Black Code: Inside the Battle for Cyberspace
In 2008, two years after the Belarus election, war broke out between Russia and Georgia over the disputed territorial enclave of South Ossetia. As Russian tanks stormed the territory, ONI researchers inside Georgia and neighbouring countries monitored the information domain, collecting evidence of computer network attacks and filtering. At the war’s height, Georgian government websites and much of its information infrastructure, including banking and emergency services, came under a massive denial-of-service attack, which most people attributed to the Russian government. (A similar assault had been inflicted on Estonia a year earlier, when that country’s leaders made the unpopular decision to relocate the Bronze Soldier of Tallinn, an elaborate Soviet-era war memorial, along with the remains of Soviet soldiers.) Desperate to stem the attacks, and hoping to counter Russia’s disinformation campaign, the Georgian government censored access to all Russia-based websites. Accustomed to seeing Russian news online, and unaware of the decision taken by their government, Georgians in the capital city of Tbilisi panicked, fearing that the blackout presaged a massive Russian ground assault. Rumours quickly spread of tanks approaching the outskirts of the city.
Were the DDOS attacks orchestrated by the Russian military, undertaken by sympathizers to the Russian cause, or some combination of the two? No one would or could tell. To illustrate how easy it is for anyone to participate in such attacks, journalist Evgeny Morozov, writing for Slate magazine, downloaded instructions for one of the DDOS tools advertised on Russian forums and, in less than an hour, was a participant in the attacks on Georgian government websites himself.
After the war ground to a halt, Citizen Lab researchers were able to register the domains of the botnets responsible for the DDOS attacks, which the owners had let expire. Doing so gave us a precise sense of the breadth of commandeered computers under the hackers’ control during the Russian–Georgian conflict, as the zombie computers still “checked in” with domains now under our supervision. While most observers talked about Russian-based attacks on Georgian government websites, we found instead a global network of zombie computers used to assault the Georgian infrastructure, the vast majority of which were physically located in the U.S. and Germany. We also determined that the same botnets had been used in numerous recent criminal activities, mostly involving extortion against pornography and gambling websites.
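The sinkhole measurement described in the passage above, as an added illustration that is not the Citizen Lab's code: once an expired command-and-control domain is registered and pointed at a server the defender controls, every infected host that still resolves it keeps "checking in", and the check-in log yields both a count of the botnet's reach and its geographic distribution. The log format, the geolocation table and the IP addresses below are all constructed for the example (the original 2008 data is not on the page), and a real sinkhole would consult a GeoIP database rather than a hand-written prefix table.

```python
from collections import Counter
import ipaddress
import re

# Constructed sinkhole web-server log lines (not real data): each line is one
# HTTP request from a host polling a former C2 domain that now resolves to the
# sinkhole. Fields: timestamp, source IP, method, path, Host header.
SINKHOLE_LOG = """\
2008-08-12T10:01:03Z 198.51.100.14 GET /cmd.php?id=ab12 host=example-c2.invalid
2008-08-12T10:01:07Z 203.0.113.77 GET /cmd.php?id=9f0c host=example-c2.invalid
2008-08-12T10:01:09Z 198.51.100.14 GET /cmd.php?id=ab12 host=example-c2.invalid
2008-08-12T10:02:15Z 192.0.2.33 GET /cmd.php?id=77aa host=example-c2.invalid
2008-08-12T10:02:40Z 198.51.100.201 GET /cmd.php?id=c3d4 host=example-c2.invalid
2008-08-12T10:03:01Z 203.0.113.5 GET /index.html host=example-c2.invalid
2008-08-12T10:03:22Z 192.0.2.33 GET /cmd.php?id=77aa host=example-c2.invalid
"""

# Constructed geolocation table (prefix -> ISO country code). The prefixes are
# RFC 5737 documentation ranges used as placeholders, not real infected hosts.
GEO_TABLE = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "DE",
    "192.0.2.0/24": "GE",
}

# Path the (hypothetical) bot polls for commands; anything else is treated as
# noise such as crawlers or curious visitors hitting the sinkhole.
CHECKIN_PATH_PREFIX = "/cmd.php"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) host=(?P<host>\S+)$"
)


def parse_checkins(log_text):
    """Yield (timestamp, ip) for lines that look like bot check-ins."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(CHECKIN_PATH_PREFIX):
            continue
        yield m.group("ts"), m.group("ip")


def geolocate(ip, table=GEO_TABLE):
    """Map an IP to a country code using the prefix table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in table.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def summarize(log_text):
    """Return (unique_hosts, by_country).

    unique_hosts counts distinct source IPs seen checking in; by_country maps
    country code to the number of distinct hosts there. Counting distinct IPs
    rather than requests matters: one bot polls repeatedly, so raw request
    counts would overstate the botnet's size.
    """
    unique = {ip for _ts, ip in parse_checkins(log_text)}
    by_country = Counter(geolocate(ip) for ip in unique)
    return len(unique), dict(by_country)


if __name__ == "__main__":
    total, by_cc = summarize(SINKHOLE_LOG)
    print(f"{total} distinct infected hosts checked in")
    for cc, n in sorted(by_cc.items(), key=lambda kv: -kv[1]):
        print(f"  {cc}: {n}")
```

The distinct-host count is the figure that matters for gauging the botnet's breadth; the per-country breakdown is what lets a sinkhole operator see, as the passage describes, that the machines assaulting one country's infrastructure may overwhelmingly sit in another.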
The worldwide distribution of computers linked together to assault Georgia proves how difficult it is to “attack back” those causing mayhem in cyberspace. Indeed, at one moment during the conflict, when the Georgians took up an offer from a Georgian ex-pat based in Atlanta to host their websites in the United States, commandeered U.S.-based computers were overwhelming other U.S.-based computers hosting Georgian government websites!
• • •
What ONI researchers have found in the former Soviet Union has parallels in other parts of the world. In 2009, the Citizen Lab analyzed DDOS and defacement attacks that were vexing the Burmese opposition and independent media outlets alike. Most observers, including the victimized organizations themselves, blamed the Burmese government, but Nart Villeneuve determined that the attackers had no ties at all to the Burmese government. Instead, the attacks had been launched by a group of Burmese hackers trained as computer programmers at Russian military academies in Rangoon. Overseas Burmese pro-democracy groups had apparently irritated them, and they took it upon themselves to defend the military junta by menacing the groups persistently over the Internet. Part of the hackers’ motivation was to earn bragging rights, and their undoing was that they boasted about their exploits on chat forums that we were monitoring, allowing us to triangulate their usernames with other coincidental pieces of information. Still, why shut down cyber crime in your backyard if it happens to be doing work for you fighting national security threats abroad?
In the wake of the 2009 Green Movement in Iran, a group calling itself the Iranian Cyber Army emerged and began menacing Green Movement sympathizers at home and abroad. Hacking collectives had been active in Iran since the early 2000s, with groups like Ashiyane, Shabgard, and Simorgh cracking into websites for notoriety and, occasionally, profit. Beginning in the summer of 2009, however, politically motivated attacks on websites became increasingly common as a means to counter the Green Movement and create a climate of fear and suspicion. The Iranian Cyber Army hackers successfully defaced Twitter, Voice of America, the Chinese search engine Baidu, and opposition websites such as Radio Zamaneh, often emblazoning pages with their logo and leaving pro-government messages. (Recently, sophisticated attacks on the certificate authority systems that secure Internet traffic moving in and out of Iran were undertaken by an individual claiming to be a loner sympathetic to the regime, although no one can say for sure if the claim is true.)
The Iranian government has tacitly condoned the activities of the Iranian Cyber Army – even going so far as to applaud its efforts – while keeping itself one step removed from any formal endorsement or incorporation. When the Iranian Cyber Army launched a cyber attack on Voice of America websites and inserted an anti-American message, an Iranian official spokesman, Ali Saeedi Shahroudi, said that the U.S. could no longer claim that it was the “bellwether of software and cyber technology,” and that the “hacking of a VOA homepage by the Iranian Cyber Army and leaving a message on the site for the U.S. secretary of state shows the power and capability of the [Islamic Revolution Guards] Corps in the cyber arena.” In 2010, the leader of the Iranian Revolutionary Guard’s Ali Ibn abi-Talib Corps, Ebrahim Jabbari, publicly claimed that his organization possessed the world’s second-largest cyber army. Was he referring to the Iranian Cyber Army? In 2011, another Iranian Revolutionary Guard official, Brigadier General Gholamreza Jalali, said, “We welcome the presence of those hackers who are willing to work for the goals of the Islamic Republic with good will and revolutionary activities.”
• • •
Quasi-national cyber armies like these are spreading, and spreading fast, for two fundamental reasons. First, the tools to engage in cyber attacks are now widely available and as simple to acquire as “download, point, and click.” With such easy access, we have entered the age of do-it-yourself information warfare. A second factor, which reinforces and builds upon the first, is the growing pressure on governments and their armed forces to develop cyber warfare capabilities. While cyber warfare threats are often wildly exaggerated in order to win massive defence contracts, there is an undeniable arms race occurring in cyberspace, and the domain is being rapidly militarized. Governments around the world now see cyber security as an urgent priority. They are standing shoulder-to-shoulder with their armed forces on this issue, and the capacity to fight and win wars in cyberspace is now seen as an absolute necessity by authoritarian regimes and liberal democracies alike.
But not all countries follow the same playbook.
While the United States and other Western countries build cyber commands staffed by professionally trained military personnel, corrupt, autocratic, and authoritarian regimes follow a different path: exploiting the techniques and methods of the cyber-criminal underground, enlisting paramilitary hackers, and taking advantage of the vulnerabilities of the very systems their opponents depend on for mobilization and political action. They also target different adversaries, reflecting their own perception of what constitutes a national security threat: political opposition parties, independent media, bloggers and journalists, and the vast networks of civil society groups pressing for openness, democracy, and accountability.
For many years, global civil society networks saw the Internet and other forms of new media as powerful tools for their causes. They have gradually come to learn that these media can be controlled in ways that limit access to information and freedom of speech for citizens living behind national firewalls. Now, to those concerns must be added another, this time more ominous: cyberspace is becoming a dangerously weaponized and insecure environment. It is now a domain where human rights activists, opposition groups, and independent media can be trapped, harassed, and exploited, as much as they can be empowered. And there’s another thing. On what basis can the West condemn, for instance, the Syrian Electronic Army or other quasi-state hacker groups for infiltrating the computers of opposition groups when we openly market offensive computer network attack products and services at Las Vegas–style trade shows?
10. Fanning the Flames of Cyber Warfare
Eugene Kaspersky is the CEO of the Russian-based malware and cyber-security research laboratory that bears his name, Kaspersky Lab. An outspoken, controversial, and sometimes flamboyant figure in the computer security industry, Kaspersky attracted wide public attention in 2011 when his twenty-year-old son, Ivan, was kidnapped by people suspected of having ties to the Russian mafia. Ivan was quickly rescued by Russian security forces, and Kaspersky claimed no ransom had been paid ($4.5 million had been demanded). The incident led to considerable speculation. Russian secret forces do not typically intervene in kidnappings involving average citizens, but Kaspersky is no average Russian and many believe that he made a deal with authorities to gain the release of his son, which Kaspersky vehemently denies.
I first encountered Kaspersky at the London Conference on Cyberspace in November 2011. Organized by the British Foreign and Commonwealth Office, the conference was meant to be a major “rules of the road” meeting of great powers on the future of cyberspace and Kaspersky was among several high-profile speakers. The conference itself was poorly organized and produced no tangible results, but Kaspersky certainly made for good theatre.
Taking his turn at the podium, Kaspersky addressed the buttoned-down crowd. His tie askew, suit threadbare, and hair wild and unruly, he began with a finger-wagging admonition: “I am glad to see that people are finally taking this issue seriously. I have been warning about it for decades. If you had listened to me, and took me seriously, all those years ago.”
After this stark beginning, Kaspersky segued into a more disturbing aspect of his lecture, a series of statements that left many in the assembled crowd squirming, me among them. Kaspersky is concerned about anonymity online, and that too many people are getting away with Internet crime because they can hide their tracks. He believes we need to institute the cyber equivalent of the passport or driver’s licence. We do not allow people to drive cars without a licence, Kaspersky asserted, so why should we let them browse the Internet unchecked, unregulated? And then he went even further, suggesting that Russia should be regarded as a model for the rest of the world when it comes to Internet governance.
Russia? The model for the rest of the world!
Grumbling started at the back of the room and rippled forward. There were grimaces everywhere, especially among our British hosts, but there were also some vigorous nods of approval from law-and-order types, most of them sporting the dark blue suits and very short haircuts that are the uniform of the defence and intelligence community.
In fact, somewhat under the radar, Russia has indeed created a model for cyberspace governance for other autocratic regimes to follow. The Russian Internet, known locally as RUNET, accomplishes controls not through Internet censorship per se, which has been applied only selectively in the past and even then mostly around specific content categories, like homoerotic pornography. Instead, Russian authorities rely on more sophisticated, but also more brutal methods – intimidation, public discrediting, surveillance, and symbolic arrests – while also meddling in organized crime and employing patriotic hackers to muddy attribution. Unfortunately these tactics have proven attractive to a growing number of autocratic regimes looking to control information and digital activism. Russia, the model for the rest of the world? Maybe, if what we have in mind for the future of cyberspace is a Blade Runner dystopia.
Kaspersky raised another ominous possibility, telling Sky News at the London conference: “We are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists, and then … oh, God.”
Cyber terrorism. The phrase points to a sense of heightened anxiety that has pervaded talk of cyber security since 9/11: the view that those hideous events represented a failure (at least in part) of Internet surveillance; that had control been tightened over digital communications the perpetrators might have been identified before they were able to execute their plan. But raising the spectre of cyber terrorism can also get a person discredited as a Cassandra.
In this respect, Kaspersky is the Russian equivalent of Richard A. Clarke, the former U.S. counterterrorism czar. Like Kaspersky, Clarke is famously outspoken, and both believe they were onto something long before anyone else. (Notably, Clarke warned his superiors about the threat of al-Qaeda targeting the United States prior to 9/11.) Like Kaspersky, he is often dismissed as an alarmist, seen by many as simply a rhetorical bomb-thrower. Clarke may not have been the first to employ the phrase “electronic Pearl Harbor” – it was John Deutch, the former CIA director, back in 1996 describing the prospect of terrorists using the Internet to launch a surprise attack – but he uses it liberally, as do many U.S. defence industry lobbyists. Indeed, the phrase continues to be repeated like a mantra in Washington. But if people like Clarke have been warning of a catastrophic electronic Pearl Harbor for decades, why hasn’t it happened? Surely it is not for lack of people with grievances and access to computers?
The truth is that such extreme scenarios are unlikely for a number of reasons. The Internet (and cyberspace as a whole) is resilient precisely because governance over it is so distributed, and routing of network traffic across the Internet was designed from the outset to take multiple potential paths in the event of a failure of any one of them. The flip side, however, is that as cyberspace expands and embeds itself in more and more of everything we do, the chances of a cascading failure having catastrophic repercussions become considerable. In other words, it also seems unlikely that nothing bad will happen.
• • •
In June 2012, Kaspersky was back in the news, his company announcing that it had found a major cyber weapon called Flame. Better described as a tool of espionage than a weapon, Flame did not damage computers, but instead siphoned off massive volumes of information in a manner similar to GhostNet.
While technical experts pored over the data, some argued that there could be underlying political processes at work in the Flame revelations. Kaspersky’s organization was given the Flame virus to examine by a Malaysia-based organization called IMPACT (the International Multilateral Partnership Against Cyber Threats), a public–private cyber security alliance set up in 2008 by the International Telecommunication Union (ITU). Founded in the late nineteenth century to enable governments to coordinate international postal and telegraphic traffic, the ITU is the world’s oldest international organization, and its membership over the years has been almost entirely composed of state-owned telecommunications companies. (Some view it as a telecom cartel for just this reason. State-run telecommunications companies use the ITU to set long-distance telephone rates, a highly profitable source of government revenue.)
The ITU missed the boat on the Internet, however, which was developed largely outside the telecommunications sector and governed by engineers through an independent non-profit, the Internet Corporation for Assigned Names and Numbers (ICANN), under contract to the U.S. Department of Commerce. Over the past twenty years or so, as the Internet has grown enormously in importance, the ITU has tried to claw its way into Internet governance, a move at times fiercely resisted by those partial to the Internet’s non-state system of governance. Nonetheless, the persistent threat posed by cyber weapons and warfare lends credibility to the involvement of the ITU and IMPACT in cyber security and governance. Interestingly, Russia, China, and other governments fully support this involvement, seeing more UN- and ITU-based control as a way to legitimize their own vision of a territorially bounded system of global communications governance that aligns with national sovereignty. In 2011, for example, Russia, China, Tajikistan, and Uzbekistan proposed a “code of conduct” for cyberspace at the UN General Assembly, and Russia and China have been vocal proponents of a view of cyberspace governance that gives prominence to state controls over the Internet, and state organs power in the decision-making forums that set the rules of the road. Could the sharing of the Flame virus with Kaspersky’s group by the ITU and IMPACT, and his trumpeting about finding a giant cyber weapon, be part of an overall campaign to lend support to the Russian and Chinese preferences for cyberspace governance?
The possible connections between Flame and another devastating cyber weapon, Stuxnet, fanned the flames of these suspicions. Stuxnet was discovered in 2010, and had been connected to devastating setbacks at Iranian nuclear enrichment facilities. In May 2012, when Kaspersky first made the announcement of the Flame discovery, he speculated that it belonged to the same family of malicious software as Stuxnet, and just about everyone who examined the case believed either the United States or Israel (or both acting together) were involved in its production. Only four days after Kaspersky’s discovery of Flame, an explosive New York Times exclusive by journalist David E. Sanger all but confirmed those suspicions. Adding to the intrigue was the fact that the majority of the victims targeted by the Flame virus were in the Middle East, with most of them in Iran, and that later Kaspersky Lab claimed to have found an authorship link between a 2009 version of Stuxnet and Flame, a claim independently backed up by the security firm Symantec, and then by a supposed U.S. intelligence insider, who leaked the story to the Washington Post. As Roel Schouwenberg of Kaspersky Lab theorized: “I think this new discovery shows that the Stuxnet team used Flame code to effectively kick-start their project. I definitely think they are two separate teams, but we do believe they are two parallel projects commissioned by the same entities.”