On 27 April 2007 a blizzard of distributed
"denial-of-service" attacks hit important websites in Estonia and continued
until at least as late as mid-June. The targets included the websites of the
president, parliament, leading ministries, political parties, major news
outlets, and Estonia's two dominant banks, which were rendered unable to interact with customers.
The attacks were damaging to Estonia, but they
could have been even worse. The Estonian government believes that 9 May, the
anniversary of the Nazi German surrender to the Soviet army's Marshal Zhukov in
Berlin in 1945, had been the original intended date. The cordoning off, and
subsequent removal, of a controversial bronze statue commemorating the Red Army
"liberators" of Tallinn on 26 April pre-empted this and set off a wave of
premature and uncoordinated attacks. Even so, Estonia's defence minister could describe the attacks as "a national security
situation. It can effectively be compared to when your ports are shut to the
sea".
It can also be considered a sign of things to
come.
The new "iWar"
Johnny Ryan is senior researcher at the Institute of European Affairs
(www.iiea.com), a policy think-tank in Dublin with offices in Brussels.
He is the author of Countering Militant Islamist Radicalisation on the
Internet: A User Driven Strategy to Recover the Web (Institute of European
Affairs, 2007).
This article develops the argument of a shorter piece published in NATO
Review (Winter 2007).
Since the late 1980s, the denial-of-service
(DOS) attack has threatened networked computers. DOS attacks attempt to
overwhelm a computer or networking system by bombarding it with a high volume
of information requests. If successful, the attack renders the targeted system
unable to respond to legitimate requests, which could include providing access
to a particular website. A "distributed denial-of-service" (DDOS) attack operates on the same
principle, but multiplies its impact by directing a "botnet" of networked computers that have been remotely
hijacked to bombard the target system with many requests at the same time.
Botnets can be controlled by a single
individual. Some botnets in the attacks on Estonia included up to
100,000 machines, all making specious requests for information from target
websites at the same instant. DOS attacks have existed in various forms since
at least as early as the "Morris Worm" in 1988. The new internet networking
standard, IPv6, which was initially expected to mitigate
many security risks, may in fact increase vulnerability to DDOS attacks, and it
is reasonable to expect that new DDOS and other iWar tools will evolve to
exploit vulnerabilities in the consumer internet infrastructure in the
future.
I have introduced the term "iWar" (in a piece in NATO Review [Winter 2007],
as well as this longer openDemocracy
article) to denote attacks carried out over the internet that target the
consumer internet infrastructure, such as the websites that provide access to
online banking services. In this understanding, iWar is distinct from what the
United States calls "cyberwar" or from what China calls "informationalised
war". Each of these refers to controlling communications, access to imagery
intelligence, electronic espionage, and battlefield command and control;
China's defence white paper of December 2006, for example, emphasises the
importance of gaining supremacy in space to control information assets such as
satellites. iWar is different because it exploits the ubiquitous, low-security
infrastructure. As a result, while nation-states alone can engage in "cyber"
and "informationalised" warfare, iWar can be waged by individuals,
corporations, and communities.
In essence, iWar is to cyberwar what an iPod
is to the Vienna State Opera: small, convenient and cheap. The small "i"
indicates its common pedigree with the gizmos and devices that symbolise the
new generation of tech-empowered individuals.
The campaign's ingredients
Five factors make likely a conflagration of
iWar in the near future.
First, iWar is extending the franchise of
offensive action to include an unprecedented number of amateurs whose sole
qualification is their connection to the internet, much as early gunpowder
weaponry enabled the levying of armies of unprecedented size. Matchlock troops
could be trained in a matter of weeks, compared to the lifetime of training
required to produce effective longbow men. The iWar attacker, like the
matchlock musketeer, is equipped with cheap, powerful technology that requires
little training.
Second, iWar is inexpensive and easy to wage
in a way that is revolutionary. iWar, perhaps for the first time, is liberated
from the cost and effort that traditionally inhibits offensive action against
geographically distant targets. From the chariot archer to the intercontinental
missile, developments in mobility have been exploited to deliver kinetic force
at ever greater distances from the state's own territory. Conventional
offensive technology relying on physical assets capable of destroying targets
by kinetic means is expensive and comparatively slow. The B-2 "Spirit" stealth bomber, for example, has a per-unit price tag
(including development costs) of approximately $2.1 billion, which would
clearly engender caution about its use in theatres of war; and the aircraft
must make long flights to drop its payload. During "Operation Enduring Freedom"
in Afghanistan that began in October 2001, for example,
the B-2 flew from Whiteman air-force base in Missouri to drop its
ordnance. iWar, though it delivers far
less offensive impact, can inflict damage from any point on the earth at a
target anywhere else on the earth at virtually no cost.
Third, iWar appears to be deniable and very
difficult to punish. Many weeks after the initial attacks in April 2007 it
remains unclear whether Estonia was the victim of a "cyber-riot" in which
like-minded "hacktivists" orchestrated the attacks without authorisation from the
Kremlin, or whether the attacks were coordinated with official sanction. Yet
even if official culpability could be proven, it is unclear how one state
should respond to an iWar attack by another. Moreover, a criminal investigation
would be no less problematic. Even if digital forensic investigation could
trace a malicious botnet to a single computer that is commanding a DDOS attack
(which typically lasts only for a short, intense period), it is unlikely that
effective action could be taken to prosecute. The culpable computer, if a
static machine were discoverable, might be in another jurisdiction from which
law enforcement and judicial cooperation are not forthcoming. If cooperation
were forthcoming, the culpable computer might have been operated from an
internet café or at another anonymous public connectivity site, making it
impossible to determine who among the many transient users was involved in a
DDOS attack.
Fourth, iWar is not limited by the
geographical constraints that impeded the spread of earlier military
innovations, and thus will proliferate quickly across the globe. The
proliferation of gunpowder in Europe puts this in perspective: the technology
appeared in China in the 7th or 8th century, but made its European debut only
in Flanders in 1314. The tools and know-how necessary to wage iWar are
available across the internet.
Fifth, the impact of iWar attacks will
increase as the internet assumes an increasingly important role in daily
political, social, and economic life. In the past decade, governments,
communities, corporations, and individuals have steadily embraced the net as a
means to deliver services to and interact with citizens, clients, and peers; a
process that will increase in the next. In Estonia, for example, there are
almost 800,000 internet bank clients in a population of almost 1.3 million
people, and 95% of banking operations are conducted electronically. In many
states, the delivery of media content via the net now competes with
conventional distribution of newspapers and music (with television content soon
to follow). The indispensability of internet technologies to the internal
operation of business organisations is gathering pace. In this context, the
vulnerability to iWar of business and government networks is growing.
The piracy precedent
If the potential of this form of warfare to
disable the internet-dependent economies, governments, and communities of the
world is so grave, what kind of response is likely to be effective?
It is easy to say what will "not" work.
Pompey's campaign to tackle piracy in 67 BCE (before common era) could succeed
in a limited area only because Roman law could be enforced throughout
Mediterranean waters. Today, no single state has such power; and in any case,
unilateral "policing" initiatives will not be effective against iWar because
iWar, like piracy before it, is a global phenomenon that operates in and
exploits a common resource (the high seas and the internet).
In the case of the former, informal customary
laws gradually evolved to protect trade and maritime communications, and the
unlawfulness of piracy became a universally accepted norm. The United Nations Convention on the
Law of the Sea came into existence in
1982 to regulate the actions of states and stakeholders, and resolve disputes.
This may provide a useful indicator of how internet governance - already shaped
by such bodies as ICANN and the Internet Governance Forum [IGF] - may develop in the future, as mechanisms
are established to codify principles and rules, and develop new international
norms of behaviour to protect the functioning of and access to the
internet.
But even if an international framework does
eventually arise to protect the net, the history of piracy suggests that it may
take time. It was only in the Paris declaration of 1856, many decades after an
international consensus against piracy had emerged, that state-sanctioned
privateering was outlawed. There are,
moreover, still many other breaches of maritime law that threaten life, property
and the environment. The precedent suggests that an extended, unruly and
damaging period of iWar attacks is more than likely.
Anarchy and governance
The advent of iWar reflects the powerful
trends that have dominated the first decade of the 21st century: the spread of
the internet, its empowerment of individuals, and the relative decline of the
power of the state to control the communications infrastructure. The
availability of online instructional material, relevant software and ubiquitous
internet connectivity empowers virtually any proficient and dedicated actor to
attack distant enemies.
An important question then arises: is iWar to be a tool of states, or an
opportunity for non-state actors too to attack states and one another? The
answer is both: iWar might be used by powerful nations to apply
pressure on weaker adversaries in a modern form of "gunboat diplomacy", by non-state actors to leverage its convenience and potency in assaults on
nation-state infrastructures, or by sovereign states using non-traceable,
privateer-style "outriders". A new age of anarchy and piracy that will both
serve and undermine the interests of power is in prospect. The need both for
security counter-measures and adequate legal frameworks to meet this threat is
pressing.