Google Outs Cyber Spies

January 30, 2010

By Gerry Blackwell
January 28, 2010

It’s about time the international community came to grips with the long-festering issues around cyber warfare and cyber espionage, issues raised again recently by the attacks on Google and others in China.

We need a Geneva Convention for the Internet domain.

Enterprise IT security professionals also need to
step up and confront the implications of these latest attacks.

Now maybe both things will happen.

Google’s uncompromising response to the organized and apparently politically motivated attacks on its infrastructure and users in China was exactly the right one, and just the spur to global action that was needed.

The first significant action came on cue late last week, with Secretary of State Hillary Clinton demanding an explanation from the Chinese government.

Much more has to happen before any real progress
can be made, but Clinton’s statement keeps
pressure on the Chinese. They might be able to
brush off Google. Brushing off the U.S. government will be another thing.

Clinton weighing in also keeps cyber espionage at
the top of the information security agenda in the
West, and in the public eye, where it most certainly belongs.

This is not the first time China has been at the
center of a storm of protest over alleged cyber espionage.

A year ago, a team of Canadian investigators
exposed what it dubbed GhostNet -- organized
deployment of spy bots on computers owned by
hundreds of government and non-government
organizations around the world, including the
Tibetan government in exile in Lhasa, India. Even
the Dalai Lama’s personal computer was infected.

The Canadian team, led by SecDev.cyber, an Ottawa-based security consulting firm, and The Citizen Lab, a University of Toronto research institute, was able to trace the source of the infections to specific DSL IP addresses on Hainan Island, where Chinese military intelligence is known to have signals operations.

But without the cooperation of Chinese
authorities, they could never confirm who owned
the computers -- and rightly stopped short of
attributing the activity to Chinese intelligence.

Besides, as the group’s report pointed out, there
were other possible explanations, including
criminal trade in intelligence and citizen espionage.

The Chinese dismissed the evidence in the
GhostNet report as unsubstantiated and refused to
investigate or engage in dialog about it.

The malware used in GhostNet, a Trojan horse called gh0st RAT, allows a control server to siphon information from infected computers without the user being aware. Some of the computers the SecDev team investigated had been infected for over a year.

gh0st RAT can also log keystrokes in real time and even commandeer microphones and cameras built into or attached to the computer, so controllers can eavesdrop on the user remotely.

Google has not said explicitly what the
mechanisms were that were used in the attacks on
its infrastructure and users, but SecDev CEO
Rafal Rohozinski notes, “The modus operandi is
very similar to what we documented—and both have connections back to China.”

Google was very interested in the SecDev report,
Rohozinski says, but he will say no more about
his team’s involvement in the latest case.

Establishing responsibility for the attacks may
not be the most productive way forward, he believes.

It would require establishing "a proper chain of
evidence" under some kind of agreed-upon
international legal framework. But no such
framework exists as yet. And without the full
cooperation of countries involved, establishing
that proper chain of evidence would be impossible.

The correct approach at this point, Rohozinski
believes, is the one taken by NATO in 2007 in a
case of alleged cyber espionage activity by
Russia against targets in the former Soviet republic of Estonia.

In that case, NATO made no accusations against
Russian intelligence agencies. It simply
presented evidence that the activity was ongoing
and called on the Russian government to police
the activity in its own jurisdiction.

It’s not clear what ensued, Rohozinski says. The Russians in the end did prosecute one Estonian national living in Russia, but he implies this was a show trial. “Basically they said, ‘This is a political smear campaign [against Russia], so we won’t discuss it further.’”

In this current case, the Chinese are so far taking a similar position.

Part of the problem is that the international
legal framework of treaties, conventions, and
regulations around activity in cyberspace, and in
particular, hostile activity, does not exist, as
it does for other theaters of war—land, sea,
air—and for other international domains, such as
commercial air and sea traffic.

"The way international law works has to catch up
with the realities of cyberspace," Rohozinski says.

But conventions and regulations in those other domains evolved over decades, or centuries, often by a process of trial and error. The cyber domain, as a global, borderless phenomenon, has only existed for 20 years, he points out.

"There is a whole generation of regulators and
politicians who still see digital technology as
some kind of mysterious black box. There really
hasn’t been good, informed debate about these issues yet.”

In the meantime, private enterprises also need to take stock of what it means to operate in an environment where such vulnerabilities, and groups exploiting them, exist. Industrial espionage using similar tools is a big dirty secret, too often swept under the carpet, Rohozinski says.

"One of the things enterprises have to recognize
is that sitting on disclosure, often for
liability reasons, is the wrong thing to do.
They’re just hiding the magnitude of the
problem—with the result that there is less
activity on the policy level than there might be.”

Enterprises have been hit hard by industrial
espionage activity -- he cites one case that came
to light of two Israeli telecommunications
companies spying on each other—but few have disclosed it as Google did.

That, paradoxically, is a hopeful sign, Rohozinski says. He believes Google’s high profile will help "push momentum" on working through the issues and starting the long, slow process of establishing international norms and practices.

Good for Google.

Gerry Blackwell is a veteran technology journalist based in Canada and Spain.