This column first appeared in Business and Finance magazine on 1 June.

Richard Delevan

Estonia’s geeks prefer if you call their country E-stonia, so proud are they of how far, how fast their tiny former Soviet republic of 1.4 million souls. Starting with the country’s radical declaration that along with the more common life, liberty and the pursuit of happiness, access to the internet is a constitutional right. In recent years the country has reached a level of e-government adoption — not to mention its zero-percent corporate tax rate — that Ireland Inc can only salivate about.
Payments for everything from taxes to parking meters has been made increasingly online. A few years ago the country boasted that 40% of parking fees were paid via mobile phone. Taxes are paid online. Citizens access services over the internet. Bills are signed into law by digitial signature. Cabinet meetings take place via internet conference - and perhaps would migrate to a virtual reality platform such as Second Life. Even electronic voting. Not the 1980s-vintage voting machines of the type sitting in Irish warehouses but an even more controversial plan - earlier this year Estonia became the first country in the world to allow voting by internet.
But not all is well in the gleaming techno-paradise by the Baltic. A large portion of the state’s citizens are ethnic Russians, many of whom were quite upset by a recent decision to take down a statue of a Red Army soldier commemorating losses in what in Russia is referred to as the Great Patriotic War (or World War 2 as it’s known elsewhere). Street protests threatened to become violent. Online, a more modern form of political violence was happening.
On April 27, one government department after another came under sustained bombardment from Moscow. Vladimir Putin hadn’t sent bombers and tanks across the border. Instead, hackers with IP addresses leading back to Russia were systematically disrupting Estonia’s public and private electronic infrastructure. Government departments suffered denial of service attacks on their websites. So did banks, private companies, unions. So widespread was the disruption that NATO and the EU have sent investigative teams to Estonia to examine the country’s servers and do an electronic battlefield damage assessment to see what they can learn about the nature of the attacks. The attacks’ origin is in dispute. Vladimir Putin’s government hotly denies any involvement in the cyberterrorism, but many commentators have already dubbed the conflict as “Cyberwar 1″: the first instance of widespread state-on-state electronic warfare. In truth we have been leading up to this for some time. Earlier in this decade a US congressman who formerly worker for US Navy intelligence revealed to me previously unreleased details of the extent of NATO’s use of cyberwar techniques against Serbia alongside the 1999 Kosovo campaign - mostly for purposes of pyschological warfare against the regime. Chinese hackers (whether State-sanctioned or no) have disrupted US defence department and other sensitive websites on at least two occasions in 1998 and in 2001. Russian hackers have also probed US electronic defences. Israeli and Palestinian hackers regularly attack websites from the opposite camp.
Week in, week out Western intelligence agencies spar online with jihadist websites and discussion groups.
So what makes Estonia so significant? For one thing, the scale of the attacks. Estonian websites that normally would receive 1,000 visits per day instead got 2,000 per second in some cases. This suggested to some that the attacks could only have been orchestrated by another State.
Serious enough it was the Estonian defence minister argued that the NATO charter should be amended, so that cyberattacks on this scale would be seen as an attack triggering the alliance’s Article V mutual defence obligations.
As the dust settles, the Estonian experience raises all sorts of questions for advanced economies as they become increasingly reliant on the internet. The Estonian attacks did not successfully shut down the nation’s electricity grid, for example, or other vital services. But those could be targets in a future attack. What if the attacks had successfully disrupted a national election? Or erased records of a day’s trading on a stock market?
The Estonian Cyberwar should be a wakeup call for politicians and corporate leaders to listen very carefully to the results. The benefits that more and more companies have gained from opening up their networks could be lost and turned into vulnerabilities if systematically attacks such as these succeed.
Nor should Ireland think it is immune. Our traditional neutrality may be enough to make a physical attack unlikely, but what if someone decided that the Irish Stock Exchange or firms in the IFSC were soft targets for attack in hopes of disrupting the trades of the exotic debt instruments for which Dublin has become known, striking at a weak point in the world’s financial system? How safe are we?
Bank IT managers will be sanguine about their security, but vulnerabilities are often only exposed in their breach. A 2004 study by Dublin’s LAN Communications revealed that a shocking 70% of corporate wireless networks in the IFSC failed to use even basic encryption. Such lax security has, in the past, resulted in customer data like credit cards being stolen by hackers, such as those for Irish and British customers of TK Maxx recently.
We ignore what’s happened in Estonia at our peril.

Richard Delevan is business editor of the Sunday Tribune - rdelevan@tribune.ie