A wide-ranging cyberattack that targeted three Canadian government departments and seems to have originated in China has left counter-espionage experts scrambling to determine how much sensitive information might have been stolen and by whom.
CBC News made public on Thursday the results of an investigation that showed the cyberattack was first detected by government officials in early January and involved the Finance Department, the Treasury Board and Defence Research and Development Canada.
The breaches were traced back to computer servers in China although there is no way of knowing whether those who perpetrated the attacks were actually in China or simply routing the attacks through China to cover their tracks.
It's only the latest example of what experts say is a growing threat: global cyber-espionage.
CBC News spoke to Pradeep Khosla, dean of the College of Engineering at Pittsburgh's Carnegie Mellon University and founding director of CyLab, the university's cyber-security research institute, about the nature of such attacks and the need for greater cybersecurity.
CBC: What are the hot spots for global cyberterrorism?
Pradeep Khosla: It's easy to pick on countries like China and Russia or Eastern European countries, but to be honest with you, the Western countries are doing something similar but in a less obvious way. The point I'm making is, anybody is capable; everyone can do it; and everyone is probably doing it. Maybe not cyberterrorism but certainly cyber-espionage.
Why do countries like China, Russia and Pakistan, for example, repeatedly come up in cases of cyberattacks?
To be honest with you, I don't know why. I can see why China would be on the radar – it's a large country, large population, lot of what people call "patriotic cyberhackers" needing access to information. It is flexing its muscle; it's going from being a Third World country to a first world country. I think Pakistan may come up partly because of al-Qaeda; it's not like the government there is sanctioning this. But [Pakistani cyberattacks] might come up as a government-sanctioned program against India, for example.
Are there differences in prosecuting an attack on a country and prosecuting an attack on a company?
I think when a sovereign country supports such an attack, by definition, they will not help you in prosecuting it. But when an individual does it, or a group of individuals does it, against a company or some private entity, the sovereign country where it is happening will prosecute it.
But before we get there, we have to have some unified understanding of what constitutes a crime in this domain, and that everybody agrees to it and is willing to prosecute it.
Are there any international agreements on this?
It's not clear to me. If there is one international treaty that should happen, it should be in the cyber arena, like harmonizing laws and regulations across countries.
Have proposals been put forth?
There's nothing like that. At least I'm not aware of it.
Why do you think that is?
It's a very new area, so there's a lack of understanding at the highest levels of policy-makers. Secondly, there are countries that really may not want to collaborate. As another example, if you look at money-laundering on the internet – if you look at it, of course, money-laundering is a crime, right? Countries that come to mind are Latvia, Romania [and] credit card thefts. And there's no way to prosecute them, because of a lack of a bilateral treaty.
How involved is the U.S. in launching cyberattacks?
I have zero knowledge about that. Having said that, if I were to just conjecture, does the U.S. have the ability to launch cyberattacks, I would say, yes. I cannot imagine the country sitting there not having that ability. Maybe they are developing attack capabilities as a defensive measure.
Do you have any sense of what percentage of cyberterrorism is the work of individual, unaffiliated hackers and what percentage is the work of groups with an ideological agenda?
I don't know, but I'd be willing to bet that the work of individuals — it could be devastating, but it's more about playing a prank. Whereas the work of a group is either to make money or to debilitate a country, like Russia on Estonia, when the attacks happened a couple of years ago.
What are the most common types of attacks?
They're usually worms or viruses, but the worst kind of attack is denial of service. The denial-of-service attack is usually one that occurs against commercial enterprises, like Amazon.com. There, you stop the service from being offered, but you get no access to information. Whereas the goal of these sovereign nations, when they do this, the goal is to get information. Like credit-card thieves, they might not be a sovereign nation, but it's an organized group with a lot of money. Or drug dealers. And when they do this, it's to get credit-card numbers and move money around.
Based on what you've seen, what sort of tactics can we look forward to in the future?
All the con games we play in the real world are happening in the cyber world, too. But that's not the issue. The issue is, this needs to be contained and stopped. And what are we going to do about it? What we need to do is look at a single technology: IP trace-back.
Right now, if you start pinging my computer, you can hide your IP number and you can create a fake number that points to China whereas it's you in Canada that's doing it to me. That thing has to stop. IP trace-back should be a mandatory requirement in every network, end of story. That means, whenever somebody tries to attack me, and I find the IP number of who's doing the attack, I know exactly where that computer is located.
What's the biggest hurdle to establishing such a system? Is it a case of different countries having different jurisdictions?
Yeah, national jurisdiction, but even in the U.S., more than 90 per cent of our IP infrastructure is private, so unless everybody upgrades, it doesn’t work. And what's the mandate to upgrade? None.
I think government has to figure out a mechanism where people have to be somehow encouraged, if not mandated, to upgrade their infrastructure. And industry should be encouraged to build that infrastructure.
Is there anything that individuals can do to mitigate such attacks?
The individual consumer can't do anything, because we rely on technology supplied by big companies and providers. It's a very complicated thing, because half the story is technology, and half the story is policy. And the policy impacts privacy and investments, you know what I'm saying? We haven't figured this out, and it will take 10 years to figure this out. Something bad has to happen for us to figure this out.