Cybersecurity and Cyberwar (19 page)

Authors: Peter W. Singer, Allan Friedman

The battle over Internet freedom is not simply a matter of access (such as whether Chinese or Iranian citizens should have access to online news reports). It has evolved to be more pointed and relevant to cybersecurity issues, as the Internet has become viewed as a means to change regimes themselves.

A number of nations, including the United States and the UK, as well as advocacy groups, have reached out to dissident groups operating under repressive regimes in ways that complicate cybersecurity. This effort has gone beyond traditional diplomacy, providing not just cyber training for the groups, but also the development and distribution of new technologies, like Tor, that aid users in evading government surveillance and censorship. It seems simple enough, but the problems are manifold. Because these technologies enable behavior on the Internet outside the control or observation of the local government, regimes have often seen them and those behind them as a security threat. For instance, in China, the government views its censorship not as a violation of human rights but as a tool for stability. Thus, these technologies have been categorized by China and its allies in international forums as tools of cyberattacks.

Freedom of speech is not only viewed differently among authoritarian and democratic states, but also across cultural and historic lines. In Thailand, it is illegal to defame the monarch; in Britain, it's a popular hobby. Controversial laws limit behavior online in the West, too. France successfully sued Yahoo! to ban the sale of Nazi memorabilia, something legal in the United States. Indeed, at the very moment the US State Department was pushing an online freedom agenda, other parts of the Obama administration and the US Congress were considering the Stop Online Piracy Act, which would have forced American ISPs to prevent access to foreign websites that illegally offer copyrighted material. An online protest movement, including a blackout of Wikipedia, forced the administration and Congress to back down.

The conflict between rights and security is not just a matter of political expression but also tests how issues of cybersecurity might be resolved. The debate about Internet governance has spilled into the security space. Those opposing American dominance in the multistakeholder process of setting Internet standards (discussed in Part I) point to the revelations of NSA surveillance and the buildup of Pentagon cyberwar capabilities as evidence for why a shift is needed. Defenders of the ICANN model, in turn, observe that many of those nations pushing for more government control just happen to be the most active at restricting speech within their own countries.

Ultimately, these questions turn on basic political questions of who should and who does have the power to decide whether something is a security risk or a human right. It is a matter that has vexed everyone from ancient Greek philosophers to the Founding Fathers, and it continues with us today.

Focus: What Is Tor and Why Does Peeling Back the Onion Matter?

It has received financial backing from the US Department of Defense as part of a Naval Research Lab program to keep digital secrets secret, but in turn, Edward Snowden revealed that any use of it is grounds for surveillance by the NSA. It has been described by The Economist as a “dark corner of the Internet,” while it also won the 2010 Award for Projects of Social Benefit for enabling “36 million people around the world to experience freedom of access and expression on the Internet.” Tor is one complex character.

Suppose you want to communicate with another computer user and not have anyone know. You could use encryption, but that would only prevent any eavesdropper from knowing what you were saying. Sometimes it's also important to keep private who you are communicating with. This type of privacy is important for a wide variety of online players: intelligence agencies communicating with undercover sources, companies exploring the competition's public website without their IP address showing up in the server logs, and especially for political activists inside authoritarian states, who don't want their governments to identify other dissidents whom they're working with.

A simple approach is a single-hop proxy, where you send your traffic to a computer that then passes it along to the final destination. This can be effective against an adversary watching an endpoint, but now you have to trust the intermediary. Who controls it? Do they keep records? What legal jurisdiction do they operate under?

Many users are rightly hesitant to use anonymity infrastructure that they do not control. However, on an open network such as the Internet, running one's own system won't work. A system that carries traffic for only one organization will not hide the traffic entering and leaving that organization. Nodes must carry traffic from others to provide cover.

The solution is a system called Tor, short for “The Onion Router.” Tor is an “overlay network” that provides online protection against surveillance and traffic analysis. An overlay network sits on top of the Internet but provides its own virtual structure of nodes and links. The network is formed by volunteers who offer their machines as nodes. Internet traffic is broken up into chunks, much like the underlying Internet packets, and encrypted to provide confidentiality. Communication then takes a multiple-hop path through the network, forcing any surveillance regime to watch every node in the network if they want to trace communication between the endpoints. Communication between each hop is separately encrypted so that an eavesdropper cannot learn as much from watching any single node. In short, Tor uses a network of intermediates to disguise both the source and endpoint of a conversation.
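The layering described above, as an added sketch that is not from the book or from the Tor Project: the sender wraps a message once per relay, and each relay can strip only its own layer, learning the next hop and nothing else. The relay names, destination, pre-agreed keys and the hash-based toy cipher are assumptions made for illustration; real Tor negotiates a key with each relay and uses fixed-size cells and standard ciphers.

```python
# Added illustration: toy onion layering, NOT Tor's real cell format or ciphers.
import hashlib
import json
import os


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); the same call decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(path, destination, message):
    """Sender: add one layer per relay, innermost (exit) layer first."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    payload = message
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": payload}).encode()
        payload = xor_layer(key, layer).hex()
    return bytes.fromhex(payload)


def peel(key, blob):
    """Relay: remove its own layer; learn only the next hop and an inner blob."""
    layer = json.loads(xor_layer(key, blob))
    return layer["next"], layer["data"]


def route(path, blob):
    """Walk the path; record what each relay learns about where traffic goes."""
    seen = []
    for i, (name, key) in enumerate(path):
        nxt, data = peel(key, blob)
        seen.append((name, nxt))
        if i < len(path) - 1:
            blob = bytes.fromhex(data)  # still encrypted for the next relay
    return seen, data  # data from the exit relay is the original message


if __name__ == "__main__":
    # Constructed relay names and random per-relay keys (assumed pre-agreed).
    path = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
    seen, message = route(path, wrap(path, "example.org:443", "meet at noon"))
    print(seen, message)
```

Only the entry relay sees who sent the traffic and only the exit relay sees the destination, which is why an observer has to watch more than one node to link the two.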

While it offers complex protection, Tor engineers have worked hard to make the network easy to use. You can download a whole web browser with Tor built in. Individuals with access can then e-mail, surf the Web, and share content online without anyone knowing who or where they are.

The positive social side of Tor is that it provides anonymity that supports free expression on the Internet by circumventing censorship. Tor originated in 2004 but rose to greater prominence a few years later during the 2009 “Green Revolution” protests in Iran and the 2011 “Arab Spring” as a means for dissident movements to collaborate but remain hidden in plain view.

Yet that same advantage also means that it provides anonymity for criminals seeking to avoid law enforcement's online surveillance. Tor has been used in cases involving child pornography (an FBI agent told us about one forum where anonymous users exchanged information on the best way to drug children), bank fraud, malware distribution, and an online anonymous black market called “Silk Road,” where Internet users buy and sell controlled substances, guns, and narcotics.

The result has been a mixed attitude toward the technology and its uses. Despite the fact that it originally funded Tor, parts of the US military have described it as a threat, not least because of its use in several whistleblower cases like WikiLeaks. Meanwhile, because it has proved to be a thorn in the side of authoritarian governments, the US Congress and State Department have been supportive, describing it as an enabler of online freedom.

Tor's future rests on how this battle over Internet freedom is resolved, not just on the policy side but also technologically. Increasingly, regimes like China are employing new Internet censorship technology to fight a cat-and-mouse game with Tor developers. As the censors seek to find ways to block access to the network, Tor tries to circumvent each new technique. For instance, one innovative effort to keep Tor open for users behind the “Great Firewall of China” piggybacks Tor traffic inside a Skype video conference connection. This technique is innovative not only because it successfully hides Tor traffic within another protocol, but also because if the Chinese authorities were to shut it down, they would be forced to shut down all Skype traffic in the country, an impossible task given Skype's importance to multinational firms communicating with branch offices. Censorship then comes with a real monetary cost.

Tor illustrates the tension that can emerge between cyber freedom and security. The onion router has given extra layers of security to those who want to stay secret online, but secrecy can be scary to the established order.

Who Are Patriotic Hackers?

When Estonia's websites were attacked in the “Estonian Cyberwar” of 2007, Urmas Paet, the tiny nation's foreign minister, was quick to point his finger at neighboring Russia. He angrily accused the Kremlin of trying to paralyze his nation's economy and government through a massive denial-of-service attack. “Russia is attacking Estonia. … The attacks are virtual, psychological and real.” But the Russian parliamentary leader Sergei Markov suggested the accusers look elsewhere than the Russian government: “About the cyberattack on Estonia … Don't worry, that attack was carried out by my assistant.”

It sounds odd, but Markov's version of the story actually has an element of truth in it. Far from denying his role in what many thought of as an illegal action, Markov's young assistant openly acknowledged it. He was a leader in Nashi (“Ours”), a movement of some 120,000 Russians between the ages of seventeen and twenty-five. While not officially part of the Russian government, the group was organized by pro-Putin regime supporters to take on “anti-Fatherland” forces. Modeled in some ways after the Young Soviet Komsomol, its activities ranged from running summer camps to beating up antiregime protesters in street rallies. It also engaged in cyber activities against what it saw as the twin perils of “Nazism and liberalism.” In this case, Estonia had moved the Bronze Soldier of Tallinn, a Russian grave marker from World War II. It was an act that Russian nationalists like members of Nashi believed deserved retribution, including by cyber means.

What Nashi was involved in is often called “patriotic hacking,” an action that involves citizens or groups within a state joining together to carry out cyberattacks on perceived enemies of that country.

While those executing the attacks are private citizens and groups, one of the hallmarks of patriotic hacking is the subtle role that a government often plays in orchestrating the action to make it effective. One lone Russian youth trying to carry out a denial-of-service attack would meet with little success. But in the Estonian case, tools and instruction kits detailing how to carry out the DDoS attack were posted in Russian forums, mobilizing vast numbers of individual hackers to give it a state-sized scale. In an even better example, cyberattacks against Georgia only a year later during the Russian-Georgia War were not only timed to coincide with Russian military operations but even utilized, in the words of one study, “vetted target lists of Georgian government websites,” thought to be provided by Russian intelligence.

The advantage of using patriotic hackers is that a government can utilize the synchronization and large-scale effort it wants without being officially involved, giving it just enough cover to claim plausible deniability. Without cross-border police cooperation (which the Russians refused to provide, another hallmark of the phenomenon), it was impossible to determine exactly who was behind all the computer accounts involved in the Estonia attacks (besides parliamentary leaders ratting out their assistants). Thus, in an ironic twist, governments that orchestrate such attacks can act aggrieved whenever accused of involvement. Ultimately, while attacks against Russia's foes occurred in cyberspace and a parliamentary leader spoke of his office's own role in it, a Russian ambassador could retort, “If you are implying [the attacks] came from Russia or the Russian government, it's a serious allegation that has to be substantiated. Cyber-space is everywhere.”

Patriotic hackers, though, aren't limited to youth groups. An interesting nexus actually exists with criminal organizations. They usually operate for their own profit motives but can also be mobilized by a state for political purposes. Many of the very same tools, platforms, and tactics used in the 2008 Georgia attacks, for instance, were also utilized by the Russian Business Network, one of the larger cybercriminal organizations. This leads many to believe that agreements have occasionally been struck in the patriotic hacker world. Criminal groups are given some freedom to operate in exchange for demonstrating their patriotism when governments ask for aid. Think of it as the cyber equivalent of the deal struck between the FBI and Mafia during World War II, when the Feds agreed to lay off their investigations in exchange for the mobsters watching the docks for Nazi spies and aiding military intelligence operations in Italy. Similarly, Russia was fairly active in cracking down on cybercrime rings before the cyberattacks of the late 2000s, but it has been far more lax in its law enforcement since. Indeed, it's notable that while nearly any publication that the Russian government considers objectionable has been prosecuted and harassed into prohibition in recent years, the hacker magazine Xaker: Computer Hooligan remains in broad circulation.

Sometimes, these activities are more explicitly condoned. In 2011, a hacker collective calling itself the Syrian Electronic Army defaced or disabled news websites that were critical of the Syrian regime's behavior in the widening civil war. Syrian president Assad praised these activities, calling the group “an electronic army which has been a real army in virtual reality.” This led to “patriotic hacker” versus “hacktivist” drama as Anonymous entered the fray against the Syrian regime, and the SEA retaliated by targeting Anonymous-affiliated sites.

Another advantage is that patriotic hackers allow governments to tap into expertise and resources that lie beyond the state. Some governments even appear to be working in concert with patriotic hacker groups in order to scout new talent and create a “B-team” of cyber reserves. In 2005, the Chinese military reportedly organized a series of regional hacker competitions to identify talented civilians. As a result, the founding member of the influential hacker group Javaphile (hugely active in Chinese patriotic hacker attacks on the United States in the early 2000s, including the defacement of the White House website) joined the Shanghai Public Security Bureau as a consultant.
