught against Estonian websites began after two days of rioting in the capital, Tallinn, spurred by the government’s removal of a Soviet-era statue honoring deaths in World War II. By the time officials cleared the streets of shattered glass and protesters, the dispute had moved online.
Though primitive by today’s standards, the distributed denial-of-service attacks on Estonia highlighted the central dilemma of online attacks — attributing the assault to the individuals or governments behind them. While attribution is elusive — skilled attackers typically hijack foreign servers to perpetrate their crimes — it is widely believed that Russia funded and led the execution of the attacks against its western neighbor. The architecture of the Internet allowed networks of bots, called botnets, to direct millions of packets to the servers of the Estonian targets, overloading and rendering them inaccessible to visitors.
“It’s a new form of public-private partnership,” warned Estonian President Toomas Hendrik Ilves in an April interview with Nextgov. “It requires massive numbers of computers. There are organized crime rings and they do this by length of time, but you have to have someone willing to pay for it — that’s where the public side of the public-private partnership comes in.”
Had the small Baltic nation not been one of the most wired countries in the world, such an attack might have been a blip on the screen of public awareness. In the two decades since breaking away from the former Soviet Union, Estonia built its new democratic society around Web-based services. Estonians were among the first to conduct elections online and today they perform 98 percent of their banking online. For the nation that spawned the global telecommunications phenomenon known as Skype, the 2007 attacks were a watershed moment. Estonia’s experience and subsequent actions continue to offer lessons for security managers who face more advanced threats today.