GhostNet Cyber Espionage Network Potential International Issue For Official Use Only

May 2009

Example Legislation Researchers at the Information Warfare Monitor uncovered a suspected cyber es- pionage network of over 2,000 infected hosts in 103 countries. Approximately 30 Computer Trespass 1-52-4.1 – (a) It shall be percent of the infected systems are considered high value targets . These systems unlawful for any person to use a computer or com- include computers located at ministries of foreign affairs, embassies, international puter network without authority and with the intent organizations, news media, and NGOs. Principal investigators on this research to: (6) Make or cause to be made an unauthorized copy, in any form, including, but not limited to, any effort were - Ron Deibert and Rafal Rohozinski. In their report and during a recent printed or electronic form of computer data, com- presentation at InfoWarCon and in testimony by Rafal Rohozinski before the U.S.- puter programs, or computer software residing in, China Economic and Security Congressional commission is was stated the follow- communicated by, or produced by a computer or ing. computer network. (Provided as a reference interpretation only!) “This phase of the investigation focused on the discovery of the command and control serv- ers. We were able to identify and connect to the control servers used by the GhostNet by Three Potential Responses analysing the data from the OHHDL obtained during the field investigations carried out in Phase 1. During this process we were able to find and access web-based administration

1. China could continue with full denial of the acts interfaces on the control server identified from the OHHDL data. These servers contain links of espionage as they are currently doing. to other control servers as well as command servers, and so therefore we were able to enu- merate additional command and control servers.”

2. China could bring criminal charges against the researchers claiming electronic trespass and theft. The report goes on to say that IP addresses of the control servers that they exam- There is also the potentially to involve others who ined were traced back in at least several instances to China’s Hainan Island, home received the data/information/intelligence claiming receiving or possession of stolen property of the Lingshui signals intelligence facility and the Third Technical Department of the People’s Liberation Army. 3. China could claim the unlawful access and op- eration of there servers web-based administration An issue has surfaced relating to the use of the web-based administration inter- violated China’s sovereign territory and constitutes faces on the control server. While one account states that “they did not have to an act of cyber aggression against the country and hack the server because there was no firewall in place, the actions used to further retaliate. the investigation and collect data/information/intelligence may be considered a The massive amount of media and political atten- criminal act. The actions may be considered criminal within the context of tion decreases the likelihood that China will sit “electronic trespassing” - an evolving gray area of law. The common law doctrine back and take the first option present above. If of trespass to chattels has recently been revived and applied by courts in the China were to choose the second or third option, United States (US) to cover intrusions (in the form of electronic signals) to com- the political and security implications are signifi- puter systems connected to the Internet. This has had unexpected and far reach- cant. ing consequences. Trespass to chattels, a doctrine developed to protect physical The rules of engagement for cyber space are basi- property, was first applied in cyberspace cases to combat spam, and hacking. The cally non-existent. Military, Governmental and outcomes and reasoning in the most recent cases also illustrate the impropriety of Legal authorities need to thoroughly review this a property doctrine that analogizes telecommunications devices to land and con- situation and provide guidance on this issue. Fur- strues electronic contact as trespass to physical property. thermore, a full cyber aggression doctrine must be created now to reduce the possibly of triggering an international cyber conflict. If the actions are considered a criminal act, the data/information/intelligence would be the result of illegal actions and may even be considered stolen property owned by the Peoples Republic of China. Given the recent briefings to U.S. govern- ment organizations (said to include NSA) by Rafal Rohozinski, China could claim The Technolytics Institute the U.S. (the briefed organizations) are in the possession of data/ informa- 4017 Washington Road tion/intelligence illegally obtained from them. If China were to make these claims, Mail Stop 348 their action and resulting outcomes could directly impact the United States cyber McMurray, PA 15317 P 888-650-0800 security and operations as well as be used by the Chinese to damage the image F 412-291-1193 and reputation of the United States in the cyber and political domains. I www.technolytics.com Confidential & Proprietary © Copyright 2001-2009