This post was co-authored by Sarah McKune, a senior researcher at the Citizen Lab.
Public attention to the secretive world of cyber espionage has risen to a new level in the wake of the APT1: Exposing One of China's Cyber Espionage Units report by security company Mandiant. By specifically naming China as the culprit and linking cyber espionage efforts to the People's Liberation Army, Mandiant has taken steps that few policymakers have been willing to take publicly, given the significant diplomatic implications. The report has brought to the forefront US-China disagreements over cyberspace, igniting a furious response from the Chinese government.
Also cast in stark relief by this incident, however, are the priorities of the United States in securing the cyber domain: threats to critical infrastructure, and the theft of intellectual property, trade secrets and confidential strategy documents from key industry players and Fortune 500 companies. General Keith Alexander, the head of US Cyber Command and the National Security Agency, raised the profile of the theft issue last year in asserting that widescale cyber espionage had resulted in "the greatest transfer of wealth in history." The issue was highlighted again in the newly-released Administration Strategy on Mitigating the Theft of U.S. Trade Secrets.
Certainly, threats against critical infrastructure and theft of intellectual property and trade secrets are important. However, they are not the only targets of cyber intrusion and espionage that should merit public attention and government concern.
An often-overlooked dimension of cyber espionage is the targeting of civil society actors. NGOs, exile organizations, political movements, and other public interest coalitions have for many years encountered serious and persistent cyber assaults. Such threats — politically motivated and often with strong links to authoritarian regimes — include website defacements, denial-of-service attacks, targeted malware attacks, and cyber espionage. For every Fortune 500 company that's breached, for every blueprint or confidential trade secret stolen, it's a safe bet that at least one NGO or activist has been compromised in a similar fashion, with highly sensitive information such as networks of contacts exfiltrated. Yet civil society entities typically lack the resources of large industry players to defend against or mitigate such threats; you won't see them hiring information security companies like Mandiant to conduct expensive investigations. Nor will you likely see Mandiant paying much attention to their concerns, either: if antivirus companies do encounter attacks related to civil society groups, they may simply discard that information as there is no revenue in it.
While cyber espionage against a company may result in the loss of a blueprint, an attack on an NGO could result in a loss of individual life or liberty. Yet civil society is largely on its own as it goes about its work to advance human rights and other public policy goals while struggling to stay ahead of debilitating cyber threats.
In Citizen Lab's research on cyber espionage against civil society, going back to the Tracking GhostNet and Shadows in the Cloud reports, we've routinely encountered the very same malware families, social engineering tactics, and advanced persistent threats experienced by the private sector, governments, and international organizations. Our research indicates that the important details uncovered by Mandiant are just one slice of a much bigger picture of cyber espionage linked to China. For example, Citizen Lab's Seth Hardy has found that certain malware targeting a Tibetan organization incorporates much of the same code and uses one of the same command-and-control servers as the APT1 attacks documented by Mandiant. This suggests that APT1 is also targeting civil society groups alongside the "higher profile" companies and organizations on its roster.
Our findings confirm there's more to China's motivations than just industrial and government espionage. The Chinese government appears to view cyber espionage as a component of much broader efforts to defend against and control the influence of a variety of "foreign hostile forces" — considered to include not only Western government entities, but also foreign media and civil society — that could undermine the grip of the Communist Party of China.
The solutions presented by US policymakers, however, have left civil society out of the equation altogether, focusing on industry and government only, as if these are all that matter. Notably, a February 12, 2013 executive order on improving cybersecurity provides that US policy is to "increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats." No similar initiative exists for outreach and information sharing with civil society. Without these considerations, we leave civil society hung out to dry and lose sight of that which we are aiming to protect in the first place — a vibrant democratic society.
As we consider what to do about mitigating cyber attacks, and the bleeding of our industrial base from unabashed cyber espionage, we would do well to remind ourselves of a fact that may be easily overlooked: China's domestic problems in the human rights arena are a major factor driving cyber insecurity abroad. China's aggressive targeting of "foreign hostile forces" in cyberspace includes groups simply exercising their basic human rights. We may well soften China's malfeasance around corporate and diplomatic espionage, but without dealing with the often-overlooked civil society dimension, we will not eradicate it entirely.
By Ron Deibert, Director, The Citizen Lab, Munk School of Global Affairs, University of Toronto
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines