Denial of Democracy Attacks

[As ever you can read this on the BBC News website]

In common with other administrations the UK Government is concerned about the security of the realm and its ability to cope with natural disasters, foreign aggression and terrorism.

Over the years the importance of computer systems, networks and of course the internet has become apparent even at the highest level of the administration, so it is unsurprising that the National Security Strategy announced by the Prime Minister last week contains a number of references to the network and to the growing fear of what they call ‘cyber-attack’.

The strategy notes that ‘the internet is itself a trans-national, fast-changing and loosely-governed entity, but is also part of our critical national infrastructure’ before stating the obvious by pointing out that ‘it is both a target and an opportunity for hostile states, terrorists and criminals’. (p21)

Amidst the platitudes about ‘new and sophisticated technical attacks, attempting to penetrate computer networks through the internet’ (p16) and a commitment to ‘support international efforts to monitor and protect the safety and security of new technology’ (p54) there’s little of real substance.

After all, promising to work with ‘international, public, and private sector partners to ensure that our government systems and critical national infrastructure are adequately protected against cyber-attack’ (p54) is not so much a strategy as a vague aspiration.

And in a world where even the largest and wealthiest companies worry about their susceptibility to distributed denial of service attacks from multi-million computer botnets, what chance does the UK government have of offering any realistic protection?

Let’s not forget that the Revenue and Customs website where people submit their tax returns crashed earlier this year just because people wanted to use it.  I somehow doubt it would withstand a concerted attack from one of the larger criminal gangs.

It’s also important to appreciate that it isn’t only the ‘critical national infrastructure’ that needs to be protected here.  Millions of people now rely on the internet in their daily lives, whether they are banking or shopping or earning a living or just keeping in touch with friends.

And more and more political and campaigning groups are using the network to organise, agitate and push for change.

Sadly it is quite clear that at the moment such groups have no real protection, as a number of them have found out recently.

Since the latest round of protests over the Chinese occupation of Tibet several groups campaigning for Tibetan independence have reported that their computer systems are under attack.

Rather than the obvious denial of service attacks, where millions of fake requests for information are made to a website so that it is unable to cope and either crashes or becomes too slow to serve real users, these intrusions are more subtle.

Activists at the International Tibet Support Network are being sent emails that appear to come from sympathetic organisations, with attached documents containing statements of support or evidence of human rights breaches by the Chinese government.

When opened the documents, which can be Word, Excel or PDF files, use common security holes to try to install programs that will monitor the user’s online activity and send information back to a well-known Chinese website that has been used in the past for this sort of surveillance.

The details have been uncovered by security firm F-Secure, and it is clear that the goal here is not to damage the computer systems but to bug them.

This is a worrying development, not least because many of the pro-Tibet groups are small and under-resourced, so they are more likely to be running old computers that have not been properly patched.

And since the emails involved look like they come from sympathetic sources they are more likely to be opened by staff who may not be suspicious until it is too late.

The attacks are not limited to pro-Tibet groups.  In the US the Save Darfur Coalition has asked the FBI to investigate its suspicions that its email server had been hacked into.

According to spokesperson Allyn Brooks-LaSure the attack came from computers with IP addresses in China, and he believes that ‘someone in Beijing is trying to send us a message.’

This may be the case, but we have to be very careful when it comes to claiming that governments are directly behind this sort of attack.

There is no evidence that the emails either originated from or were sanctioned by the Chinese authorities, and they could just as easily have been organised by activists without official backing.

Russia was explicitly blamed for the denial of service attacks on many Estonian computer systems that started in April 2007, but there is no solid evidence that this was state-led cyber-terrorism. In fact it now seems more likely that a few technically-capable individuals were behind it, acting out of misguided patriotism rather than with state support.

Whoever is responsible, the attack on pro-Tibet groups is clever, sophisticated and has probably been very effective. And even if no data is actually sent to China, it will distract attention and resources from the campaign during the next few days and so will make life easier for the Chinese authorities.

Last year’s violent repression of the protests by Buddhist monks in Burma was accompanied by a clampdown on internet access, but this did not affect the photos and videos that were already out there on Flickr and YouTube. China has both the resources and the skills to make online life difficult for groups around the world, even if it is not behind the current attacks.

The possibility of state-sponsored attacks is acknowledged in the national security strategy. On page 21 it notes that ‘as economies and societies grow increasingly dependent on national and global electronic information and communication systems, it becomes even more important to manage the risk of disruption to their integrity and availability through cyber-attack, whether terrorist, criminal, or state-led’.

Yet it is not clear what could be done to offer real protection, especially if the attacks are not openly acknowledged as state-sponsored.  Naming and shaming the governments involved may seem attractive, but it will be difficult to offer conclusive evidence and even when it is available the desire to avoid a diplomatic incident may be too great.

In the end it may be up to individual groups and campaigns to harden their systems, improve their security practices and upgrade their protection in order to cope with attacks from those who disagree with them.  We may be headed for a period in which low-level cyber-warfare between governments and campaigning organisations is just part of the political process.

Perhaps the Prime Minister should show that he’s serious about his national security strategy by offering free security advice and support to any political or campaigning group that asks for it. After all, a strong democracy is one that supports and sustains an active and engaged civil society, and these days that means having a functioning website, a working email address and a secure network.
