I have posted before about the Tibetan attacks, because they offer good insights into this issue in general. But it’s not just the Tibetan activists and other outspoken critics of the Chinese regime that are targeted by this “GhostNet”. I work on Taiwan/China issues in Washington, D.C. Pretty much everyone in that community – be it academics, think tankers, NGO employees, and government officials – are consistently targeted by the kind of “social malware” attacks that are detailed in the two reports. These attacks are very sophisticated, making them really hard to spot, and they show intimate knowledge of what’s going on in the community. Let me give you two recent examples:
On March 26, the Pentagon released their annual report on the Chinese military. On March 27, I received an email ostensibly from one of the people responsible for Taiwan issues at the Pentagon. The email basically said “Hey, here is the expanded version of the report from yesterday, with some additional commentary on Taiwan. I thought you would find it useful”. Attached was a PDF named “China_Military_Power_Report_2009.pdf”, exactly like the official document released by the Pentagon. I work on Taiwan defense issues, so this would be very interesting to me were it real. However, I correspond with this person on a regular basis, and he usually signs his emails to me with his nickname. This email didn’t, which made me suspicious. A Virustotal scan confirmed that the attachment contained malicious software (only detected by 4/38 products, though) and a quick phone call confirmed that the person hadn’t sent an email like that.
In another recent attack, it was the name of the head of my organization that was used to try to trick recipients into opening malicious attachments. He had just returned from a visit to Taiwan, a trip that had been reported on in the Taiwan press. About a week after returning, he received an inquiry from a prominent researcher at a D.C. think tank, asking if he had sent the researcher an email with a trip report from his visit. He had not in fact sent such an email, although it wouldn’t have been unusual for him to do so. I spoke to the IT manager at the think tank, who confirmed that the researcher was indeed tricked into opening the attachment, and that it did contain malware.
And this was just in the last three weeks. I could go on for pages describing various things we have seen over the past two/three years (two more here), but you get the gist. For small NGOs like mine, protecting against infiltration, monitoring our systems for intrusions, and educating our staff to recognize potential hazards has become a huge drain on our already limited resources. The frustrating thing is that there is pretty much nothing we can do about it, except to remain diligent. But at least I’m glad that the issue is continuing to get coverage in the mainstream press.
The actors that represent the majority of users today, stakeholders from the South, the developing world, and the non-English segments of the net, will do more to shape the future of cyberspace than any discussions at the Pentagon or in policy circles in North America and Europe. To understand how and in what ways cyberspace will be characterized in years to come we need to think beyond the beltway, beyond Silicon Valley, and into the streets of Shanghai, Nairobi, and Tehran. The contests occurring in those spaces deserve our attention today, if for no other reason than that they provide a glimpse of the types of global issues that will drive cyberspace governance in the future.
Steve Stecklow, for Reuters, has an special report discussing how Chinese vendor ZTE was able to resell American network infrastructure and surveillance products to the Iranian government. The equipment sold is significant;
Mahmoud Tadjallimehr, a former telecommunications project manager in Iran who has worked for major European and Chinese equipment makers, said the ZTE system supplied to TCI was “country-wide” and was “far more capable of monitoring citizens than I have ever seen in other equipment” sold by other companies to Iran. He said its capabilities included being able “to locate users, intercept their voice, text messaging … emails, chat conversations or web access.”
The ZTE-TCI documents also disclose a backdoor way Iran apparently obtains U.S. technology despite a longtime American ban on non-humanitarian sales to Iran – by purchasing them through a Chinese company.
ZTE’s 907-page “Packing List,” dated July 24, 2011, includes hardware and software products from some of America’s best-known tech companies, including Microsoft Corp, Hewlett-Packard Co, Oracle Corp, Cisco Systems Inc, Dell Inc, Juniper Networks Inc and Symantec Corp.
ZTE has partnerships with some of the U.S. firms. In interviews, all of the companies said they had no knowledge of the TCI deal. Several – including HP, Dell, Cisco and Juniper – said in statements they were launching internal investigations after learning about the contract from Reuters.
The sale of Western networking and surveillance equipment/software to the Iranian government isn’t new. In the past, corporate agents for major networking firms explained to me the means by which Iran is successfully importing the equipment; while firms cannot positively know that this is going on, it’s typically because of an intentional willingness to ignore what they strongly suspect is happening. Regardless, the actual sale of this specific equipment – while significant – isn’t the story that Western citizens can do a lot to change at this point.
Really, we should be asking: do we, as citizens of Western nations, believe that manufacturing of these kinds of equipment is permissible? While some degree of surveillance capacity is arguably needed for lawful purposes within a democracy it is theoretically possible to design devices such that they have limited intercept and analysis capability out of the box. In essence, we could demand that certain degrees of friction are baked into the surveillance equipment that is developed, and actively work to prevent companies from producing highly scaleable and multifunctional surveillance equipment and software. Going forward, this could prevent the next sale of significant surveillance equipment to Iran on grounds that the West simply doesn’t have any for (legal) sale.
In the case of government surveillance inefficiency and lack of scaleability are advantageous insofar as they hinder governmental surveillance capabilities. Limited equipment would add time and resources to surveillance-driven operations, and thus demand a greater general intent to conduct surveillance than when authorities have access to easy-to-use, advanced and scalable, surveillance systems.
Legal frameworks are insufficient to protect citizens’ rights and privacy, as has been demonstrated time and time again by governmental extensions or exploitations of legal frameworks. We need a normatively informed limitation of surveillance equipment that is included in the equipment at the vendor-level. Anything less will only legitimize, rather than truly work towards stopping, the spread of surveillance equipment that is used to monitor citizens across the globe.