Black Code: Inside the Battle for Cyberspace (3 page)

The young “netizens” who launched the Arab Spring were born into a world of satellite broadcasts, mobile phones, and Internet cafés. They were plugged in to the digital world and able to exploit viral networks in ways difficult for authorities to anticipate or control. Meanwhile, perhaps the most innovative users of social networking and mobile technologies in Latin America today are the drug cartels, which use these tools to instill fear in citizens and lawmakers, intimidate journalists, and suppress free speech. To understand how and in what ways cyberspace will be used in the years to come we need to analyze innovation from the global South and East, from users in cities like Tegucigalpa, Nairobi, and Shanghai, the new centres of gravity for cyberspace.

•  •  •

And then there is cyber crime
, a part of cyberspace since the origins of the Internet, but now explosive in terms of its growth and complexity. The economy of cyber crime has morphed from isolated acts by lone “basement” criminals into a highly professionalized transnational enterprise worth billions annually. Every day, security companies must review thousands of
new samples of malicious software. Botnets that can be used for distributed denial-of-service (DDOS) attacks against any
target can be rented from public forums and websites for less than $100. Some even offer 24/7 technical help. Freely available spyware used to infiltrate networks has now become commonplace, a mass commodity. As a result, the people who maintain network security for governments, banks, and other businesses face a continuous onslaught of cyber-crime attacks.

Cyberspace has evolved so quickly that organizations and individuals have yet to adopt proper security practices and policies. We have created a hyper-media environment characterized by constant innovation from the edges, extensive social sharing of data, and mobile networking from multiple platforms and locations, and in doing so, we have unintentionally opened ourselves up to multiple opportunities for criminal exploitation. Cyber crime thrives partly because of a lack of controls, because the criminals themselves can reap a digital harvest from across the globe and hide in jurisdictions with lax law enforcement and regulations. Furthermore, it moves at the speed of electrons, while international law enforcement moves at the speed of bureaucratic institutions. It is almost routine now to hear about cyber criminals living openly in places like St. Petersburg, Russia, and exalted as tech entrepreneurs, not the digital thugs that they are.

No doubt, cyber crime is a major nuisance, a shadowy, unregulated economy that costs decent folks dearly, but even more disturbing is how cyber crime, espionage, sabotage, and even warfare appear to be blurring together. Almost daily, there are breaches against government departments, private companies, or basic infrastructure. The Citizen Lab has investigated several of these cases, two of which we documented in our reports,
Tracking GhostNet
and
Shadows in the Cloud
. The victims, all compromised by China-based perpetrators, included major defence contractors, global
media outlets, government agencies, ministries of foreign affairs, embassies, and international organizations like the United Nations.

How far down this road have we gone? A 2012
New York Times
report revealed that the United States and Israel were responsible for the Stuxnet virus, which sabotaged Iranian nuclear enrichment facilities in June 2010. While the two countries remained mum about the charge, they did not deny it. The incident represents the first time governments have tacitly acknowledged responsibility for a cyber attack on the critical infrastructure of another country, a de facto act of war through cyberspace.

The techniques used in these state-based breaches and attacks are indistinguishable from those used by cyber criminals. Indeed, Stuxnet has been described as a “Frankenstein” of existing cybercrime methods and tradecraft, and many now see cyber crime as a strategic vector for state-based and corporate espionage. Hidden in the shadows of low-level thuggery and cyber crime for cash, in other words, are more serious and potentially devastating operations, like acts of sabotage against critical infrastructure. Now perilously networked together, such infrastructure is especially vulnerable to cyber attacks: our smart grids, financial sectors, nuclear enrichment facilities, power plants, hospitals, and government agencies are all there for the taking. And this is happening at a time when militaries, criminal organizations, militants, and any individual with an axe to grind are refining capabilities to target and disrupt those networks. Cyberspace has become a battleground, a ground zero, for geopolitical contests and armed struggle.

Cyber crime is much more than a persistent nuisance. It has become a key risk factor for governments and businesses. The consequences of this exploding threat are numerous and wide-ranging and have led to greater and greater pressures for state regulation and intervention. Proliferating cyber crime and espionage have vaulted cyber security to the top of the international political
agenda and brought about a sea change in the way that governments approach cyberspace. Where once the dominant descriptor of Internet regulation was “hands off,” today the talk is all about control, the necessary assertion of state power, and, increasingly, geopolitical contestation over cyberspace itself.

The OpenNet Initiative (ONI), a project in which the Citizen Lab participates and that documents Internet content filtering worldwide, notes that roughly 1 billion Internet users live in countries (over forty of them) that regularly censor the Internet. States have become adept at content-control regulations, mostly downloading responsibilities to the private sector to police the Internet on their behalf, but some governments have gone further, engaging in offensive operations on their own, including disabling opposition websites through DDOS or other attacks, and/or using pro-government bloggers to flood (and sometimes disable) the information space.

Although conventional wisdom has long maintained that authoritarian regimes would wither in the face of the Internet (and some in the Middle East and North Africa appear to have done so), many have turned the domain to their advantage. Tunisia and Egypt may have succumbed to Facebook-enabled protestors, but China, Vietnam, Syria, Iran, Belarus, and others have successfully employed second- and third-generation control techniques to penetrate and immobilize opposition groups and cultivate a climate of fear and self-censorship. These states are winning cyberspace wars. For them “Internet freedom” is just another excuse for state control.

•  •  •

It would be wrong
, however, to see the growing assertion of state power in cyberspace as coming only from authoritarian
regimes. As Stuxnet suggests, cyberspace controls, in fact, are being driven and legitimized just as much by liberal democratic countries. Many liberal democratic governments have enacted or are proposing Internet content-filtering laws, mostly, they say, to clamp down on copyright infringements, online child pornography, or other content deemed objectionable, hateful, or likely to incite violence. Many have also pushed for new surveillance powers, downloading responsibilities for the collection of data onto the private sector while relaxing judicial oversight around the sharing of information with law enforcement and intelligence agencies. They are also developing offensive information operations. The United States and many other Western governments now speak openly about the need to fight (and win) wars in this domain.

Not surprisingly new companies have sprouted up to serve the growing pressure to “secure” cyberspace, a growth industry now worth tens of billions of dollars annually. Countries that censor the Internet have usually relied on products and services developed by Western manufacturers: Websense in Tunisia, Fortinet in Burma, SmartFilter in Saudi Arabia, Tunisia, Oman, and the United Arab Emirates. Filtering and surveillance devices manufactured by Blue Coat Systems, an American firm, have been found operating on public networks in Afghanistan, Bahrain, Burma, China, Egypt, India, Indonesia, Iraq, Kenya, Kuwait, Lebanon, Malaysia, Nigeria, Qatar, Russia, Saudi Arabia, Singapore, South Korea, Syria, Thailand, Turkey, and Venezuela – a list that includes some of the world’s most notorious human rights abusers. Netsweeper, a Canadian company, sells censorship products and services to ISPs across the Middle East and North Africa, helping regimes there block access to human rights information, basic news, information about alternative lifestyles, and opinion critical of the regimes. In 2012,
dissidents in the United Arab Emirates and Bahrain were shown, during interrogations where they were arrested and
beaten, transcripts of their private chats and emails, their computers obviously compromised by their own government security agencies. Those agencies didn’t use an off-the-shelf piece of cybercrime spyware to do the job; rather, they employed a high-grade commercial network intrusion kit sold to them by British and Italian companies.

American, Canadian, and European firms that used to brag about connecting individuals and wiring the world are now turning those wires into secret weapons of war and repression. Suddenly, policy-makers are being given tools they never before imagined: advanced deep packet inspection, content filtering, social network mining, cellphone tracking, and computer network exploitation and attack capabilities.

This is not the way it was supposed to be.

As the imperatives to regulate, secure, and control cyberspace grow, we risk degrading (even destroying) what made cyberspace unique in the first place. In the face of urgent issues and real threats, policy-makers may be tempted to lower the bar for what is seen as acceptable practice or, worse, throw the baby out with the bath water. Before extreme solutions are adopted we must address the core value that underpins cyberspace itself: ensuring that it remains secure, but also open and dynamic, a communications system for citizens the world over.

“I’m in.”

“What do you mean, you’re in?”

“I’ve got full access to the control panel. There’s a list of computers here that looks pretty serious. It’s much more than just the Dalai Lama’s office.”

It started as an experiment, another wild hunch. We had been working with computer hackers and field researchers the world over for years, picking up the digital trails left by state officials and a slew of bad guys. But this was different. It was January 2009, and Nart Villeneuve, the then thirty-four-year-old lead technical researcher at the Citizen Lab, had made an extraordinary breakthrough. “I’m in,” he whispered into the phone from his workstation, and when I asked how, he said, “I just Googled it.”

So began the story of GhostNet. Villeneuve’s finding – twenty-two characters typed into Google – turned out to be our Rosetta Stone, our key to eventually uncovering an espionage network affecting more than 100 countries and targeting ministries of foreign affairs, embassies, and other state agencies, international organizations, businesses, and global media outlets. My world would never be the same.

The GhostNet investigation had begun months earlier, when Greg Walton, one of our field researchers, learned of persistent concerns about computers being hacked into at the Dalai Lama’s
headquarters. Walton knew northern India well, had lived in the small town of Dharamsala, where the Tibetan Government-in-Exile, Tibetan NGOS, and the Office of His Holiness the Dalai Lama are located. The Tibetan community in exile had long suspected that their computers were being monitored by the Chinese government. While attempting to cross the border into China, people doing advocacy work on behalf of Tibet were detained, interrogated, and presented with transcripts of their private chat and email messages. Although it is possible – in fact, likely – that the Chinese government pressured companies to modify their products to provide them with backdoor access or to simply turn over user data upon request, it is also possible that the Tibetans had their computers compromised at source. Foreign government officials planning to visit the Dalai Lama, or to meet with him privately when he travelled to their countries, had been told by China to stand down, not to meet him. But the issue now was: how did Chinese authorities know
in advance
that this or that meeting between the Dalai Lama and foreign sympathizers was to take place?

When presented with the idea of the Citizen Lab checking into this matter, Tibetan officials agreed to turn over their machines for inspection. It was a serious decision, as we would be given unrestricted access to computers at the Office of His Holiness the Dalai Lama, the Tibetan Government-in-Exile, and Tibetan NGOS in Dharamsala, New York, Brussels, and London. Although the Dalai Lama himself liked to point out publicly that they “had no secrets,” his office and those of other Tibetan organizations handled sensitive communications, including private correspondence and information about travel schedules. They took a risk working with us, one that paid off in the end.

•  •  •

Cyber espionage is a dark art
, widely speculated about but rarely examined in the light of day. There have been cases of state cyber spying reported on in the media, but too often key pieces of evidence were either missing or, more likely, locked down in the secret chambers of the world’s leading intelligence agencies. “Titan Rain,”
a huge compromise of American military and intelligence agencies and companies, was an exception between 2003 and 2006, and suspicions ran high that it was orchestrated by China-based hackers doing dirty work for their government. The Chinese government was almost certainly connected in some manner to what we unearthed too, and once the cat was out of the bag there would be international diplomatic furor.

While the Citizen Lab had been analyzing and exposing strange goings-on in cyberspace for years, the GhostNet investigation was unprecedented, the scope of the pilfering extraordinary. Computers based in the Dalai Lama’s headquarters and Tibetan organizations were compromised, but so too were those in foreign government agencies, and in international organizations, companies, and media outlets the world over. Included among the victims were the ministries of foreign affairs in Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados, and Bhutan, and the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, and Pakistan. Computers at the UN and ASEAN, and an unclassified computer located at NATO headquarters, were also attacked, as was the prime minister’s office in Laos. One remarkable breach was of the mail server at the Associated Press office in Hong Kong, giving the GhostNet attackers access to emails sent to and from AP in Hong Kong containing information about stories before they were published.