Black Hat Europe: The Power of Attribution
Estonia's Marina Kaljurand Calls for Greater Cyberattack Accountability
When the U.K. government in February attributed last year's NotPetya attacks to Russia, its assessment was quickly backed in a coordinated diplomatic move. Six other nations - the U.S., Australia, Canada, Denmark, Estonia and Lithuania - also called out Russia for having been behind the attacks.
"But where was Germany, where was France, where was Italy, where were others?" asked Marina Kaljurand, chair of the Global Commission on the Stability of Cyberspace, in her opening keynote speech at the Black Hat Europe conference in London on Wednesday (see: 14 Hot Sessions at Black Hat Europe 2018).
Kaljurand, who previously served as the foreign minister of Estonia and an ambassador to six countries, including the U.S., told the audience at the annual information security conference that the NotPetya attribution by the seven nations represented a breakthrough in countries' ability to hold others to account.
She said the 2014 wiper malware attack against Sony Pictures Entertainment, the 2016 Democratic National Committee attacks, the WannaCry outbreak as well as the repeat attacks against the Ukrainian power grid were attributed by the United States to relevant nation-state attackers. But she said the U.S. was largely alone. "Countries did not support the United States," she said, until the NotPetya attribution breakthrough.
Kaljurand's takeaway is that more accountability must be brought to bear in the cybersecurity and digital security space. "I would like to stress two aspects: Readiness of states to attribute and readiness of others to support that attribution," she said.
Life After Russian DDoS Attacks
Estonia is no stranger to attribution. The country was the first to be targeted by large-scale, politically motivated cyberattacks in 2007, when its banking sector and government agencies were hit by distributed denial-of-service attacks.
The ability of governments to attribute online attacks was much less advanced back then. Kaljurand said Estonia's defense minister at the time handled the attribution thusly: "If somebody looks like a dog, barks like a dog, and eats like a dog, it's probably a dog," she said, paraphrasing. "In our case, it looked like a bear."
The DDoS attacks may have been primitive by today's standards and they were not destructive, "but they were humiliating," said Kaljurand, who in the early 1990s helped to negotiate the withdrawal of Russian troops from Estonia and its border regions.
But Kaljurand said her efforts, as foreign minister, to find ways of cooperating with Moscow to trace back the precise origin of the DDoS attacks failed.
The attacks, however, served as a useful wake-up call for Estonia's leadership and have helped inform how it has developed and refined its pioneering and lauded e-Estonia program, which makes 99 percent of government services available digitally, she said.
"We learned the importance of political decision-making, and having it high on the political agenda, which means appropriate financial and human resources," she said.
In addition, it became clear that laws and regulations governing online activities must be in place, together with an "all-nation approach" that brings together stakeholders from the private sector, government and academia, she said.
International cooperation is also key. "Cyber does not have borders, and that's why, if you want to be efficient, you have to cooperate with others," she said.
Of course, many things that were important in 2007 remain so. "Attribution, countermeasures, the inherent right of states for self-defense, the responsibility of a state for nation-state actors, the applicability of international law to cyber, hack backs, offensive capabilities, and I could continue," she said.
Kaljurand helps find better approaches to these types of challenges as the chair of the Global Commission on the Stability of Cyberspace, which was launched last year by two think tanks - the Hague Centre for Strategic Studies and the EastWest Institute. But her GCSC work might be curtailed, because she's running for both the EU Parliament and the Estonian national parliament.
Inflection Point: Election Interference
Kaljurand's analysis of how cybersecurity continues to evolve, even while many of the basic requirements persist, was also voiced by Jeff Moss, the founder of Black Hat Europe, who also serves as a GCSC commissioner, among other roles.
Moss opened this year's Black Hat Europe. Before he introduced Kaljurand, he analyzed how the information security community continues to evolve and how many big-picture problems - involving nation-states - fundamentally involve systems, networks and other aspects of the IT domain.
For comparison's sake, Moss looked back to the start of the dotcom era and all that it wrought for digital life, with so much commerce, personal data and more moving online, requiring commensurate, dramatic information security improvements.
Another key information security milestone followed in 2010, when Google became the first large organization to say that it had been hacked as part of Operation Aurora, being run by the Chinese government.
"That was a big deal," Moss said. While such attacks might have been known and acknowledged within IT circles, he said corporate leadership and government policymakers were not discussing them.
"Overnight, it was acceptable to talk about nation-states stealing your stuff," Moss said. "That enabled us to speak to a new audience," including the news media, corporate boards and policymakers.
Eight years later, another change is now taking place, Moss said, but in non-traditional technology areas that go beyond law enforcement, organized crime and botnets. "It feels like great powers have entered our backyard," he said, in the form of election interference, deep fakes, online propaganda and the potential risks posed by "giant social media."
On the upside, "the election meddling in the United States has made it OK to talk about interference in electoral processes" as well as assess the harm it can do to democratic institutions, he said.
Infosec on the Frontlines
But information security professionals, who are regularly called on to serve as first responders for system-level security problems, are still coming to grips with what's required of them, Moss said, as well as how these sorts of challenges might be better mitigated.
Clearly, the information security community has its work cut out for it, Moss said. "None of these are traditional infosec problems," he said. "But we're going to be getting the phone call; we're going to be getting asked to fix it; we're going to be handling the risks."