ISSG Chairman Gareth Niblett reports from the 3rd International Conference on Cyber Conflict (ICCC), organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia.

This conference rated as one of the best I have attended in the last 20 years - not having to speak or organise possibly helped.

The first day opened with an introduction and scene setting by Col Ilmar Tamm, the NATO CCD COE Director followed by a keynote from the President of Estonia, Toomas Hendrik Ilves, who demonstrated both a deep understanding of cybersecurity issues and an ability to communicate them clearly, even to an expert audience. I’d be impressed if leaders of other countries could do even half as well.

Ilves told the audience to look past state-to-state for asymmetrical cyber attacks, and towards handling an increase in plausibly deniable online operations, subcontracted to the private sector, with official public statements of disbelief when accused of involvement.

Cyber attacks can offer a negative take on public private partnerships (PPP), with botnet-herders and hackers implementing state desires without being part of the apparatus of government or military directly.

The president challenged governments to look beyond their fixation on military infrastructure (~2 per cent GDP) and towards protecting intellectual property. It is easier to steal than develop through investment and R&D (~3 per cent GDP) and arguably this could have a greater impact on a country.

As part of a positive PPP, providing information sharing for mutual protection, Estonia has established a Cyber Defence League (CDL), weekend warriors with ponytails, to help protect its critical national infrastructures - much of which resides in the private sector, which is also where the otherwise unaffordable knowledge and expertise also lies.

Nation perspective

Major General Jonathan Shaw, UK MoD, followed with a talk covering cyber force from a nation state perspective, and a view that cyber warfare will not overtake kinetic, although the UK MoD has woken up to the threat and is addressing it in the Defence Review.

Shaw expressed a position that cyber war is about people, not technology, and we should also start looking for the next thing beyond it. He stated that cyber war sits in a continuum of tools and must be integrated into training and operations, as well as a traditional defence capability of defend, detect and respond and it should be mainstream for defence in the UK by 2015.

Concepts and challenges

Apart from the keynotes, the days were split into two tracks - one covering concepts, strategy and law, which remains an emerging area, and the other covering technical challenges and solutions, which is a continual battle. All had an excellent array of speakers and topics but some of the highlights for me were:

  • Charlie Miller, Accuvant Labs, explaining the technical approaches to discovering unknown vulnerabilities in products, including Apple iPhones, and watching the media concentrate on slides about code disassembly and buffer overflows.
  • Tom Wingfield, Marshall Centre, Germany, discussing the ongoing development of a manual of international law applicable for cyber conflict, which was explained with the use of onstage shrubbery during the media workshop prior to the conference.
  • Raoul Chiesa, United Nations, giving a overview of the long-term study on the underground hacking scene, with statistics from over 1,200 interview / profiles, along with an interesting view of five generations of hackers, from original to present.
  • Ralph Langner, who led the efforts in reverse engineering and analysing the StuxNet worm, which was referred to as the first actually deployed cyber weapon in history, covering its architecture, highly targeted nature and implications. Ralph was engaging and had an excellent appreciation of the cybersecurity world, having come from a control systems background - a boon in the SCADA world.
  • Sachin Deodhar, Cyberconflict Researcher, India, discussing the use of covert communications channels in VoIP and its possible uses in terrorist planning and co-ordination and the challenges it presents to investigators. This is a threat area that I warned lawful interception agencies of quite a few years ago, as certain types wish to evade both traffic and content analysis yet want near real-time communications.
  • Richard LaTulip, US Secret Service, on shedding the suit and growing long hair to infiltrate both the underground credit card fraud and surfer scene, winning the trust of criminals and, with Operation Carder Kaos, dismantling one of the leading online black market sites for stolen card details.
  • Iosif Androulidakis, Ionnina University, Greece talking about how the introduction of modern communications technology doesn’t address traditional issues of PBX security, interception and forensics; indeed adding IP can make things worse.
  • Mikko Hypponen, Chief Research Office of F-Secure, covering cyber espionage in practice, provided real world examples of spear-phishing emails and malicious files, which had been collected by anti-virus research organisations. Mikko’s constant research, targeting the criminal underworld, also makes him a target; shortly after the conference, a fake news story was released in an attempt at discrediting him.

Unfortunately, it was not possible to attend or cover all the talks, but it was obvious why people from all over the world keep coming back to Tallinn for this conference, beyond the local sights, food, drink and summer weather.

Estonia is known as e-Estonia due to its highly digital society, and this can only be sustained through constant vigilance and protection. As such, Estonia is working to be at the forefront of research and preparation.

No hype

Obviously, the infamous 2007 cyberattacks against Estonia were mentioned numerous times, but without much of the hype that the media heaped upon it. Most delegates recognised it as a minor annoyance - rather than a cyber war or cyber terrorism delivering widespread panic, real-life casualties, or significant infrastructure or economic damage - whilst cognisant that the next attack may go beyond mere inconvenience.

Co-operation and co-ordination was mentioned throughout the conference, but issues of trust and privacy, from both an organisational and a legal standpoint, require continued efforts to address and that everyone plays a part in cyber defence: government, intelligence, law enforcement, military, public sector, private sector and even the citizen. The 4th conference is scheduled for Tallinn 2012 and I hope to attend again and see how efforts have continued and increased over 12 months.