Application 2 – Annotated Bibliography
TERRORISM
The Dark Side of WEB 2.0: Criminals, terrorists, the state and cyber security
MICHAEL STOHL, PAUL MYERS AND MARY DANIS
The increasing digitization of information and the advances in communication technology have meant that more and more of public and private life are conducted in cyberspace. The new technologies which enable ever greater access to and sharing of information by individuals, organizations and governments as well as greater productivity and efficiency also create new arenas for malicious behaviors by criminals, terrorists and states. Thus, it is no surprise that there is increasing interest in the use of the Internet and other cyber information tools for nefarious activities. At the same time there is also increasing concern that criminals, terrorists and states will forge alliances or find common ground and exploit security vulnerabilities and threaten the ever increasing interconnected cyber and economic worlds.
This concern has been especially prevalent in the Asia Pacific region as illustrated by the recent accusations made by the United States and Great Britain of increasingly aggressive hacking activities emerging from China. There is further suspicion that the Chinese People's Liberation Army, which has made major investments in information warfare capabilities, has employed these capabilities to hack into U.S., U.K., French, Australian, New Zealand and German government websites; and by increasing concerns that the increasing millions of private computers in China have poor security and are vulnerable to "capture" by malicious software and thus can be used to launch attacks throughout the region and world. Coterminous with China's major trading partners' concerns about security problems emanating from China, the Chinese government is increasingly concerned not only about insecure computers, but also Web based criminal activity ranging from pornography and gambling to dissident political activities. Chinese responses to these concerns have increased the concern of Western governments and publics that major information providers such as Yahoo and Google are either collaborating with, or acquiescing to, Chinese government requests to control and suppress information flows on the Internet. In November 2007, Yahoo settled a lawsuit brought against the company for its much publicized collaboration with Chinese authorities in identifying, leading to the subsequent imprisonment for ten years of, journalist Shi Tao in 2004 and pro-democracy dissident Wang Xiaoning in 2002.
In discussions of the threat of cyber crime, there is also often confusion between criminal and terrorist cyber activity and the all too frequent use of sensationalism and fear to compound the problem by calling it cyber terror. There are certainly enough serious potential vulnerabilities associated with the cyber world: issues of privacy of data and information, unwarranted manipulation, destruction and theft of data, intellectual property theft and digital copying, as well as the dissemination of offensive and harmful content including pornography, hate speech, defamation and negative or false social, political or economic information that may cause harm. The cyber instrument may itself be the target of the criminal activity or it may be the target either of the theft or the manipulation. Thus there is justifiable and increasing concern for Internet security and corporate/governmental organizational security with respect to information based operations, but the fact that terrorist organizations might also employ the same tools as criminals to obtain resources does not create a new form of threat or a new class of activity.
Theft of services, fraud, unauthorized fund transfers, embezzlement, destroying or damaging data, and website defacement are a few of the cyber based criminal activities that may be employed by both terrorists and governments. Other malicious activities include the incapacitation of information systems (denial of service attacks) and individual computers or the actual "capturing" of them with which to attack other computers while masking the origin of those attacks. In 2001 Pakistani groups linked to al-Qaeda threatened to deface hundreds of Indian sites, and demonstrated their capability by hacking into several government sites. More recently in India, Goa's Department of Information website was allegedly hacked by terrorists (Turkish republican hackers). This group is credited with numerous other hacking incidents in India, as well as other countries such as Canada, Australia, Belgium, and Sweden. Unlike traditional criminal or terrorist activities, crimes in cyber space know no boundaries and may easily be conducted from remote sites across national borders. In China, computer programmers were able to damage millions of computers with the "Panda virus," exponentially causing more damage by selling the worm-style virus. In addressing the threat that these cyber criminal activities pose, the central security dilemmas presented are the tensions between security and convenience, market versus regulated systems and military versus economic interests.
Harvard Asia Pacific Review 47
Concerns about the stealing of information through cyber activities have extended to claims about governments and legitimate businesses as well. There have been extensive discussions and accusations directed at China for involvement in industrial espionage via the Internet. While little has been substantiated, a recent report by the US-China Economic and Security Review Commission warned of large scale espionage against the US from Chinese computers and argued that this is currently the single greatest risk to American technology. On the other hand, the Chinese government, worried about its ability to control the flow of information within China and across its boundaries, has extended this control to data on product safety. This has made it very difficult for the private-sector in the US and many Chinese firms to monitor the production of, for example, toys and food products, two sectors which have had enormous safety concerns in the past few months.
While the focus of concern has been on the increasing threats posed by China, Chinese authorities have issued counter-allegations that their own sites are the target of significant hacking activities. The allegations and counter allegations, as well as a review of the Symantec Internet Security Threat Report over the past few years, suggest that the problem of cyber security is far more interconnected and that the potential and concern for Internet based crime is far more widespread. The United States is far and away the country from which the greatest volume of malicious activity originates, accounting for just less than one in every three activities and one in every four attacks. China was second at one in ten. When one examines the attack ratio by country per Internet user, the United States drops to number three behind Israel and Canada and China is not even in the top ten nations. Further, the United States is the top country of origin for attacks targeting the government sector and for most of the forms of attacks employed by cyber criminals, i.e. phishing, spam, and malicious code. As the U.S. hosts the greatest number of Web servers this is not surprising in and of itself. On the other hand, since China has far greater regulatory controls on websites, including Internet filtering tools on websites and Internet cafes, this may serve to reduce certain forms of malicious activity such as phishing within China. However, as the number of private computers increases in China and elsewhere, there is an increasing danger posed by insecure platforms from which cyber based attacks may originate. This may be particularly germane in the Chinese case. It is believed that the discrepancy between China's bot-infected computers ranking (at 1) and bot-infected command and control servers (at 5) may well be attributed to cyber criminals from outside China "capturing" insecure Chinese private computers which are less controlled than Web servers and Chinese government-owned computers. There is thus a danger that as such controls are lifted or circumvented greater numbers of computers risk infection and the network faces the risk of greater vulnerability because of the resulting increase in insecure platforms.
Many of the security difficulties and vulnerabilities extend from a lack of known security precautions, i.e. installing basic anti virus software, spam filters and refusing to open suspicious files or files from unknown senders, protecting passwords and files when using public computer sites or accepting copied files from other than trusted persons or sites. This lack of precaution is not simply an economic cost factor, which particularly affects poorer computer owners, but is also frequently grounded in the tradeoff involved in the convenience and timeliness versus security and cost ratio. Installing, monitoring and updating security software and following basic security directives is a costly and time consuming process in which many are unwilling to invest. Some of that convenience and timeliness versus security and cost may also be found in the tension between using a Blackberry or Palm or other PDA to transmit data electronically or memory sticks and CDs to physically transfer data to be able to respond instantaneously or work away from the office despite security prohibitions for doing so because of the danger of data theft. Recommendations are now in place to limit what information is passed via these hand-held devices by State Department officials, and even more stringent guidelines for data transfer are in place for U.S. government employees working in countries such as China. The convenience and timeliness of ignoring basic security precautions often leads to increased cyber vulnerability.
There are also cyber crime concerns that develop out of the ability of criminal organizations and individuals to exploit the Web to distribute illegal video such as pornography faster, easier, and more anonymously and to extract funds electronically behind the same wall of anonymity. Gambling operations may also operate across boundaries and avoid state intervention to collect taxes on either the corporation or the individual gambler. Fraud and electronic theft through the development of sophisticated mirror websites or email scams requesting naïve victims to provide bank account, credit card and personal information to "repair" damaged records, credit reports or award prizes. Often these schemes employ "captured" servers to mask their point of origin and reduce the chances of apprehension (Simply employing search engines without security software can lead to increased vulnerability. Thus while searching a legitimate-appearing and popular database on electronic scams for this article, the site attempted to place a Trojan on our computer.). Naturally, in those societies where government imposed controls are more stringent such activities are greatly reduced. These government imposed filters have led to very low rates in China of phishing websites (those attempting to trick users to disclose information such as credit card numbers). At the same time the Chinese government and other governments (e.g. Myanmar) are concerned about the use of the Web for opposition political purposes and thus also limit access to particular websites and attempt to control access to transmission sites and search engines. In the Chinese case this practice of blocking website access has been dubbed the "Great Firewall of China." The website www.greatfirewallofchina.org allows people to see whether or not a specific website is currently being censored in China.
At the same time that the major trading nations are concerned about threats to the financial, manufacturing and trading system that cyber capabilities increasingly underlie, the military establishments of some of the major powers have also increasingly expanded their information war research and investment. There have been tensions among Russia, China, and the United States about each nation's major investments in info war and their increasing military capability. There are also continual fears that the "other" will use such capabilities not only for info war and C3 (command, control and communication capability) but also for industrial/corporate espionage and disruption of commercial capabilities. The United States and other western governments suspect that attacks from the Chinese military (PLA) are disguised as coming from rogue computers and are actually outsourced for deniability purposes, and there have been reports that the U.S. government believes that prizes are offered by Chinese authorities for successful hacks of foreign sites. While firms such as Yahoo have been criticized for cooperating with the Chinese government in terms of providing Internet records, the US has also been outsourcing much of its work as part of the general outsourcing of all types of military and intelligence operations or has co-opted corporations such as those of the telecommunications industry to assist in the eavesdropping of communications for intelligence gathering. This means that its potential probes of Chinese or Russian websites would also have deniability possibilities. But it is not only the major powers which are engaged in such activity. The 2007 edition of McAfee's annual Virtual Criminology Report charges that over 120 nations are engaging in Internet spying operations and attacks.
One interesting "private sector" crime that is often improperly characterized as cyber terror has also been dubbed "patriotic hacking." There have been two major variants. In the first, usually occurring in the midst of increasing tensions between two governments, websites of an "offending" country's government agencies, Defense, Foreign Ministry, Executive office are defaced by hackers from the home country and a message, or a symbol (such as the attacking country's flag) is placed on the site. Incidents have included the defacement of hundreds of Danish websites in response to the cartoon drawings of Mohammed, and the defacement of the UN website protesting military actions of the United States and Israel. A second version redirects visitors to the web page to a page of the hacker's choosing. Thus when President Bush hosted the Dalai Lama in October 2007, those trying to access Google, Yahoo and Microsoft websites from within China were redirected to the Chinese based site Baidu. Americans are not innocent when it comes to "patriotic hacking." In 2003, the Arab network, Al-Jazeera was replaced by American hackers with an American flag and the tagline "let freedom ring." The English version of Al-Jazeera has since been victim to numerous hacking and defacement attempts. The National Infrastructure Protection Center (NIPC) operated by the FBI has issued several warnings against these types of crimes, targeting both American hackers to cease this type of activity and warning of possible incoming "patriotic hacking" attempts. In 2003 the FBI issued a statement that patriotic hacking is a felony and that it does not condone these actions on the U.S. government's behalf. Further, the FBI warned that severe consequences can emerge from the exploitation of malicious code and acts intended to harm a target country can actually harm the interests of the hacker's country. The statement came less than a week after administration officials had confirmed that President Bush had signed a secret order allowing the government to develop guidelines under which the US could launch cyber attacks against foreign computer systems. This decision once again illustrates the tension between military needs and priorities versus those of a secure information system for commercial and private interests.
Cyber security challenges are likely to grow with the increasing quantity of computers and growing interconnectivity. Of greatest concern is the increasing number of computers numbering in the tens of millions that remain unprotected from viruses and Trojans and other forms of malicious software. The individual vulnerabilities of those computers, because of the power of the Web network, present a danger not only to the individual but potentially to all those who are connected to the network. As the computer enters greater numbers of households and businesses and lessens the digital divide between rich and poor nations and communities, the threat increases. It is quite possible that a parallel will emerge between the physical world of failed states, which provide criminals and terrorists safe havens from which to launch attacks, and "cyber havens" in which the combination of poor security and malicious software such as bots enables the launching of attacks from large numbers of "zombie" computers from particular networked "regions" and thus may make it more difficult to prevent attacks.
The extension of cyber network capabilities to greater numbers of hand held devices and the increasing reliance on interconnectivity for a growing number of everyday interactions for millions of people will make the security/convenience tradeoff increasingly more important. If consumers, as well as organizations, public and private, do not privilege security over the convenience of doing nothing, the system's vulnerability will continue to be exposed.
Because of the increasing need to prevent disruptions of all forms of commerce, those on the commerce side of the nations seek greater cooperation to create standards for the implementation of protections. Numerous bilateral talks and agreements, committees, commissions and intergovernmental organizations have been created within the Asian regional associations such as ASEAN and APEC and have explored how better to protect information, infrastructure, regulatory reform, next generation networks and cyber security. Cyber emergency response teams (CERTs) have been set up in many nations and these response teams cooperate when large scale attacks occur or new malicious software is identified.
One major impediment to future cooperation remains tied to the tension among competing interests by governments to maintain their own military offensive and defensive cyber capabilities, surveillance capabilities and to control the flow of information. At the same time the dynamics of globalization which has included an increased flow of people as well as information and goods and services has increased the abilities and interests of those who seek to knock down cyber walls and encourage freer information flows. As a result, the flow of information may be restrained within some nations but it cannot be completely blocked. For example, as software is developed that can bypass filters that block Web content, it can be shared and those who challenge Chinese Internet privacy laws are finding ways around the "Great Firewall of China." While we may applaud the intent to provide greater freedom for China's population, we need to carefully consider both the legal and ethical dimensions of either assisting the Chinese (or other nations') people behind these government constructed firewalls to break the law or, as in the case of Yahoo noted above, assisting the Chinese government in upholding its laws. Drawing the line will not be easy when it is placed in the context of encouraging greater international governmental cooperation to enhance cyber security. Balancing these competing needs will not be easy but perhaps the Chinese Proverb "If you don't want anyone to know, don't do it" can provide a starting point.
Michael Stohl is Professor and Chair of the Department of Communication at the University of California Santa Barbara. Paul Myers is a graduate student in the Department of Communication at the University of California Santa Barbara and a former member of the London Metropolitan Police Service. Mary Danis is a graduate student in the Department of Communication at the University of California Santa Barbara.