By Kim Hart
Washington Post Staff Writer
Thursday, August 14, 2008; D01
As the violence unfolded between Russia and Georgia during the past week, hackers waged war on another front: the Internet.
The Georgian government accused Russia of engaging in cyberwarfare by disabling many government Web sites, making it difficult to inform citizens quickly of important updates. Russia said that it was not involved and that its own media and official Web sites had suffered similar attacks. Although a cease-fire has been ordered, major Georgian servers are still down, hindering communication in the country.
Some Georgian officials, bloggers and citizens were able to work around the disruptions, sending text messages to friends in other countries using Web sites hosted by servers in the United States, Poland and Estonia that are less likely to fall victim to a cyberattack.
Concerted online attacks have been a threat for years. But security experts say the "cyberwar" between Russia and Georgia underscores the havoc that can spread on a digital battlefield. It also highlights how vulnerable Web-reliant countries are to assaults that could cripple military communications or a national banking industry.
The attacks against Georgia's Internet infrastructure began nearly two months before the first shots were fired, according to security researchers who track Internet traffic into and out of the countries. Such attacks, known as "denial of service" attacks, are triggered when computers in a network are simultaneously ordered to bombard a site with millions of requests, which overloads a server and causes it to shut down.
"In terms of the scope and international dimension of this attack, it's a landmark," said Ronald J. Deibert, director of the University of Toronto's Citizen Lab, which has nearly 100 researchers mapping Web traffic through several countries, including Russia and Georgia. He said small-scale attacks have occurred between the countries since June. "International laws are very poorly developed, so it really crosses a line into murky territory . . . Is an information blockade an act of war?"
Cyberattacks can be launched cheaply and easily, with a few hundred computers and a couple of skilled hackers. Simpler tactics are even easier to mount by hacking into a server and deleting files, reconfiguring settings and altering photos. Compared with expensive military attacks, cyberwar tactics "seems like the kind of thing that a sophisticated military would want to experiment with," said Ben Edelman, assistant professor at Harvard Business School who has studied cyberattacks.
"Imagine how devastating it would be to a military commander to lose access to a server that tells him where his troops are stationed and where he has resources," he said, adding that "this is the first time we've had such strong evidence of cyberwarfare."
Instructions on how to mount such attacks are readily available on blogs, making it easy for a grass-roots effort to quickly escalate into a crippling assault, said Evgeny Morozov, a technology consultant based in Berlin who has tracked blogs in Georgia and Russia.
Figuring out who is behind the attacks has been difficult, Deibert said, because of complex routing methods and a multitude of connection exchanges. The Internet's infrastructure is a maze of lines laid by different service providers traversing many countries, masking how information is traveling -- or blocked.
"It's an ongoing battle in documenting where it's coming from and helping people get around it," he said.
In Georgia, which is not as dependent on the Internet as other nations, the cyberattack mainly hindered the government's ability to communicate with its citizens and others during the fighting. The Georgian Foreign Ministry's Web site, for example, was disabled except for a collage that compared Georgian President Mikheil Saakashvili to Adolf Hitler.
"Battles today are as much about ideas and images as they are territories," Deibert said. "If you're a military and intelligence agency, you're going to take down information that is in opposition and control the message."
To get around the blockade, Georgian officials relocated national Web sites to addresses hosted by Google's Blogspot, whose U.S. servers are more immune to attack. Citizens used blogging platforms such as LiveJournal -- the dominant platform in Russia and Georgia -- to post their own reactions during the fighting.
For example, a Georgian refugee from Abkhazia who blogs under the name Cyxymu on LiveJournal posted photos of Russian troops entering the Georgian town of Gori. The blogger said the photos were taken after Russia had announced its withdrawal, proving, he said, that fighting continued.
Morozov said only a few hundred Georgians used blogs to communicate with people outside the country. Even that tool was threatened, he said, when a group of Russian bloggers sent a letter asking Sup, the Russian company that owns and manages LiveJournal, to censor posts with pro-Georgian sentiment. Sup did not comply.
Givi Bitsadze, in Tbilisi, used microblogging site Twitter to share updates about the fighting in English and Russian.
"Tbilisi is still safe, but other cities are under attack, bombs kinda stopped, but Russian soldiers are breaking in a houses," one post read yesterday. He also noted an Olympic victory: "Georgia beats Russia in beach volleyball."
The cyberwar will most likely serve as a Web security wake-up call, Morozov said.
"Georgia was completely unprepared to the fact that all this information was on the Internet," he said. "I think it taught them -- and a lot of people -- a lesson."
Hi all,Hpe u had a good weekend. Today is day 6 of 10, but the theme is still on legal issues.I still cant believe the learned friends have not spoken and left everything to Alex and Mike. If any of you runs into Evelyn R., Kihanya J., Omo J. or Clara R. just to mention a few, ask them if they can give us a shout without us having to 'open a file'We have only today for this since tomorrow we move into the Economic Issues to be facilitated by a renowned IG expert to be unveiled in due course.walu.--- On Sat, 8/16/08, Alex Gakuru <alex.gakuru@yahoo.com> wrote:From: Alex Gakuru <alex.gakuru@yahoo.com>Subject: Re: [kictanet] Day 5 of 10: IG Discussions, Legal IssuesTo: jwalu@yahoo.comCc: "KICTAnet ICT Policy Discussions" <kictanet@lists.kictanet.or.ke>Date: Saturday, August 16, 2008, 11:17 AMG8 links!The introduction to this topic was on the presumption thatconsumers were the criminals proceeding to outline lawenforcement challenges. The most convenient and common formof misrepresenting cyber crimes and law -- first take awayall their rights then they struggle to regain one after theother... It is good that Mike presents both sides of thestory.Telecommunication companies hold massive data on allindividuals and they ensure that their on their "Termsof Use" and contracts users are "guilty untilproven innocent" and the companies are at liberty to dowhatever they please with our personal data.Consider below extract from a local telecommunicationcompany's Terms of Use: -------------5. Use of your information(The Company) may hold and use information provided by youfor a number of purposes, which may include:(a) Carrying out any activity in connection with a legal,governmental or regulatory requirement on (The Company) inconnection with legal proceedings or in respect of crime orfraud prevention, detection or prosecution.(b) Monitoring or recording of your communications for (TheCompany)’s business purposes such as marketing, qualitycontrol and training, prevention of unauthorised use of(The Company)’s telecommunications system and ensuringeffective systems operation in order to prevent or detectcrime.---------"May include" does not mean "limitedto" - implying that they are allowed, for example, toshare, sell, etc private data to their partners... Exactlywhat Mike points out to on the Business Week link.Framed in ways suggestive of company "lawenforcer" (illegal roles) onto "guilty"users. Notice how "Intellectual Property" isconveniently repeated. Or is it be assumed that consumers donot have any "intellectual property" they wouldwish protected? the companies should abide to also protect.BTW, There is an IGF Dynamic Coalition movement calling fora balance between Intellectual Property and developmentwhich includes Access to Knwoledge(A2K).<http://www.ipjustice.org>. Very resourceful!Supposing earlier proposed M-Medicine went ahead in EastAfrica? Sold ailments data to pharmaceutical companies, thatwould hike medicines prices in outbreak zones at selectedlocations... You go to a bank with a water-tight businessproposals and all bank turn you down. Reason? They haveshared your medical history and they think you will soon"sleep in the shamba" your excellent businessproposals notwithstanding.In summary, unless Data Protection and Privacy Laws areenacted, the default should be to deny all telecommunicationcompanies legal loophole to trade with personal information.And it should be seen to be enforced.On a lighter note, should I sue a WiFi company fortrespassing when their signals enter my laptop, or shouldthey sue me for illegally access of their signal? Over toBen Shihanya.Thanks again Mike!--- On Fri, 8/15/08, Mike Theuri<mike.theuri@gmail.com> wrote:From: Mike Theuri <mike.theuri@gmail.com>Subject: Re: [kictanet] Day 5 of 10: IG Discussions,Legal IssuesCc: "KICTAnet ICT Policy Discussions"Date: Friday, August 15, 2008, 2:11 PMNot a legal opinion: It would be very difficult toapplyexisting common law(analogous to jurisprudence) to electronic crimescommittedin a new era,atleast within the local context.For these reasons it is necessary to define the crimesunder distinct andseparate legislation. Due to the borderless nature oftheInternet (seeshared link), it is necessary for such legislation totakea broadapproach into account.For instance there ought to be provisions that allowlocalauthorities toseek the arrest and extradition of foreign basedsuspectsfrom otherjurisdictions for electronic crimes committed againstcitizens or localinfrastructure owned by individuals or entities eventhoughthe suspects atthe time of commission of the crime were present inotherjurisdictions.The same provision can allow private parties to pursuecivil remedies in asimilar matter and give them the basis where possibletoenforce thejudgement in the defendant's jurisdiction.This for example would close the possiblejurisdictionalloopholeof individuals crossing borders so as to commitelectroniccrimes from acountry that lacks electronic crime laws. Current lawisill equipped inensuring civil remedies, prosecution or arrest oflocal orinternationalcyber criminals, 419ers, lurers of minors, harassers,electronicallytransmitted or created threats (threats to a person,threats toinfrastructure by way of viruses, malaware, DoS etc)etcneither is itlikely to be in a position to ensure seriousconsequencesor deterents forthe same or allow for the definition of crimes asdistinguished here for aninternational gang of culprits:It was recently reported that a bill or regulations toprotect the data ofconsumers would be brought about as a means ofregulatingthe CRBs. Thiscould be model legislation/regulations to adopt toensurethat the publichas a say in the manner in which their privateinformationis used.At the same time consumers ought to be able toinstructcompanies with whomthey have business relationships with not to sharethatsame informationwith 3rd parties without their prior consent (ieopt-in/out). This is onlyeffective if there are laws or regulations to provideforconsequences whenbusinesses violate the same.As CRBs take root, there will be a likelihood thatsimilarbureaus orentities will eventually start sharing information inrealtime, for examplean underwriter of an insurance policy might want tocheckan individual'sclaim history across the industry to determine thelevel ofrisk the insuredposes in determining policy premiums. Similarly anorganization may want toconduct background checks for prospective employees inprivately maintainedelectronic databases.It is important that instead of regulations or lawsbeingformed for sectorsof the economy, that national data privacy laws andregulations be defined(or ammended) and on that basis refinement of specificregulations/lawscould be made for sectors that require specific datarequirements. Suchregulatory foresight can reduce or avert the occurenceofissues such asthose seen here:On Fri, Aug 15, 2008 at 12:21 AM, John Walubengo<jwalu@yahoo.com> wrote:Mornings,Today and next Monday, we intend to thrash outthelegal dimensions ofInternet Governance. The typical issues revolvearound:-Jurisdiction & Arbitration (who resolvese-disputes)-Copyright & IPR (are they pro oranti-development?)-Privacy and Data Protection (how is thee-Citizensdata abused/protected?)I do hope the 'learned' friends will chipinsince I cannot pretend to bean expert here as I introduce the general legalprincipals. Basically,dispute resolutions can be done through,· Legislation;· Social norms (customs);· Self-regulation;· Regulation through code (softwaresolution);· Jurisprudence (court decisions);· International law.There is however two broad conflicting schools ofthought when it comes toresolving disputes occasioned by the Internet.Onegroup claims thatwhatever happens online does have an equivalent'off-line' characteristicsand as such existing laws can easily be applied.E.gstealing moneyelectronically is no different from stealingmoneyphysically and so Robberycharges and subsequent jurisdictional procedurescouldapply. However, thesecond group feels that electronic crimes have atotally different contextand must have a separate and totally new set oflegislation or methodologiesfor resolutions.The borderless nature of the Internet brings toforethe Challenges ofJurisdiction and Arbitration as inyesterday'sexample, where content in onecountry may be illegal but is legal in another.Copyright and IntellectualProperty Rights issues are also explosive asdemonstrated by the NapsterCase, where some young software engineers createdsoftware that facilitatedsharing of (SONY) Music files across theInternet.Also related was the caseof Amazon.com trying to Patent the'single-click' method of buying goodsonline.Other cases touch on Data Privacy where BusinessCompanies have been knownto sell customer records to Marketing firmswithoutexpress authority fromthe Customers. Other times customer data issimplyhacked into andBusinesses are unable to own up (going public) tothedetriment of theCustomer.Most of these issues are under discussioninternationally at the InternetGovernance Forum (IGF), World IntellectualPropertyOrganization (WIPO)amongst other fora. They present emerging legalchallenges and it would beinteresting to know if stakeholders in the EastAfrican region are/should beinvolved in shaping the outcomes of any of theseissues.2days on this one, today and next Monday and feelfreeto belatedly respondto Day 1 through Day 5 issues.References:_______________________________________________kictanet mailing listThis message was sent to: mike.theuri@gmail.comUnsubscribe or change your options at_______________________________________________kictanet mailing listThis message was sent to: alex.gakuru@yahoo.comUnsubscribe or change your options at_______________________________________________kictanet mailing listThis message was sent to: jwalu@yahoo.comUnsubscribe or change your options at_______________________________________________kictanet mailing listThis message was sent to: brian@caret.netUnsubscribe or change your options at http://lists.kictanet.or.ke/mailman/options/kictanet/brian%40caret.net