Last May, Estonia was invaded. Rather than tanks and aircraft, the medium of trespass was fiber optic cables—which is nearly as bad, for such a wired country. The "cyberwar," which was precipitated by the controversial relocation of a World War II monument in the Estonian capital of Tallinn, drew international headlines, mainly focused on the Clancy-esque gizmology behind it. "Distributed-denial-of-service" has now entered the lexicon not as a symptom of disaffected Baltic waiters, but as a means of bringing down a country with spam. NATO, which used to only contend with enemy garrisons and missile silos on European soil, now finds itself dispatching allied geek squads to protect against that 21st century species of automaton: the "botnet."
The U.S. has announced plans to form its own "Cyber Command," a kind of digital NORAD, to better prepare key levels of state and economic infrastructure against foreign hackers. Yet lost in all the bit-rate analysis of Estonia's springtime troubles was any discussion of how the unconventional siege conventionally violated a nation's sovereignty, not to mention its citizens' human rights.
With a tiny population of 1.4 million, Estonia is almost entirely run on computers. The land that helped develop the free VOIP and instant messenger program Skype hosts wireless zones not just on cafe-lined streets, but in gas stations and remote national parks. Estonians bank, vote and pay their taxes online through digital identity cards that are scanned by easy insertion into slots in their laptops, devices that the country's "paperless" government uses to conduct cabinet meetings and draft legislation. Indeed, so proud was Estonia of its commitment to broadband efficiency—and the web's concomitant freedom of information—that its parliament passed a law in 2000 declaring Internet access a basic human right.
Symbolic though the law might be, it is still the product of a representative democracy in a sovereign EU-member nation. A coordinated attack on Estonia's digital infrastructure is therefore not just a "national security situation," as Defense Minister Jaak Aaviksoo rightly put it, but also a cause for the United Nations Human Rights Council and Amnesty International. Both organizations have yet to comment on the Estonian cyberwar, although a spokesperson from Amnesty International told me a statement is in the works. She had no idea, though, that Estonia even considered Internet access a human right.
In a sense, the trouble began over human rights, at least as they are defined by cold war historiographers. In April, the Estonian government decided, after much internal debate, to relocate the Bronze Soldier of Tallinn. Cast as a solemn, head-lowered "Ivan" of World War II, the statue was actually the centerpiece of an oddly placed urban sepulcher for the remains of nameless Red Army soldiers who died in the "liberation" of Estonia from Nazi occupation. Unveiled in 1947 by the returning Soviet occupiers, who had been kicked out by the Nazis, the Bronze Soldier was met with mixed feelings by ethnic Estonians, who were then subjected to half a century of Russian rule, under which a tenth of the population was deported to the gulag. Nevertheless, many patriotic Estonians remember that 11,000 of their compatriots, forcibly drafted into the Red Army, died fighting Hitler. Adding to the anger and frustration the Estonian man-in-the-street must have felt toward the statue, Stalin and Hitler had haggled over Baltic states in their notorious prewar negotiations, which culminated in the Molotov-Ribbentrop pact. In liberating Estonia, the USSR was more expelling its former competitor for imperial real estate than doing much for Estonians.
It's important to see the Bronze Soldier for what it really was: imperialist propaganda, not a solemn consecration of war dead. The USSR loved to establish ad hoc burial grounds in the most visible locations of their occupied cities. The one in Tallinn, situated in the center of Tõnismägi Hill, was dubbed "Liberators' Square"—communist reliquary construction at its finest. Even before Estonia gained independence in 1991, the Kremlin satraps who ran the country hardly abided by their own catechism for glorifying the motherland. They built a bus station and a busy intersection directly on Tõnismägi Hill, turning it into an accessible rallying point for Russian extremists, the sort responsible for the two days of rioting that engulfed Tallinn in late April and in which 100 people were injured and one person killed.
These lumpen elements are mainly members of the nationalist Nashi ("Ours") movement, which is headquartered in Moscow and suborned by the Putin regime. The Russian president may now describe himself as the only "absolute, pure democrat" on the planet, but that doesn't mean he'll stop Nashi thugs from attacking the Estonian ambassador in Moscow, even though he's bound by the Vienna Convention to do so. To give some indication of just how upset Moscow gets when threatened with the tampering of its Stalinist legacy, the Russian Federation Council passed a resolution in January calling the imminent relocation of the Bronze Soldier "an attempt to legalize fascism."
That Russians are once more resorting to Popular Front rhetoric is characteristic, but also ironic given that Estonia's relocation of the Bronze Statue was actually undertaken with great care and sensitivity, and included the long-awaited identification of the Red Army fallen by DNA testing. Russia's "unknown" soldiers are known at last, and will this month be re-interred in the cemetery of the Estonian Defense Forces. This is all of a piece with Estonia's passage of the War Graves Protection Act in January 2007, designed to align the nation's standard for honoring of military victims with the Geneva Conventions. No NGO or supranational body has objected to the Bronze Soldier's transplantation; only the Russian government has.
Whether or not the Kremlin is behind the violation is almost beside the point, although it is curious that the cyber-attacks peaked on May 8 and 9, the calendar dates marking the Red Army's defeat of the Wehrmacht. Some Estonians I've talked to are of the opinion that if Moscow was in fact responsible, then this was only a trial run to gauge efficacy. The Bronze Soldier might well have been a convenient pretext for staging an elaborate war game.
The method and organization of the attacks suggest that the perpetrators had national paralysis in mind. They targeted nearly all the Estonian ministries; two major banks (one of which, Hansabank, had to be shut down for more than an hour, at an expense of at least $1 million); the website of the Reform Party, which was forced to host a forged letter of apology for the statue scandal claiming to be from the Estonian Prime Minister Andrus Ansip; and three of the six largest Estonian news organizations.
It's true that the "zombies," or infiltrated computers used to clog Estonian websites, were traced to places like Canada, Brazil and Vietnam. But a number also led straight into the offices of the Kremlin and other Russian agencies—not easy silicon curtains to penetrate, even for the most enterprising hacker. So either Moscow was an accomplice in the criminality of its international sympathizers, or it should start worrying about the security of its own network. This isn't likely to happen. Russian officials refused to comply with early requests to help trace IP addresses of any cyber-blitzers who might have been piggybacking off Russian servers. At the very minimum, then, the Putin regime is guilty of benign neglect.
In a 2003 Military Review article addressing the proliferation of cyberwarfare—particularly as it has been waged between Israeli and Palestinian hackers—authors Patrick D. Allen and Chris C. Demchak shrewdly compared the phenomenon to the Spanish Civil War. In both instances, far-flung civilian volunteers were called into action—or "horizontally escalated"—through the use of targeted propaganda. (Russian language instructions explaining how and when to infiltrate Estonian systems were posted all over the web in the days leading up to the first sortie.) State sponsorship was plausibly deniable: If the Comintern could control the Abraham Lincoln Brigade, what's to stop a government from either openly or covertly corralling citizen "hacktivists" to do its dirty work? Most ominous of all, the event may be taken as a prelude to a later and more devastating assault, involving a greater number of players.
Pentagon computers had sensitive information pilfered from them by Russian computers in 2003 during a cyber-attack known as "Moonlight Maze." And in 1999, during an operation dubbed "Titan Rain," Chinese hackers broke into systems at Lockheed Martin, Redstone Arsenal, and NASA under similar motives of military espionage. Yet international law has yet to catch up with technology. According to Allen and Demchak:
Criminal punishment is particularly difficult when the hackers operate from a blatantly hostile nation. However, nations have certain rights under an internationally recognized protective principle if offending nations are not helpful. There is international case law, albeit limited, that might support state action in response to cyber attacks. Under this principle, when a person from country A harms country B, and country A does not prevent that person from continuing to do harm, then country B has the right to take action against country A… Although this principle has not yet been applied in cyberwar cases, the legal precedence exists.
Russian liberal Alexander Herzen once said what he feared most was "Genghis Khan with a telegraph."* Given the communications conquest of recent weeks, cyber warfare is almost certainly going to be a continuing threat. The West should start laying the groundwork to deal with coordinated, state-sponsored cyber attacks before they happen again, and on a larger scale.
*-This article has been updated to reflect correct attribution for this quote.