Black Code: Inside the Battle for Cyberspace

by Ronald J. Deibert


  INTRODUCTION

  Cyberspace: Free, Restricted, Unavoidable

  Look around you. Do you see anyone peering into their smartphone? How many times have you checked your email today? Have you searched for a wifi café to do so? How many people have you texted? Maybe you’re a contrarian, don’t own a smartphone. You find all this “connectivity” to be a social menace that isolates people from the world around them, as they stare endlessly into the glow of their computer screens, or engage in loud conversations with invisible others as they walk down the street gesticulating. If your date answers that cellphone call all is lost, you think. The digital revolution is not all that it’s cracked up to be, you say, and you resist it.

  Good luck with that.

  Even those of you who resist or fear cyberspace sense that we are in the midst of an onslaught. And we are! You resist initially because it is drawing you in, inevitably. Whether you like it or not, to remain part of civil society you have to deal with it. Cyberspace is everywhere. By the end of 2012 there were more mobile devices on the planet than people: cellphones, laptops, tablets, gaming consoles, even Internet-connected cars. Some estimates put the number of Internet-connected devices now at 10 billion. Cyberspace has become what researchers call a “totally immersive environment,” a phenomenon that cannot be avoided or ignored, increasingly embedded in societies rich and poor, a communications arena that does not discriminate. Connectivity in Africa, for instance, grows at some 2,000 percent a year. While the digital divide remains deep, it’s shrinking fast, and access to cyberspace is growing much faster than good governance over it. Indeed, in many regions rapid connectivity is taking place in a context of chronic underemployment, disease, malnutrition, environmental stress, and failed or failing states.

  Cyberspace is now an unavoidable reality that wraps our planet in a complex information and communications skin. It shapes our actions and choices and relentlessly drives us all closer together, drives us even towards those whom, all things being equal, we would rather keep at a distance. A shared space, a global commons, the public square writ large. You’ve heard all the ecstatic metaphors used by enthusiasts and your thoughts turn elsewhere. “Hell is other people,” Jean-Paul Sartre famously wrote in No Exit, and now teeming billions of them are potentially in your living room, or at least in your email inbox, that silent assassin. You cherish your privacy.

  Of course, there have been previous revolutions in communications technology that have upset the order of things and caused outrage and celebration. The alphabet, the invention of writing, the development of the printing press, the telegraph, radio, and television come to mind. But one of the many things that distinguishes cyberspace is the speed by which it has spread (and continues to spread). Those other technological innovations no doubt changed societies but in an “immersive” sense only over many generations, and more locally than not. Cyberspace, on the other hand, has connected two-thirds of the world – has joined, that is, more than 4 billion people in a single communications environment – in less than twenty years. And it is moving onward, accelerating in fact, bringing legions into its fold each and every day.

  The amount of digital information now doubles every year, and the “information superhighway” might be best described as continuous exponential growth, more on-ramps, more data, all the time, faster, more immediate, more accessible, its users always on, always connected. This speed and volume make getting a handle on the big picture difficult, and the truth is – a hideous truth, especially for those of you who think of yourselves as “off the grid,” somehow away from the connected world, and proudly disconnected – is that no one is immune. Let’s imagine for a moment that you don’t own a computer, have never sent an email or text, and don’t know what “app” means. The thing that informs you, that prepares you for cocktail parties and other gatherings, is mainstream or “old” media – newspapers, radio, and TV. Look closely at this “old media”: How much of it is now “informed by,” even directed by, “new media,” by thousands, even millions, of “citizen journalists,” unpaid, unaccountable, but with cellphone cameras permanently at the ready, documenting events as they happen in real time, unfiltered, and, perhaps, unreliable. The other truth is that no one really knows what this hurricane will leave behind or where it will take us. We’re just struggling to hang on.

  Another chief difference between then and now is that today, through cyberspace, it is us, the users, who create the information, do the connecting, and sustain and grow this unique communications and technological ecosystem. Save for the telephone, previous communications revolutions required a certain passivity on the part of consumers. There was little or no interactivity. We turned on the radio and listened, watched television happy to tune out and not to have to respond. The information provided, even the news of the day, simply washed over us. (We might get a call from a ratings agency, might be polled, might write a letter to the editor, but in the main we were passive recipients not active participants.) Cyberspace is wholly different, and potentially far more egalitarian. It is the lonely man in a café clicking away, the mother out for dinner with friends discreetly contacting her kids, the armed militant in Mogadishu, the criminal in Moscow, as much as it is anyone or any institution in particular, who feed the machine, cause it to grow, to envelop us further. While it is difficult to pin down a constantly moving target, this much can be said: it is peculiar to cyberspace that we, the users, shape it as much as we are shaped by it. We are at it every day, every night, transforming it all the while. Cyberspace is what we make of it. It is ours. We need to remember this before it slips through our grasp.

  This remains the issue. One of the extraordinary – and for many liberating – things about cyberspace is that while massive and hugely profitable corporations like Apple and Google have made it possible and accessible (virtually) to all, they don’t actually control it. Indeed, while having seeded the terrain, Apple, Google, and other gigantic corporations might have no greater control over cyberspace than those of us operating alone, at home, at our computer screens. This generative quality changes everything, causes grave concern, causes many to demand that cyberspace be brought under control.

  • • •

  It’s difficult not to marvel at the extraordinary benefits of cyberspace. To be able to publish anything and have it immediately reach a potential worldwide audience represents a democratization of communications that philosophers and science fiction writers have dreamed about for centuries. Families continents apart now share in each other’s daily struggles and triumphs. Physicians connect with patients thousands of kilometres away, in real time. Through vast aggregations of data we can now predict when disease outbreaks are likely to occur, and take precautionary measures. We can pinpoint our exact longitude and latitude, identify the nearest wifi hotspot, and notify a friend that we are, well, nearby and would like to meet.

  But there is a dark side to all this connectivity: malicious threats that are growing from the inside out, a global disease with many symptoms that is buttressed by disparate and mutually reinforcing causes. Some of these forces are the unintended by-products of the digital universe into which we have thrust ourselves, mostly with blind acceptance. Others are more sinister, deliberate manipulations that exploit newly discovered vulnerabilities in cyberspace. Together they threaten to destroy the fragile ecosystem we have come to take for granted.

  Social networking, cloud computing, and mobile forms of connectivity are convenient and fun, but they are also a dangerous brew. Data once stored on our actual desktops and in filing cabinets now evaporates into the “cloud,” entrusted to third parties beyond our control. Few of us realize that data stored by Google, even data located on machines in foreign jurisdictions, are subject to the U.S. Patriot Act because Google is headquartered in the United States and the Act compels it to turn over data when asked to do so, no matter where it is stored. (For this reason, some European countries are debating laws that will ban public officials from using Google and/or other cloud computing services that could put their citizens’ personal information at risk.) Mobile connectivity and social networking might give us instant awareness of each other’s thoughts, habits, and activities, but in using them we have also entrusted an unprecedented amount of information about ourselves to private companies. We can now be tracked in time and space with a degree of precision that would make tyrants of days past envious – all by our own consent. Mobile devices are what Harvard’s Jonathan Zittrain, author of The Future of the Internet, calls “tethered appliances”: they corral us into walled gardens controlled by others, with unknown repercussions.

  These technological changes are occurring alongside a major demographic shift in cyberspace. The Internet may have been born in the West but its future will almost certainly be decided elsewhere. North Americans and Europeans make up less than 25 percent of Internet users, and the West in general is almost at saturation point. Asia, on the other hand, comprises nearly 50 percent of the world’s Internet population (the most by region), and only 28 percent of its people are online (next to last by region). Some of the fastest growth is happening among the world’s weakest states, in zones of conflict where authoritarianism (or something close), mass youth unemployment, and organized crime prevail. How burgeoning populations in Africa, Asia, the Middle East, and Latin America will use and shape cyberspace is an open question.

  The young “netizens” who launched the Arab Spring were born into a world of satellite broadcasts, mobile phones, and Internet cafés. They were plugged in to the digital world and able to exploit viral networks in ways difficult for authorities to anticipate or control. Meanwhile, perhaps the most innovative users of social networking and mobile technologies in Latin America today are the drug cartels, which use these tools to instill fear in citizens and lawmakers, intimidate journalists, and suppress free speech. To understand how and in what ways cyberspace will be used in the years to come we need to analyze innovation from the global South and East, from users in cities like Tegucigalpa, Nairobi, and Shanghai, the new centres of gravity for cyberspace.

  • • •

  And then there is cyber crime, a part of cyberspace since the origins of the Internet, but now explosive in terms of its growth and complexity. The economy of cyber crime has morphed from isolated acts by lone “basement” criminals into a highly professionalized transnational enterprise worth billions annually. Every day, security companies must review thousands of new samples of malicious software. Botnets that can be used for distributed denial-of-service (DDOS) attacks against any target can be rented from public forums and websites for less than $100. Some even offer 24/7 technical help. Freely available spyware used to infiltrate networks has now become commonplace, a mass commodity. As a result, the people who maintain network security for governments, banks, and other businesses face a continuous onslaught of cyber-crime attacks.

  Cyberspace has evolved so quickly that organizations and individuals have yet to adopt proper security practices and policies. We have created a hyper-media environment characterized by constant innovation from the edges, extensive social sharing of data, and mobile networking from multiple platforms and locations, and in doing so, we have unintentionally opened ourselves up to multiple opportunities for criminal exploitation. Cyber crime thrives partly because of a lack of controls, because the criminals themselves can reap a digital harvest from across the globe and hide in jurisdictions with lax law enforcement and regulations. Furthermore, it moves at the speed of electrons, while international law enforcement moves at the speed of bureaucratic institutions. It is almost routine now to hear about cyber criminals living openly in places like St. Petersburg, Russia, and exalted as tech entrepreneurs, not the digital thugs that they are.

  No doubt, cyber crime is a major nuisance, a shadowy, unregulated economy that costs decent folks dearly, but even more disturbing is how cyber crime, espionage, sabotage, and even warfare appear to be blurring together. Almost daily, there are breaches against government departments, private companies, or basic infrastructure. The Citizen Lab has investigated several of these cases, two of which we documented in our reports, Tracking GhostNet and Shadows in the Cloud. The victims, all compromised by China-based perpetrators, included major defence contractors, global media outlets, government agencies, ministries of foreign affairs, embassies, and international organizations like the United Nations.

  How far down this road have we gone? A 2012 New York Times report revealed that the United States and Israel were responsible for the Stuxnet virus, which sabotaged Iranian nuclear enrichment facilities in June 2010. While the two countries remained mum about the charge, they did not deny it. The incident represents the first time governments have tacitly acknowledged responsibility for a cyber attack on the critical infrastructure of another country, a de facto act of war through cyberspace.

  The techniques used in these state-based breaches and attacks are indistinguishable from those used by cyber criminals. Indeed, Stuxnet has been described as a “Frankenstein” of existing cybercrime methods and tradecraft, and many now see cyber crime as a strategic vector for state-based and corporate espionage. Hidden in the shadows of low-level thuggery and cyber crime for cash, in other words, are more serious and potentially devastating operations, like acts of sabotage against critical infrastructure. Now perilously networked together, such infrastructure is especially vulnerable to cyber attacks: our smart grids, financial sectors, nuclear enrichment facilities, power plants, hospitals, and government agencies are all there for the taking. And this is happening at a time when militaries, criminal organizations, militants, and any individual with an axe to grind are refining capabilities to target and disrupt those networks. Cyberspace has become a battleground, a ground zero, for geopolitical contests and armed struggle.

  Cyber crime is much more than a persistent nuisance. It has become a key risk factor for governments and businesses. The consequences of this exploding threat are numerous and wide-ranging and have led to greater and greater pressures for state regulation and intervention. Proliferating cyber crime and espionage have vaulted cyber security to the top of the international political agenda and brought about a sea change in the way that governments approach cyberspace. Where once the dominant descriptor of Internet regulation was “hands off,” today the talk is all about control, the necessary assertion of state power, and, increasingly, geopolitical contestation over cyberspace itself.

  The OpenNet Initiative (ONI), a project in which the Citizen Lab participates and that documents Internet content filtering worldwide, notes that roughly 1 billion Internet users live in countries (over forty of them) that regularly censor the Internet. States have become adept at content-control regulations, mostly downloading responsibilities to the private sector to police the Internet on their behalf, but some governments have gone further, engaging in offensive operations on their own, including disabling opposition websites through DDOS or other attacks, and/or using pro-government bloggers to flood (and sometimes disable) the information space.

  Although conventional wisdom has long maintained that authoritarian regimes would wither in the face of the Internet (and some in the Middle East and North Africa appear to have done so), many have turned the domain to their advantage. Tunisia and Egypt may have succumbed to Facebook-enabled protestors, but China, Vietnam, Syria, Iran, Belarus, and others have successfully employed second- and third-generation control techniques to penetrate and immobilize opposition groups and cultivate a climate of fear and self-censorship. These states are winning cyberspace wars. For them “Internet freedom” is just another excuse for state control.

  • • •

  It would be wrong, however, to see the growing assertion of state power in cyberspace as coming only from authoritarian regimes. As Stuxnet suggests, cyberspace controls, in fact, are being driven and legitimized just as much by liberal democratic countries. Many liberal democratic governments have enacted or are proposing Internet content-filtering laws, mostly, they say, to clamp down on copyright infringements, online child pornography, or other content deemed objectionable, hateful, or likely to incite violence. Many have also pushed for new surveillance powers, downloading responsibilities for the collection of data onto the private sector while relaxing judicial oversight around the sharing of information with law enforcement and intelligence agencies. They are also developing offensive information operations. The United States and many other Western governments now speak openly about the need to fight (and win) wars in this domain.

  Not surprisingly new companies have sprouted up to serve the growing pressure to “secure” cyberspace, a growth industry now worth tens of billions of dollars annually. Countries that censor the Internet have usually relied on products and services developed by Western manufacturers: Websense in Tunisia, Fortinet in Burma, SmartFilter in Saudi Arabia, Tunisia, Oman, and the United Arab Emirates. Filtering and surveillance devices manufactured by Blue Coat Systems, an American firm, have been found operating on public networks in Afghanistan, Bahrain, Burma, China, Egypt, India, Indonesia, Iraq, Kenya, Kuwait, Lebanon, Malaysia, Nigeria, Qatar, Russia, Saudi Arabia, Singapore, South Korea, Syria, Thailand, Turkey, and Venezuela – a list that includes some of the world’s most notorious human rights abusers. Netsweeper, a Canadian company, sells censorship products and services to ISPs across the Middle East and North Africa, helping regimes there block access to human rights information, basic news, information about alternative lifestyles, and opinion critical of the regimes. In 2012, dissidents in the United Arab Emirates and Bahrain were shown, during interrogations where they were arrested and beaten, transcripts of their private chats and emails, their computers obviously compromised by their own government security agencies. Those agencies didn’t use an off-the-shelf piece of cybercrime spyware to do the job; rather, they employed a high-grade commercial network intrusion kit sold to them by British and Italian companies.

 
