says, “but not too many more, because of the cost impact of scaling up such an effort.”
As for the Dutch case, it revealed that even successful investigations are tough to prosecute. Today Nasiri is awaiting trial in Holland on Dutch charges. But a Brazilian man originally charged along with him escaped trial. The U.S. indictment had alleged that the Brazilian orchestrated the receipt of 23,000 euros from a buyer and arranged to receive electronic media from Nasiri containing the bot code. It seemed he’d been caught red-handed. Last year, however, the United States dropped the charges, citing the unavailability of a key witness. The Dutch police say they escorted him to Amsterdam’s Schiphol airport and he jetted back to Brazil, a free man.
In 1959 the Tibetan spiritual leader, the Dalai Lama, fled to Dharamsala, a scenic town in the Himalayan foothills of northern India that is still home to Tibet’s exiled government. There, a local café called Common Ground also serves as a nongovernmental organization that tries to bridge the gap between Chinese and Tibetan cultures. But in 2009, a computer scientist visiting the café discovered a bridge of a different sort: an electronic spy pipeline. The researcher, Greg Walton, noticed that computers in the town’s Wi-Fi mesh network, called TennorNet, were “beaconing” to a command-and-control server in Chongqing, China.
The scope of the espionage extended far beyond the café. According to researchers from the Ottawa cyber forensics company SecDev Group (including Walton) and the University of Toronto, victims included agencies of the Indian national security establishment; the compromised data included personal, financial, and business information belonging to Tibetans, Indians, and human-rights figures around the world (see “Espionage in the Cloud” in slideshow). The discovery came before China-based attacks against Google and other Western companies prompted Google to pull out of China (see “China’s Internet Paradox,” May/June 2010). “We lack good metrics to figure out how big the espionage problem is, but it seems clear that it’s getting a lot worse–and fast,” says Paxson. “Google China was a wake-up call, and there’s a lot more of it out there.”
Baltic Battle: In 2007, following a dispute over Estonia’s plans to move a Russian monument, riots broke out between Russians and Estonians.
China denies that its government was behind either the Dalai Lama or Google attacks, and the Toronto group says it cannot prove it was. But we can fairly speculate that there is a Chinese market for intelligence about people active in Tibetan circles. Many institutions–corporations, governments, universities–are in a similar position to Tibet’s government in exile, in that they hold data worth stealing because it is of value to someone. And the Canadian work shed light on global espionage techniques that, by all accounts, are far more widespread than the China-based attackers’ strikes on Tibetan targets. “With exponential growth in cyber crime, private and public organizations will find cyber penetrations if they look,” says John Mallery, a computer scientist at MIT’s Computer Science and Artificial Intelligence Laboratory. “More or less, organizations are mired in inherently insecure infrastructures and components that were never designed for security and, at best, have been retrofitted with partial security measures. Today, the attacker has the advantage at the architectural levels and is innovating faster than defenders. So what organizations can do is manage their vulnerability by isolating valuable information.”
As Mallery suggests, the lesson is that organizations should plan for losses and remain constantly vigilant, because no networked IT infrastructure can be truly safe. Consider that in response to earlier incursions (also detected by the Canadian researchers), the Dalai Lama’s staff had installed state-of-the-art firewalls one year before Walton’s discovery. But firewalls generally must be programmed to block hostile sites, and the China-based spies used an ever-shifting array of benign-seeming intermediaries, including Google Groups, Twitter, and Yahoo Mail. The attackers are believed to have embedded their malware in Microsoft Word and PDF documents sent from seemingly friendly e-mail addresses that had been either spoofed or hacked. If the victim opened the attachment with a vulnerable version of Adobe Reader or Microsoft Office, the spyware took root.
Fortunately, some emerging technologies could provide a solution even in these cases. Cyber espionage often involves sending malicious commands to an infected computer that then sends data back. Detecting the signature of those commands–and then blocking them–is the goal of Santa Barbara’s Kruegel, who has developed technology that spots the communication even if the initial infection went undetected. Even though attackers might compromise machines, Kruegel says, if you can identify the commands fast enough, “you can target and shoot them down.” He expects to bring the technology to market within one year.
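The two preceding paragraphs describe the defender’s problem: infected machines “beacon” to a command-and-control server, and block lists fail when the intermediary is a benign-looking service. The following is an added example, not code from the article or from Kruegel’s product, of one approach a network defender can take in the meantime: flag source/destination pairs in a proxy log whose connection timing is too regular to be a human browsing, regardless of where they connect. The log format, host names and thresholds are constructed for the illustration.

```python
# Added example (not from the article): flag hosts that "beacon" to a
# C2 server by finding regular, low-jitter outbound connections in proxy logs.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <src> <dst> <bytes>".
# 10.0.0.5 polls groups.example.net every ~5 min; 10.0.0.7 browses it normally.
SAMPLE_LOG = """\
2009-03-01T10:00:00 10.0.0.5 groups.example.net 512
2009-03-01T10:00:03 10.0.0.5 mail.example.org 20480
2009-03-01T10:01:00 10.0.0.7 groups.example.net 4000
2009-03-01T10:02:30 10.0.0.7 groups.example.net 5100
2009-03-01T10:05:01 10.0.0.5 groups.example.net 515
2009-03-01T10:07:40 10.0.0.5 news.example.com 88000
2009-03-01T10:09:59 10.0.0.5 groups.example.net 510
2009-03-01T10:13:00 10.0.0.7 groups.example.net 3200
2009-03-01T10:14:10 10.0.0.7 groups.example.net 4400
2009-03-01T10:15:02 10.0.0.5 groups.example.net 512
2009-03-01T10:20:00 10.0.0.5 groups.example.net 514
2009-03-01T10:31:17 10.0.0.5 mail.example.org 1900
"""

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def interval_stats(timestamps):
    """Mean gap between connections and its coefficient of variation (0.0 = perfectly periodic)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:          # need at least three connections to judge rhythm
        return None
    m = mean(gaps)
    return m, pstdev(gaps) / m

def find_beacons(text, min_connections=4, max_cv=0.1):
    """Return (src, dst, mean_interval_s, cv) for every pair whose timing
    is regular enough to look like a C2 poll loop, sorted for stable output."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        m, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits.append((src, dst, round(m), round(cv, 3)))
    return sorted(hits)
```

Because the check keys on timing rather than destination reputation, a machine polling Google Groups or Yahoo Mail on a fixed schedule stands out even though the destination would never appear on a block list; the thresholds need tuning against real traffic, since scheduled software updates are periodic too.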
Changes on the political level could also make a difference: right now, no treaty bars what the China-based agents did. While U.N. conventions make strong statements on human rights, for example–and such conventions are frequently