Since its early days, the internet has been a digital environment for communication across wide distances, a repository of shared files, and a place of shadowy exchanges of digital media of dubious ownership. The internet has exploded in use and user base since the mid to late ’90s, with a near-total penetration into our lives, including things like interpersonal communication (email, social media, instant messaging, videos, and video-conferencing), gaming, researching information (does anyone still remember looking things up in an encyclopedia?), banking, shopping, entertainment (both movies and music), and a wide variety of other activities. Our work lives are also shaped around a computer. When I worked in my first office job, as a student, there were 2 computers in the entire office of 30 people. Can anyone imagine walking into an office and not seeing a computer in today’s workplace? All of our information, in governments and corporations, in doctors’ offices and in hospitals, is maintained in digital format, on computers. Things like our power grid, commercial and military aircraft, and even seemingly simple things like our traffic lights are all governed by computers. But how secure are these systems? In movies and the media, we hear about rogue “hackers” causing chaos by breaking into systems to either steal information or damage the systems, but is it more than just the odd rogue criminal? Are the governments of the world, through their intelligence agencies, becoming involved in a cyberwar, fighting battles of national interest in the digital domain? Are corporations, likewise, battling each other via corporate espionage and even sabotage efforts on digital assets? And if they are not, how long until they do?
As with any activities of special forces and intelligence agencies, teasing out what we suspect has happened is not as simple as reading a press release. Rarely will a government even acknowledge that espionage resources exist, much less that they are actively involved. There have been, though, examples of some actions that we are aware have happened.
In two separate incidents, during the early stages of the Russian invasion of parts of the Ukraine, the Ukrainian power grid was sabotaged by digital warriors. Whether it was done by members of Russian groups in the Ukraine (sponsored by Russia) or by Russian intelligence operatives, we don’t know for sure. We do know that the incidents certainly hindered the Ukrainian government’s ability to deal with an active insurgency and military invasion. Later, in 2016, it appears that Russia initiated an extended effort to breach the American electrical grid systems (as a scouting mission and proof of ability), which they did achieve. There was a point where they could have done damage to the US electrical grid during this exercise. In March of 2018, then Energy Secretary Rick Perry said that cyberattacks were happening “literally hundreds of thousands of times a day”. Notwithstanding the possible hyperbole, it is obvious that the US government considers this to be a risk, but is it just limited to Russian malfeasance?
From what else we know, it is quite clear that the Russians are far from the only nation playing this game. The Chinese have an infamous unit known as PLA Unit 61398 whose existence they have never formally acknowledged. China did not even admit to having any cyber capability until 2013, and even then, they have maintained the typical vagueness that one would expect from any government-run intelligence operation. They have been suspected of stealing a wide variety of technological information from both the US military and an unknown number of corporations. It is more than a mere coincidence, I am sure, that much of the new Chinese military equipment resembles American military planes and ships.
Rick Perry, in his speech, also indicated that the US should develop both the capability to defend against these attacks and the ability to engage in them, but is this demonstrating either misdirection by Perry or ignorance of what the US agencies have been up to?
In 2010, while Iran was engaged heavily in refining uranium for use in their nuclear weapons program, a malware program that was later known as the Stuxnet Worm infected Iran’s centrifuges. It disabled their safety cut-off protection and then ramped the centrifuge speed up too high, causing the destruction of an estimated 20% of Iran’s centrifuges and hindering the Iranian nuclear program. Nobody has claimed responsibility for the cyberweapon, though it is suspected to have been a joint project by the governments of the US and Israel. After Russian intelligence agents debriefed Edward Snowden, the American contractor who sought asylum there after blowing the whistle on various intelligence-gathering programs that the US government was engaged in, the Russians purchased 100 typewriters for their Kremlin Security department. That is a pretty good indicator of exactly how invasive the US cyber-intelligence activities have been. We don’t know exactly what they learned from him, but it was enough to have them remove some of their most sensitive information from digital storage and to put it all onto paper.
So, what does that leave for us? Is it inevitable that we live in a world where corporations and governments are hacking each other’s systems to steal information or sabotage equipment? Let’s be honest, we were doing this physically for centuries before, so to expect these agencies not to engage in this sort of behaviour in the digital realm is illogical. It does, however, raise concerns about decisions that are being made by both corporate entities and government agencies. We know from past experience that China’s HTC has shipped equipment to our country (and others) that had security breaches embedded in the firmware (the programs that control the basic-level operations of the hardware), and we know, thanks to Snowden, that the US has secured the complicity of all the major US tech companies to insert backdoors into their products for the US intelligence agencies to use. Why are we not engaged in helping our own tech companies to thrive by identifying them as strategic interests and supporting their growth with a domestic marketplace? We should block such identified tech companies from foreign ownership, or restrict it to a limited percentage, and we should give preference to these technology companies. To do otherwise is to surrender our sovereignty to foreign nations who might not always have our best interests at heart. Ignoring the reality of what has been happening in the digital world does not shelter us from the realities that occur. Our government should be engaging in every effort possible to ensure that our privacy and security are being protected, and that means hardware being provided by Canadian companies that have a level of oversight to ensure our protection.
Éamonn Brosnan is a research associate with the Frontier Centre for Public Policy.