Google, China, and the coming threat from cyberspace

Published in the Christian Science Monitor

By Ron Deibert and Rafal Rohozinski

Cyberspace attacks are set to increase. Here’s why – and here’s what we can do to stop them.

The recent cyberespionage attacks on Google and that company’s subsequent announcement that it would reconsider its search engine services in China gripped the world’s focus and set off a debate about China’s aggressive cybersecurity strategy.

Google Fallout

Google’s New Approach

There has been quite a lot of coverage of Google’s statement concerning the attacks it experienced and its reconsideration of its service offerings in China. Google made reference to our Ghostnet investigation, and felt that there might be a direct connection between the two. At this point, and with the evidence at hand, we believe they are similar in nature, but probably distinct attacks. Much more, I’m sure, will be revealed in weeks to come. Citizen Lab associates have been commenting on the attacks and the wider implications in the press and elsewhere. Below are some selected sources:

Citizen Lab, Psiphon and SecDev’s Nart Villeneuve’s reaction

Globe and Mail editorial

Christian Science Monitor

Wall Street Journal

New York Times

Globe and Mail

CBC As it Happens (My interview starts at the beginning of Part 3)

The Wild Wild Web – Canadian Lawyer Magazine

A few months ago when a Canadian research group exposed the GhostNet, a brazen cyber-espionage network, the story briefly made headlines. Most of us marvelled at the ingenuity and nefariousness of the alleged perpetrator, the Chinese government. Some may have momentarily fretted about implications for international security. But the man who helped break the GhostNet story, Ron Deibert, director of the Citizen Lab at the University of Toronto’s Munk Centre for International Studies, says the implications are at once more far-reaching and more immediate — especially, perhaps, for lawyers.

From Canadian Lawyer Magazine

Tracking GhostNet

Dear Friends and Colleagues

Please find below a link to Tracking GhostNet: Investigating a Cyber Espionage Network, the second major report from the Information Warfare Monitor – a joint project of the SecDev Group (Ottawa) and the Citizen Lab (Munk Centre for International Studies, University of Toronto).

Tracking GhostNet: Investigating a Cyber Espionage Network

This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The report can be downloaded here.

For security reasons, we have redacted parts of the report until affected parties can be notified by the relevant authorities. A full uncensored report will be released in one week.

A New York Times story by John Markoff about the report is here.

This report is the culmination of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. It documents a vast suspected cyber espionage network of over 1,295 infected computers in 103 countries, referred to in the report as GhostNet. Close to 30% of the infected hosts are considered high-value political and economic targets, and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of the attack tools used by the GhostNet system were far-reaching, and include the ability to retrieve documents, and turn on web cameras and audio systems. The investigation was able to conclude that Tibetan computer systems were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information, including documents from the private office of the Dalai Lama.

While our analysis reveals that numerous politically sensitive and high-value computer systems were compromised in ways that circumstantially point to China as the culprit, we do not know the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. One of the characteristics of cyber-attacks of the sort we document here is the ease with which attribution can be obscured. Regardless of who or what is ultimately in control of GhostNet, it is the capabilities of exploitation, and the strategic intelligence that can be harvested from it, that matter most. This report underscores the growing capabilities of cyber attacks, the ease with which cyberspace can be used as a vector for signals intelligence, and the importance of taking information security seriously by security professionals and policy makers worldwide. We look forward to your comments.