Cyberattacks against Google introduce us to a new lexicon. Is this grassroots hacktivism or state-sponsored cyberwarfare? asks Tim Stevens
In 2006, Google sold its freewheeling, geeky soul in exchange for the rights to market its search products in the rapidly expanding internet market of China. “Don’t Be Evil” became “Don’t Search For the Three Ts” – Tiananmen, Tibet and Taiwan – and the California giant entered into a tense few years of Chinese operations. This week it decided enough was enough and, citing “malicious cyber activities”, stopped its self-censorship of search results, forcing the Chinese government either to allow internet users free access to previously barred material, or to revoke Google’s right to operate in China. Google’s meeting last week with Secretary of State Hillary Clinton, and President Obama’s speech next week on internet democracy, can surely not be unrelated to Google’s upping the ante.
Google did not explicitly point the finger at the Chinese state, but its assertions that its networks had been consistently hacked in a bid to disrupt and gather intelligence on human rights activism clearly implied that a concerted effort had been made against it, and that China must have been aware at the very least. Although this is the clearest example yet of a cyber showdown between two global economic giants, the alleged skulduggery revealed by Google is nothing new to watchers of cyberspace. The terms cyberespionage, cybercrime, cyberwar and cyberterrorism are cropping up in security briefings and policy documents more often than ever before.
The menacing-sounding Iranian Cyber Army has attracted substantial media attention in recent weeks. First, they subverted Twitter, then the Chinese search giant Baidu. On each occasion, users were taken to webpages displaying a green Islamic flag and the words “The Party of God Will be Victorious”. This has been widely interpreted as a form of pro-Iranian “hacktivism”, the harnessing of computer hacking activities to a political agenda. We may never know who was actually responsible but they achieved the aim of all political campaigns: publicity. A bit of technical know-how can disrupt internet platforms so effectively that it gets the world talking about possible political motives. It can also provoke counter-attacks: it looks like a low-level conflict between Iranian and Chinese hackers is taking shape. We’ve seen these sorts of activities before, notably during the Israel-Gaza conflict in 2008-09.
In this globally connected era, the internet is used to rapidly disseminate information and disinformation, and to organise physical protests and other forms of political expression. It is commonly assumed therefore that the internet is a driver of democracy. This explains why, in June 2009, the US State Department requested Twitter suspend maintenance activities to allow unimpeded use by Iranian anti-government protesters. In the relatively egalitarian environment of cyberspace however, what’s good for the goose is often just as good for the gander. Grassroots “hacktivism” of this sort is common these days but states and their security agencies are only a whisker behind.
Facebook’s Mark Zuckerberg recently claimed there should no longer be a presumption of privacy in internet communications. His company’s profligacy with its users’ personal details is inexcusable, but he does have a point, and it’s not a new one. If activists broadcast on relatively open channels like Twitter and Facebook, as during the Iranian protests, then the state will surely be listening. Coupled with geolocative data that identify individuals’ whereabouts, the advantages for rapidly “swarming” crowds are not much greater than the state’s own surveillance opportunities. The information streams upon which protesters rely can be sown with disinformation and engineered remotely. Cellphone cameras and handheld video provide on-the-spot visual evidence of people’s actions and identities. It may have taken a little time for governments to realise this, but far from being disadvantaged relative to more agile and dispersed networks of dissent they can, with skill and experience, use these data flows to their advantage.
When high-profile hacktivism occurs, journalists and pundits are quick to ask, “is this cyberterrorism?”, to which, in this case, the answer is almost certainly “no”. Governments are, however, deeply concerned about two types of cyberterrorism. First, that terrorists will remotely attack and degrade critical infrastructures like power, water and transport systems. The possibilities are endless, the likelihood low. Second, the use of the internet to radicalise and recruit people to terrorist movements like al-Qaeda and global jihadism. Evidence from a stream of recent court cases suggests the internet often plays a role in the passage of individuals from peace to violence. The internet may not be the cause of violence per se but as a vehicle for some unsavoury ideas its importance is hard to dispute. Few countries, including in the West, have not considered or implemented measures to suppress this type of online behaviour, and these numbers will increase.
So far, we have discussed what, in the security literature, are referred to as non-state actors, and the reactions of governments to them. But what of inter-state conflict? The tools and techniques of hackers and hacktivists could in theory be used by states against one another in order to disable critical networks, disarm military systems, and coerce a country and its citizens into submission. An “arms race” is underway and military spending on “cyberwar” grew to $8.12bn last year, the majority attributable to the US. Other countries with known offensive cyberwar capabilities include China, UK, Russia, France, South Korea and Israel, and many more have similar abilities.
Although well below the public radar, there are active discussions about cyber arms control, cyber deterrence, and the militarisation of cyberspace as a means to combat various undesirable actors. It’s a murky business. If we cannot attribute responsibility, against whom should we react when attacked? If State A outsources its hacking capabilities to cybercriminals, can State B retaliate against State A’s citizens? What are the thresholds for declaring cyberwar, and what rules govern its conduct? There is currently no firm legal framework that satisfactorily deals with this complex and transnational multi-actor environment, and no well-documented examples provide lessons as a basis for one.
What is clear is that conflict has definitely come to cyberspace. The wave of national cybersecurity strategies unveiled in 2009 and coming on-stream in 2010 all demonstrate governments’ desires to defend against a variety of criminal, terrorist and military attacks, and to develop their own offensive capabilities too. The legal, moral, ethical and political implications are poorly understood, and the social ramifications problematic. Cyberspace technologies hold great promise for the future of average citizens, but their potential will also be exploited by governments and the bad guys.
Tim Stevens is an Associate Fellow of the International Centre for the Study of Radicalisation and Political Violence, King’s College London