The Spies Behind Your Screen: Hacking Team, International Law and the New Cyber Arms Race
Note: An edited version of the piece appeared in the Seven section of The Sunday Telegraph on November 20, 2011. UPDATE (November 25, 2011): A further, different version was published on the Telegraph website on November 24, 2011.
Screenshot of the Remote Control System dashboard. Red backgrounds to icons denote new material has been downloaded in those categories.
The assassin is a careful man, and his low profile relies on the security of his communications. So when he logs on to pick up the email containing his latest instructions, he leaves nothing to chance.
He's connected his laptop to a wi-fi network he's never used before, in a city he's visiting for the first time; the police forces chasing him won't know where to look. He uses an anonymous, untraceable email account, and only opens encrypted messages sent as attached files, which he downloads onto a password-protected partition on a USB stick. Today's file contains three words - 'Kill David Vincenzetti'.
The assassin doesn't use public telephone networks - too easy to intercept. He prefers Skype - the free software encrypts its users' calls to a level that was, until very recently, the preserve of government security services and the military. When he opened a bank account, he made sure the bank's website used an on-screen keypad to enter password and account details. He knows how easy it is for keyboard strokes to be monitored and recorded.
But the assassin hasn't been careful enough. Somewhere along the line - maybe when he downloaded the latest version of Skype, or updated his Windows operating system - he's opened a door to his enemies. He doesn't know it yet, but his computer has been taken over.
Everything he's read on screen, every transmission of data, even Word files stored in encrypted folders - all of it has been compromised. The police have heard and recorded his Skype conversations, watched as he entered his bank account details and password, even turned on his webcam without his knowledge and taken photographs of him too. If they'd wanted to, the people on his trail could have pretended to be him, sending apparently genuine emails from his account to anyone in his contact book.
The assassin is the latest victim of Remote Control System, almost certainly the most powerful cyber weapon to be promoted for sale on the open market. The product of an Italian company made up of former computer hackers, RCS can be installed on smartphones and computers, giving its user almost complete access to the "infected" device. It operates in the background, undetected by anti-malware, anti-spyware or anti-virus software, hiding its transmissions inside the user's usual email or internet traffic.
Tools like RCS make hacking into mobile phone voicemail look like the ham-fisted bungling of amateurs: but in a global society increasingly dependent on computers to function, cyber weapons can be used to do more than steal secrets. From government and finance to the power grid and the factory floor, unauthorised alteration of computer code can have enormous ramifications. Money can be diverted into the wrong hands; electronic switches can be flipped, turning devices on or off; physical objects can even be destroyed if the code controlling them is tampered with in the right way. But because cyber weapons don't exist in the physical world, the laws we rely on to restrict the sale of arms may not apply. Perhaps the most terrifying aspect is that nobody seems to know for sure.
"They kill me every day!" laughs David Vincenzetti, still very much alive as Seven's demonstration of RCS comes to an end. The sharp-suited Vincenzetti is the CEO and co-founder of Hacking Team, the Milanese software company that developed RCS. As he offers Seven a coffee from a high-tech espresso machine, the serial entrepreneur looks more like an executive from a Milanese fashion house than the owner of an arms company. Similarly unprepossessing is Vincenzetti's "assassin" today, Hacking Team's senior security engineer, Daniele Milan. "We have killed him countless times," the bespectacled programmer smiles.
RCS can track the location of the device it's installed on using a Google Maps interface
It is easy to see why Hacking Team's client base of government security services, counter-terror investigators and police forces is growing by the day. Remote Control System was designed for surveillance of "high-value" individuals - terrorists; senior figures in organised crime - and, as Vincenzetti proudly points out, "it works." He won't say who, or whereabouts in the world, but, every now and then, someone from a security service or police force will give Hacking Team a call, point out a news story of some bad people being put away for a very long time, and, without going into any detail whatsoever, politely thank the company.
Hacking Team sells licenses for the product, and a client can only install as many RCS "bugs" at any one time as they have licenses for. Those licenses cost at least €200,000 per annum, with an annual fee of about 20 per cent of that payable every year to ensure the software remains undetectable and keeps abreast of communications technology. While the price probably puts RCS out of reach of a newspaper publisher looking to dig dirt on celebrities - and would stop anyone from trying to use it for mass surveillance of the general public, if the vast amount of man-hours it would take to monitor everyone didn't put them off anyway - it is well within the resources of the security or police services of an average nation state.
Hacking Team concede that their description of RCS as a cyber weapon is marketing spin: but the trade in cyber weapons is even more occult than conventional arms dealing. Unlike a gun, a tank or a fighter jet, cyber weapons seem to fall between the cracks in international arms trade law. It is a matter for the company's directors, and their consciences, whether they sell RCS to repressive regimes, human-rights abusers, or governments riddled with corruption.
Hacking Team will not divulge information on its clients, but they say the product is in use by around 30 entities in 20 countries. (Seven understands the company has not sold RCS to any clients in the UK.) The licenses oblige the purchaser to abide by all relevant local and international laws, and forbid them from passing the technology on to third parties - but Hacking Team have no other control over the product once they deliver it.
The company retains the services of a number of expert lawyers, who advise on whether possible sales would be allowable if arms export control regimes applied to the product. It has turned down sales to countries which are under EU arms embargoes, even though the sale would have been legal. "We will not even start a negotiation with an entity in a country under the embargo of the EU and/or the UN," Vincenzetti says. They go further, too, only selling RCS to government or law-enforcement agencies, not private companies or individuals - though it is by no means clear that they would be obliged not to by law.
Is it sensible, desirable or wise to leave decisions about trade in computer-based weapons to the companies that make them? The question may seem specialist and obscure, but the issues raised are broad and increasingly urgent. If a company like Hacking Team - staffed by computer code experts barely out of university and, a bit of venture capital funding aside, a small, independent business - can build a weapon so powerful and sophisticated, what's to stop other groups with less noble motivations? One expert on cyber conflict, speaking to Seven on condition of anonymity, summed the situation up succinctly: "The people who should be making the decisions don't know what's going on - and when they eventually realise, one hopes it will not be too late."
In Britain, cyber warfare is one of the few areas of defence where the coalition government is increasing spending. In last year's Strategic Defence and Security Review, which made deep cuts to the Army, Navy and Air Force, £650 million of new money was allocated to cyber defence and security.
"Cyber" is a broad church, and most of the attention on this new domain of warfare has been on protecting critical national infrastructure - the computer-dependent power, utilities, transportation, finance and communications networks - from hackers and terrorists. But if there is a cyber threat that has to be defended against, then an attacker has to be using a cyber weapon: and there is no inherent reason why cyber attacks can only be committed by loose collectives of bedroom anarchists or cells of politically motivated extremists.
Last year, a sophisticated computer virus called Stuxnet was discovered on the internet by computer security experts. After months of painstaking analysis, it was found that the program was designed to operate only when it came into contact with a very specific series of linked devices. The only place where the right combination of hardware seemed to exist was in a uranium enrichment plant in Iran. Shortly after Stuxnet was discovered, parts of the plant were shut down: it is believed the virus crippled vital equipment there.
Stuxnet is considered too complex to have been the work of any one lone-wolf programmer; and the precision with which it sought out and destroyed its target means whoever wrote it had access to the kinds of secrets usually obtained by the intelligence services of rich nation states. No-one has yet claimed responsibility, but there is plenty of speculation within the computer security and cyber warfare communities that it was procured by countries with something to gain by derailing Iran's nuclear programme - Israel and the USA are most frequently mentioned.
Stuxnet hit and destroyed its target, but caused no human casualties, and as no machines outside the Iranian nuclear plant were damaged, it can be considered to have caused zero collateral damage. It may well be the most surgical precision-guided weapon ever "fired" in this way. Its evident success certainly implies that a nation committed to spending £650m on cyber defence might devote at least some of that money to building a cyber weapons arsenal. And while the British government has revealed no details, both the Armed Services Minister Nick Harvey and even the Foreign Secretary, William Hague, have gone on record as apparently confirming that the UK has acquired a cyber attack capability. But are cyber weapons legal?
The man to ask is Bill Boothby. A military lawyer for over 30 years, Boothby recently retired, at the rank of Air Commodore, from the Royal Air Force; he was part of the UK delegation that negotiated the anti-personnel mine ban treaty, known as the Ottawa Convention, and in 2009 published Weapons and the Law of Armed Conflict, the only book to thoroughly investigate that subject. During his RAF service, Boothby established the UK's system for assessing the legality of new weapons systems.
"The UK is obliged to review, in the study, development, acquisition or adoption of new weapons, whether the capability that it's reviewing would be compliant with the international law obligations that we have," Boothby explains. "That stems from article 36 of a treaty called Additional Protocol 1 of 1977 - 'additional' in the sense that it's additional to the Geneva Conventions of 1949. That's the weapons review system I and others set up for the UK: it's operated by the Ministry of Defence and would be the vehicle for the legal review of new cyber weapons."
But what is a cyber weapon? Boothby believes that the only way to answer that is to assess the intended impact.
"Put simply, if a computer system, program or data is used with the intention that it will cause damage or injury to an adverse party to an armed conflict, it will constitute a weapon in relation to that use," he says. "It seems to me it's when a decision is made - 'I am going to use this thing for that purpose' - that it becomes a weapon. What analogy would I draw? I suppose with a rock. A rock is a rock is a rock: it becomes a weapon when I decide I'm going to pick it up and hurl it at somebody."
By viewing cyber weapons in this way, Boothby believes it is possible to draw some useful lines. The internet is not a cyber weapon, even though it may be used to deliver one to its target; however, a computer or a piece of software may be considered parts of a weapon system if they are used to carry out a cyber attack. While Remote Control System will usually be a tool of espionage, Boothby believes it capable, similarly, of being part of a cyber weapon system.
"Fundamental to computer network defence is going to be staying one step - if you possibly can - ahead of developments to which you may be blind," he says. "Well, there's an inherent difficulty in that, isn't there? Self-evidently, there are all sorts of exploitation mechanisms out there that are being used, some of which, one suspects, are what keep us safe. But the conclusion I've come to is that just because it's espionage may not necessarily stop it from being an attack."
From the look of the large, fairly empty rooms, you might think Hacking Team have just moved in to their two-floor offices, but the firm has been based here for years. There are desks, chairs and, of course, computers; but very little decor, and almost no books or stationery. Vincenzetti and his fellow executives dress like upscale businessmen; the programmers downstairs favour the jeans and t-shirts of the hacker stereotype.
New technologies demand new ways of working, and Hacking Team is a very unconventional kind of arms manufacturer. The company was founded in 2003 by Vincenzetti and Valeriano Bedeschi, computer security experts with over 20 years' experience. They started out providing the sort of defensive cyber security that almost qualifies as traditional - testing companies' systems to see how resilient they were to hacking attacks. Clients for this part of the company's business include international blue-chip brands such as Barclays, BT, Deutsche Bank and Gucci. But cyber attack was always on the agenda. RCS 1.0 was released in 2003: its current iteration is version 7.5.
Vincenzetti and Bedeschi built the core Hacking Team group from among people they knew. It helped that Milan has long been a centre of excellence for hacking: in 2004 and 2007, teams from two of the city's universities won the University of California, Santa Barbara, Department of Computer Science's international tournament Capture the Flag, a kind of World Cup for hackers. Members of both winning groups are now on the Hacking Team payroll.
As the company has expanded - from an initial staff of three, Hacking Team now has 35 employees, and in 2010 turned over €4.5m - it has managed the not inconsiderable feat of retaining all of its technical staff. "I'm very proud of that," says Vincenzetti. "We've never hired somebody by means of advertising. Everybody comes because they are a trusted friend of somebody already inside. It's not very scientific, but it works. There are no strangers here."
The typical Hacking Team technician is young - the average age is under 30 - and heavily experienced in systems exploitation. "Usually the background that's required is to think in an uncommon way," explains Daniele Milan. "We do not believe strictly that you should have many years experience for being good at writing software like this - since it's very uncommon, it's difficult for you to have done something like this in a previous job. The university courses were good, but they hardly ever focused on computer security, so in that regard we are mostly self-taught."
One absolute prerequisite is the absence of a criminal record. This means the type of person the company hires is not found among the hacker groupings, like Anonymous or LulzSec, which have risen to prominence in recent months. In the computer security community, "hackers" are considered to be those who relish the challenge of fully understanding a system (as opposed to those who don't understand the technologies, who are known as "lamers"); those who break in to computer networks using their own skills are called "crackers", while people who break in to networks seeking to "own" - take over - servers using software tools they've found online are derogatorily referred to as "script kiddies". "Owning some servers is for the lamers," says Milan dismissively. "Then boasting that you've done that is the lamest thing of all - and probably one of the last you're going to do as a free citizen."
Hacking Team's ethical credentials are arguably as impressive as their software engineering expertise. But what would happen if a product like RCS was created by a company which placed a lower premium on business morality? How would current laws govern the manufacture, sale and use of such a powerful cyber weapon?
Seven asked several British government departments for comment, both about how UK law would apply to an investigative tool like RCS, and about emergent thinking on how to regulate cyber weapons proliferation in general. The Department for Business, Innovation and Skills (BIS), which runs Britain's arms sales watchdog, the Export Control Organisation, were unable to grant our interview request. The Committees on Arms Export Controls - the parliamentary body with oversight on arms sales, made up of MPs from the Foreign Affairs, Defence, International Development and BIS committees - have apparently never discussed cyber weapons. GCHQ (Government Communication Headquarters), the sister agency to MI5 and MI6 which collects and analyses information gleaned from telecommunications monitoring, released a statement which read, in full, "This is a developing area and GCHQ is actively contributing to cross government work." The Office for Cyber Security and Information Assurance - a department within the Cabinet Office - also declined to discuss the issues.
Foreign Secretary William Hague at the London Cyberspace Conference, November 2, 2011. Photo: FCO/Crown Copyright
In November, the Foreign and Commonwealth Office hosted a two-day London Cyberspace Conference, during which everyone from Hague and US Vice President Joe Biden to Wikipedia founder Jimmy Wales spoke of the vital importance of the unfettered exchange of ideas and information online. Yet the conference's session on security was held behind closed doors, the only part of the event not to be streamed live on the web.
Even the campaign groups one might expect to have latched on to the cyber arms issue are unsure how - or even if - to respond. Amnesty International are nearing the end of a five-year negotiation on the international trafficking of small arms, and don't have the resources to spare on this new domain of warfare. Campaign Against Arms Trade similarly feel they lack detailed enough knowledge of cyber weapons to speak about them on the record.
Industry, too, is keeping its cards close to its chest. The big defence firms all have cyber security products they're happy to talk about - Northrop Grumman unveiled the UK's first cyber defence test range in 2010, BAE Systems have been on a cyber spending spree, acquiring five cyber security and defence companies since 2008, while Lockheed Martin, victims of a well-publicised cyber attack earlier this year, will open a cyber defence hub in Farnborough next month - but remain tight-lipped about any cyber attack capabilities.
In the US, the example unintentionally provided by Endgame Systems is instructive. The Atlanta-based company, founded in 2008, has no website and does not talk to the press, but what appeared to be a price list of its services became public earlier this year when the Washington security firm HBGary were the victims of a hack by Anonymous, and thousands of emails were posted online. Endgame seem to be in the business of selling packages of zero-day exploits - the previously unknown vulnerabilities in computer systems or programs that allow outsiders to gain access. Computer security experts who analysed Stuxnet were amazed that the weapon had relied on as many as four zero-days; Endgame's price list appeared to suggest that for an annual $2.5m, a client could acquire more than 20 zero-days every year.
Licenses to export weapons - or goods capable of being used as weapons - from Britain are issued by the Export Control Organisation, though the applicable law is a Council Resolution of the European Union. But in order for licenses to be granted, companies have to apply for them. Virtual weapons don't sit in packing crates ready to be examined by customs officers; they may be being developed and sold globally without the ECO ever being aware they exist. So is the current legal framework capable of dealing with cyber weapons?
"I think not," says Dr Ian Walden, head of the Institute of Computer and Communications Law at Queen Mary University in London. "Clearly, if these technologies are being developed by military or for military under contract, then it's not something they will want to make transparent and therefore would not form part of an export control regime."
"I am not aware of any non-proliferation or arms-control negotiations going on in the cyber field," says Bill Boothby. "And I think I would be aware if there were any." However, Boothby is part of an international project run by NATO's Co-operative Cyber Defence Centre of Excellence, based in Tallinn, Estonia, which is seeking to assess how existing international law may apply to virtual weapons and their use. "We're writing a manual on the law of cyber warfare," he explains. "And believe me, it's damned hard work. It isn't simply a case of taking the existing law and sprinkling the word 'cyber' all over it."
The existence of RCS proves that cyber weapons can be produced by small teams of self-taught individuals. Whether their sale and use is legal may not be as important as whether similar weapons could be developed by terrorists or criminal gangs.
"I think that to develop something like [RCS], with the same features and integration and ease of use, requires a lot of co-ordinated work," Milan says. "You need to gather lots of people with the correct mindset and skills, and get them to work together for a few years. It's not impossible, but what I'm quite sure about is that al Qaeda, for example, do not have the skill or the vision to design something like this. The narcos [international drug cartels] have the money to invest, but they don't know the right people."
Ultimately, the future security of our communications may rely not on international arms control treaties or effective action by governments, but on something as banal and uncontrollable as criminal and terrorist personality types. Milan believes that the typical hacker, who wants to be first to break into a system and is keen to brag about "owning" a server, almost by definition isn't going to be happy working as part of a team - and for a product as sophisticated and complex as RCS, directed, focused teamwork is an absolute prerequisite.
"There has to be an ecosystem which is about more than money, technology and opportunity," Milan says. "Idealism could push in that direction, but it's still not enough."