Black Code: Inside the Battle for Cyberspace (27 page)

In July 2011, the
Washington Post
reported on a U.S. Air Force contract solicitation for a surveillance system to be employed in Iraq, designed to intercept calls and messages in order “to assist in combating criminal organizations and insurgencies.” It specified that the product must be capable of maintaining a database of “a comprehensive catalog of targets, associates and relationships … With mapping overlays, it should have the ability to locate targets being monitored and a warning alarm of less than 10 minutes if two or more targets come within a defined distance of each other,” the
Post
reported. An Air Force spokesperson said that the technology is similar to that used by American federal and state law enforcement agencies, and that its use would be protected by Iraq’s “stringent surveillance laws.” A Human Rights Watch report disagreed, finding Iraq’s “information crime laws” to be “part of a broad effort by authorities to suppress peaceful dissent by criminalizing legitimate information sharing and networking activities.”

In 2012, an investigation undertaken by
Swedish television producers uncovered a huge surveillance market in Central Asia being serviced by the Swedish Telecom giant TeliaSonera, which had
allegedly enabled the governments of Belarus, Uzbekistan, Azerbaijan, Tajikistan, Georgia, and Kazakhstan to spy on journalists, union leaders, and members of the political opposition. One whistleblower told the producers, “The Arab Spring prompted the regimes to tighten their surveillance … There’s no limit to how much wiretapping is done, none at all.”

In October 2011, Bloomberg News provided a striking overview of the technologies used in Iran to quell dissent and create a climate of fear and self-censorship. As elsewhere, apprehended activists were routinely presented with transcripts of their mobile phone calls, emails, and text messages. After examining more than 100 documents and conducting dozens of interviews with technicians and managers who worked on the systems,
Bloomberg concluded that the technology was provided to Iranian authorities by Stockholm-based Ericsson, Creativity Software of the United Kingdom, and Dublin-based AdaptiveMobile. Ericsson had pitched a sophisticated tracking system to the Iranian mobile operator MCI, which it said could assist law enforcement to track users and archive locations for later analysis.
Nokia Siemens Networks faced an international “No to Nokia” boycott, EU Parliamentary hearings, and a lawsuit filed in U.S. courts (but eventually dismissed) by relatives of imprisoned Iranians for selling its communications intercept products to Iranian law enforcement. The Bloomberg story quotes an imprisoned activist, Mansoureh Shojaee, who was shown transcripts of her own communications while being interrogated in Tehran’s notorious Evin Prison: “My mobile phone was my enemy, my laptop was my enemy, my landline was my enemy,” she said.

On January 15, 2013, Citizen Lab researchers used a combination of technical interrogation methods to scan the Internet to look for signature evidence of censorship and surveillance devices associated with the American company, Blue Coat Systems. While our
investigation was not exhaustive, what we did find raised alarm bells. We identified 61 Blue Coat ProxySG (designed for filtering and censorship) and Blue Coat PacketShaper devices (used for surveillance) on public or government networks in countries with a history of human rights abuses, surveillance, and censorship. Although both of the products have legitimate uses, their deployment in such contexts should be cause for everyone’s concern.

Bloomberg News and the
Wall Street Journal
have sections on their websites – “Wired for Repression” and “Censorship Inc.”, respectively – dedicated to the rapidly expanding cyber security industrial complex. Tools to track cellphones, deep packet inspection, social network analysis, and computer network attack and exploitation are being developed by firms the world over and sold to regimes seeking to isolate and arrest dissidents and activists, and to strengthen strangleholds over communications within their borders.

•  •  •

Can this market be regulated?
Would export restrictions of the sort placed on advanced munitions make a difference?

In September 2011, the EU Parliament passed a resolution that bans the export of information technology systems that can be used “in connection with a violation of human rights, democratic principles or freedom of speech … by using interception technologies and digital data transfer devices for monitoring mobile phones and text messages and targeted surveillance of Internet use.” A strong and principled position, but far from flawless.

The same deep packet inspection systems used to spy on Libyan or Bahraini activists have legitimate purposes, like controlling against spam and other malicious flows of communication, but it is highly debatable that these functions are separated out by regimes
and agencies not transparent about how they employ them. American political scientist Milton Mueller has argued, “The problem with this approach is that
information technology, unlike bombs or tanks, is fundamentally multi-purpose in nature. You cannot isolate ‘bad’ information technology in order to control bad uses. There is no technical difference between the devices and services for digital surveillance used by the Chinese and Iranian governments and those used by the American, Canadian, French or British governments. The same capabilities inhere in all of them.”

Moreover, attempts to regulate do not get at the root of the problem – the demand for such technologies. And this brings us back to the responsibilities the West has in driving the cyber-security industrial complex forward in the first place. Since 9/11, and with unrelenting momentum, liberal democracies have moved towards the normalization of what Yale University law professor Jack Balkin calls “the national-surveillance state.” Whereas once it was fashionable to argue that the Internet would bring about the end of authoritarianism, how cyberspace is now being used and, more specifically, the new and emergent tools and tradecraft of surveillance and targeted attacks, suggest just the opposite. Summarizing Balkin’s concerns, a 2012
New Yorker
essay reported that since 9/11 the U.S. has witnessed “the emergence of a vast security bureaucracy in which at least two and a half million people hold confidential, secret, or top secret clearances; huge expenditures on electronic monitoring, along with a reinterpretation of the law in order to sanction it; and corporate partnerships with the government that have transformed the counterterrorism industry into a powerful lobbying force.” More or less the same tendencies towards illiberal policies can be found in countries like Canada, across Europe, and parts of Asia. As long as law enforcement and intelligence agencies in such countries continue to drive demand, the cyber-security industrial complex will continue to expand
worldwide and the surveillance society will be a fact of life at home and abroad.

•  •  •

July 2012
. Bahrain’s already restrictive media controls are ratcheted up. Bloggers and activists are increasingly at risk, many of them arrested and sentenced to lengthy prison terms for criticizing the regime or using social media to organize opposition campaigns. Once again Bahraini activists report experiencing targeted phishing and malware attacks, some of genuine sophistication, and dissidents arrested by authorities are presented with transcripts of their own text messages during interrogations.

The Citizen Lab’s Morgan Marquis-Boire is contacted by Vernon Silver, a Bloomberg investigative journalist who has received what he believes is a high-grade trojan horse that has been menacing Bahrain’s Net dissidents. Marquis-Boire contacts the Lab’s security analyst Seth Hardy, a man who spent many years in the antivirus industry reverse-engineering sophisticated malicious software. What he sees is unprecedented in its complexity, its cloaking features “several orders of magnitude better than anything I have ever seen,” says Hardy. This produces palpable excitement in the Lab, and Marquis-Boire seeks me out on a secure channel of communications. He describes the malware’s sophisticated features, especially the way it masks itself within a computer, and then says that he was able to unravel a signature that connects the malware to its manufacturer. “We know who made it,” Marquis-Boire says. “We have proof that it is Gamma’s FinSpy.”

A zero day no more.

June 3, 2011
. A video is posted on YouTube from those outlaws of the Net: Anonymous. It is a still image of a now-classic Anonymous poster: blue and black shading, a frightening looking lineup of men in suits topped with question marks where their heads should be. Hovering above is the overlord Guy Fawkes, brim down, covering his gaze in menacing fashion. Underneath, in large letters, is the caption “Expect Us.” A computerized voice-over, backed by a pulsating symphonic score, is addressed directly to the world’s largest and most formidable military alliance: “Good evening, NATO. We are Anonymous. It has come to our attention that a NATO draft report has classified Anonymous a potential threat to member states’ security, and that you seek retaliation against us.”

The voice-over then offers up a critique of the NATO draft document, alludes to recent Anonymous hacks of the private American security company HBGary, and in short, clipped sentences makes its threatening concluding argument:

Less than a year later, in an Anonymous signature moment, the movement posts an intercepted recording of a conference call between the FBI and Scotland Yard. The topic of the conference call? Anonymous itself. The call starts out with a few casual exchanges – jokes and observations about the weather – before moving on to the topic of rounding up people suspected of links to Anonymous, little doubt those behind the intercepted recording itself.

YouTube videos and other online statements such as these have become part of the Anonymous brand: brazen, irreverent, and almost always juvenile. Their videos typically include an ironic mixture of do-it-yourself editing tricks, silly Internet memes, pop
culture allusions, and X-rated vulgarity topped off with petty anarchism. Part of me enjoys the videos, particularly those like the one about NATO that take a swipe at the defence and intelligence establishment. But another part of me sees them in a more troubling light. I am not so interested in the “who?” of Anonymous but in what their fight represents: resistance and rage against a state-security lockdown of the Internet. With each new video, each new Anonymous breach, a little part of me shudders, and I think of the other shoe dropping. At what point will taunts directed at the CIA, or NSA, or FBI finally wake up the bear? How long will they tolerate such open challenges to their power and legitimacy? And when they do lose patience – and no doubt they will – Anonymous will play right into their desire to do away with anonymity online altogether.

Part of me also thinks of the strategic benefit of Anonymous to those in power. As a child of the Watergate era – and an admirer of conspiratorial 1970s films about the dark forces pulling strings behind the scenes of government:
Three Days of Condor, The Parallax View, All the President’s Men –
I often wonder just how many of the attacks for which Anonymous takes credit are actually the work of the very intelligence agencies being targeted? As Harvard law professor Jonathan Zittrain puts it, “Anonymous could be anyone, it could be the government, we don’t know.” Indeed, it would not be difficult to imagine a clandestine operative working for the Americans or the British or another government seeding an AnonOp, the name given for operations undertaken by Anonymous. How about one that meddles with an adversary by giving them a taste of their own medicine? Could this have been what was behind Anonymous’s March 2012 sudden preoccupation with China? As The Who’s “Baba O’Riley” played over and over again on defaced websites containing links to circumvent Internet censorship, an Anonymous screed warned the Chinese government
that it is “not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall.” At that very moment, several Chinese companies experienced data breaches, the stolen data posted to file-sharing sites. A taste of China’s own medicine?

•  •  •

By most accounts
Anonymous’s origins stem from the 4chan message board, one of the many dark alleys of the Internet, like a Lower East Side of cyberspace where every delinquent, off beat, perverted taunt is not only tolerated but applauded. Anonymous spilled out of 4chan as a social movement in 2008, sparked when a decision taken by the Church of Scientology was viewed as a step too far across the breach of Internet morality. The Church sought to quash embarrassing online videos circulating across the Internet in typical meme-like fashion of a giddy Tom Cruise proclaiming his adherence to Scientology. A group calling itself Anonymous appeared, donned the now-familiar Guy Fawkes masks, and then started taunting the Church, both across the Internet and on the streets of cities throughout North America and Europe.