The recent cyberespionage attacks on Google and that company’s subsequent announcement that it would reconsider its search engine services in China gripped the world’s focus and set off a debate about China’s aggressive cybersecurity strategy.
The apparent scope of the attacks – more than 30 companies affected, Gmail accounts compromised, human rights groups targeted – took many by surprise. Some observers believe the attacks were highly sophisticated in nature, employing never-before-seen techniques. Many reports concluded that the Chinese government undertook the attacks.
As principal investigators in the Information Warfare Monitor, a project formed in 2002 to investigate and analyze the exercise of power in cyberspace, we have seen many of these types of attacks firsthand in our research, and have closely followed those examined by other researchers.
From our vantage point, the Google cyberattacks are unusual not in apparent scope or sophistication – as some commentators believe – but rather in terms of the high-profile nature of the victim and the victim’s very public reaction. Indeed, we believe targeted cyber attacks such as these will grow in frequency as cyberspace becomes more heavily contested.
Defense against cyberattacks
The question is what to do about them.
Solutions won’t be easy, and they won’t come from technical means alone. They will require widespread and comprehensive public policy changes, greater awareness of network security practices, and above all else a recognition by governments worldwide that an arms race in cyberspace serves no country’s national strategic interest.
For their part, companies should be encouraged to be more transparent and willing to share information about attacks on their infrastructure and less concerned about the liabilities of doing so. Google’s actions are exemplary in this regard and may set a new standard of disclosure.
Although many people point to China as an aggressive cyberactor, it is important to understand that cyberspace has become a battleground for intense military competition. Many countries are developing offensive cyberwarfare capabilities, including targeted espionage. Just recently, for example, Dennis Blair, the director of US National Intelligence, argued the United States should be more aggressive in stealing other countries’ secrets in cyberspace. Other countries are less open about such intentions, but no less ambitious. Many successful operations, no doubt, are hidden.
The actors in this intense arms race are not just states. Cyberspace allows anyone with the intent and capability to exploit network vulnerabilities.
For example, there are countless criminal organizations thriving in the hidden ecosystems of cyberspace, profiting from cyberattacks, cybercrime, and cyberfraud. These organizations employ techniques and tools that are virtually indistinguishable from those that were uncovered in the Google attacks, and by us earlier in our Tracking Ghostnet investigation, a 10-month examination of alleged Chinese cyberspying of numerous diplomatic missions, ministries of foreign affairs, and international organizations.
Such groups also offer their services for hire, giving other actors who want to benefit from them a good cover and plausible deniability. It’s called cyberprivateering, and it’s one of the best ways to avoid being caught. Indeed, it’s a major reason why sourcing attacks like the one on Google is so difficult.
Risks from Web 2.0 companies
Second, attacks such as these are becoming more common because of changes to the character of cyberspace itself. The services of Web 2.0 companies – so-called cloud computing platforms and social-networking groups – are the primary vehicles through which most people experience and interact with the Internet today.
While Twitter, Google Groups, Yahoo Mail, and Flickr may make our cyberexperiences much more convenient, interactive, and richly engaging, they also create two risks: a wide spectrum of new security vulnerabilities and a multiplicity of ever-evolving vectors through which victims can be targeted and attacks mounted.
It is common today for cyberespionage or fraud networks to propagate their malware by exploiting and infiltrating popular social-networking forums like these, or to command their systems through blogging sites and multiple, redundant groups, free hosting services, or anonymous mail accounts. It’s often said that dark clouds may have silver linings, but cyberclouds have turbulent and very dark hidden cores.
A final ironic factor contributing to cyberespionage attacks relates to the very success of cyberspace itself. Over the past decade, numerous countries, organizations, nongovernmental organizations, and citizen groups have rushed to embrace new information and communication technologies as a way to jump-start economic development or take advantage of social-networking opportunities.
But they have done so largely without attention to proper security protocols. Private, sensitive, and even highly classified documents that were once locked away in file cabinets now circulate through proprietary clouds and pass between USB sticks, from the home to the office to the laptop, from the coffee shop to the airport lounge. Vulnerabilities multiply as networking increases.
When we issued our Tracking Ghostnet report, we concluded that it was not the first nor would it be the last of its kind. Unfortunately, the Google attacks have borne out that prediction. And there will surely be more.
Ron Deibert is director of the Citizen Lab, Munk Centre for International Studies, University of Toronto. Rafal Rohozinski is the CEO of SecDev.Cyber and a senior fellow at the Citizen Lab. Together, they are principal investigators of the Information Warfare Monitor project and coauthors of the “Tracking Ghostnet” report.