Prof. takes questions on cybercrime and the Net

April 1 was to be the day that a destructive Web virus, dubbed Conficker, unleashed its full power upon unsuspecting Net denizens. While the day passed with no sign of calamity, worry about the virus, coupled with recent revelations of the threat of cyberespionage, have stoked fears about the impact of cybercrime. University of Toronto professor Ron Deibert is part of a crack team of Canadian researchers who
revealed this weekend a network, dubbed GhostNet, of more than 1,200 infected computers worldwide that includes such "high-value targets" as Indonesia's Ministry of Foreign Affairs and the Indian Embassy in Kuwait, as well as a dozen computers in Canada.

Who is behind GhostNet? Along with Rafal Rohozinski, Prof. Deibert wrote in the Globe and Mail: "The most obvious explanation, and certainly the one in which the circumstantial evidence tilts the strongest, would be that this set of high-profile targets has been exploited by the Chinese state for military and strategic-intelligence purposes. Indeed, many of the high-confidence targets we identified are clearly linked to Chinese foreign and defence policy, particularly in South and South East Asia."

China, for their part, dismissed the report as lies intended to stoke anxiety over Beijing's growing influence in world affairs.

Nevertheless, following the publication of the GhostNet research, Public Safety Minister Peter Van Loan warned Monday that cyberwarfare will be a "growing threat" for the foreseeable future, as he urged Canadian corporations to start patching potential holes in their networks.

How immediate is the threat posed to governments by cyberespionage? With so many digital worms creeping over the Web, what is the best way to respond to viruses like Conficker? How real in these cases is the threat to our own personal privacy? Prof. Deibert is joining us live to help separate the facts from the hype. Feel free to submit your questions using our comment tool or via Twitter @GlobeTechnology.

Editor's Note: globeandmail.com editors will read and allow or reject each question/comment. Comments/questions may be edited for length or clarity. HTML is not allowed. We will not publish questions/comments that include personal attacks on participants in these discussions, that make false or unsubstantiated allegations, that purport to quote people or reports where the purported quote or fact cannot be easily verified, or questions/comments that include vulgar language or libellous statements. Preference will be given to readers who submit questions/comments using their full name and home town, rather than a pseudonym.

Matt Frehner, globeandmail.com: Thanks a lot for joining us today, Professor Deibert. Following warnings from Public Safety Minister Peter Van Loan concerning the "growing threat" of cyberwarfare, what should policymakers be doing to try to limit the reach and frequency of cyberspy and other botnet systems? What do you see as Canada's role in this?

Ron Deibert writes: The question of what should be done at a policy level is an important one to me personally, and to us at the Information Warfare Monitor. For many years (and at least as far back as a 2003 comment piece I wrote in the Globe and Mail) I have been warning of increasing militarization of cyberspace and that we need to begin thinking about arms control in cyberspace. Part of the solution is to focus on securing critical infrastructures, and to create incentives for manufacturers of computer and software equipment to take security seriously. But that is only part of the solution. Arms control in cyberspace is going to be very challenging, in part because the "actors" involved include more than just states, and involve criminal organizations and even individuals. How do you get all of those actors involved in any possible arms control agreement? Another vexing problem is the one of attribution. Although the GhostNet study lays out quite powerful circumstantial evidence against China, we also lay out alternative explanations. Indeed, one of the defining features of cyberspace is the ease by which the perpetrators of these sorts of attacks can mask their identity and real location.

I see a great potential for Canada in this area. Long ago, we were widely known for taking a lead in pushing for arms control as part of a broader "human security" agenda, both in terms of arms control negotiations and verification. There was a small, but very influential area of expertise within the Department of Foreign Affairs on arms control verification, called the Verification Research Unit. That unit no longer exists, and our interest in promoting arms control and human security has diminished somewhat in recent years. In the area of cyberspace, I think it's natural for Canada to lead, both because of our past experience but also because of our historical experiences with telecommunications. We are a large land mass, and have depended on telecommunications, and we have a long and distinguished intellectual history around the study of telecommunications, beginning with Harold Innis and Marshall McLuhan.

Matt Frehner, globeandmail.com: With so many digital worms creeping over the Web, and the release of reports such as yours, how can the average computer user separate the hype surrounding viruses like Conficker from legitimate threats?

Ron Deibert writes: This is an excellent question and is at the heart of one of the aims of the Information Warfare Monitor -- to separate hype from reality. We are an evidence based organization, and that is why we were very careful to avoid speculation and hyperbole, and also to be cautious about making attribution. Some other organizations out there have been quick to identify China as the culprit, and the evidence does seem powerful, but it is not conclusive and there are alternative explanations. The answer is a combination of field investigations, technical scouting, and data analysis. This is a new field of inquiry we are helping to pioneer and I believe it is going to become more important as we move forward in dealing with the challenges of controlling arms races in cyberspace.

Roman Spears from St. Catharines Canada writes: With identity theft and hijack programs being threats to the average home user, what recommendations can you make to help us all be more secure online? Who is making the detection programs that can find this malicious code and rid the internet of it?

Ron Deibert writes: For the average Internet user, the GhostNet report -- and others like it -- has undoubtedly caused concerns, and we have been blitzed with many emails from individuals, activists, and NGOs, asking if they are infected, whether we can help, and what we might recommend for security online. We are not a service organization, but a research and development laboratory, so there is a limit to what we can do. There are many organizations out there whose job it is to provide information security, particular for consumers. But one of the remarkable aspects of our investigation was that the main tool used by the attackers was only identified by 11 of the 34 virus scanners we employed. That is a big problem. Many of the machines that were infected by GhostNet were using Windows, and of course most of the viruses out there disproportionately affect Windows operating systems. Switching to an open source operating system, like Linux, is now highly recommended for government ministries for this reason alone.

For NGOs and activists, there are many information security resources and training organizations out there that I would recommend, including Tactical Tech and Frontline Defenders and the Electronic Frontier Foundation, among others.

Albin Forone from Canada writes: I trust and use the Canada Revenue Agency site more or less as confidently as I use my bank and brokerage sites, and I'd be inclined to assume government sites with national security data at stake are pretty secure. So given that there are nefarious government or terror groups with internet crowbars, how much concern do you have about the quality of the government site and communications internet security measures.

Ron Deibert writes: We place a great deal of trust in our governments' communications systems when we communicate sensitive information to them, and hope that they take the issues of information security seriously. What GhostNet reveals, though, is that a large swath of high impact political and economic targets can indeed be compromised, including ministries of foreign affairs, embassies, and international organizations. Many of these organizations were compromised for many months, without their knowledge, and the attackers had potential access to all sorts of sensitive documents, and even had the ability to eavesdrop on classified meetings through the activation of web cameras and listening devices. Although most governments have invested heavily in secure methods of communication, many have not. This is particularly the case in the developing world where information security is often a distant priority next to other goals, such as the elimination of poverty or even simply access to information.

As citizens, we should be diligent to ensure that our government in Canada is doing the best possible job to secure our critical infrastructures, particularly when it comes to sending and receiving our own private confidential information, and that they are handling the latter with the utmost care. We should do the same with respect to the companies that provide us with our connectivity. We live in a world deeply permeated by digital technologies, much of which is serviced by private third parties and hosted on servers beyond our immediate control. We put a lot of trust in those organizations when we communicate with and through them.

O.A. from Toronto writes: To what extent would restrictions designed to limit such malicious networks also have the overlapping effect of censoring or limiting everyone else's freedom on the Internet?

Ron Deibert writes: This is an excellent question, and one that is vexing me personally. I worry that some of the conclusions that may be drawn from the GhostNet report and others like it will end up leading to pressures to over-regulate of the Internet. For example, the difficulties around identifying the perpetrators of attacks like GhostNet may lead some to propose the elimination of anonymous communications. However, the ability to surf the Internet and communicate anonymously is often very important, especially in the cases of whisteblowers and human rights advocates, and it is intimately linked with the right to privacy. Recently, there were discussions being held at the highest levels, and including the national security organs of both China and the United States, for some kind of IP (Internet Protocol) trace-back system in which owners of machines connected to the Internet could be positively identified. Although I believe the proposal is ultimately unworkable and undesirable, the fact that both China and the United States were on the same side of this question is worrisome.

Ultimately, I worry that in order to deal with some of these emerging problems in cyberspace, regulations will be made that will ruin the Internet and turn it into something else altogether. We must avoid that while finding ways to deal with cyber-espionage, denial of service attacks, and the growing spread of viruses, trojan horses, and worms.

M.L. from Canada writes: In terms of stemming the infiltration of cyberspys, Are there steps individual users can take, or is the problem of cyberespionage largely one that governments need to combat?

Ron Deibert writes: Actually, I'd like to begin my answer by turning that question on its head (if you do not mind). One of the characteristics of cyberspace is that the capabilities to engage in the attacks described in GhostNet are now readily available on the Internet. The main tool that was used in the GhostNet attack was a trojan horse software program
called Ghost Rat that is widely available for free download on the Internet. It was written by Chinese programmers, and has since been translated into English. It has a very nice graphical user interface (GUI) and is very simple to operate. The same sort of tools and malware kits for virus and worm production are also easily obtained. One no longer need an NSA-size organization and budget to engage in sophisticated cyberespionage. The Internet has democratized many things, including apparently signals intelligence. The same goes for denial of service attacks and computer network operations.

I do believe that this is going to be one of the most vexing problems of controlling the militarization of cyberspace: getting agreement among ~200 states is one thing, but how do you get the agreement of individuals?

Governments and individuals both have a role to play. All of us need to understand that cyberspace is a precious commons, one that we will need in order to solve the many shared global problems that present themselves today. We need a shared communications medium through citizens around the world can communicate freely and safely. Right now, that medium is in the process of being degraded by Internet content filtering, censorship, surveillance, computer network attacks, privacy violations, and bandwidth throttling.

In terms of solutions, I think we need to begin locally here in Canada, and start pushing for laws that, for example, enshrine network neutrality, protect privacy, create free zones of access to the Internet for all people (especially in rural areas) and protect access to information and freedom of speech. From there, we need to encourage other jurisdictions to follow suit and hope a global regime of cyberspace protection ultimately emerges. Right now, regrettably, the opposite is the case.

Matt Frehner, globeandmail.com: That's all the time we have today. I'd like to finish off with one final question: Looking forward, can you tell us a little bit about how you see these threats developing in the next 5 or so years? What kind of a role to you see cyberwarfare playing in future conflicts between states?

Ron Deibert writes: In recent years, there has been a dramatic increase in incidences of cyberwarfare, in conflicts that include Russia, Georgia, Estonia, China, Tibet, Burma, Israel, and others. Many states and non-state actors are investing heavily in cyber warfare capabilities, including the United States and China. Military doctrines now speak openly about fighting and winning wars in cyberspace and recognize the strategic importance of the information domain. At the same time, the number of states actively intervening to block access to information and services online is growing. Another research project I am involved in, the OpenNet Initiative, tracks Internet censorship and right now we are finishing up tests in 71 countries. I expect the number of instances we find of states blocking access to information will number in the dozens. That includes governments blocking access to the websites of political opposition groups and news organizations.

Alongside of all of this, the ease by which personal information can be harvested, fused, and analyzed from the digital traces we leave is growing. Surveillance is now widespread and facilitated by the private entities that service our communications, including Internet Service Providers and other communications companies.

Essentially, cyberspace is being carved up and militarized at the same time that it is being heavily monitored.

Together, these trends point to an ominous development and a troubling brew. I do believe that thinking about protecting the Internet as a forum for free expression, privacy, and access to information is one of the major issues of the next few decades.

Thanks for all of the questions!


http://license.icopyright.net/user/viewContent.act?clipid=256919400&mode=cnc&tag=3.7441%3Ficx_id%3D%2FRTGAM.20090401.wgtdiscussion0401%2FBNStory%2FTechnology%2F