Surveillance or Security?: The Risks Posed by New Wiretapping Technologies

As the West learned about the Soviet espionage effort, the Soviet spies were removed, but not before the United States played a deeper game of sabotage. One example that has since become public involved a trans-Siberian gas pipeline being built by the Soviets, who sought Western computer systems to manage the complex control systems needed by the pipeline. While the Soviets were permitted to buy the hardware, they were not allowed to purchase the required software from the United States. Finding a Canadian company producing what they sought, Soviet spies lifted it. Unbeknownst to them, the software had been "improved."

For a time, the pipeline control system worked fine. However, after an appropriate interval, a Trojan horse that had been embedded in the stolen software began to reset pump speeds and valve settings. This created pressures that burst pipeline joints and welds, and the result was the "most monumental non-nuclear explosion ... ever seen from space."124 At that point, the Soviets realized they had been had. Their problem went very deep: they had no idea which systems they had stolen were compromised and which stolen systems they could trust.125

The pipeline burst in 1982, but Soviet economic espionage against the West did not end. The spying let up briefly when the Soviet Union broke up in 1991, but several years later the number of Russian intelligence agents targeting U.S. technology had increased again.126 Meanwhile another nation-state appeared to be entering economic espionage in a big way. And this one's efforts began in earnest just at a time when the Internet became particularly useful as a way to conduct economic and military espionage.

In 1997 the number of Internet users in China was reported to be under a million.127 The nation of over a billion people quickly came up to speed, at least in certain aspects of using the network. One night in October 2004, someone scanned various U.S. military computers to determine which ones were using particular unpatched software. On November 1, at 10:23 p.m. PST, these vulnerabilities were exploited. Outsiders entered. With great skill, they probed computer systems at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona. Less than three hours later, the attackers used the same unpatched software to enter the military's Defense Information Systems Agency in Arlington, Virginia; two hours after that, they attacked the Naval Ocean Systems Center, a Defense Department installation in San Diego, California. At 4:46 a.m. PST, they hit their last target: the United States Army Space and Strategic Defense installation in Huntsville, Alabama.128 Large amounts of sensitive material, including army helicopter and flight-planning software used by the U.S. Army and Air Force, were downloaded.129 The files were shipped first to Taiwan and Korea, and then to southern China (Guangdong province).

This series of digital surveillances and thefts was among hundreds of coordinated intrusions into government systems between 2003 and 2005130 (the set of intrusions was dubbed "Titan Rain"). They raised many questions, first and foremost being who was responsible. Was it the People's Liberation Army (PLA)? From the tracks left in the network, it was not entirely clear. It is unlikely that a download of this size into China could have been accomplished without government awareness of the incident. More instances of attempts at such espionage followed.

Members of the U.K. Parliament were targets of well-crafted attempts at email espionage. Personally tailored emails were sent to the MPs and their secretaries and staffs. If the email attachments were opened, they would download spying software that searched through the users' machines and sent files of interest to a server in the Chinese province of Guangdong; the theft was obstructed by the Parliament's computer security system.131 Oak Ridge National Laboratory experienced a similar cyberespionage attempt in 2007, but in this case, the cyberspies were successful.132 In 2007 and 2008 a number of governments reported cyberexploitation efforts, although the nations did not want to name China as the culprit.133 These included New Zealand, Australia, India, Belgium, and Germany.

Another incident involved espionage against the Tibetan community. As with the attempts on the U.K. Parliament and Oak Ridge National Laboratory, Trojan-horse programs were inserted into host machines after being downloaded from carefully socially engineered email that looked as if it came from legitimate sources. By enabling the operation of attached devices, including microphones and cameras, the Trojans allowed remote control of real-time surveillance. In addition, files were downloaded and communications were monitored. University of Toronto researchers134 studying the network found that a total of 1,295 computers in 103 countries were infected,135 including those in ministries of foreign affairs,136 embassies,137 the Asian Development Bank, and a computer handling unclassified material at NATO headquarters.138 The servers controlling the network were located mostly in China (Hainan Island, Guangdong and Sichuan provinces, Jiangsu), though one was in the United States and one in Hong Kong.139

As with the other cases, it is unknown who was responsible for this particular espionage. The Toronto researchers noted that targets centered on foreign policy concerns especially vexing to the Chinese government (Tibet and Taiwan), and in at least two instances information available from the targeted machines was used by the Chinese government. In one case, an activist was arrested on her return to Tibet and "full transcripts of her Internet chats" were shown to her.140 In another, a foreign diplomat who had been invited via email to a meeting with the Dalai Lama was called by the Chinese government and warned not to participate.141 But because the organization for which the activist worked used communications devices known to be insecure,142 this is not definitive proof of Chinese government involvement in the "Ghostnet" surveillance. It is entirely possible that this effort was a do-it-yourself spyware system by a particularly fervent Chinese patriot.

The last decade of the twentieth century and the first of the twenty-first saw the extraordinary rise of China as an economic power. This development has been accompanied by an equally extraordinary modernization of China's military. Only a decade ago China was dependent on Western high technology, but that is rapidly changing. Struck by the U.S. use of information technology in the first Iraq War and realizing what a force multiplier such technology can be, the Chinese military has become increasingly networked. The nation is in the midst of a C4I (command, control, communications, computers, and intelligence) revolution,143 a revolution enabled by the "digital triangle" of booming Chinese IT companies, Chinese government investment in research-and-development infrastructure, and major military innovation (the military is also funding research).144 It is worth noting that the world's second largest maker of mobile telecommunications equipment is Huawei, a privately held Chinese company.145

One can trace Chinese military interest in electronic reconnaissance to at least 1999, when two Chinese experts on information warfare wrote, "We can use computer information networks set up in peacetime and enter networks as different users to do the surveillance in an area broader than the battlefield. We can borrow the power of computer experts, especially hackers, to finish computer surveillance tasks."146 China's industrial espionage is part of its larger cyberwarfare efforts, which begin with probing the enemy to gain intelligence.147 Since 1999 there has been increasing Chinese attention to electronic warfare. In 2000 Dai Qingmin, a general, wrote that an active offense was needed; by 2003 Dai had written Deciphering Information Security, a book with a description of an information-security university teaching such skills as hacker attacks and virus design.148 That same year the PLA announced that it would start high-tech units capable of conducting information warfare.149 Since 2005 the intrusions have mounted and there is a great deal of circumstantial evidence that the PLA is behind these efforts.150

As China has become more of a world power, it has moved away from disruptive hacker attacks, which are now a serious, though not always prosecuted, crime in China. The nation has embarked on cyberexploitation of a more damaging nature.151 China is interested in economic espionage and is quite willing to engage in long-term groundwork to get what it wants. Moles placed in useful situations may take years before they begin providing useful information. An example is Chi Mak, an engineer who immigrated to the United States from China in 1978 and began passing information to the Chinese government in 1983.152 Mak's focus was military technologies, a frequent target.

NASA, the U.S. space agency, has had plans stolen for rocket-engine designs, for the design and testing of satellite command-and-control software, for the shuttle-engine design, and for rockets for intercontinental missiles. Some of the theft appears to have been by criminal groups operating in Moscow, but vast amounts of data appear to have been exfiltrated to Taiwan, and from there almost certainly to China. This has included operational information about the space shuttle, and information about all of NASA's research projects. Boeing and Lockheed Martin had been managing the networks from which the shuttle information was lifted. In total, at least 20 gigabytes of data were taken.153 One U.S. government official characterized NASA as "completely open" to the Chinese.154

"China has downloaded 10 to 20 terabytes of data from the NIPRNet, DoD's non-classified IP Router Network," according to Major General William Lord, the air force's chief information officer.155 A 2009 U.S. National Research Council report remarked that U.S. "DoD systems have been subjected to foreign cyberexploitation" for sensitive business and personal information,156 but did not disclose the nation or nations involved. Lord's statement that the Chinese posed a nation-state threat regarding cyberexploitation was a rare public admission by a member of the U.S. government.

Another incident, covered in detail in a report prepared by Northrop Grumman, describes intrusion and data exfiltration through, or originating from, China. This set of intrusions, which targeted a number of large U.S. firms, was worked with the same precision and speed as the Titan Rain ones.

The intruders accessed the system through previously stolen usernames and passwords, and were sophisticated in their choice of user accounts. There are indications that reconnaissance done earlier allowed the intruders to develop a full understanding of the target's file structure and where data of interest was kept. Once the intruders were in the host machine, they immediately navigated to particular files, not stopping to look at other files along the way. Prior to downloading and removing the targeted files, the intruders checked that particular company internal servers were available as intermediate transfer points. Once the targeted files were moved to these intermediate servers, the files were renamed, making their movement outside the system less liable to arouse suspicion. The intruders tested the downloading capability of channels using a video file before they began moving the targeted files. This was a highly professional operation. The intruders were able to move significant amounts of data before the company's IT staff observed the problem and stopped the operation. It is unknown how much information the intruders intended to move.157

The initial cause of Titan Rain was unpatched software, but these other intrusions have not just been lucky hits. Given the tight timing of the exfiltrations, careful scouting work had clearly occurred earlier; the exploit was characteristic of a professional, well-trained organization. The incident described in the Northrop Grumman report shows high professionalism as well. The targeting of the U.K. Parliament and Oak Ridge National Laboratory demonstrated further technical capabilities. The type of highly technical information being taken and the fact that it is unlikely that criminals could monetize these thefts give clues as to who the cyberintruders might be; the general conclusion is that the thefts are state sponsored.158

The attacks on Google that were widely publicized in January 2010 also followed this pattern. Intruders gained access using a Trojan horse downloaded through an Internet Explorer browser that had an unpatched, and previously unknown,159 vulnerability. The intruders were able to access certain Gmail accounts (they were interested in human rights activists), although they only found out account information160 and engaged in the theft of intellectual property.161 There appeared to have been reconnaissance of Google beginning the previous April; these intrusions fit earlier patterns seen by other American and European companies and government agencies.162

In 2007, the British counterintelligence and security agency MI5 took the unprecedented step of writing 300 business leaders, warning them of state-sponsored economic espionage efforts by China. The letter did not recommend stopping doing business with China but noted that the espionage was highly sophisticated and "designed to defeat best-practice IT security systems." The United Kingdom's critical infrastructure operators, including telecommunications companies, financial firms, and water and power companies, were all warned of the potential dangers.163

Other nations continue to spy on U.S. industry. Recent federal reports on foreign economic and industrial espionage show, for example, Iranian, Iraqi, Russian, and Israeli activity, and so it might seem that China does not pose a more serious threat than other nations. One must keep in mind that China's approach to industrial espionage involves the collection of lots of pieces of information, "an inefficient, but not ineffective" system according to the U.S. government.164 The Chinese system of enlisting civilians in industrial spying efforts165 means that China's ability to perform economic espionage runs on a scale different from other nation-state players.
