An Interview with Jon Penney

Yesterday, security company McAfee released a report uncovering the largest series of cyber-attacks to date. Does this report reveal anything new about our vulnerabilities or about those instigating the attacks?

The report is noteworthy for bringing a large and sustained hacking campaign to light. But, in truth, it is not unprecedented; the scale and method is familiar. The Ghostnet, a cyber-spying ring discovered by researchers at the Citizen Lab in 2009, also involved high-profile social, political, and economic targets, with over a thousand computers infected in over 103 countries. And the McAfee report, though much shorter on details than the Lab’s release on Ghostnet, outlines a similar attack methodology: targets are sent emails with malicious attachments, which plant Trojan malware on a computer when executed. The malware then gives a control server, located elsewhere, remote-access control over infected computers.

Overall, though our capacity to track large-scale cyber-attacks has somewhat improved, our vulnerability has not changed. Nor has the extent and scale of the threat, though this will grow, too, as more governments feel the need to engage in cyber-warfare. What has changed is that there is now a greater media focus and willingness among industry to disclose attacks of this nature and scope.

Though the report’s evidence and external security experts point to China, McAfee will go only so far as to attribute these attacks to an unidentified “state actor.” Should Canada be similarly reticent on the subject of China’s cyber-operations?

Officially, it is difficult to finger China. The McAfee report has little detailed evidence on the origins of the hacking. There is circumstantial evidence pointing to the Chinese government, but nothing definitive. That said, these are very murky waters; there is rarely a smoking gun. Those responsible could be state actors, or state sponsored or encouraged actors, or private citizens carrying out their own nationalist aims, with law enforcement merely looking the other way. Canada cannot ignore such attacks, but a response should be measured, especially where the evidence is thin.

How potentially dangerous are these attacks?

Beyond the obvious dangers to privacy and data security, a key threat here is largely economic. Intellectual property and trade secrets were a central focus of this cyber-attack; government, defense, and technology industries were among the main targets. It is difficult to put hard numbers on economic losses in specific cases, but reports suggest that intellectual property theft costs western industries billions in net economic loss annually.

However, the greatest danger with large-scale cyber-espionage is likely its impact on international relations – the potential to promote what Ron Deibert and Rafal Rohozinski call a “cyber arms race.” As more governments become victims of such attacks, more ramp up their own cyber-warfare operations. This only increases tensions and the proliferation of tools – and state practices – that feed cyber-warfare. This leads to less security, and greater vulnerability.