The Accountability of Informality

The ambiguous nature of informal practices, such as cyberattacks and the creation of blame-attributing dilemma

The ambiguity of cyberattacks confronts organisations and individuals with a dilemma in which accountability cannot be attributed to an exact actor, be that state or non-state. Cyberattacks are informal practices because of the inherent illegal characteristics associated with cyberspace, and the use of semi-state actors who target political opponents or use these practices for political gain. The inherent informality of cyberwarfare makes finding accountability a complex and somewhat impossible task. The traditional notion of accountability – the exchange of responsibilities and the potential sanctions of the perpetrator (Schmitter 2004:49) cannot be fulfilled when informal acts are undertaken. This is because cyberattacks exploit the benefits of informality as the attacks operate in “grey zones” which have developed underground and are associated with “in-betweenness, liminality, marginality and ambiguity.” Hence, the ambivalent nature of cyberattacks exacerbates the complex task of attributing blame to the responsible, leaving victims and international tensions to fester and resolutions to feel out of reach.

Background

When Estonia became independent from the Soviet Union in 1991, the symbols of the regime presented a conflicting memory for ethnic Estonians and the Russian diaspora. For Estonians, the Bronze Soldier symbolized Soviet oppression. For the Russian minority, the monument was dedicated to the honour of the Soviet soldiers who liberated Estonia from Nazi Germany. The clash of memory was the catalyst for the cyberattacks, with Estonia’s relationship with Russia at the time was “further complicated by the legacy of Soviet rule and Estonia’s desire to integrate into Europe and balance Russian influence” (Russell 2014:74).

“Bronze Night”

In April 2007, “Bronze Night” had left Estonia a country in the midst of domestic unrest. The decision of the Estonian government to relocate a Soviet war memorial from the centre of Tallinn to a suburban military cemetery stirred the already strained tensions between the ethnic Estonians, and the Russia diaspora. The cyberattacks targeted at Estonia in May 2007 were the first widespread Distributed Denial of Service (DDoS) attacks to target a government. Estonia was a perfect victim for cyberwarfare owing to their advanced technological stance in the world. All significant governmental, banking and public service functions were debilitated for several weeks. The DDoS attack disrupted the whole of the Estonian cyber infrastructure, to the point which Estonia’s internet could only be used domestically and in effect, had to be cut off from the rest of the world.

The aftermath of the cyberattacks created an atmosphere of accusations, denial and ambiguity. Accountability polarised the national and international opinion with the anonymity of the cyberattacks, which meant that placing responsibility was an impossible task.

The ambiguity of informality and accountability

The DDoS attacks were launched by proxy using trojanised, unsuspecting end-users’. This was the main obstacle to finding the origin of these attacks, as most computers used were hijacked and distributed globally. The Estonian government were quick to blame the Russian government. The Kremlin had accused them of violating the human rights of Russian speakers just before the riots erupted over the Bronze soldier memorial. Although there is no definitive answer for who is responsible for the cyberattack, it is clear that Russian officials, directly or indirectly, encouraged the operations by accusing Tallinn of altering history, perpetrating human right violations, and encouraging fascism (Herzog 2011: 54).

A prominent reason against Russia was the perfect timing in which the cyberattacks occurred. The Bronze Night riots served as the most appropriate context for Russia to conduct a direct challenge to the Estonian government. The chaos conveniently led to an opportunity for the Russian government to call for Tallinn to step down, owing to the control of the crisis (Russell 2014:90). Russia took the opportunity to showcase Estonia’s ineffectiveness, whilst contrasting this with their prowess, prestige and commitment to protect its diaspora.

Figure 1 - Message in Russian and the submission of Estonian government officials' emails on LiveJournal

Figure 2 - Russian hackers take over an Estonian website

The ambiguity of accountability in informal practices means that there can be multiple suspects. Non-state actors, notably “hacktivists” are argued to have been responsible for the cyberattacks. Russian hacktivists, motivated by the political and social events unfolding during the Bronze Night riots, channelled their frustration against Estonia through virtual direct action. This group can be further categorised as “patriotic-hackers,” who used their anger against the Estonian establishment to pursue an attack in the name of Russian pride.

There is substantial evidence that points towards the involvement of non-state actors in the cyberattacks. Russian-language forums evolved into recruiting grounds for interested hackers, where instructions on how to undertake a DDoS attack were published. This indicates digital technology, combined with a shared identity, enabled rapid transnational mobilisation in times of crisis (Herzog 2011:51). Furthermore, the cyberattacks targeted social media platforms and government websites with Russian codes and slogans.

Figure 3 Russian instructions on how to conduct a DDoS attack

International response

At the time of the attacks, there was no universal legal framework protecting states against cyberwarfare. NATO nor the European Union held concrete jurisdiction against the use of cyberattacks in international relations, which furthered the cloud of ambiguity around these informal practices. Those responsible could not be held formally accountable. Even if Estonia accused Russia of the attacks, there was no legislative process or law that could be used against them. Hence, the informality of cyberattacks maintains the ambiguous accountability attributed to them.

Future responses

The Estonian cyberattack was an eye-opener for the international community, as there were attempts to clear the mist of ambiguity and place constraints on informal practices. The biggest achievement was the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), established in Tallinn, which strives to support NATO members in cyber defence. The situation that unfolded in the spring of 2007 illustrated the increasing ability of transnational networks to use digital tools to challenge the sovereignty of nation-states worldwide (Herzog 2011:49). Restriction of malicious cyber informal practices are needed, however, constraints enable informality; this must be considered when intergovernmental organisations are finding ways of curtailing the effects of informality.

Word count: 997

Cited sources:

Christiansen, T. & Neuhold, C. (eds.) (2012). International Handbook of Informal Governance. Cheltenham: Edward Elgar.

Ehala, M. (2009). The Bronze Soldier: identity threat and maintenance in Estonia. Journal of Baltic Studies, 40:1, pp. 139-158.

Herzog, S. (2011). Revisiting the Estonian Cyberattacks: Digital Threats and Multinational Responses. The Journal of Strategic Security, 4:2 pp. 49-60.

Ledeneva, A. (et al.) (eds.). (2018). The Global Encyclopaedia of Informality. London: University College Press (Volume 1 and Volume 2).

Russell, A. L. (2014). Cyber Blockades. Georgetown: Georgetown University Press.

Schmitter, P. C. (2004). The Ambiguous Virtues of Accountability. The Quality of Democracy, 15:4, pp. 47-60

Rid, T. & Buchanan, B. (2015). Attributing Cyberattacks. Journal of Strategic Studies, 38:1, pp. 4-37.

Włodarska, A. (2011). Russian-Estonian Relations after 2007: current status and development prospects. International Studies, 3:1.