Google Outs Cyber Spies

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

It’s about time the international community came to grips with long festering issues around cyber warfare and cyber espionage, issues that were raised again recently by the attacks on Google and others in China.

We need a Geneva Convention for the Internet domain.

Enterprise IT security professionals also need to step up and confront the implications of these latest attacks.

Now maybe both things will happen.

Google’s uncompromising response to the organized and apparently politically motivated attacks on its infrastructure and users in China was exactly the right one and just the spur to global action needed.

The first significant action came on cue late last week with Secretary of State Hilary Clinton demanding an explanation from the Chinese government.

Much more has to happen before any real progress can be made, but Clinton’s statement keeps pressure on the Chinese. They might be able to brush off Google. Brushing off the U.S. government will be another thing.

Clinton weighing in also keeps cyber espionage at the top of the information security agenda in the West, and in the public eye, where it most certainly belongs.

This is not the first time China has been at the center of a storm of protest over alleged cyber espionage.

A year ago, a team of Canadian investigators exposed what it dubbed GhostNet – organized deployment of spy bots on computers owned by hundreds of government and non-government organizations around the world, including the Tibetan government in exile in Lhasa, India. Even the Dalai Lama’s personal computer was infected.

The Canadian team led by SecDev.cyber, an Ottawa-based security consulting firm, and The Citizen Lab, a University of Toronto research institute, were able to trace the source of infections to specific DSL IP addresses on Hainan Island—where Chinese military intelligence is known to have signals operations.

But without the cooperation of Chinese authorities, they could never confirm who owned the computers—and rightly stopped short of attributing the activity to Chinese intelligence.

Besides, as the group’s report pointed out, there were other possible explanations, including criminal trade in intelligence and citizen espionage.

The Chinese dismissed the evidence in the GhostNet report as unsubstantiated and refused to investigate or engage in dialog about it.

The malware used in the GhostNet, a Trojan horse called ghOst RAT, allows a control server to siphon information from infected computers without the user being aware—some of the computers the SecDev team investigated had been infected for over a year.

ghOst RAT can also transcribe key strokes in real time and even commandeer microphones and cameras in the computer or attached to it so controllers can eavesdrop on the user remotely.

Google has not said explicitly what the mechanisms were that were used in the attacks on its infrastructure and users, but SecDev CEO Rafal Rohozinski notes, “The modus operandi is very similar to what we documented—and both have connections back to China.”

Google was very interested in the SecDev report, Rohozinski says, but he will say no more about his team’s involvement in the latest case.

Establishing responsibility for the attacks may not be the most productive way forward, he believes.

It would require establishing “a proper chain of evidence” under some kind of agreed-upon international legal framework. But no such framework exists as yet. And without the full cooperation of countries involved, establishing that proper chain of evidence would be impossible.

The correct approach at this point, Rohozinski believes, is the one taken by NATO in 2007 in a case of alleged cyber espionage activity by Russia against targets in the former Soviet republic of Estonia.

In that case, NATO made no accusations against Russian intelligence agencies. It simply presented evidence that the activity was ongoing and called on the Russian government to police the activity in its own jurisdiction.

It’s not clear what ensued, Rohozinski says. The Russians in the end did prosecute one Estonian national living in Russia, but he implies this was a show trial. “Basically they said, ‘This is a political smear campaign [against Russia], so we won’t discuss it further.”

In this current case, the Chinese are so far taking a similar position.

Part of the problem is that the international legal framework of treaties, conventions, and regulations around activity in cyberspace, and in particular, hostile activity, does not exist, as it does for other theaters of war—land, sea, air—and for other international domains, such as commercial air and sea traffic.

“The way international law works has to catch up with the realities of cyberspace,” Rohozinski says. 

But conventions and regulations in those other domains evolved over decades, or centuries, often by a process of trial and error. The cyber domain—as a global, borderless phenomenon—has only existed for 20 years, he points out.

“There is a whole generation of regulators and politicians who still see digital technology as some kind of mysterious black box. There really hasn’t been good, informed debate about these issues yet.”

In the meantime, private enterprises also need to take stock of what it means to operate in an environment where such vulnerabilities—and groups exploiting them—exist. Industrial espionage using similar tools is a dirty big secret, too often swept under the carpet, Rohozinski says.

“One of the things enterprises have to recognize is that sitting on disclosure, often for liability reasons, is the wrong thing to do. They’re just hiding the magnitude of the problem—with the result that there is less activity on the policy level than there might be.”

Enterprises have been hit hard by industrial espionage activity—he cites one case that came to light of two Israeli telecommunications companies spying on each other—but few have disclosed it as Google did.

That, paradoxically, is a hopeful sign, Rohozinski says. He believes Google’s high-profile will help “push momentum” on working through the issues and starting the long, slow process of establishing international norms and practices.

Good for Google.

Gerry Blackwell is a veteran technology journalist based in Canada and Spain. Read his cyberwar/cybersecurity column here every month.