An account of the Estonian Internet War by Gadi Evron, where the Internet is going to go, and Estonian cyberdefense strategy

May 31, 2008

In a recent Risks Digest, there was an account of the "Estonian Internet war" by security expert Gadi Evron. Here is his writeup. A prolific discussion about it is going on in the comments at Techdirt and Slashdot.

We can split the discussion in two parts.

The first part is about what happened in Estonia a year ago and what the politics and other motives behind it are. I wrote about this a year ago myself -- see this, this, this and this. I stand by everything I said in the posts and comments, but I don't have anything new to add today.

A much more interesting and relevant question, in light of Gadi's writeup, is what is going to become of the Internet in the long run. First off, I agree with those who think that the Internet is rapidly becoming part of critical infrastructure. Apart from a few very isolated military applications (with parallel secure networks and strict access control), it is no longer possible to separate the world into "secure" and "insecure". Everything is becoming interconnected because it just opens up so many new opportunities and saves costs. And I think of the world's communication infrastructure today as just one big cloud with boundaries that keep getting fuzzier between Internet, telephony, private networks and all the other different things that are going on.

I think that this has generally done the world a lot of good. My own life, as well as the lives of hundreds of millions of other people, has become more enjoyable directly because of the Internet and everything that it has made possible.

It is also fertile ground for "the bad guys". The Internet is suffering abuse from those who cause harm out of either commercial (spam etc.) or political motives. The Estonian cyberattacks were just one instance of this. Spam in everybody's inbox is another instance. As the bandwidth continues to increase all over the place, and as we keep getting more smart devices on the Internet such as mobile phones, this is going to open up a whole new range of malware vectors and the problems will continue to get worse.

I think that this is going to inevitably change. The Internet in 20 years will be different policy- and governance-wise from what it is today. I do not yet know how, but it will be different. :) The differences will be about fixing some of the original Internet's design shortcomings security-wise (it wasn't done "wrong", it was just invented for a whole different purpose than what it's used for today), and they will involve both technology and policy changes. And there will be something about online identities, too, and many other things.

If there's something that I can apply here out of my past year's HCI Master studies, it is that people think of changing things within the framework of what they already know. We assume that the Internet inevitably works in a particular way, because it's the only way we know. And yet after we change the Internet, we will look back and go "DUH... how come we could not fix this before? It's easy and win-win". The practical necessities of combating malware and generally keeping the world running will justify some big changes to keep the good guys in and the bad guys out.

I don't know if it will take a catastrophe for the world to step towards changing the Internet. (Like some particularly devastating attack against a big company or economy.) Maybe the changes will be more gradual. But in any case, there will be many ways to do the changes. Some of them will be about governments trying to seize power and reduce privacy, and some of them will be about making things more secure while still empowering individual users. I hope it will be the latter.

A related development is that a few weeks ago, Estonia published its national cyberdefense strategy. Alas, it's in Estonian only for now (good luck reading that), but I listened to a podcast with someone from the Ministry of Defense close to the topic and he said that an English version will be forthcoming. I'll post here when that happens. I'm glad to see that while some materials will remain undisclosed, the strategy itself, given that it is aimed at everyone in the nation, is made public and they attempt to widely disseminate it.