The malware surrenders control of the infected to computer to a remote user.

Journalists receive emails alleging to be from the economic editor who is planning a trip to China. Attached is a PDF file that contains a relatively accurate list of local contacts. When the PDF is opened, malware installs itself on the user’s computer.

The malware has been traced to servers in Taiwan and the researchers have notified the proper authorities. The researchers, based at the Munk Centre for International Studies at the University of Toronto, recently discovered the systematic attacks and believe them to be linked to the upcoming 60th anniversary of the founding of communist China. In the build up to the celebrations, the Chinese government has undertaken additional security precautions and researchers believe this may be part of that effort.

Some of the suggestions include weighing a computer brought on business trips to China before and after to determine if any new electronics were installed on the computer. Other suggestions include buying new equipment such as laptops and cellphones once there and then discarding them upon leaving China.

The Chinese were recently implicated in the GhostNet investigations. A number of ethnic Chinese have also been convicted of spying on defense companies in recent years in an effort to steal advanced technology.

University of Toronto Professor and director of the GhostNet project, Ron Deibert, spoke with The New New Internet regarding U.S. cybersecurity and the increased militarization of cyberspace. Deibert believes the future of cyberspace rests in building a global and open Internet. He fears the consequences of weaponization in cyberspace supported by current world leaders.

TheNewNewInternet: Could you briefly describe your background and specifically your role in the GhostNet project?

Ron Deibert: I am the director of the Citizen Lab at the Munk Center of International Studies at the University of Toronto. The Citizen Lab’s Information Warfare Monitor, a collaborative project with the SecDev Group, tracks the exercise of power in cyberspace. The InfoWar Monitor was the project behind the Tracking GhostNet report. As one of the founders and principle investigators with that project, I helped manage and direct the Tracking GhostNet study and of course, contributed to the analysis and final report

TNNI: What did you think of President Obama’s 60-day review and his overall stance on cybersecurity?

Deibert: The speeches and proposals were of such a general nature that you are forced to read tea leaves to understand where emphasis is going to be placed. The United States coming forth so strongly in favor of developing operational doctrines for fighting and winning wars in cyberspace concerns me. I see an arms race in cyber space occurring and feel that more emphasis should be placed on creating norms of mutual restraint. I was a bit disappointed that the administration and President Obama didn’t take this opportunity to seize the high ground and come forth with a proposal with something like an open Internet initiative, making the case that the Internet is a global commons that should be protected and preserved, rather than see the Internet as a domain within which countries should compete against each other and militarize and weaponize.

TNNI: We’ve heard a lot of talk about comparing the cyber age to the U.S. Monroe Doctrine and the Space Race of the ‘60s. Do you have any comments on that?

Deibert: Comparisons and analogies are very instructive because cyberspace has now become a domain equal in importance to the other domains: land, air, space and sea. Like those other domains, cyberspace is going through a period of intense militarization and weaponization. If we want to protect the Internet as a public commons, we need to restrain what governments and militaries can do in this environment. Some believe that arms control in cyberspace is unrealistic because of its unique characteristics. But I believe a potential arms control agreement in cyberspace is no more challenging than in any of the other domains. If you think about outer space, for example, very similar challenges have arisen in the past. There has been some limited progress on the Outer Space treaty, but there are challenges around continued militarization and weaponization, and verification issues related to the unique characteristics of the environment of near Earth orbital space. We need to reflect on those challenges when deliberating on arms control in cyberspace.

TNNI: Is there a need for a global cyber organization?

Deibert: Following upon our GhostNet investigations, many of the affected countries have still not been notified of the problems that they faced with GhostNet because we have not been able to find a competent agency or organization who is willing to undertake the notification process. It has been sitting with Public Safety Canada, who apparently do not know what to do with it. With GhostNet, we discovered an international crime-taking place for which there is no international law, and no international organization capable of dealing with the notification process to affected parties.

TNNI: What do you think we should learn from your GhostNet findings and also the recent July 4 attack on the United States and South Korea?

Deibert: In the case of GhostNet a lot of circumstantial evidence pointed toward China, but you could paint several other explanations as to who was behind it, including it being another government altogether staging the network somewhere in China to make it appear that it was China. Likewise, with the attacks that are going on now in South Korea and that have hit the United States servers, people immediately assumed it was North Korea, but the more you dig, the more you realize that it could be any number of people, organizations or governments. When establishing some kind of cyberspace arms control agreement in the future, this question of attribution will be essential to verification, and I believe it is one of the major challenges of cyber security investigations.

TNNI: How should we solve this problem, specifically in the private sector?

Deibert: First and foremost, we need to understand that most of what we call cyberspace is owned and operated by private sector, making questions around which agencies should be in charge of cybersecurity exceptionally important. For example, should the National Security Agency, a very secretive organization, be asked to secure a domain that is primarily owned and operated by the private sector, many of whom are located in foreign jurisdictions? There is an obvious and unavoidable relationship with the private sector in cyberspace security that presents vexing domestic and international public policy issues.

TNNI: Where do you see the future of cybersecurity headed?

Deibert: Cyberspace is entering a period of intense geopolitical competition and potential instability. For example, virtually every election in the developing world, especially in countries that are non-democratic, include some kind of denied access to social networking platforms like Twitter and Facebook because of the ways in which these tools facilitate mass mobilization. All of the great powers, including the United States, Russia, China, United Kingdom and even Canada, are exploring or announcing plans for operational doctrines to fight and win wars in cyberspace. Given the properties of cyberspace, attacks can be launched from anywhere, they can anonymized, and even individuals can participate in the cyclones of cyberspace that erupt from denial of service attacks. The original hope of cyberspace was to allow citizens from one side of the planet to communicate with citizens on the other side of the planet in an unfettered, open and transparent way; a global commons. We still have that possibility now, but it is rapidly being eroded and degraded. We need to wake up to this fact and begin to think about ways to protect and preserve cyberspace as a global public commons in the same way we think about protect and preserving the natural environment.

Finjan announced its discovery of a 1.9 million-computer-strong botnet in April, one of the largest botnets discovered to date, and one of the largest controlled by a single criminal enterprise.  Infected computers are bought and sold like commodities in hacker forums worldwide, and this one was traced back to Russia.  Thousands of these botnets operate throughout the world, and, apart from brute force hacker attacks, they can be used for identity theft and a host of other illegal purposes, and some experts aren’t convinced the July 4th attacks came from North Korea, or were politically motivated at all.

Core Security Technologies’ Tom Kellermann commented on the economic motivation for cyber attacks, “There’s a trillion dollars in economic losses sustained due to hacking every year, not just financial data theft but also industrial espionage.”  Mandiant executive Mike Malin said that in his experience, state-sponsored attacks are usually “under the radar,” and James Lewis, a fellow at the Center for Strategic and International Studies (CSIS) offered, “If you were going to launch a sophisticated attack, you wouldn’t warn people with this kind of attack. This woke up all the network defenders and you lose the element of surprise.”

South Korean intelligence is also unsure that North Korea was behind the attacks.  In a statement, the Korean National Intelligence Service (NIS) said it was examining ”various pieces of evidence” pointing to North Korea’s responsibility for the attacks. “The NIS… has yet to reach a final conclusion that the acts have been committed by North Korea,” the statement said.  But if not North Korea, who is behind the cyber attacks, and why did they choose such conspicuous timing and such a high-visibility type of attack?

Rep. Delahunt, Rep. Rohrbacher, and Activist Rabiya Kadeer

One possible culprit: China.  Recent ethnic conflict in Xinjiang province, or East Turkestan as the Turkic Muslim minority Uighurs refer to it, has provoked bipartisan criticism from Captiol Hill, with both William Delahunt (D-MA) and Dana Rohrbacher (R-CA) calling for a resolution to condemn China’s harsh reprisals against Uighur demonstrators.  The official Chinese figures put the Uighur death toll at 156 and total casualties at over 1,000, but Uighur activist Rebiya Kadeer believes the real number of dead and wounded in the ongoing conflict is much larger.

Were the 4th of July attacks a hard elbow from China on the cyber court, warning the US government to back down from its support of Uighur Muslims in the wake of the release of 17 Uighurs from Guantanamo Bay and ethnic unrest in western China?  It’s difficult to call cyber fouls because it is difficult to distinguish between an officially-sanctioned and rogue criminal attacks, and since China and Russia refuse to abide by the 2004 Council of Europe Convention on Cyber Crime, which would criminalize cyberattacks, murky international cyber jurisdictions make these kind of attacks difficult to investigate.

But is it coincidence that “rogue” Chinese hacker groups like GhostNet align themselves with Beijing’s priorities and share information with Chinese Intelligence? Founder of the Technolytics think-tank Kevin Coleman had this to say about the widespread power outages in California in 2001: “There’s an interesting report that came out of the European Union, did you know in 2001 when we had those issues out in California with the power grid the report states it was basically China attacking it? Just more reasons for concern about China!”