opinion

We are used to computers being our window to the world. It is time to get used to them looking back at us. Welcome to the world of do-it-yourself signals intelligence.

This week the Information Warfare Monitor -- a joint effort of the SecDev Group (Ottawa) and the Citizen Lab (University of Toronto) -- released a report detailing the results of a 10-month investigation of alleged cyber espionage, consisting of fieldwork, technical scouting and laboratory analysis.

The research began with allegations of Chinese cyber espionage against the Tibetan community in Dharamsala, India, and eventually widened out to include a stunning network of more than 1,295 compromised computers in 103 countries.

We were able to discover these infected hosts only because GhostNet -- the name we gave to the command and control network -- was set up in an insecure way, allowing one of our lead researchers, Nart Villeneuve, to log on, archive, and monitor its lethal reach.

What is remarkable about the network is not its sophistication, but that it has been able to harvest such a large list of high-value computer systems. Close to 30 per cent of the affected systems belong to ministries of foreign affairs including those of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN Secretariat, SAARC and the Asian Development Bank, news organizations, and an unclassified computer located at NATO headquarters.

As the evidence mounted of the number and range of targets collected, questions raced through our minds: how many sensitive activities have been pre-emptively anticipated by intelligence gathered through this network? How many illegal transactions have been facilitated by information harvested through GhostNet? Worst of all, how many people may have been put at risk?

Who is behind GhostNet?

The most obvious explanation, and certainly the one in which the circumstantial evidence tilts the strongest, would be that this set of high-profile targets has been exploited by the Chinese state for military and strategic-intelligence purposes. Indeed, many of the high-confidence targets we identified are clearly linked to Chinese foreign and defence policy, particularly in South and South East Asia.

Many of the high-profile targets reflect some of China's most vexing foreign and security policy issues, including Tibet and Taiwan.

Most damning of all, perhaps, the attacker(s)' IP addresses we examined trace back in at least several instances to Hainan Island, home of the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army.

On the other end of the spectrum is the explanation that this is a random set of infected computers that just happens to include high-profile targets of strategic significance to China, collected by an individual or group with no political agenda per se.

Given the groupings of various entities in the infected computer list (by country and organization), internal e-mail communications and other sloppy security practices could have led to cross-infection and subsequent listing on the control servers.

Another possible explanation is that a criminal organization is targeting these victims for profit. GhostNet could very well be a for-profit, non-state venture, such as those that apparently profited by cyber-attacks against Georgia in the Russia-Georgia conflict of 2008.

Even "patriotic hackers" could be acting on their own volition or with the tacit approval of their government as operators of the GhostNet.

Finally, it is not inconceivable that this network of infected computers could have been targeted by a state other than China, but operated physically within China (and at least one node in the United States) for strategic purposes.

Compromised proxy computers on Hainan Island, for example, could have been deployed as staging posts, perhaps in an effort to deliberately mislead observers as to the true operator(s) and purpose of the GhostNet system.

Ultimately, the question of who is behind the GhostNet may matter less than the strategic significance of the collection of affected targets. What this study discovered is serious evidence that information security is an item requiring urgent attention at the highest levels. It also demonstrates that the subterranean layers of cyberspace, about which most users are unaware, are domains of active reconnaissance, surveillance, and exploitation.

Indeed, although the Achilles heel of the GhostNet system allowed us to monitor and document its far-reaching network of infiltration, we can safely hypothesize that it is neither the first nor the only one of its kind.

Ron Deibert is director of the Citizen Lab, Munk Centre for International Studies, University of Toronto. Rafal Rohozinski is a principal of the SecDev Group, Ottawa. They are co-founders and principal investigators of the Information Warfare Monitor Project. Their report, Tracking GhostNet, can be downloaded at http://www.infowar-monitor.net/ghostnet