Source: Ottawa Citizen

Canadian security experts have found stolen plans for a top-secret surface-to-air missile system from India on Chinese computer servers, raising renewed calls for countries to co-operate in policing cyber security.

Hackers in China have been using well-known security flaws to steal more than 700 documents from embassies around the world, Indian government agencies, private corporations and private e-mails from the Office of the Dalai Lama, according to a groundbreaking study by experts from Ottawa’s SecDev Group and the Munk School of Global Affairs at the University of Toronto.

Ron Deibert, one of the study’s principal researchers, said international interest in the study will push his group to hold a global cyber-security summit at the university in the fall on how governments should deal with the problem.

“Governments are engaged in a competitive arms race in cyberspace, which prevents co-operation on global cyber security,” said Deibert in a release. “There is a vast, subterranean ecosystem to cyberspace within which criminal and espionage networks thrive. Networks such as these thrive because of a vacuum at the global level.”

While some governments are quickly ramping up their offensive capability against cyber attacks, there is a lack of international co-operation.

While the hackers behind the international data theft were found to be in China, there is no evidence to suggest that the Chinese government was involved, the report’s authors admit. Chinese government officials denied any connection.

“I don’t know what evidence these people have, or what their motives are,” said Chinese Foreign Ministry spokeswoman Jiang Yu. “Our policy is very clear. We resolutely oppose all Internet crime, including hacking.”

Deibert, of the Munk School, used the findings in the newly released study, Shadows in the Cloud: An Investigation Into Cyber Espionage 2.0, to chastise Canada for lagging in development of a plan detailing how the country should respond to a well co-ordinated cyber attack.

“For its part, the Canadian government has neither a domestic cyber security strategy or a foreign policy for cyber space,” Deibert said. “The (new) report should offer a wake-up call that rectifies this situation, or we may find that we are the next victim.”

The release of the study comes weeks after the federal government announced it would work on a national cyber-security strategy, detailing how Canada would respond to a cyber emergency.

The University of Toronto work builds on an earlier study, released in April 2008, that unearthed a computer network, dubbed the GhostNet, that was being used to steal sensitive information from various organizations, including the offices of the Dalai Lama.

For the new study, researchers started their investigation back in the Dalai Lama’s offices in order to track the cyber activity.

“If a target is particularly tempting, an attacker is going to keep coming at it until they finally crack through it,” said Rafal Rohozinski, chief executive of Ottawa’s SecDev Group and another lead researcher on the new study. “We thought, ‘The Dalai Lama’s computers are probably going to be a target that spies go after.’”

Over the course of eight months, researchers caught hackers sneaking into file systems and stealing e-mails, digital transcripts of telephone calls and other information.

The investigation led them to India, where plans for advanced weaponry and information on military procedures were taken. In the U.S., the offices of Honeywell were attacked and hackers tried to steal information about advanced aerospace technologies, although it is not known if any information was actually stolen. Various embassies in Kabul, Moscow, Dubai and Nigeria were all found to be compromised by the hackers.

Confidential information from the Indian embassy in Afghanistan, as well as Indian and Pakistani embassies in the United States was also compromised by hackers. Personal information from a handful of Canadians and citizens from 15 other countries seeking Indian travel visas was obtained by hackers and later recovered by researchers.

The investigation determined the hackers were based out of Chongqing, a large city in southwest China, and another nearby city of Chengdu.

Rohozinski said the global nature of the hacking attacks made them almost impossible to stop. China or Russia does not recognize U.S. or Canadian laws, and, since there are no international laws governing cyber espionage, countries harbouring hackers do not have to take legal action against the individuals.

“What will happen is the FBI or the RCMP will turn to the Russian authorities and say, ‘We have evidence of a cyber crime. Someone has been breaking into a system and stealing data. Will you please prosecute it?’” Rohozinski said.

“The Russians turn around and say, ‘According to our laws, defamation is also information security. There is a blog in the U.S. that is putting out content we feel is defamatory. Unless you take steps to prosecute that blog, I’m sorry, but we can’t co-operate with you.’”

Adam Vincent, chief technology officer of public sector at Vancouver security firm Layer 7 Technologies, applauded the newly released study, but said hacking attacks were becoming all too common.

“Yet again we see a sophisticated cyber attack with the sole purpose of obtaining information. Whether that information is being used or sold, we don’t know,” he said. “The stage we are in now is a scary stage. A new weapon has come onto the scene. One that is confusing, doesn’t take a whole lot of training to use and one that is freely available.”

Vincent said the threat posed by hackers wasn’t just a government concern; these types of attacks pose a risk to the personal information of millions of people every day. He pointed to high-profile attacks on Google Inc., which were reported in January.

More than 33 companies, including Google and Yahoo, were being targeted by Chinese hackers for the better part of a month. However, the attacks only came to light when Google came forward and voluntarily admitted that it was being targeted.

Vincent said the problem was “huge” and must be addressed. He admitted that, in many cases, government and private business did not publicly acknowledge when they had fallen victim to hackers, which only made matters worse.

The research being done by Deibert and Rohozinski becomes even more important since governments and private businesses are not talking about the problem.

“It took a long time before we had a law of the seas or a law of outer space,” Rohozinsky said. “It has to start somewhere.”

© Copyright (c) The Ottawa Citizen