
The wild, wild web

Tech Support | Written by Gerry Blackwell

A few months ago when a Canadian research group exposed the GhostNet, a brazen cyber-espionage network, the story briefly made headlines. Most of us marvelled at the ingenuity and nefariousness of the alleged perpetrator, the Chinese government.

Some may have momentarily fretted about implications for international security. But the man who helped break the GhostNet story, Ron Deibert, director of the Citizen Lab at the University of Toronto’s Munk Centre for International Studies, says the implications are at once more far-reaching and more immediate — especially, perhaps, for lawyers.

What Deibert’s team at the Citizen Lab discovered in the course of a 10-month investigation was a network of over 1,200 computers around the world infected with a piece of malware, a Trojan horse called Gh0st RAT, that gives attackers complete remote control of an infected computer, undetected by its owner. Gh0st RAT lets a controller extract files from the target machine and log every keystroke the user makes. Most astonishingly, it can commandeer microphones and cameras attached to the target computer and capture conversations within range and even live video of the user. Deibert’s field team in Dharamsala, India, watched in real time as GhostNet controllers extracted documents — letters to foreign heads of state and strategy papers — from the Dalai Lama’s personal computer.

At least 30 per cent of the infected computers were in “high-value targets” such as diplomatic missions, government departments, banks, accounting companies, and non-governmental organizations, including the Tibetan government in exile in Dharamsala. Others infected included the Indian Embassy in Washington, D.C., the Iranian Ministry of Foreign Affairs, and the accounting firm Deloitte Touche Tohmatsu. The preponderance of such targets clearly suggests espionage activity, says Deibert.

The Citizen Lab team also traced the GhostNet control servers to Hainan Island off the coast of China, where the People’s Liberation Army just happens to have a signals operation. The team eventually took remote control of those servers to gather evidence for its report — an irony Deibert calls “hilarious.” Despite seemingly overwhelming evidence and his personal belief that the Chinese government was behind GhostNet, he cautions against jumping to conclusions. As lawyers should be the first to appreciate, it’s all circumstantial evidence, he points out.

There are alternative explanations, including that some other intelligence organization was pulling puppet strings, using the computers on Hainan Island as a conduit. The odds that Chinese computers would be so used are good simply because of the size of the Chinese Internet-using population and the fact that computers there are notoriously insecure, says Deibert. It could also have been private “patriotic hackers,” another known feature of the Chinese Internet scene, or even criminals trading in intelligence.

Whoever is responsible, says Deibert, GhostNet should be a “wake-up call” on a couple of levels. For one thing, it’s a very visible manifestation of an ongoing arms race in cyberspace. Groups in Washington, he points out, have actively advocated using cyber weapons, both for intelligence gathering and for more destructive purposes, such as mounting “denial of service” attacks to bring down strategic systems and networks in the event of war. “This arms race could be very destructive of the global Internet — and of countries’ own interests,” Deibert says. “And it’s spiraling out of control just like the nuclear race.”

When the Citizen Lab first uncovered incontrovertible evidence of what it believed to be criminal activity with GhostNet, its members were struck by the fact that there was no international body to which they could take the evidence. There is an “urgent” need now, Deibert says, to form some kind of international legal oversight body.

Governments also need to enter into mutual restraint treaties as they did with nuclear arms. “It’s challenging to think how that could be done,” he says — meaning how countries could prove they were adhering to treaties. But the methodologies his team has developed, which he also refers to as “Columbo-style” detection, after the long-running TV detective series, could offer a mechanism for policing weapons ban treaties.

Much closer to home, the existence of the GhostNet implies at least the possibility of similar espionage efforts mounted not by governments but by enterprises aimed at their competitors. In fact, it’s extremely likely. “Industrial espionage is a driving force behind many malware attacks,” says Deibert. Law firms, especially those involved in high-stakes litigation, may be particularly susceptible to being targeted.

And if you think that simply keeping your firm’s security software up to date guarantees impregnability, think again. The Citizen Lab used a meta-scanning tool to submit the Gh0st RAT sample to 35 different commercially available anti-virus products at once. Only 11 detected it. This is not surprising given how quickly threats develop, how long it takes for them to come to light, and how long security software companies then take to add profiles to their scanners, says Deibert.
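Signature-based anti-virus is not the only place to catch a tool like Gh0st RAT. Its command-and-control channel has a fixed wire format: each message starts with the five ASCII bytes "Gh0st", followed by two little-endian 32-bit lengths (the whole packet, and the body after zlib decompression) and then a zlib-compressed body. That layout is taken from public analyses of the leaked Gh0st RAT source and is what intrusion-detection signatures for it key on. The Python below is an added example for this article, not Citizen Lab tooling and not code from the GhostNet report: it validates the full framing rather than just the five magic bytes (which benign data can also begin with), caps decompression so a hostile length field cannot be used as a zip bomb, and runs over a handful of constructed payloads, none of them captured traffic.

```python
"""Detect Gh0st RAT command-and-control frames by validating their wire format.

Header layout (from public analyses of the Gh0st RAT source):
    bytes 0-4  : ASCII magic "Gh0st"
    bytes 5-8  : total packet length, little-endian uint32 (header + body)
    bytes 9-12 : body length AFTER zlib decompression, little-endian uint32
    bytes 13-  : zlib-compressed body
"""
import struct
import zlib

GH0ST_MAGIC = b"Gh0st"
GH0ST_HEADER_LEN = 13                 # 5-byte magic + two uint32 length fields
MAX_DECOMPRESSED = 16 * 1024 * 1024   # refuse bodies that claim to inflate past 16 MiB


def build_gh0st_packet(body: bytes) -> bytes:
    """Frame `body` the way Gh0st RAT does. Used here only to construct sample traffic."""
    compressed = zlib.compress(body)
    total_len = GH0ST_HEADER_LEN + len(compressed)
    return GH0ST_MAGIC + struct.pack("<II", total_len, len(body)) + compressed


def parse_gh0st_packet(data: bytes) -> dict:
    """Classify one TCP payload.

    Returns {"match": bool, "reason": str, "body": bytes}. `match` is True only
    when the magic, both length fields and the zlib stream are all consistent;
    a bare "Gh0st" prefix on its own is treated as a false positive.
    """
    if len(data) < GH0ST_HEADER_LEN or not data.startswith(GH0ST_MAGIC):
        return {"match": False, "reason": "no Gh0st header", "body": b""}

    total_len, orig_len = struct.unpack_from("<II", data, len(GH0ST_MAGIC))
    if total_len != len(data):
        return {"match": False,
                "reason": f"total length field {total_len} != payload {len(data)}",
                "body": b""}
    if orig_len > MAX_DECOMPRESSED:
        return {"match": False, "reason": "claimed decompressed size too large", "body": b""}

    # Inflate at most orig_len + 1 bytes: one byte more than claimed is enough to
    # prove the field is lying, without trusting it for the allocation size.
    dobj = zlib.decompressobj()
    try:
        body = dobj.decompress(data[GH0ST_HEADER_LEN:], orig_len + 1)
    except zlib.error as exc:
        return {"match": False, "reason": f"zlib error: {exc}", "body": b""}
    if len(body) != orig_len or dobj.unconsumed_tail or not dobj.eof:
        return {"match": False, "reason": "decompressed size mismatch", "body": b""}

    return {"match": True, "reason": "Gh0st RAT framing verified", "body": body}


def scan_payloads(payloads) -> list:
    """Return the labels of every (label, payload) pair that parses as a Gh0st frame."""
    return [label for label, payload in payloads if parse_gh0st_packet(payload)["match"]]


# Constructed sample payloads (not real captures). The beacon body is a placeholder;
# real Gh0st commands use their own opcode bytes, which are not modelled here.
_big = zlib.compress(b"A" * 100_000)
SAMPLES = [
    ("beacon", build_gh0st_packet(b"constructed beacon body")),
    ("http", b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("prefix_only", b"Gh0stly text that merely begins with the magic bytes"),
    ("bad_total_len", GH0ST_MAGIC + struct.pack("<II", 9999, 5) + zlib.compress(b"hello")),
    # Lies about the inflated size: a naive parser would allocate 10 bytes and inflate 100 KB.
    ("lying_orig_len", GH0ST_MAGIC + struct.pack("<II", GH0ST_HEADER_LEN + len(_big), 10) + _big),
]

if __name__ == "__main__":
    for label, payload in SAMPLES:
        result = parse_gh0st_packet(payload)
        print(f"{label:15} match={str(result['match']):5} {result['reason']}")
```

The point of checking all three fields is operational: a rule that fires on "Gh0st" alone will page an analyst on any file transfer that happens to contain those bytes, while the full framing check gives a near-zero false-positive alert that also survives the RAT being repacked to evade anti-virus, because the network protocol does not change when the binary does.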

The Citizen Lab has shown other ways governments, individuals, and companies can use network connections for surveillance and clandestine monitoring. An earlier investigation focused on the Chinese version of Skype, the free, or cheap, Internet phone and messaging service, which the provider claims is very secure because it encrypts traffic end to end. But Deibert’s team showed the Chinese government had easy access to users’ unencrypted communications, apparently provided by Skype’s Chinese partner — unbeknownst to Skype, the company claims — and that it routinely monitored messages sent by and to dissidents, who were using the service in the first place because it promised security and privacy.

There is a widespread misperception, says Deibert, that the cyber realm is something we enter and exit when we choose, that it’s somehow immaterial, and that it can’t easily be controlled. “All three assumptions need to be seriously questioned,” he says. Anytime you’re connected to the Internet — and most companies and individuals are connected continuously — computers are vulnerable to some extent, however well protected. And anytime you’re active on the Internet, data passes from your computer through several physical switching points that are outside your control, and for the most part, outside your ken. “And at every step along the way,” Deibert points out, “there are opportunities for governments and private companies to intercept or block traffic.”

This has implications in particular for cloud computing, the increasingly popular notion of using applications that reside on a remote server on the Internet rather than on a local server or personal computer, and storing associated data on remote servers as well. Cloud applications for business include online backup (sometimes free) and collaboration services with file sharing, wikis, blogs, and social networking features. They offer significant convenience and in some cases cost savings. But are they inherently insecure? “So much of what we do is mediated by private companies,” Deibert notes. “Who are these companies that control different segments of the cloud?”

And where, physically, is data associated with cloud applications stored? To what extent do the private companies involved collude, willingly or otherwise, with government  —  or might they if push came to shove? It’s clear from the Skype case that service provider claims of privacy and security cannot be taken at face value.

Deibert stops short of saying nobody should use cloud computing services. He adds, however, “I would recommend great caution to anyone, but especially to law firms.” 

Gerry Blackwell is a London, Ont.-based freelance writer. He can be reached at