<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; SecDev.cyber</title>
	<atom:link href="http://www.infowar-monitor.net/tag/secdev-cyber/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Fri, 30 Jul 2010 21:00:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Newsweek: In Google We Trust</title>
		<link>http://www.infowar-monitor.net/2010/01/newsweek-in-google-we-trust/</link>
		<comments>http://www.infowar-monitor.net/2010/01/newsweek-in-google-we-trust/#comments</comments>
		<pubDate>Sat, 30 Jan 2010 19:04:48 +0000</pubDate>
		<dc:creator>rrohozinski</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[Dalai Lama]]></category>
		<category><![CDATA[Deibert]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[NATO]]></category>
		<category><![CDATA[Palestinian Authority]]></category>
		<category><![CDATA[Rohozinski]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[SecDev]]></category>
		<category><![CDATA[SecDev.cyber]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5445</guid>
		<description><![CDATA[Why the company&#8217;s standoff with China might change the future of the Internet. By Jessica Ramirez &#124; Newsweek Web Exclusive &#124; Jan 29, 2010 After having spent the better part of his 17-year career advising groups from NATO to the Palestinian Authority on issues of cybersecurity, development, and governance, Rafal Rohozinski has been known to [...]]]></description>
			<content:encoded><![CDATA[<p>Why the company&#8217;s standoff with China might change the future of the Internet.</p>
<p>By Jessica Ramirez | <a href="http://www.newsweek.com/id/232793">Newsweek Web Exclusive</a> | Jan 29, 2010</p>
<p>After having spent the better part of his 17-year career advising groups from NATO to the Palestinian Authority on issues of cybersecurity, development, and governance, Rafal Rohozinski has been known to say that computers can potentially cause more damage than a nuclear bomb. The cybersecurity expert, who serves as CEO of The SecDev Group, a global security and research firm, points to a 2009 report titled &#8220;Tracking GhostNet&#8221; that he and his associate Ron Deibert authored as an example. In it they detailed the Chinese cyberspying that infected 1,295 targets in 103 countries. Several of the targets were high level and included embassies, news media organizations, and even the Dalai Lama. While the saga of China versus Google has certainly awakened Net citizens to the possibility that the virtual world consists of more than Facebook, it isn&#8217;t altogether clear how the Google hacking or a Google pullout from China could affect the rest of the globe. Rohozinski, who&#8217;s consulted with Google on the issue of censorship, spoke to NEWSWEEK&#8217;s Jessica Ramirez about where the Google issue stands now and what it may mean for the future of cyberspace. Excerpts:</p>
<p>Ramirez: How did Google come to see there was a problem and how did you get involved?</p>
<p>Rohozinski: Google became aware of it themselves, through their inside sources. At the time, we didn&#8217;t know that Google had been hit. They reached out to Ron Deibert and myself because the modus operandi of the attacks was very similar to what we discovered with GhostNet, and they wanted to know what we could share that might be applicable to their in-house investigation. We had already been in touch with Google about the larger problem of censorship that companies face when working in a country like China. As it turns out, the type of attack appears to have been very similar.</p>
<p>How does someone manage to hack into Google of all places and get caught in the act?</p>
<p>Everyone in cyberspace leaves digital droppings, and attackers are no different. It&#8217;s a domain described by data and it gives you patterns for what has happened, even if you can&#8217;t identify the specific individual responsible for it. And we can&#8217;t actually say they&#8217;ve been caught. What we can say is that the attacks appear to be emanating from a physical network from that part of cyberspace which belongs to the jurisdiction of China. That&#8217;s the frustrating part of this. Cyberspace offers attackers the ability to always hide behind the ambiguity of attribution. Up until now, international law has chosen to apply the criminal justice standard of evidence, which means that unless you&#8217;re able to identify specific individuals in a jurisdiction, you don&#8217;t really have a case.</p>
<p>Google is still scanning its internal networks. Is there reason to believe there are still breaches to be found?</p>
<p>In our experience, rarely is there one singular breach. Usually, there are multiple vectors which are targeted, whether it&#8217;s a government or business, largely because that&#8217;s the best way to have a successful attack. That Google is taking a heightened view of scanning its internal networks should be expected.</p>
<p>There&#8217;s some talk that this was an inside job via one of Google&#8217;s Chinese offices. What&#8217;s your take?</p>
<p>You have to look at this by analogy. The most successful fraud overall, whether it&#8217;s banking, mortgage, government, whatever, is usually an inside job. That&#8217;s because those on the inside have the trust, the access, and know the system well enough to cover their tracks.</p>
<p>Google has essentially said it is taking a stand against China&#8217;s growing censorship, but censorship existed when the company went into China. So is this a stand against censorship or against the hacking of their system?</p>
<p>I think Google has always been concerned about its position vis-à-vis China, but, like most companies, realized it was too big of a market to ignore. I think in 2006, much as today, they believed that engagement is better than exclusion. Sometimes you can do a lot more from the inside than from standing at the barricades. I think they went in with their eyes wide open. At the same time, [Google cofounder and president] Sergey Brin has been on the record about his deep discomfort with that. He emigrated from the Soviet Union and understood what kind of a system China is from a political and information-control point of view. I think the cyberspying was very much a trigger for that broader angst they&#8217;d been having over censorship. They simply chose their moment well, with the breaches, and making the stand they made should be praised. If nothing else, it has really focused attention on this issue. I think it&#8217;s woken up governments and our administration to the fact that this is a policy issue that can no longer simply be left to the techno geeks.</p>
<p>Whether it&#8217;s censorship or cyberhacking, it&#8217;s safe to say these are growing problems. What could this latest attack signal regarding the future of cyberspace?</p>
<p>I think our awareness of the value of intelligence on a state-to-state level decreased in the last 15 years as we focused on nonstate actors like Al Qaeda and others. We forgot the fact that this type of intelligence was always a state business. This was one of the great secrets of the Cold War, the sheer amount of dollars and energy expended on spying by the Soviets and the United States. For the large part, the most successful agents weren&#8217;t human spies, it was signals intelligence. So the fact that now we&#8217;re cognizant that cyberspace is the place for states to conduct intelligence against each other is a lot of new, but also a little bit of old. I think the interesting thing, when we talk about signal intelligence, is that it was once about setting up satellites to microwave up conversations between people in the Kremlin. With the advent of cyberspace, we don&#8217;t have to build satellites in space. We have to build code. And these activities don&#8217;t have to be run by the government. The government can and does outsource to other groups.</p>
<p>There are still millions of Gmail accounts that belong to Chinese users. If Google leaves, what happens to those loose ends?</p>
<p>This depends on how China reacts, should the pullout happen. One possibility is that the Chinese authorities will seize this as an opportunity to actually have a broader review of their policies and practices within China. The second option is the Chinese authorities will call Google&#8217;s bluff and say, &#8220;If you are not willing to play by the rules we have set, then thank you, but you can close up shop.&#8221; The third option is, if Google shuts down Google.cn and their offices there, what does that mean regarding their ability to provide services within China? Will China say, &#8220;If you aren&#8217;t going to operate in our territory with our rules, then we will not give you access to, for example, indexing information within our cyberspace or allowing Chinese users to maintain existing e-mail accounts on Google&#8221;? If that were to happen, then we will enter a new era of the Internet.</p>
<p>What kind of era?</p>
<p>Up until now, Google, Facebook, and others have made their money and based their business on the openness of the Internet, whether it&#8217;s here, or China, or the Middle East. If that were to go away, we would be moving away from a global Internet cloud into an era of many clouds. That more than anything should make our leaders very uncomfortable.</p>
<p>What would that Internet look like?</p>
<p>Although we&#8217;ve been quick to see the threat on our security that emanates from cyberspace, we have been very slow to see how important an open global Internet is to world issues that range from Iran to Haiti. The horse has left the gate on the issue of whether there&#8217;s censorship in cyberspace. The question now is, will this space have borders in it? In this case, that means that China starts to censor what Google can access in Chinese cyberspace. The ability of search engines that previously operated globally to provide services globally would no longer be the case.</p>
<p>How do you think the Google versus China saga will ultimately play out?</p>
<p>I think the Chinese leadership is willing to sacrifice economics on the altar of politics and not losing face in this situation. But it won&#8217;t be a small step to say, &#8220;Google, you can go.&#8221; Note the fact that the Chinese have yet to make any significant political pronouncements on this. I think the likely outcome there will be an attempt for long-term low-key talks on this issue, hoping it will essentially go away before someone has to make a very serious decision about it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/01/newsweek-in-google-we-trust/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nart Villeneuve: Google’s New Approach</title>
		<link>http://www.infowar-monitor.net/2010/01/nart-villeneuve-google%e2%80%99s-new-approach-2/</link>
		<comments>http://www.infowar-monitor.net/2010/01/nart-villeneuve-google%e2%80%99s-new-approach-2/#comments</comments>
		<pubDate>Sat, 30 Jan 2010 18:53:20 +0000</pubDate>
		<dc:creator>nvilleneuve</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[GFW]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Psiphon]]></category>
		<category><![CDATA[Search Monitor Project]]></category>
		<category><![CDATA[SecDev]]></category>
		<category><![CDATA[SecDev.cyber]]></category>
		<category><![CDATA[TOM-Skype]]></category>
		<category><![CDATA[TOR]]></category>
		<category><![CDATA[Villeneuve]]></category>
		<category><![CDATA[wow]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5440</guid>
		<description><![CDATA[Nart Villeneuve: Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers also attempted to compromise the Gmail accounts of Chinese human rights activists. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.nartv.org/2010/01/12/googles-new-approach/">Nart Villeneuve</a>: Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers also attempted to compromise the Gmail accounts of Chinese human rights activists.</p>
<p>But the most interesting result was that, due to the combination of attacks, surveillance and censorship, Google has decided to reassess their operations in China:</p>
<p>These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.</p>
<p>The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.</p>
<p>Wow.</p>
<p>The connection between censorship, surveillance and attacks is the key. Censorship, such as the blocking of web sites, is fairly crude but effective when combined with targeted surveillance and attacks. While many, especially the technically savvy, can circumvent China’s filtering system, the “GFW”, using tools such as Psiphon and Tor, most Chinese citizens do not. The GFW doesn’t have to be 100% technically effective, it just has to serve as a reminder to those in China about what content is acceptable and that which should be avoided. The objective is to influence behaviour toward self-censorship, so that most will not actively seek out banned information or the means to bypass controls and access it.</p>
<p>The nexus of censorship, surveillance and malware attacks is the key to China’s information control policies. It is not just about the GFW. Internet users in China face complex threats that are heavily dependent on additional factors, such as involvement in political activities, that involve targeted attacks and surveillance. China chooses when, where and how to exercise this granular control.</p>
<p>The InfoWar Monitor — which is a partnership between the Citizen Lab, Munk Centre for International Studies, University of Toronto and The SecDev Group (and SecDev.cyber which focuses on Internet threats) — has been focusing on these threats. For example, in a report “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform” we documented how Tom-Skype (the Chinese version of Skype) was censoring and capturing politically sensitive content. In “Tracking GhostNet: Investigating a Cyber Espionage Network” we documented targeted malware attacks that compromised over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.</p>
<p>Google’s decision to reassess their operations in China is courageous. I strongly hope that Microsoft, Yahoo! and others follow Google’s lead — as, to their credit, they have done in the past. In “Search Monitor Project: Toward a Measure of Transparency” I compared the censorship practices of Google, Yahoo! and Microsoft as well as the domestic Chinese search engine Baidu and found that all followed Google’s lead to some extent by at least disclosing their censorship practices to their users. I hope that they stand by Google.</p>
<p>China, the ball is in your court.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/01/nart-villeneuve-google%e2%80%99s-new-approach-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Outs Cyber Spies</title>
		<link>http://www.infowar-monitor.net/2010/01/google-outs-cyber-spies/</link>
		<comments>http://www.infowar-monitor.net/2010/01/google-outs-cyber-spies/#comments</comments>
		<pubDate>Thu, 28 Jan 2010 15:01:29 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[geneva convention]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Gh0st RAT]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[SecDev]]></category>
		<category><![CDATA[SecDev.cyber]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[US cyber doctrine]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5429</guid>
		<description><![CDATA[Source: <a href="http://www.esecurityplanet.com/print.php/3861336">Gerry Blackwell</a>, eSecurityPlanet:


<blockquote> It’s about time the international community came to grips with long festering issues around cyber warfare and cyber espionage, issues that were raised again recently by the attacks on Google and others in China.

We need a Geneva Convention for the Internet domain.

Enterprise IT security professionals also need to step up and confront the implications of these latest attacks.

Now maybe both things will happen.

Google’s uncompromising response to the organized and apparently politically motivated attacks on its infrastructure and users in China was exactly the right one and just the spur to global action needed.

The first significant action came on cue late last week with Secretary of State Hillary Clinton demanding an explanation from the Chinese government.

Much more has to happen before any real progress can be made, but Clinton’s statement keeps pressure on the Chinese. They might be able to brush off Google. Brushing off the U.S. government will be another thing.

Clinton weighing in also keeps cyber espionage at the top of the information security agenda in the West, and in the public eye, where it most certainly belongs.

This is not the first time China has been at the center of a storm of protest over alleged cyber espionage.

A year ago, a team of Canadian investigators exposed what it dubbed GhostNet – organized deployment of spy bots on computers owned by hundreds of government and non-government organizations around the world, including the Tibetan government in exile in Lhasa, India. Even the Dalai Lama’s personal computer was infected.

The Canadian team led by SecDev.cyber, an Ottawa-based security consulting firm, and The Citizen Lab, a University of Toronto research institute, were able to trace the source of infections to specific DSL IP addresses on Hainan Island—where Chinese military intelligence is known to have signals operations.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>But without the cooperation of Chinese authorities, they could never confirm who owned the computers—and rightly stopped short of attributing the activity to Chinese intelligence.</p>
<p>Besides, as the group’s report pointed out, there were other possible explanations, including criminal trade in intelligence and citizen espionage.</p>
<p>The Chinese dismissed the evidence in the GhostNet report as unsubstantiated and refused to investigate or engage in dialog about it.</p>
<p>The malware used in the GhostNet, a Trojan horse called gh0st RAT, allows a control server to siphon information from infected computers without the user being aware—some of the computers the SecDev team investigated had been infected for over a year.</p>
<p>gh0st RAT can also transcribe keystrokes in real time and even commandeer microphones and cameras in the computer or attached to it so controllers can eavesdrop on the user remotely.</p>
<p>Google has not said explicitly what the mechanisms were that were used in the attacks on its infrastructure and users, but SecDev CEO Rafal Rohozinski notes, “The modus operandi is very similar to what we documented—and both have connections back to China.”</p>
<p>Google was very interested in the SecDev report, Rohozinski says, but he will say no more about his team’s involvement in the latest case.</p>
<p>Establishing responsibility for the attacks may not be the most productive way forward, he believes.</p>
<p>It would require establishing “a proper chain of evidence” under some kind of agreed-upon international legal framework. But no such framework exists as yet. And without the full cooperation of countries involved, establishing that proper chain of evidence would be impossible.</p>
<p>The correct approach at this point, Rohozinski believes, is the one taken by NATO in 2007 in a case of alleged cyber espionage activity by Russia against targets in the former Soviet republic of Estonia.</p>
<p>In that case, NATO made no accusations against Russian intelligence agencies. It simply presented evidence that the activity was ongoing and called on the Russian government to police the activity in its own jurisdiction.</p>
<p>It’s not clear what ensued, Rohozinski says. The Russians in the end did prosecute one Estonian national living in Russia, but he implies this was a show trial. “Basically they said, ‘This is a political smear campaign [against Russia], so we won’t discuss it further.’”</p>
<p>In this current case, the Chinese are so far taking a similar position.</p>
<p>Part of the problem is that the international legal framework of treaties, conventions, and regulations around activity in cyberspace, and in particular, hostile activity, does not exist, as it does for other theaters of war—land, sea, air—and for other international domains, such as commercial air and sea traffic.</p>
<p>“The way international law works has to catch up with the realities of cyberspace,” Rohozinski says. </p>
<p>But conventions and regulations in those other domains evolved over decades, or centuries, often by a process of trial and error. The cyber domain—as a global, borderless phenomenon—has only existed for 20 years, he points out.</p>
<p>“There is a whole generation of regulators and politicians who still see digital technology as some kind of mysterious black box. There really hasn’t been good, informed debate about these issues yet.”</p>
<p>In the meantime, private enterprises also need to take stock of what it means to operate in an environment where such vulnerabilities—and groups exploiting them—exist. Industrial espionage using similar tools is a dirty big secret, too often swept under the carpet, Rohozinski says.</p>
<p>“One of the things enterprises have to recognize is that sitting on disclosure, often for liability reasons, is the wrong thing to do. They’re just hiding the magnitude of the problem—with the result that there is less activity on the policy level than there might be.”</p>
<p>Enterprises have been hit hard by industrial espionage activity—he cites one case that came to light of two Israeli telecommunications companies spying on each other—but few have disclosed it as Google did.</p>
<p>That, paradoxically, is a hopeful sign, Rohozinski says. He believes Google’s high profile will help “push momentum” on working through the issues and starting the long, slow process of establishing international norms and practices.</p>
<p>Good for Google.</p>
<p>Gerry Blackwell is a veteran technology journalist based in Canada and Spain.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/01/google-outs-cyber-spies/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SecDev-Palantir government conference &#8211; final agenda</title>
		<link>http://www.infowar-monitor.net/2009/11/secdev-palantir-government-conference-final-agenda/</link>
		<comments>http://www.infowar-monitor.net/2009/11/secdev-palantir-government-conference-final-agenda/#comments</comments>
		<pubDate>Sun, 08 Nov 2009 22:30:25 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Palantir]]></category>
		<category><![CDATA[SecDev.cyber]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5328</guid>
		<description><![CDATA[<a href="http://www.scribd.com/doc/22223122/SecDev-Palantir-government-conference-final-agenda">Agenda for the SecDev-Palantir government conference</a> 9 November 2009, Ottawa, Canada. ]]></description>
			<content:encoded><![CDATA[<a href="http://www.scribd.com/doc/22223122/SecDev-Palantir-government-conference-final-agenda">Agenda for the SecDev-Palantir government conference</a> 9 November 2009, Ottawa, Canada. ]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/11/secdev-palantir-government-conference-final-agenda/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Smarter sleuthing can save our online privacy</title>
		<link>http://www.infowar-monitor.net/2009/11/smarter-sleuthing-can-save-our-online-privacy/</link>
		<comments>http://www.infowar-monitor.net/2009/11/smarter-sleuthing-can-save-our-online-privacy/#comments</comments>
		<pubDate>Tue, 03 Nov 2009 15:22:27 +0000</pubDate>
		<dc:creator>rdeibert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Burma]]></category>
		<category><![CDATA[C-46]]></category>
		<category><![CDATA[C-47]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Deibert]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[ITU]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[SecDev.cyber]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5314</guid>
		<description><![CDATA[Ron Deibert, Special to Globe and Mail Police don&#8217;t need intrusive powers to tackle modern Internet crime &#8211; there&#8217;s a new paradigm I&#8217;m at the Citizen Lab, an interdisciplinary research facility at the Munk Centre for International Studies, University of Toronto. I am reviewing reports on cyber security. With me is Nart Villeneuve, senior research [...]]]></description>
			<content:encoded><![CDATA[<p>Ron Deibert, <a href="http://www.theglobeandmail.com/news/opinions/smarter-sleuthing-can-save-our-online-privacy/article1348687/">Special to Globe and Mail</a></p>
<p>Police don&#8217;t need intrusive powers to tackle modern Internet crime &#8211; there&#8217;s a new paradigm</p>
<p>I&#8217;m at the Citizen Lab, an interdisciplinary research facility at the Munk Centre for International Studies, University of Toronto. I am reviewing reports on cyber security. With me is Nart Villeneuve, senior research fellow and chief research officer for our partner company, SecDev.Cyber.</p>
<p>Nart is busy doing what he usually can be found doing: following hunches, deeply engaged in cyber forensic investigations. In his latest work, he has gained backdoor access to track a very large, Russian-operated botnet &#8211; a collection of infected computers under the control of an attacker.</p>
<p>No doubt about it, the perpetrators of this botnet are into criminal behaviour. Although it is Russian in origin, the botnet uses control servers in China and manipulates thousands of compromised computers in the United States and Germany (so-called &#8220;zombies [http://en.wikipedia.org/wiki/zombie_computer]&#8221;) to launch computer network attacks. Russian criminal organizations are known to contract out such attacks to anyone who will pay. We witness a real-time attack against an obscure Russian website, lasting a few minutes.</p>
<p>This botnet also appears to be connected to a massive spam operation that sends out bogus links to gambling, pornography, pharmaceuticals and fake anti-virus software. Nart&#8217;s probes uncover directories containing four million recipient e-mail addresses. They are also engaged in widespread &#8220;click fraud,&#8221; redirecting browsers of infected computers to online ads without the users&#8217; knowledge in order to generate microincome on a massive scale.</p>
<p>In fact, botnets like this one are at the heart of just about every imaginable menacing and serious act of Internet crime, from espionage to child pornography. They are so vexing for law enforcement and intelligence, we are often told, because of the so-called &#8220;attribution&#8221; problem &#8211; the challenge of identifying the perpetrators.</p>
<p>It has become a truism to say the Web facilitates anonymity. &#8220;On the Internet, no one knows you are a dog,&#8221; went the famous New Yorker cartoon [http://weblogs.mozillazine.org/gerv/archives/2007/images/internet_dog.jpg] &#8211; or in this case, a fraudster, terrorist or gangster. Perpetrators can mask their real identities through proxy computers located in foreign jurisdictions, or contract out to third parties who carry out their criminal deeds.</p>
<p>Some have advocated radical solutions to this problem, including the end of anonymity, the requirement for Internet users to have permanent IDs, even the wholesale scrapping of the Internet as we know it. Bills C-46 [http://www2.parl.gc.ca/housepublications/publication.aspx?docid=4008179&#038;language=e&#038;mode=1] and C-47 [http://www2.parl.gc.ca/housepublications/publication.aspx?pub=bill&#038;doc=c-47&#038;parl=&#038;ses=&#038;language=e], currently working their way through Canadian parliamentary committees, would require Internet service providers to install new surveillance equipment, collect personal data, retain it for longer periods of time and allow law enforcement and intelligence to see that personal information, in some circumstances without a court warrant. The Privacy Commissioner of Canada and others have raised serious concerns about this.</p>
<p>Although attribution, anonymity, and investigation of Internet crime remain very real challenges, I believe they are not insurmountable and do not require radical infringements on privacy or wholesale alterations to the Internet as we know it. In fact, the Internet itself, and the mass of data it contains, points to the solution.</p>
<p>Shortly after our observations, Nart uncovered a lead to the possible botnet operator: a Russian student registered at Moscow State University. There was no magical sniffing tool or lawful access provisions clearing his way. He simply pieced together bits of seemingly disparate information &#8211; a name here, a string of code there, a domain registration, a recurring handle, an e-mail address, all pieced together by searching Google results.</p>
<p>It&#8217;s not the first time Nart has done this. In 2008, he uncovered a massive spy network being run through the Chinese version of Skype, and was able to locate, access and archive the control servers behind them using creative Google searches.</p>
<p>Earlier this year, the Information Warfare Monitor (one of our projects with SecDev.Cyber) tracked down Ghostnet [http://www.theglobeandmail.com/news/technology/meet-the-canadians-who-busted-ghostnet/article732409], a massive cyber espionage network infecting 1,295 computers in 103 countries. Nart provided a critical break in the investigation by Googling a 22-character string collected during field research. It led to one of the poorly secured command server interfaces.</p>
<p>The Information Warfare Monitor is now working on a report about attacks against the websites of prominent Burmese human-rights groups. Many people suspect the attacks are connected to Myanmar&#8217;s military regime, but our investigation leads conclusively to a single individual. We even have his picture from his social networking pages.</p>
<p>The reasons for such successes are twofold: our methods and the nature of superabundant information in the cyber age.</p>
<p>As university-based researchers and private sector researchers without access to warrants and private information, we have been forced to do more with less. We rely on qualitative, as opposed to quantitative, approaches. We engage in multidisciplinary analysis of data, as opposed to its automated mining. We search for connections between disparate sources of open information, instead of digging through that which is private.</p>
<p>The problem for law enforcement and intelligence today is not the lack of information; it is the deluge of it. The U.S. National Security Agency reportedly sucks up the equivalent of the contents of the Library of Congress every six to eight hours, every single day.</p>
<p>This is an old paradigm, based on methods where information is easy to hide and hard to find. It&#8217;s ill-suited to our modern hypermedia environment, which includes more than four billion cellphones around the world, according to the International Telecommunication Union. Many of them are equipped to snap pictures and videos, and upload them instantly to YouTube or Twitter. These images can be geotagged through Google Maps, which now includes street-level images of many major cities.</p>
<p>In other words, who needs more surveillance powers when people willingly monitor themselves? Social networking has brought us the Age of Auto-Surveillance. These are my friends, here is my house, this is the bus I take, here is my dog, this is my e-mail address, here is my phone number, this is my place of work, this is what I like to eat for lunch.</p>
<p>Criminals and terrorists rarely tweet about their crimes, true. But they cannot escape the digital traces and electronic signatures that everyone, even the most determined criminal, now leaves. In the case of the Russian student, it was a user name posted on a hacker forum that was also used as part of a website domain, which then showed up as a prefix on an e-mail address of an innocuous undergraduate essay that was posted online, along with the student&#8217;s name.</p>
<p>In a time when every person&#8217;s digital life is now turned inside out and electronically dispersed and disaggregated, does it really make sense to think solutions lie in adding to that flood? Law enforcement and intelligence don&#8217;t need to sidestep court protections and civil liberties to meet the challenges of cyber crime &#8211; they need a new investigatory paradigm.</p>
<p>Ron Deibert is director of the Citizen Lab and a principal with the SecDev Group. He is a cofounder of and principal investigator for the Information Warfare Monitor.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/11/smarter-sleuthing-can-save-our-online-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SecDev.cyber &#8211; Infowar Monitor partner launches</title>
		<link>http://www.infowar-monitor.net/2009/10/secdev-cyber-infowar-monitor-partner-launches/</link>
		<comments>http://www.infowar-monitor.net/2009/10/secdev-cyber-infowar-monitor-partner-launches/#comments</comments>
		<pubDate>Thu, 08 Oct 2009 10:21:54 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[fusion methodology]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Palantir]]></category>
		<category><![CDATA[SecDev]]></category>
		<category><![CDATA[SecDev.cyber]]></category>
		<category><![CDATA[situational awareness]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5172</guid>
		<description><![CDATA[<a href="http://cyber.secdev.ca/">SecDev.cyber</a> delivers cutting-edge analytical capabilities for the investigations and operational community. We are the Canadian integrator for <a href="http://www.palantirtech.com/government/cyber">Palantir Technologies</a> and a member of the <a href="http://www.secdev.ca/Secdev-temp/index.htm.html">SecDev Group</a> of companies.

We develop and operate advanced evidence-based cyber-research capabilities with global reach. Our advanced fusion methodology provides global situational awareness across the cyber domain. Our expertise transforms situational awareness into actionable situational understanding.

It is sometimes claimed that security has to come at the expense of human rights. At SecDev.cyber, we believe this to be a false trade-off. Security achieved at the expense of human rights risks losing sight of what should be protected. Security should protect and enhance our core values. We are partnered with Palantir Technologies and the <a href="http://www.citizenlab.org/">Citizen Lab</a> and committed to doing things differently. <a href="http://cyber.secdev.ca/about/">Learn more about our companies' values and ethos</a>. <br /><a href="http://cyber.secdev.ca/media/">Follow selected media coverage of SecDev.cyber</a>.<br /><a href="http://cyber.secdev.ca/careers/">SecDev.cyber is hiring</a>.]]></description>
			<content:encoded><![CDATA[]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/10/secdev-cyber-infowar-monitor-partner-launches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
