ComputerScienceExpert
$18/per page/
Estonia Case Study
Read the following case study
Czosseck, C., Ottis, R., & Talihä, A. (2011, July). Estonia after the 2007 cyber attacks: Legal, strategic and organisational changes in cyber security. European Conference on Information Warfare and Security, 57-IX.
Answer the following questions:
Directions:
SIMILARITY MUST NOT EXCEED 20%
Estonia After the 2007 Cyber Attacks: Legal, Strategic andOrganisational Changes in Cyber SecurityChristian Czosseck, RainOttis and Anna-Maria TalihärmCooperative Cyber Defence Centre of Excellence, Tallinn, EstoniaChristian.Czosseck@ccdcoe.orgRain.Ottis@ccdcoe.orgAnna-Maria.Talihärm@ccdcoe.orgAbstract:At the time of the state-wide cyber attacks in 2007, Estonia was one of the most developed nations inEurope regarding the ubiquitous use of information and communication technology (ICT) in all aspects of the society.Relaying on the Internet for conducting a wide range of business transactions was and still is common practice.Some of the relevant indicators include: 99% of all banking done via electronic means, over a hundred public e-services available and the first online parliamentary elections in the world. But naturally, the more a society dependson ICT, the more it becomes vulnerable to cyber attacks. Unlike other research on the Estonian incident, this casestudy shall not focus on the analysis of the events themselves. Instead it looks at Estonia's cyber security policy andsubsequent changes made in response to the cyber attacks hitting Estonia in 2007. As such, the paper provides acomprehensive overview of the strategic, legal and organisational changes based on lessons learned by Estoniaafter the 2007 cyber attacks. The analysis provided herein is based on a review of national security governingstrategies, changes in the Estonia’s legal framework and organisations with direct impact on cyber security. Thepaper discusses six important lessons learned and manifested in actual changes: each followed by a set of cybersecurity policy recommendations appealing to national security analysts as well as nation states developing their owncyber security strategy.Keywords: Estonia, cyber attacks, lessons learned, strategy, legal framework, organisational changes1. IntroductionOver three weeks in the spring of 2007, Estonia was hit by a series of politically motivated cyber attacks.Web defacements carrying political messages targeted websites of political parties, and governmentaland commercial organisations suffered from different forms of denial of service or distributed denial ofservice (DDoS) attacks. Among the targets were Estonian governmental agencies and services, schools,banks, Internet Service Providers (ISPs), as well as media channels and private web sites (Evron, 2008;Tikk, Kaska, & Vihul, 2010).Estonian government’s decision to move a Soviet memorial of the World War II from its previous locationin central Tallinn to a military cemetery triggered street riots in Estonia, violence against the EstonianAmbassador in Moscow, indirect economic sanctions by Russia, as well as a campaign of politicallymotivated cyber attacks against Estonian (Ottis, 2008). By April 28ththe cyber attacks against Estoniawere officially recognized as being more than just random criminal acts (Kash, 2008). The details of theweeks that followed are described in (Tikk, Kaska, & Vihul, 2010).The methods used in this incident were not really new. However, considering Estonia’s small size andhigh reliance on information systems, the attacks posed a significant threat. Estoniadid notconsider theevent as an armed attack and thus refrained from requesting NATO’s support under Art. 5 of the NATOTreaty; instead, the attacks were simply regarded as individual cyber crimes (Nazario, 2007; Tikk, Kaska,& Vihul, 2010) or “hackitivism” as established by a well-known information security analyst DorothyDenning (Denning, 2001). A further discussion on whether or not the 2007 attacks were an armed attackis beyond the scope of this paper. Many defence and security analysts have covered this particular topicand discussed e.g. the “juridical notion of information warfare” (Hyacinthe, 2009), a “taxonomies of lethalinformation technologies” (Hyacinthe & Fleurantin, 2007), formulated a “Proposal for an InternationalConvention to Regulate the Use of Information Systems in Armed Conflict” (Brown, 2006), or “legallimitations of information warfare” (Ellis, 2006).The incident quickly drew worldwide attention, and media labelled the attacks the first “Cyber War”(Landler & Markoff, 2007). This led to an overall “cyber war hype” that was continuously carried forwardby media, researchers and policymakers. This exaggerating rhetoric was employed during followingconflicts like Georgia 2008 or Kyrgyzstan 2009, and such misuse of terminology has already received afair amount of criticism (Farivar, 2009).57
Attachments: