Why More Human Rights Groups Are Getting Hacked Than Ever
As government surveillance tools get more sophisticated in the cyber arms race, humans rights groups are defenseless.
Protesters demonstrate against Chinese governemnt persecution of the Falun Gong. Image: William Murphy/Flickr
A new report released today by the University of Toronto's Citizen Lab—a multidisciplinary research organization specializing in cyber security, hacking, and online surveillance—shows state sponsored hackers are targeting human rights groups and political dissidents with impunity.
For the sake of their research, the Citizen Lab boils all of these groups and causes down to what they call civil society organizations (CSOs). According to the report, those group face serious attacks. "CSOs face the same threats as the private sector and government, while equipped with far fewer resources to secure themselves," Citizen Lab wrote.
The report, entitled "Communities@Risk: Targeted Digital Threats Against Civil Society" focuses on cyber attacks that are quite clearly targeted and politically motivated. These attacks are "focused on specific targets, they persist over a period of time, and they are motivated by political objectives."
It cites evidence from as far back as 2002, of attacks being levelled against ethnic minorities in China, along with religious minorities like Falun Gong.
As for where these attacks are coming from, the report is careful to note that government-sponsored attacks are "often elusive," meaning that analysts can often connect some dots to blame cyber-intrusions on a particular state, like China, but said governments are usually good enough at hiding their tracks to make proving their culpability near-impossible.
In addition to the aforementioned cyber-attacks on Chinese minorities who oppose the current regime, the report also uses attacks on "Syrian opposition groups" in 2012 as a case study. The Citizen Lab directly helped to research the cause and origin of these attacks on Syrians.
The opposition members in question first felt something was awry with their computer security when "suspicious messages and social media postings [directing] them to download documents and programs purporting to contain useful information" started to appear on their devices. At the time, Citizen Lab research was "able to develop compelling evidence linking the attacks to the Assad regime." Ultimately, it can't be explicitly proven that the Syrian dictator's government was behind the attacks, but the evidence is impossible to ignore.
I spoke to Sarah McKune, a senior legal advisor at the Citizen Lab, about their report. When asked why it's important that people recognize CSOs being targeted by cyber-attackers, McKune explained that these attacks were more significant than most people would guess.
"These are not the kind of attacks that are focused on stealing a credit card number or other financial data for material gain," McKune. "These are persistent campaigns to access the computer systems of an organization over significant periods of time, remaining undetected while seeking out and exfiltrating politically sensitive information. That information could include strategic documents, the personally identifiable information of political dissidents, or real-time surveillance from a device triggered by the attacker."
McKune describes these types of serious attacks as "digital sabotage" which could lead to "physical retaliation" against individuals involved in politically controversial groups if sensitive information, gleaned from cyber-attacks, ends up in their oppressor's hands.
Similarly, the Syrian Electronic Army (SEA) has attacked numerous media organizations and other Western interests, but it has never been proven that they are a direct arm of the Assad government.
The Citizen Lab's report also points out that the market for so-called "lawful intercept" software—as in, surveillance software that allows law enforcement agencies to wiretap digital lines of communication—is "largely unregulated."
This kind of software is marketed by companies like FinFisher and Hacking Team, who are presumably on the lookout for desirable law enforcement clients. But the lack of restriction on very powerful and potentially free speech-crushing tools that aim to provide "turnkey style surveillance solutions" to cops, is absolutely a formula for digital disaster.
Some of the most critical institutions in our society for advancing human rights and keeping abuses in check are in a state of digital erosion
To put it in perspective, one of the key tools used in the nauseatingly-named "Fappening" leak of celebrity nude photos stolen off of their iCloud accounts, is "Elcomsoft Phone Password Breaker." EPPB, as its known, is a piece of software designed in Russia which is intended to be sold only to law enforcement clients. It is, however, readily available online to whoever knows where to look, and how to use it.
The report is admittedly "China facing," meaning that most of the data the group studied pertained to groups who were in opposition to the Chinese government. But given the amount of surveillance software being distributed the world over, this issue is clearly of global significance.
As McKune herself said, this report has "only uncovered the tip" of this problem, and yet, "some of the most critical institutions in our society for advancing human rights and keeping abuses in check are in a state of digital erosion."
The fact that most of attacks on CSOs go undetected within the networks of the organizations being targeted indicates that these kinds of pervasive surveillance operations are more widespread than most people would imagine. And this strikes at one of the fundamental issues that the report has uncovered: who can help these targeted groups?
Yes, CSOs are critical to the furthering the evolution of human rights globally. But goodwill doesn't buy expensive security consultants.
I posed that dilemma to McKune, who wrote, "There is no easy solution to the problem of targeted digital threats, and for efforts to control it to succeed, stakeholders from multiple sectors need to step up to protect the interests of society as a whole."
"Private companies can explore pro bono models of support to CSOs, sharing threat information or technology to enhance digital security across the board," she continued. "Governments must credibly address attacks against CSOs in their domestic policy and international diplomacy, and take steps to reign in the market for commercial spyware."
The report also notes that CSOs should be diligent when it comes to logging suspected attacks so they can keep a record and check for patterns; they should also group together with their financial backers and partner CSOs to develop a groupthink approach to finding solutions; and lastly, CSOs should foster a "culture of digital security awareness" within their institutions.
It's easy to view it all as a hopeless situation, when so much of the firepower is stacked on the side of cyber-attacking groups that are rich enough, or simply just willing enough, to obtain "lawful intercept" equipment to spy on CSOs. I say "willing enough" because large amounts of money are not necessarily a factor, given the unregulated nature of the spy software market.
And this is the crucial Pandora's box that's been created by all of the mass surveillance technology proliferating in our world: political dissenters and free speech activists lose. And they lose hard.