Most cyber attacks are likely to remain difficult to trace to official sources, the report explains, citing the denial of service attacks on Georgia as Russia’s army invaded in 2008. This year GCHQ’s close US counterpart, the National Security Agency (NSA), has been called in to investigate attacks on Google’s GMail service apparently from inside China.

“An internationally agreed definition of cyber warfare will remain elusive, with state actors making increasing use of hired criminals and ‘hacktivists’ to carry out deniable cyber attacks on their behalf,” CSOC predicts.

The offical British view casts ongoing talks (http://www.nytimes.com/2009/12/13/science/13cyber.html) between the US and Russia – aimed at fostering cooperation between states on internet security and agreeing ground rules – in a pessimistic light.

“States are likely to increasingly see the cyber domain as an area in which to wage war… it is difficult to see international agreement on what acts are and are not acceptable in a cyber war being achieved within five years,” CSOC says. “Even if regulation of this kind was to emerge, it is likely that it would make little difference.

“The increasing sophistication of criminal cyber tools and the availability of cheap, fast broadband will mean that states are able to achieve their aims by hiring criminal botnets to carry out DDOS or other attacks on their enemies’ infrastructure.”

Cyber arms race

Government eavesdroppers also face a secret “cyber arms race” to develop quantum cryptography technology, according to GCHQ.

“In the next 5 to 10 years, states are likely to engage in a cyber arms race for quantum cryptanalysis, which would enable the users to crack any encryption within a very short space of time, and for quantum cryptography, which would prevent secure communications from being intercepted,” it said.

Quantum computers would be able to test every possible cipher for a traditionally-encrypted message very quickly. Meanwhile a quantum-encrypted message would be impossible to intercept because just by observing it the eavesdropper would destroy it.

GCHQ – the descendent of the UK’s famous World War Two codebreaking effort at Bletchley Park – is responsible for intercepting foreign communications and for trying to ensure government communications are not intercepted. Without directly referring to its own work on quantum cryptography, it said the revolution the technology would spark in both areas remains out of reach.

“It is unlikely that any state actor will have been able to put quantum systems into operation by 2015, although some state actors may have basic quantum computing capabilities by 2020,” CSOC says.

The NSA is said to be investing heavily in quantum computing.

The predictions in CSOC’s report have served as the basis of a series of classified and unclassified meetings with industry and academics hosted by the Office of Cyber Security in recent weeks. Officials plan to feed the results of the meetings into policy, including whether and how the UK should develop offensive capabilities online. ®

PJ Crowley, US state department spokesman

“Whenever we encounter blocks in our services we try to resolve them as quickly as possibly because we strongly believe that people everywhere should have the ability to communicate freely online,” the California-based company said. “Sadly, sometimes it is not within our control.”

The US state department, although also unable to confirm the move to block the popular email service, insisted that any efforts on the part of the government to keep information from the Iranian public would fail.

“While information technologies are enabling people around the world to communicate … the Iranian government seems determined to deny its citizens access to information,” PJ Crowley, a state department spokesman, said.

“The Iranian people are dynamic and determined and will find a way to overcome the obstacles the Iranian government puts in their way.”

Google itself has had run-ins with other governments, including an escalating dispute in China, where it has threatened to withdraw over claims of online attacks and issues over censorship.

While the Feds embrace this idea, many businesses in Corporate America fail to see the benefits in taking this extra step in their cyber forensic investigations. Most are concerned only with ensuring that such an attack never occurs on their systems again, and pay little – if any – attention to whomever is playing havoc with their network. Anecdotal evidence suggests the reasons are numerous, with the most popular being that it’s not worth the time and effort since there’s most likely no real legal recourse against such organizations anyway. Additionally, some organizations believe that making the suspects known will only encourage future attempts to infiltrate their networks.

A notable exception to this tendency is Google’s recent corporate blog posting regarding suspected hacking of Gmail servers by the Chinese government. Google made the effort to determine the source of the attack on their servers, and more notably, disclose the information that they discovered forensically to the public with the methods and suspected perpetrators of the attack.

Benefits outweigh the costs

More companies should follow Google’s example, if not in the publication of cyber attacks and methods, at the very least in determining the “who” and the “how” of the attack. In fact, companies that don’t try to uncover the people and groups behind the attacks are doing themselves more harm than good, both in long term monetary loss to their shareholders and loss of competitive advantage. Determining who was responsible can shed light on numerous opportunities and unforeseen pitfalls.

For example, a multi-national firm may discover that an overseas competitor was behind a particular attempt to hack into their network because they were looking to gain insight into their technology for use in a developing market. Recognizing that the attack came from a foreign government allows the corporation to bring in U.S. government resources who are interested in criminal activity or espionage threats. Even marketers who measure such things as brand equity can leverage such information about who’s attacking the system to determine the depth and nature of the competitive threat in different geographic areas and market.

Identifying the assailants by groups will not necessarily encourage additional attacks. In many cases the opposite is true– hackers don’t want to be known and will run for cover when the light is shined upon them. Google is betting on just that by publicly threatening to shut down its Chinese operations in the wake of the aforementioned attacks against its networks.

Suffice it to say there are ample reasons why companies should spend time and resources to not just understand the “how” of cyberattacks directed against them, but also the “who”. If knowledge is indeed power, than organizations need to make it a point to seize the opportunity to learn more about their people behind such events in order to learn from them. The dividends can be significant and potentially critical to the company’s future success.

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

Google’s system isn’t unique. Democratic governments around the world — in Sweden, Canada and the UK, for example — are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.

Many are also passing data retention laws, forcing companies to retain information on their customers. In the U.S., the 1994 Communications Assistance for Law Enforcement Act required phone companies to facilitate FBI eavesdropping, and since 2001, the National Security Agency has built substantial eavesdropping systems with the help of those phone companies.

Systems like these invite misuse: criminal appropriation, government abuse and stretching by everyone possible to apply to situations that are applicable only by the most tortuous logic. The FBI illegally wiretapped the phones of Americans, often falsely invoking terrorism emergencies, 3,500 times between 2002 and 2006 without a warrant. Internet surveillance and control will be no different.

Official misuses are bad enough, but it’s the unofficial uses that worry me more. Any surveillance and control system must itself be secured. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and by the people you don’t.

China’s hackers subverted the access system Google put in place to comply with U.S. intercept orders. Why does anyone think criminals won’t be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network? Why does anyone think that only authorized law enforcement can mine collected Internet data or eavesdrop on phone and IM conversations?

These risks are not merely theoretical. After September 11, the NSA built a surveillance infrastructure to eavesdrop on telephone calls and e-mails within the U.S. Although procedural rules stated that only non-Americans and international phone calls were to be listened to, actual practice didn’t match those rules. NSA analysts collected more data than they were authorized to and used the system to spy on wives, girlfriends and notables such as President Clinton.

But that’s not the most serious misuse of a telecommunications surveillance infrastructure. In Greece, between June 2004 and March 2005, someone wiretapped more than 100 cell phones belonging to members of the Greek government: the prime minister and the ministers of defense, foreign affairs and justice.

Ericsson built this wiretapping capability into Vodafone’s products and enabled it only for governments that requested it. Greece wasn’t one of those governments, but someone still unknown — A rival political party? Organized crime? Foreign intelligence? — figured out how to surreptitiously turn the feature on.

And surveillance infrastructure can be exported, which also aids totalitarianism around the world. Western companies like Siemens and Nokia built Iran’s surveillance. U.S. companies helped build China’s electronic police state. Just last year, Twitter’s anonymity saved the lives of Iranian dissidents, anonymity that many governments want to eliminate.

In the aftermath of Google’s announcement, some members of Congress are reviving a bill banning U.S. tech companies from working with governments that digitally spy on their citizens. Presumably, those legislators don’t understand that their own government is on the list.

This problem isn’t going away. Every year brings more Internet censorship and control, not just in countries like China and Iran but in the U.S., the U.K., Canada and other free countries, egged on by both law enforcement trying to catch terrorists, child pornographers and other criminals and by media companies trying to stop file sharers.

The problem is that such control makes us all less safe. Whether the eavesdroppers are the good guys or the bad guys, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. And it’s bad civic hygiene to build technologies that could someday be used to facilitate a police state.

The opinions expressed in this commentary are solely those of Bruce Schneier.