After having spent the better part of his 17-year career advising groups from NATO to the Palestinian Authority on issues of cybersecurity, development, and governance, Rafal Rohozinski has been known to say that computers can potentially cause more damage than a nuclear bomb. The cybersecurity expert, who serves as CEO of The SecDev Group, a global security and research firm, points to a 2009 report titled "Tracking GhostNet" that he and his associate Ron Deibert authored as an example. In it they detailed the Chinese cyberspying that infected 1,295 targets in 103 countries. Several of the targets were high level and included embassies, news media organizations, and even the Dalai Lama. While the saga of China versus Google has certainly awakened Net citizens to the possibility that the virtual world consists of more than Facebook, it isn't altogether clear how the Google hacking or a Google pullout from China could affect the rest of the globe. Rohozinski, who's consulted with Google on the issue of censorship, spoke to NEWSWEEK's Jessica Ramirez about where the Google issue stands now and what it may mean for the future of cyberspace. Excerpts:
Ramirez: How did Google come to see there was a problem and how did you get involved?
Rohozinski: Google became aware of it themselves, through their inside sources. At the time, we didn't know that Google had been hit. They reached out to Ron Deibert and myself because the modus operandi of the attacks was very similar to what we discovered with GhostNet, and they wanted to know what we could share that might be applicable to their in-house investigation. We had already been in touch with Google about the larger problem of censorship that companies face when working in a country like China. As it turns out, the type of attack appears to have been very similar.
How does someone manage to hack into Google of all places and get caught in the act?
Everyone in cyberspace leaves digital droppings, and attackers are no different. It's a domain described by data and it gives you patterns for what has happened, even if you can't identify the specific individual responsible for it. And we can't actually say they've been caught. What we can say is that the attacks appear to be emanating from a physical network from that part of cyberspace which belongs to the jurisdiction of China. That's the frustrating part of this. Cyberspace offers attackers the ability to always hide behind the ambiguity of attribution. Up until now, international law has chosen to apply the criminal justice standard of evidence, which means that unless you're able to identify specific individuals in a jurisdiction, you don't really have a case.
Google is still scanning its internal networks. Is there reason to believe there are still breaches to be found?
In our experience, rarely is there one singular breach. Usually, there are multiple vectors which are targeted, whether it's a government or business, largely because that's the best way to have a successful attack. That Google is taking a heightened view of scanning its internal networks should be expected.
There's some talk that this was an inside job via one of Google's Chinese offices. What's your take?
You have to look at this by analogy. The most successful fraud overall, whether it's banking, mortgage, government, whatever, is usually an inside job. That's because those on the inside have the trust, the access, and know the system well enough to cover their tracks.
Google has essentially said it is taking a stand against China's growing censorship, but censorship existed when the company went into China. So is this a stand against censorship or against the hacking of their system?
I think Google has always been concerned about its position vis-à-vis China, but, like most companies, realized it was too big of a market to ignore. I think in 2006, much as today, they believed that engagement is better than exclusion. Sometimes you can do a lot more from the inside than from standing at the barricades. I think they went in with their eyes wide open. At the same time, [Google cofounder and president] Sergey Brin has been on the record about his deep discomfort with that. He emigrated from the Soviet Union and understood what kind of a system China is from a political and information-control point of view. I think the cyberspying was very much a trigger for that broader angst they'd been having over censorship. They simply chose their moment well, with the breaches, and making the stand they made should be praised. If nothing else, it has really focused attention on this issue. I think it's woken up governments and our administration to the fact that this is a policy issue that can no longer simply be left to the techno geeks.
Whether it's censorship or cyberhacking, it's safe to say these are growing problems. What could this latest attack signal regarding the future of cyberspace?
I think our awareness of the value of intelligence on a state-to-state level decreased in the last 15 years as we focused on nonstate actors like Al Qaeda and others. We forgot the fact that this type of intelligence was always a state business. This was one of the great secrets of the Cold War, the sheer amount of dollars and energy expended on spying by the Soviets and the United States. For the large part, the most successful agents weren't human spies, it was signals intelligence. So the fact that now we're cognizant that cyberspace is the place for states to conduct intelligence against each other is a lot of new, but also a little bit of old. I think the interesting thing, when we talk about signal intelligence, is that it was once about setting up satellites to microwave up conversations between people in the Kremlin. With the advent of cyberspace, we don't have to build satellites in space. We have to build code. And these activities don't have to be run by the government. The government can and does outsource to other groups.
There are still millions of Gmail accounts that belong to Chinese users. If Google leaves, what happens to those loose ends?
This depends on how China reacts, should the pullout happen. One possibility is that the Chinese authorities will seize this as an opportunity to actually have a broader review of their policies and practices within China. The second option is the Chinese authorities will call Google's bluff and say, "If you are not willing to play by the rules we have set, then thank you, but you can close up shop." The third option is, if Google shuts down Google.cn and their offices there, what does that mean regarding their ability to provide services within China? Will China say, "If you aren't going to operate in our territory with our rules, then we will not give you access to, for example, indexing information within our cyberspace or allowing Chinese users to maintain existing e-mail accounts on Google"? If that were to happen, then we will enter a new era of the Internet.
What kind of era?
Up until now, Google, Facebook, and others have made their money and based their business on the openness of the Internet, whether it's here, or China, or the Middle East. If that were to go away, we would be moving away from a global Internet cloud into an era of many clouds. That more than anything should make our leaders very uncomfortable.
What would that Internet look like?
Although we've been quick to see the threat on our security that emanates from cyberspace, we have been very slow to see how important an open global Internet is to world issues that range from Iran to Haiti. The horse has left the gate on the issue of whether there's censorship in cyberspace. The question now is, will this space have borders in it? In this case, that means that China starts to censor what Google can access in Chinese cyberspace. The ability of search engines that previously operated globally to provide services globally would no longer be the case.
How do you think the Google versus China saga will ultimately play out?
I think the Chinese leadership is willing to sacrifice economics on the altar of politics and not losing face in this situation. But it won't be a small step to say, "Google, you can go." Note the fact that the Chinese have yet to make any significant political pronouncements on this. I think the likely outcome there will be an attempt for long-term low-key talks on this issue, hoping it will essentially go away before someone has to make a very serious decision about it.