Ghostnet sounds like something John le Carré would invent. This vast cyber-espionage operation spanned 1,295 computers worldwide, a third of them located in ministries of foreign affairs, embassies, international organizations and news media, some holding classified data. According to a report by three Canadian security think tanks in March, it included at least one unclassified computer at NATO headquarters in Mons, Belgium. Although the culprit is unidentified, some experts suspect China. Whether it exploited any of the data is hard to say. That it could obtain it so easily has raised eyebrows in the world's mightiest military alliance.
NATO is only just beginning to recognize that the Internet has become a new battleground, and that it requires a military strategy. As economic life relies more and more on the Internet, the potential for small bands of hackers to launch devastating attacks on the world economy is growing. To counter such threats, a group of NATO members, including the U.S. and Germany, last year established a kind of internal cybersecurity think tank, based in a former government building in Tallinn, Estonia. The 30 staffers at the Cooperative Cyber Defense Centre of Excellence analyze emerging viruses and other threats, and pass on alerts to sponsoring NATO governments. They are also working to bring the allies together on the elusive issues that deepen the fog of cyberwar.
Experts with backgrounds in the military, technology, law and science are wrestling with such questions as: What qualifies as a cyber "attack" on a NATO member, and so triggers the obligation of alliance members to rush to its defense? And how can the alliance defend itself in cyberspace? Already, the debate is producing strikingly different answers: as Washington moves to create a new "cybersecurity czar" and new funds for cyberdefenses, Estonia is moving much of the job into civilian hands, aiming to create a nation of citizens alert and wise to online threats.
The choice of Estonia as the home to NATO's new cyberwar brain trust is not accidental. In 2007 Estonia was in a public squabble with Russia over the fate of a Soviet-era monument when it suddenly found itself under a wave of cyberattacks. Among the targets were two of Estonia's biggest banks, whose online systems were severely degraded for several hours. The scale of the economic damage is still classified as a state secret, but the fact that this happened in "E-stonia," a proud digital society where even parking meters take payment via text messages, was eye-opening. Although the decentralized nature of cyberattacks made it hard to know whether the Kremlin ordered the attacks, clues led Estonia to a Russian suspect, whom the Kremlin refused to extradite.
One thing is clear: Russia gained from what may be the first successful invasion in the new age of cyberwar. Hillar Aarelaid, a manager at Estonia's computer emergency response team, who coordinated Estonia's defenses during the assault, told me that the attack used a nasty weapon called a "distributed denial of service," or DDOS. Cheap to organize and devastating, DDOS involves a small gang of hackers who command a cyber-army of infected PCs to overwhelm the Web sites of a bank (or other institution) with seemingly legitimate requests. Yet Aarelaid believes that the attackers who came after Estonia aimed to flaunt the range and power of their arsenal. If the orders came from the Kremlin, the message to former Soviet satellites was clear: defy us at your own risk. Estonia, courageously, went ahead and moved the Soviet monument anyway.
The attack revealed the vulnerability of a NATO member to external pressure. If a group in Russia could wreak so much havoc over a statue, imagine what a state-sponsored effort could do? Attackers could infect and gain control of thousands of computers—much like GhostNet did—and go after banks all across Europe, leading to digital chaos—online banking would go down, credit-card purchases couldn't be verified. Factor in electricity grids, dams and airport navigation systems, which are connected to the Internet, and it begins to sound like a Hollywood movie.
The trick, from NATO's standpoint, is figuring out when an attack is hacker mischief and when it's a military matter. Back in 2007, Estonia's minister of defense stated that "the attacks cannot be treated as hooliganism, but have to be treated as an attack against the state." But no troops crossed Estonia's borders, and there was almost nothing that we associate with a conventional conflict. How to respond, and against whom? The first step, say scientists at the center, is to identify when a threat warrants a military response. "In the absence of a clear legal framework for dealing with cyberattacks, it's very hard to decide whether to treat them as the beginning of armed conflict," says Rain Ottis, one of the center's senior scientists.
The United States is clearly leaning toward a military strategy. In March the U.S. Senate took up a bill that would bring cybersecurity work at the NSA, Air Force, DHS and a dozen other agencies under a "cybersecurity czar," who would also become a "national cybersecurity adviser." It would arm this person with unprecedented powers, including the right to shut off federal networks if they are found to be vulnerable. If passed, the bill might result in even further militarization of cyberspace; today, virtually all major security contractors—from Lockheed Martin to Boeing—have already set up cybersecurity divisions, fighting for government funds. U.S. government spending on secure computer networks is forecast to rise from $7.4 billion in 2008 to $10.7 billion in 2013. Most of NATO's biggest members, including France, Britain and Germany, appear to be following the U.S. lead.
Estonia, on the other hand, is choosing not to play up fear of a cyberwar. Such talk in 2007 only made already strained relations with Russia worse. Instead, it prefers to demilitarize the issue by shifting the responsibility for cybersecurity from the Ministry of Defense to the Ministry of Economic Affairs and Communications, and is working to identify the services—like online banking—that are most critical to running a digital economy. The Estonians are stepping up efforts to educate citizens on how to identify risks, and creating graduate programs in cybersecurity. Heli Tiirmaa-Klaar, the senior defense adviser at Estonia's defense ministry and one of the country's leading cybersecurity officials, speaks of promoting a "culture of cybersecurity," starting with schoolchildren.
The Estonians have the right idea. Cyberattacks would be prohibitively expensive if hackers had to build their own computers, rather than hijacking idle ones. And a society of savvy citizens is the best defense, because they have every incentive to stay ahead of the hackers; industry tends to stay a step behind, because attacks create a demand for new software. That's how America's reliance on centralized military industries could backfire: they are not numerous or nimble enough to fight Internet battles. Estonia's civilian answer is both more likely to prove popular in diplomatic circles, and more likely to be successful.