How to Russia-Proof Your Democracy [ML BSide]

In 2007, Estonia - then already a technologically advanced country - suffered a large-scale DDoS attack that crippled many organizations and digital services. Joseph Carson, a Security Scientist and an adviser to several governments and conferences, talks with Nate Nelson about the lessons learned from that event, and how Estonia became what he calls 'A Cloud Country'.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Joseph Carson

Chief Security Scientist (CSS) & Advisory CISO @ Delinea

A Cyber Security Professional with 25+ years’ experience in Enterprise Security & Infrastructure, Joseph is a Certified Information Systems Security Professional (CISSP). An active member of the Cyber Security community and a frequent speaker at Cyber Security events globally, Joseph is also an adviser to several governments and cyber security conferences. (ISC)² Information Security Leadership Award (ISLA®) Americas Winner 2018.


Transcription Editing by John W. Dall

[Ran] Hi and welcome to Cybereason Malicious Life B-Sides, I’m Ran Levi.

In 2007, tiny Estonia, a country with a population of roughly 1 million citizens and an area about a tenth of the size of California, was one of the most technologically sophisticated countries in the world.

Beginning in 1991, right after it gained independence following the breakup of the Soviet Union, Estonia’s government made it a priority to utilize the power of the then-new internet and make many of its services available to the citizens in digital form. But then came the now-famous Russian cyberattack, a DDoS attack that for more than two weeks crippled many of the country’s most important organizations, the parliament, banks, newspapers and many more services and websites.

In this B-Side episode, we’ll explore the results of this cyber-assault, and in particular how it pushed Estonia in the direction of decentralization as a strategy to defend itself against future cyberattacks and even as a way to make sure the country’s true history won’t get crushed under the boots of invading Russian soldiers.

Our guest today is Joseph Carson, chief security scientist at Delinea, an IT services and consulting firm, an advisor to several governments and cybersecurity conferences, and winner of the Information Security Leadership Award in 2018. Carson spoke with Nate Nelson, our senior producer, about how Estonia became what he calls a cloud country, going even as far as erecting data embassies and adopting blockchain technology much, much earlier than any other country in the world.

Enjoy the interview.

————

[Nate] Why are we talking about Estonia or why should we be talking about Estonia in a podcast?

[Joseph] I think it’s really important to understand one is Estonia’s kind of journey as a digital society. Many people look at Estonia from different perspectives, whether it’s the unicorns and start-ups in Estonia or the cyber attack in 2007. But I always think it’s important to understand the journey about why they went digital. A lot of the lessons in Estonia’s history can help us learn about how other countries can become much more, let’s say, the ability to defend better and the ability to cooperate better. I think some of those lessons are critical in global stabilization in cyber threats.

[Nate] Could you just tell me a bit about Estonia because maybe not all of our listeners are familiar with what’s going on there.

[Joseph] I think it’s really important to understand that Estonia as a country has been occupied multiple times in its history. The most recent independence goes back to 1991. I think that’s really where the story should begin. When you think about Estonia as a country, it’s been like many other countries in the world. It’s been an independent country for hundreds of years. But of course, over those years, there’s been lots of occupations. And Estonia became its second independence in 1991, which is part of the singing revolution that occurred. Yes, it was formerly a Soviet state, occupied state, in the Soviet Union.

But in 1991, one of the critical things, it was also the timing, it was also the populations, and education, and background, and also really the patriotism as well, they are very patriotic, and also it was the start of the internet. And I think all of those combinations together really started this snowball rolling, started this foundation.

[Nate] Those are a lot of ingredients though. What was really at the core of Estonia’s transformation?

[Joseph] This goes back to even one of the challenges we look at a lot of the conflicts today is that whenever somebody who’s occupying a country, when you have an occupying force, they have the ability to change your history, to rewrite history. And they determine what’s been taught in schools, what maps are available, what history lessons, what’s on TV, what’s on radio, they control all of that.

So when you have an occupying country or state, they can control the narrative of history. And the challenge when Estonia became independent in 1991 was that history had been rewritten many times and changed and modified even though the population knew certain facts in history because they’ve been shared within the culture and society, but history had been changed and modified.

Estonia had a lot of cryptographers, mathematicians, computer scientists, and programmers, and they wanted to understand how they can make sure that history in both the physical and the digital could not be erased, could not be modified. So they sent off their scientists into the forests and said. The story, as I’ve been told, they give them some vodka, sent them off into the forest and said, go and solve this problem. Go and figure out how we can make sure that in a digital sense that our data can never be modified or changed by a future occupying force. And this really kind of set off this, kind of, effort into becoming a digital society.

[Nate] And that occupying force that you’re referring to is the USSR, right? There are deep Russian roots in Estonia, yes?

[Joseph] Yes, Estonia, it’s important to understand that Estonia does have quite a large Russian speaking population. And I always think it’s important to understand that Russian speaking does not necessarily mean that you’re a Russian citizen or that your background is Russian. It just means that you’re Russian speaking. Just like most Americans speak English, doesn’t necessarily mean that you’re British. This is important thing is to understand that just because of the language that you speak does not determine your mindset and your culture and what your, kind of, loyalty or political association is. So we always misunderstand that. I see so many times in the news and media that they misrepresent Estonia.

[Nate] So then what relationship does Estonia have with Russia? They’re pretty close neighbors. They’ve been talking about independence and defending themselves. It all sort of seems like it’s subtext here.

[Joseph] Absolutely. I mean, there’s no doubt. I mean, Russia has occupied Estonia for many years and changed its history. And Estonia does have a land border with Russia. And a lot of trade for many years has been towards the East and the Russian trade because of that occupation side of things. And having a language overlap as well. Estonian language is very different. It’s no relation to Russian whatsoever. It’s more similar to Finnish and Hungarian. But yeah, trade, the land border and having been previously occupied, that’s pretty much the basis of its relationship with Russia.

[Nate] Tell me about what happened in 2007.

[Joseph] So 2007. For years afterwards, Estonia became its own, let’s say, passionate country by taking digital society and taking it on. In 2002, actually, Estonia became this very digital society in regards to everything became digital. Tax systems were online. In 2005, we started doing internet voting. So this was where the journey really started. I think the key dates is that in 2004 is when Estonia became part of EU and also part of NATO. So this was really kind of this turning point where Estonia really decided that its future lay more with the West than with the East. And with Russia, it decided that its culture and society and mindset is more Western and that they see themselves as more a Nordic country in line with the likes of Finland, Sweden, Norway and Denmark, which it does have very, very close ties to those countries as well.

So Estonia decided that in 2004, its view and future was going more Western and more trade and more kind of that direction. But then in 2007, there was a decision. There is a monument and that was right in the city center, right in the intersection of lots of traffic. And that monument was typically known as the Fallen Soldier, which basically, in Russian views, if you’re familiar with Victory Day, which is coming up on May 14th, I think it is.

[Nate] I’m not familiar. What is Victory Day?

[Joseph] Victory Day is basically seen in Russia as the victory over Germany in World War II. But in Estonia, it was seen as oppression.
So for Russians, it was seen as victory. And for Estonians, it’s seen as basically oppression over another dictatorship and country.
So there was this decision in 2007 by the Estonian government and parliament to relocate that statue.

At the time, there was a minority of Russian speaking population in Estonia that was not in agreement with that. And it did start some
unrest, both violence and some violence in streets and protests against the moving of that statue. And ultimately, the statue was moved
and there was a decision in early April 2007. And that resulted in some violence in the streets. And Russia had then seen this as
oppression against its Russian speaking population. It always refers to Russian speaking population as oppression and aggression.
And then in April 27th, the start of a cyber war or a DDoS attacks and defacing of websites, government websites, DNS attacks to basically
disrupt the digital society that Estonia had built up until that time. And that meant that, yes, for a period of about 20+ days,
internet traffic was slow. Websites were loading very slowly. There was some unavailability in services such as telcos, financial
systems, access of government websites and news sites.

[Nate] So the DDoS attacks at the time were a direct result of the statue controversy.

[Joseph] So in 2007, yes, as a result of moving that statue to a remote military graveyard, there was a basically conflict, of a cyber
conflict, between Estonia and Russia. And it was really highlighted, but at the time, of course, Estonia was part of NATO and in Article 5,
because Article 5 at that time didn’t include cyber. So that meant that the cyber attacks were ongoing and it’s always, I think it’s
always important to understand that cyber is a way of being able to become anonymous or deniability is always kind of cyber has been
used because it has a good ability to deny accountability and deny involvement. So that’s one thing that a lot of countries hide behind
it because it has that good capability.

But the big concern in Estonia in 2007 was not so much the cyber attack. Yes, the cyber attack was important, it was causing disruption
in services. However, the big concern was that there was a buildup of military exercises on the border of Estonia.
And if you think about what happened in Georgia and what happened in Ukraine several times now, there was the fear of a land invasion.
But of course, one thing kept Estonia a bit more, let’s say less of concern was, of course, being part of NATO. And that’s also fortunate
today, that also means that we’re a bit more relaxed in regards to having a land invasion if that would happen.
But in 2007, it realized an important point, that the risk of a land invasion meant that an occupier force could destroy your data
centers and the data that was held within that.

So yes, there was major DDoS attacks, major cyber attacks, and I do call myself, I’m a survivor of a cyber war.

[Nate] What’s it like to live through a cyber war?

[Joseph] I remember and recall that it was only the first probably two to three days was disruption. But until then, the mitigation
effect of the cyber security defenses wouldn’t put in place. Then everything within Estonia went back to normal. It was just another day.
Systems were back up and running very quickly. And I always remember talking to some of the cyber defenders at the time was that they
would go to bed at night, wake up in the morning, find out what techniques had been changed and what systems were down, they’d bring
them back up in the morning. You think about even this past week, this Thursday, Friday, last week, we were actually hit again by a cyber
attack, by DDoS attacks in the past couple of days.

But actually, to be honest, most citizens didn’t even know.

[Nate] The thing I keep thinking about with this story is that I don’t really know any kind of organization, corporations, governments,
what have you, that thinks about cybersecurity proactively before it becomes a problem for them, right? It takes SolarWinds for us to
start thinking about supply chain. It takes critical infrastructure threats. So why is it that Estonia was thinking so far ahead?
Was it the threat of Russia? Was it something about its historical past or was it just, I don’t know, good leadership?

[Joseph] It’s a combination of all of those. It goes back to that 1991 of occupation and changing of history. When they looked at that
from a basically data protection perspective, they really looked at that as the foundation of society. It meant that, yes, that they
had to become vigorous. It’s not a time to become complacent. There’s always that sense of caution. Yes, and also Estonia is very much
a very tech savvy country as well. The society itself, a lot of people are very technical savvy, very technical knowledgeable
and therefore do contribute.

Estonia also has what’s called is the Cyber Defense League, which is also a call to the public citizens to come to the country’s defense
in the regard of cyber attack ever does occur again. So yes, we have basically almost, like you would have as military reserves, we’ve
got the cyber reserves and it’s coordination and cooperation between both private and the public entity and working together to make
sure to defend the country.

So that very sense of never become complacent, always be vigorous, always question things and always look to improve continuously forward.

[Nate] Estonia has always been like this?

[Joseph] I always think the important time is that in 2007, the worry about a land invasion made Estonia think about, well, how can we
actually mitigate that? My input at the time was the best way to defend against a DDoS attack is to be decentralized.
Also in 2008, then NATO Cyber Defense Center of Excellence opened up in Estonia, which was where they looked at being able to establish
a NATO cooperative alliance in cyber realm and also when cyber became also part of Article Five, so it became an area that a cyber
attack in one is a cyber attack in all NATO.

There were certain things that started going around that post 2007 attack, but still that worry about a land invasion and about making
sure history can never be erased was an important topic. The CIO at the government at the time took a lot of that, how do you protect
against DDoS, decentralized? How does Estonia become decentralized?

The problem was that if Estonia wanted to move its data beyond its borders, there was legal issues with that. Citizens’ data could not
go outside of Estonian land, Estonian borders, so that prevented it from being able to truly decentralize it in other data centers and
locations. The idea came up around data embassies, and I think still this is one of the greatest things, outcomes or results, of the
conflict in 2007 was the idea of a data embassy.

[Nate] What is a data embassy?

[Joseph] This was being able to take the data in Estonia’s borders and actually make many data centers within their embassies at other
locations. In their actually embassy locations in other countries, which is still considered the sovereign land of Estonia under the
law of Estonia, that making those data embassies was a way to decentralize the country.

I think it was around 2015, 2016, was basically the introduction of the idea of actually putting it in real data centers, so classifying
a location within a data center as an embassy, so this idea of virtual embassies. The original plan was to have it in the UK, but a thing
called Brexit came along and disrupted that plan and resulted in the decision to have it located in Luxembourg.

One of the things is in embassy locations, they don’t have a lot of the fault tolerance that you would get in data centers and high
availability, internet bandwidth connectivity. Was it airflow, cooling, power, energy? All of those are not as really efficient in the
real embassy locations, and that’s why it was important to move it to a true data center and have a location in that data center
as sovereign land of Estonia. That actually data embassy concept truly made Estonia a cloud government. It really meant that they
decentralized the government.

[Nate] Could you clarify this point? Because it’s not so intuitive to me to think of a government as decentralized.

[Joseph] Just like the importance that you see with cryptocurrency today, having decentralized financial institutions, and you also
look at things like identity being decentralized and Estonia was able to truly decentralize the actually dependence on the
physical land, meaning if there ever was a land invasion in Estonia, Estonian citizens and Estonian government can still continue as
a cloud country, still continue to look at their financial information, still have that data available, still pay taxes, and still
access the services no matter where they are in the world, even without a physical country.

[Nate] Remind me how long Estonia has had these systems in place.

[Joseph] The data embassy concept, the actual use of the real data embassy locations and actually putting in their embassy has been
around for a good 10 years or so, but putting it into an actual data center has been around since I think it was around 2017, 2018,
where it was actually placed in Luxembourg, I believe, was the first one.

Of course, they looked at continuing that further into proper data centers from other locations, and even considering to place one
outside of EU. Most of those have been within the EU because of the legal frameworks that EU is providing, but there has been
considerations to place them outside.

[Nate] You would say, generally speaking, that it’s working out because most of the time when I hear about blockchain, it has to do
with cryptocurrencies, but here’s a real-life use case, and according to what you’re saying, it’s working for them.

[Joseph] Absolutely. I mean, we have to understand. People misunderstand blockchain and cryptocurrency. There’s a misunderstanding,
but there’s this assumption that cryptocurrency is the prime use case for blockchain. Well, Estonia started doing blockchain in about 1998 based on a paper, and before it was called blockchain, it was actually typically
known as timestamping.

[Nate] Would you just briefly explain to us what timestamping is?

[Joseph] Timestamping was the element of, you know, take a piece of data, you basically do a timestamp on it, you create a hash, and
therefore, you can know that this hash basically and this time goes back to this data at that point in time.

It was basically available on a lot of things like PDF documents, so PDFs were timestamped. Browsers had implementations of timestamping
as well. But of course, as it evolved further, it became known as blockchain, but where does the history goes back to? It really goes
back to actually 1979. 1979 was basically where the real start of a digital sense of blockchain, and that’s known as the Merkle Tree
with Ralph Merkle.

What happened was in the 1970s, you had a big problem where you want to move data from one location, from one computer to another
computer. At the time, networks were not really that reliable, so I take this piece of data, files and folders from one location,
transfer it through a network to another system, and you’d end up having a lot of corruption.

So what basically the Merkle Tree was as a mechanism of doing hashing and concatenation of hashes in order to make sure that as the
data was moved from one computer, you can actually compare the hash to the other computer, and if it was the same, you knew that you
didn’t have that corruption during the transfer. So that was basically the foundation of using concatenation of hashes.

Then later, it was then combined with time that created the timestamping ability. So using time and hashing together was timestamping.
It’s really about non-repetition. It’s about making sure that one is that it’s accurate at the time. I look at the Bible as actually being one of the first real true global implementations of a blockchain in the world.

[Nate] What do you mean by that?

[Joseph] When you think about it, it’s a collection of data that’s basically agreed upon by a number of people. It’s not to say that
the data within it’s correct or accurate. That’s not what I’m saying. That’s up here for the size in beliefs. But the idea is you’ve
got a series of events that’s put into a book that’s agreed upon by a certain amount of people, and then that book is widely distributed
and copied. When you try to modify one version of that and then compare it to the other copies, that’s where we get basically what is
non-repetition, and that’s why you get this widely decentralized database, so the hash database, and therefore it allows you to do
basically validation and verification on the other copies.

Estonia has really implemented that type of scenario, for example, an event happens in Estonia, and then basically it actually goes
into a security log, and that security log gets basically blockchained, and the root hash then gets basically signed. Every month,
that root hash then gets printed in the Financial Times newspaper, and then the Financial Times newspaper then gets printed hundreds
of thousands and millions of copies and globally distributed, so that if you ever wanted to change that event, you would actually
have to look for it to try and get all the copies of the Financial Times paper on that day and destroy all of them. The mathematical
computation of that is quite difficult, not impossible, but quite difficult to achieve. So when you think about it, that’s kind of what blockchain is, it’s about decentralized, widely distributed ledger. That means that it’s hard for one person to change that ledger and change history.

[Nate] The last thing I want to ask is, I know, I’m falling into a sort of media trap by mentioning Russia three words after Estonia.
Estonia is worthy of talking about on its own, but we’re talking at a very particular time in history, you and I. Hopefully, by the
time this episode comes out, there isn’t a war in Ukraine, but I’m going to assume that there is. And frankly, even outside of Ukraine, in Europe, in America, we face these kinds of threats to elections, to our critical infrastructure, to everything. So what can the rest of us learn from Estonia’s example? What should we learn?

[Joseph] What we should learn is it’s basically all about making sure that as much information knowledge to the citizens as possible,
about how do they protect themselves? Where’s information and resources available for them to become more knowledgeable? The one
thing I have learned in my many years in the industry is that I do as much as I can to secure myself. I mean, I put as much protection
in place, but I’m only as secure as the society around me. And I realized that in order for me to better protect me, I have to protect
the society around me.

And this really means that society must be involved, it must be making sure that people have best practices, they understand what the
risks are, and that we basically embed the foundation of security, best practice, and hygiene into education, into society. We must all work together. We must basically hold countries who provide safe havens for cybercriminals (accountable) because a lot of the attackers out there are cybermercenaries.

They’re basically, they’re doing it for criminal intentions. And we have to hold those countries responsible and accountable and provide
less places where cybercriminals have a place to operate from. And the only way we can do that is by working together.