Estonian Army Col. Ilmar Tamm is nearing the end of his term as the first director of NATO’s 3-year-old cyber think tank. It was a role for which Tamm, a signals expert, appeared destined. The small Baltic nation with the outsized economy was looking to carve a niche for itself within NATO in 2004 when Tamm and colleagues proposed creating a center to study cyber issues. A signing ceremony establishing the Cooperative Cyber Defence Centre of Excellence was held in May 2008, 11 months after cyber attacks forced Estonia to reboot its banking system. Today, the Tallinn-based center drafts curricula, studies legal questions and organizes cyber response exercises.
During a recent visit to Washington, D.C., Tamm spoke to editor Ben Iannotta about cyber cooperation, the need for preparedness and Stuxnet.
How big are the cyber stakes? Over here, you hear Defense Secretary Leon Panetta talk about 9/11 and Pearl Harbor.
The problem in cyber [is that] it’s so wide-spectrum. Even the U.S. cannot really afford to have only the DoD dealing in cyber. You need to have law enforcement or even private-sector companies [handling] certain levels of risk. From an Estonian perspective, it could be completely different from the U.S. perspective. That’s what makes it very challenging: how you reach common agreement on the international level, because if an issue comes, usually it goes beyond one state’s borders, and you have to have some sort of international cooperation. This doesn’t necessarily mean that you will have to engage the military at all, but deterrence as such is not easy to copy-paste from the existing, old type of deterrence models.
What are some of the areas for potential agreement?
We have the European crime convention, which is something that helps nations define what they could do to prevent and reduce cyber crimes. Some countries, for whatever reasons, [are] not considering [joining] that conventional law, so it leaves suspicions that those conditions are not acceptable or they don’t really want to take that commitment. Regulating something which [goes] beyond a crime type of event, that I think will be quite a long way to go, because with a piece of code or software it’s very tricky to say when it becomes a weapon, because at one point in time this code has been written as a defense measure. What like-minded nations are talking about is establishing norms of behavior, which are probably a bit softer.
Has the center looked at the question of a cyber treaty?
Not directly, to be very frank, because the treaty issue has been always politically sensitive. Usually techies do their certain things, and sometimes you feel like they don’t care about what the policies are because the zeros and ones flow in one way despite what the policy says.
Are cyber-enabled countries reluctant to sign on because they want to be able to snoop around in cyberspace?
The problem might be that we might not all speak the same language when we approach a treaty. The problem also [is] how you perceive what that treaty should give you.
You have to look, really, country by country. You don’t have just one simple answer. I’m not so familiar [with] Chinese culture and beliefs, but I think there are reasons why they act in certain ways, and it comes from history. If I’m looking at Russia, having been part of the Soviet Union for some time, I know some part of the thinking. It’s right in the doctrine, the way they are approaching cyber. It’s not a separate domain; it’s embedded in their information operations capabilities. If you don’t have this type of historical or cultural understanding, then we [make] mistakes.
In the Estonian government, what agency is responsible for protecting your critical infrastructure? Is it civilian, or is it military?
It’s civilian. Just this summer a new agency under our Economics and Transportation [ministry] was given more authority. They have a department that is responsible [for] setting some minimum standards for the critical information infrastructure companies, be they governmental or private sector. Those companies are providing different services. What would be the impact if those services are not available at certain times? The majority of the critical infrastructure is not in the hands of the government. It’s more in the private sector. You cannot expect that you apply some law or some regulations and they are happy to follow that. They probably won’t invest what’s needed. So we are trying to find the common way in consultations.
Where has the Estonian government come down on the question of whether there should be firm regulations on private infrastructure?
In the U.S., the government is sharing threat information with the defense industry. Could that kind of approach be broadened among the allies?
Well, it is [happening], at least within NATO. There is a new organization called the Emerging Security Challenges Division. There is also a Cyber Defence Management Board. Both institutions are headed by the same ambassador. Memoranda of understanding are signed with the NATO nations, and one idea behind the MOUs is information exchange. But in real life, I don’t know how much information they really exchange, because it probably also depends [on a] nation’s willingness to share, and whether those instances or problems or vulnerabilities are relevant for all.
What about attribution? Can that problem ever be solved?
I don’t know, honestly. Technically, you can always identify an IP address, but nowadays it becomes easier to hide your tracks. Just relying on one source would be dangerous. You should have other sources who could confirm. It’s nothing new. If you take a typical military intelligence approach, you want to assure and reconfirm from multiple sensors. Plus, if it’s possible, you would rather have a human touch as well on those items.
What’s your sense about how much the government of China is behind a lot of the cyber attacks and espionage that goes on?
I’m not so familiar with the way China’s culture works, but it seems like they have a tendency to copy all good ideas, starting with toys and [ending] up with aircraft carriers. Probably for them this is natural. It’s nothing against their belief. Information collection, espionage, is part of how they can retrieve information. If [we] cannot attribute directly, but indirectly, we can always say that they have done it [and] probably will do it the next day or even more.
It’s an interesting question because it goes to: What is an attack? The National Security Agency knows how to penetrate networks, but is that an attack?
Let’s put it this way: You’re looking [for] the threshold. We should be able to measure the consequence. If you concur that an attack really caused damage, and if that requires the use of force, then that use of force should be proportional. Don’t just blow up the whole country because of certain types of attacks which cause huge disturbance, let’s say, for one week. What can be done, starting with economic, diplomatic and all other means? You can [as an] alliance start doing some embargoes.
What are some of the successes in the center’s first three years?
You can write good papers, but you have to have some way of testing them. So, in the center, we have chances to conduct a few exercises.
You mean the red-blue exercise?
One was a red-blue exercise [Baltic Cyber Shield], where you engage your technical personnel. Techies have a lot of knowledge, [but because of] the pressures of their daily work, they don’t have any options to test or verify or share experience. So, in 2010, in Sweden, we had a good exercise. We [will] do it again, not only Sweden, but we have Switzerland and Finland on board and other nations as well. It will be March 26 to March 28. The red team will be in Tallinn in Estonia. It will be another interesting three days. We [are] expanding this, and this creates a sort of community. This community serves you when you have a hard time in real life, because you have built a fellowship of trust.
In the red-blue, somebody actually has an intranet?
Correct. Switzerland is offering a server farm where they built a virtual game environment. All blue teams are fitted with virtual machines with a certain setup, with certain vulnerabilities. You get pressure from the red guys doing all those typical penetrations, trying to get passwords, and all those sorts of things. You get certain points if you perform [defense] very well.
What will the red team do?
In Estonia, we have a volunteer paramilitary organization, the Cyber Defence League, [which] is sort of equivalent [to the] U.S. National Guard. They’re full-time professionals. They do daily work in the ISPs, in the banks, in the telecom operators. They are gathering in their free time on weekends. They make their commitment to serving the country. They also [are] willing to support exercises like the one we had in May 2010 and like we are planning next spring. They will bring their experience and knowledge to help us draft the plan.
Who won in 2010?
It was [the] Swedish team.
How does that exercise compare with Cyber Storm here in the U.S.?
Cyber Storm is mainly oriented on interagency coordination, so you can improve the information exchange and crisis management. NATO is doing a similar tabletop exercise [Cyber Coalition], which is process-oriented, where we as a Centre have a supporting role [to] help draft scenarios and provide the role players. The MOUs I spoke about, those are the partners. It’s nice on paper; let’s create a situation where we have a need for information exchange. The points of contact, can you reach them? Can you exchange information?
What’s your theory about who was behind the Stuxnet attack?
This type of effort requires nation-state involvement, and the question arises, what’s the motivation? As it’s pointing right now, the motivation was an Iranian nuclear facility. This summer, at [our] conference, one of the key speakers was Ralph Langner, a German engineer who had done a deep study of the code. He cannot really attribute directly, but he thinks that both the U.S. and Israeli intelligence agencies were behind crafting that work. Honestly, [I’m] speculating right now: you could launch one missile and that nuclear power plant would be blown up, but the consequence and the price you have to pay is completely different. You have actually achieved pretty much a similar effect [with Stuxnet], to slow down the enrichment process.
If you had a cyber agreement, you could be increasing the odds of a kinetic attack.
That’s the tough question. Again, in my view, there will always be covert operations. They never disappear. Those types of things, you might maybe find out what really happened 75 [or] 100 years on, when files and records become available. You’re right. Cyber can give you a good option, but it’s not only cyber. Remember, the piece of [malicious] code was required to be delivered to a [closed Iranian] system. So you have to have old-fashioned means as well. The weakest link in Stuxnet was still that human link.
What do you do in your Cyber Lab?
It’s an independent environment where we are able to create the course materials. We are delivering four courses twice a year. We have agreements with two German universities. I’m bringing them botnets, malware. So you need to have a safe environment where you can keep them, what we call a sandbox, so you don’t let things out [of] your playground. That’s the lab environment.
How vulnerable is Estonia’s critical infrastructure today, compared to 2007?
I wouldn’t know, because again, the one feature which makes cyber very challenging is that you don’t really see the same attack twice. Like with zero-day exploits: once it’s exposed, this exploit [is] very, very unlikely [to] have any effect anymore, unless you are so lazy and stupid that you haven’t patched your system. Companies like Microsoft, they are spending a huge amount of money on research, but the software code is just so long that you’re not able to find all those vulnerabilities. You can train, you can exercise, you can be creative and adaptive, but expecting that it will be a 100 percent secure environment, no, never.
What’s Estonia’s take on the public-private partnership?
Our minister of economics and transportation has negotiated with the private sector and created information infrastructure stakeholders. That’s one of the ways. The Cyber Defence League [is] another one. You could say it’s the combination of people working in the private sector, or the governmental sector, on a voluntary basis, coming together, contributing their own time, under a sort of paramilitary organization.
Over here, it’s easy to find critics who will say President Obama said there was going to be this major initiative, but the policy hasn’t gone very far.
I think also what you have to keep in mind is that the policy is a combination of what you have, what your nation’s political will is, and what the resources are. I would not really say what your president’s role is, but policies are something you have to revise constantly to ensure those things meet the expectations of your citizens and also the set of values the U.S. has politically wanted to maintain.
Is there frustration [in Europe] with the U.S. cyber approach?