Bowing to Quirinus: compromised nodes and cyber security in East Asia. Ortis, Cameron Jay, 2006

Full Text

BOWING TO QUIRINUS: COMPROMISED NODES AND CYBER SECURITY IN EAST ASIA

by

CAMERON JAY ORTIS

B.A., University of Northern British Columbia, 1999
M.A., McMaster University, 1999

A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE DOCTOR OF PHILOSOPHY in THE FACULTY OF GRADUATE STUDIES (Political Science)

THE UNIVERSITY OF BRITISH COLUMBIA

August 2006

© Cameron Jay Ortis, 2006

Abstract

An increasing amount of scholarly work in International Relations is being devoted to reconsidering traditional concepts about what constitutes security in an era of information technologies. Yet the discipline has focused this re-examination almost exclusively on the Internet as a communications technology; a technology that allows for the ability to exchange complex forms of data - the ability to talk at a distance. Viewing the Internet through the prism of a communications media largely ignores its more potent dimension - the ability to act from a distance. This study seeks to examine the relationship between rapid Internet diffusion and the emergence of new threats and the digitization of traditional threats. The study outlines a compromised-node framework. At the core of this level of analysis is the argument that the compromised node on the Internet is the central problem in a digitizing world both in physical and theoretical terms.

Other approaches used in International Relations to study security and the information revolution commonly employ more traditional frameworks built around the international system or the state and, more recently, the "network" level of analysis. In more theoretical terms, using a node-based level of analysis allows for a contribution to the 'broadening of security' project that has occupied much of the International Relations literature recently and at the same time grounds the research in the technical realities that are often overlooked or misunderstood. Utilizing different methodological tools and data forms to illuminate the multi-faceted nature of the problem, this study is organized into two parts. Part one examines the distribution of compromised nodes cross-nationally in order to explore the relationship between the level of Internet insecurity and key socio-economic, political and infrastructural factors. Part two examines transnational organized crime as a high-tech threat to firms and state organizations in East Asia. The insecurities of the digital world call into question the efficacy and legitimacy of traditional state-based security when applied to new Internet based threats. But for the foreseeable future the state remains the only actor with the authority, legitimacy, resources and governance tools to address these issues.

Table of Contents

Abstract
Table of Contents
List of Tables
List of Figures
Acronyms
Glossary
Preface
Acknowledgements
Dedication

INTRODUCTION
    Scope of study
    Organization of study

Chapter One: The Origins of the Cyber Infrastructure
    The Internet
    What is the Internet and where did it come from?
    Current overview of Internet and Infrastructure
    Diffusion of cyber infrastructure
    Regional diffusion patterns
    Internet and computing security: situating the state
    Cyber infrastructure security incidents
    Objectives and limitations of study

PART ONE: CYBER THREAT PERCEPTION AND REALITY

Chapter Two: Theorizing Cyber Infrastructure Security
    Introduction
    Studying the social impact of the Internet
    International Relations
    Theorizing the cyber infrastructure and International security
    Dual notions of cyberspace and security
    The return of the state
    Coevolutionary competitive processes and compromised nodes
    Studying compromised nodes
    Conclusion

Chapter Three: Examining the Distribution of Compromised Nodes
    Introduction
    Territorial integrity and securitization of cyber infrastructures
    Hypotheses
    Existing work
    Data
    Port scans, worms and global random noise

Chapter Four: Instability and Cyber Infrastructure Security
    Introduction
    Case selection
    Independent variables
    Analysis
    Partial correlation results and discussion

Chapter Five: The Level of Democracy and Rule of Law and Cyber Instability
    Introduction
    Stability and Cyber Infrastructure Security
    Regional differences: East Asia and the rest of the world
    General results and interpretation
    Conclusions: East Asia

PART TWO: TRANSNATIONAL ORGANIZED CRIME AND THE INTERNET IN EAST ASIA

Chapter Six: Non-traditional Cyber Security Threats in East Asia
    Introduction
    A note on methodology

Chapter Seven: Organized Crime as Cyber Threat
    Introduction
    Transnational organized crime in East Asia
    Non-traditional security threats in East Asia
    Transnational organized crime and the cyber infrastructure

Chapter Eight: Organized Crime and Compromised Nodes
    Introduction
    Criminals connecting in cyberspace
    Case one: bot nets in Hong Kong SAR and Shenzhen, China
    Case two: digital black markets and security
    The dynamics of the cyber black market
    Conclusion: What is the nexus?

Chapter Nine: Botnets and Back Channels: The Return of the State
    Introduction
    Virtual realism and the loss of control
    Adaptation space
    Singapore
    Hong Kong SAR
    China
    East Asia region
    East Asia in an international context
    Uneven adaptation spaces

CONCLUSION

Conclusion: Bowing to Quirinus
    Introduction
    Compromised nodes, stability and security
    The nexus and coevolutionary adaptation
    Conclusion

REFERENCES

Appendix A
    Dependent variables
    Independent variables
    Chapter Four diagnostics
    Chapter Five diagnostics
    Methodological notes

List of Tables

1.1 - Static Internet diffusion by region
1.2 - Cyber security typology
1.3 - US Reported Incidents and Vulnerabilities 1995-2001
3.1 - Sample log entries from DSHIELD portscan logs
3.2 - Relative Country rankings
4.1 - Partial correlations controlling for diffusion
4.2 - Partial correlations controlling for population
5.1 - Quasi-Poisson regression results: Rule of law
5.2 - Quasi-Poisson regression results: Democracy
5.3 - Dummy regression with interaction terms: Democracy
5.4 - Dummy regression with interaction terms: Rule of law
A.1 - Internet diffusion and study dependent variables
A.2 - Internet diffusion and study independent variables

List of Figures

3.1 - Chained-relay density function
3.2 - Histogram of h*(TSOURCE) for 49 upper tier countries
3.3 - Histogram of h*(TSOURCE) with US case removed
4.1 - Scatterplot matrix of source, GDP per capita, and the DAI
5.1 - Effects display for the interaction of the level of democracy and region
5.2 - Effects display for the interaction of the level of the rule of law and region
4.2 - Scatterplot matrix of address space, Internet users, hosts, ASs, and prefixes by country
5.3 - Diagnostics for Model 1, Rule of Law
5.4 - Diagnostics for Model 2, Democracy
5.5 - Bivariate density estimates for democracy and rule of law

Acronyms

APEC - Asia Pacific Economic Cooperation
ASEAN - Association of Southeast Asian Nations
BGP - Border gateway protocol
BSD - Berkeley Service Distribution
CCP - Chinese Communist Party
CSE - Communications Security Establishment (Canada)
DoD - Department of Defense (US)
DND - Department of National Defence (Canada)
FCC - Federal Communications Commission (US)
FinCEN - American Financial Crimes Enforcement Network (US)
GDP - Gross domestic product
GIS - Geographic information system
GPS - Global positioning System
IDS - Intrusion detection system
ITU - International Telecommunications Union (UN)
IP - Internet protocol
ISP - Internet service provider
KISA - Korea Information Security Agency (ROK)
LAN - Local area network
LCD - Lowest common denominator format
NGO - Nongovernmental organization
NSA - National Security Agency (US)
OECD - Organization for Economic Cooperation and Development
PRC - People's Republic of China
RIAA - Recording Industry Association of America
RBL - Realtime blacklist
SCADA - Supervisory control and data acquisition
TCP - Transmission control protocol
VPN - Virtual private network
WAN - Wide Area Network

Glossary

Chained relay - a series of compromised Internet devices linked together.

Cracker - a network intruder.

Encryption - is the process of obscuring information to make it unreadable without special knowledge. This is usually done for secrecy, and typically for confidential communications. Encryption can also be used for authentication.

Exploit - a program written to take advantage of a vulnerability.

Firewall - a hardware or software device designed to restrict inbound and outbound network traffic.

Hacker - in common public usage refers to an individual that breaks into computer systems or networks. In fact, a hacker actually refers to an individual that takes things apart to understand, modify or improve a machine.

Linux - is the name of a computer operating system and its kernel. The name Linux strictly refers only to the Linux kernel, but it is commonly used to describe the entire Unix-like operating system.

Open relay - a computer or server that performs electronic mail handling. A relay is a form of open proxy, which is an Internet proxy server which is accessible by unauthorised users, specifically those from elsewhere on the Internet.

Polymorphic shell code - is code or programs that act like chameleons by changing their form autonomously to avoid detection. Currently, in computer security there is no known defense against this type of program.

Port scan - refers to checking for services presented on port addresses, usually as part of a cracking attempt or computer security scan. Port scans are performed both by attackers and by systems administrators attempting to check the security of their systems.

Scale free topology - refers to the general structure of the Internet on an aggregate scale. Originally, the concept was applied to computer networks by Albert-Laszlo Barabasi at the University of Notre Dame, in Indiana. Until 1999, the standard way of modelling the Internet was to use randomly generated graphs, in which routers were represented by points and the links between them by lines. But it turns out that such random graphs are a poor approximation because they miss two important features. The first is that links in the net are "preferentially attached": a router that has many links to it is likely to attract still more links; one that does not, will not. The second is that the Internet has more clusters of connected points than random graphs do. Scale-free topologies are thought to be resistant to random failures.

Script kiddie - a cracker with a low skill level, in other words without a deeper understanding of the science and engineering behind the code. Generally thought to be responsible for the majority of the known Internet attacks.

Server - a computer software application that carries out some task on behalf of its user. The most common types are file servers and application servers. Web, email and database servers are the most commonly used for the Internet.

Social engineering - in the computing community context it refers to the act of manipulating humans to divulge privileged information. It should not be confused with its meaning in social thought.

Source code - is a series of statements written in some human readable computer programming language. Source code can be in one or more text files that are then converted by software into computer executable form.

TCP/IP stack - TCP/IP is the Internet protocol suite. It is the set of protocols that implement the protocol stack on which the Internet runs. It is sometimes called the TCP/IP protocol suite, after the two most important protocols in it: the transmission control protocol (TCP) and the Internet protocol (IP). The Internet protocol suite can be described by analogy to a layered stack which describes the layers of a protocol stack. In a protocol stack, each layer solves a set of problems involving the transmission of data, and provides a well-defined service to the higher layers. Higher layers are logically closer to the user and deal with more abstract data, relying on lower layers to translate data into forms that can eventually be physically manipulated. Any device that can "connect" to the Internet must have a TCP/IP stack.

Trojan horse - is a program that is secretly placed on a computer or network device to perform various tasks.

Uberhacker - a slang term used in reference to individuals with the highest level of cracking or hacking expertise.

Unix - is a portable, multi-task and multi-user computer operating system originally developed by a group at AT&T and Bell Labs.

Virus - is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus which spreads by inserting itself into living cells.

Vulnerabilities - flaws in computer or network systems that are either known or unknown which can be taken advantage of by exploits to compromise the machine.

Windows - an operating system created and sold by Microsoft.

Worm - is a self-replicating computer program similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself.

Zombie - in computer security a zombie can be either a machine that has been taken over by a cracker to attack other machines or a program that remains running on a computer after it has received a termination command.

Preface

Quirinus was a Roman god of the state and war.
His origins are often traced back to the protector god of the fields before being associated with Romulus' apotheosis toward the end of the Roman Empire. Most of what is known of both Quirinus and the cult that worshiped him is derived from a time period when myths were being reworked to fit into the Roman political ideology (Cook, 1905; Quirinus, 2006). The Romans themselves often wondered about Quirinus because he was seen as mysterious, often being depicted in both clerical and military clothing, and set as a lesser god against Jupiter and Mars (Cook 1905). Yet they continued to worship him even though they were not really sure why it was important to do so.

The impact of the cyber infrastructure on international security is a lesser problem when compared to economic and military security issues. It is interesting then that cyber infrastructure security is still assumed to be of some importance by academics and policy makers even though they are often not sure exactly why. The politics of cyber infrastructure security can be clothed in either clerical or military garb. This dissertation does not try to argue that Quirinus is equal to Mars and Jupiter. Rather, the argument is that the state now sees the cyber infrastructure increasingly in traditional security terms. Or, couched in the metaphor above, Jupiter and Mars are beginning to take much more than a passing interest in the affairs of Quirinus.

There are two problems that are the analytical focus of the study. The first is the general gap between threat perception and reality in the cyber infrastructure. The objective here is to use a unique large-N data set to show that one of the current assumptions regarding the sources of infrastructure instability across countries is without empirical merit. The second analytical problem is the adaptation space between the state and transnational organized crime groups in East Asia. A series of short case studies are developed that focus in on specific social and political processes of the state's response to cyber security issues. The dissertation takes an unusual approach to the two analytical problems by using two distinct research designs that both keep the analysis rooted in the technical realities of the infrastructure, exemplified and centered on compromised nodes, while situating the state in an emerging virtual realism.

Acknowledgements

This dissertation would not have been written without the unwavering support and encouragement of my parents. I would also like to thank my research supervisor Dr. Brian Job, professor of Political Science at the University of British Columbia (UBC) and director of the Centre of International Relations. His guidance and comments on the many drafts made the dissertation possible. In particular, I would like to thank Dr. Job for allowing me to take on an unusual topic and approach to the study of the impact of technology on international security in the East Asia region. In addition to my supervisor, other members of the dissertation committee were invaluable. I would like to thank Dr. Paul Evans, professor in the Faculty of Graduate Studies at UBC and co-CEO of the Asia Pacific Foundation of Canada in Vancouver, for the intellectual guidance and constant reminder that writing a dissertation is a marathon not a sprint. Dr. Evans also helped to provide contacts in East Asia for the field research. Dr. Fred Cutler, assistant professor in the Department of Political Science at UBC, also a member of my committee, spent one-on-one time with me hunched over a computer poring over statistical results. I would also like to thank Tom Ngi, a software engineer living in Vancouver, whose technical skills made Part One of the dissertation possible. Mr. Ngi graciously volunteered his time on the project and re-wrote the software that processed the data for the quantitative sections. My friends and family members should also be acknowledged for their understanding during the many absences while I completed this project and for their help celebrating its conclusion. I must also thank the anonymous individuals in East Asia and North America who graciously agreed to speak on the issues addressed in this study. Without their participation during many trips to the region, Part Two of the dissertation would not have been written. I would also like to acknowledge Dr. Heather Smith, associate professor of International Studies at the University of Northern British Columbia, whose mentoring during my undergraduate years laid the groundwork for a continuing interest and passion for the study of international relations. The work received financial support from the Charles C.C. Wong Memorial Fellowship through St. John's College at UBC.
The research also benefited from financial support from the Social Sciences and Humanities Research Council of Canada. The Centre of International Relations at UBC provided office space and other logistical support at various points between 2001 and 2005.

Dedication

To my parents.

Introduction

Introduction: scope of study

Drawing on the recent research of various scholars and social scientists working in and around the debate in International Relations over the meaning of the information revolution, this study outlines a compromised-node theory of security. At the core of this theory is the argument that the compromised node on the Internet is the central problem in a digitizing world both in a physical and theoretical sense. The coevolutionary behavior between those trying to secure nodes and those trying to compromise them can be likened to a series of asymmetrical arms races of attack-defense where offensive adaptations are countered by defensive adaptations. This study's conclusions are in general agreement with Herrera's theory that, as is mostly the case in coevolutionary processes, the outcome is indeterminate as long as the environment, or in this case the infrastructure in which these dynamics play out, continues to evolve and change.[1] In more theoretical terms, using a node-based level of analysis allows for a contribution to the 'broadening of security' project that has occupied much of the International Relations literature recently and at the same time grounds the research in the technical realities that are often overlooked or misunderstood. It also allows for a contribution to the securitization literature and its attempts to understand the linkages between perceived existential threats and performative acts.

[1] See Herrera (2002).

Organization of the study

Focusing on the East Asian region, this study is broken down into two investigations that explore two dimensions of Internet security. Utilizing different methodological tools and data forms to illuminate the multi-faceted nature of the problem of the compromised node, I will show in the following pages that there is a coherent theme and fundamental problem that connects the two approaches. Two distinct methodologies are used in this dissertation. Both the indicator of cyber infrastructure instabilities and the locus of transnational organized crime's usage of cyber space are centered on compromised nodes. Thus, the study is broken down into two components. The first looks at the aggregate cross-national distribution of compromised nodes. The second component focuses on how the number of compromised nodes continues to grow and support untoward uses of the infrastructure. Both designs are meant to better situate the state as an imperfect actor in an increasingly complex technological environment.

Building upon the introductory chapter and the theoretical discussion in Chapter Two, Chapters Three, Four, and Five of the dissertation examine the variation of compromised nodes both globally and specifically in East Asia. Using unique data obtained from a widely distributed logging system, Chapters Three and Four of Part One examine multiple hypotheses on the relationship between these patterns and several socio-political, economic and infrastructural variables. To my knowledge, this is the first study to address this problem from an international perspective using quantitative data collected via intrusion logs from networks distributed throughout the world. The primary objective here will be to develop a quantitative description of Internet incidents - specifically from compromised machines - by country and explain the variations in these patterns on a state oriented basis.

Part Two also takes as its starting point the problem of the compromised node on the Internet. Here I examine transnational organized crime as a high-tech threat to firms and state organizations in East Asia; a problem that many in the Internet security community consider to be the most serious Internet based threat. By looking at the coevolutionary adaptive gap between sophisticated, well organized criminal elements and state response mechanisms used to confront this threat, the analysis focuses on how far the adaptation space has widened. Chapter Eight develops a series of three short case studies from Hong Kong, Japan and Singapore that examine two dimensions of the impact the organized crime groups are having on the cyber infrastructure. The central question is: if the evolutionary adaptive gap between criminal innovators and enforcement response is widening, can it be narrowed?

Research for Part Two is based primarily on field work plus documentation from scholarly journals and media reports. Over the last four years I have conducted 31 interviews with government officials, engineers, and members of the 'hacker community' in 8 cities in Asia as well as with individuals in Canada and the United States. Interviews with government officials and security practitioners yielded valuable information on new and emerging Internet threats that states and firms face from organized crime. It was also valuable to get firsthand accounts on the policies and strategies that have been implemented in national settings in order to get a sense of what has worked, what has not worked in the past, and why. Field interviews also provided a unique opportunity to speak with individuals in the "underground" community. While access to this population was limited when compared to government policy makers and network engineers working at large firms, enough qualitative data was gathered to gain some insight into general behavioral trends.
The East Asia cases were chosen as the focus for this study for three reasons.[2] The first is that the region provides a certain kind of diversity of actors. There is no other region in the world where there is such extreme variability, deep and shallow, in Internet diffusion patterns, and where both non-democratic and democratic regimes coexist. Alongside state actors in the region, and often at odds with them, is a host of non-state actors taking advantage of rapid Internet diffusion. Second, this regional context is distinct from others in that the socio-political impact of the Internet there is still nascent. Finally, East Asia has a growing reputation as a breeding ground for software piracy, crackers, virus writers and lackadaisical system administrators. The region plays host to the most advanced use of the Internet by organized crime groups.

[2] For the remainder of this study the term 'East Asia' is taken to mean two regions: Southeast Asia, which includes Brunei, Myanmar, Cambodia, Indonesia, Laos, Malaysia, the Philippines, Singapore, Thailand and Vietnam (as well as New Zealand and Australia); and East Asia (Northeast Asia), which includes China, Hong Kong SAR, Japan, North Korea, South Korea and Taiwan. I will largely ignore both Central Asia (Mongolia, Afghanistan, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, Uzbekistan) and South Asia (Bangladesh, Bhutan, India, Maldives, Nepal, Pakistan, Sri Lanka). There is, of course, room to quibble with the use of 'East Asia' to mean Southeast and East Asia alone, and with the addition of New Zealand and Australia. I define the regions largely from a cyber-infrastructural perspective, which also takes geopolitical and cultural influences into account. In two of the following chapters, for technical reasons that facilitate data analysis, I expand the regional definitions to include India, New Zealand and Australia.

The role of the state is extensive in most East Asian countries, and this is particularly true with respect to the Internet. Early experimentation with computer networks occurred in the scientific or academic sector, but the central government has been the major player in any Internet development beyond the experimental level. Like their counterparts in advanced industrial democracies, many authoritarian governments have instituted security plans, created special Internet governance committees, or reorganized bureaucracies to deal more effectively with the Internet and the security dilemmas it creates. State Internet security policies and governance structures are often outgrowths of the older regulatory regimes of the armed forces, intelligence and law enforcement agencies. As in any country, and especially where the role of the state is strong, policy will have an important influence on the myriad ways in which Internet security issues are approached and framed.

The final chapter of the dissertation is a summary that returns to the theoretical or analytical framework fleshed out in Chapter Two and empirically assessed in Part One and Part Two. It reassesses the utility of a node-based approach for understanding whether cyber security is best situated within purely territorial or non-territorial frameworks. The concluding chapter will also return to the description of specific uses of Internet technologies by non-state actors, and the subsequent state responses, as a coevolutionary process. The state does appear to be adapting in the short run, even though much of the adaptation gap remains tenuously uneven. Over the long run, however, this gap may begin to widen. In East Asia, this will put increasing pressure on states to securitize cyber infrastructures rather than merely criminalizing nefarious uses of the environment. New node-based security actors behave both as a threat to the state, as in the case of organized crime's use of computing technologies, and as a surrogate for the traditional role of state-based providers of security. International Relations might be applied and its conceptual apparatus yield insights, but it too requires serious rethinking, since both the phenomena and the conceptual frameworks of the cyber infrastructure are novel. International security studies will play an important role both by conceptualizing the nature of these 'new' threats and by assessing the response of state and non-state actors. It is to this subject that the dissertation now turns.

Chapter One: The Origins of the Cyber Infrastructure

The Internet

This introduction begins with an historical overview of the development of the Internet. The focus here will be on the technologies themselves, because these are the evolutionary engines of the Internet. The social, economic and political environments of the mid to late twentieth century provided fertile ground for their growth. The second section moves to a discussion of the literature on the social impact of technology in more general terms. Here the focus is on the intellectual heritage that scholars in International Relations have drawn upon in studying the impact of the Internet on international politics. The third and fourth sections of the chapter outline current Internet security issues and begin to place the state within this context. The central theme is: why should students of international security care about the Internet? The final section of this chapter briefly outlines the objectives of this study.

The Internet is often taken to mean loosely connected computer networks.
Cyber space is shorthand not only for Internet space but for other electronic or digital domains that can be reached via computer networks. The term, first used in science fiction, is much broader in that it describes not just the Internet but other architectures, applications and spaces that can be accessed from, and send data through, the Internet. These electronic spaces have evolved into a much more complex infrastructure, primarily in the Western world, and taken together the Internet, intranets and cyber spaces now provide a digital environment both for the control of machines and for communication between humans, and between humans and machines.

What is the Internet and where did it come from?

The Internet is one dimension of an immensely complex electronic universe. The categories of electronic media and information technology range from radios, cellular phones and wireless Internet-enabled devices to distributed computing networks that form a kind of Internet-based supercomputer (Wong, 2001:67-68). For the purpose of this study, the Internet and computer networks are taken to mean both the hardware and the software necessary for the control and communication of information that has been reduced to binary form. Hardware refers to computing and networking components. Software includes the applications and protocols that allow various kinds of control and communication functions to take place via an emerging global web of computer networks that can now be considered a cyber infrastructure. For the purpose of this dissertation, an Internet node is any connected machine that possesses a Transmission Control Protocol/Internet Protocol (TCP/IP) stack; in other words, any device that can use the common protocols for communicating with other nodes in the cyber infrastructure. Any Internet device, whether a router, a server or a personal computer, is a node that is theoretically accessible through a large and increasingly complex interconnection of very large networks.

The idea of an inter-net was first articulated by Joseph Licklider, a psychologist working at the Massachusetts Institute of Technology (MIT) in the late 1950s and early 1960s. In 1962 Licklider wrote about the concept of a "Galactic Network" and the 'thinking center' (Leiner et al., 2003). His idea was essentially a globally connected set of computers through which anyone could send and receive data and programs from any site in an efficient and reliable manner. By the 1950s and into the early 1960s computers were already widespread enough for researchers at major universities to have access and begin working them into research designs (Leiner et al., 2003). The driving factors were the emergence of several technologies and ideas in the United States, where a technology-friendly environment existed. The internationalization of economic markets encouraged firms and the US government to respond positively to new technologies that appeared to stimulate interconnection (Zacher, 2002:190-191). The emergence and adoption of the telegraph, telephone, radio and computer laid the groundwork for what Leiner et al. observed was an "unprecedented integration of capabilities" (2003:1). New networking concepts demanded new technologies or, more precisely, new ways of thinking about networks. Computers themselves had been invented a decade before any serious thought was applied to how to connect them.[3] Until the early 1960s, networks such as the telephone system were circuit switched.

In the early-to-mid 1960s Leonard Kleinrock published the first paper on packet switching. This was a fundamentally different way of networking: instead of switching based on circuits, Kleinrock envisioned packet-based switching.[4] The central difference is that data would traverse a network as individual packets, each forwarded according to a routing algorithm that allows it to 'find' the best available path to its destination. This move from theoretical idea to electronic reality was not, however, taking place in isolation. Groups of researchers were proceeding in parallel without knowing about each other's work. As these separate groups became aware of one another, the focus of packet switching congealed around the US ARPANET. The first node was installed at the University of California, Los Angeles (UCLA) in 1969; after a second node at the Stanford Research Institute (SRI) was connected, the first host-to-host data was sent between the two locations. Two more nodes were added by the end of 1969. Thus four host computers were connected together to form the initial ARPANET, the genesis of the Internet. But the new network form needed a reliable, agreed-upon way to exchange data, one that would allow differing architectures, network environments and interfaces to communicate with one another. Researchers moved to develop a new version of the protocol which could meet the needs of an 'open' architecture network. This early collection of protocols would evolve into the Transmission Control Protocol/Internet Protocol (TCP/IP).[5] With the TCP/IP suite, participating networks could be of different design, and each could have its own unique interface, yet still take part in the internetwork.

[3] For more on the history of computing see Edwards (1994) and Mahoney (1988:113-125).
[4] For more on telecommunications see Rockstrom and Zdebel (1998:36-40).
[5] For a complete overview and history refer to the original paper authored by Cerf and Kahn (1974) and also Clark (1998).

The issue at this point in the evolution of the Internet was how to get the protocols onto as many computers as possible. The US Defense Advanced Research Projects Agency (DARPA) decided to support the University of California at Berkeley in incorporating a TCP/IP implementation into the Unix operating system. The addition of TCP/IP to the Berkeley Software Distribution (BSD) of Unix marked an important point in the diffusion of the necessary Internet protocols to the broader research world.[6] This strategy of incorporating Internet protocols into an operating system for the research community was an important ingredient in the widespread adoption of the Internet (Leiner et al., 2003). The universal protocols for inter-networking were thus built directly into computer operating systems. At this stage in the evolution of the Internet there existed an evolving transmission model (packet switching) and software (the TCP/IP protocols) which together provided an all-newcomers-welcome concept of interconnected networks. By 1983 the ARPANET was being used by a significant number of US government agencies and organizations. By the mid-1980s the Internet was already well established in both the US defence community and university environments.[7] What spurred this growth was the emergence of a 'killer application', electronic mail (email). The utility and efficiency of email was immediately apparent to users of the relatively small nascent Internet. While other applications of the early Internet were making an impact in tucked-away corners of specialized communities, it was email, the common form of communication, that in many ways helped to justify connecting. The Internet's evolution accelerated in the 1980s with the spread of Ethernet and the personal computer (PC). Ethernet, originally invented in the 1970s, was being adopted as a common hardware approach to connecting machines. As opposed to Token Ring, a competing technology backed by IBM in the early 1980s, Ethernet, backed by 3Com, allowed for true local area networks. This is important: Ethernet 'cards' could be added to any device to allow it to physically join a network and exchange data. While most personal computers in the 1980s did not have Ethernet cards, the use of local area networks (LANs) in university, government and large corporate environments meant that computers that could understand TCP/IP were beginning to connect disparate LANs. By the early-to-mid 1990s the Internet begins to look and act more like the infrastructure we see today rather than simply a collection of interesting interconnected technologies. This is an important genesis point for security.

[6] For more on protocols see Stallings (1993:17-56). This is essentially an overview of network concepts based upon the ISO Reference Model of Open Systems Interconnection (OSI). The OSI model consists of seven layers: 1) physical, 2) data link, 3) network, 4) transport, 5) session, 6) presentation and 7) application.
[7] For more on data networks see Bertsekas and Gallager (1991).

Cyber infrastructure security today includes not only the technologies themselves but also the social, political, economic and psychological factors that influence both security technologies and policy (Denning, 2003:26).[8] During the 1990s the growth in LANs drove massive increases in Internet traffic as firms of all sizes began to rely on Internet technologies to stay competitive, reduce costs, manage supply chains and explore new ways to create demand for products and services.[9] Internet diffusion patterns, the spread and adoption of Internet infrastructures and technologies, began to reach rural areas and the less developed economies. Two Internet applications, email and the World Wide Web (WWW), became standard communication media.[10] These developments began to 'feed' off one another as firms, governments and individuals used Internet technologies in ways the university and military environments had scarcely envisaged.[11]

[8] Throughout this study I will refer to both the cyber infrastructure and the Internet. The former is a broader, more ecological definition in line with Denning (2003). Internet security refers to the technologies themselves and as such is a subset of cyber infrastructure security. More on this below.
[9] For more on local area networks see Vargo and Hunt (1996). It is often difficult to understand the early impact of intra- and inter-networks on businesses. For a good case study describing the evolution of the American Hospital Supply and Baxter information systems see Short and Venkatramen (1992).
[10] For more on wide area networks see "The Worldwide Web and Internet Technology" (1998).
[11] For more on the Internet's impact on commerce and business see Porter (2001:63-78). Porter argues that the Internet does not change the old rules of doing business but rather that the "old rules" are also the "new rules." See also Venkatraman (1994:73-87) for more on the different ways in which Internet technologies can impact and transform a business. Venkatraman focuses on business impact after the dot-com market depression in 2000. Did these technologies really improve the productivity of organizations? Did they create new kinds of organizations? For an alternative perspective in which Internet technologies were critical for a firm, see the case study in Ross (1995) on how firms connect disparate global operations.

Current overview of Internet and infrastructure

Today there are four networking architectures, or general models, that utilize both computer hardware and software. The first, and still the most commonly seen, is the client-server model. Client-server is a network application architecture that separates the client, usually through some type of interface, from the server. Through client software a user sends requests to a server to perform some task, and the server sends the results back to the client. The second networking model is the multi-tier framework, which builds upon the client-server concept. A multi-tier or n-tier environment exists when an application server stores data on a third machine known as a database server. As opposed to the more generic client-server architecture, an n-tier architecture may in general deploy any service using any number of intermediate servers as helpers performing specific tasks. The third model is the peer-to-peer (P2P) computer network. This is a network that relies on the computing power and bandwidth of the participating nodes rather than on a few servers, as in the client-server or n-tier cases.
In a P2P network there is no real concept of clients and servers, but rather peer nodes that operate as both "clients" and "servers" at the same time. A P2P network is typically used for connecting nodes via ad hoc connections. Such networks are useful for many purposes: sharing content files (file sharing) containing audio, video, data or anything in digital format, and also real-time data such as telephone traffic. The term "P2P network" can also be employed for a grid computer, where the computing power of many individual machines is harnessed for large number-crunching tasks.[12] Finally there is the web services model. This is a more software-focused model than the previous three. It is a 'system of software systems' designed to support machine-to-machine interaction over a network, without human intervention. Applications written in different programming languages and using different technologies can use web services to exchange data over any type of computer network in the same way as inter-process communication on a single computer.[13] Web services allow machines to communicate with other machines, and are thus theoretically capable of removing any remaining barriers between disparate nodes, networks and devices.

[12] For more on grid computing see Waldrop (2002).
[13] It is important to point out that the word "web" in web services is a bit of a misnomer and should not be confused with the World Wide Web (WWW), which is an application built 'on top' of the Internet. For more on web services see Vaughan-Nichols (2002); Hansen, Madnick, and Siegel (2002); and Seetharaman (1998).

By 2000 and 2001, these four networking models allowed a vast array of human activities to migrate to the Internet, from personal banking and manufacturing assembly plants to modern military applications. Military functions such as command, control, communications and intelligence now rely on computer networks, as do an increasing number of government services.[14] Home entertainment systems from gaming to movies, scientific research and education, traffic control systems, and infrastructures such as sewage treatment, water and electrical grids now rely on Internet-based technologies to evolve and function efficiently. In the near future, voice over Internet Protocol (VoIP) will begin to replace the plain old telephone system (POTS) in many organizations, allowing voice communication to be digitized, to travel over the Internet and to be processed like any other form of digital information. This growing reliance on and use of the Internet in real-world applications signals a shift from the Internet as merely a collection of useful technologies to a cyber infrastructure capable of absorbing and integrating other technologies (Denning, 2003). Increasingly, economies, especially advanced industrial and post-industrial economies, cannot maintain current growth levels and competitive market positions without the cyber infrastructure. The complexities of this infrastructure can be understood as a kind of ecosystem or cyber ecology, complete with its own species variation, environmental conditions, pathogens, and patterns of population growth and decline. For many, however, the Internet and cyber infrastructure is merely an interface to a computing machine to which instructions are given through a keyboard and from which information is retrieved and presented on a monitor. This gives the mistaken impression that the interaction is unidirectional: from the real world to the digital world.

[14] There have been claims by the US Department of Defense that the US military does not use the public Internet for anything other than unclassified, routine tasks. This is not entirely true. A considerable amount of classified data used by militaries around the world zips through cyber space alongside ordinary email and other data. The difference is that these organizations open encrypted tunnels through the public Internet which allow the data to reach its destination safely. An encrypted tunnel protects the confidentiality and integrity of the data in transit; it does not protect its availability, and the existence, timing and endpoints of the tunnel remain visible to the networks it crosses.

From this vantage point the cyber infrastructure is seen as purely a communications and information retrieval technology. But beginning in the mid-1990s the cyber infrastructure began to take on omni-directional characteristics: the digital world could interact with and control the real world. This adds the dimension of using the Internet and the cyber infrastructure as a control technology to interface with real-world objects such as manufacturing robots, sensors and other control systems. The computing machines that perform these tasks (not so different from a typical personal computer or email server) are called supervisory control and data acquisition systems, or simply SCADA. When SCADA equipment is 'plugged into' the cyber infrastructure, the host computer allows 'supervisory level' control of a remote site and can acquire data from that site. The bulk of the site control is actually performed automatically by control logic programmed into the equipment, which allows it to operate without human intervention according to predefined rules; the supervisory host intervenes to change setpoints, read back measurements and override the automated process. The diffusion and adoption of SCADA equipment accessible via the cyber infrastructure across sectors and industries is arguably the current growth stage in the evolution of the Internet as infrastructure. From a security standpoint this is the critical consequence of the shift: a compromised node that can reach such equipment no longer merely reads or alters data, it can act on the physical process behind it.

Diffusion of the cyber infrastructure

The global diffusion of the Internet can best be described as a hub-and-spoke formation where the hub is the United States and the spokes are the other parts of the world. Diffusion patterns are neither uniform nor symmetrical (Luke, 1998:120-122; CAIDA, 2001; Kirkman et al., 2002:11-12).
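The control dimension described in the SCADA discussion at the end of the previous section is easiest to appreciate on the wire. The following is an added example and not code from the dissertation: it builds and parses Modbus/TCP frames (a widely used SCADA protocol, chosen here purely as an illustration; the dissertation names no particular protocol) against a constructed toy outstation with two hypothetical holding registers. Modbus carries no authentication, so the toy outstation, like a real one, honours a write from any node that can deliver a well-formed frame; the register map, register meanings and values are constructed for the example.

```python
"""Added example (not from the dissertation): Modbus/TCP request and response
framing against a toy outstation. Register map and values are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

MODBUS_TCP_PORT = 502            # conventional Modbus/TCP port
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02


def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prefix a PDU with the MBAP header: transaction id, protocol id (0),
    length (unit id byte + PDU), unit id. Big-endian throughout."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(frame: bytes) -> Tuple[int, int, bytes]:
    """Split a frame into (transaction id, unit id, PDU), rejecting frames
    whose declared length disagrees with what was actually received."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0 or len(frame) != 6 + length:
        raise ValueError("malformed MBAP header")
    return transaction_id, unit_id, frame[7:]


def read_holding_request(tid: int, unit: int, address: int, count: int) -> bytes:
    return build_adu(tid, unit, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, address, count))


def write_single_request(tid: int, unit: int, address: int, value: int) -> bytes:
    return build_adu(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value))


class ToyOutstation:
    """Constructed outstation with a few 16-bit holding registers. As with a
    real Modbus slave there is no notion of who is asking: any peer that can
    deliver a well-formed frame gets the same answer."""

    def __init__(self, registers: Dict[int, int]):
        self.registers = dict(registers)

    def handle(self, frame: bytes) -> bytes:
        tid, unit, pdu = parse_adu(frame)
        fc = pdu[0]
        if fc == FC_READ_HOLDING_REGISTERS:
            address, count = struct.unpack(">HH", pdu[1:5])
            wanted = range(address, address + count)
            if any(a not in self.registers for a in wanted):
                return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
            values = b"".join(struct.pack(">H", self.registers[a]) for a in wanted)
            return build_adu(tid, unit, bytes([fc, len(values)]) + values)
        if fc == FC_WRITE_SINGLE_REGISTER:
            address, value = struct.unpack(">HH", pdu[1:5])
            if address not in self.registers:
                return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
            self.registers[address] = value      # no authentication, no authorization
            return build_adu(tid, unit, pdu)     # a successful write echoes the request PDU
        return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))


def decode_read_response(frame: bytes) -> Optional[List[int]]:
    """Return the register values from a read response, or None on a Modbus exception."""
    _, _, pdu = parse_adu(frame)
    if pdu[0] & 0x80:
        return None
    byte_count = pdu[1]
    return list(struct.unpack(">" + "H" * (byte_count // 2), pdu[2:2 + byte_count]))


def demo_unauthenticated_write() -> Tuple[List[int], List[int]]:
    """Constructed scenario: register 0 is a pressure setpoint, register 1 a
    pump-enable flag. A node that can reach the outstation rewrites the setpoint."""
    plc = ToyOutstation({0: 550, 1: 1})
    before = decode_read_response(plc.handle(read_holding_request(1, 1, 0, 2)))
    plc.handle(write_single_request(2, 1, 0, 900))   # from any node, no credentials involved
    after = decode_read_response(plc.handle(read_holding_request(3, 1, 0, 2)))
    return before, after


if __name__ == "__main__":
    print(demo_unauthenticated_write())
```

Run as a script, demo_unauthenticated_write() returns the register contents before and after the unauthenticated write. The practical check this illustrates is whether TCP port 502 (or whatever the control protocol in use listens on) on such equipment is reachable from the general network; if it is, the supervisory host is not the only node with supervisory control.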
The lack of uniformity can be explained by the high variance in the growth of the Internet around the world. It is asymmetrical because the various social and technological dimensions of Internet diffusion in any country vary in breadth, depth, rate and penetration. For example, some statistics point to an increasing number of hosts in a geographical region, but upon closer examination the vast majority of these hosts are likely personal computers whose primary use is limited to a few applications. This type of diffusion may be wide but it is not very deep. Deeper diffusion exists when critical infrastructures such as health, electrical systems, government services, manufacturing and production apply Internet technologies. Internet diffusion patterns globally remain profoundly uneven. Much of the cyber infrastructure is concentrated in North America, Western Europe and parts of East Asia. For example, many countries that are currently seeing rapid diffusion, such as much of East Asia, must still rely on peering relationships between large networks, called autonomous systems, that are concentrated in North America or Western Europe to achieve connectivity with the rest of the world. This reliance of periphery countries on the United States drives much of the international security politics of the Internet. Many governments are profoundly uncomfortable with the idea that their data traffic will often travel through distrusted cyber space in order to reach its destination.[15]

Regional diffusion patterns

Internet diffusion patterns in East Asia are unique. There is no other region where the variation in diffusion is as high. Singapore, Hong Kong SAR, Japan and South Korea represent typical cases where diffusion patterns are both broad and deep.
At the other end of the spectrum are several countries where there is virtually no use of the Internet, for example North Korea and Burma, and a variety of countries somewhere in between. In political terms there is a variety of regime types; in economic terms there is an equal range of systems and levels of development. There are additional differences that make this region unique when comparing cyber infrastructures and diffusion patterns. For example, Wong argues that "while Asian countries in the past have captured a disproportionately high share of global production of ICT goods, [they] have as a group been laggard in the adoption of ICT in comparison to non-Asian countries" (Wong, 2002:167). This lag means that North America and, to a lesser extent, Europe have a considerable advantage from an infrastructural perspective. The more interesting infrastructural disparities are the ISP, AS, prefix and address rows of Table 1.1 below.

[15] With regard to the politics of peering, it should be noted that an autonomous system can on its own cut off a country by refusing to carry its traffic. Such a refusal does not, by itself, stop traffic between computers attached to the affected networks; it removes the direct path, and the data will most likely be routed via other providers. This takes longer, but the data will eventually get there. This is the consequence of packet switching combined with distributed routing, and the reason the Internet tends to treat political censorship and other forms of control as a kind of damage and route around it. The caveat, which matters for the dependence argument below, is that routing around a refusal requires that an alternative path exist: a network or country that reaches the rest of the world through a single transit provider has no detour when that provider refuses it. For a very interesting example of peering relationships see <https://www.linx.net/www_public/our_members/peering_matrix/>. This table shows the peering matrix at the London Internet Exchange and nicely illustrates the complexity of Internet topology.

Beginning with autonomous systems (ASs are the largest networks, owned primarily by firms, that connect to each other to allow global connectivity), in 2001 about 59 per cent of the world's ASs were located in North America (NA). Thus, while NA had only 7 per cent of the world's population, it had a significantly higher proportion of the controlling infrastructure. Asia, with roughly 59 per cent of the world's population and the fastest cyber infrastructure growth rates, accounted for a paltry 11 per cent of autonomous systems. The imbalance is even more striking when the shares of routed prefixes and (IPv4) address space are compared.

Table 1.1 Static Internet diffusion by region (%)

Region        NA     Asia   EU     SA     Africa
Area          12     28     6      5      20
Population    7      59     10     3      13
GDP           27     35     24     3      3
Telephones    24     35     29     2      2
ISPs          75     9      13     1      1
ASs           59     11     23     2      0.5
Prefixes      69     8      12     2      1
Addresses     68     8      20     1      0.5

Source: Cooperative Association for Internet Data Analysis (CAIDA) (2001).[16]

It is easy to see why policy makers and strategic analysts in Beijing, for example, are eager to address this infrastructural imbalance. Simply adding more 'users' and nodes to the Internet in a country does not necessarily mean that infrastructure robustness will follow. This imbalance leaves the periphery dependent on the core and is at the heart of many of the international political disputes surrounding Internet governance.[17] This sense of imbalance is in part the impetus for calls from the international community that the US should relinquish control over the governance of parts of the Internet and allow it to be elevated to an international institution such as the United Nations (UN).
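As an added illustration, not from the dissertation, of the packet-switching idea introduced earlier in this chapter and of the routing-around claim and its caveat in footnote 15, the following Python models a constructed set of autonomous systems as a weighted graph and finds the lowest-cost path with Dijkstra's algorithm, treating a network that refuses to carry traffic as absent. The AS names, link costs and stub/transit labels are hypothetical, and shortest-path routing is a simplification of the policy-based (BGP) routing real networks use; it is enough to show the two outcomes that matter for the dependence argument above.

```python
"""Added example (not from the dissertation): shortest-path routing over a
constructed graph of autonomous systems, showing traffic routing around a
network that refuses to carry it, and the case where no detour exists.
AS names and link costs are hypothetical."""
import heapq
from typing import Dict, FrozenSet, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]

# Constructed topology (undirected; costs are hypothetical hop/latency weights).
# STUB-A buys transit from two providers; STUB-B is single-homed to TRANSIT-2.
AS_GRAPH: Graph = {
    "STUB-A":    {"TRANSIT-1": 1, "TRANSIT-2": 1},
    "STUB-B":    {"TRANSIT-2": 1},
    "TRANSIT-1": {"STUB-A": 1, "CORE-US": 2, "CORE-EU": 3},
    "TRANSIT-2": {"STUB-A": 1, "STUB-B": 1, "CORE-US": 3},
    "CORE-US":   {"TRANSIT-1": 2, "TRANSIT-2": 3, "CORE-EU": 4, "CONTENT": 1},
    "CORE-EU":   {"TRANSIT-1": 3, "CORE-US": 4, "CONTENT": 2},
    "CONTENT":   {"CORE-US": 1, "CORE-EU": 2},
}
# Stub networks do not carry traffic for third parties, so they are never
# used as an intermediate hop (a simplification of real routing policy).
STUBS = frozenset({"STUB-A", "STUB-B"})


def shortest_path(graph: Graph, src: str, dst: str,
                  refusing: FrozenSet[str] = frozenset()) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra from src to dst. Every AS in `refusing` is treated as having
    withdrawn, i.e. as absent from the graph. Returns (cost, path) or None."""
    if src in refusing or dst in refusing:
        return None
    best: Dict[str, int] = {src: 0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[int, str]] = [(0, src)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if node != src and node in STUBS:
            continue                      # reached a stub: it will not forward onward
        for nxt, weight in graph.get(node, {}).items():
            if nxt in refusing or nxt in done:
                continue
            candidate = cost + weight
            if candidate < best.get(nxt, float("inf")):
                best[nxt] = candidate
                prev[nxt] = node
                heapq.heappush(heap, (candidate, nxt))
    return None


def reroute_report(graph: Graph, src: str, dst: str, refusing: FrozenSet[str]) -> dict:
    """Compare the path before and after the `refusing` networks withdraw."""
    before = shortest_path(graph, src, dst)
    after = shortest_path(graph, src, dst, refusing)
    return {"before": before, "after": after, "cut_off": after is None}


if __name__ == "__main__":
    for stub in ("STUB-A", "STUB-B"):
        print(stub, reroute_report(AS_GRAPH, stub, "CONTENT", frozenset({"CORE-US"})))
```

When the US core network withdraws, the dual-homed stub still reaches the content network through the European core, at a higher cost; the single-homed stub has no path at all, because its only transit provider has no other way out. That second outcome is the periphery-on-core dependence the table above quantifies, and the reason "the Internet routes around damage" holds only for networks with more than one way out.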
Internet and computing security: situating the state

Accompanying this diffusion has been an increase in Internet security incidents that threaten the integrity and security of the digital networks that drive an increasingly digitized international system.[18] States, firms, civil society groups and individuals face uncertainties as their reliance on the Internet and its constituent components and applications continues to deepen. The nation-state in particular is in a unique dilemma, as it faces challenges to its autonomy not only from the overt spread of communications and information technologies but also to its traditional function of security provision. Covert challenges to national security from network intruders have increased steadily since the early 1990s.[19]

[16] An Internet Service Provider (ISP) is a firm that provides the 'last mile' connections for most home and corporate users to the backbones of the Internet. An AS is an autonomous system (defined above). Prefixes are the blocks of IP address space that autonomous systems announce into the global routing table. Addresses are IPv4 addresses, pools of numbers allocated to networks in each region.
[17] Internet governance, in general, falls well beyond the scope of this study. For more see Mueller (2002). The book provides an introduction to the role of the US in 'governing' the Internet as well as the role of epistemic communities and non-governmental organizations.
[18] I will use the term "Internet security" to refer to a set of issues that surround network integrity. The term "security" by itself will refer to the academic field of "international security", which can be thought of as a sub-field of International Relations. The term "computer security" will refer to the academic study of securing networks and computers, which draws from computer science and engineering.
The central theme or question in the International Relations literature with regard to the cyber infrastructure is: how does the state fit in? The short answer is: not easily. The long answer requires recognizing the multidimensional role that the state plays: as the object of increasing reliance on the cyber infrastructure, the protector of this infrastructure, the initial investor, the sometimes unwilling and at other times willing regulator, and of course a major beneficiary of these new technologies. The state can also be an obstacle, seeing this type of technology as a threat to its existence. The state is the ultimate, although often contested, source of authority in cyber space. While the Internet evolved to be self-governing and organic, it is still the state that has both the authority and the legitimacy to un-plug. But state capacity and autonomy in cyber space is not necessarily about extremes; it is more about the ability to allow the cyber infrastructure to grow and to take advantage of the resulting benefits while at the same time managing the risks of this dependence. Two brief illustrations of the differential effects of network intrusions are a useful starting point. First, consider the results of research on network intrusions at major firms in Western economies.[20]

[19] I will avoid the use of the term "hacker" when referring to those who perpetrate network intrusions. The term is an unfortunate casualty of media hyperbole. The term "cracker" is more apt in the sense that it captures the act of cracking the code to reveal vulnerabilities in machines which can then be exploited, either directly or indirectly, by a program called an "exploit". An "intrusion" will be used in this study to refer to a clear evidence-based case where a network or machine has been compromised. Furthermore, an "Internet incident" or just "incident" will refer to either an actual or an attempted intrusion by a human or machine.
F i r m s that p u b l i c l y announced security breeches lost an average 2.1 percent o f their market value - a U S $ 1 . 6 5 b i l l i o n loss on average i n market value - w i t h i n two days after report ing inc idents . 2 1 Increasingly the effects o f serious network intrusions are not restricted to the targeted firm. A f t e r the incidents are reported, the market values o f security firms spec ia l i z ing in the technologies to protect organizat ions in cyber space tend to go up on average o f U S $ 1 . 0 6 b i l l i o n (Husey in et al, 2002) . There are interesting questions, therefore, about report ing effects as opposed to intrusion effects not o n l y for firms, but states as w e l l . Second, consider a more tradit ional state-based national security target. B e g i n n i n g at some point in or around 1998 an extended organized pattern o f intrusions and p rob ing was discovered tak ing p lace against the Pentagon, major U S research labs, and other U S 22 mi l i ta r y sites. These incidents referreds to co l lec t i ve ly as " M o o n l i g h t M a z e " , i n v o l v e d the systematic reading and copy ing o f tens o f thousands o f files over an extended per iod . D u r i n g field research for this dissertation government of f ic ia ls from two other countries acknowledged s imi la r cases o f serious breaches against mi l i ta r y or h i g h l y sensit ive research sites - some or ig inat ing internal ly v i a a "trusted ins ider" others external ly f r o m 23 remote sites. U n l i k e the first i l lustrat ion, the costs associated w i t h this type o f Internet incident are very d i f f icu l t to quanti fy but are quite easy to conceptual ize . 2 0 A discussion of the tactics, strategies and techniques of system intrusion is well beyond the scope of this study. For more information see Denning (1990) for a good introduction to system intruders, hackers, crackers and culture. 
Of additional interest is The Knightmare (1994), which is a "how to" manual on breaking into computer systems. The book argues that system intrusions are sometimes more a matter of dumpster diving than technical mastery. See also "hacker" based websites: <http://www.phrack.org/>; <http://www.binrev.com/>; <http://vx.netlux.org/29a/main.html>; <http://www.2600.com/>; <http://www.rootkit.com/index.php>; and for more general security websites see <http://www.securityfocus.com/> and <http://www.securitypronews.com/>.

Footnote 21: For more on computer crime issues see <http://www.farcaster.com/sterling/contents.htm>.

Footnote 22: Some reports indicate accidental discovery.

Footnote 23: Confidential Interviews, August-September 2003.

Cyber infrastructure security incidents

The forms of conflict on the Internet can range from information attacks to the promotion of violent ideologies (Ballard et al, 2002:1007).[24] Adapting a cyber-incident typology used by Ballard et al to study cyber terrorism, there are four general types of Internet incidents or attacks. As noted in Table 1.2, an information attack is the use of the Internet directly or as a "force-multiplier" to alter or destroy systems or files. This is the most common objective and result of systems intrusions, and the primary concern for firms that rely heavily on the integrity of data files. Infrastructure attacks are designed to destroy or disrupt actual hardware in communications or control systems.[25] This category of cyber incident is often analyzed in conjunction with broader notions of critical infrastructure protection.
Table 1.2 Cyber Security Typology

Category                 Description
Information attacks      Altering, destroying, or stealing electronic files
Infrastructure attacks   Altering or destroying hardware, platforms, and control systems
Facilitation of attacks  Communications to plan attacks or facilitate non-Internet based activities
Disruption               Intention not to destroy or alter but to slow and frustrate

Source: Adapted from Ballard et al, 2002

Facilitation is the most common form of cyber incident that uses the Internet as a communications tool. By using such techniques as encryption via the WWW, email, anonymous ftp servers and Internet relay chat servers, the destructively minded can communicate for purposes of coordinating cyber or physical attacks. In East Asia, most incidents involve considerably less spectacular events than high-profile intrusions. I have added disruption to the Ballard et al typology to encompass a common form of cyber incident that can be even more costly to an economy than other forms of intrusion. Internet disruption includes the creation and proliferation of viruses and worms that are not necessarily designed to destroy or alter files and data. For example, firms that use an open mail relay on mail servers to flood the Internet with 'spam' can be classified as disruptions (Ortis and Evans, 2004:253-254). The frequency of Internet incidents - the attempted or actual compromise of nodes - by either direct human attacks or the creation of artificial attacks (viruses, worms and malicious bots) is steadily increasing. In the early 1990s this sparked the creation of computer emergency response teams (CERTs) around the world, which in theory are designed not only to monitor national incidents but to cooperate internationally with other CERTs.

Footnote 24: Large parts of this section appeared in Ortis and Evans (2003).

Footnote 25: For example, a process management system or supervisory control and data acquisition system (SCADA).
In East Asia, for example, there are thirteen nationally-based CERTs with loose regional coordination taking the form of an annual Internet response coordination conference. The US-based computer emergency response team (CERT/CC) published a report outlining both incident and vulnerability trends for the period 1990-2002, but these trends do not allow for motive or source of incidents. Table 1.3 shows a steady increase of incidents and vulnerabilities until 1998 and then a dramatic increase in 1999, 2000 and 2001. The kinds of vulnerabilities that networks face are also increasing. Despite a renewed effort on the part of software companies to control poor programming practices leading to costly holes in both network protocols and applications, software engineers believe that the number of incidents will continue to increase.

Table 1.3 US Reported Incidents and Vulnerabilities 1995-2005

Year   Reported incidents   Vulnerabilities reported
1995   2412                 171
1996   2573                 345
1997   2134                 311
1998   3734                 262
1999   9859                 417
2000   21756                1090
2001   52658                2437
2002   82094                4129
2003   137529               3784
2004   -                    3780
2005   -                    5990

Source: (CERT/CC, 2006)

The data do not show where these incidents took place and against whom. Not all cyber or Internet incidents are random or opportunistic events perpetrated by the archetypal anonymous intruder as conceived in the early and mid-1990s. In an increasing number of instances, the intrusion is deliberate and has a specific target in mind. A recent study by the security firm Riptech shows that the ratio between "targeted" and "opportunistic" system intrusions and attacks may be more even than previously thought. This indicates not just a quantitative difference but also a qualitative shift in the behaviour underlying Internet incidents.

Footnote: Encryption, both the science and politics of, is a vast topic unto itself. For the most part, this dissertation does not deal directly with the politics, international relations, and national security issues surrounding these technologies. This study does, however, presuppose some knowledge by the reader of the use of encryption in cyber infrastructure security. For more on encryption and the politics of code, see Ferguson and Schneier (2003) as a general introduction to the different algorithms. For a textbook introduction see Stinson (1995). One of the most frequently asked questions of the author of this dissertation during field work in Asia and North America was: has the US government (or their own governments) put secret "backdoors" into any of the most frequently used encryption algorithms? My response was invariably "I have no idea." Further to my field response, it should be pointed out that while some US government cryptography and encryption policies have been controversial, there is no evidence of secret backdoors or exploitable weaknesses. Users, however, should always adhere to community recommendations on safe encryption. Of course, the only known provably secure encryption technique is the 'one-time' pad. A one-time pad is provably secure in a certain academic sense. However, it is not practical for use in the cyber infrastructure because it needs long keys that can never be repeated, and if not used correctly in practice one-time pads can be very insecure because an individual can intercept the message and alter it without the intended recipient noticing - cautum intromit. The 'community' standards are: for secure hashing, SHA-256 (MD5 has been broken, SHA-1 is not far behind); for a block cipher, AES-128 or Triple-DES (with AES preferred), in either CBC or CTR mode; for private-key authentication, HMAC-SHA1; and finally, for public-key encryption and signatures, DH/DSA or RSA.
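The encryption footnote above makes two linked points: a one-time pad is provably secret yet an intercepted message can be altered without the recipient noticing, and private-key authentication (an HMAC) is the community answer. The following Python example, added here and not part of the dissertation, shows both halves on a constructed message; the message, pad, MAC key and the amount field that gets rewritten are all constructed for the demo, and HMAC-SHA256 stands in for the HMAC-SHA1 the footnote lists.

```python
"""Why the encryption footnote pairs a cipher with a MAC: a one-time pad hides
content perfectly but does nothing to stop undetected alteration in transit.
Added example; the message, pad and keys below are constructed for the demo."""
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """XOR each byte with a fresh pad byte. The pad must be truly random,
    at least as long as the message, and never reused."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


def otp_decrypt(pad: bytes, ciphertext: bytes) -> bytes:
    return otp_encrypt(pad, ciphertext)  # XOR is its own inverse


def alter_in_transit(ciphertext: bytes, offset: int, believed: bytes, replacement: bytes) -> bytes:
    """The footnote's caveat, made concrete: whoever can rewrite the ciphertext
    and knows (or guesses) the plaintext at `offset` can make it decrypt to
    `replacement` without the pad, because XOR-ing with (believed ^ replacement)
    flips exactly the plaintext bits that differ. The OTP itself reveals nothing."""
    if len(believed) != len(replacement):
        raise ValueError("replacement must be the same length as the bytes it overwrites")
    out = bytearray(ciphertext)
    for i, (b, r) in enumerate(zip(believed, replacement)):
        out[offset + i] ^= b ^ r
    return bytes(out)


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC over the ciphertext, keyed independently
    of the pad. HMAC-SHA256 here; the footnote lists HMAC-SHA1, same construction."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def unseal(mac_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the ciphertext only if the tag verifies; reject before decrypting.
    compare_digest avoids leaking the tag through comparison timing."""
    if len(sealed) < TAG_LEN:
        return None
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext if hmac.compare_digest(tag, expected) else None


def demonstrate() -> dict:
    """Run the unauthenticated and the authenticated case on a constructed message."""
    message = b"PAY 0100 USD TO ACCOUNT 42"        # constructed sample message
    pad = secrets.token_bytes(len(message))        # fresh pad, used once
    mac_key = secrets.token_bytes(32)              # separate authentication key
    ciphertext = otp_encrypt(pad, message)

    # 1. Pad alone: the amount field (bytes 4..7) is rewritten in transit and the
    #    recipient decrypts a different message with no sign anything changed.
    altered = alter_in_transit(ciphertext, 4, b"0100", b"9900")
    recipient_sees = otp_decrypt(pad, altered)

    # 2. Pad + HMAC: the same alteration invalidates the tag and is rejected.
    sealed = seal(mac_key, ciphertext)
    altered_sealed = alter_in_transit(sealed, 4, b"0100", b"9900")

    return {
        "sent": message,
        "recipient_sees_without_mac": recipient_sees,
        "forgery_accepted_with_mac": unseal(mac_key, altered_sealed) is not None,
        "genuine_accepted_with_mac": unseal(mac_key, sealed) == ciphertext,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value!r}")
```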
It appears to affirm the CERT/CC results presented in Table 1.3 that attacks are increasing in both frequency and magnitude (Belcher et al, 2002:13). The Riptech results are suggestive even if the methodology of its study is rather obscure. It is very difficult to differentiate targeted from opportunistic intrusions. It is equally difficult to pinpoint the origin of an attack, even when employing a combination of passive and active tracing. Specific industries suffered significantly different rates of attack, measured both by intensity and severity. Financial services, media/entertainment, technology companies and power and energy enterprises showed the highest number of attacks per firm, with each averaging more than 700 attacks per case over a six-month period. A top-tier group of countries was the source of the vast majority of the attacks. Attacks originating from the U.S. accounted for 30%, from South Korea 9%, and finally China 8%. East Asian countries populated half of the top ten in this category.

Objectives and limitations of study

This study examines the relationship between rapid Internet diffusion and the emergence of new threats, the digitization of traditional threats and new security actors that are beginning to take advantage of the ability to act at a distance using the cyber infrastructure. I will introduce the securitization-desecuritization puzzle and its application to the Internet's impact on security. In particular, by examining the emergence of new threats, the digitization of traditional threats, and new security actors, I will assess why some Internet security issues make it onto state security agendas while others do not. A main argument in this study is that approaching the Internet's impact on security through the prism of the Internet as a communications medium largely ignores its other dimension - the ability to act from a distance.
My objective in this study is to put forward a node-based level of analysis allowing for a contribution to the 'broadening of security' project that has occupied much of International Relations recently. As opposed to a "network" or "state" level of analysis, a compromised-node framework grounds the research in the technical realities of the Internet that are often overlooked or misunderstood. Finally, I assess these findings against the securitization-desecuritization puzzle in an attempt to understand the linkages between the existential threats posed by the Internet and the performative acts that articulate Internet security issues in several states in East Asia. To do this, the study is broken down into two parts. Part One will characterize cyber infrastructure security incidents from an international perspective. A quantitative analysis is used to assess claims that there are links between cyber infrastructure events cross-nationally and socio-political instabilities. The roles of state capacity and stability are the primary concepts through which the research situates the state in what I will argue is an emerging virtual realism in the cyber infrastructure. Part Two examines the role of cyber infrastructure events more closely by directly examining the non-state and state actors engaged in competitive defensive-offensive strategies. This is interesting because it examines the manner by which states in East Asia 'see' security when confronted with a non-traditional security issue - one that is often treated as a more traditional, often territorially based threat. Chapter two begins by providing a general introduction to the theoretical issues and the central problem that are the focus of this study: the relationship between Internet based threats, the digitization of traditional threats and the new security actors. The analytical framework and problem under study here are somewhat unusual in International Relations.
Given this, a significant amount of the following chapter is devoted to situating this study within the recent literature and outlining the general problem of increasing Internet security incidents globally. As will be shown below, this study explores security and the cyber infrastructure from the perspective of the compromised node rather than that of the system, state, or network levels of analysis.

Chapter Two: Theorizing Cyber Infrastructure Security

Introduction

This study examines the relationship between rapid Internet diffusion and the emergence of new threats, the digitization of traditional threats and new security actors that are beginning to take advantage of the ability to act at a distance. This chapter begins by suggesting that technology is treated differently in International Relations than it is in other modes of social inquiry. The chapter then moves to a discussion of the dual notions of security in cyber space by making the distinction between Internet technologies as a mode of communications and a mode of control - a control technology that allows security actors to act from a distance. This ability to act from a distance is influencing a territorialization of the cyber infrastructure along geopolitical lines and how state actors understand or 'see and perceive' security in cyber space. A key issue is what states see as the referent object of security. Is it geographical territories of information spaces, networks, or individual nodes? The chapter concludes by arguing that a virtual realism is emerging in a digital environment where the gap between threat perception and reality is widening. Explicit empirical claims are being made which link cyber infrastructure instabilities to geopolitical spaces, even though the threats from the cyber infrastructure originate from both state and non-state actors.
The question that emerges for state actors is: can the constructs of security in the cyber infrastructure be changed or adapted enough to meet these challenges? Here the chapter introduces the idea of an adaptation space and argues that cyber security incidents and threats are best understood as coevolutionary competitive processes.

Studying the social impact of the Internet

The literature and debate surrounding the impact of the Internet on human behaviour covers numerous fields and disciplines. In many ways the study of the Internet or cyber infrastructure and social systems has grown out of the study of technology in general and the impact of computers and telecommunications more specifically.[27] Debates over the impact of technology on social, political and economic systems often boiled down to utopian versus dystopian perspectives, community versus social isolation, or modernity versus post-modern ideas and their associated claims of the death of modernity and the rise of a post-industrial landscape. Because of this intellectual legacy, it is worth summarizing the key debates and questions raised in this literature in order both to better situate the state in its 'place' in the evolution of the infrastructure and to review how this has been approached by scholars in International Relations. The role of technology in the transition from the industrial world of the twentieth century to a post-industrial twenty-first century is a central theme in the scholarly work that deals with the impact of technology on society. For example, Daniel Bell's research on the post-industrial economy highlighted theoretical and conceptual issues revolving around the emergence of an 'information society'.
This concept challenged dominant theories in sociology and economics which were still using the idea of an 'industrial society' to frame research questions. This academic debate over the transition into an 'information society' has informed a number of competing perspectives on the political and economic implications of the cyber infrastructure (Bell, 1999; Miles, 1996; Castells, 2000). Research on the impact of technology has an intellectual lineage, and the studies that it produces are often critiqued for not including the political and economic factors that feed back into the evolution as well as the initial impact of technology. An empirical case can be made that technologies, like the emergence of a cyber infrastructure, make a linear difference simply by shaping patterns of reliance and dependency (Rochlin, 1997), accelerating and enabling globalization (Castells, 2000) and by creating domestic political issues of access to technology and privacy (Dutton, 1999). The impact of technologies such as the Internet also concerns scholars in Communications who ask more basic questions of certain applications of the Internet such as the World Wide Web (WWW). For example, are there inherent biases to electronic modes of communication? Are electronic modes somehow inherently more democratic than older forms of media and modes of communication? Visions of cyber democracy have been promoted since the 1960s, with each new media form renewing debate over the opportunities and threats posed by technology in democratic institutions (Deutsch, 1959, 1963).

Footnote 27: See for example Mesthene (1969) and de Sola (1977:1-9).
A key question in this literature is: what are the factors that are important to electronic democracy in areas like government, politics, and the infrastructures of public access to information (Dutton, 1999:173-202; Castells, 2001)?[28] The changes in government and public service delivery have become a focus of policy at many levels and across states.[29] Inventions like direct democracy, for example, are now an accepted topic for experimental policy, and with them comes an increasing reliance on the cyber infrastructure.[30] The debates in the social sciences seem to shift continuously from deterministic perspectives to technological and organizational paradigms of the networked society (Freeman, 1996; Hiltz, 1978; Teich, 1999; Shapiro, 2000). Questions relevant to students of political science and international relations have also been addressed. For example, to what degree are political vicissitudes designed into technology? Is policy embedded in technology? What variables affect their development and diffusion? How can we study the shaping of technological change? This is where the treatment of 'technology' in general, and the cyber infrastructure more specifically, is different in International Relations when compared to other fields of social inquiry.

Footnote 28: See also Laudon (1977), and Becker and Slaton (2000).

Footnote 29: This is especially true in countries such as Canada. There, the federal government has been quietly moving as many services to the WWW as possible (i.e. employment insurance, taxation, human services, and so on). For more see the main portal to the Government of Canada at <http://www.canada.gc.ca>.

Footnote 30: For more on governing and public service delivery in the 'information' age, see Bellamy and Taylor (1998), Raab et al (1996), Tsagarousianou, Tambini, and Bryan (1998), and Taylor et al (1999).
Instead of the utopian-dystopian frameworks, International Relations treats technology as enabling or disabling international actors and processes. It can enable non-state actors like organized crime and civil society groups or enable process-based phenomena like globalization. Specific collections of technologies like the cyber infrastructure can also disable actors like the state or individuals.

International Relations[31]

Consideration of the cyber infrastructure is not entirely new to the study of International Relations. Since the early 1990s there have been continuous efforts to address the effects of the Internet and other information communications technologies on international politics (Latham, 2005; Herrera, 2002; Rosenau, 2002, 1998; Singh, 2002; Deibert, 1997; Papp and Alberts, 1997; Zacher and Sutton, 1996; Frederick, 1993; Krasner, 1991). Long before the broad diffusion of computing, scholars have debated the impact of science and technology on national security (Deutsch, 1959). Technological innovation and transference was seen as an important factor in order to understand change - primarily as a result of war (Gilpin, 1981). More recently, this focus began to shift toward the Internet and computing and its consequential impact on international order and security (Deibert, 2002a; Arquilla and Ronfeldt, 2001; Keohane and Nye, 1998; Castells, 1998; Mathews, 1997).

Footnote 31: Throughout this study I will use the upper-case "International Relations" when referring to the academic discipline and the research therein. A lower-case "international relations" refers to actual relations between modern states and events that take place in the international system.
From the earliest theoretical explorations it was recognized that the growth of information technologies would bring about some sort of transformation. James Rosenau pointed out that there are profound shifts taking place in the international system but "students of global politics have not begun to take account of transformations at work within societies" (Rosenau, 1997:17). Falling marginal costs, the spread of digital technologies and the rise of network forms of organization have all contributed to the rapid diffusion of the Internet, which in turn has fed back into and spurred the former (Singh, 2002). But several research questions surrounding the impact of the cyber infrastructure and IR theory remain, not least of which is, as Robert Latham puts it: should "fields like International Relations provide theories for the formation of global [cyber] infrastructures" (Latham, 2005:146)? Latham, the former director of the US Social Science Research Council's Information Technology and International Cooperation Program, argues that the "crucial factor in thinking about the infrastructure logic of the Internet is the relations among networks" (2005:149). Latham makes a kind of level of analysis distinction between the network level and the internetwork level (2005:173). Ultimately then, the starting point is not necessarily international politics or international system processes but the infrastructure logic itself - though it should be noted that the ultimate goal is to work up to the former from the latter.
If social meaning, laws, norms and behaviour are not defined at the aggregate level of the inter-networking process that is constantly occurring in the cyber infrastructure, then "the form and character of the Internet will be a function of (1) the interaction of the information and purposes of the networks and organizations that compose it; and (2) the patterns of aggregation [which] favor concentration and power via back-bones and hubs" (Latham, 2005:174). Herein lies a flip-side to Herrera's notion of indeterminacy (discussed below) - the logic model put forward by Latham seems to suggest that the evolution of the Internet did not really have an overarching social purpose or rationale built into it, and thus is open to contestation of many purposes by all actors in the international system. Latham's model is useful in exploring the historical evolution of the infrastructure, especially the interconnectivity between states, but brings researchers in international security studies only incrementally closer to a modus operandi for a working theory of the cyber infrastructure.[32]

Theorizing the cyber infrastructure and International Security

As the Internet has evolved over the last decade its impact on security has been multidimensional and controversial. Threats from cyber space have garnered much popular speculation in the media. The speculation is sometimes insightful but often prone to hyperbole. Scholarly research on the subject has generally employed two distinct approaches. The first is to assess the security implications on technical-behavioral grounds. The second is to understand the way the problem is rhetorically framed and how it is eventually perceived through discourse. Ralf Bendrath has argued that most researchers working in the social sciences have chosen to work the ground of the latter rather than the former.[33]
This is not surprising given the background required to build research designs to explain a very technically driven set of security dilemmas (Bendrath, 2003:52-53). Immediately after World War I it became clear that technological change and war are closely related and that many technological advances come as a result of military requirements demanded by the state (Ogburn, 1949). The work of Karl Deutsch, beginning with research in the mid-twentieth century, with its rich quantitative research and ground-breaking measurement of information flows, serves as a starting point (Deutsch, 1963, 1966).

Footnote 32: To be fair, this was not the purpose that Latham (2005) set out for in this particular line of his research. Latham appears to be after a kind of genetic logic of the infrastructure which could then help explain the scale-up problem. Here, Latham draws heavily on Metcalfe's theory of network effects, $V = N^2$, to illustrate an underlying logic of interconnection between states. Briefly, Metcalfe's formulation suggests that the value of a network (V) is equal to the number of nodes (N) connected to it. The number of nodes (N) is squared in order to capture the maximum amount of interaction between nodes. Latham builds onto Metcalfe's formula by adding the interaction of information (I) to a network to get $V = N(I)$. Thus, Latham's modification can better account for the reality that not all network interactions are maximized (2005:158-161, 171). This relationship sits at the core of Latham's attempt to explain transboundary internetwork formation. The question of how transboundary connections scale up, however, remains elusive because, as Latham admits, the logic of infrastructure formation appears to be ill equipped to move beyond the network level of analysis (2005:173).

Footnote 33: This interdisciplinary or transdisciplinary problem produces a tricky pedagogical dilemma: how to train
Deutsch approached the subject of technology and security cautioning against the overestimation of its potential impact on international politics without first systematically observing technological change itself (1959:669-670, 680-681). For Deutsch, technology played a subordinate role to politics. He concluded that the state's capacity to deal with subsequent national security problems would likely adapt and evolve over time. By the late 1960s and early 1970s theories of war and conflict in International Relations began to draw heavily from Geography. Geopolitical theories suggested that as technology both develops and diffuses throughout the international system - together with other factors such as population growth - states would begin to seek greater access to resources and as a consequence the likelihood of armed conflict would increase. But the impact of technology always appeared to be a two-way street: the potential for conflict along with possibilities for peace. Even at this early juncture, electronic communications and computing technology were beginning to 'blink' faintly on scholarly radar. Quincy Wright, who underscored the association between political and technological change and its impact on war, postulated that technology narrowed the communication distance between societies. Technology becomes an important 'factor' in understanding the growth of state power; technology therefore has the potential to contribute to both the growth of states and the shrinking of distance between peoples, but it also increases demand for more resources. In other words, for Wright and others technology makes it more necessary that conflict be resolved through means other than war (Cohen, 1973:28-32). Two groups of general arguments that emerged in the late 1990s are relevant to this study.

Footnote 33 (continued): students in the social sciences who generally have very little background in computer science or engineering? See Nielsen and Welch (2003).
The first sees the Internet and information technologies as a type of fundamental change that is rendering the state less capable of managing security. As an example, Rosenau attempts to situate technology and its transformative capabilities when looking for a causal dynamic in broader processes like globalization. He writes "it is technology that has profoundly altered the scale in which human affairs take place ... it is technology in short, that has fostered the interdependence of local, national and international communities" (Rosenau, 1990:17). If technology is an important driving force behind processes like globalization, then the Internet 'fits' into the etiology by reinforcing and enabling its effects such as undermining governments and state borders. Information flows freely and information is power. For Rosenau the Internet has helped to trigger a long process of change, by which the lines between nation-states are currently fragmenting, a process that could play out toward the emergence of what he calls spheres of authority (SOAs). Thus, by implication, it appears that state-centric models alone can no longer explain international phenomena. If state-centric models of security are less powerful, is there something more appropriate to replace or supplant them? One such effort by Ron Deibert compares four competing images of security in the context of rapid Internet diffusion: private security, state security, national security and network security (2002). The preservation of information between communications and control systems like the Internet becomes more important than state-centric perspectives and instead favors a network-centric "image" of security. Arquilla and Ronfeldt, while not after a new level of analysis for International Relations and security studies, support similar network-centric ideas of what constitutes security (2001, 2003).
Deibert, Arquilla and Ronfeldt have this in common: the Internet has the inherent capability of increasing state vulnerability. For Deibert, working in an activist mode, this is a good thing which represents a window of opportunity to use the Internet's unique architecture to develop applications that circumvent state control. For Arquilla and Ronfeldt, this could be a bad thing. Arquilla's most recent openly available work with the US Navy at the Monterey Institute is designed to protect the state and its agencies from the darker side of the Internet by finding ways to defeat cyber adversaries, be they other states or non-state actors (Arquilla, 2001, 2003). The most important commonality in this vein of the literature is the observation that there are an increasing number of actors that have been enabled by information technologies. The Internet and its constituent components and applications have increased the importance of non-state actors in matters of national and international security. The assumption here is that these actors become both challengers and new providers of security, usually because they have adapted to the new network environment faster than state institutions and organizations (Pool, 1990; Castells, 1998; Arquilla and Ronfeldt, 2001; Deibert, 2002; Deibert and Stein, 2003). Still, an even stronger form of this argument, although increasingly in the minority, suggests that the rise of the "virtual state" and the primacy of network forms of organization mean a decline in state-to-state violence and a gradual reduction in the role of state-based security provision (Rosecrance, 1996).
This reduction, however, comes with the potential for an increase in non-state violence directed either at the state or at other non-state actors, or both. It is important to emphasize that the perspectives in the previous theoretical "camp" do not necessarily predict the demise of the state. Rather, the changes brought about by technologies such as the Internet require a re-thinking of the strict state-centric models of security. This is not a new mantra in International Relations. The second group of perspectives on the Internet and security picks up where the more abstract theoretical discussions of the former group leave off. In contradistinction to the first group, the second approaches the problem of security by first considering the technological environment in which these contending forces play out and their potential to affect and effect real, physical spaces. Their general conclusion is that Internet-based security threats are over-blown. An example is the argument that Internet-enabled security issues like cyber terrorism are simply "synthetic issue[s], easily correctable, and not deserving of the attention forced on the public by the press and would-be solution mongers" (Desouza and Hensgen, 2003:386). The security purist here would contend that unless the instruments of the cyber world can be used as the primary tool to cause direct damage, it cannot be considered part of hard security threat environments and, more broadly, a direct threat to national security (Libicki 1997, Denning 2001, Desouza and Hensgen, 2003:386). Internet based threats do not yet have the capacity to kill - in large numbers - but they can certainly cause great economic damage (Bendrath, 2003; Denning, 2003).
Others make similar arguments that the potential uses of cyber warfare by the state and cyber terrorism by non-state actors do not constitute a real threat to security or, at the very least, that these network-based threats are overstated (Embar-Seddon, 2002). But a closer examination of both the definitions commonly employed to form typologies of cyber terrorism and their prognostications for the potential for acts of cyber terror reveals that the infrastructure, at present, would be used more as a potent force multiplier than as a method for directly causing death and destruction (Ballard et al., 2002:990-993). Uses of the cyber infrastructure by anti-state forces aim to achieve a means to an end by facilitating terror activities in an environment where the state security apparatus appears flat-footed and weak (Stanton, 2002). Here the state is not just an imperfect actor; it is an incompetent one.

Dual notions of cyberspace and security

The key here is to view this new environment and its constituent technologies as both a communications and a control technology.[34] Students of International Relations, especially of security studies, should appreciate this distinction and thus the historical uniqueness of these technologies. Never before has the ability to remotely control material objects rested with so many. The Internet allows ordinary individuals to possess a capability that was once the domain of the state or of very wealthy individuals, often connected in some way to the functions of the state: the capability to destroy remote locations. This levelling of the playing field using the cyber infrastructure raises important questions, not least of which is: in an era of growing cyber technologies, does the idea of security also enlarge and change for the state?

Analytically, should the state be considered an object of security or a provider, or both? The broadening of security to incorporate the Internet and 'cyber space' must be more than adding technology and then stirring. Treating the cyber infrastructure as a new dimension or layer of international security requires a new framework to address it. Merely adding a layer, a cumulative analytical process, keeps technology like the Internet an exogenous variable without allowing for a new assessment of the referent objects and providers of security. A more extreme analytical stance would see the state taken out completely as the new/old questions about security, "for whom?" and "what is being secured?", are reduced to "what and where is the threat?". The more careful analytical approach would be to remain open to a broadening of the notion of security but keep the focus on empirical evidence and on the state as the referent object. There are good reasons for this. First, very little is actually known about the 'real' threats to cyber infrastructures themselves. A who's-who list of both state and non-state actors has been identified as having malicious or threatening intent, ranging from bored teenagers to other states. The result has been a wide gap between threat perception and reality. Claims made regarding threats often pay little or no attention to the infrastructure itself. Can the technology really facilitate such threats? Is the infrastructure itself becoming more amenable to actors who wish to use it as a platform? How would we know if more of the infrastructure's nodes were being compromised by new or old security actors? Critical infrastructure protection is another dimension of the Internet's impact on security, and here again one that finds similar theoretical polarities.

[34] On the historical evolution of communications technology versus control technology see Hall (2000:22-31).
For example, Lewis's analysis of critical infrastructure vulnerabilities from Internet-based attacks used a unique methodological approach to compare infrastructural vulnerability issues with routine failures in the past, drawing from the strategic bombing literature. He argued that computer network vulnerabilities are an increasingly serious economic problem but that their threat to national security has been vastly overstated (Lewis, 2002).[35] Critical infrastructures, especially in market economies, are more heterogeneous, making them less vulnerable to Internet-based attack. In most cases, Lewis argues, cyber attacks are less effective and less disruptive than physical attacks. Their only advantage is that they are cheaper to carry out (2002). What Lewis fails to account for is that under increasing free market pressure much of the cyber infrastructure is beginning to concentrate and centralize. This is an unexpected result of the externalities of market economies: instead of many smaller infrastructure stakeholders (the embryonic stage of the Internet) there are now fewer, larger owners of national cyber infrastructures (the current stage of the Internet). Geoffrey Herrera's argument more clearly illustrates the hesitation in the literature. For Herrera, as the Internet continues to evolve it will slowly reduce both relative state capacity and autonomy (Herrera, 2002). Herrera frames this process as relative to other actors but attaches an important caveat: the real effects of Internet diffusion, he argues, are actually quite indeterminate for two reasons. First, the technology itself is far from complete; and second, the technology itself is "inextricably intertwined" with politics (2002:120-121).

Herrera argues that increasingly transnational efforts to deal with the problems posed by insecurity in the digital world will be developed.[36] Responding, in part, to the first group of perspectives reviewed above, Herrera and others have grown increasingly frustrated with theories that fundamentally misunderstand the nature of the digital environment and in doing so assume prematurely that the architecture is beyond the reach of state-based organizations to control and regulate. This, they argue, is not the case (Herrera, 2002; Lessig, 1999). This perspective appears to echo Deutsch's much earlier observation and caution regarding the state's ability to cope with technological change. The state is adapting its role, however slowly, as supreme provider of security in the digital world (Fountain, 2001).

[35] For example, Matthew and Shambaugh (2005) use network theory to study the ways in which networks limit the breadth of non-traditional challenges to state security. It is resiliency, they argue, that favors the defender and, past a certain threshold, actually hinders the coordination of attacks. Matthew and Shambaugh conclude that over the long run, challenges to state security from various non-traditional and traditional network-based threats such as cyberwarfare, infectious diseases and terrorist strikes are overstated.

[36] There is increasing evidence to suggest that Herrera may indeed be correct. A recent example from the Asia region is the 12-nation multilateral talks taking place in Australia in June 2004. These meetings, involving countries from Europe and North America, are laying the groundwork for increasing inter-governmental cooperation on Internet security issues like critical infrastructure protection and cyber crime.

The Return of the State

The starkly defined positions in both the theoretical and policy literatures miss an important development in international relations: the Internet has gone through, or is currently going through, a period of "securitization" (Eriksson, 2001a and 2001b; Williams, 2003). It is becoming an infrastructure in its own right (Denning, 2003; Bendrath, 2003).
In this sense, cyber infrastructures are physical things that have a territorial existence. The securitization of the Internet means, among other things, that the state and other actors see threats to the cyber infrastructure as originating from "outside" their territory, even if the threats often originate from within. In geo-strategic terms the Internet actually becomes an invaluable "overlay" on geography (Gray, 1996a:251-252; 1996b:276). Threats from the Internet and to the Internet are no longer associated with the stateless cyber geographies of the "hacker" but with real, often geopolitical, territories. The result is the territorialization of the cyber infrastructure along geopolitical lines, and of how state actors understand it. Many governments are beginning to frame the problem within the context of territorial integrity and therefore assume that technology does not make geography irrelevant, a distinct shift from the thinking of the early to mid 1990s. This territorialization of the cyber infrastructure and the subsequent responses to threats to information territory herald the emergence of virtual realism.[37] Virtual realism means that states treat threats to and from the cyber infrastructure in a more traditional manner. Almost every country makes some sort of commitment to constructing information infrastructures that are considered empowering.

Yet states are at some level aware of the potential danger that the growth of the cyber infrastructure produces negative externalities and therefore look for ways to regulate this space. Virtual realism mirrors the precepts of IR realism. Virtual realism assumes the worst: that international relations, where the cyber infrastructure is concerned, are fundamentally conflictual. In cyber space, states seek to maximize national interests, and the primary actors are, in the end, other states. The structure of cyber space strongly informs the behaviour of states, acting as both an enabler and a restrictor. International institutions that inform and influence the cyber infrastructure are important actors in and of themselves, but they are reflections of states pursuing their own interests. A priori, then, the various institutions and mechanisms that have shaped the cyber infrastructure are only relevant in the sense that states have just begun to take an active interest in them. This is an important insight for this study. The nature of the infrastructure is such that traditional approaches to security studies, because of their territorial orientation, meet with mixed results. This is, of course, due to the digital environment: network intruders can appear to be originating from anywhere, and then from nowhere. Yet there have been cyber infrastructure security constructs that rely heavily on the link between territory and threat. These constructs, or ideas of security threats, come from state actors and corporations that supply cyber infrastructure security knowledge and information to policy makers. One example is particularly stark. During a recent conference on cyber infrastructure security held at the Oxford Internet Institute (OII) in February 2005 an interesting development in the discourse on cyber security emerged. DK Matai, the executive director of mi2g, a private company that specializes in cyber security and intelligence gathering, gave a talk in which the claim was made that there are links between cyber attacks and 'real' world cross-national factors. Drawing on mi2g's proprietary databases and research, Matai argued "when we [mi2g] overlay digital attack data with physical attack information, interesting patterns begin to emerge." The patterns, according to Matai, link aggregate socio-political features of states, such as regime type and stability, to the preponderance and timing of cyber attacks and infrastructure instability. He went further, arguing that the "higher the number of digital attacks originating per capita the greater the political and social instability in that country. Russia, Turkey, Brazil, Saudi Arabia, Egypt, Morocco and Pakistan all fall into this category" (Matai, 2005). This study returns to empirically assess this conjecture in later chapters using non-proprietary large-N data. The security of the cyber infrastructure is often a confusing mix of threat perceptions and rhetoric combined with underlying uncertainties surrounding the growth and evolution of the technologies used in the infrastructure. International Relations does have some theoretical tools that can be applied here. The Copenhagen school first introduced the idea of securitization in the early to mid-1990s (Buzan, 1991; Waever, 1995).

[37] Michael Heim (1998) appears to be the only one to use the term virtual realism. Heim's concept is based on an artistic interpretation of utopian (idealist) and dystopian visions of virtual reality. It is not, as far as I can tell, based in IR or political realist thought. Heim argues that there should be a balance between the cyber idealist's enthusiasm for computerized life and a deeper grounding in primary reality. This "uneasy balance" he calls virtual realism (Heim, 1998). I cannot find this term in the IR and Political Science literature, after having searched my own files, online databases of journals, and the ISA conference paper archive.
Here security is an idea that is rhetorically articulated rather than just existing as a material thing. An existential threat is usually presented as identified or discovered, rather than as constructed in a particular way, and this can then be followed by the action(s) required to protect against the threat, sometimes justifying the use of extraordinary measures. The utility of this approach when applied to the Internet and security is that it allows for a more precise articulation of perceptions of Internet threats in security relations. The approach is very close to both Deibert's notion of security images and Bendrath's exploration of memetic change and evolution in the rhetorical uses of "cyber security". Similar to Williams' general conclusions on security studies, the process of securitization of the Internet has fused the political with the "production" and "transmission" of Internet security images. Therefore, studying the Internet's impact on security requires more than a focus on speech-acts or network security images. It requires that efforts be devoted to understanding the mediums and structures themselves (Williams, 2003:512). Returning briefly to the two "camps" discussed above, Deibert, Herrera and Bendrath, while arriving at differing conclusions, share this indeterminacy of threat ideas that are tied to the infrastructure. The crucial issue for securitization theory and the Internet's impact on security is assessing the links between the "performative" acts and the existential threats themselves (Williams, 2003:526). In other words, threats to the cyber infrastructure are often constructed in a particular way, as threats to national security as opposed to economic or individual security. This, in turn, allows governments to securitize rather than criminalize cyber infrastructure incidents and also expands the range of policy tools that can be employed against potential threats.
Internet-based threats are more prone to securitization than traditional threats because they are difficult to understand, hard to measure, and even harder to anticipate. This uncertainty is the central conundrum that motivates the exploration of the two dimensions of cyber infrastructure security chosen for this study. The first dimension is the distribution of compromised nodes. This is essentially a look at the structural or global network environment in order to examine the distribution of threats cross-nationally and within a particular regional security context. The second dimension seeks to assess the threats posed by non-state or uncivil society actors. Here the study continues in the East Asian security context to look at the digitization of transnational organized crime. This is particularly useful because it allows for a better understanding of how state capacity is responding to a specific group of Internet-enabled non-state actors, a group that some have argued should be viewed as a threat to security because of their rapid adaptation to the cyber environment. In short, as opposed to viewing cyber infrastructural security as either a strictly territorial or a strictly non-territorial problem, the technology has created security dilemmas that exist as both simultaneously. This idea of a duality in the impact of 'cyber space' on security is close to Herrera's notion of an emerging "double-move" in international politics. Herrera argues that one can "observe in international politics today a simultaneous double-move: the territorialization of cyberspace and the deterritorialization of state security. In other words, the claims for the placelessness of cyberspace are overstated. This double-move is neither inevitable, nor necessarily desirable. But it is clearly in evidence in contemporary world politics and its existence exposes the fallacies of traditional ways of thinking about technology and its relationship to international politics" (Herrera, 2006:2). This thesis will argue that there is indeed a territorialization of the cyber infrastructure, but that this has not necessarily changed the way states 'see' security, nor does the cyber infrastructure require a complete, as Herrera puts it, "deterritorialization of state security" (2006). In other words, there is both a simultaneous deterritorialization and territorialization of security in the cyber infrastructure, not one or the other.

Coevolutionary competitive processes and compromised nodes

Regardless of where one is positioned in the debate, it is safe to assume that the Internet brings some sort of pressure to bear on the functions of the state: i.e. to provide national security, to regulate economic activities, and to protect and promote civic and moral values. Clearly individuals have access to a wealth of information and influences, more so now than at any other time in human history. Various applications of the Internet are responsible for this process. Electronic mail, databases, and the World Wide Web (WWW), to name only a few, have all contributed to the relative decline in the capacity with which the state can protect and promote civic and moral values and control information. The contemporary escalation of incidents and the vast array of technologies and strategies being developed and deployed by states, firms, civil society groups, and individuals to combat the problem of compromised Internet nodes would have shocked early Internet pioneers. Firewalls, intrusion detection systems, network telescopes, artificially intelligent servers and topologies, self-healing networks, honeynets, and biometrics are all evolving to keep the good information flowing and the bad guys out.
The behaviour between systems intruders and those who design policies, strategies and technologies to defeat them can be described as a continuing series of coevolutionary competitive processes analogous to arms races. The battle to keep the nodes safe takes on the characteristics of an asymmetric attack-defense arms race, where offensive adaptations are countered by defensive adaptations. Nodes are compromised, strategies and technologies are developed to harden them, which in turn spurs on more sophisticated counter-moves.[38] It is important to note that the definitions and uses of symmetrical and asymmetrical competitive processes vary between those of international security studies (i.e. military arms races) and those of the evolutionary theory being considered here. Symmetrical arms races emerge when two actors compete at the same thing, for example the nuclear arms race between the Soviet Union and the United States during the Cold War.[39] According to Langlois and Catherine (2005) an asymmetrical arms race emerges when there is predatory behaviour against primarily defensive adaptations.[40] Cyber infrastructure security is predominantly populated by asymmetrical arms races between those trying to secure infrastructure and those trying to compromise that same infrastructure. The former group is almost always on the defensive while the latter has the luxury of always being on the offensive. Both states and non-state actors can find themselves in either position, often simultaneously.[41] Upon closer examination, however, there are specific peculiarities in the adaptation patterns of both state and non-state actors in cyber environments.

The most important peculiarity for defensive adaptation groups, state actors, is that during an asymmetrical arms race the fastest adaptation will only produce a static outcome. In other words, it takes all the effort of an actor just to keep up with the threats. Thus the adaptation space, or gap between offensive and defensive actors, remains constant, neither widening nor shrinking, if the defender is 'running' flat out. In evolutionary theory this is referred to as the Red Queen effect. The "Red Queen" hypothesis, named for the Red Queen in Lewis Carroll's Through the Looking-Glass, is used to describe two ideas. The first is that coevolution could lead to situations in which the probability of extinction, or failure to adapt, is relatively constant over time. The second is that a species has to "run" and evolve in order to stay in the same place or maintain ground.[42] One of the impacts of the Red Queen effect is that it makes it very difficult to assess whether or not any real progress is being made in an actor's strategy.

Many coevolutionary processes are susceptible to the "Red Queen effect", and the relationship between those trying to compromise Internet nodes and those trying to secure and protect them often succumbs to this effect.[43] In an asymmetrical arms race the implication for states, firms and other actors is that stamping out Internet security threats or obtaining victory against network intrusions is unlikely. The optimal strategy is to find a temporarily stable equilibrium point. A simple example would be state-based property rights enforcement and subsequent attempts to stamp out online file sharing or peer-to-peer networking strategies. Firm-based organizations like the US Recording Industry Association of America (RIAA) have developed a set of novel approaches drawn from pollution strategies, where the networks are loaded with bad files to the point where file sharers get frustrated and leave. In other instances they have built robots that will seek out and destroy a user's machine that holds a certain quantity of "pirated" data. But because this is a coevolutionary type of process in which the Red Queen effect is present, the RIAA strategy of achieving complete disruption of P2P networks is an improbable outcome. The optimal point or outcome will likely be some sort of stable equilibrium or a "mediocre stable-state" which is not, over the long run, self-sustaining. The Red Queen effect might suggest that this is the result of a moving equilibrium caused by adaptive counter-strategies. These types of pursuit and evasion strategies in the realm of Internet security lead to outcomes which are acceptable but far from optimal for all actors.

When systems administrators take measures to secure nodes that are not necessarily optimal, or software and hardware vendors issue patches that are not preemptive, mediocre stable-states emerge. These are sub-optimal for a plethora of socio-economic and political reasons. One of these is political: the state pursues adaptive strategies that address cyber security threats in part to try to satisfy domestic stakeholders (individuals, corporations, and other state agencies) but does not pursue full maximization strategies in either a domestic or an international context.[44] This typically results in slowing the adaptation pace of network intruders, but only for a finite period of time, a type of Nash equilibrium called a collusive equilibrium.[45] The cyber infrastructure relies on its 'internationalness' to provide benefits to the state. Both the international system and the cyber infrastructure itself, from the perspective of the Internet, are essentially anarchical. A set of important questions emerges from this discussion. First, how do competitive, selfish processes like this end when they are deeply embedded in both the technologies and the socio-political processes themselves? Second, how are they won, or is it even possible to win? One possible answer is that there are three general outcomes to coevolutionary processes: they simply 'peter out' over time; they are won or lost; or a kind of detente is reached.[46] Using the same ecological metaphor, Anil Somayaji, a professor of computer science, argues that the "best we can hope for is to stay in the game no matter how the adversaries change and adapt because we're faced with adversaries that can potentially deploy attacks faster than we can deploy defenses, even if we use automated update systems [including artificial intelligence]" (Somayaji, 2004:70, 71). Somayaji argues that it may be desirable to pursue radically new strategies to change the game entirely by adapting evolutionary theory ideas of propagation and death to the cyber infrastructure (2004:72). At this point, the Red Queen effect begins to dissipate. While it may in the future be possible for scientists and engineers to adopt radical new strategies that can, on technological grounds, "change the game", the state and other non-state actors are not in a position, do not yet have the capacity, to change the nature of the game. But can the constructs of security in the cyber infrastructure be changed or adapted enough to meet these challenges?

[38] A more recent and specific example is the development of polymorphic shellcode used to evade intrusion detection systems (Confidential Interviews, Vancouver 2005-2006).

[39] It is important to point out here that there are few, if any, pure symmetrical arms races left in the contemporary international system. There are, however, still asymmetric arms races such as PRC-Taiwan and Pakistan-India.

[40] For an example of how researchers in International Relations define arms races, see Langlois and Catherine (2005:506). It is important to point out that no real deterrence effect exists in cyber infrastructure security and that part of my objective here is to demonstrate, if only in an informal manner, the existence of inefficient equilibria.

[41] An example would be the state which is trying to adapt to pressures on its cyber infrastructures while at the same time developing offensive cyber warfare tactics and strategies.

[42] Keep in mind that in evolutionary theory adaptation involves generational sequences, and that evolution selects on populations, not individuals. My purpose here is to adapt these concepts to describe, in general terms, how this dynamic behaviour in cyber infrastructures takes place.

[43] During many confidential interviews with law enforcement personnel and policy makers in East Asia conducted for this study, the sense of never being able to get ahead was often expressed.

[44] This is basically a problem of the two-level games that policy makers must often play. In predominantly Western countries this also involves tensions between securing cyber infrastructures while at the same time preserving privacy and freedoms.

[45] Interestingly, Nash equilibria can also be observed in the infrastructure itself, and not just in the social processes that emerge from its use. For example, a data flow in the cyber infrastructure is at Nash equilibrium when all traffic is routed on a minimum-latency path, called a Nash flow (Roughgarden, 2003). But research in network engineering suggests that Nash flows do not minimize total latency because of network anarchy in the cyber infrastructure. Instead, a Nash flow is the outcome of selfish routing, each user trying to get the best out of the infrastructure. The price of this anarchy, as Roughgarden shows, is completely independent of the network topology (2003:341).

[46] Throughout the modern and contemporary international system arms races have usually 'petered out' and not led to conflict.
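The selfish-routing point in footnote 45 can be made concrete. The Python below is an added illustration, not code from the thesis or from Roughgarden's work. It assumes the standard two-link instance (one unit of traffic; one link that always takes one unit of time, another whose latency equals its own load) and compares the Nash flow, where no user can improve by switching links, with the system-optimal flow that minimises total latency. Their ratio, the price of anarchy, is 4/3 on this instance, and it never exceeds 4/3 for any pair of affine latency functions, which is what "independent of topology" means: the bound depends on how latency grows with load, not on which links exist.

```python
"""Selfish routing on two parallel links: Nash flow versus optimal flow.

Added example, not code from the thesis or from Roughgarden. One unit of
traffic is split between two links whose latency grows affinely with the
load they carry: l(x) = a*x + b with a, b >= 0. Fractions keep everything
exact.
"""
from fractions import Fraction as F


class Link:
    """A link whose latency is l(x) = a*x + b when it carries flow x."""

    def __init__(self, a, b):
        self.a, self.b = F(a), F(b)

    def latency(self, x):
        return self.a * x + self.b


def total_latency(l1, l2, x2):
    """Total latency (= average latency for unit demand) when a fraction x2
    of the traffic uses link 2 and the remaining 1 - x2 uses link 1."""
    x1 = 1 - x2
    return x1 * l1.latency(x1) + x2 * l2.latency(x2)


def nash_split(l1, l2):
    """Nash (Wardrop) flow: no single user can lower its own latency by
    switching links, so every used link has the same latency and no unused
    link is faster. Returns the fraction of traffic on link 2."""
    if l2.latency(1) <= l1.latency(0):      # everyone on link 2 is stable
        return F(1)
    if l1.latency(1) <= l2.latency(0):      # everyone on link 1 is stable
        return F(0)
    # Interior equilibrium: a1*(1 - x2) + b1 == a2*x2 + b2.
    return (l1.a + l1.b - l2.b) / (l1.a + l2.a)


def optimal_split(l1, l2):
    """System optimum: the split minimising total latency. The cost is a
    convex quadratic in x2, so the minimum is its stationary point if that
    lies inside (0, 1), otherwise an endpoint."""
    candidates = [F(0), F(1)]
    curvature = l1.a + l2.a
    if curvature > 0:
        # Marginal costs equal: 2*a1*(1 - x2) + b1 == 2*a2*x2 + b2.
        stationary = (2 * l1.a + l1.b - l2.b) / (2 * curvature)
        if 0 < stationary < 1:
            candidates.append(stationary)
    return min(candidates, key=lambda x2: total_latency(l1, l2, x2))


def price_of_anarchy(l1, l2):
    """Nash cost divided by optimal cost; 1 means selfishness costs nothing."""
    nash_cost = total_latency(l1, l2, nash_split(l1, l2))
    opt_cost = total_latency(l1, l2, optimal_split(l1, l2))
    return F(1) if opt_cost == 0 else nash_cost / opt_cost


if __name__ == "__main__":
    # Pigou's instance: link 1 always takes 1 unit of time, link 2 takes
    # as long as its own load. Every user prefers link 2 until it is as
    # slow as link 1, so the Nash flow puts everyone on link 2.
    pigou = (Link(0, 1), Link(1, 0))
    print("Nash share on link 2   :", nash_split(*pigou))         # 1
    print("Optimal share on link 2:", optimal_split(*pigou))      # 1/2
    print("Price of anarchy       :", price_of_anarchy(*pigou))   # 4/3
```

Sweeping small integer coefficients for both links never produces a ratio above 4/3, and an instance such as latencies x + 1 and 2x gives 16/15: the gap between selfish and optimal routing is bounded by the latency-function class, not by the particular links or the particular split, which is the sense in which the footnote's "price of anarchy" is independent of topology.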
The adaptation space between state responses and threat perception can be in several positions: either widening, nominal or narrowing. One of the keys to understanding this process is to clearly identify what is being secured: Is it the state, the nation, the corporation, 4 7 the individual, the network, or the individual node in cyber space? This study wi l l begin with individual nodes in the infrastructure, the subject to which the chapter now turns. Studying Compromised Nodes The "network" is an abstraction. When a network is "hacked" it is a node that is compromised which in turn may or may not compromise the more abstract connections of nodes called a network. Networks are generally concerned with securing against threats and attacks from outside the network. However, they also are increasingly designed to secure against compromised machines that are inside a network. B y definition i f a node inside a network is compromised the rest of the nodes inside that network are at much 4 7 The firm level (corporation) is added to this list because most of the cyber infrastructure is owned by corporations, not by states, a point that is often understated in discussions of 'critical infrastructure protection' more broadly. 49 greater risk. Internet security incidents are really compromises of firewalls, servers, 48 S C A D A or other devices. These devices are nodes which in turn communicate with other nodes producing a network. The communicative sense tends to dominate the "discourse" of re-inventing security in an "information age". Yet IR has focused this re-examination almost exclusively on the Internet as a communications technology; a technology that allows for the ability to exchange complex forms of data - the ability to talk at a distance. Viewing the Internet through the prism of a communications media largely ignores its other dimension - the ability to act at a distance. 
The network level of analysis used by Deibert and Arquil la represents an interesting and useful advancement in the study of the Internet and its impact on security. Network levels of analysis draw from social network analysis in sociology, network analysis in engineering, and graph theory in mathematics. 4 9 One of the beneficial claims that is made to justify this level of analysis is that it may be applied to "hacking" terrorist networks and improving network centric warfare in order to 'fight back'(Deibert and Stein, 2003; Arquil la and Ronfeldt, 2002). In the face o f threats from both physical and social networks it is argued that "we need appropriate conceptual language to understand what a network is, how it operates, how it thrives, and how it withers, i f we are not to misunderstand the threat or misconceive the response" (Deibert and Stein, 2003:157). Network levels of analysis share one common feature across disciplines and applications: they are pure structural approaches, which tend to ignore individual agents or actors. A compromised node level of analysis begins with the assumption that networks are 4 8 Recall that S C A D A is an acronym for supervisory control and data acquisition. These devices are essentially machines that can control the physical world from within the cyber infrastructure. For example, S C A D A are often found in electricity grids. 4 9 In military and intelligence circles the term Nodal analysis is used to mean the determination of linkages and relationships among disparate entities. The intellectual lineage here is social network analysis used in sociology. It is a very structural approach which allows the observer to, in theory, look for patterns based on no observations of previous activity. In intelligence analysis, nodal analysis allows the analyst to deal with individual names of people in order to try to understand vulnerability and linkages. 50 not attacked; nodes are attacked. 
It is the node, not the network, that is both the vulnerability and the opportunity in Internet security. Conceiving the network as actors or agents unto themselves suggests an unnecessary equality among a distribution of nodes. Deibert and Stein make this error when they argue that "in the pure model of the network, such as the Internet, eliminating one node of a network does not imperil other nodes" (Deibert and Stein, 2003:160). This is not the case. Some nodes are more important than others. The Internet is full of critical nodes whose failure can place many other nodes in immediate peril. In the wide area network (WAN) sense, if a border gateway protocol (BGP) router fails it can "blackhole" any number of local area networks. In the local area network (LAN) sense, failure or compromise of a firewall, IDS, or router can immediately open other nodes to peril. This is the central dilemma of Internet security; when one node fails or is compromised it immediately threatens others. This "inside"/"outside" problem is often rhetorically grafted onto national cyber security issues by framing the problem as a threat from outside the state's geographical border. The Internet - recall from the introductory chapter that it is a collection of networks - is "scale free" in structure and form, which comes with a certain amount of redundancy. Indeed, it is very difficult to imagine a threat to the Internet infrastructure itself. One cannot "hack the Internet" in its present form or "take it down".[50] This does not contradict the notion of vulnerability presented above. It simply means that while individual networks are vulnerable once a key node has been compromised, no one set of networks or nodes can be seen as critical to the Internet's operation.
Conclusion

The motivation for using this level of analysis does not originate from a need or desire to replace other security frameworks or theories but seeks to add to the current analytical tools available to researchers in a cumulative manner. In this sense, the framework presented here is necessarily incomplete. The rapid, deep diffusion of computer networks and the rise of the compromised node have produced new security dilemmas and amplified the role of new security actors. These new node-based security actors behave both as a threat to the state, as in the case of organized crime usages of computing technologies, and as surrogates to the traditional role of state-based providers of security. Does the distribution of compromised nodes reinforce territorial based perspectives on security? Or does the data point to a world where security in the cyber infrastructure knows no boundaries or border? It is to these questions that the dissertation now turns.

[50] In theory, even if all of the root domain name servers - part of the Internet's plumbing - were to somehow be compromised, the Internet, or more specifically applications of the Internet like the WWW, would still have some level of functionality.

Chapter Three: Examining the Distribution of Compromised Nodes

Introduction

The link that Matai suggests between social, political and economic instabilities and cyber infrastructure security events is a particularly tempting one for practitioners and policy makers responsible for securing cyber space. It raises the possibility of better predictive power: as social-institutional instabilities increase so too does the threat to cyber infrastructures from these states.
Another implication for cyber security theory is that by linking factors like wealth, regime type, and levels of social stability to the integrity and behaviour of the cyber infrastructure, theoretical concepts like cyberterrorism gain a conceptual cantilever to move from the abstract hyperbole level to the concrete - usually via inferences made from prima facie cases. Matai's OII talk generated controversy and has renewed debate over the connection between geopolitical instabilities, state capacity, cross-national factors and cyber security. Cyber security practitioners and former intelligence policy makers were quick to respond. Richard Clarke, the former White House cyber security advisor, criticized Matai's use of the term cyberterrorism and the link between seemingly disparate factors. Bruce Schneier, chief technology officer of Counterpane Internet Security, echoed Clarke's critique of Matai's theory (Ilet, 2005; Sturgeon, 2005). So, why the concern regarding a hypothesis articulated at an academic event? In short, cyber security - especially threat forecasting - is a field which can influence policy; hence the concern over assertions like the Matai conjecture. One media response to his OII talk illustrates this point more clearly. The interviewed source quipped, "we could just laugh this off as barmy, were it not for the fact that government, the City and now Oxford University actually take this self-appointed guru seriously. That's where I stop laughing and start worrying about the direction things are going" (Sturgeon, 2005). Indeed, Matai's conjecture is a significant departure from conventional wisdom, which suggests that there is no link between territorial geography and cyber infrastructure instabilities like attacks.
But Matai makes it quite clear that mi2g has in its possession the empirical data to support the conjecture, using in part "profile databases on over 7,500 hacking groups across the world" which draw from "the world's largest digital attack database" (Matai, 2005). The problem, however, is that their data remains proprietary, closed and not available to other researchers or to policy makers. Closing the gap between threat perception and reality in cyber space is well beyond the scope of this study. It is, however, possible to test parts of the Matai conjecture to look for links between real world instabilities and cyber security events. Using unique data obtained from a widely distributed logging system, Chapters Three, Four, and Five of Part One test for the suggested relationship between incident patterns and several socio-political, economic and infrastructural variables. This is the first study to address this problem from an international perspective using openly available quantitative data collected via intrusion logs from networks distributed throughout the world. The primary objective here will be to develop a snapshot of Internet incidents - specifically from compromised machines - by country and to explain the variations in these patterns.

Territorial integrity and securitization of cyber infrastructures

The nature of the Internet is such that traditional territorial-based approaches to security studies meet with mixed results. This is, of course, due to the environment. Network intruders can appear to be originating from anywhere and then from nowhere. Yet, there are often geographical patterns to Internet incidents in an environment that is assumed to be non-territorial. Countries that experience high levels of Internet incidents and have high levels of Internet technology diffusion tend to be more concerned about the impact that network intrusions have on their security.
An increase in the number of compromised nodes in a country's cyber infrastructure is associated with an increase in the number of Internet incidents globally. The problem is that while reducing the number of compromised nodes in a geographic domain, like a state, may decrease the number of incidents both in the immediate geography and globally, it does not reduce the threat from compromised nodes that exist in other states. Alone, domestic efforts to reduce the number of compromised nodes have resulted in only marginal reductions in Internet incidents. These features of the Internet point to an important problem: the digital insecurity in one state contributes to the insecurity of other states. This is a security dilemma that, interestingly, emerges from a non-traditional asymmetric threat. An increasing number of compromised nodes in one country produces security pressures on others. In this environment, the threats from "cyberspace" can be couched in actor-based frameworks. Terms like "cyber warfare" and "cyber terrorism" allude to threats from state and non-state actors. It is difficult, however, to determine which actors pose the greatest threat from their untoward use of the Internet. This has led to a large gap between threat perception and reality. In the United States, for example, there have been shifts in who or what constitutes a threat in cyber space, which has translated into wild policy gyrations and "sharp bends in the threat perception" (Bendrath 2003:68). The first shift, according to Ralf Bendrath, was from the "cyber terrorists" of the Clinton administration to the state-based threats during the early days of the Bush administration. After the events of September 11, 2001 attention shifted abruptly back to non-state actors and their potential to use the Internet to launch attacks or incorporate cyber tactics as a force multiplier. Securitization of "cyberspace" is a confusing mix of threat perception and reality.
There are no clear standards for judging the threat. Individual networks may be able to discern when particular nodes are threatened, which in turn may allow systems technicians to monitor and accumulate anecdotal evidence in order to defend their "sites" from intrusion attempts. However, the majority of organizations - firms and state agencies - do not look outside their firewalls in order to assess the threat from the 'outside'. Yet while there have been "qualitative changes in the discourse, that two times in the last two years has moved from terrorists to states", it is still not possible to assess the variation in the threat language against actual changes in the "real world" (Bendrath 2003:70-71). In other words, there is a disconnect between perceived Internet-based threats and actual threats. While there have been substantively significant shifts in the cyber threat perception of other states, they have not been as sharp and frequent as in the US case. As Bendrath rightly points out, the number of rapid changes in US policy language points to a serious problem (2003:69). Has the nature of cyber threats oscillated that much? Or is there simply no link between security perception and reality in cyber space? Bendrath concludes that it is unlikely that there is a link between cyber threat perception within the policy community of the United States and the realities in cyber infrastructures. He argues instead that the cyber threat is treated as a "wild card" which is attached to the primary "hard" security threat (state or non-state actors) in order to amplify the capability of the "enemy" (2003:72). This amplification, and subsequent multiplicative effect, is securitization. The threat perception discourse has increased in sophistication and tempo but our understanding of the real nature of the problem remains limited. These issues begin to look much like a problem being framed, or being directed toward framing, within the context of territorial integrity.
This is, therefore, a framing that assumes that technology does not make geography entirely irrelevant - a distinct shift from thinking in the early to mid 1990s. In strategic terms the Internet actually can become an invaluable "overlay" on geography (Gray, 1996a:251-252; 1996b:276). Threats from cyber space and to the infrastructure are no longer associated with the stateless geography of the "hacker" but with real, often geopolitical, spaces. The result is the territorialization of the Internet and of how state actors understand it. The Matai conjecture is perhaps the most explicit manifestation of this analytical trend. In East Asia, in addition to cyber threats from external actors, perceptions and performative acts are usually couched in language that points to threats from "within". Most of the discourse in the region remains actor-based rather than capabilities-based. Beyond this observation, the generalization breaks down according to groups of countries that utilize threat perception not necessarily as a "wild card", as in the US case, but toward the key areas that are seen to be traditional security priorities for their respective regimes. In Singapore, for example, the threat from cyber space is to the economy and stability. In China, protecting social harmony from online cyber dissent is a priority in its securitization discourse. In each country there is an undercurrent of threat perceptions that runs alongside the public discourse.
In China, for example, policy makers and technical elites quietly worry equally about the lack of integrity in their cyber infrastructure stemming from a growing number of compromised nodes that are fueling everything from theft of proprietary knowledge via network intrusions against regional high technology competitors, to piracy and spam.[51] It is easy to understand pleas for international cooperation between states, firms and nongovernmental organizations to reduce the number of nodes on the Internet that have been compromised or are at risk of compromise due to poor Internet security practices. The absence of Internet security in one state contributes to the insecurity of all others, and in real-time. One of the dilemmas that face proponents of international cooperation is the variation in the number of compromised nodes cross-nationally and the nature of Internet diffusion patterns. This is, of course, in addition to traditional obstacles to international cooperation such as the variation in legal systems, interests, values, regulatory quality, rule of law, wealth and power. Shifting the focus from incidents and actors to a compromised node framework can be thought of as an examination of the other side of the same coin. The node-based framework introduced in the previous chapter takes as its starting point the integrity of machines and devices on the Internet. In order to better understand the impact that the Internet has on security, describing the global distribution of compromised nodes is the first step.

[51] However, it should be noted that this concern often runs concurrent with inaction and even encouragement of these activities (Confidential Interview, Hong Kong 2002). This has produced a kind of boomerang effect or cyber blowback for security practitioners in China.
Part One examines the variation of compromised nodes both globally and in the East Asia region in order to assess the Matai conjecture and other assumptions regarding 'real' world instabilities and cyber security events. Using unique data obtained from a widely distributed logging system, this chapter tests multiple hypotheses on the relationship between these patterns and several socio-political, economic and infrastructural variables. This is the first study to address this problem from an international perspective using quantitative data collected via intrusion logs from networks distributed throughout the world.

Hypotheses

The central question for Part One of this study is: across an upper stratum of countries with the highest level of cyber infrastructure diffusion, what factors best explain the variation in compromised nodes? Controlling for both the size of economy and the level of Internet technology diffusion, does democracy or institutional capacity matter? Or is the cross-national distribution of compromised nodes simply a function of the level of Internet technology diffusion? It could be that the more Internet there is, the more incidents there will be, and other socio-economic and political factors do not matter. While conducting interviews for this study a policy maker was asked why some East Asian countries had a serious problem with cyber infrastructural instabilities while others, with similar levels of GDP per capita and Internet diffusion, did not. He argued that "we have a better government and people follow the rules" (Confidential Interview, Tokyo, August 2003). There is also a clear sense that the level of "openness" and "freedoms" in general contribute to the number of Internet incidents in a country.
This is not because of "hackers" attacking national Internet topologies from the outside but because of various motivations from the "inside" taking the form of political dissent using "hacktivism", the growth of peer-to-peer networks for file sharing, or simply poor security practices in industry and government. Could there be a link between instabilities in a state and the number of Internet incidents, as DK Matai suggests? To explore this, the study will test the following hypotheses.

H1: There is a relationship between rule of law and the number of compromised nodes 'located' in each state's territory.

H2: There is a difference between democratic and non-democratic states in the number of compromised nodes located within each of them.

The null hypothesis would be that the distribution of compromised nodes can be best explained by the level of Internet diffusion in a country alone and that diffusion is a function of wealth or other characteristics.[52] As will be described below, the cases chosen for this cross-national analysis are from the top stratum of "IT" economies. Adding countries that have little or near zero Internet diffusion would artificially skew the results. In general, the analysis will use explanatory variables from four "baskets": general diffusion metrics, economic indicators, Internet security indicators, and socio-political indicators - some of which will be used as proxy measures of institutional capacity. It is important to note that the following analysis does not make claims regarding causation. Statistical modeling using observational data, especially cross-sectional data, can only hope to point to associations between factors. Apart from experimentation, which is clearly not feasible, a time-series model would dramatically improve inferential power, but this falls well beyond the scope of this study.

Existing work

One study in particular stands out and is worth summarizing.
Vinod Yegneswaran, Paul Barford and Johannes Ullrich investigated a range of characteristics of global intrusion activity by analyzing data from Dshield.org, a globally distributed monitoring system. They studied the daily volume of intrusion attempts, the sources and destinations of intrusion attempts, and specific types of intrusion attempts (Yegneswaran et al., 2003). What they found is important. First, the goal of their study was to focus on the distribution, typology and prevalence of intrusion activity globally. Not surprisingly, they found that both a large quantity and wide variety of types of intrusions take place daily; typically around 25 billion per day.[53] This is a much better "picture" of Internet incidents than previously available. Yegneswaran et al. also found that the source IPs of typical intrusions are uniformly distributed throughout the Autonomous System (AS) space (Yegneswaran et al., 2003).[54] Of particular interest for security studies was that their team found evidence that a significant proportion of the activity is coordinated.[55] This indicates that much of the intrusion activity is much more sophisticated than conventional wisdom suggests and that this non-worm activity represents a much larger proportion of over-all intrusion activity. The work by Yegneswaran et al. was designed in part to try and reduce the "noise" in the global sample in order to delineate between serious and non-serious attempts. In other words, every effort was made to filter out worm traffic.[56]

[52] It may be useful at a later date to run the model on Internet diffusion characteristics alone - as a kind of stand-alone null hypothesis. More on this in Chapter Four.

[53] This number is difficult to compare as an overall percentage of cyber infrastructure activity. It is, however, a substantively significant level of activity. It should be pointed out that the 'type' of intrusion
For example, they found that the distribution of source IP addresses of the non-worm intrusions as a function of the number of attempts followed Zipf's law (2003). A small number of source IPs were found to be responsible for a significant amount of serious intrusion attempts, and these particular trends showed a type of cliquing or patterning - more on this below. This is important for the work presented here for two reasons. First, very little noise reduction was performed on the data used for my study.[57] As will be explained below, this study focuses on the distribution of compromised nodes globally, be they household PCs that have been infected with Code Red (a worm) or a more serious type of intrusion activity. Second, the uniform distribution of source IPs used to provide the incident data is "reasonably" well distributed across AS space and geographic space. This is key to assuring a good sample of typical global activity is used in the analysis. The global activity is not related to the incident typology outlined in Chapter One, which is based on motivation rather than technical variation.

[53, continued] distribution of ASs is nonuniform; skewed toward North America and Western Europe. If the distribution of source IPs from provider networks were skewed it would add a layer of bias in the data, meaning that certain geographies would be over represented.

[54] Recall that autonomous systems are the largest 'networks' on the Internet that provide global connectivity.

[55] The Yegneswaran et al. (2003) study determined this by analyzing the signatures of non-worm scans, and then comparing the temporal pattern and consistency of source IPs.

[56] Not methodologically relevant for this analysis.

[57] This is the same data as the Yegneswaran et al. (2003) study.

Similar research efforts have focused on Internet incidents other than serious intrusion attempts.
Moore et al. studied distributed-denial-of-service attacks and Staniford et al. focused on particular types of worm activity in order to prognosticate on future outbreaks (Moore et al., 2001; Staniford et al., 2002). Using a more aggregate level of analysis, Cowie et al. examined instabilities in the global border gateway protocol (BGP) system in order to understand how worm propagation creates instabilities in the Internet globally (Cowie et al., 2001). Finally, other than the commercial offerings on the international distribution of attacks which were presented above and discussed in Ortis and Evans (2003), there are also studies employing microanalysis techniques to study intrusion behaviour. One of these, the Honeynet Project, developed a method that uses "fake" networks to lure network intruders in without detection in order to study their behavior. A "honey-net" or "honey-pot" consists of machines deployed on the Internet with no real purpose other than to look like a common network that could be in use by an organization. This in turn has inspired the use of so called "Dark Nets", which conduct a similar type of research on micro-behaviour, only on a much larger scale. Dark networks are network telescopes that are used to gather data on emerging threats to the cyber infrastructure - especially from worms. Network telescopes are large expanses of unused globally routable IP space. The Yegneswaran et al. study (2003) compared data gathered from a network telescope with the DShield project and discovered evidence which suggests that non-worm traffic exhibits spatial geographical characteristics.[58] While this finding is suggestive for the present work, the only way to confirm this is to compare the DShield data with a geographically distributed set of network telescopes.[59] To date, however, no study has looked at the link between cyber infrastructure instabilities and non-technical factors.
Data

It is also important to note that for the purposes of this project, total source IP data (tsource) is an overall indicator of the stability of a national infrastructure topology rather than a specific understanding of hacking or cracking patterns cross-nationally. In other words, no inference can be made from the data regarding the type of intrusion activity or its purpose. The source data is the measure of compromised nodes. In order to focus in on particular types of illegal activity the amount of noise in the data would have to be reduced substantially. As will be discussed below, not all portscans (source IP data) are indicative of a compromised node. Target data was excluded from this study for two reasons. First, the distribution is skewed heavily toward a handful of states, making statistical analysis unreliable. Second, because of the nature of the target data, at the time this research was conducted liability and confidentiality issues had not been adequately resolved. The idea of measuring the "health" and stability of a country rather than specific categories of Internet incidents is controversial. In order to capture the matrix of security dilemmas that states face as a result of the rapid and multidimensional diffusion of Internet technologies, excluding worms in favor of the more sinister images of professional "crackers" would be premature. There are, of course, trade-offs here. Capturing a cross-national picture of compromised nodes by broadening the definition of an "incident" requires accepting a higher amount of noise in the data.

[58] Any traffic observed on a dark net is inherently suspicious.

[59] For a more capable and technically correct explanation see the Yegneswaran et al. (2003) discussion of network telescopes and global incident prevalence:
From the perspective of a policy maker and the systems administrator these distinctions may be superficial given that the number of compromised machines is a considerable problem, one that is increasing. I am, in effect, assuming a similar distribution pattern of compromised nodes across countries. More on this below. The data for this study, as in the Yegneswaran et al. research, was obtained from firewall logs of portscans collected over a two year period from over 20,000 firewall administrators distributed throughout the world.[60] The log files provide a lowest common denominator (LCD) summary of portscan activity obtained from various firewall/IDS systems. This includes BlackIce Defender, Cisco PIX firewalls, ZoneAlarm, Linux ipchains, Portsentry, Snort and FreeBSD's IP firewall. The data, submitted to Dshield.org, significantly increases coverage across the Internet and reduces reliance on individual firewall or IDS interpretation of events. It is comprised of log files submitted by a very diverse series of networks which include 7 class B networks and over 45 full class C sized networks and a wide variety of smaller subnetworks. Table 3.1 below shows the format of an example LCD log entry. The date and time fields are standardized to GMT and the provider hash[61] allows for aggregation by country of source IP addresses that belong to the same administrative network.

[60] As indicated earlier, there is always the danger of bias in a 'global' data set. In this case, the participating networks that gather the data are fairly evenly distributed throughout both IP and geographical spaces. If there is a bias in the provider networks (sensors) it will be of little consequence for this study because the sensors collect data which themselves do not discriminate based on geography. It is helpful, however, to ensure that if there are spatial trends and patterns the sensors are evenly distributed; the more evenly distributed the sensors, the less likely bias will be a factor.
[61] Not shown, but a part of each log entry.

Table 3.1: Sample log entries from DSHIELD portscan logs

Date        Time      Source IP + Port       Target IP + Port      Packet Flags
2002-12-09  02:39:16  000.000.000.000 1111   444.444.444.444 555   17
2002-12-09  02:34:44  111.111.111.111 2222   444.444.444.444 555   17
2002-12-09  02:35:26  222.222.222.222 3333   444.444.444.444 555   17

The dataset was obtained from Dshield.org - a research effort funded by the SANS Institute as part of its Internet Storm Center. DShield's objectives include detection and analysis of new worms and vulnerabilities, notifying ISPs of exploited systems through their "fight back" initiative, publishing blacklists of worst offenders, and community support to the submitters of data in order to improve firewall configuration (DShield, 2003). The lowest common denominator (LCD) approach used by DShield provides a unique, globally diverse and stable data source - the only data source of this kind available to the research community. The benefit of choosing to use an LCD approach is in its simplicity and generality, making analysis a much less complicated task. While there is a clear benefit to the LCD approach, there are two weaknesses. The logs do not provide information about packet headers or information about the events taking place during active connections. In other words, a detailed analysis of behaviour after the portscan activity has taken place is not possible. There is also a certain degree of vulnerability to pollution in the data through false positives by oddly configured firewalls or other exogenous factors. This inevitably leads to measurement error in the data.

Port scans, worms and global random noise

The interdisciplinary nature of this research requires balancing the need to be clear about the technical assumptions without losing sight of the goals of the study, which are strictly "social scientific".
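As an added illustration of the LCD format in Table 3.1 and of the tsource measure introduced above (example code written for this page, not code from the dissertation or from DShield), the following Python parses log lines in that layout and counts distinct source IPs per country by aggregating through the provider hash. The trailing provider-hash column, the hash-to-country mapping, the sample addresses and the deliberately malformed line are all constructed.

```python
"""Parse DShield-style LCD portscan entries and compute tsource per country.

Added example, not DShield's or the dissertation's code. Field layout follows
Table 3.1 (date, time, source IP, source port, target IP, target port, flags);
a trailing provider-hash column is assumed, since the text says each entry
carries one even though the table omits it.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample entries using RFC 5737 documentation addresses, not real
# hosts. The fourth line is deliberately malformed to show how pollution
# (measurement error) in submitted logs is handled.
SAMPLE_LOG = """\
2002-12-09 02:39:16 192.0.2.10 1111 203.0.113.5 555 17 a1f3
2002-12-09 02:34:44 192.0.2.10 2222 203.0.113.5 555 17 a1f3
2002-12-09 02:35:26 198.51.100.7 3333 203.0.113.5 555 17 b7c2
2002-12-09 02:36:02 not-an-ip 4444 203.0.113.5 555 17 b7c2
2002-12-09 03:01:10 198.51.100.9 3333 203.0.113.6 555 17 b7c2
2002-12-09 03:02:10 192.0.2.44 5555 203.0.113.6 80 2 c9d4
"""

# Constructed mapping from provider hash (the source's administrative
# network) to the country that network is registered in.
PROVIDER_COUNTRY = {"a1f3": "JP", "b7c2": "SG", "c9d4": "CN"}


@dataclass(frozen=True)
class Entry:
    when: datetime          # GMT timestamp, as in the LCD format
    src: IPv4Address
    src_port: int
    dst: IPv4Address
    dst_port: int
    flags: int
    provider: str           # provider hash of the source's administrative network


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one LCD line; return None for a malformed line."""
    parts = line.split()
    if len(parts) != 8:
        return None
    try:
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return Entry(
            when=when.replace(tzinfo=timezone.utc),
            src=IPv4Address(parts[2]),
            src_port=int(parts[3]),
            dst=IPv4Address(parts[4]),
            dst_port=int(parts[5]),
            flags=int(parts[6]),
            provider=parts[7],
        )
    except ValueError:          # bad address, port, flag or timestamp
        return None


def parse_log(text: str) -> Tuple[List[Entry], int]:
    """Parse every non-blank line; return (entries, count of lines dropped)."""
    entries: List[Entry] = []
    dropped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            dropped += 1
        else:
            entries.append(entry)
    return entries, dropped


def tsource_by_country(entries: List[Entry],
                       provider_country: Dict[str, str]) -> Dict[str, int]:
    """Count distinct source IPs (tsource) per country.

    Each entry is attributed to a country through its provider hash, so a
    node that scans repeatedly is counted once; a hash missing from the
    mapping is reported under "unknown".
    """
    seen: Dict[str, Set[IPv4Address]] = defaultdict(set)
    for e in entries:
        seen[provider_country.get(e.provider, "unknown")].add(e.src)
    return {country: len(ips) for country, ips in seen.items()}


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(parsed)} entries, dropped {bad} malformed")
    print(tsource_by_country(parsed, PROVIDER_COUNTRY))
```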
Due to the unusual nature of the data used for this section of this study it is necessary to provide some technical information on portscans, port numbering, and worms. This section begins with a quick discussion of port assignments on servers, or nodes, and moves to the issue of noise buildup in the data as a result of worm propagation. For the most part, a "birds-eye view" of each subject should suffice. Ports are numerically assigned values to which differing types of connections to machines are made.[62] These are not physical ports but are logical mappings of services to numbers. By custom certain applications generally use predefined port numbers. Every machine that can reach the Internet or other machines on a network does this through ports. When two machines communicate they open up one or more ports to exchange data. For example, most web servers will "listen" on port 80 for incoming connections. A typical machine that runs multiple services through software called servers will listen on or keep open multiple ports. One of the first events that takes place before an intrusion, by either a human or another machine, is a scan of all open ports in order to gather information on various characteristics and attributes of the target system - be it a firewall, or server or some other device. The Yegneswaran et al. study researchers needed to control for machines attacking other machines in order to get at the signal through the noise. They began by looking at some worms like Code Red and Nimda that scan port 80. What they found was that port 80 scans formed the single most dominant group of scans, constituting somewhere between 20%-60% (Yegneswaran et al., 2003).
Many of the port 80 scans that they observed during the period between May 2002 and June 2002 were a result of either the CodeRed or the Nimda worm - worms that were causing considerable disruption at the time and, consequently, add 'noise' in the data. The important thing to keep in mind is that some of the worm versions are used simply to cause damage, others are used to compromise machines for sending spam or building links of nodes that can be chained together in order to launch more sophisticated attacks against firms or governments while staying anonymous. Still other compromised machines are used to build "bot-networks" which are then rented out for periods of time on a kind of black-market for network intruders or other malicious users. The utility of collections of compromised nodes for the maliciously minded is varied. In East Asia, for example, bot nets are broken down into small-blocks and big-blocks of compromised nodes. Buyers or renters usually meet with administrators or builders of bot nets in Internet Relay Chat (IRC) rooms. From that point payment is made using an online method or a barter arrangement is made whereby code for exploits is exchanged or some other type of information of value.

[62] The ports which are used in common applications and servers over the Internet (such as a web server: port 80 or 8080) are in the range 0-1023. The next range above 1023 is for registered port numbers, between 1024-49151. Port numbers above 49151, in the range 49152-65535, are private or dynamic ports; those not used by any defined application but which can be opened by any program and then closed when not in use. The total number of logical ports (including 0) would be 65536. In general, a port can be in a state that is closed, waiting, listening, or established. For a complete list see the Internet Assigned Numbers Authority (IANA) site at <http://www.iana.org/assignments/port-numbers>.
The benefit for the renter is that he/she does not have to maintain or use a privately obtained chained-relay from which to send spam or launch attacks (Confidential Interviews, Hong Kong, 2002). A market based system also means reducing the risk of being discovered by law enforcement by providing a quick and easy method of access to these types of relays, which can be recycled.[63] The concept of a chained-relay is important here and is often the reason why it is extremely difficult to trace a cyber attack back to its true origin. Think of a chained-relay as a series of stepping stones; the more stones that a network intruder steps through, the less likely he/she will be discovered by law enforcement. The drawback is that the larger the chained-relay the more latency will exist in the path to the target machine. In other words, the more links in the chain, the more delay in communication between the start and end points. Another drawback to large chained-relays used in intrusions is that they can become unstable over short periods of time.

[63] A recent case from Europe further illustrates the growing problem. The Netherlands' government arrested three individuals in October 2005 that allegedly controlled some 1.5 million computers as part of a worldwide bot net. At first, Dutch authorities thought the network of compromised nodes was around 100,000, but it turned out to be orders of magnitude larger. It is unclear how much of the bot network was stable enough to be sold to the underground for use in criminal activity. But it is clear that even if criminals were charged US$1.00 per node, the bot network creators stood to make a considerable amount of money. Cyber security researchers have found evidence in the past of other million-bot networks, but this may be the first well-documented case of such an elaborate operation. See Lemos (2005). The dissertation returns to the case of bot nets in Chapter Seven.
By convention a chained-relay is expressed as h_1 ⇔ h_2 (Zhang and Paxson, 2000). The symbol h_1 indicates the originating machine and h_2 the end machine, where ⇔ describes the bi-directional communication between the two machines, which can be located anywhere (over both geographical and IP space) in the cyber infrastructure. In the set of stepping stones or chained-relay h_1 ⇔ h_n the last hop before the target machine is h_n.[64] If we have a chained-relay where h_1 ⇔ h_4, then h_4 = h_t (they are the same) and the probability of knowing the IP address of the originating machine h_1 is P(x), or unknown. In general, the likelihood of a large chained-relay being used is rather small when compared to the average attack, which uses one or two stepping stones. The optimal safety margin for the intruder is to create chained-relays that span several jurisdictions using machines in differing ISPs and/or countries. This frustrates the passive and active tracing methods used by forcing law enforcement to pursue the "trail" through the weeds of various legal environments. This is the central reason why it is often difficult for security or law enforcement to trace the attack back to its origin, and the reason why cooperation across jurisdictions is so important.

[64] The observation h_n is recorded or logged as a result of a port scan on the target machine running software to record the event, which subsequently gets submitted to Dshield.org. Not all port scans are identical in behavior. There are essentially four different types or categories of scans (Staniford et al., 2002; Yegneswaran et al., 2003). The first type is a vertical scan. This is a sequential or random scan of multiple ports of a single IP address from the same source during a one hour period. The second type is a horizontal scan, which takes place from a single source against several machines in a subnet aimed at the same target port, i.e. the same vulnerability. The third type is a coordinated scan. This type of portscan originates from multiple sources aimed at a particular port of destinations in the same subnet within a one hour window. Finally, the fourth type is a stealth scan. Stealth scans can be horizontal or vertical scans that start with a very low frequency and are quasi-random in order to avoid detection by an intrusion detection system (IDS) (Yegneswaran et al., 2003). The notation h_i is in keeping with previous work in engineering on chained-relays.

We could theoretically derive from network communication theory that there are larger numbers of systems intrusion attempts (worm and non-worm) that use fewer stepping stones than those attempts that aggressively attempt to conceal their physical location using relays with many stepping stones. The probability of a large number of stepping stones tends to shrink over the observation space. The exponential probability density function in Figure 3.1 illustrates the relationship between the number of stepping stones in a chained-relay (x) and the probability of that relay length being used. Notice that there does not necessarily need to be a chained relay used in an intrusion attempt. Thus, there is no 'step' and the x axis begins at 0.

[Figure 3.1: Chained-relay density function. Exponential PDF; x axis: x, Number of Stepping Stones.]

This is a theoretical assertion with no empirical evidence other than anecdotal claims obtained through field interviewing done for this study. The purpose here is to link the concept of a chained-relay to the dependent variable source.IP.
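The density that Figure 3.1 sketches, written out here as an added equation rather than one taken from the original text; the rate parameter λ is assumed, since the text gives no value for it:

\[
f(x;\lambda) = \lambda e^{-\lambda x}, \quad x \ge 0,
\qquad
P(X > x) = \int_x^{\infty} \lambda e^{-\lambda u}\,du = e^{-\lambda x}
\]

Read against the text: the probability that an intrusion uses a relay longer than x stepping stones decays geometrically in x, so one- and two-stone relays dominate, and the density is highest at x = 0, the case of no relay at all.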
This is important because in the data used for this study a relay of unknown length h_1 ⇔ h_k, the observation tsource (h_t) is the "last hop", or where h_k = h_t.[65] The provider networks represented in the DShield data are reasonably well distributed (over both geographical and IP space) and thus represent a good global sample for the top-tier countries (cases) under consideration here.[66] The point of reviewing the various technical aspects is to show that even if it is not possible to completely trace back an attack with accuracy to the absolute source point (weed through chained-relays), a machine has still been compromised at a geographic location. In this sense, whether or not the incident was caused by another "zombied" machine, a compromised machine used in a chained relay, a direct attack, or a virus is not necessarily important. All incidents are indicative of the overall health of national cyberspaces and are therefore revealing. Total source IP data (tsource) is a representation of compromised-nodes and is the dependent variable for the following analysis. It is broken down into two samples, one taken from a four-month period in 2001 and the other a similar period in 2002. The sample size in 2001 is 81,035,793 and in 2002 is 331,291,656. For both periods the total number of observations is 412,327,449 for 49 case countries.[67] The histogram below displays the distribution of tsource (h_t) data by number of incidents. The extreme observation on the far right hand side of the x axis is the United States.

[65] The choice of the type of scan to be used in an attack is sometimes cited, controversially, as an indication of a strategy or motivation behind the scan. In future research it would be worth performing a limited amount of noise reduction on the data by separating two categories of ports scanned: 80 and 1433. This would help to filter out traffic from worms like sub-seven and noise due to MS Windows netbios. Noise reduction, however, reduces the accuracy of knowing the compromised-node distribution but does increase the signal of non-worm intrusion attempts. A comparison of data without noise reduction and data employing various noise reduction strategies would prove very useful in the future.

[66] Case selection is described in the following chapter.

[67] The data came in two general formats: as raw log files and MySQL database files. To process the data, programs had to be written to sort the data, feed it into MySQL (if it was not already in a database format) and then determine the geographic location based on the IP address using commercially available databases that map IP addresses to countries.

[Figure 3.2 - Histogram of h_t for 49 upper tier countries. Panel title: Histogram of TSOURCE; x axis: TSOURCE, 0.0e+00 to 1.2e+08.]

The histogram, Figure 3.2, with kernel density estimate lines superimposed, suggests that the raw dependent variable tsource (h_t) follows a Poisson distribution. The vast majority of the top-tier countries fall within the lower half of the distribution. The overall skew in the histogram is not surprising. From the mid-1990s a group of five countries accounted for a large portion of the Internet incidents and have consistently been home to a disproportionate number of compromised nodes. The United States is the most extreme value, lying on the far right hand side of the histogram. With that case removed (Figure 3.3) the shape of the distribution becomes more pronounced.

[Figure 3.3 - Histogram with US case removed. Panel title: Histogram of SOURCE.IP.RAW; x axis: SOURCE IP RAW.]
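Footnotes 64, 65 and 67 together describe a small pipeline: sort raw scan records, label them by the Staniford/Yegneswaran taxonomy, optionally set aside the port 80 and 1433 traffic that carries worm noise, and count distinct source IPs per country to obtain tsource. The following is an added example of that pipeline in Python, not code from the dissertation. The log lines, the prefix-to-country table standing in for the commercial geolocation database, and the country labels are all constructed; stealth scans are left out because the footnote defines them by low frequency over time rather than by anything visible in a single hour's records.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed DShield-style scan records (not the dissertation's data). Each line:
# "timestamp source_ip destination_ip destination_port". Addresses come from the
# documentation ranges, so nothing here refers to real hosts.
LOG = """\
2002-05-03T10:02:11 203.0.113.7 198.51.100.20 21
2002-05-03T10:02:12 203.0.113.7 198.51.100.20 22
2002-05-03T10:02:13 203.0.113.7 198.51.100.20 23
2002-05-03T10:02:14 203.0.113.7 198.51.100.20 80
2002-05-03T11:15:01 192.0.2.44 198.51.100.5 1433
2002-05-03T11:15:02 192.0.2.44 198.51.100.6 1433
2002-05-03T11:15:03 192.0.2.44 198.51.100.7 1433
2002-05-03T12:30:00 203.0.113.9 198.51.100.40 80
2002-05-03T12:31:00 203.0.113.10 198.51.100.41 80
2002-05-03T12:32:00 192.0.2.99 198.51.100.42 80
2002-05-03T14:00:00 198.51.100.200 198.51.100.40 80
"""

# Hypothetical prefix-to-country table standing in for the commercial IP geolocation
# database the study used; the country labels are placeholders.
COUNTRY_OF = {
    ipaddress.ip_network("203.0.113.0/24"): "CountryA",
    ipaddress.ip_network("192.0.2.0/24"): "CountryB",
    ipaddress.ip_network("198.51.100.0/24"): "CountryC",
}

# The two ports footnote 65 singles out for noise reduction.
WORM_NOISE_PORTS = {80, 1433}


def parse_log(log):
    """Turn raw lines into records (the 'sort the data' step of footnote 67)."""
    records = []
    for line in log.strip().splitlines():
        ts, src, dst, port = line.split()
        records.append({"time": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port)})
    return records


def country_of(ip):
    """Longest-prefix lookup is unnecessary here: the constructed table has disjoint /24s."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in COUNTRY_OF.items() if addr in net), "UNKNOWN")


def subnet_24(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def hour_bucket(t):
    return t.replace(minute=0, second=0, microsecond=0)


def classify_scans(records):
    """Label activity per footnote 64: vertical (one source, one target, many ports),
    horizontal (one source, one port, several targets in one /24) and coordinated
    (several sources, one port, targets in one /24), each within a one-hour window."""
    by_source = defaultdict(list)
    sources_per_target = defaultdict(set)
    for r in records:
        hour = hour_bucket(r["time"])
        by_source[(r["src"], hour)].append(r)
        sources_per_target[(r["port"], subnet_24(r["dst"]), hour)].add(r["src"])
    labels = []
    for (src, hour), group in by_source.items():
        dsts = {g["dst"] for g in group}
        ports = {g["port"] for g in group}
        if len(dsts) == 1 and len(ports) > 1:
            labels.append((src, hour, "vertical"))
        elif len(ports) == 1 and len(dsts) > 1 and len({subnet_24(d) for d in dsts}) == 1:
            labels.append((src, hour, "horizontal"))
    for (port, net, hour), srcs in sources_per_target.items():
        if len(srcs) > 1:
            labels.append((net, hour, f"coordinated:{port}"))
    return labels


def tsource_by_country(records, drop_noise_ports=False):
    """Distinct scanning source IPs per country (the study's tsource, h_t), optionally
    after the port 80/1433 noise reduction footnote 65 proposes."""
    seen = defaultdict(set)
    for r in records:
        if drop_noise_ports and r["port"] in WORM_NOISE_PORTS:
            continue
        seen[country_of(r["src"])].add(r["src"])
    return {c: len(ips) for c, ips in seen.items()}


if __name__ == "__main__":
    recs = parse_log(LOG)
    for label in classify_scans(recs):
        print(label)
    print("tsource, raw:     ", tsource_by_country(recs))
    print("tsource, denoised:", tsource_by_country(recs, drop_noise_ports=True))
```

On the constructed sample the denoised count collapses to a single source, which is the trade-off footnote 65 names: dropping the noisy ports sharpens the non-worm signal but discards most of the compromised-node evidence, since a worm-driven scan still marks a compromised machine.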
The United States consistently ranks at the top of each sample for the number of compromised nodes that generate port scans on other machines. Table 3.2 lists the top 16 worst offenders for three sample periods in 2001 and 2002. Well over one quarter of the total number of "incidents" can be attributed to compromised machines in the United States in each of the samples. There is a cast of usual suspects that accompany the US case in all three periods. China, Germany, Korea, the UK, Brazil and Canada together account for roughly 35% of the remaining counts.

Table 3.2 - Relative country rankings

2001: 3 month sample | 2002a: 2 month sample | 2002b: 3 month sample
UNITED STATES 32338512 (39.90) | UNITED STATES 38830559 (26.93) | UNITED STATES 53896074 (28.80)
CHINA 4650198 (5.73) | KOREA, REPUB 13744981 (9.53) | KOREA, REPUB 22237582 (11.88)
GERMANY 3590141 (4.43) | CHINA 10730055 (7.44) | CHINA 13896358 (7.42)
KOREA, REPUB 3443155 (4.24) | GERMANY 8115244 (5.62) | TAIWAN 9152039 (4.89)
UNITED KINGDOM 3004499 (3.70) | TAIWAN 7245367 (5.02) | GERMANY 9037935 (4.83)
BRAZIL 2541728 (3.13) | BRAZIL 6805925 (4.72) | CANADA 7402730 (3.95)
TAIWAN 2145466 (2.64) | CANADA 5364278 (3.72) | BRAZIL 7366722 (3.93)
FRANCE 2129813 (2.62) | FRANCE 4096389 (2.84) | ITALY 4835819 (2.58)
CANADA 1997649 (2.46) | MEXICO 3874396 (2.68) | UNITED KINGDOM 4209723 (2.25)
ITALY 1755970 (2.16) | UNITED KINGDOM 3848402 (2.66) | JAPAN 4116433 (2.20)
JAPAN 1545967 (1.90) | ITALY 3448066 (2.39) | MEXICO 4003479 (2.13)
MEXICO 1479373 (1.82) | SPAIN 3137600 (2.17) | SPAIN 3646702 (1.94)
SPAIN 1376356 (1.69) | JAPAN 2968269 (2.05) | FRANCE 3526849 (1.88)
INDIA 1373129 (1.69) | INDIA 2808887 (1.94) | INDIA 2787927 (1.49)
TURKEY 962628 (1.18) | TURKEY 1865754 (1.29) | POLAND 2304608 (1.23)
AUSTRALIA 960661 (1.18) | POLAND 1799419 (1.24) | RUSSIAN FEDERATION 1814830 (0.97)
Total in sample 81035793 | Total in sample 144162438 | Total in sample 187127981

Notes: Figures are raw counts for top 16 of 49 countries with percentage of total for sample period in brackets.

Other than a consistent group of worst offenders - the US, China and South Korea - there is no immediate pattern to the rankings. Some of the countries have large populations, others small. Relative to overall population, approximately half have a high level of Internet diffusion, while others such as China, India, and Brazil have relatively low levels of Internet diffusion but rapid growth rates. The total number of observations in each sample is for all countries globally. The point here is that there is no immediate pattern to these rankings. It is interesting to note that the United Kingdom and Taiwan are the only countries to noticeably change ranks across samples.
First, the overall stability and consistency of ranks indicates that the noise reduction in the samples was intuitively effective. If the case countries in each sample were to jump around considerably, then this would suggest that the noise reduction used on the data had been less effective or was somehow selecting on certain countries in a biased manner. Still, it is unclear as to why the UK and Taiwan change ranks.[68]

The choice of case countries for inclusion in this analysis was made on two distinct grounds. The first being that there was a significant break in the distribution in the raw data which indicated that many countries in the international system did not yet have 'enough' cyber infrastructure to warrant inclusion in this study. The second reason was more sociological than technical. The significant break in the raw data was compared with a socio-economic measure of Internet diffusion called the Digital Access Index to see if the break somehow coincided with a cross-national measure. It did. The rationale for case selection and the choice of independent variables is the subject to which the dissertation now turns.

[68] The next step in the research would move the design from a pooled cross section to time series. This would have the added benefit of running a number of noise reduction algorithms on the data and comparing the results.

Chapter Four: Instability and Cyber Infrastructure Security

Introduction

The link between political instability and cyber infrastructure instability - as suggested and discussed by Matai (2005) and Bendrath (2003:69-70) - will be examined. Political-institutional factors are the focus of Part One of this study because they are proxy measures for institutional capacity and overall stability across countries.
The motivation for the analysis, as discussed in Chapters Two and Three, stems directly from assumptions made by both network administrators and policy makers that there is a relationship between cyber incidents and general instability in a country. These assumptions inform the growing gap between cyber threat perception and reality. Second, the analysis is motivated in more general terms to examine relationships between social, political and economic instabilities and cyber security events cross-nationally, because it provides a unique look at the development of the cyber security infrastructure. Examining measures of infrastructure instability and what they might mean is important for international security studies because, as Bendrath writes, "threat perception can change when the criteria for a threat are changed" (2003:70).

Case selection

The dependent variable tsource, or h_t, is the source frequency of Internet incidents and the number of compromised nodes per country.[69] The source of the Internet incidents in the data provided an ample sample size for approximately 90 countries in the international system.[70] Only half of these countries were selected for use as cases. The selection of case countries was done in order to best capture the variation of compromised nodes globally. A minimum level of Internet diffusion had to exist in each country.

[69] As discussed in Chapter Three, the target data was excluded from this study for two reasons. First, the distribution is skewed heavily toward a handful of states, making statistical analysis unreliable. Second, because of the nature of the target data, liability and confidentiality issues prevent its use in publicly accessible research. The notation h used for the dependent variable follows from Zhang and Paxson (2000).

[70] This is for the raw data. I did not subject the entire sample to the noise reduction, only the 49 countries (cases) used for this study.
Therefore, 49 countries were selected based on the upper half of the International Telecommunications Union's (ITU) Digital Access Index (DAI), which ranks all countries in terms of their potential for what the ITU calls digital development. The DAI uses a range of socio-economic and infrastructural data to assess the level of IT development. It combines eight variables, covering five areas, which create an overall country score that ranges from 0 to 1. The criteria measured for the DAI are availability of infrastructure, cost of access, education levels, quality of IT services (ISPs etc.), and Internet usage. Because the principal focus here is the variation among countries in compromised nodes, the cutoff point for the cases was the median point of 0.43 - the Philippines.

In Figure 4.1 below, there appears to be no relationship between the DAI and the dependent variable h_t. A log transformation was performed on the dependent variable in order to normalize the variables for visual inspection using scatter plots. The scatter plot matrix below (Figure 4.1) showing the relationship between h_t, GDP per capita and the DAI for all 49 countries illustrates this point. The solid line in each window shows a nonparametric regression of y on x.

[Figure 4.1 - Scatterplot matrix of source, GDP per capita, and the DAI. Panels: DAI, logTSOURCE, logGDP.]

It is important to point out that the DAI is a basket of IT measures of which Internet diffusion represents only a small component. The result, as shown in cell 2 above, is a weak negative relationship between h_t and the DAI. While the DAI is a good measure for case selection, it has very little relationship to h_t. Clearly, the DAI is heavily based on GDP per capita, as both are strongly correlated with each other as shown in cell 3. As is the case with the DAI, cell 6 shows GDP per capita has little or no relationship with h_t.

Independent variables

The independent variables chosen for this study can be grouped into four categories: infrastructural, sociological, economic and political. The analysis is restricted to one variable in each category in order to minimize the effects of multicollinearity. Many of the independent variables will be familiar to readers in International Relations with an exposure to cross-national research designs. However, it is useful to describe the key variables and outline why they were chosen for this analysis.[71]

1. Infrastructure measures

The first category of independent variables is general Internet diffusion. It has been shown in other research that raw host counts and simple counts of Internet users are often misleading indicators of overall diffusion in a country (Zook 2000, Giacomello and Picci 2003: 364-365). The number of Internet users in each country is at best a guess made by national statistical agencies. In order to capture additional dimensions of diffusion in each country, other aspects of Internet infrastructure must be taken into account. Measures such as the number of autonomous systems, prefixes and address space may help to adjust for other diffusion dimensions. In order to adjust for the various indicators of Internet diffusion a composite variable was created: C = (AS + prefixes + addresses + users + hosts) ÷ 5.
The individual diffusion measures are strongly associated with one another.[72] This, unfortunately, means that the composite measure may not substantially improve upon simple standalone host and user counts. The value of the consolidated measure is that it captures the variance in the individual measures across countries. Other measures such as teledensity and PC availability could also be incorporated into the composite measure, but they suffer from significant drawbacks of their own.[73]

[71] See Appendix A for a complete list of variables including source and measurement level.

[72] See Figure 4.2 in Appendix A.

[73] An alternative to the composite indicator is teledensity, or number of lines per 1000 inhabitants, which is frequently used as a general telecommunication infrastructure indicator. The use of this measure alone as a proxy for availability of equipment enabling Internet diffusion only accounts for PCs as one among many possible devices that can be used to access the Internet. Collapsing the five variables into one composite index may not significantly improve upon host or user counts alone, but it will help to avoid multicollinearity in the analysis below. As shown in Figure 4.2 the five variables are strongly correlated. This would make an interpretation of the regression coefficients problematic. When multicollinearity is present, the standard errors of the coefficients estimated by OLS tend to increase, and the reliance that can be placed in the coefficient values decreases. The remedy is to take some of the correlated variables out of the model, but this means a loss in precision. An alternative is to create an index which collapses all of the offending variables into one measure.

2. Economic measures

Two economic indicators were used in the models below: PPP and total unemployment (see Appendix A for data sources). Purchasing power parity (PPP) was used to capture a country's potential total personal computer or workstation holdings. The PPP was chosen because it tends to more accurately reflect real income levels. Total unemployment was also included as a proxy for overall crime levels in each country. The theory here is that countries with higher levels of GDP per capita, a more stable economy, will see low levels of cyber infrastructure events. A recent case in point involved a study of Russian and Eastern European 'cyber crime gangs' operating fraud rings (Business Week Online, 2006). The combination of advanced education systems that train students in mathematics, engineering and computer science and very high levels of unemployment produces sophisticated cyber crime rings that are difficult to combat.

3. Crime and corruption and openness

In order to hone in on "cyber crime" a variable that measures the level of software piracy is included. The piracy variable is compiled by the Business Software Alliance (BSA). The "difference between software applications installed (demand) and software applications legally shipped (supply) equals the estimate of software applications pirated" (BSA 2003:13). The BSA values were calculated for this study by country for 2002 and used in the 2001 cross-section. The BSA piracy rate is defined as the volume of software pirated as a percent of total software installed in each country. Piracy rates, of course, vary among software applications and countries. The BSA groups the software into "three tiers and uses ratios for each tier. The tiers used were general productivity applications, professional applications, and utilities. These were chosen because they represent different target markets and price levels, and it is believed, different piracy rates" (2003:12).
The interpretation is percentage rates where .99 indicates a very high level of piracy and .01 a very low level. This was useful here because cyber crime, specifically piracy, can be positively linked to cyber infrastructure instabilities. The BSA data is not perfect, but is the only available metric that tries to directly measure aggregate cyber crime levels.

The level of corruption may also be related to the number of compromised-nodes in a country. For example, in the Korean case, the problem of open-relays was in part attributed to large scale contracts awarded by the Korean government to IT firms to install and configure servers and workstations in the education and government sectors (Confidential Interview, Korea, 2003). These contracts were often improperly implemented, leaving a large number of nodes free for misuse on a large scale. Another example is the relationship between ISPs and the government of the People's Republic of China (PRC). In many cases ISPs are the second line of defense in identifying problem networks and shutting down access to the Internet until the offending sites have rectified the compromised machines. Managers and administrators at the ISP level are often paid to overlook offending networks (Confidential Interview, HKSAR, 2002). The problem at the ISP level has been found in other countries including the United States. It is not the number of ISPs that is an indicator per se, but the general level of societal corruption.[74] The general level of corruption can be taken as a rough indicator of the number of corrupt ISPs.
[74] For an example of recent cross-national research that explores the utility of various measures of societal corruption see Xin and Rudel (2004).

The corruption perception index (CPI) is generated by Transparency International and is a composite index, making use of surveys of businesspeople and assessments by country analysts. It is built using a wide range of methodologies. Overall, 15 surveys are included in the CPI, originating from 9 independent institutions. The CPI is interpreted on a scale of 0-10 where the higher the number, the less corruption is perceived. Thus the lower the score, the higher the perceived level of corruption in a state. The level of corruption is important here as a measure of institutional capacity, and hence, overall stability (see Appendix A for data source). In general, there is a strong positive correlation between the CPI and overall stability across countries in the international system.[75]

As alluded to above, one of the assumptions that is often made regarding the relationship between Internet security and the state is that more "open" states are more vulnerable or susceptible to Internet security incidents. This is not because they have less control over extraterritorial processes like "hacking" from the "outside", but rather that states that exercise controls over media have greater ability to control internal "hacking" and enforce IT related laws with illiberal jurisprudence. A prototypical case would be Singapore. The proxy measure that was chosen to measure media freedom is the Free Press Index compiled by Freedom House. The Freedom House survey of 187 countries measures the degree to which each country permits the free flow of information.
It rates countries according to whether or not the press is "Free", "Partly Free", or "Not Free". Countries scoring 0 to 30 are regarded as having "Free" media, 31 to 60 "Partly Free" media, and 61 to 100 "Not Free" media.

[75] The most recent data (2005) and analysis on this relationship can be found online at <http://www.foreignpolicy.com./story/cms.php?story_id=3420&page=3>. The Failed States Index provides a good introduction to the factors generally associated with instability. For more see the Foreign Policy and the Fund for Peace report online at <http://www.foreignpolicy.com./story/cms.php?story_id=3420>.

4. Political stability measures

The final category consists of two political-institutional variables that measure level of democracy and rule of law; the proxies for stability.[76] The purpose of including the democracy variable is principally to see if there is a significant difference between democracies and non-democracies in the pattern of compromised nodes. Similar in motivation to the free press proxy, it has been suggested that democracies are more vulnerable to the spread of Internet incidents given various institutional features that restrict government involvement in industry and private affairs. What is of potential interest is whether or not the distribution of compromised nodes differs between the two regime types. The democ variable from the Polity IV project is a democracy indicator which is derived from codings of the competitiveness of political participation, the openness and competitiveness of executive recruitment, and constraints on the executive.[77] Institutionalized democracy is conceived as three interdependent elements.
One is the presence of institutions and procedures through which citizens can express effective preferences about alternative policies and leaders. Second is the existence of institutionalized constraints on the exercise of power by the executive. Third is the guarantee of civil liberties to all citizens in their daily lives and in acts of political participation (Polity IV, 2003). The democracy indicator is interpreted using an eleven point ordinal scale from 0-10 where 0 is very low and 10 indicates a high level of democracy (see Appendix A).

[76] Other work in International Relations, especially security studies, models stability across both time and space. These studies also draw from the Polity IV project for measures of other forms of international system instability; see Marshall and Gurr (2005), Goldstone et al. (2005), and Gurr, Woodward and Marshall (2005). This study uses these same measures.

[77] For a more elaborate discussion of the political stability measures see the Polity IV User Manual available online from <http://www.cidcm.umd.edu/inscr/polity/>.

The second variable in this category is the level of the rule of law in a country. It is very unclear if legal environments in countries have any effect on the distribution and pattern of compromised nodes. In order to test for this relationship cross-nationally the measure for the rule of law is taken from the World Bank's Governance Matters III project. Rule of law (RoL) is comprised of several indicators which measure the extent to which people have confidence in and abide by the rules of society. The variable is constructed from 250 individual measures, gathered from 25 different sources, produced by 18 different organizations. This study uses 2000 data for 2001 and scores lie between -2.5 and +2.5, with higher scores corresponding to better rule of law.
Analysis

A full exploration of the causal mechanisms linking each explanatory variable to the number and distribution of compromised nodes in each country is well beyond the scope of this study. Not all of the explanatory variables are used in the remaining analysis. Crime, corruption and openness do not perform as well as the political-institutional variables when acting as proxies for cross-national instability. The purpose here is to identify the patterns of compromised nodes globally and try to explain this variation. Subsequent chapters in this dissertation deal with several factors in more detail. Causal mechanisms are not usually determinable through large N quantitative research. For this purpose, carefully conducted case studies "close the loop" between explaining variation and identifying causal relationships through various mechanisms.

Following a series of correlation plots, standard multivariate regression techniques were used to analyze the data. Both the data and the modeling technique are unusual in IR research and thus a brief review is useful. The dependent variable (h_t), which is essentially counts of incidents or compromised nodes for each country over an eight month period, follows a Poisson distribution as shown in Figure 3.1.[78] Poisson regression was chosen over ordinary least squares (OLS).[79] Comparing OLS and Poisson models indicated that the Poisson did perform slightly better than the standard model. Poisson regression, of course, is a form of the generalized linear model (GLM). GLMs fit data by using an iterated weighted least squares procedure (IWLS) which generates coefficient standard errors and maximum-likelihood estimates. These models assume that the dependent variable has a Poisson distribution and use the log link to map onto the linear predictors. For example, in Poisson models a unit increase in X has a multiplicative impact of e^β on Y.
Thus, if $\beta = 0$ the multiplicative effect is 1, and a unit increase in $X$ increases $\log Y$ by $\beta$; the effect of explanatory variables on the mean becomes multiplicative. Formally, the cross-national compromised node model can be expressed as:

$$\log(h_i) = \alpha + \beta_j X_{ij} + \varepsilon_i, \quad \text{where } \phi = 1$$

Poisson models have a dispersion parameter $\phi$ which is set to 1. It is very likely, however, that the model will suffer from some level of over- or under-dispersion, a common problem which was detected.80 To compensate for this, a quasi-Poisson model81 was specified in place of Poisson regression, which allows the dispersion parameter $\phi$ to "float". Formally:

$$\log(h_i) = \alpha + \beta_j X_{ij} + \varepsilon_i, \quad \text{where } \phi \neq 1$$

A quasi-Poisson model uses quasi-likelihood estimation, which calculates estimates for an arbitrary combination of link (here the log) and variance functions in the absence of a conditional distribution for the dependent variable, the number of compromised nodes cross-nationally ($h_i$). These estimates are similar to maximum-likelihood estimates in that they share many of the same properties. The regression coefficients in a quasi-Poisson model are not affected by allowing the dispersion parameter to float; the coefficients in a Poisson and a quasi-Poisson model will be the same. What is noticeably different between the results of the two modeling techniques are the coefficient standard errors. This is because in the quasi-Poisson case the coefficient variances are multiplied by $\phi$ (the standard errors by $\sqrt{\phi}$) and thus are much larger.82 In short, failing to detect and remedy over- or under-dispersion can lead to very small standard errors and hence coefficients that are "too" precise (Fox 2002:186). In a sense, using the quasi-Poisson fit slightly "penalizes" the coefficient standard errors. The result is a more cautious approach.

Partial correlation results and discussion

When a correlation exists between two variables, the association may be explained by a third variable that is correlated with both X and Y. This is almost always present to one

78 The number of attacks from the cyber infrastructure arriving at a node (i.e. a server, etc.) in a time period $t$ is assumed in this dissertation to have a Poisson distribution. Thus the number of cyber attacks during one time interval is assumed to be statistically independent of the number of attacks arriving during any other non-overlapping time interval. This is a one-dimensional Poisson process. In this case, the expected value of the number of attacks between times $a$ and $b$ is:

$$E[N(a, b)] = \int_a^b \lambda(t)\,dt$$

The parameter $\lambda$ is the rate of attacks against a node and $\lambda(t)$ is the non-homogeneous rate function.
79 For more on the theory behind Poisson regression in Political Science see King (1988:838-863). For an application of this modeling technique in International Relations see Pollins (1996). This analysis relied heavily on Fox (2002:156, 177-180, 186-187).
80 To clarify, over-dispersion in a Poisson model essentially means that $\sigma^2 > \mu$. When the variance is greater than the mean a quasi-Poisson model is generally thought to be more appropriate. Quasi-Poisson techniques are often chosen by researchers because a log transformation of the data may not satisfy the assumptions required by classical statistical methods. Thus, the dispersion parameter is really the variance divided by the mean: $\phi = \sigma^2/\mu$. In a Poisson model the mean is also the variance, and the canonical link is the natural log. Poisson distributions are often chosen to model counts, or data in which the variance increases with the mean.
81 The choice to use the R statistical environment over S-PLUS or SPSS is directly related to the choice of modeling technique.
S-PLUS does not have a quasi-Poisson family of functions and treats its Poisson family in a rather inconsistent way. SPSS cannot perform quasi-Poisson regression.
82 The dispersion parameter $\phi$ is reported for each model below.

degree or another in cross-national research. A set of partial correlations is used here to control for the effect of a third variable when examining the correlation between X and Y. If the correlation between X and Y is reduced, the third variable accounts for part of the association. Before proceeding to the regression models, two separate partial correlation matrices are examined: one with Internet diffusion (the composite measure, C) controlled for, the other controlling for population.83 This procedure not only helps to elucidate the relationships between the various socio-political and economic variables but will also serve as an indicator of collinearity. It is possible that the strength of the composite measure is having an effect on the other variables. Table 4.1 below shows the partial correlations for the same variables but controlling for diffusion. Once the level of Internet diffusion is controlled for, both the rule of law and the level of democracy become more important. This also allows other variables like population to reappear. It is important to note that the term "control" refers to statistical control, not experimental control.

Table 4.1 - Partial correlations controlling for diffusion (COMPOSITE)
Each pair of lines gives the partial correlation coefficient and, beneath it, the 2-tailed significance; d.f. = 35 for every pair.

            TSOURCE     CPI    TOT_UNEM    POP      DEMOC    R_O_L    PIRACY   FREE_PRE    PPP
TSOURCE      1.0000   -.2573    .2182    .6198   -.4341   -.3115    .4087    .3513   -.2498
        P=      .      .124     .194     .000     .007     .061     .012     .033     .136
CPI          -.2573   1.0000   -.3230   -.3734    .3226    .9430   -.8233   -.5952    .7931
        P=     .124      .      .051     .023     .051     .000     .000     .000     .000
TOT_UNEM      .2182   -.3230   1.0000    .7180   -.0697   -.2362    .2870    .2065   -.3238
        P=     .194     .051      .      .000     .682     .159     .085     .220     .051
POP           .6198   -.3734    .7180   1.0000   -.5084   -.3683    .5234    .4794   -.3894
        P=     .000     .023     .000      .      .001     .025     .001     .003     .017
DEMOC        -.4341    .3226   -.0697   -.5084   1.0000    .4367   -.6214    .8574    .4467
        P=     .007     .051     .682     .001      .      .007     .000     .000     .006
R_O_L        -.3115    .9430   -.2362   -.3683    .4367   1.0000   -.8180   -.6913    .8257
        P=     .061     .000     .159     .025     .007      .      .000     .000     .000
PIRACY        .4087   -.8233    .2870    .5234   -.6214   -.8180   1.0000    .7730   -.7284
        P=     .012     .000     .085     .001     .000     .000      .      .000     .000
FREE_PRE      .3513   -.5952    .2065    .4794    .8574   -.6913    .7730   1.0000   -.6467
        P=     .033     .000     .220     .003     .000     .000     .000      .      .000
PPP          -.2498    .7931   -.3238   -.3894    .4467    .8257   -.7284   -.6467   1.0000
        P=     .136     .000     .051     .017     .006     .000     .000     .000      .

Concentrating again on the first column under TSOURCE ($h_i$), the correlation between population and the number of compromised nodes jumps from .284 in the full correlation matrix to .6198; both are significant at the 95% level. It now appears that after controlling for the composite measure of diffusion there is a moderate to strong positive relationship between population size and $h_i$. The population measure could be picking up on the initial relationship between the size of a country's population and Internet diffusion, but the original correlation was only .157 and not significant. It is unclear how these two factors are linked.
A simple explanation might be that if a large population has high rates of diffusion, there will likely be an associated increase in the number of compromised nodes. But this is difficult to infer from correlations alone. The increase in the correlations of rule of law and the level of democracy in Table 4.1 is not easily understood. After controlling for Internet diffusion, the correlation between the frequency of Internet incidents and the level of democracy jumps from being insignificant at .001 to -.4341, significant at the 0.01 level. This suggests a moderate negative relationship between the level of democracy and the number of compromised nodes in a country once the "amount" of Internet is controlled for. Rule of law, too, jumps from .091 to -.3115 but is not significant. There appears to be a weak-to-moderate negative relationship between the level of the rule of law in a country and the number of compromised nodes when controlling for diffusion. There is a large amount of "jump" in the key independent variables when controlling for diffusion factors. In particular, population showed the greatest difference between the full and partial correlations. In order to explore this further, Table 4.3 below shows the partial correlations with population controlled. Notice the difference between the previous results for the rule of law and democracy variables and the results presented in Table 4.3; both are now indicating a much weaker, now positive, relationship with TSOURCE, .2298 and .1625 respectively.

Table 4.3 - Partial correlations controlling for population (POPULATION)
Each pair of lines gives the partial correlation coefficient and, beneath it, the 2-tailed significance; d.f. = 35 for every pair.

            TSOURCE     CPI    TOT_UNEM   DEMOC    R_O_L    PIRACY   FREE_PRE    PPP    COMPOSIT
TSOURCE      1.0000    .1900   -.0730    .1625    .2298   -.3331   -.1928    .3187    .9810
        P=      .      .260     .668     .337     .171     .044     .253     .055     .000
CPI           .1900   1.0000   -.0818    .1996    .9358   -.7979   -.5319    .7674    .2005
        P=     .260      .      .630     .236     .000     .000     .001     .000     .234
TOT_UNEM     -.0730   -.0818   1.0000    .4844    .0441   -.1423   -.2220   -.0627    .0076
        P=     .668     .630      .      .002     .796     .401     .187     .712     .964
DEMOC         .1625    .1996    .4844   1.0000    .3463   -.5146   -.8199    .3557    .1997
        P=     .337     .236     .002      .      .036     .001     .000     .031     .236
R_O_L         .2298    .9358    .0441    .3463   1.0000   -.8039   -.6502    .8116    .2561
        P=     .171     .000     .796     .036      .      .000     .000     .000     .126
PIRACY       -.3331   -.7979   -.1423   -.5146   -.8039   1.0000    .7126   -.7072   -.3628
        P=     .044     .000     .401     .001     .000      .      .000     .000     .027
FREE_PRE     -.1928   -.5319   -.2220   -.8199   -.6502    .7126   1.0000   -.5949   -.2117
        P=     .253     .001     .187     .000     .000     .000      .      .000     .208
PPP           .3187    .7674   -.0627    .3557    .8116   -.7072   -.5949   1.0000    .3270
        P=     .055     .000     .712     .031     .000     .000     .000      .      .048
COMPOSIT      .9810    .2005    .0076    .1997    .2561   -.3628   -.2117    .3270   1.0000
        P=     .000     .234     .964     .236     .126     .027     .208     .048      .

This "jump" factor is cause for concern. Both the democracy and rule of law variables appear to be very sensitive to slight changes in specification, suggesting, in part, that these variables should be the focus of the quasi-Poisson regression models.
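The partial correlations in Tables 4.1 and 4.3 each remove one control variable. The following is an added example, not code or data from the dissertation: it computes a partial correlation both by residualizing the two series on the control and by the closed-form expression in the three pairwise correlations, so that the two can be checked against each other. The country sample (NODES, POPULATION, DIFFUSION) is constructed for illustration only, and the collinearity guard (a series with nothing left after controlling for z) is the edge case a matrix like Table 4.3 would otherwise hide as a meaningless number.

```python
"""Partial correlation by residualization, as in Tables 4.1 and 4.3.

Added example, not from the dissertation; the sample below is constructed. Controlling
for z means regressing x on z and y on z and correlating the two residual series. The
closed-form r_xy.z = (r_xy - r_xz r_yz) / sqrt((1 - r_xz^2)(1 - r_yz^2)) gives the same
number; both are implemented so one can be checked against the other.
"""
import math


def mean(v):
    return sum(v) / len(v)


def pearson(u, v):
    """Product-moment correlation; undefined if either series has zero variance."""
    mu, mv = mean(u), mean(v)
    suu = sum((a - mu) ** 2 for a in u)
    svv = sum((b - mv) ** 2 for b in v)
    if suu == 0.0 or svv == 0.0:
        raise ValueError("correlation undefined: a series has zero variance")
    return sum((a - mu) * (b - mv) for a, b in zip(u, v)) / math.sqrt(suu * svv)


def residualize(v, z):
    """Residuals of v after ordinary least squares on z (with intercept)."""
    mz, mv = mean(z), mean(v)
    szz = sum((c - mz) ** 2 for c in z)
    if szz == 0.0:
        raise ValueError("control variable is constant")
    slope = sum((c - mz) * (a - mv) for c, a in zip(z, v)) / szz
    return [a - (mv + slope * (c - mz)) for c, a in zip(z, v)]


def partial_correlation(x, y, z):
    """r(x, y | z): correlation of x and y once z's linear influence is removed from both."""
    rx, ry = residualize(x, z), residualize(y, z)
    for name, res, raw in (("x", rx, x), ("y", ry, y)):
        if max(map(abs, res)) <= 1e-9 * max(map(abs, raw)):  # nothing left to correlate
            raise ValueError(f"partial correlation undefined: {name} is collinear with z")
    return pearson(rx, ry)


def partial_correlation_formula(x, y, z):
    """Closed-form equivalent of partial_correlation, from the three pairwise correlations."""
    rxy, rxz, ryz = pearson(x, y), pearson(x, z), pearson(y, z)
    denom = math.sqrt((1.0 - rxz ** 2) * (1.0 - ryz ** 2))
    if denom == 0.0:
        raise ValueError("partial correlation undefined: x or y is collinear with z")
    return (rxy - rxz * ryz) / denom


# Constructed sample, 12 countries: compromised-node counts, population (millions) and
# the composite diffusion measure. Invented values; counts were built to follow
# diffusion, and population tracks diffusion as well.
NODES = [12, 35, 8, 60, 150, 22, 90, 300, 45, 210, 18, 75]
POPULATION = [5, 20, 3, 40, 120, 10, 60, 250, 30, 140, 8, 50]
DIFFUSION = [1.0, 2.1, 0.8, 2.9, 4.2, 1.5, 3.4, 5.0, 2.5, 4.6, 1.2, 3.1]


def raw_versus_partial(x, y, z):
    """(raw r_xy, partial r_xy.z): how much of an association survives controlling for z."""
    return pearson(x, y), partial_correlation(x, y, z)


if __name__ == "__main__":
    raw, part = raw_versus_partial(POPULATION, NODES, DIFFUSION)
    print(f"population vs nodes: raw r = {raw:.3f}, controlling for diffusion r = {part:.3f}")
```

Both routes give the same coefficient; the residual route makes explicit what "statistical control" means in the text above, and the formula route is the one a package computes from a correlation matrix.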
The way in which the political-institutional variables were measured may also contribute to this hyper-sensitivity.84 This is discussed at length in Appendix A - Methodological Notes. The results presented above are suggestive, but far from complete. The partial correlations indicate that, when population is controlled for, the level of openness as measured by the free press variable, piracy and population could be linked to the number of Internet incidents. This suggests that "openness" in some way contributes to a larger number of compromised machines in a territorial context. But the link, so far, is tenuous. Piracy, a proxy measure for cyber crime, has a moderate positive relationship with the number of compromised nodes as a measure of cyber infrastructure instability, but this will more likely be an artifact of criminal opportunity. The remainder of the analysis will focus on the impact of political and economic instability, leaving out the sociological indicators of instability. Some consideration regarding the accuracy of the measures used in this study is worth attention. First, how well have instability and, perhaps more broadly, institutional capacity been captured? No measure will be perfect. But making the distinction between instability, institutional incapacity, and even state effectiveness with respect to the cyber infrastructure is important, yet well beyond the scope of this study. Some states, for example, may have high levels of state institutional capacity but low effectiveness in managing cyber infrastructure instabilities. The United States, Britain and Canada are typical cases.

84 Future research would require closer examination of the instability research done by Marshall and Gurr (2005), especially measurement and transformation issues with the Polity IV data.
Other states have, in general, low institutional capacity yet high levels of state effectiveness in managing the growth of the cyber infrastructure, especially in its early stages. States in the Middle East and parts of East Asia are indicative of this relationship. Indeed, there are states with many combinations of varying levels of institutional capacity, instability and state effectiveness in both East Asia and the rest of the world. What is important to note is that after an outcome such as cyber infrastructure instability is produced, there are complex relationships and etiologies that link institutional capacity and state effectiveness together; and between them is politics. Thus, these measures are proxies at best. As will be shown below, the cases chosen for this study are heavily skewed toward socio-economic and political stability. It is likely that this is introducing bias into the correlation results. To explore this further, Chapter Five turns to the results from the regression models and in particular 'zooms' in on the East Asia region. This is important for the work here in substantive terms but also in statistical terms, because East Asia provides a diversity of states that generate enough variance in stability measures to increase model performance. If there are links between instability, territory, and cyber infrastructure incidents they should emerge here. This will also be important for a broader understanding of the securitization of the cyber infrastructure and state responses in East Asia, the subject of Part Two of this study. The partial correlations indicate that the level of openness as measured by the free press variable, piracy and population could be linked to the number of compromised nodes. After controlling for diffusion, there is a weak positive relationship with free press. This suggests that "openness" in some way contributes to a larger number of compromised machines in a state.
This link, however, is tenuous. Piracy, a proxy measure for cyber crime, had a moderate positive relationship with the number of compromised nodes. Were cross-national crime statistics readily available and reliable, further research should be done to explore the link between electronic crimes and the increasing number of compromised machines globally. Chapters Six and Seven of this dissertation will explore this relationship in more detail by examining several cases where transnational organized crime has taken advantage of, and is driving, the growing number of compromised nodes globally.85 Internet diffusion, however, was strongly associated with the number of compromised nodes. This was not unexpected. What is somewhat surprising is the very weak link between measures of wealth (PPP) and Internet diffusion for the economies chosen for this study. This affirms the axiom that Internet diffusion generally follows an 'S' curve and, once past a certain point, economic factors tend to be less important. What is important in the upper stratum is that, in general, the political measures of stability are not as strongly associated with cyber infrastructure instabilities as DK Matai has suggested. The more specific model of stability in the East Asia region is the subject to which the dissertation now turns.

85 It is not likely, however, that national crime statistics will capture the impact of transnational organized crime.

Chapter Five: The Level of Democracy and Rule of Law and Cyber Instability

Introduction

Cyber infrastructure security incidents take on both territorial and non-territorial characteristics. This duality of Internet security has a direct impact on the securitization of cyber space. The dissertation now turns toward the link between socio-political instability and Internet incidents that DK Matai of Mi2G and others have posited.
There are two key findings. First, the level of democracy has a minimal impact on the frequency of cyber infrastructure events cross-nationally. Second, the level of the rule of law, as a proxy for state capacity and stability, can be linked to cyber infrastructure instabilities. Thus, the rule of law model suggests a possible weak-moderate link between the proxy variable for institutional capacity and stability, but the democracy model shows that Matai's claims are overstated or, at best, imprecise. The effects of specific socio-political factors on cyber infrastructural instabilities appear to be interactive rather than direct, let alone determinative. Chapter Five begins with a general model of stability and the role of the state for all 49 upper-tier countries. Here, the 'leading' factors that were identified in Chapter Four are set against two distinct measures of stability: rule of law and level of democracy. Second, the focus shifts to East Asia in order both to understand the role of state capacity and stability in the cyber infrastructure, and to place this within the broader international context. The results indicate that there are unique characteristics in East Asia that set it apart from global patterns.

Stability and Cyber Infrastructure Security

The first model focuses on the impact of the rule of law on the distribution of Internet incidents in the cyber infrastructure cross-nationally. It includes two other variables, the composite measure of diffusion and purchasing power parity, based on the results of the simple analysis of the partial correlations in the previous chapter. More formally:

$$\log(h_i) = \alpha + \beta_1 \log(\text{composite}) + \beta_2\,\text{RoL} + \beta_3 \log(\text{PPP}) + \varepsilon_i, \quad \text{where } \phi \neq 1$$

The results are presented in Table 5.1 below with the dispersion parameter $\phi$ estimated at 1714204. A couple of caveats need to be pointed out regarding interpretation. Because of the way the composite variable is measured, its coefficient of 0.878 is actually quite large.
A composite unit increase leads to a large percentage increase in the number of compromised nodes. The result is significant and clearly has the largest impact in the model. The level of purchasing power parity, as measured in international dollars, appears to have only modest explanatory power. The coefficient for purchasing power parity is 0.2381 and is not significant. Rule of law is slightly more powerful. An increase in the rule of law is associated with a moderate decrease in the number of compromised nodes at the 99% confidence level. Again, it is important to keep in mind that while the coefficients for the rule of law (-0.676) and composite (0.878) appear to be close in scale, they are not. The regression slopes (estimates) have a percentage interpretation. The coefficient indicates that, controlling for Internet diffusion and purchasing power parity, an increase of 1 on the 5-point rule of law scale results in roughly a 50% reduction in compromised nodes.86

86 exp(-0.676) = 0.51

Table 5.1 - Quasi-Poisson regression results: rule of law

Deviance Residuals:
     Min       1Q   Median       3Q      Max
 -2692.0   -790.6   -368.8    343.9   4078.4

Coefficients:
                Estimate Std. Error t value Pr(>|t|)
(Intercept)      0.86323    2.14859   0.402 0.689802
log(composite)   0.87807    0.04541  19.338  < 2e-16 ***
R_o_L           -0.67615    0.18385  -3.678 0.000637 ***
log(PPP)         0.23813    0.24451   0.974 0.335420
---
Signif. codes: 0 '***' 0.001 '**' 0.01 '*' 0.05 '.' 0.1 ' ' 1

(Dispersion parameter for quasipoisson family taken to be 1714204)
    Null deviance: 867774578 on 47 degrees of freedom
Residual deviance:  72716318 on 44 degrees of freedom
AIC: NA
Number of Fisher Scoring iterations: 5

Every statistical model and its associated tests, specifically when the data are unusual, should be accompanied by the appropriate diagnostic procedures that check to see if the model is performing well. There are two concerns.
First, plotting the residuals against the fitted values shows a bell shape opening toward the high end of the linear predictor (see Appendix A, Figure 5.3).87 This suggests that there is some heteroskedasticity in the model. Various attempts were made to correct for this but were unsuccessful. Second, both Cook's statistic plots show one, perhaps two, observations that are very influential in the model; they appear at the upper right corner of both plots. Interestingly, in order to correct for this several countries were pulled out of the case list and then the model was run again, followed by another set of Cook's tests. This iteration repeatedly revealed "new" influential observations each time. Returning to the first hypothesis posed at the beginning of Chapter Three (H1), it appears that there is a weak-moderate relationship between the frequency of incidents and rule of law. It is, however, a tentative finding given the strength of the coefficient for this and other variables. The kind of change that would be illustrative of a real relationship between rule of law and cyber infrastructure instabilities would have to be much greater. Recall that because of the way in which the composite measure for Internet diffusion is constructed, it is providing the most explanatory power.

H1: There is a relationship between rule of law and the frequency of Internet incidents ($\beta_2 \neq 0$)

The null hypothesis can be rejected, but barely. The coefficient for rule of law is statistically significant at the P = .001 level. Rule of law has a negative impact on the frequency of incidents (compromised nodes), but it is a weak one. The weakness of this finding suggests that while a country with high levels of rule of law can expect on average to have a lower number of compromised machines (incidents), there are many cases where this is simply not what is seen in the cyber infrastructure.

87 See Figure 5.3, Appendix A, for a detailed explanation and plots.
For example, of the six states with the highest number of compromised nodes (US, China, Germany, South Korea, Taiwan, UK), half have strong legal institutional environments within well-functioning political regimes. Interpreted as a proxy measure for institutional capacity and overall stability, the rule of law appears to have only a modest impact on cyber infrastructure instability as measured by $h_i$.88

88 The language used in this chapter to describe $h_i$ shifts from the frequency and distribution of Internet incidents, the number of compromised nodes, to the more general concept of cyber infrastructure instability. They are all faces of the same phenomenon. However, as discussed in previous chapters, it is important to keep in mind that there is a difference between an "Internet incident" and a "compromised node" even though one presupposes the other. Both are indicative of cyber infrastructural instability.

The second hypothesis focuses on the impact of democracy on the frequency and distribution of Internet incidents cross-nationally. The model specification changes only slightly, by removing the level of the rule of law and inserting the measure of democracy. Both cannot be included because of multicollinearity. Formally:

$$\log(h_i) = \alpha + \beta_1 \log(\text{composite}) + \beta_2\,\text{DEM} + \beta_3 \log(\text{PPP}) + \varepsilon_i, \quad \text{where } \phi \neq 1$$

The dispersion parameter $\phi$ is 2660173. The results are presented in Table 5.2 below. The coefficient indicates that, controlling for Internet diffusion and purchasing power parity, an increase of 1 on the 0-10 democracy scale results in only a roughly 1% reduction89 in compromised nodes. The coefficient for the composite measure of Internet diffusion has changed little from the previous model. It still has the largest role in explaining the variance in the distribution of incidents globally. The purchasing power parity coefficient has changed substantially, to -0.488, significant at the 95% level.
The hyper-sensitivity noted earlier during the discussion of the partial correlation results has not diminished by focusing the model on key variables only. At this point, the need to move from cross-sectional data to a time-series or longitudinal research design is apparent. The impact that the level of democracy has on the variation in the number of incidents is minimal. During field interviews for this dissertation the question asked was: "What institutional features allow governments or policy makers to address the impact that the Internet has had on security?" Many of the interviewees argued that countries like Singapore have a considerable advantage because they are not restrained by liberal democratic rules and principles. This non-democratic advantage has been cited as a key factor more broadly in the impact that Internet diffusion has on authoritarian regimes.

89 exp(-0.014) = 0.986, i.e. a reduction of about 1.4%.

The original notion was that complex information ecologies created by rapid Internet diffusion (i.e. WWW technologies) would erode the authoritarian state's ability to maintain its monopoly on the flow of ideas, data, and information. During the late 1990s and into 2000 the assumption that the Internet and other information technologies would be the electronic "Trojan horses" for democratic change was largely dismissed (Latham, 2002:102-103). In fact, it began to appear that non-democratic regimes were adapting to the many dilemmas created by information technologies faster than anyone thought. Whether or not a state is democratic is not a factor mitigating against the increasing frequency of Internet incidents.

H2: There is a difference between democratic and non-democratic states in the number of Internet incidents ($\beta_2 \neq 0$)

The hypothesis H2 can be rejected.
The policy makers in democratic states may feel that their counterparts in non-democratic states have a particular 'edge' in addressing the 'health' and stability problem of national cyber infrastructures, but the data do not support this. The partial list of countries noted by Matai during the Oil discussion identified non-democracies, or states with weak institutions or low institutional capacity, as growing sources of intrusion attempts and, hence, a threat to global security. The results of the democracy model (Table 5.2 below) clearly show no link between the number of compromised nodes and regime type. The rule of law model suggests a possible weak-moderate link between the proxy variable for institutional capacity and stability, but the democracy model suggests that Matai's claims are overstated or, at best, imprecise.

Table 5.2 - Quasi-Poisson regression results: democracy

Deviance Residuals:
     Min       1Q   Median       3Q      Max
 -3157.4   -809.1   -383.7    108.6   5422.1

Coefficients:
                Estimate Std. Error t value Pr(>|t|)
(Intercept)      7.46932    1.35159   5.526 1.78e-06 ***
log(composite)   0.86805    0.05958  14.569  < 2e-16 ***
DEMOC           -0.01429    0.04564  -0.313   0.7556
log(PPP)        -0.48809    0.21155  -2.307   0.0259 *
---
Signif. codes: 0 '***' 0.001 '**' 0.01 '*' 0.05 '.' 0.1 ' ' 1

(Dispersion parameter for quasipoisson family taken to be 2660173)
    Null deviance: 863793747 on 46 degrees of freedom
Residual deviance:  95041761 on 43 degrees of freedom
AIC: NA
Number of Fisher Scoring iterations: 5

The diagnostics for the democracy model suggest two important features. The first is that, as was the case with the previous model, there appears to be some heteroskedasticity. The Cook's plots indicate that there are two, perhaps three, observations that are influential, the US being one. The most likely explanation is that the results from the Cook's plots and the residual plots are related: both reflect the influence of several observations.
The results from the diagnostic tests indicate that the models are borderline acceptable.90

90 See Figure 5.4, Appendix A, for plot and explanation.

Regional differences: East Asia and the rest of the world

As discussed earlier, East Asia has a growing reputation among systems administrators and policy makers for being the source of too many open relays, hackers, "spammers" and other assorted cyber transgressions. In statistical terms, this generalization can be subjected to a systematic analysis by adding a regional dummy variable with interaction terms on rule of law and democracy. The countries that make up the regional variable are Australia, China, Indonesia, Japan, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Taiwan, and Thailand. The base group, or benchmark group against which the comparisons will be made, is the non-East Asia region countries.91 Cross-national studies that look for differences between regions among various factors are often criticized for imposing artificial boundaries, geographically and culturally, around "regions" of the world. Internet diffusion, however, often reflects regional characteristics and attributes.92 From an infrastructural perspective, there are clear regional differences with respect to routing and the distribution of autonomous systems. This, in part, leads to a unique politics of peering within regional contexts. At the user level, there is also good reason to explore regional differences. For example, one of the biggest drivers of Internet diffusion in East Asia (at the infrastructural level) has come from cell phone adoption and usage, which traditionally has been significantly higher than in other regions of the world. Taken together, these reasons alone may not provide convincing evidence to look at regional differences. This dissertation, however, is focused on Asia Pacific security. Thus, for no other reason than "scope", it is useful to uncover regional characteristics and attributes.
Returning to the quasi-Poisson model specified above with the added dummy interactions:

$$\log(h_i) = \alpha + \beta_j X_{ij} + \delta_0 A_i + \gamma (X_{ij} A_i) + \varepsilon_i, \quad \text{where } \phi \neq 1$$

In the model above $\delta_0 A_i$ is the additive term for East Asia and $\gamma(X_{ij} A_i)$ is an interaction term. The regional focus model looks at the differences between East Asia and the rest of the world with respect to the factors that may explain the variation in the number of compromised nodes in the region. In order to "see" the difference that rule of law and democracy have in the East Asia region, effects plots are provided for the models below.93 The results below (Table 5.3) show that three factors affect the frequency of incidents in the cyber infrastructure in a country: the composite measure of Internet diffusion, the level of democracy, and PPP. Since $A_i = 1$ when a country is located in East Asia (both in the physical sense and the cyber sense) and $A_i = 0$ when the country is grouped in the rest of the world, the interpretation of $\delta_0$ is the difference in the number of incidents between East Asian countries and the rest of the world given the same amount of diffusion, PPP and democracy. If $\delta_0 < 0$ then for the same level of other factors there is a difference between East Asia and the patterns in the rest of the world (ROW), keeping in mind that the coefficients have a percentage interpretation. The regional dummy $\delta_0 A_i$ essentially allows for different intercepts between the two groups of countries. The interaction term $\gamma(X_{ij} A_i)$ takes this "allowance" one step further to allow for a difference in slopes. For example, we may wish to assess the regional differential with a non-constant "effect" of various factors like diffusion and PPP.

91 For model specification with binary variables this study relied heavily on Fox (2002:130-136) and Wooldridge (2003:220-222, 225-226, and 233-234).
92 See discussion in previous chapter.
Stated in other words, the dummy interactions allow the analysis to posit that the response to a change in a continuous explanatory factor differs between the reference group and the other group; simply put, $\gamma(X_{ij} A_i)$ is the differential effect.

The first regional model for East Asia considers the impact of the level of democracy on the variation in compromised nodes. Table 5.3 below shows the coefficients, standard errors and t tests for the regional quasi-Poisson regression focusing on democracy. The magnitude of the composite variable has not changed from the previous models; the composite, DEMOC and PPP coefficients show little movement with the addition of the dummy variable and interaction terms. The dispersion parameter $\phi$ = 3723292. The coefficient on the regional dummy (ADUMROW) is -4.01: it is the difference in intercepts between the rest of the world and East Asia, and it is not statistically significant (p = 0.58).

Reading the slopes from Table 5.3: the coefficient on log(PPP) is 0.99 for East Asia and 0.99 - 0.14 = 0.85 for the rest of the world.[94] Because PPP enters in logs these are elasticities: a 1% increase in PPP is associated with roughly a 1.0% increase in the expected number of compromised nodes in East Asia and about a 0.85% increase in the rest of the world. The wealth relationship is positive in both groups, slightly flatter outside East Asia. For DEMOC, a one-unit increase is associated with a reduction of about 7% in the expected count in East Asia[95] but only about 2% in the rest of the world.[96] The difference between the two groups is minimal, and neither the DEMOC coefficient nor any of the interaction terms is statistically significant.

[93] Here I omit specification and analysis of a lower order term which cannot be interpreted in a meaningful way when used with interaction terms. See Braumoeller (2004).
[94] 0.99 + (-0.14) = 0.85.
[95] exp(-0.076) = 0.93.
[96] exp(-0.076 + 0.053) = exp(-0.023) = 0.98.

Table 5.3 - Dummy regression with interaction terms

glm(formula = h_i ~ logCOMP + DEMOC + log(PPP) + ADUM + ADUM:logCOMP + ADUM:DEMOC + ADUM:log(PPP), family = quasipoisson)

Deviance Residuals:
     Min       1Q   Median       3Q      Max
 -3877.5   -966.4   -255.6    348.5   6380.7

Coefficients:
                     Estimate Std. Error t value Pr(>|t|)
(Intercept)          -3.14515    5.28744  -0.595 0.555574
logCOMP               1.43118    0.36754   3.894 0.000398 ***
DEMOC                -0.07621    0.06868  -1.110 0.274298
log(PPP)              0.98691    0.39147   2.521 0.016139 *
ADUMROW              -4.00859    7.09243  -0.565 0.575354
logCOMP:ADUMROW       0.62713    0.54013   1.161 0.253051
DEMOC:ADUMROW         0.05334    0.19016   0.281 0.780642
log(PPP):ADUMROW     -0.13887    0.50799  -0.273 0.786080
---
Signif. codes: 0 '***' 0.001 '**' 0.01 '*' 0.05 '.' 0.1 ' ' 1

(Dispersion parameter for quasipoisson family taken to be 3723292)

    Null deviance: 373126841 on 44 degrees of freedom
Residual deviance: 117713921 on 37 degrees of freedom

Number of Fisher Scoring iterations: 6

To visualize the impact that the interaction terms have on the models, effects plots were produced. The effects plot in Figure 5.1 for the quasi-Poisson regression shows the interaction of the covariate DEMOC and the regional dummy variable for East Asia. The vertical axis is the fitted number of compromised nodes in a country, which this study reads as the probability of cyber infrastructure instability; the horizontal axis is the level of democracy. A 95% pointwise confidence interval is drawn around the estimated effect: the solid effect line is sandwiched between dashed lines that mark the limits of the confidence envelope. The confidence envelope translates statistical uncertainty in the estimation of the effect into a graphical display. Figure 5.1 confirms the numerical results in Table 5.3 that there is no differential effect of the level of democracy on the number of compromised nodes in the East Asia region.
Figure 5.1 - Effects display for the interaction of the level of democracy and region.
[Figure: "DEMOC*ADUM effect plot"; two panels, ADUM:ASIA and ADUM:ROW; horizontal axis DEMOC (0 to 10); vertical axis compromised nodes (0 to 1.2e+08).]

In Figure 5.1 the tick marks along the vertical axis are labeled on the scale of the dependent variable, compromised nodes, the proxy for cyber infrastructure instability cross-nationally. The actual effects for East Asia and for the rest of the world are plotted on the scale of the independent variable, the level of democracy. The level of democracy has only a slightly different relationship to the probability of cyber infrastructure instability for East Asian states and for the rest of the world.[97]

The discussion now turns to the differential effect that the level of the rule of law has on the distribution of compromised nodes in East Asia. In contradistinction to the regional effect of democracy, the impact that the level of the rule of law has in East Asia is substantial. Table 5.4 below shows the results for both the regional dummy variable and the interaction effects. The dispersion parameter $\phi$ = 1428473. First, the coefficient on ADUMROW is 21.02, significant at the p = .01 level: the difference between the two groups of countries is quite strong, and there is a significant difference in the number of compromised nodes between East Asia and the rest of the world given the same amount of diffusion, rule of law and PPP. Second, the slope on log(PPP) is 3.60 in East Asia and 3.60 - 2.50 = 1.09 in the rest of the world;[98] the wealth relationship is positive in both groups but far steeper in East Asia, and, as in the DEMOC model, the rest-of-world slope is the flatter one. Third, a one-unit increase in R.o.L is associated with a reduction of about 91% in the expected number of compromised nodes in East Asia[99] but only about 21% in the rest of the world.[100] On the log scale the East Asian slope (-2.45 against -0.23) is roughly ten times steeper. The interaction term R.o.L:ADUMROW is significant at the p = .001 level, and the confidence envelopes are tight around the effect line.

[97] This discussion relies heavily on Fox (2003:5).
[98] 3.60 + (-2.50) = 1.09.
[99] exp(-2.45) = 0.086.
[100] exp(-2.45 + 2.21) = exp(-0.23) = 0.79.

Table 5.4 - Dummy regression with interaction terms

glm(formula = TSOURCE ~ logCOMP + R.o.L + log(PPP) + ADUM + ADUM:logCOMP + ADUM:R.o.L + ADUM:log(PPP), family = quasipoisson)

Deviance Residuals:
     Min       1Q   Median       3Q      Max
 -2664.4   -729.0   -175.7    757.6   2534.3

Coefficients:
                     Estimate Std. Error t value Pr(>|t|)
(Intercept)          -31.0039     6.6162  -4.686 3.52e-05 ***
logCOMP                2.0264     0.3255   6.225 2.79e-07 ***
R.o.L                 -2.4488     0.4022  -6.088 4.31e-07 ***
log(PPP)               3.5958     0.5182   6.939 2.98e-08 ***
ADUMROW               21.0202     7.5781   2.774 0.008541 **
logCOMP:ADUMROW        0.1044     0.4102   0.254 0.800488
R.o.L:ADUMROW          2.2144     0.4408   5.024 1.23e-05 ***
log(PPP):ADUMROW      -2.5047     0.5812  -4.309 0.000112 ***
---
Signif. codes: 0 '***' 0.001 '**' 0.01 '*' 0.05 '.' 0.1 ' ' 1

(Dispersion parameter for quasipoisson family taken to be 1428473)

    Null deviance: 374456589 on 45 degrees of freedom
Residual deviance:  54779127 on 38 degrees of freedom

Number of Fisher Scoring iterations: 5

To illustrate the differential effect of the rule of law interaction term, Figure 5.2 shows how the "slope" decreases as the values of the lower order term increase across the observations. In Figure 5.2 below, the tick marks along the vertical axis are labeled on the scale of the dependent variable, compromised nodes, the proxy for cyber infrastructure instability cross-nationally. The actual effects for East Asia and for the rest of the world are plotted on the scale of the independent variable, the level of the rule of law.
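The slopes quoted for Tables 5.3 and 5.4 follow from reading each interaction table as a main effect plus a regional differential, and then moving from the log scale to a percentage change. The following Python script is an added worked example, not part of the thesis or its R analysis: it parses the coefficient rows of Table 5.4 as printed above (constructed here as an inline string), recovers the per-region slope of each factor, converts the slopes to percentage changes under the log link, and traces the fitted count along the rule-of-law scale for both regions, which is the numeric content of an effects display such as Figure 5.2. It assumes, from the ADUMROW label, that East Asia is the reference level; the covariate values used for the curve are illustrative and are not taken from the data.

```python
"""Reading a dummy-plus-interaction coefficient table under a log link.

Parses the coefficient rows of an R glm() summary, recovers the slope of each
continuous factor for the reference region and for the dummy region, converts
log-link slopes to percentage changes, and traces the fitted count along the
rule-of-law scale for both regions (the numbers behind an effects plot).
"""
import math
import re

# Constructed input: the coefficient rows of Table 5.4 as printed in the
# text. The factor level named in the labels is ROW, so the reference (base)
# region in this output is East Asia (an assumption drawn from the R labels).
TABLE_5_4 = """
(Intercept)        -31.0039  6.6162  -4.686  3.52e-05
logCOMP              2.0264  0.3255   6.225  2.79e-07
R.o.L               -2.4488  0.4022  -6.088  4.31e-07
log(PPP)             3.5958  0.5182   6.939  2.98e-08
ADUMROW             21.0202  7.5781   2.774  0.008541
logCOMP:ADUMROW      0.1044  0.4102   0.254  0.800488
R.o.L:ADUMROW        2.2144  0.4408   5.024  1.23e-05
log(PPP):ADUMROW    -2.5047  0.5812  -4.309  0.000112
"""

DUMMY = "ADUMROW"          # label R gave the indicator (1 = rest of world)
NUM = r"(-?\d+\.?\d*(?:e-?\d+)?)"
ROW_RE = re.compile(r"^(\S+)\s+" + r"\s+".join([NUM] * 4) + r"\s*$")


def parse_coefs(text):
    """Map each term to (estimate, std_error, t_value, p_value)."""
    coefs = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            term, *nums = m.groups()
            coefs[term] = tuple(float(x) for x in nums)
    return coefs


def group_slopes(coefs, term, dummy=DUMMY):
    """Slope of `term` in the reference region and in the dummy region.

    The printed main effect applies to the reference level only; the dummy
    region's slope is main effect + interaction. Taking the main effect as
    the dummy region's slope is the classic misreading of such a table.
    """
    base = coefs[term][0]
    delta = coefs.get(f"{term}:{dummy}", (0.0,))[0]
    return base, base + delta


def pct_change(beta):
    """Percent change in the expected count per one-unit increase (log link)."""
    return 100.0 * (math.exp(beta) - 1.0)


def expected_count(coefs, region, logcomp, rol, logppp, dummy=DUMMY):
    """Fitted count for a country in region 'ASIA' (reference) or 'ROW'."""
    d = 1.0 if region == "ROW" else 0.0
    eta = coefs["(Intercept)"][0] + d * coefs[dummy][0]
    for term, x in (("logCOMP", logcomp), ("R.o.L", rol), ("log(PPP)", logppp)):
        base, other = group_slopes(coefs, term, dummy)
        eta += (other if d else base) * x
    return math.exp(eta)


def rol_curve(coefs, rol_values, logcomp, logppp):
    """(rol, fitted_asia, fitted_row) along the rule-of-law scale with the
    other covariates held fixed: the numeric content of an effects display."""
    return [(r,
             expected_count(coefs, "ASIA", logcomp, r, logppp),
             expected_count(coefs, "ROW", logcomp, r, logppp))
            for r in rol_values]


if __name__ == "__main__":
    c = parse_coefs(TABLE_5_4)
    for term in ("logCOMP", "R.o.L", "log(PPP)"):
        asia, row = group_slopes(c, term)
        print(f"{term:10s} slope ASIA {asia:7.3f} ({pct_change(asia):+8.1f}%/unit)"
              f"  ROW {row:7.3f} ({pct_change(row):+8.1f}%/unit)")
    # Illustrative covariate values (assumed, not from the text) for the curve.
    for r, a, w in rol_curve(c, [-1.0, 0.0, 1.0, 2.0], logcomp=4.0, logppp=10.0):
        print(f"R.o.L={r:+.1f}  ASIA {a:12.0f}  ROW {w:12.0f}")
```

The same functions read Table 5.3 unchanged, since its rows carry the same labels with DEMOC in place of R.o.L; only the inline string needs to be swapped.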
The level of the rule of law has a substantially different relationship to the probability of cyber infrastructure instability for East Asian states and for the rest of the world.

Figure 5.2 - Effects display for the interaction of the level of the rule of law and region
[Figure: "R.o.L*ADUM effect plot"; two panels, ADUM:ASIA and ADUM:ROW; horizontal axis R.o.L (-1 to 3); vertical axis compromised nodes (0 to 2e+09); observation rug along the horizontal axis.]

While it is clear that the level of the rule of law is an important factor in the frequency and distribution of incidents in East Asia, it may be the case that this measure has a larger impact in a region that has more variance in the level of the rule of law when compared to the cases in the rest of the world. The model was run, and effects plots produced, for other regional groupings. Other than the East Asia grouping, none indicated any significant differential effect of the level of the rule of law. Future research would see this done in the context of a time series design.

All of the problems mentioned above and in Appendix A can affect the dependent variable. This study is focused on all compromised nodes, so problems like worm identification become less of an issue. Yet there are two types of measurement error that are of particular concern here. Non-systematic measurement error occurs where the values are sometimes too high and sometimes too low. This increases inefficiency in the data but does not increase bias; on average the value will be correct. This type of error on the dependent variable should theoretically be less of a concern because the sample for source IP is so large that the error would eventually cancel itself out. The second type of measurement error is systematic across the data. Systematic measurement error is a consistent mis-measurement of units. A count of distinct source IP addresses is exposed to it in both directions: dynamic address assignment lets one compromised host appear under several addresses over a sampling window, while address translation hides many hosts behind one, and because the direction of the error is fixed for a given network, neither averages out as the sample grows.
The only way to tell if this is happening is to acquire additional DShield data covering more time periods (and re-sample). Another issue is the choice of explanatory factors and the ever-present possibility of omitted variable bias. For example, it was not possible to find reliable cross-national data on crime, deference-to-authority indicators, or measures of sudden economic shocks in high tech sectors, all of which leave out a potentially powerful set of explanatory factors, even with the inclusion of several proxy variables to compensate. This could, in part, explain the heteroskedasticity found in the models above. A number of diagnostic tests were used to check for various problems in the data, from heteroskedasticity to the amount of nonlinearity in the models. Both problems were found and attempts were made to compensate. There are also substantial patterns of clustering in the data.[101]

The full and partial correlations discussed above strongly suggested that the regression models would be "sensitive" to slight changes in specification. Sensitivity analysis essentially requires an estimation of the original model followed by a reasonable modification of the original. If the important conclusions change dramatically then the original specification is said to be too sensitive to be reliable. Two procedures were carried out in order to test for this. First, the independent variables were increased to include additional factors that could conceivably help to explain the variation in the number of compromised nodes cross-nationally. Of the key explanatory variables that had a marginal impact, the coefficient signs changed from positive to negative, as expected from the partial correlations. Second, an alternative measure was used in place of DEMOC.

[101] See Appendix A - Methodological Notes, as well as Appendix A Figure 5.5 for contour plots of the variables rule of law and democracy.
In both cases there was some sensitivity, and subsequent research would need to explore alternative measures of the other explanatory variables. For now, the "robustness" of the models is uncertain. Finally, internal validity is, for now, impossible to assess. It would be useful to compare these results to externally verifiable data to find and validate other key patterns that affect the distribution of compromised nodes or Internet incidents and cyber infrastructural instability. This involves asking the same questions but testing the propositions using different data. For example, would there be a correlation between rule of law and compromised nodes using data gathered from other sources? Are there differences between regions or between democracies and non-democracies? Unfortunately, DShield represents the only data set available to the research community.[102] In order to try to assess the internal validity of this work, several commercial providers of large scale distributed intrusion detection data were contacted in 2003. None of the firms agreed to share their data or discuss their methods of analysis.

General Results and Interpretation

The purpose of Part One and the regional focus of this dissertation was to test systematically for country differences in the effects of Internet diffusion, wealth, degree of democracy, and the level of the rule of law on the number of compromised nodes and to model this variation both globally and in East Asia.

[102] There are now other research projects that can supplement the DShield.org data. For example, there is the Internet Motion Sensor at the University of Michigan <http://ims.eecs.umich.edu/> and the my|NetWatchman project <http://www.mynetwatchman.com/>. For a more thorough discussion consult the study by Bethencourt, Franklin, and Vernon (2005).
Reducing the number of compromised nodes globally will not reduce the threat of network intrusions entirely, but it will decrease the likelihood of a broad range of capability-based threats. It will also go a long way toward reducing the overwhelming amount of "noise" on the Internet that often obscures real attack signatures. Increasingly digital economies will also have less "drag" on them by reducing the number of compromised nodes that can be easily used in distributed denial of service attacks, spam, and other nuisances of the modern Internet environment which place undue strain on productivity and trust in the e-economy.

There are causality issues that remain unresolved. Political-institutional factors will not be important unless governments are actively trying to address Internet security problems stemming, in part, from increasing cyber infrastructural instability. With respect to causality: are lower numbers of compromised nodes influenced by the acceleration in Internet adoption patterns, or are both phenomena correlated but caused by another factor, such as wealthier, more productive economies?[103] There is no clear advantage to authoritarian regimes in controlling the number of compromised nodes and the frequency of Internet incidents. At this point, it should be clear that the ideal research design to confirm these findings would be longitudinal rather than cross-sectional.[104]

Economic factors appear to play little role in explaining cross-country differences in the sample of 49 upper tier states. While the amount of Internet diffusion is the most powerful factor, gross domestic product per capita and purchasing power parity cannot be linked to either diffusion or the distribution of the number of compromised nodes in the upper tier countries chosen for this study. This is, in part, because Internet diffusion is not associated with increases in wealth in the upper half of the states in the digital access index. Were this study to incorporate states in the bottom tier, it is likely that economic factors would play a stronger role.

There is no evidence of a difference between democracies and non-democracies in their ability to control the number of compromised nodes. Cross-nationally, both generally and in East Asia, the level of democracy did not appear to be a factor. A key implication of this result is that non-democratic regimes do not necessarily have an "authoritarian advantage" in controlling the number of compromised nodes. While they have been increasingly successful at managing content-based restrictions (primarily WWW based) and turning various applications of the Internet into a quasi-surveillance tool, there is no empirical evidence to suggest that more authoritarian regimes have a "deeper" control over Internet security matters. This conclusion is, of course, as measured by the frequency of Internet incidents sampled in each country. An alternative explanation for the result could be that no government has begun to address security at this level and thus there is no measurable difference between regime types. The latter explanation, however, is unlikely.

[103] It is hard to conceptualize diffusion of the infrastructure as anything other than a user defined process governed by national infrastructure strategies. The observation may be self-evident and trivial.
[104] There are two points to be made with respect to the statistical robustness of the results. First, removing and adding the US case does change the results, but only slightly. Second, the models are very sensitive to specification. Changing assumptions can generate wildly differing conclusions. See Appendix A. As noted early on, the only way to 'fix' this is to move to a time-series design with sampling periods from 1999 to 2005 (N=1.75 billion) for 51, possibly 52, cases.
While reducing the number of compromised nodes has always been the weak link in national and international Internet security policy, most governments began to address this problem in early 2000. Reducing the number of compromised nodes frustrates the creation and use of chained relays, lessens the impact of zombies, forces spammers into ever shrinking corners of cyber space, and reduces the ability of hostile actors to "talk and control" from a distance. The number of compromised nodes and the resulting Internet incidents have been an embarrassment for some governments. In East Asia, Chinese and Korean authorities have tried, often without success, to come up with a strategy to reduce the numbers. The primary pressure has come from systems administrators outside the region who have begun to blacklist IP spaces based on country of origin (Confidential Interview, Hong Kong SAR, 2002; China Daily, 2005). For the first time, the problem of compromised nodes is being directly addressed by a government agency. Australia will be the first country in the world where regulators will begin notifying ISPs of infected machines using their access. In a three-month pilot program, the Australian Communications and Media Authority will identify compromised machines and ask their owners to clean them or risk being disconnected (Sawas, 2005). This new territorial focus has taken on a 'you take care of your territory and I'll take care of mine' disposition. Internationalizing Internet security is no easy task; there are multiple actors and stakeholders, converging and diverging interests, and regional political dynamics that are often incommensurate. There have been a plethora of suggested international mechanisms to mitigate these frustrating factors. One such idea is to use a collective security approach to protecting cyber infrastructures (Bryen, 2002).
This international mechanism has been quietly studied by the ITU, primarily because other international efforts have done little to reduce cyber infrastructure instabilities. Bryen writes:

In some cases, governments and organizations with substantial resources are increasingly backing such attacks. To respond properly to this threat to security and prosperity, a strong, international solution grounded in a political framework is needed: isolated technical or legal solutions will not work. Moreover, efforts to confront structured hostile threats on a national level have been less than successful, and the technology employed has not been adequate to seal the systemic vulnerabilities in the information technology-dependent critical infrastructure (2002:3).

The key ideational shift that would have to take place is that states would have to consider cyber infrastructures as part of a global infrastructure rather than a collection of national 'spaces' that are connected to one another. This, given recent trends in international politics and in the frequency and distribution of Internet incidents, is unlikely.[105]

I have emphasized the role of political-institutional factors in explaining country differences in the dependent variable, which measures cyber infrastructure instability. At a fundamental level, states are responsible for creating and maintaining the laws and security policies and thus the integrity and stability of their infrastructures. Unlike the level of democracy, rule of law is linked to the dependent variable. The measure of the rule of law used in this study, from an institutional perspective, is broad. The impact of the level of the rule of law would likely become stronger in a time-series design, or at the very least preserve the initial results. It is important to point out, however, that a comprehensive theory of security in the cyber infrastructure would have to be multiscalar, explaining both the small scale of a sequence of Internet incidents and the larger scale of infrastructure stability and the social and political processes in which these incidents occur.

Conclusions: East Asia

The analysis done for eleven Asian countries demonstrated that some explanatory factors had more importance in a regional context than did others. First, there is no differential effect of the level of democracy on the number of compromised nodes in East Asia. This particular result is more interesting in the regional setting given the wide range of political systems in the region when compared to the rest-of-world group. Second, the level of the rule of law interaction did have a significant differential effect when compared to the base group. Institutional capacity and stability matter in this region.

[105] A recent example is the tension over US control of the domain name system (DNS). The EU led a diplomatic effort at the World Summit on the Information Society (WSIS) meetings in Tunisia in 2005 to change this. Other countries, such as China and Iran, are supporting this effort, albeit for different reasons than the EU. The DNS governance issue is the first in what is likely to be a continuing series of moves to pull Internet governance at the same time 'upward' to the UN's ITU and 'downward' to individual nation-states. The US, which has maintained some control over Internet infrastructure (albeit at arm's length), is responding to these challenges with a kind of cyber Monroe Doctrine. Recall that the Monroe Doctrine was a unilateral declaration by the US that it would not permit European powers to establish new colonies in the Western Hemisphere. A similar policy stance has emerged from the US Commerce Department, which oversees the not-for-profit DNS agency and which tersely says no to non-US control, whether at the international level (i.e. the UN) or by devolving DNS systems to the control of individual countries. These issues are beyond the scope of this study.
This is the key finding of the analysis. The level of the rule of law has a substantially different relationship to the probability of cyber infrastructure instability for the Asia country grouping and for the rest of the world. States with lower levels of the rule of law are more likely to have higher levels of cyber infrastructure instability than states with higher levels of the rule of law, while states in the Asia grouping with high levels of the rule of law are less likely to have cyber infrastructure instabilities than states in the rest-of-world grouping with a similar level of the rule of law.[106] The relationship between the level of the rule of law and the probability of cyber infrastructure instability is also much steeper for East Asian states than for the rest of the world. In short, Matai's claimed relationship between socio-political stability and cyber infrastructure instability cannot be dismissed as easily as critics may wish, but only within certain contexts. There is some evidence to support a link between cyber infrastructure events and macro-level variables. It is important to point out that DK Matai identified primarily non-democratic regimes as correlated with intrusion attempts: Russia, Turkey, Brazil, Saudi Arabia, Egypt, Morocco and Pakistan. Of this list, which presumably is not exhaustive, only Russia, Turkey, Brazil, and Saudi Arabia appear as cases for this study. Overall, however, the link between the "stability" of a country, economic, social, or political, and its cyber infrastructure is at best a very weak one. The underlying goal of Part One was to demonstrate that working at the level of the compromised node holds theoretical and methodological promise, but large-N studies alone will not accomplish the task.

[106] Singapore would be a case in point.
Part Two of this dissertation continues at the level of the compromised node but moves from the aggregate perspective of the last three chapters to a narrower set of case studies. This shift in focus is apropos given the stark regional findings presented here. Chapters Seven and Eight of Part Two examine transnational organized crime and organized collections of compromised nodes, called bot nets, as a high-tech threat to firms and state organizations in East Asia; a problem that many in the Internet security community consider to be the most serious Internet-based threat. By looking at the coevolutionary adaptive gap between sophisticated, well organized criminal elements and the state response mechanisms used to confront this threat, the analysis focuses on how far the adaptation space has widened.

Chapter Six: Non-traditional Cyber Security Threats in East Asia

Introduction

Reconsidering traditional and non-traditional concepts about what constitutes security in an era of rapid diffusion of information technologies and infrastructures requires framing technologies such as the Internet not just as a mode of communication but also as an environment that provides the ability to act at a distance. This duality is key to realizing the positive uses of Internet technologies. It is also a source of vulnerability and insecurity that both state and non-state actors may exploit. Considerable disagreement remains over both the nature and the source of the threat from the cyber infrastructure in East Asia.[107] There is, however, a growing consensus that non-state actors, especially sophisticated organized crime groups, are rapidly adopting new technologies and leveraging those who understand those technologies. This techno-adaptation by organized crime in East Asia comes at a period when these groups, according to many, already pose a threat to both state and regional security.
If there is evidence of a nexus between system intruders and organized crime groups in the region, two questions emerge: Is there a threat to security and stability? And can the East Asian state adapt? The focus of the dissertation now shifts from an aggregate analysis of the relationship between state instability and compromised nodes to transnational organized crime as a high-tech threat to firms and state organizations in East Asia. There are three objectives of Part Two of this study. The first is to investigate the veracity of the claims that there is a nexus forming between traditional and non-traditional transnational organized criminal groups in East Asia and systems intruders or 'hackers'. The second objective is to characterize the differing forms of organized crime in the region and revisit how these forms are treated in the security literature. The latter is important because it allows for a more thorough understanding of how a hacker-organized crime nexus might be approached from an international security studies perspective. The third objective is to situate this finding within the broader process of cyber infrastructure securitization currently taking place in the region. This securitization process, which is far from complete, provides an insight into how states in the region perceive and respond to both traditional and non-traditional security threats.

[107] Part Two of this dissertation uses the term East Asia to collectively mean the countries of Northeast Asia (Japan, North Korea, South Korea), East Asia (China, Taiwan, Hong Kong SAR, Cambodia, Vietnam) and Southeast Asia (the Philippines, Singapore, Malaysia, Thailand, and Indonesia). Part One of the dissertation included parts of South Asia, but these will be ignored for the remainder of the discussion.
By looking at the coevolutionary adaptive gap between sophisticated, well-organized criminal elements and the state response mechanisms used to confront cyber threats, the analysis focuses on if, and how far, the adaptation space has widened. The remainder of Chapter Six outlines the organization of Part Two of the thesis and briefly summarizes its findings. Chapter Seven begins with a brief review of the literature on transnational organized crime in East Asia and why, from time to time, researchers in International Relations and security studies revisit this problem in order to assess its potency as a non-traditional threat to state security in the region. Chapter Eight begins by investigating the claims that there is an ever increasing overlap between traditional transnational organized criminal groups in the region and computer hackers who perform illegal systems intrusions for financial gain. The focus here is on two case studies from the Hong Kong-Shenzhen region. What is important here is the idea that there are changing patterns of organized crime in East Asia which are distinct from the changes taking place in other regions of the world. Weak institutional capacity and a globalization of knowledge and technology are important supporting factors. The primary research for this dissertation focuses on the organized building and use of chained compromised nodes in cyber space (bot nets) by what I call non-traditional organized crime groups in the region. The distinction is made between traditional organized crime groups in East Asia and non-traditional forms of criminal organization. Traditional organized crime (TOC) refers to older, more hierarchical, sub-regionally based (often local) groups like the Triads and Tongs. Non-traditional organized crime groups (NTOC) are characterized as less hierarchical collections of more nimble networks that are transnational, multi-ethnic, and often fleeting.
The primary distinction from a technological perspective is the use of the cyber infrastructure for criminal gain. The final substantive chapter of Part Two discusses the results of the field work and sets them within the context of the case countries in the region. Chapter Nine then turns to an assessment of the adaptation space between sophisticated organized criminal groups and state responses in East Asia. In light of the findings two central questions emerge: is there a threat to security and stability, and can the state adapt? As will be shown below, it is the absence of clear adaptation strategies and responses that is, in part, responsible for the continued securitization of the region's cyber infrastructure. Chapter Nine links the problem of transnational organized crime to security in the region and to how states perceive this as part of a broader loss of control in cyber space. State responses to the problem of bot nets are fleshed out, assessed in light of the two cases presented in Chapter Seven, and tentative conclusions are reached about the new 'nature' of the threat from the cyber infrastructure.

A note on methodology

The research described in the following chapters is based primarily on field work and documentation from scholarly journals and media reports. During the period 2001-2004 I conducted 31 interviews with government officials, engineers, and members of the 'hacker community' in Tokyo, Seoul, Manila, Kuala Lumpur, Hong Kong SAR and Singapore, as well as with individuals in Canada, the United States and the United Kingdom. The field research evolved as a 'snowball' sample where one chance encounter in Singapore in 1999 led to a shallow introduction to the 'underground' community in East Asia. From initial contacts, interviewees were asked the question "would you know of someone I could talk to about that" in order to keep the sample going.
Interviews with government officials and security practitioners in East Asia yielded valuable information on new and emerging Internet threats that states and firms face from organized crime. It was also useful to get firsthand accounts of the policies and strategies that have been implemented in national settings in order to get a sense of what has worked, what has not worked in the past, and why. Field interviews also provided a unique opportunity to speak with individuals in the "underground" community. While access to this population was limited when compared to government policy makers and network engineers working at large firms, enough qualitative data was gathered to gain provisional insight into general behavioral trends. Given the subject matter under study here, the use of anonymous sources was unavoidable. Studying the adoption and integration of Internet technologies by TOC groups involves examining the nexus or overlap of two types of hidden social networks:[108] organized criminal groups and network intruders.

[108] Name generators were used during interviews. Marsden (2003) defines name generators as questions asked by an interviewer to an interviewee regarding their personal social networks (i.e. friends, family, business associates and so on). Marsden studied the interviewer effect on the use of name generators in social network analysis. His work is relevant only in the sense that interviewer effects (especially on social network questions like "do you know so-and-so") can be both statistically and substantively significant. But he cautions that even under ideal laboratory conditions respondents are less likely to reveal depth in their personal social networks, and these results can vary widely across different interviewers and interview techniques used (2003). The conditions in this study were far from ideal and any information on the extent of the respondents' social network(s) is treated with a healthy dose of caution and qualm.
At some point in the early development of the Internet these two groups were, for the most part, mutually exclusive. Over time, however, connections formed which linked sophisticated criminal enterprises with "crackers" at varying levels of capability. Unfortunately, the use of anonymous sources is often necessary simply because crucial pieces of information might never see exposure if a name had to be attached to information shared or discovered. I adopted several informal "validity" checks when speaking with "crackers" or network intruders involved with, or claiming knowledge of, this nexus. First, it was necessary to somehow assess the skill level - if only at an ordinal level - of the supposed network intruder who is relaying information about changes and trends in the practices of the "underground" in East Asia. For this research I avoided Internet relay chat (IRC) encounters, pushing instead for face-to-face meetings. This was a precarious undertaking, but interviewing the individual or individuals in their "laboratory" reduced the likelihood that the interviewee would turn out to be a low level "script kiddie" and thus of questionable value.[109] Second, while doing the field research I assessed the authenticity of the interviewee by first assuming that the type of operating system distribution that they used approximated the skill level of the supposed network intruder. If the individual offered to illustrate a point on a computer it was essential to take note of this point. While many sophisticated crackers keep a variety of machines with versions of Microsoft operating systems installed, it is very unlikely that one of these is their main "work" machine.[110] Capable network intruders do look for vulnerabilities on Windows machines, as well as other operating systems like IRIX, Solaris, Linux and the BSD family, but the implementation and/or execution of remote hacks will invariably be carried out on some Unix-like operating system with little more than a few open terminals visible on the desktop. In a similar vein, most highly effective network intruders have some working knowledge of assembly languages and are usually "fluent" in C and/or C++. If I encountered an individual struggling with a simple shell script written in a "higher" language, I assumed that it was unlikely that this individual could be ranked in the upper echelons of network intruders. It is important to point out again that even 'script kiddies' can be effectively employed by criminal elements in the organization of organized crime using the cyber infrastructure. The factors discussed above are general indicators only, and assessing the authenticity of the computer skill level of the interviewee is only the first step. The second problem is characterizing the veracity of any claims of ties to organized criminal networks. This was particularly tricky as decisions on field safety and courses of action often had to be made on the fly - in one instance after what turned out to be prerequisite amounts of time spent in a pub or bar. I make no claims here to have penetrated that murky criminal underworld in East Asia; though, it must be pointed out, it is an environment that is not as hidden as one might think. Unlike North America, academics doing field work in East Asia sometimes have the ability to gain access to communities and populations that would otherwise be inaccessible. Being a young field researcher helped rather than hindered making contacts within this population. Superficial characteristics, such as appearance, played a key role. This, from what I can guess, is a result of a large generational divide within organized criminal groups in several East Asian cities - especially ones that are actively incorporating technology as tools.

[109] It is important to point out, however, that script kiddies are still capable of a number of above-average intrusions, but it is unlikely that lower level hackers have the ability to sustain themselves in the world of transnational organized crime. My trips to Asia and the subsequent interviewing that was conducted over the past few years strongly indicate that script kiddies have been "hired" to install key loggers and transmit passwords but are rarely tasked with more sophisticated sub-contracted network intrusions. In one instance, the interviewee began pointing and clicking through intrusion software downloaded on a Windows XP laptop while we were sitting in a bar. The interviewee was trying to illustrate a new "hack", but from this information alone it was clear that he did not know as much as he had claimed.

While these factors may have helped with access to the two hidden population groups and the nexus between them, they may have hindered interviews with government policy makers in the region. Policy makers and analysts were, in most cases, only able to elaborate on policies and strategies that were readily available from agency websites or existing literature. The vast majority of the policy makers and law enforcement officials in the region argued that while the threat posed by high-tech enabled TOC groups used to be significant, law enforcement and intelligence agencies were now closing the gap. There were two notable exceptions. The first is the Philippines. Here there was broad-based acknowledgment that the gap was widening, an acknowledgment that came without much of the rhetoric of the official line that I was subjected to in other countries. The second exception was South Korea. Before traveling to Seoul, I sent several letters and email introductions to the relevant government agencies requesting interviews.
Only one individual agreed to a brief "supervised" meeting during which I was told that there never really was a problem (Confidential Interview, Seoul, 2003).

The criminology literature does not reveal much in the way of evaluative case study information on the impact of Internet technologies on transnational crime and the impact of law enforcement efforts against this type of criminal behaviour in East Asia. What is being suggested in criminology research thus far is that a significant level of computer-related crime lies beyond the capacity of law enforcement agencies alone to address. The ideal policy response, it is generally argued, would see a mix of law enforcement, technological and market-based solutions and response mechanisms (Grabosky, 2000). Ultimately, however, in most jurisdictions, the responses are left to local law enforcement. It is important to point out that while the criminology literature does inform this study, it is not a discipline-specific exploration of crime and law enforcement issues in East Asia. This is a rethinking of the impact that non-traditional security threats such as TOC have on security, not on law enforcement specifically. As such, it is a "top-down" perspective from Political Science - International Relations using two case studies,[111] rather than a "bottom-up" approach used in Sociology - Criminology. The literature on non-traditional security threats in International Relations and security studies provides the starting point. The Leviathan now faces additional pressures from network forms of organization that often mimic the ranks of states in exploiting the diffusion of modern technologies (Deutsch, 1966; Rosenau, 1990; Rosenau and Czempiel, 1992; Risse-Kappen, 1995).
Enabled or amplified by the cyber infrastructure, network-based threats now span the entire security spectrum (Matthew and Shambaugh, 1998; Lilley, 2003; Sageman, 2004; Deibert, 2002). As will be shown below, the emergence of new threats and new actors does not by itself provide conclusive evidence that the role of the state as the primary provider of security is in decline. On the contrary, due to the fundamental nature of the digital world, cyber-enhanced security threats and the emergence of new actors are not entirely beyond the capacity or scope of state-based responses. The insecurities of the digital world may well call into question some of the efficacy and legitimacy of traditional state-based security when applied to new Internet-based threats; but for the foreseeable future the state remains the only actor with the authority, legitimacy, resources and governance tools to address these issues.

[111] For the purpose of Part Two of this dissertation a case study is "an intensive study of a single unit for the purpose of understanding a larger class of (similar) units. A unit connotes a spatially bounded phenomenon - e.g., a nation-state, revolution, political party, election, or person - observed at a single point in time or over some delimited period of time" (Gerring 2004:342). The definition provided by Gerring is an 'ideal'; I am convinced that much more field work would be required before there would be sufficient evidence to make an inference or "understanding [of] a larger class of units."

Chapter Seven: Organized Crime as Cyber Threat

Introduction

One scholar theorizes "that criminal organizations might well move from corruption and co-option of political elites to more direct control of political power" and that it is possible that "the main fissures in international politics would be that between 'outlaw states' and law-abiding states" (Williams, 1999:51).
These fissures are already forming in cyber space, where jurisdictional arbitrage by traditional and non-traditional TOC has meant that states with lower levels of institutional capacity and high levels of Internet diffusion (usually driven by rapid economic growth rates) are playing host to uncivil society groups seeking safe digital harbors. Does this constitute a threat to security? This is an examination of the pressure that non-traditional security threats such as TOC place on security through illicit uses of the cyber infrastructure and, as such, it is a "top-down" perspective from Political Science - International Relations rather than a "bottom-up" approach used in Sociology. The literature on non-traditional security threats in International Relations and security, and the perspectives contained therein, provide the starting point. I argue in this chapter that, unlike other regions, East Asia is not seeing a reduction in traditional forms of organized crime as the newer non-traditional transnational organized criminal groups emerge and evolve. Rather, both are growing, each with its own characteristics, attributes and uses of technology. The effect is additive and interconnected. This has a direct impact on the nascent nexus explored in Chapter Eight. This pattern is contrary to that which is emerging in Europe, where new non-traditional networked forms of TOC are 'replacing' older hierarchical traditional organized crime. There are two general factors that explain this additive effect in East Asia. First, there has been a weakening of institutional capacity in key regions of mainland China during a period of rapid, uneven economic growth. Second, globalization of the international system has meant cheap and easy access to advanced knowledge and technologies.
The 'newer' non-traditional forms of TOC have focused attention on more sophisticated uses of technology in crime, which has enabled them to create more stable black markets and connect with more traditional forms of organized crime.

Transnational organized crime in East Asia

The definition of 'organized crime' used in this thesis is behavioral rather than legal. This is, of course, due to the regional focus, which presents a considerable amount of variance in legal systems and concepts of 'crime', and which makes a definition based on law or governmental policy not useful for this research. There is a growing international legal framework that commits states that ratify it to taking a series of measures against transnational organized crime. Transnational crime (with or without the 'organized' element) is distinct from international crimes and domestic crime - the former prosecuted under international law and the latter under national jurisdictions. An organized criminal group - whose activity is organized crime - is defined by the United Nations Convention Against Transnational Organized Crime[112] as: a structured group of three or more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit (Article 2 Sec a.). Organized crime is considered 'transnational' if: a) it is committed in more than one state; b) it is committed in one state but a substantial part of its preparation, planning, direction or control takes place in another state; c) it is committed in one state but involves an organized criminal group that engages in criminal activities in more than one state; or d) it is committed in one state but has substantial effects in another state (Article 3 Sec 2.a). The illicit activities covered by the UN Convention range widely from trafficking in drugs and humans to computer crime.

[112] In December 1998 UN resolution 53/111 was passed, from which the General Assembly established an Ad Hoc Committee to begin the process of developing an international convention against transnational organized crime and three supporting international legal protocols. The convention was adopted by the General Assembly by Res. 55/25 in November 2000 and entered into force in September 2003.

Settling on a precise, meaningful sociological definition of transnational organized crime is important because it directly scopes and informs conclusions. This is particularly important when addressing TOC relationships with other social networks like systems intruders and also when assessing substantive links to national security more generally. For example, during the international meetings to hammer out a UN TOC Convention, the most difficult task of the national representatives was to agree on what transnational organized crime is and what it is not. The end result, as shown above, is a very broad common denominator definition. Even the term 'transnational organized crime' itself is not without its critics, who argue that the international legal definition was never really designed to be useful for those actively engaged in studying or responding to it. They argue that TOC has become a catch-all repository for the bad things that happen across borders and that, more portentously, the:

concepts [organized crime and transnational organized crime] share the advantage of being easily exploited. Each can imply whatever the speaker wants it to be: a massive threat; a theatrical legacy; or petty criminals and hoodlum bikers. The police, politicians, public and media tend to see the term organized crime and alternatively transnational crime, as an undifferentiated blanket under which most 'serious' crimes can be shoved. The concept of organized crime has become mythologized to the point of total distortion, rendering it useless for anything but political mileage and the bargaining for resources by law enforcement (Beare, 2000).

This is not just a problem that can hinder cross-border cooperation or slow the progress of domestic legislation designed to conclude mutual assistance agreements; it can also create operational problems for law enforcement at all levels (Loree, 2002:73). A case in point would be the persistent struggle in formulating extradition treaties in the East Asian region due to barriers which can often be distilled down to disagreements over the definitions of offenses. Academic studies are not bound by such constraints and often dispose of international definitions in favor of more sociological and behavioral frameworks. For example, Finckenauer (2005) defines organized crime in terms of loose networks that share continuity across space and time. For Finckenauer, TOC has little in common with what he argues are fictional interpretations in the Western media based largely on a romanticized mid-twentieth century understanding of la cosa nostra.[113] Finckenauer posits that these organizations are instead "loosely affiliated networks of criminals who coalesce around certain criminal opportunities. The structure of these groups is much more amorphous, free floating, and flatter, and thus lacking in a rigid hierarchy" and that "continuity is maintained over time and across crimes, and remains an important definitional element of what is truly organized crime" (Finckenauer, 2005:65-66).
This self-perpetuation, of course, presupposes some sort of sophistication, a skill level of at least some of its members, and a socio-political environment conducive to survival. A recent report published by the Council of Europe's Octopus Programme concluded that the evolution of TOC over the last decade suggests that the "notion of clearly defined hierarchical organisations is being replaced by one of criminal networks - consisting of individual criminals or cells of criminals as well as legal entities and professionals which are more or less loosely affiliated and cooperate in varying compositions for particular criminal enterprises" (2005:44). This conclusion, based on the study of TOC in Europe, would seem to be in accord with some of the more recent research on TOC in East Asia. An instructive example is the work of Zhang and Chin, who studied Chinese human and heroin smugglers in the United States. Based on their field interviewing they argue that there is currently a decline of traditional TOC activity and that "a different breed of organized Chinese criminals has come of age in transnational activities. These organized Chinese criminals are not affiliated with triad societies or any other traditional Chinese organized crime groups. They are freelancers" (Zhang and Chin, 2003: 469). But just because there are emerging forms of TOC does not necessarily mean that the old ones have abated in the region. The key theme in the non-traditional TOC groups and organizations internationally is that the relationships within organized crime are expedient and functional; not necessarily rooted in the trappings of ethnic histories or familial ties.

[113] La cosa nostra loosely translates to "this thing of ours".
For example, Phil Williams argued that the majority of relationships or ties between drug traffickers should be understood using more trite vocabulary and that the mechanics of organized crime in the drug trade are "essentially alliances of convenience based upon strictly economic considerations rather than part of a global conspiracy" (Williams, 1995:67).[114] The key implication for law enforcement is that it is much more difficult to find critical nodes in these social networks in order to compromise or remove them. Small social networks tend to make connections with others for a short period, then detach, and connect again to another network in order to continue the pursuit of wealth. They are often apolitical, fleeting, and multinational. In general, and more specifically in Europe, TOC is evolving into looser, more fluid network forms of organization and the more traditional hierarchical, ethnically based groups are in decline.[115] In East Asia, the picture is different. Organized crime groups in East Asia are often categorized as traditional or non-traditional. Traditional organized crime groups include the more familiar Chinese triads based in Hong Kong, Taiwan, and Macau as well as the Japanese Yakuza or Boryokudan.

[114] Williams has argued more recently that organized crime, which may be transnational in scope and ambition, should be understood as both entity and activity (Williams, 2004:2). This distinction allows for conceptual ease-of-use between, for example, la cosa nostra and terrorist networks creating their own organized crime to provide a source of financing. The former is an entity while the latter is an activity. Interestingly, Williams notes that in "some circumstances, therefore, terrorist and criminal networks will increasingly be involved with one another, albeit in competitive as well as cooperative ways" (2004:2).
Non-traditional groups often characterize more informal networks and associations such as tongs with criminal ties, triad affiliates, and common gangs located in East Asia and in countries with large East Asian communities. The activities that these groups engage in vary widely: racketeering and extortion, kidnapping, illegal gambling, prostitution, loansharking, alien smuggling, drug trafficking, financial fraud, theft of computer chips and other high tech goods, counterfeiting of computer parts, and money laundering (Finckenauer, 2002; Chin, 1996). Here the distinction is made based on formalization of ties and structure as well as longevity, not on technical skills and the use of the cyber infrastructure. In East Asia, there are also organized criminal groups that are locked into or embedded in particular social and political contexts. In addition to the traditional and non-traditional TOC groups there are also well formed municipal or metropolitan groups that are often politically active, with a high cross-group variance in level of sophistication. The most recent and extensive work on these traditional forms of TOC in East Asia is by An Chen. Chen's research examines contemporary organized crime in China. She notes that in "today's China nearly all criminal gangs are local ones" (Chen, 2005:81). The survival of organized crime over long periods of time, according to Chen, requires intimate connections with local government officials, which in turn use the "gangs" to pursue their own goals - a kind of self-reinforcing symbiotic feedback loop, which is a different notion of nexus.[116] Chen concludes that the primary explanatory factor for the increase in organized crime is political corruption (2005:82). The China focus here is an important dimension in understanding the more sophisticated uses of the cyber infrastructures by non-traditional TOC in the region. This is not to say that the problem of TOC is an exclusively Chinese one; but rather that because of China's unique social, economic and political trajectory, organized crime of all types is flourishing.[117] Additionally, non-traditional TOC in Hong Kong SAR and mainland China provides many of the transnational 'bridges' in East Asia for other criminal entities in the Philippines and Indonesia. Chen notes important domestic evolutionary trends among active organized crime, citing cases from Zhengzhou, Henan, Chengdu and Sichuan. Chen breaks organized crime in mainland China down into three types: a) criminal means to legal businesses; b) purely illegal markets; and c) mobs or gangs of hooligans (2005:82). According to Chen's findings, organized crime leaders in the more sophisticated type-A group, in general, have taken earnings from illicit activities and actively invested in legitimate businesses.[118]

[115] Most of the literature that focuses on European experiences confirms this trend. But it is important to point out that this is a statistical observation. There will be exceptions. For example, the biker gangs in Northern Europe and North America retain the hierarchical, ethnicity based, business organizational frameworks.
T h i s is certainly not a new tactic, but as C h e n argues: their organizations do not necessarily quit crime [after transitioning to legitimate enterprises], but rather undergo 'upgrading' in the structural arrangement, membership, and patterns of criminal conduct. They typically evolve from loosely structured gangs into more formal organizations with a rigid pyramidal hierarchy and discipline. While continuing to recruit among marginal social groups, they also approach people with political offices or social status of membership (Chen 2005:86). , . 1 1 6 Chen notes that criminologists in China point out that most of the crime is collective but not organized crime. Chinese researchers make the distinction using levels of planning and coordination to separate real 'organized crime' (Chen, 2005:83-84). 1 1 7 For more on how changing social forces and circumstances - especially capitalism and democratic versus patriarchal leadership - are altering transnational patterns of crime in the Asia Pacific region more generally see Shaw (2003). 1 8 Chen identifies several 'secret societies' as the closest type of sophisticated organized crime that resemble organizations in the West and closely parallel very traditional Chinese secret societies like the Green-Red Gang (2005:84). The notion of a 'secret society' has made a kind of come-back in China since a series of reforms in the 1990s designed to "stream-line" government operations. These reforms, in part, devolved administrative power and responsibilities for managing sub-regional economic growth and development to lower paid local officials (2005:85). 130 These hierarchical evolut ions increase trust levels a m o n g the organizat ions members and thereby insulate leaders f r o m prosecut ion through a strategy o f c o m p a r t m e n t a l i z a t i o n . 
1 1 9 W h a t C h e n does not account for i n the type a) group is the extent to w h i c h transnational l i nks are made and h o w they are sustained - or i f they exist at a l l . Th i s is an especia l ly important gap i n the literature on T O C in East A s i a but g iven that C h e n ' s results show c lear ly that government o f f i c ia ls are increas ing ly j o i n i n g the type a) organizat ions i n Shanx i , H u n a n , and G u a n g x i Prov inces and i n some cases even " a s s u m i n g po l i t i ca l of f ices persona l l y " (2005:105) it is safe to assume that the domest ic -international interfaces are m a n y and grow increas ing ly complex . Interestingly, i n response to this evolut ion o f domest ic organized c r ime, the communis t party in B e i j i n g amended several domest ic laws i n 1997 .wh ich strongly suggest "that the reg ime no longer treats c r i m i n a l secret societies as pure ly c r i m i n a l cases but as the prob lems o f a po l i t i ca l nature" (Chen , 2005 :106) ind icat ing both a nascent internal -domest ic secur i t izat ion process and that the more t radi t ional , l oca l l y entrenched groups are not necessar i ly the apo l i t i ca l actors i m p l i e d i n the more general def in i t ions o f organized c r i m e . 1 2 0 There are two important considerations to keep i n m i n d . F i rst , the T r iads are not synonymous w i t h Ch inese c r imina l syndicates. N o t a l l syndicate members or c r imina ls are automat ical ly tr iad members . B u t a l l tr iad members are c r imina ls , i f o n l y because membersh ip alone is considered a c r imina l offense under H o n g K o n g ' s 1994 Organized 1 1 9 Evolution implies smooth upward progression. M y interviews in the region lead me to believe that punctuated equilibrium is the more appropriate descriptive term. 2 0 The evolutionary trend is horizontal as well as vertical. 
For example Wong found that in counterfeit medicine markets, traditional organized crime waited to enter into this underground business and when it did it began it connections with mostly informal gangs. From Wong's field interview of a mid-level criminal member: "If you are in the business of selling and trafficking in illegal drugs, the police are always after you, but counterfeit drugs, very little" (2004:167-169). Wong also discovered connections between illicit markets, TOC groups and the PRC military, whom are still involved with running illegal businesses even though the central government, through a series of policy measures, has restricted the Army from owning companies (2004:170-171). 131 Serious C r i m e s Ord inance as w e l l under legis lat ion in the P R C . 1 2 1 Second , c r i t ica l to understanding T O C in East A s i a - especia l ly the more sophist icated c r i m i n a l act iv i ty - is the practice o f "guanx i " or personnel relat ionships and connect ions (Hart, 1999). T h e activit ies o f both tradit ional and non- t radi t ional c r i m i n a l groups are based on e v o l v i n g ties between sets o f ind iv idua ls , associat ions, and legit imate organizat ions. The extent o f transnational organized c r i m e in the region is general ly uncovered through an examinat ion o f the f inancia l and personal ties, however remote, a m o n g part ic ipat ing i n d i v i d u a l s . 1 2 2 W h e n H o n g K o n g reverted f r o m B r i t i s h to Ch inese rule i n 1997 there were concerns i n the p o l i c y communi t ies o f East A s i a and N o r t h A m e r i c a n that the T r iads and other organized c r ime groups w o u l d leave the c i ty i n favor o f ' g r e e n e r ' pas tu res . 
The thinking at that time predicted that much of the 'organized' element of the Triads would constrict back into rudimentary criminal enterprises like extortion, gambling and drug trafficking in new locations. Lintner observed that "in the 1980s, many outside observers and analysts thought the gangs that were based in the then British colony would leave once it reverted to Chinese rule in 1997. In the end, the reverse turned out to be the case. Not only did the Hong Kong Triads make arrangements with the territory's new overlords" but "both Triad-linked criminal groups and various syncretic sects, are also expanding at a breathtaking pace. An entirely new breed of entrepreneurs is emerging on the fringes of China. The businesslike and well-connected, pinstriped suit-wearing managers of the Sun Yee On Triad have shown where the future lies" (Lintner, 2004:84; Chu, 2005:5). The post-1997 Hong Kong transition opened up both legal and illegal markets inside China. There, a period of accelerating economic growth and development in provinces such as Guangdong, and more specifically in the Pearl River Delta region, was generating enormous wealth but also putting extraordinary pressure on state institutional capacity.[124]

121. Much of the new legal definition of 'organized crime' emerged out of Beijing's 1996 Strike Hard Campaign (pinyin: yan da).

122. For more on the role of guanxi see Chen (2005:93-94) and Pye (1981:139-141). During my interviews in Hong Kong I noticed that, from the perspective of the individuals interviewed, the role of personal ties and connections is very important for both traditional and non-traditional criminal organizations in East Asia. Guanxi, however, played less of a role in the non-traditional groups, which appear to rely on more corporate ties and relationships along professional lines.

123. This observation, in many respects, is difficult to empirically verify. In part, this is because there has been little scholarly attention to Asian organized crime in North America relative to other forms. An exception is the recent work of Zhang and Chin (2003). A key point here is that the victims of Asian organized crime in North America are often within the Asian North American communities themselves. As an example, see the study of Korean gangs in the United States by Ahn (2004).

In addition to the northward focus of the Hong Kong SAR based groups, Chu identifies three important trends in East Asia TOC between 1997 and 2004. By using the Sun Yee On, Wo Shing Wo, and 14K groups as case studies, Chu concluded that "First, triad members from various societies group together to run profitable criminal projects. Second, they team up with legitimate entrepreneurs to monopolize a newly developed market. Lastly, triad members increasingly invest in legitimate businesses" (Chu, 2005:5).[125] It was not just the Hong Kong based groups that were looking for new opportunities in mainland China during the 1990s. Taiwanese organized crime was also moving into the mainland in search of vulnerable, more conducive environments. But it is important to point out that there are considerable differences with their counterparts in Hong Kong. Taiwanese organized crime, while structured, is not as 'sophisticated' as the Hong Kong Triads and the mainland Tongs. A research report published by the National Central Police University in Taipei found that the most active and organized groups in Taiwan rely primarily on 'brute force' crimes along with some involvement in the construction industry. According to the report, in the Bamboo United group "the level of professionalism within the gang is not as high as the public has imagined" (Anonymous Authors, 2005:16).[126] These findings seem to suggest that there is little evidence of the rapid evolutionary patterns in Taiwanese TOC that are found in other groups in East Asia and southern China. The report also observed that in "the Bamboo United, decisions about what criminal markets to enter are primarily based on (1) the kinds of businesses existing within a branch's territory and (2) the kinds of businesses with which branch leaders are familiar" (2005:14). This is the 'stick to what you know' stratagem. If the cases of Hong Kong SAR, China and Taiwan are representative of environments with long lineages of both traditional and non-traditional transnational and national organized criminal groups, the Philippines is one of the few exceptions in the region. The Filipino based TOC groups are a relatively new phenomenon. These groups have developed the sophistication in the strategies and tactics of both national and transnational criminal activities found elsewhere in the region, but they have yet to adopt the more rigid and pronounced organizational hierarchies or the flattened, sophisticated social networks found in the non-traditional and traditional groups in Hong Kong, China and Japan.

124. The Independent Commission Against Corruption (ICAC), set up in Hong Kong in 1974, was designed to kick off a quiet revolution against perceptions and patterns of corruption in Hong Kong government and society - specifically through the role that the Community Relations Department of the ICAC played. To counter the possibility of a return of corruption post-1997, the ICAC began a new push, similar to that of the 1970s, to ensure that pre-ICAC days did not return. It is important to point out that much of the post-1997 ICAC effort was designed to calm the Hong Kong population and, likely, the markets as well (Lai 2000:79-80, 83, 85). Singapore has also had similar programs and offices designed to boost institutional capacity and raise awareness and education among the business and general population.

125. Shenzhen and Shanghai are two important cities for the Hong Kong to China trend pattern.
The more innovative groups in the Philippines are usually broken down into specialized cells that perform specific tasks. There is evidence that approximately 5% of these groups are using the cyber infrastructure both as a force multiplier and as a method to steal digital goods (Interviews in Manila, Philippines 2003). Increasingly, Filipino organized crime is being used by, and is forming relationships with, East Asian Triads and the Tongs in Southern China, primarily to take advantage of the country's unique geography and low institutional capacity - the military's inability to secure borders and law enforcement's scarce resources being diverted to terrorism and internal security matters (Confidential Interviews, Manila and Caticlan, Philippines 2003). There are, of course, other states in Asia with similar and dissimilar struggles with both traditional and non-traditional forms of transnational organized crime. A general pattern does seem to be apparent. States with growing TOC levels are generally those with low institutional capacity, i.e. low levels of the rule of law - similar in measure to the independent variable used in Part One of this dissertation - and have high economic growth rates with rapidly diffusing technologies and infrastructures.[127] This lop-sided development is a perfect environment for the attachment of organized crime onto weak institutions and is fertile ground for the operational mechanisms of non-traditional transnational criminal activities. External international system factors have also played a large role in East Asia. One of the conclusions of the United Nations Centre for International Crime Prevention (UNCICO) survey published in 2000 was that "the available evidence suggests that new technologies and other developments related to globalization have lowered the barriers to entry in respect of some criminal activities, and have as a result diversified the nature and types of activities that criminal groups are involved in" (UNCICO 2000:49-50). This would, in part, explain the high variance in the type of transnational organized groups (traditional and non-traditional) found operating in East Asia and the explosive growth in some criminal enterprises in the region.

126. The report was published in the journal Trends in Organized Crime but the authors remain anonymous. Please see reference list. In-text citation as 'Anonymous multiple authors'.

127. The political-institutional 'variable' is also a factor in other Asian states even though they have high levels of institutional capacity. The case of the Yakuza in Japan and gambling is instructive. In Japan there is a very complex set of regulatory controls on gambling, which are administered as leisure activities. The pachinko gaming industry generates hundreds of billions of dollars (US) and has close ties to the traditional forms of organized crime. The industry itself is administered by the National Police Agency, which must enforce laws governing this industry that were written in 1907 and are very difficult to understand, let alone enforce. This is a small example of pre-War laws carrying over into modern Japan. Furthermore, up until the early 1990s organized crime in Japan could operate, to a certain extent, in the 'open' because membership in these groups was not illegal. There were no statutes in Japan comparable to the US Racketeer Influenced and Corrupt Organizations Act of 1970 (RICO). To rectify this, the Japanese Diet passed the Boryokudan Countermeasures Law in 1991.
Cognizant of the growing complexity of criminal enterprises and the high cross-group variance of characteristics and features of and between domestic traditional and non-traditional transnational organized crime, the UNCICO survey argued that "the collection of information on transnational organized crime must focus on the lowest possible level, that of the criminal groups themselves. While criminal clusters may contain specific characteristics - indeed, these are presented at various points in the report - they do not on their own constitute valid research categories for the study of organized crime" (UNCICO, 2000:47).[128] The report continues by laying out a standardized system for examining trends in transnational organized crime which should consist of three components - that of "groups," "clusters" and "markets" (2000:52). Both traditional and non-traditional forms of transnational organized crime thrive in particular types of states. In East Asia, the TOC groups, both traditional and non-traditional, succeed in states where there is rapid economic growth, readily available technology, weak institutional capacities and extreme variance in socio-economic conditions, which provide a large pool of 'foot soldiers'. The growth of both types of groups in the region has resulted in cooperation and functional linkages of convenience. The loose ad hoc ties between non-traditional TOC and traditional organized crime serve two purposes. First, they limit risk in both organizations by limiting each type of social network to sporadic, temporary connections. It is less likely that law enforcement would be able to see the entire chain or complete network by compromising only a handful of nodes. There is a multiplicative effect here. As one interviewee put it, "the cooperation between new groups and old is being made more efficient by abstract and very real underground market forces" (Confidential Interview, Hong Kong SAR, 2002). While the trend toward an increase in non-traditional types of TOC in Europe and North America has come with a relative decline of more traditional criminal 'cartels' and 'families', because of unique state environments in East Asia the emergence of new non-traditional TOC groups has not slowed or diminished the evolutionary trajectories of the more traditional 'secret societies', Tongs, Triads and other more scale-free networks. It is important to note that non-traditional groups can and do act as facilitators of transnational activity for the more traditional organized criminal groups; they become specialists for hire, contractors that provide enhanced services. This littoral nature of the 'underworld' makes non-traditional TOC groups the most innovative in their use of technologies (Confidential Interviews, Hong Kong SAR and Tokyo, Japan 2003). It is not yet clear if states in the region will be able to keep pace with these changes.

128. This is easier said than done. I have tried to stick to social scientists that follow this anthropological approach to the study of organized crime; see Chen (2005), Chu (2005), and Zhang and Chin (2003) for recent efforts in Asia. On the impact and use of cyber infrastructures and TOC see Nordstrom (2003) for her study of smugglers' use of information technology in southern Africa. Nordstrom's work is the only example that I could find in this vein. In terms of political science and international relations research (specifically security studies), Allan Castle argued that when trying to understand the impact of TOC on security, "these activities are best conceptualized from a policy viewpoint [and arguably from a conceptual viewpoint as well] in terms of their effects, rather than their predicate nature" (Castle 1997:28).

Non-traditional security threats in East Asia

A security threat is both an existential or empirical reality and a social process which is intersubjectively constituted.
Both of these components intermix through a complicated social dynamic that involves factors ranging from deep genetic predispositions in humans to socially constructed perceptions about the world. The ontological debate over the idea of security often hinges on the relative weight placed on the impact of material versus socio-cultural variables. A puzzle for students of International Relations and security studies has centered on explaining why some empirical threats become, or are responded to as, dangers to 'national security' and others do not make it as security issues. Existential security threats come from actors or processes with the combination of hostile intent and the capacity to carry it out. But by this definition alone there are a plethora of both potential and actual threats to security, ranging from communicable diseases and environmental climate change to terrorism and rogue states. The 'threat spectrum' is enormous. Complicating matters is the level of analysis problem. Existential threats can impact at the individual level, the level of the state and the international system (Castle, 1997). This crossing of the levels of analysis does not, however, immediately justify special measures that only the state can legitimately employ. Indeed, an analysis of a possible nexus between transnational organized crime and network intruders as a security issue rests rather precariously on two possible presuppositions: that TOC groups and syndicates are already security threats, or that a potentially rapid technological innovation by TOC groups will take them from being non-security threats, or purely criminal matters, to having the potential to be articulated as a danger. Would a nexus really be a threat?
The Copenhagen School is a particularly appropriate theoretical framework in this case because it does not focus primarily on the material but rather on the social processes involved within and between the starting point of how a threat is identified and the point when a rhetorical justification of an extraordinary response mechanism is articulated by the state. Thus, Buzan argues that military issues are just one area that possesses an inherent capacity to induce fears over state and international security, and thus all have the potential to become securitized (Buzan, 1995:205-208). For Castle the link between TOC and security begins with an understanding of intent, and as such:

    organized crime exists almost entirely for the purpose of making money outside the confines of legally acceptable behaviour. If this is the case then the primary risk for other actors is not to their physical security but rather to their economic well-being, as a consequence of the economic distortions resulting from activities such as extortion, fraud, and smuggling (Castle, 1997:2).

Castle establishes four criteria for determining if TOC groups can be seen as presenting a threat to state security, based on two assumptions about the nature of security. First, security is a "commodity or condition over which violent dispute is a significant possibility" and it is important to understand that these "contents and commodities" change over time (1997:3). Second, if TOC is a grave threat to security it should 'threaten' one or more of the following contents or commodities: a) the maintenance of the core values of a society; b) the freedom of that society's population from grave or existential threats; c) the maintenance by constituted authorities of control over the legitimate use of force; and, d) the maintenance by constituted authorities of control over defined national territory (1997:6-7).
Where Castle parts ways with the soft constructivists of the Copenhagen School in understanding the link between non-traditional threats and security is in limiting its subjective nature; or more precisely, the notion that security is purely what states make of it. He cautions that any "examination of transnational organized crime as a security issue, finessed by reference to security as a self-defined and evolving concept which eludes the boundaries of traditional concepts of state security, would be in serious danger of predetermining its own conclusion" (1997:4). Thus Castle opts for an examination of the alleged threat posed by TOC groups against the backdrop of a more traditional understanding of the referent objects of security. This is important because an investigation's conclusion would be on the same terms as how state and non-state actors perceive the potential threat themselves - using the same criteria. Indeed, much, if not all, of the literature on the link between TOC groups and security begins at this point. The empirical criteria of what threat TOC groups pose can be whittled down further. For example, Dupont's study of the link between organized crime and security is anchored on the characteristics of the illegal organization itself and its permanence in society. The illegal groups most likely to threaten security are not the groups that are "random and transient" but those directed by groups with a "recognizable structure, leadership and established modus operandi" (Dupont, 1999:435-436). Dupont sees four key links between sophisticated TOC groups operating in the East Asia region and security. The first link is directly related to sovereignty in the sense that they have the "capacity to undermine the authority and legitimacy of governments" (1999:436).
This capacity, Dupont argues, can and may interfere with both the state's monopoly on violence and its principal source of revenue - taxation. The second link centers on the concept of economic security. Developing states are most at risk because of the culture shifting that takes place when individuals and businesses develop a pattern of working outside the rules and norms of regulated economic activity (1999). The third and fourth links between TOC and security are exogenous to the state. TOC groups, if left "unchecked", Dupont argues, will "subvert the norms and institutions that underpin global order and the society of states" (1999:436). This increasing level of sophistication, capacity and international cooperation, according to Dupont, forces the state to begin to reach for the traditional tools of national security. It is this reaching into the "strategic domain" which can then blur the lines between military and law enforcement responses (1999:436). By studying narcotics trafficking in East Asia Dupont concluded that transnational organized crime is "arguably the most pressing and vexatious of an emerging set of transnational security issues, none of which can be adequately addressed without substantial regional cooperation" (1999:455). For Dupont, the link between TOC groups and security in East Asia exists because criminal entities "violate the sanctity of the region's borders and weaken the authority of national governments" and are also "challenging East Asian states' traditional monopoly of power and taxation" (1999:454-455).
Like Castle's more general conclusions (1997), Dupont argues that the illicit drug trade in the region, involving a relatively high degree of variance in criminal organizations, is "emerging as a significant long-term security issue" (1999:434). The temporal element sketched by the phrases "most pressing" and "significant long-term" is never clearly nailed down; but at least there are some warning signs. The importance of weak institutional capacity cannot be overstated and is a theme that consistently surfaces in the literature. Castle concluded in 1997 that while "the threat to the nation state posed by criminal groups has been overstated in general terms, particularly with respect to short-term existential threats, the threat is very real for poorly institutionalized, non-democratic states. The threat which presents itself is a security threat in terms of the future democratic development and political stability of newly-democratizing areas" (Castle, 1997:ii). This local nature of both traditional and non-traditional TOC groups is precisely why some scholars argue that civil society, especially in the form of strong bonds of trust between government and society, is a crucial component of any response to transnational organized crime (Shelley, 1994; Chen, 2005:100-102).[129] Other than outlier cases like Colombia and Georgia, TOC groups may indeed undermine the integrity of certain types of states and in certain state contexts, but have yet to present a threat to the nation-state itself - i.e. mature, capable states (Shelly, 1995). On balance, TOC groups do not constitute a short-term threat to security. Over the long run, however, the prognosis is less positive. TOC groups, if left to evolve, will pose a direct threat to the security of less developed countries with low levels or uneven levels of institutional capacity. States like Colombia and Georgia are thus warning signs. The interaction between organized crime and political institutions at the local and sub-regional levels in East Asia may act as an important indicator. Because of the pressure that TOC groups are putting on security, the responses must be multidimensional and multijurisdictional - hence responses at all levels of analysis. Institutional capacities at the national, regional and international levels are of paramount importance because not only do TOC groups "pose serious threats to both national and international security" but additionally they are "extremely resistant to efforts to contain, disrupt, or destroy them" (Williams, 1996:96).

129. Although there are cases where the trend has been halted, and in some cases shows signs of retreat of traditional forms of TOC. For example, the case of Macau and PRC-initiated reforms in the SAR; see Lo (2005). It could also, however, be argued that in this case it was a relatively easy 'territory' to stabilize given that much of it was under the control of one triad leader whom the government in Beijing "penalized" and then came to an understanding with.
Given this resistance, Godson and Williams argue that responding to this "challenge requires a comprehensive strategy that combines law enforcement and regulatory responses, such as enhanced intelligence analysis and intelligence sharing, state-building, and trans-state cooperation, with non-regulatory approaches, such as the extension of the strategy to civil society and the private sector. The latter would include changing cultural attitudes towards organised crime and corruption" (1998:66).

Transnational organized crime and the cyber infrastructure

On October 11, 2001 in Singapore a joint communique was issued at the conclusion of the Third ASEAN Ministerial Meeting on Transnational Crime (AMMTC). The statement noted "with particular concern the increase in cyber crime in this region and its serious impact on the peace, security, prosperity."[130] Indeed, a recent report has suggested that one in ten Internet transactions in East Asia is fraudulent (Brey, 2002). Cyber security issues have made it onto the agendas of regional security meetings and into national policy statements. This reflects a growing perception in the region that governments do not have a comfortable level of control over their cyber infrastructures at a period when their institutions and economies grow increasingly reliant on these technologies. At a rhetorical level the link between 'cyber crime' and security is being made. Empirical evidence or case studies on the relationship between TOC groups and systems intruders are rare. This is not surprising. Some observations, however, have been made in relation to the broader concept of cyber crime and its link to organized crime.
Phil Williams argues that:

    organized crime and cyber-crime will never be synonymous - most organized crime will continue to operate in the real world rather than the cyber-world and most cyber-crime will continue to be the result of individuals rather than criminal organizations per se. Nevertheless, the degree of overlap between the two phenomena is likely to increase considerably in the next few years (Williams, 2002:1).

Williams goes further by suggesting that TOC groups do not necessarily need to develop in-house expertise about cyber space because it would be more efficient to contract systems intruders capable of performing needed tasks, "ensuring through a mixture of rewards and threats that they carry out their assigned tasks effectively" (2002:2). Williams' description would mean that system intruders would just become part of TOC groups. This blunts, if not understates, the complexity of the phenomenon in East Asia. The evidence of more sophisticated uses of computing technologies in East Asia by either traditional or non-traditional TOC groups has been slow to accumulate.

130. Cyber crime, which is often linked to organized crime, is invariably cited as an emerging non-traditional security issue of serious concern. See (2002) Joint Declaration of ASEAN and China on Cooperation in the Field of Non-Traditional Security Issues, 6th ASEAN-China Summit, Phnom Penh, 4 November; the (2004) Joint Communique of the Fourth ASEAN Ministerial Meeting on Transnational Crime (AMMTC), Bangkok, 8 January; and the (2004) Joint Communique of the First ASEAN Plus Three Ministerial Meeting on Transnational Crime (AMMTC+3), Bangkok, 10 January.
In one of the few examples, Shelley and Picarelli, in their work on the possible convergences between TOC and terrorist groups, cite a report which "noted that Triads in Hong Kong were recruiting graduates of local technical colleges to serve as counterfeiters for the criminal gangs" (2002:310). Overall, however, solid evidence is paltry. In theory, part of the potential power of using the cyber infrastructure for TOC groups is in the secure, relatively anonymous ability to both communicate and exchange data without physical interactions. This reduces the risks of detection. This is certainly the case in East Asia. But there are some notable exceptions. Technology can also be seen by traditional TOC groups as a threat as well as an opportunity (Confidential Interview, Tokyo 2003). For example, Internet technologies that send packets of data over unknown landscapes can be 'sniffed' by intelligence and law enforcement, and cell phones can be tapped and traced to a general geographical location.[131] This would explain Williams' theory that traditional organized crime's reliance on the 'contractors' to incorporate and effectively use technology will likely grow. In mainland China, for example, there is good reason to be suspicious of possible 'eavesdroppers', even if it is extraordinarily difficult for state agencies (i.e. law enforcement and intelligence) to hone in on particular paths of criminality taking place within and from the cyber infrastructure (Confidential Interview, Hong Kong SAR 2003). The ability to act at a distance through the cyber infrastructure, where opportunities appear to outweigh such risks, is key. There are always new physical, safer territories from which to place cyber operations, further lowering the risk:

    For criminals and terrorists, these divergences offer opportunities to launch attacks at minimal risk - even if the source of the attack is somehow discovered. This suggests that there might be a form of jurisdictional arbitrage with potential attackers seeking out low risk jurisdictions from which to launch their attacks. Over the longer term, of course, the opportunities for arbitrage of this kind can be diminished through more inclusive laws criminalizing this kind of activity, through the harmonization of laws among states, and through the extension of extradition treaties and mutual legal assistance treaties. As well as using jurisdictional arbitrage computer intruders also seek to cover their tracks by going through multiple jurisdictions. In some cases, this makes it impossible to track the activity back to source by complicating the digital trail. In others, it adds significant legal obstacles as some states are simply unwilling to cooperate in investigations. There is also the potential for mischief with the possibility that skilful intruders might lay a false trail that leads to unwarranted but damaging accusations against innocent parties (whether individuals, groups or nations) (Shimeall, Dunlevy and Williams, 2001).

131. Using cloned cell phones would help to mitigate this problem, as would the use of proxy servers, and judiciously employed encryption may provide necessary camouflage. However, the use of encryption can make traffic stand out enough to be identified for further interrogation.
The availability of jurisdictional arbitrage, the absence of harmonized laws, and uneven institutional capacities across states in East Asia would mean that acting at a distance through the cyber infrastructure to perpetrate crimes against firms or states could be done within the comfort zones of the local embeddedness of the traditional criminal organization. In addition to the murky predicate nature of these activities, measuring state responses through policy and legal responses is difficult at best. Cyber crime legislation in East Asia is just emerging from early stages of development, still exhibiting wide variation across criminal justice systems. This variation is not surprising given the different historical, social and political contexts within which these laws have evolved, and the differing levels of technological development within the region. This dynamic between the cyber infrastructure and TOC groups makes the task of both law enforcement and research and information collection activities more difficult (Williams, 2001b). Organized network intruders that have organically evolved will be more likely to engage in "hands-off" or distanced cybercrime because of the role of moral disengagement and differential association. This may, in part, explain the "keep the nerds at a distance" behavior that I found in many of my field interviews in East Asia. There does not appear to be an immediate, short-run threat to the security of states in East Asia. This conclusion is tempered by the overwhelming consensus in the literature that both traditional and non-traditional TOC groups pose a long term threat, especially to certain types of states in certain contexts, like weak or failed states. But the growth of traditional and non-traditional organized crime can be associated with states in East Asia that do not fall into the standard definition of what would constitute a weak state.
The link then between security and TOC groups in the region presents something of a puzzle, or at the very least a trend that diverges somewhat from experiences in other parts of the world.

Chapter Eight: Organized Crime and Compromised Nodes

Introduction

Is transnational organized crime a threat to state security in the digital age? In order to address this question several overlapping themes will be developed. First, the chapter introduces the concept of a nexus between two previously distinct, hidden social networks: system intruders and transnational organized crime (TOC). What emerges from this research on a possible nexus between the two groups is the implications for regional security. In other words, if there is a nexus between TOC groups and systems intruders that provides advanced innovation, how does this change the calculus of the link between security and TOC in East Asia? Does it change at all? The second theme that will be developed is the concept of digital black markets. The market concept explores the mechanisms by which system intruders are sustained, outlines the various actors, the basic microeconomics, and integration trends. The third overlapping theme in this chapter is the role of state capacity in East Asia. This is, in part, why digital black market dynamics are specifically interesting and of immediate importance to East Asia and to regional security. In light of the rapid innovation and the state's perception of a loss of control in the cyber realm, are the institutional capacity levels high enough in the region to allow for adaptation to co-evolve with criminal innovation? The chapter presents two case studies. The first is an examination of a bot-network operated out of Hong Kong SAR and Shenzhen, China. The case provides a technological starting point to a possible nexus between TOC groups and systems intruders.
I argue that bot herders - the individuals or small groups that build and 147 maintain bot nets - have become new cyber infrastructure security actors. The second case examines instances of sophisticated network intrusions for the purpose of economic gain. The purpose o f this second case study is to examine the possibility that a stable nexus has formed in the region between systems intruders and T O C . If there is a nexus, the formation of a stable illicit market would be a key indicator to the stability and longevity of links between T O C groups and 'hackers'. The chapter wi l l argue that while criminal innovation is taking place - which is producing an uneven adaptation space across the region between law enforcement and T O C groups - this does not necessarily change the short-run link between organized crime and security. There are, however, an emerging set of new security actors that have the potential to alter the links between security and T O C but these 'information markets' and actors that rely on the cyber infrastructure are not beyond the reach of the state. Due to the nature o f the use of cyber infrastructure security actors by T O C in the short run, it is unlikely to change the trajectory of the relationship between T O C innovation and security in the region. Among these cyber security actors there is intense competition within groups of system intruders. A n externality of these adaptations is that bot nets and those that operate them are becoming a kind of pseudo or meta cyber infrastructure for both traditional and non-traditional forms of organized crime in the region. The trafficking in il l icit data, obtained by systems intruders, in East As ia is a growing problem and one that mirrors, in many ways, the growth of trafficking more generally. It draws on the problem of flatter, more nimble social networks, jurisdictional arbitrage, and the problem of state capacity. 
The scope o f the nexus between organized crime and cyber crime wi l l be restricted for 148 both case studies. Terms such as computer crimes, computer-related crime, high-technology crime and cyber-crime are often used interchangeably even as they comprise 132 separate and distinct crimes. Fausto Pocar defines cyber-crime as "the criminal use of any computer network or system on the internet, which implies attacks on or abuse of the system network for criminal purposes" (Pocar, 2004:33). While Pocar's definition is quite broad, it has the advantage of seeing the computer as both a tool for the perpetration of a crime and as a target. I also use the phrase 'cyber-crime' here as short-hand for conventional crimes that are enabled by the infrastructure such as industrial espionage which is theft and bot networks which is misuse and criminal trespass. This implies that there is no pure computer or cyber based crimes. Computer enabled, and/or cyber crimes take place in new environments and utilize new tools but they do not constitute the invention of never-before-seen criminal activity. In short, these are old crimes with new tactics and strategies and the addition of new security actors. Criminals connecting in cyberspace Both traditional and non-traditional organized criminal groups innovate by using the cyber infrastructure to "communicate, to organise themselves better, to widen the spectrum of their businesses, to update their modus operandi and techniques, and to avoid law enforcement risk" (Savona and Mignone, 2004:4). Criminal innovation, however, does necessarily imply that a stable nexus exists between the computer 'underworld' and T O C groups in East Asia . 
A stable nexus between criminal organizations in East As ia would exist i f there are continuing links and relationships between system intruders and 1 3 2 See comparison between European Convention on Cyber Crime <http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm> and U N Resolutions 55-63, 56-121, and 57-239>. 149 T O C groups that affect both groups in a manner that would not have otherwise have taken place. This does not necessarily imply symbiosis or co-dependence, but rather that the linkages between the two groups are profitable enough and organizationally efficient enough to spark continued interaction. The use of the phrase "nexus" to describe nebulous links in security is not new; a recent example on the subject of terrorism and piracy by Gal Luft and Anne Kor in (2004). There are distinct pitfalls that must be carefully acknowledged and hurdled when making links between secretive actors and their impact on security in East Asia . Hamilton-Hart wrote a provocative argument which clearly outlines the dilemma for researchers (Hamilton-Hart, 2005:303-325). She points to several problems, but chief among them is that researchers cannot simply identify links or points of connection without making a statement on their importance and clearly identifying what a reader might infer from this . 1 3 3 The potential problems inherent in studying terrorist nexuses extend to the question o f organized crime and systems intruders. 1 3 4 A few examples from other research efforts on criminal innovation as a security threat are instructive. A recent study by Nordstrom (2003) based on field work in the southern Africa region looked at the relationship between parts of the cyber infrastructure and smuggling networks. Nordstrom found that smugglers were procuring customized software adapted to suit the needs of their operations. 
In one example, the nexus was based on familial ties wherein the smuggler paid his son - who happened to be studying at a leading university in the U K - to do the customizations and keep him up-to-date on the 1 3 3 The academic study of terrorism in Southeast Asia has been the focal point of this debate, see Brown (2006). 1 3 4 See also Brown (2006). 150 latest technology (Nordstrom, 2003:238). A second example from Nordstrom's work shows that there are high-tech links between criminal organizations, not just between crime groups and 'civil ians ' . In that region, for example, smugglers often require the services of forgers who now have their own websites (2003:246). This is also the case in East Asia . For example, in the Philippines the "really good forgers that are worth their weight in gold" run web servers for criminal e-commerce but are obscured and kept hidden from both the casual web surfer and law enforcement. Nordstrom also found that smugglers 'cracked' into systems with security work schedules of firms and other organizations (2003:247). This illustrates an important point: it is not necessarily the high security servers systems that contain the useful information. It is taking advantage o f low priority or sub-systems where one can glean useful pieces of data that can then be connected to other information. But her study also found simpler uses of the cyber infrastructure. 1 3 5 For example, smugglers make extensive use of look-outs, individuals with a cell phone (2003:244). Again, this kind o f counter-intelligence activity takes place in East Asia . In Shenzhen, T O C groups have installed networks of wireless cameras that send transmission over the Internet. These cameras watch for police movement and competitor organizations becoming a kind of counterintelligence node. The wireless cameras are cheap, discreet, nearly impossible to trace and can work longer hours than their human counter parts with cell phones. 
The 1 3 5 Interestingly, Nordstrom documents a conversation with a smuggler in which she asks why smugglers (who are very wealthy) choose the cyber infrastructure over the creation of their own communications channels. The answer is that hiding in the noise of the cyber infrastructure is much more tactically beneficial than would the creation of their own 'channels' or vectors of communication (Nordstrom 2003:246-247). 151 wireless counter-intelligence nodes or networks were designed and installed by a small group of systems administrators that were worked on contract (Confidential Interview, Hong Kong S A R 2003). These are certainly examples of cooperative business relationships but it is important to point out that the nexus can also be unstable. In Russia, for example, there are cases where the nexus is based on coercion and co-optation. This co-optation of systems intruders by T O C groups begin to look more like a draft by "traditional criminal organizations [that] have recruited ex-hackers and ' crack erz' to carry out computer crimes and attacks on their beha l f (Savona and Mignone, 2004:12). Examples of this complex interdependence in East As ia abound. In one case an engineer who faced a layoff after a Japanese corporation outsourced its legacy software development teams to South Asia and who was subsequently hired for a position with much lower pay, was blackmailed into providing system passwords to "local gangsters" which trapped the engineer into a "relationship that he just can't get out o f (Confidential Interview, Tokyo 2002). Case one: bot-nets in Hong Kong S A R and Shenzhen, China In the cyber infrastructure compromised machines (nodes) can be used to build "bot-networks" which are rented out for periods o f time on a kind of black-market for network intruders or other malicious users. 
The early motivation for creating bot nets lie in their ability to provide secret communications "resource sharing, and curiosity have historically been primary motivators for underground research and 'hacking'." A s the cyber infrastructure evolved online attackers have shifted their focus from curiosity to 1 3 6 The use of the term 'bot net' should not be confused with 'bot'. The later is shorthand for a robot 152 financial gain. In order to "accomplish this goal, they vigorously pursue access to information and capacity" (Ianelli and Hackworth, 2005:2). Bot nets are built by breaking into other nodes in cyber space and taking them over without being noticed by the individual or organization that owns or operates the device. But before a compromised node is brought online and added to a bot net, it is searched for interesting files. For example, i f it is a business machine, it is searched for the C D keys for software packages running on that machine. The keys are then sold to pirates. A bot net's collection of compromised nodes thus has intrinsic value for stolen information as well as through their more active use of providing difficult to trace platforms for more sophisticated attacks. Some compromised nodes are rented for phishing, other are leased to spammers. Thus the accumulation and "controlling a large group of these systems provides attackers and their collective associates (i.e., crews) enormous power" (2005:3). While adding to the bot net or "herd" of compromised nodes can be done manually, tools such as autorooters are now used to expand bot nets (2005: 8 ) . 1 3 7 But the more intricate bot net expansions in East As ia are still often performed manually (Confidential Interview, Manila , Philippines 2003). The 'herd' o f compromised nodes is managed remotely via differing 'layers' o f the cyber infrastructure. 
Bot nets can are managed and built using various architectures of command and control: peer-to-peer, web-based, the Internet Relay Chat infrastructure, and now even the D N S system can be used for command and control functions (although without a body (software) which is often used on the Internet to do various tasks, see Hotlz (2005). 1 3 7 For more on autorooters see Tanase (2002) available online from: <http://www.securityfocus.com/infocus/1619>. In brief, an autorooter adds efficiency and automation to get 'root' on a system. 153 138 it is a lot less efficient). After the intrinsic value of a compromised node has been mined and the compromised node added to the larger bot net the nodes can be sold, leased or rented. Bot nets "are also one of the many things available for sale in the underground economy. The market for bot nets is competitive, and they w i l l be sold to anyone wil l ing to pay the asking price" (Ianelli and Hackworth 20 05:3). 1 3 9 If existing bot net software or bot nets do not meet a client's particular needs, custom designed software and networks can be ordered for a premium. 1 4 0 The bot nets themselves can also be traded "for goods or services" thus the "possibilities are endless, but some of the items commonly bartered for bots include physical goods, such as computers and jewelry, batches of credit card information, shell accounts on servers, or even other botnets" (2005:6-7). 1 4 1 1 3 8 This, of course, raises the question of how to deal with bot nets. While any strategy must be multidimensional and exist in both real space and cyber space, one defense against a large bot net is to use the bot net against itself - compromise the network of compromised nodes. The idea here would be to allow an enforcement system (good guy) to be infected with the bot net; in other words join their network. 
Once inside the network, the traffic between bot net nodes could be 'sniffed' to find out what command and control system is being used and any security protocols that are necessary to control the bot net. Then upload a retro virus or other electronic pathogen into the bot net that would begin to quietly fix the infected system and remove the bot net binaries to turn the compromised node back into a tame or domicile node. 1 9 The Ianelli and Hackworth study cites another study which claims that a compromised node can sell for US$0.04 to US$0.10 per typical compromised system (2005:7). From my last email exchange with an interviewee (originally conducted in Hong Kong 2003) the price range was between US$0.05 and US$0.25 (Confidential email exchange on February 3, 2005 PDT; Leyden, 2005). This begs the question: why? Perhaps it is the effectiveness of state and private sector counter actions since one would anticipate the price dropping in an 'expanding' bot net context. This could be the result of general inflation or that the more sophisticated use of bot nets is generating higher profits. M y thanks to Brian Job for pointing this out.1 1 4 0 By custom designed illegal software or malware, Ianelli and Hackworth (2005) mean the addition of server-class services to money making dimensions of bot nets. They found that "[t]o facilitate the operation of bot nets, bot malware can include useful services like HTTP and FTP. These types of services allow bots to host a) phishing sites b) web pages where infected systems can log their infection status c) malware download sites d) spyware data drop off sites and e) bot command and control sites" (2005:10). 1 4 1 In Southeast Asia (esp. Hong Kong SAR and the Shenzhen region) bot herders are beginning to earn income by selling more basic services like privacy and anonymity online (Interview Hong Kong SAR, Manila, Philippines). 
This begs the question: why would opt for an expensive 'solution' provided by a bot herder when there are free web-based alternatives like Tor? Tor is a service that is part of the Onion Router which is sponsored by the Electronic Freedom Foundation. Tor helps anonymize W W W traffic by 154 In the Hong Kong-Shenzhen case, for example, bot nets are broken down into small-blocks and big-blocks of compromised nodes. Clients (renters) usually meet with administrators or builders of bot-nets in Internet Relay Chat (IRC) rooms. From that point payment is made using an online method or a barter arrangement is made whereby code for exploits is exchanged or some other type of information of value. The benefit for the renter is that he/she does not have to maintain or use a privately obtained chained-relay from which to send spam or launch attacks (Confidential Interviews, Hong Kong 2002). A market based system also means reducing the risk o f being discovered by law enforcement by providing a quick and easy method o f access to these types of relays which can then be 'recycled.' Competition between bot nets that are controlled from East As ia is growing fierce. Bot nets must be defended from both other bot herders and hackers, and from endogenous repair by the legitimate user or administrator of the compromised node. 1 4 2 In general, bouncing it between volunteer servers called onion routers. They mask the origins and make it easier to evade filters, such as those installed by firms, educational institutions, and governments. The draw-back of Tor and other free online services is that the data can be slower (much greater latency) due to the high frequency of 'hops' and the low number of volunteer onion routers. While Tor does come with a proxy server, it is a system that still 'leaks' data and thus is not perfectly anonymous. 
Bot nets can provide similar services but with none of the latency issues and, in general, bot herders can get closer to the provision of truly anonymous cyber infrastructure activity (though no technology can provide true anonymity). See <http://tor.eff.org/> for more information. 1 4 2 For a detailed technical discussion of the tactics used to defend bot nets see Ianelli and Hackworth (2005:20-26), for a simplified, birds-eye-view please consult B B C (2005b). For information on research on bot net 'hunting', see Naraine (2005). Although it should be noted that bot net hunting research has been labeled vigilantism by critics. A variation of this strategy has been used by Microsoft Corporation to track down illegal spamming organizations. Microsoft researchers set up a system and allowed it to be infected with Trojans used by spammers. They then monitored the system for 20 days — watching it send out 118 million spam emails per day - in order to gather intelligence and evidence against the groups. The effort was done in cooperation with the US Federal Trade Commission, see Keizer (2005). Yet another program to try and curtail the growth a bot nets is due to begin early 2006. In a three-month pilot program, the Australian Communications and Media Authority will attempt to identify compromised nodes and ask their owners to clean them or risk being disconnected from their ISPs. This mirrors — albeit in a much less formal manner - recent efforts by the US Federal Trade Commission (FTC) which has begun to send reports to ISPs reporting the number of compromised nodeson their networks. 
The F T C has contacted hundreds of ISPs informally requesting that they block port 25 (email server), attach rate limits for relays 155 "[b]otnet command and control ( C & C ) communications tend to be unencrypted, and since it's not uncommon for multiple bot infections to be located on the same network or system, attackers commonly instruct their bots to sniff network traffic looking for competing botnet communications" (Ianelli and Hackworth, 2005:6). This has sparked cyber turf wars over compromised nodes which can be likened to the cattle rustling of 19 t h century North American west. In the Hong Kong-Shenzhen case, the potential for real world violence is growing. One interview wondered out load i f the links between bot herders and organized crime would further intensify as traditional organized crime groups seek to utilize a back-to-the-future strategy of creating a protection racket. The stakes are growing primarily because the value and financial rewards of effective, efficient bot nets is increasing. But it is not just the value of intrinsic mined data, large bot nets can be leased and sometimes managed for 'spamming'. Clients who are spammers provide bot herders with a lucrative, low risk source of revenue for lower valued parts of the 'herd' o f compromised nodes. For example, " A s the botnet grows, it becomes a lucrative asset to its owner" and "there is evidence that the compromised machines are being rented out for spam runs, distributed denial-of-service attacks linked to business blackmail" (Naraine, 2005). For spamming purposes, bot herders break their nets down into various categories and typologies: by machines that have high bandwidth-low latency, by legal jurisdictions (arbitrage), and by country (Interview Taipei, 2003). 1 4 3 The jurisdictional arbitrage dimension is an important one because the "spam chain is (open and closed), and if possible and where necessary, isolate compromised nodes until they can be 'patched'. 
1 3 There is no reliable data on bot nets by country.. The only way to reliably measure this would be to count the number of compromised nodes as shown in Part One of this study; but this would, at best, be a proxy measure. 156 complex" and "most [of the] people responsible for sending spam are based in the U S , though a growing number are now organized criminals in Eastern Europe and Russia. China is the location of choice for the servers that host the spammers' websites and for buying and selling lists of spam zombies" (Galloway, 2004). Managing networks of compromised nodes in the absence o f a strong legal environment means being able to sell, rent or lease jurisdictional arbitrage in cyber space. Galloway.argues that: Another reason China has become the world's spam central has to do with the industry's growing sophistication. The days when most spam was dispatched from servers in the basement office of some unscrupulous American ex-con are waning. The modern spam industry now is spread across the globe and has become infested by technically advanced programmers from Russia and Eastern Europe, often in league with local organized crime syndicates (Galloway, 2004). The choice of jurisdiction is key. Further investigative work by Galloway found that "China also dominates the market for buying and selling lists of zombie PCs, which are peddled by virus writers on Internet forums also found on Chinese servers. Lists can currently be had for about US$2,000-$3,000 per 20,000 compromised proxies" (Galloway, 2004). 1 4 4 The microeconomics of price levels for black market cyber goods fluctuates because supply and demand curves are highly elastic. The demand for services provided by bot nets are not just related to data theft, intrinsic mining, or herd utilization. 
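Three of the symptoms described above are visible to a network operator or ISP in ordinary flow records: several hosts on one network converging on the same unencrypted IRC rendezvous point (the C&C pattern Ianelli and Hackworth describe), lower-value nodes leased out for spam runs (the outbound port-25 behaviour the FTC asked ISPs to rate-limit), and infected desktops that begin serving HTTP or FTP for phishing pages and drop sites (footnote 140). The script below is an added illustration, not code from this thesis or from any of the studies it cites; the address ranges, port sets, thresholds, "known server" list and the flow records themselves are all constructed for the example.

```python
"""Flow-record heuristics for three bot-net symptoms discussed in the text.

Added example, not code from the thesis or its sources.  Address ranges,
ports, thresholds and the flow records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed monitored address space
IRC_PORTS = set(range(6660, 6670))           # classic IRC rendezvous ports
KNOWN_SERVERS = {"10.0.0.25", "10.0.0.80"}   # assumed legitimate MTA and web server
SERVICE_PORTS = {21, 80}                     # FTP/HTTP, the services footnote 140 lists


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    octets: int


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def irc_rendezvous(flows, min_sources=3):
    """{(dst, port): sorted internal sources} for IRC endpoints that several
    distinct internal hosts all contact; one IRC user is normal, many are not."""
    by_endpoint = defaultdict(set)
    for f in flows:
        if f.dport in IRC_PORTS and is_internal(f.src) and not is_internal(f.dst):
            by_endpoint[(f.dst, f.dport)].add(f.src)
    return {ep: sorted(s) for ep, s in by_endpoint.items() if len(s) >= min_sources}


def smtp_fanout(flows, window=300, min_dests=5):
    """{src: max distinct SMTP destinations in any `window` seconds} for internal
    hosts that are not known servers; a desktop never does this, a spam zombie does."""
    per_host = defaultdict(list)
    for f in flows:
        if (f.dport == 25 and is_internal(f.src)
                and f.src not in KNOWN_SERVERS and not is_internal(f.dst)):
            per_host[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in per_host.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):            # sliding time window
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            dests = {d for _, d in events[lo:hi + 1]}
            if len(dests) >= min_dests:
                hits[src] = max(hits.get(src, 0), len(dests))
    return hits


def unexpected_services(flows):
    """{internal host: sorted ports} for non-server hosts accepting inbound
    HTTP/FTP from outside: the server-class services bot malware bundles."""
    listening = defaultdict(set)
    for f in flows:
        if (f.dport in SERVICE_PORTS and is_internal(f.dst)
                and f.dst not in KNOWN_SERVERS and not is_internal(f.src)):
            listening[f.dst].add(f.dport)
    return {h: sorted(p) for h, p in listening.items()}


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow(1000, "10.0.1.5", "203.0.113.7", 6667, 420),
    Flow(1003, "10.0.1.9", "203.0.113.7", 6667, 410),
    Flow(1007, "10.0.2.14", "203.0.113.7", 6667, 430),
    Flow(1010, "10.0.3.2", "198.51.100.4", 6667, 9000),   # lone IRC user: not flagged
    Flow(1100, "10.0.1.5", "192.0.2.10", 25, 2100),
    Flow(1105, "10.0.1.5", "192.0.2.11", 25, 2100),
    Flow(1111, "10.0.1.5", "192.0.2.12", 25, 2100),
    Flow(1118, "10.0.1.5", "192.0.2.13", 25, 2100),
    Flow(1124, "10.0.1.5", "192.0.2.14", 25, 2100),
    Flow(1130, "10.0.1.5", "192.0.2.15", 25, 2100),
    Flow(1100, "10.0.0.25", "192.0.2.20", 25, 5000),      # real MTA: exempt
    Flow(1200, "10.0.4.8", "192.0.2.30", 25, 3000),       # two sessions: below threshold
    Flow(1201, "10.0.4.8", "192.0.2.31", 25, 3000),
    Flow(1300, "198.51.100.9", "10.0.1.5", 80, 700),      # outsider fetching a page from a desktop
    Flow(1305, "198.51.100.9", "10.0.0.80", 80, 700),     # real web server: exempt
]


def report(flows=SAMPLE_FLOWS):
    """Combine the three checks into one dict keyed by internal host."""
    findings = defaultdict(list)
    for (dst, port), sources in irc_rendezvous(flows).items():
        for s in sources:
            findings[s].append(f"irc-c2 {dst}:{port}")
    for src, n in smtp_fanout(flows).items():
        findings[src].append(f"smtp-fanout {n}")
    for host, ports in unexpected_services(flows).items():
        findings[host].append("serving " + ",".join(map(str, ports)))
    return dict(findings)
```

On the constructed records, report() singles out 10.0.1.5 on all three counts (it joins the shared IRC channel, opens direct SMTP sessions to six outside hosts within two minutes, and answers web requests from outside), and names the two other IRC members only as C&C peers. The exemption list matters in practice: a site's real mail relay and web server produce exactly the fan-out and inbound-service patterns being looked for, so they must be allowlisted or every run will page on them. Thresholds are deliberately low here for readability; an operator would tune window and count against a baseline of the network's own traffic before acting on the output, since a flagged host is a lead for the owner to clean, not proof of compromise.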
Bot herders can also provide complete software, web hosting and security solutions for phishing - the practice of relieving an unsuspecting web surfer of their personal data such as banking and credit card information. This too has spawned an underground economy (Abad, 2005). Fraud is also a common use of less sophisticated bot nets. In 2004 US law enforcement arrested an individual with a small 'herd' who "allegedly used automated software to infect Windows systems, advertised and sold access to the compromised PCs, and used the software to perpetrate click fraud, garnering tens of thousands of dollars in affiliate fees" (Lemos, 2005a).[145] In the case of the Hong Kong-Shenzhen bot nets presented here, the individuals that operate and build them are keenly aware of law enforcement adaptation and the arrests in Europe and North America. To adapt, they now use anti-forensics techniques such as dead-man switches and increasingly rely on counter-intelligence on law enforcement activities. In Shenzhen this is provided by contacts and informal relationships with organized crime in southern China (Confidential Interviews Hong Kong and via email correspondence April 15, 2002 and November 10, 2004).

[144] This works out to around US$0.15 per compromised node; within the range that Ianelli and Hackworth (2005) found and hovering around the mean discovered in my own field interviews. But these compromised nodes would be of lesser quality when compared to the rest of a bot herd. Eventually compromised nodes that are sold or leased to spammers will be blocked or become neutered; hence the lower price. For example, if a typical user in the Middle East wished to view a banned website through a proxy, the "black market access to filtered pages in Saudi Arabia runs anywhere from $26 to $67 per Web site" (Palmer, 2005). But black market access to pirate servers (machines that store stolen digital goods) can run users up to US$1000.00 per month depending on the quality, type and scarcity of the data (Confidential Interview, Tokyo 2003). This is likely a response to scarcity and increased risk.

[145] For more on click fraud see Mann (2005). There have also been instances of law enforcement success in arresting operators of much larger, more sophisticated bot nets. For example, "Dutch authorities arrested three men in the Netherlands who allegedly controlled a network of more than 1.5 million compromised computers. In August, the FBI and Microsoft helped authorities in Turkey and Morocco track down two men suspected of creating and spreading the Zotob worm—a program that consisted of bot software modified to exploit a flaw in Windows 2000" (Lemos, 2005b).

In Hong Kong and Shenzhen the interface between bot herders and TOC groups is two dimensional. First, the mined intrinsic data is sorted and then sent to a 'black' machine or secret server. From this point meta-data on the stolen files is sent to another server and stored in a database which is accessible to a select group of buyers. The buyers can sign up for regular emails listing results. Other hackers and select individuals monitor these lists and when something of interest appears the bot herder is contacted for more information and access is granted to the database containing the meta-data on the files located on the black server.[146] When I asked about what would constitute a "select" individual the response was generally along the lines of someone who is known, can be trusted and has money.[147] The interviewees were quite clear that organized criminals that belonged to long established groups in the region did have 'accounts'. To my surprise, I was told that two accounts were set up for two separate individuals in the PRC military. I asked if they thought this was a bit of a security risk. The response I got back: "no no, not a risk. They pay well and on time" (Confidential Interview, via email correspondence August 2, 2005).[148]

The role of traditional organized criminal groups in the operation and market surrounding bot nets is still unclear. Individuals belonging to more traditional TOC groups in the region do act as 'stand-in' brokers for cases when the intrinsic data found by bot net expansion is significantly more valuable than the norm. In these instances, the data is not sent out to the "lists" but is instead advertised to preferred clients and managed by the 'stand-in' broker (Confidential Interview via email correspondence August 2, 2005). There is a hierarchy here; at the bottom is information on individuals, then corporate information and finally, at the top of the hierarchy, information from government networks. In general, autorooters skew compromised nodes toward the lower value end, which are less protected. But occasionally they manage to get into higher end systems or systems that are connected to higher value targets. Usually, cracking into high value systems needs to be done manually. But one-off flukes using autorooters happen. In the Hong Kong-Shenzhen case, bot herders immediately drop what they are doing and turn their attention to a one-off fluke produced by an autorooter (Confidential Interviews Hong Kong SAR, Kuala Lumpur, Tokyo, and Vancouver 2002-2004). Does this constitute evidence of a stable nexus? Perhaps. Two interviewees claimed that up to 25% of bot net activity is now "owned" or in some way operated by more traditional TOC groups in the region (Confidential Interviews, Hong Kong SAR, Manila, Philippines 2002, 2003).[149] This is an interesting observation but one that cannot be verified. The concern here is that other 'data points' indicate that both traditional and non-traditional TOC groups in the region are, for the lack of a better word, taking a hands-off, wait and see approach. The only evidence to the contrary that was found, regarding the percentage or extent of involvement with bot nets in East Asia, was an interviewee who responded by arguing that "the Triads are still unsure about the 'business' of bot nets. They are sure that they are useful but things are good right now for them so why get more involved" (Confidential Interview, Manila 2003).[150] The risk versus reward analogy drawn from Wong's study of counterfeits is also useful for demonstrating the attractiveness of bot net production, even if the evolution of the bot net 'industry' is beginning to look more like industrial espionage than software piracy. For example, Wong quotes one interviewee as stating simply that "[i]f you're in the business of selling heroin or cocaine, the police are on your tail. If you are making fake meningitis medicine, they don't even know you're there" (Wong, 2004:168). Thus, clamping down on the building and selling of the wares gained from bot nets in Shenzhen is unlikely, at least at this point, to be a priority for law enforcement. In Hong Kong, however, the picture is quite different. The 'head' of the bot net may be located somewhere in Kowloon, but bot herders are fully aware that law enforcement in Hong Kong is much more sophisticated, better funded, and has made high-tech crime a priority, forcing much of the 'real life' activities between bot herders and organized crime into geographic spaces of convenience - out of Hong Kong and into China.[151]

Bot nets are becoming security proxy actors that provide a kind of emerging pseudo-infrastructure in cyber space. This pseudo-infrastructure has an enabling effect for both traditional and non-traditional TOC by providing sources of data through services, revenue streams, and operational needs such as secure, anonymous communications.[152] The links, however, between bot nets and TOC groups in the region appear to be more like that of a service provider than an intimate business relationship. There are points of collusion and cooperation which provide the necessary, but not sufficient, conditions for a stable nexus between the system intruders and traditional and non-traditional organized crime in the region. In short, the nexus appears to be forming. It is no longer at an embryonic stage nor does it appear to be fully developed.

[146] This is very similar to the findings of an extensive study done on phishing markets. The underground phishing economy "is often the end of the line for the phisher. At this point phishers are now providers of credential goods with a limited supply of customers. Consumers of financial institution credentials are known as Cashers. The Casher's main role is to take the phished credentials and obtain currency directly from the accounts attached to the credentials. Phishing and Cashing are distinct and often separate roles" (Abad, 2005). Furthermore, the "phishing marketplace is a loosely tied group of forums where participants can trade goods, services, and money. The key goods are credentials. Credentials are then valued according to the level of detail" (Abad, 2005). The source cited is from the online academic journal First Monday and consequently has no page numbers, see Abad (2005) and <http://www.firstmonday.org>.

[147] The role of trust varies across countries and regions. In a recent study, Cook et al. (2005) looked at the role of risk taking in building trust relationships cross-nationally. Specifically, they performed experiments in Japan and the US in order to assess the independent effects of risk taking actions on the level and building of trust. What they found is that Americans do indeed take bigger risks with a higher degree of frequency than their Japanese counterparts. Their findings are important for understanding differences in the role that risk plays in building trust relationships because the results showed that even though the American sample engaged in more risks they were no better than the sample from Japan at improving cooperation. While risk taking is important in American trust relationships, the concept of assurance plays more of a role in the Japanese context (Cook et al, 2005).

[148] The reader should be aware that it is difficult to infer anything substantive from this. The military accounts could simply be for soldiers looking for a way to earn additional income. Alternatively, however, it could indicate that the use of those accounts was sanctioned and used by the state as some sort of intelligence stream.

[149] To be clear, the control of "activity" refers to access to the spoils of bot net construction and usage.

[150] This is loosely connected to the field observations made by Natasha Wong (2004) in her study of traditional organized crime in southern China and its connection to the pharmaceutical industry. Wong notes, "[t]here are many facets to the reality here. United States pharmaceutical firms are learning that, excluding amateurs, not only are the counterfeiters from organized crime networks, local police, or the military, but they also may be their own suppliers. What's more, China's state owned enterprises (SOEs) have participated in the manufacture and export of counterfeit medicine as well" (2004:162). Like counterfeit pharmaceuticals, traditional organized crime in China is attracted to the illicit industry after it has shown profitability and the returns are worth the risk (Wong, 2004:167-168). This is, I think, an accurate analogy to describe the links between both traditional and non-traditional TOC groups and bot nets in Southeast Asia.

[151] This is explored in Chapter Ten.

[152] This enabling effect is in addition to the more mundane impact of technology on TOC groups that maximizes their profits while minimizing their risks of detection and arrest (Savona and Mignone, 2004:3).

Case two: digital black markets and security

Bot herders in East Asia provide cyber pseudo-infrastructure by proxy to the criminal world. But this is only one aspect of this study's investigation of an emergent infrastructural nexus. The Hong Kong-Shenzhen bot net case presented here is a clearer developed case. Case two, the black market for illicit data, is linked in many ways to the growth of bot nets but is still distinct and as such is worth exploring. The trafficking in illicit data, obtained by systems intruders, in East Asia is a growing problem and one that mirrors, in many ways, the growth of trafficking more generally. It draws on the problem of flatter, more nimble social networks, jurisdictional arbitrage, and the problem of state capacity. A recent book by Moisés Naím on the security implications of trafficking provides a reasonable starting point. Naím argues that traffickers are transforming economies and reshaping politics in many regions of the world. In his view the pursuit of illicit profits is a powerful driver of political upheaval and international instability, and black-market networks are subtly transforming international politics (Naím, 2005). In other words, transnational black markets are a threat to the security of states and are slowly whittling away at state autonomy and control. There are two driving factors: first, a general transformation of power caused by revolutions in technologies; and second, changes in politics during the 1990s that were triggered by the end of the Cold War (2005). But does this perspective underestimate the durability and resilience of the state in the face of illicit network threats?[153] The argument here is that it is the weak states which are the most vulnerable and less able to massage their 'sovereignty' enough to allow the cooperation and international linkages necessary to combat these networks. The central feature of a black market is its illegality, "be it in the good or service being traded, or the actors (organized crime groups and individuals) involved. Although the actor(s), good(s) or service(s) may not be criminal in nature, the transaction(s) are. Criminal markets often emerge whenever organized crime identifies and exploits loopholes (i.e. regulatory) in legal markets that then become profitable market niches for it" (CISC, 2005:17). In almost all black markets it is the 'middle men' that reap the profits rather than the suppliers or dealers. Those that can provide the infrastructure control black markets. In the past black markets used to be small, isolated and segregated from the legal economy. In weak states black markets become institutionally embedded in the legal economy. Not only because black market entrepreneurs are able to operate in a matrix of legitimate transactions in hopes of a durable commercial existence, but because legal businesses show a tendency to use increasingly sophisticated methods (Naylor 2002). In another case that was discovered in 2005 "it was reported that over the past five years, Chinese hackers had successfully probed and penetrated a number of US
1 5 3 An opposing view, in reference to non-traditional network based security threats, would be Matthew Shambaugh (2005). 163 Department o f Defense ( D o D ) networks. In at least one o f the attacks, a T ro jan horse computer p rogramme was used to obtain data f r o m a future A r m y c o m m a n d and control sys tem" (Jones, 2 0 0 5 : 6 ) . 1 5 4 S o m e have speculated that because o f both technical aspects and level o f organizat ion required to carry out these attacks f r o m East A s i a that, a priori, there had to be either state sanctioned or state s p o n s o r e d . 1 5 5 I w o u l d argue that T O C groups i n East A s i a have both the resources and sophist icat ion to perpetrate this level o f act iv i ty alone and that one cannot deduce a priori that a government was beh ind the attacks. Y e t , this ev idence, in combinat ion w i t h what has been presented in this chapter indicates that as a nexus forms between.systems intruders and T O C groups i n the region there are also state actors exp lo r ing the uses o f the cyber underwor ld i n a more ' o f f i c i a l ' capacity . W h i l e is often taken ax iomat ica l l y that sophist icated ' h a c k i n g ' act iv i ty has been stable across t ime, p r i m a r i l y because o f the s k i l l leve l i n v o l v e d , this m a y change as the rewards 1 5 4 See also Tiboni (2005). 1551 disagree with the conclusion that just because it was a sophisticated 'operation' that it had to be perpetrated by the government of China. While this is certainly possible, my field research has clearly shown that some TOC groups operating in East and Southeast Asia have a high level of technological and operational sophistication (not to mention resources) to accomplish Titan Rain. The Titan Rain perpetrators appeared to have used a variant of the Myfip worm (Brenner, 2005). 
The original Myfip only stole .pdf files; the Myfip-B and later variants generally steal date files with the following extensions ( Brenner, 2005). The items in the list below are prefaced by an apteryx (*) which is a standard wild-card character indicating any file name: *.pdf - Adobe Portable Document Format *.doc - Microsoft Word Document *.dwg - AutoCAD drawing *.sch - C i rCAD schematic *.pcb - C i rCAD circuit board layout *.dwt - AutoCAD template *.dwf - AutoCAD drawing *.max - ORC A D layout *.mdb - Microsoft Database I would also add the *.xls for MS Excel files to Brenner's (2005) list. During my field work, interviewees claimed that once a system had been compromised, tailor made search algorithms would be executed (designed for that operating system) to search for files matching the list above (Confidential Interviews, Kuala Lumpur 2003, Hong Kong SAR 2002, Tokyo 2003, Vancouver 2002-2004, and Manila 2003). The 164 for digital goods become greater and law enforcement focuses on the more public forms of cyber crime (Hinde, 2004:13). 1 5 6 The nature o f the arrangements between system intruders and both N T O C arid T O C groups can, and are often, fleeting. It may be interesting to note that payment for bot-net usage and or information stolen from compromised nodes of corporations or government is sometimes made in Colombian emeralds. In East As ia "the irony is that sophisticated groups o f organized crime have found ways to gather data from telecommunications companies in the region, the same telecoms that law enforcement uses for packet sniffing, the data has value, it can then be sold on an access-based, or used by an organization for counter-intelligence purposes. It's not just the C I A that can hire database engineers and data miners" (Confidential Interview, Kuala Lumpur, Malaysia 2003). The dynamics of the cyber black market The trend is evolving to include more than crimes of opportunity but to creating opportunities based on market demands. 
This indicates that the underground market for stolen proprietary data is shifting from a supply-side to a demand-side dynamic in the region (Confidential Interviews, Hong Kong 2003, Kula Lumpur 2003, Tokyo 2002, operational dilemma is the speed of the search versus the amount of C P U resources taken. 1 6 A third case from the region further illustrated the point. During sometime mid-2002 an individual programmer with expertise in databases and network security was approached by an acquaintance and a former college friend to participate in a group that was being put together for the purpose of building customized software. The group was located was Hong Kong SAR and surrounding area. The assembled group was co-managed by an experienced "cracker" and a member of an organized crime group (name not provided). The interviewee's task was to write software to provide covert access and retrieval to a database owned by a telecommunications company in western Canada. The database was a customer and accounting system. Two small-group meetings interviewee claimed that a member of the P L A China was in attendance. After working on the code, the project was aborted at some point late 2003. The interviewee was paid and handed over the work that had been done (author has not had contact with interviewee since January 2004). The interviewee noted that a bot herder was, at some point, going to be involved. He speculated that a small, secure bot net could be used to transit the data and possibly store it for later analysis and retrieval. But this, admitted the interviewee, was very speculative (Confidential Interview Hong Kong SAR 2003, email correspondence February 16, 2004). 165 Seattle 2004) .The use o f a m i c r o e c o n o m i c m o d e l is part icular ly f i t t ing in l ight o f the results f r o m the field research. 
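The post-compromise behaviour described in footnote 155 above, a tailor-made search for files carrying a fixed set of extensions, leaves a trace a defender can look for in file-access audit logs: a single process reading many distinct files from that list within a short window is unusual for ordinary user software. The Python script below is an added example and is not code from the thesis or from Brenner (2005); the audit-log line format, the process names and the sample events are constructed for illustration, and the watch list is Brenner's Myfip-B extension list plus the *.xls that the author adds.

```python
"""Flag processes that sweep through many document/CAD files in a short window.

Added example (not from the thesis). The watch list is the Myfip-B extension
list the thesis cites from Brenner (2005) plus .xls; the audit-log format and
the sample events are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the thesis lists as targets of Myfip-B and later variants
# (Brenner, 2005), plus .xls as the author suggests.
SENSITIVE_EXTENSIONS = {
    ".pdf", ".doc", ".dwg", ".sch", ".pcb", ".dwt", ".dwf", ".max", ".mdb", ".xls",
}

# Constructed audit-log format (assumption):
#   "<ISO timestamp> <pid> <process> READ <path>"
# The process names and paths are invented; "svchost32.exe" plays the role of
# the tailor-made search tool the interviewees describe.
SAMPLE_LOG = """\
2006-03-01T09:00:01 1201 winword.exe READ C:\\Users\\alice\\Documents\\report.doc
2006-03-01T09:00:05 1201 winword.exe READ C:\\Users\\alice\\Documents\\notes.doc
2006-03-01T09:02:10 2330 svchost32.exe READ C:\\Users\\alice\\Documents\\report.doc
2006-03-01T09:02:11 2330 svchost32.exe READ C:\\Users\\alice\\Documents\\notes.doc
2006-03-01T09:02:11 2330 svchost32.exe READ C:\\Projects\\board\\layout.pcb
2006-03-01T09:02:12 2330 svchost32.exe READ C:\\Projects\\board\\schematic.sch
2006-03-01T09:02:12 2330 svchost32.exe READ C:\\Projects\\plant\\line3.dwg
2006-03-01T09:02:13 2330 svchost32.exe READ C:\\Projects\\plant\\line3.dwt
2006-03-01T09:02:14 2330 svchost32.exe READ C:\\Finance\\q1.xls
2006-03-01T09:02:14 2330 svchost32.exe READ C:\\Finance\\customers.mdb
2006-03-01T09:02:15 2330 svchost32.exe READ C:\\Windows\\System32\\kernel32.dll
2006-03-01T09:30:00 1201 winword.exe READ C:\\Users\\alice\\Documents\\letter.doc
2006-03-01T10:15:00 3102 explorer.exe READ C:\\Users\\alice\\Pictures\\holiday.jpg
"""


def sensitive_extension(path):
    """Return the lower-cased extension if it is on the watch list, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]  # file name only
    if "." not in name:
        return None
    ext = "." + name.rsplit(".", 1)[-1].lower()
    return ext if ext in SENSITIVE_EXTENSIONS else None


def parse_events(log_text):
    """Parse the constructed audit-log format into a list of READ events."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, action, path = line.split(" ", 4)  # path may contain spaces
        if action != "READ":
            continue
        events.append({"ts": datetime.fromisoformat(ts), "pid": pid,
                       "proc": proc, "path": path})
    return events


def find_sweeps(events, window_seconds=60, threshold=5):
    """Return {(pid, proc): (max_distinct_watchlist_files_in_window, extensions)}
    for every process that reads at least `threshold` distinct watch-listed files
    within any `window_seconds` span. Re-reads of the same file do not count."""
    per_proc = defaultdict(dict)  # (pid, proc) -> {path: first read time}
    for ev in events:
        if sensitive_extension(ev["path"]) is None:
            continue
        per_proc[(ev["pid"], ev["proc"])].setdefault(ev["path"], ev["ts"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for key, paths in per_proc.items():
        times = sorted(paths.values())
        best, j = 0, 0
        for i in range(len(times)):          # sliding window over first-read times
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            exts = sorted({sensitive_extension(p) for p in paths})
            flagged[key] = (best, exts)
    return flagged


if __name__ == "__main__":
    for (pid, proc), (count, exts) in find_sweeps(parse_events(SAMPLE_LOG)).items():
        print(f"{proc} (pid {pid}): {count} watch-listed files in one window; "
              f"extensions {', '.join(exts)}")
```

The window and threshold are assumptions to be tuned per environment. The operational dilemma the footnote mentions (search speed against CPU load) cuts the other way for the defender: a search throttled to run over hours will not exceed a 60-second window, which is why the function also reports the set of extensions touched, so that a slow sweep across document, CAD and database formats can still be picked out on review.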
During the late 1990s the market in East Asia for illegally obtained data - everything from research results from labs in Singapore to proprietary production methods from plants in the Philippines - was a niche market dominated by supply-side movement. In other words, TOC groups or independent network intruders would steal data, largely as crimes of opportunity, and then attempt to find a buyer. If a buyer of the data approached a group or individual to steal the information it was usually considered a rare event, or what can be formally called a niche market. The supply curve was highly elastic, meaning that successful attempts were relatively few and inconsistent. Now the underground market in East Asia has begun to swing to a demand-side dynamic. Potential buyers of the data approach known actors in Shenzhen, usually individuals with formal ties to TOC groups in the region. They then organize the transaction and employ stables of network intruders to accomplish the request. The demand side is relatively elastic but information gained through interviews indicates that this elasticity is decreasing. This means that a reasonably stable market, with known pricing levels, is emerging. There are mixed forms of transnational organized crime using each other's expertise to create an infrastructure that allows them to do what they need to do. These markets may challenge traditional notions of security as they internationalize and grow and expand through international demand and supply. Indeed, the market for stolen data is rapidly shifting from being primarily supply driven to being driven by both supply and demand side dynamics.

Conclusion: What is the Nexus?
Internet and computing technologies that are adopted, in any organizational structure, have an impact in a vertical and a horizontal manner. Vertical integration into both types of TOC groups in East Asia is a result of the integration of a younger, often more formally educated, generation. In general, it is this 'layer' that has become the innovation vector pushing older and younger, less educated, members of Triads and other groups to use certain technologies. The uses range from secure, encrypted communications to untraceable cellular telephones. In one example, participants in a triad based in Hong Kong were involved in a smuggling ring targeting high-tech components for robotic manufacturing lines. Because this required the participation of individuals from three countries, a network intruder was hired to design a website that would operate hidden on the public Internet. The website shifted IP addresses at regular intervals and used several layers of authentication. Once triad members "logged on" they were able to view logistical information as well as messages from participants in other countries (Confidential Interview, Hong Kong 2003). Vertical integration of Internet technologies allows the more sophisticated groups to streamline and secure communications, produce and distribute timely information, and control the level of access to this information. Maps, photos, instructions and so on can be distributed, all at minimal risk. Face-to-face communication is still the most secure form of information transmission, but the use of software designed especially for them by a stable of network intruders or "hackers" means that specialized customizations can be quickly added and constantly maintained.[157]

[157] In one particular example, a series of webcams were set up outside a target facility on the outskirts of Hong Kong weeks before the crime was committed. All of this 'intelligence data' could be stored and analyzed on a server by a select group of individuals with the correct privileges (Confidential Interview, Hong Kong 2003).

Vertical integration of Internet technologies allows operations to be streamlined in only the top tier of TOC groups operating in East Asia. Horizontal integration allows TOC groups to accomplish two critical tasks: bring in new "hacker" talent and use the technology to gain access to critical information. First, elements of TOC are now playing the role of an agent negotiating deals between network intruders and clients: corrupt government officials, other organized criminal elements, individuals, and increasingly, firms in East Asia. This is a more recent development which may explain concerns in some policy circles that terrorist groups are contracting out certain computing "services" through TOC agents that have been developing "stables" of talent. It must be pointed out, however, that these links are at best theoretical and only scant anecdotal evidence was found. Second, the horizontal integration of Internet technology allows for the theft of data. There are cases of stables of network intruders working under the supervision of several triad members to steal proprietary information from corporate and public laboratories in Singapore, and from high-tech manufacturing plants in Taiwan, Japan and Southern China (Confidential Interviews, Hong Kong SAR, Manila, Tokyo, Kuala Lumpur, 2003). This is a particularly attractive horizontal strategy because the rewards are high but the risk is very low. In most of the instances that I came across, the techniques employed a combination of remote network intrusion from a distance with various types of social engineering strategies.

In the very near future, machines will overtake humans to become the biggest users of the Internet as the cyber infrastructure adds electronic sensors, smart homes, and RFID tags that track objects in physical space (ITU, 2005). With more machine than human activity in the cyber infrastructure, the number of compromised nodes will grow. My conclusion here is that the increasingly organized and sophisticated use of elaborate cyber infrastructure strategies and tactics in East Asia has connections to the more traditional and non-traditional forms of TOC, but participation by these actors is far from systemic and persistent. The digital divide within traditional triad organizations means that their respective leadership or hierarchies are rarely aware of the use of high-tech tactics and strategies. These conclusions parallel changes in transnational organized criminal activity in the region observed by Zhang and Chin (2003) and discussed in Chapter Seven. Small, nimble, highly skilled networks or ad hoc groups are not necessarily replacing more traditional forms of TOC in the region. Because, from an operational perspective, these crimes are highly technical and strategically sophisticated, traditional organized crime groups in the region are becoming market consumers of the raw illicit data, rather than producers. It should be pointed out that this is not true in all cases. There were a few claims made by interviewees that bot herders were forming more stable relationships or partnerships with the traditional crime groups, but it is far from clear what this looks like or how it will evolve. The extent, and the relative extent within East Asia, of both bot net growth and the cyber black markets that support them therefore remains unclear.
The key conclusion here is that the trafficking in illicit data, obtained by systems intruders, in East Asia is a growing problem and one that mirrors, in many ways, the growth of trafficking more generally. It draws on the problem of flatter, more nimble social networks, jurisdictional arbitrage, and the problem of state capacity. Intrinsic data mined from compromised nodes from around the world, stored on servers in Shenzhen and Hong Kong, and customized software services developed for both the cyber and organized criminal underworlds are all adaptations in the face of changes in both black markets and law enforcement. Can the state adapt in the face of a nascent nexus between systems intruders, TOC groups, and possibly other state actors? Do cyber enabled organized crime groups in the region constitute a threat to security? These are the subjects to which the following chapters now turn.

Chapter Nine: Bot Nets and Back Channels, The Return of the State

Introduction

In the previous chapters, a link has been established between both traditional and non-traditional forms of organized crime groups in East Asia and system intruders operating in the 'cyber underworld.' That link has been characterized and tentative claims made about what these links might mean for security in the region. The process of state responses to threats from the cyber infrastructure has been introduced as a series of coevolutionary competitive processes. This cat-and-mouse adaptive game is influenced not only by the actors and payoffs but also by the national environments in which they take place. As will be shown below, adaptive competitive processes do not take place in a vacuum. This final substantive chapter turns now to the remaining conceptual and substantive questions. First, if there is an adaptation space between state responses to cyber security threats, is it increasing or decreasing?
Second, what conclusions can be drawn regarding state capacity to respond to cyber security threats in the region? Chapter Eight concluded that while criminal innovation does not, in the short run, constitute a threat to security, this does not mean that states will 'see' it that way. There have been fairly consistent efforts in the region to securitize the cyber infrastructure. This is driven by two critical tensions in both the behaviour of state actors and in policy discourse. The first tension is driven by a loss-of-control narrative regarding cyber space. Here states see a 'space' that is not 'in control' and can thus be a threat to security. The second tension is enveloped by a tendency to see the cyber infrastructure in territorial terms as anarchical and subject to power projection in order to maximize the national interest. This emerging virtual realism accurately characterizes and explains state behavior in East Asia toward the cyber infrastructure both in the realm of security and in international politics more generally. This chapter will begin with a discussion of the loss-of-control narrative and situate it within the context of an emerging virtual realism. The following section discusses the coevolutionary gap between law enforcement agencies and criminal innovators within the context of three brief cases: Singapore, Hong Kong SAR, and China. It will be important to situate state responses in the region against international models and, in principle, make tentative distinctions among global models used in the United Kingdom (UK) and the United States (US). This section illustrates the problem of accurately describing the competitive processes by using a predator-prey model. This will only be a very initial examination within the context of an explicit coevolutionary competitive model.
It is initial, or tentative, because of the number and complexity of the actors involved: a) state - law enforcement and intelligence; b) cyber actors - systems intruders and bot nets; and c) TOC and NTOC groups. Despite the problems associated with accurately characterizing the gap, it is clear that the widening has been arrested in some countries, but continues in others. The chapter concludes with a discussion of East Asian states in a cyber world characterized by virtual realism. There are several important issues regarding states in East Asia. First, the problem of jurisdictional arbitrage has only recently been addressed in the region. This has exposed, not surprisingly, a host of interconnected issues such as state capacity, victim silence, and particular norms and culture. These issues stand in tension with an emerging realism in the region, especially in light of the evidence found in Part One of this study linking the level of the rule of law and the number of compromised nodes in East Asia.

Virtual realism and a loss of control

A number of scholars have noted the growing gap between cyber infrastructure threat perception and reality. One research effort is particularly relevant for this work. Peter Shields studied the response of the US government to the migration of money laundering to the cyber infrastructure, for example, through the cyber payment system. Shields argues that in general there are growing distortions between the evolution and growth of the cyber infrastructure and threats to security from organized crime. His main thesis is that "the 'loss-of-control' narrative obscures the fact that much of the money-laundering problem has been fueled not by technology developments per se, but by the dynamic interaction between these technological developments and ongoing developments in criminal justice policy and associated changes in the US state" (Shields, 2005:485).
Shields is careful not to underestimate the very real pressure or gap between law enforcement and criminal innovation, but he is interested in teasing out a more nuanced understanding of the growing gap. This is important because, as Kenneth Minihan discovered in a sweeping study of the US military's cyber infrastructure conducted in 1996, "[o]ur [US] ability to network has far outpaced our ability to protect networks" (Minihan, 1996:14). While Shields' analysis is methodologically problematic (relying on narrative analysis alone), he does have a point: "it would be a mistake to view the 'information revolution' as the sole or primary driver of these phenomena" (Shields, 2005:495). Shields argues that the loss-of-control narrative has become "dominant", and that a "central element of this storyline is that the 'information revolution' has plunged law enforcement into crisis" (2005:495). More specifically, the cyber infrastructure is "portrayed as undermining law enforcement's 'follow-the-money' approach to combating organized crime" (2005:495). The loss-of-control narrative, according to Shields, characterizes the state as "purely reactive" and "greatly understates the degree to which the US state has actually helped to create the conditions that have generated and exacerbated the money-laundering problem" (2005:497). Shields' analysis does, however, lead to an important point: the sense of a loss of control affects international security relations because the US has begun in earnest "the export of surveillance-intensive money laundering countermeasures to unwilling countries" which can be "justified in a similar way" as the crisis generated by a loss of control (2005: 502). A very similar brand of export from the US to East Asian countries is evident. An example is the use of the US model for detecting emerging problems, which borrows from epidemiology and the use of "syndromic surveillance" (Stoto, 2005).
The idea here is that in addition to state policies aimed at retaking the cyber infrastructure - a device-by-device security strategy - law enforcement agencies have begun to implement broad syndromic surveillance programs designed to act like the early warning systems used by disease outbreak and control programs. The strategy involves the use of passive and active monitors that rely on disclosure and reporting of Internet security 'outbreaks', using an infection control analogy from epidemiology (Milito, 2006). As Casman et al (2005) note, there is a tradeoff between sensitivity and specificity in syndromic security strategies. This means that it is highly unlikely that syndromic surveillance systems can detect the first or even the sixth case of a newly emerging threat. Syndromic surveillance capacities provide the state a kind of 'population-wide' monitoring framework within a social, political and temporal milieu that would otherwise make overt intrusions by the state into the cyber infrastructure untenable in most cases. Moved to an international level of analysis, Shields' work provides a theoretical starting position for understanding how criminalization and securitization of the cyber infrastructure by states in East Asia are occurring simultaneously. Most countries in the international system now make commitments to rolling out information infrastructure. It is viewed as a tool of both economic and military empowerment. But it also ushers in a host of non-traditional vulnerabilities and insecurities that are difficult for states to understand and respond to.

Adaptation space

A coevolutionary competitive process means that when an adversary is faced with a quickly evolving predator the tendency is to reach for the tools that are known best to both predator and prey.
Framed within the context of state institutional capacity this usually means more police and more laws and, possibly, even framing the problem as a threat to 'national security', which then provides a rhetorical foundation for the use of extraordinary measures to confront the threat.[158] The state is in a unique position in the predator-prey analogy because it is both prey, when the target of attacks, and predator, when responding to or attacking. But as has been argued in Chapter Seven, state actors too are feeling their way around the nexus as predator, not just as prey. Responding to quickly evolving criminal networks has only in recent years begun to stimulate a more focused response from the law enforcement communities in the region. This shift appears to be evolving from a universal approach to the cyber infrastructure to a more concerted device-by-device strategy. But as we have seen in previous chapters, there is a certain cyber security viscosity at work - i.e. the degree to which the illicit data in the cyber underground resists flow under an applied force stemming from state laws and regulation.

[158] There is a growing array of international and national laws to deal with 'cyber crimes'. A full survey of these legal apparatuses is well beyond the scope of this study. However, I do note that the importance of understanding cyber crime is most certainly linked to knowledge of cyber crime legislation and privacy laws. For a detailed look at the international legal instruments developed to combat 'cyber-crime' see Pocar (2004) and Urbas (2001). Pocar argues that despite a very long list of international legal tools that have been developed to address the impact of technology and criminal innovation, especially the use of the cyber infrastructure, other than specific European conventions few of the international legal instruments have come into force (2004:31). The bulk of the heavy lifting is done by national legislation. The exception is the EU Convention on Cybercrime, which is the standard to which other efforts are often compared.

There are a number of models of coevolutionary competitive processes that can describe asymmetrical arms races: the Tron game, the aggressor-defender model, and the more familiar predator-prey model. The Tron game has been used in studies setting humans against web robots (software-based artificial intelligence) in the cyber infrastructure. The Tron game is a type of "live and let live" model inspired by the 1980s science fiction movie Tron. According to Funes et al, "two robot players make tightest [sic] spirals in order to stay as far from the opponent as possible. This form of collusion is a frequent suboptimal equilibrium that prevents learning robot strategies by self-play in a coevolutionary arms race" (1997:6). While the eventual goal is to approach and cut off the opposing player - thereby destroying it - this does not fit the competitive processes in cyber infrastructure security, because the strategy used at the beginning of the game is to stay as 'far away' as possible. It is only after the "structure" of the game forces competitors into tighter confines that the "race" begins. Another possibility is the aggressor-defender model used by Anderson (2004). Using an abstract geometric approach, Anderson argues that in "multiagent systems, small changes in individual-level rules may lead to very large changes at the group-level. This phenomenon is striking in the aggressor-defender game, a simple participative game in which each participant randomly selects two others from the group A and B. In the aggressor game, everyone tries to position themselves so that A is always between themselves and B" (2004:175). In a very abstract manner, the aggressor-defender game does incorporate the "positioning" of the actors involved in this analysis: the state, nodes in the cyber infrastructure, and criminal innovation.
But it does not accurately describe the "chase" that ensues, nor does it apply to the types of information exchanges and equilibrium dynamics seen in cyber incidents, as discussed in Chapter Three. The final framework is a predator-prey model. This model is generally used to describe the dynamics of biological and ecological systems in which two species interact, one as predator and one as its prey. This model holds for the action-reaction between attacks, defence, and the subsequent iterations which lead to new strategies. But the predator-prey model describes the ebb and flow of population dynamics (Volterra, 1931). So, while an explicit Lotka-Volterra model of predator-prey interaction is not useful for this study, as an analogy it may work. But there are limitations to the predator-prey analogy. For example, Robert Jervis (1997), who wrote about international system change and the state, argues for a more nuanced view of coevolution in the sense that actors not only compete with one another in their environments, they change them (1997:48). This interaction or feedback is the point at which complexity theory, according to Jervis, can help explain the unintended consequences of international processes. Be that as it may, the adaptive understanding of the state and the cyber infrastructure in this study stops at the point where Jervis and others take off. A much 'simpler' objective is to restrict the analysis to the adaptation space in a coevolutionary environment and not account for interactions feeding back into that same environment. In methodological terms, coevolutionary competitive processes, while conceptually useful, are very difficult to 'test'. This is the trade-off when using these frameworks: they are easy to conceptualize but it is very difficult to generate testable hypotheses from them. This holds true in biology and is also a factor in this study.
In International Relations, for example, Cederman (1997) defines complex adaptive systems within the context of International Relations as an "adaptive network exhibiting aggregate properties that 177 emerge from the local interaction among many agents mutually constituting their own environment" (1997:50). But Cederman's definition is used to distinguish complex adaptive systems as an alternative modeling methodology to more traditional agent-based and game theory computer simulations. Coevolutionary competitive processes are a more abstract idea when compared to the strategic adaptation inherent in Cederman's complex adaptive systems model. While analytic 'solutions' are certainly possible, they are rarely tested against empirical data obtained outside simulations. The questions, however, that are central to the use of coevolutionary frameworks to study adaptive competitive processes are never-the-less relevant here: what is it, exactly, that adapts (Price, 1997:245-247)? Is it the state? The institutions? Or the individuals that make the institutions work? The Red Queen effect (discussed in Chapter Two) is another good example of the inherent limitations. Recall that the effect, for the purpose of this study, makes two claims: first, that it takes all the 'running' an actor can do just to maintain its position. Thus, the ability, or likelihood, of survival does not increase over time. Second, as F ic i and Pollack (1998) argue in their analysis o f the application of genetic algorithms to game theory, the "desired arms race does not simply involve competition, but also enculturation towards convention" (1998:9-10). Abstract, yes, but important in. understanding that the competitive process itself produces a culture which feeds back into the process. This is very difficult to observe empirically, and limits the extent of the substantive conclusions. 
178 Coevo lu t ionary patterns i n cyber infrastructure security are rooted i n what Savona and M i g n o n e ident i fy as a paradox. T h e paradox, they argue, is that law enforcement agencies exploit technologies in their crusade against crime, which - as explained - is also highly dependent on new technologies. From this standpoint, new technologies are a threat and a piece of good fortune for both criminals and law enforcement authorities. In fact, criminals enhance their activities by means of ICT, which make them vulnerable to the risks of being intercepted by the technological solutions used by the police (2004:18). B u t the goal o f an opt imal state response is to disrupt or d issolve networks rather than try to destroy them - at least, i n theory. Mathemat i ca l m o d e l i n g , for instance, does show that this is the most eff icient w a y to handle socia l networks in w h i c h the l inks or connect ions are not entirely k n o w n (Lev ine , 2004:7 ) . Th i s appears s imple in theory, but i n pract ice c l o s i n g the gap between c r i m i n a l innovat ion and state responses become m u c h more compl icated . P o l i c e agencies have very l o w levels o f trust not on ly between countries but also w i t h i n - and it is trust, even i n the cyber infrastructure, that makes things happen. In addi t ion to trust, po l i t i cs also plays an especia l ly important role (K luve r , R a n d o l p h , Indrajit, Baner jee, 2005) . Th i s is due to " m a n y nations . . . r i s ing to this chal lenge [cyber c r ime] , i n d i v i d u a l l y and co l lec t i ve ly , but the web o f international cooperat ion does have its holes and those nations that l a g behind the leaders r isk b e c o m i n g havens for cyberc r imina ls o f the future" (G rabosky 2004:1 ) . Other scholars have more exp l ic i t adv ice for l a w enforcement w h e n faced w i t h n i m b l e social n e t w o r k s . 
1 5 9 P h i l W i l l i a m s argued that the "approach has to be strategic, w i t h clear and real ist ic objectives (contain ing and weaken ing rather than eradicat ing organized cr ime) , coordinat ion o f efforts to pursue these object ives, exp l ic i t measures o f effectiveness, and efforts to th ink through the impl icat ions o f success (how the c r imina ls might adapt and h o w to ensure that the threat they pose is less rather than more severe after their adaptation)" (2004:4) . 1 5 9 Interesting endnote on how technology and crime is impacting Criminology as a discipline: "in the fast moving world of the future it is likely that criminology will have to sacrifice some scholarly rigor in favour of timeliness and relevance" (Clarke, 2004:60). 179 O n the one hand, the cyber infrastructure was designed to route around obstacles, but both T O C and N T O C groups must ef fect ive ly neutral ize efforts at socia l control i n cyber space i n order to be successful innovators o f these t e c h n o l o g i e s . 1 6 0 In an environment in w h i c h these dual i t ies increas ing ly matter, does nar rowing or w i d e n i n g the adaptation space s i m p l y b o i l d o w n to resources? Poss ib le , but u n l i k e l y . A study b y K e n n y (2003) that looked at h o w flatter networks are chang ing the i l l i c i t d rug trade conc luded that w h i l e "non-state c r im in a l enterprises cannot match the technological sophist icat ion o f drug enforcement and inte l l igence agencies, they possess important advantages over their state adversaries, i n c l u d i n g the clandestine nature o f narcotics t ra f f i ck ing , flatter dec is ion m a k i n g hierarchies, and fewer bureaucratic restraints to act ion" (2003:133) . In East A s i a , they can and do, match the state - but o n l y certain states. T h e prescr ipt ion, it w o u l d seem, w o u l d be to f ight networks w i t h networks . 
B u t s i m p l y th rowing networks at other networks does not address ju r i sd ic t iona l arbitrage, weak states w i t h l o w inst i tut ional capacit ies, v i c t i m si lence, and d i f fe r ing norms and cultures across countries — especia l ly i n East A s i a . The U K m o d e l is often he ld as an example b y both practit ioners and scholars o f an effect ive inst i tut ional and organizat ional response to h igh - tech cr ime. T h e Nat iona l H i g h - T e c C r i m e U n i t ( N H T C U ) , headquartered i n L o n d o n , was created i n A p r i l o f 2 0 0 1 . O r i g i n a l l y tasked w i t h f ight ing cyber c r ime l i k e fraud and ph ish ing it has rap id ly 1 6 0 McMullan and Perrier (2003) have a great discussion of early works in criminology and sociology. Specifically, the impact of what Haggarty (2005) calls the "the accelerated embrace of new crime-fighting technologies" (2005:492) and the subsequent "unanticipated consequences of technologies" (2005: 495). McMullan and Perrier also found that technological payoffs do not often emerge as expected. For example, the "system of mobile communication fostered the development of'response time' as a measure of police success, although we now recognize that the speed of response bears little relationship to police effectiveness" (2005:495). The authors have also studied the technologies which have been used by organized crime against gambling-related computer systems in Nova Scotia, Canada. Sophisticated organized crime that employs advanced technologies in either method or organization do so not as a tool to accomplish the job (i.e. steal the data) but must also consider it to blunt, manipulate, circumvent or 'hack' state control. 180 expanded to deal with organised crime and individual hackers and set up the first formal links with industry to increase the effectiveness o f cyber crime prevention and reporting. The model is being replicated in Australia and South Africa. 
The N H T C U from the beginning appeared to make a conscious choice not to field experts in all areas of the cyber infrastructure. Instead they chose to focus on two dimensions: 1) forensic computing; and 2) network investigation. To help manage the problem of firms staying quiet after serious system breaches the N H T C U created and launched the Confidentiality Charter for businesses ( N H T C U , 2005). The Charter has shown promising results in allaying the concerns o f firms when reporting breaches, but it is still voluntary. To date, however, there is only one jurisdiction in the world that requires, by law, that firms report system intrusions -California. California has also devised a new type of model to respond to cyber infrastructure crimes. The Northern California Model operates on a regional basis rather than a national one. The U S Department of Justice has set up ten regional units across the U S staffed by technical experts as well as lawyers. What is also different from the U K model is the focus on intellectual property rights rather than the crimes. What is unique about the California initiatives is that they place considerable emphasis on providing the 'right tools' for both the lawyers and investigators. Briefly, there are two capabilities that cyber crime investigative agencies should possess. First, each organization should have the ability to investigate crimes occurring on computer networks. Second, an organization should have the forensic capability to analyze seized electronic evidence. Self-evident, perhaps, but states such as the Philippines use a single unit to exercise both functions, while others such as Hong Kong separate these functions into different units. It unclear which models work best (holding 181 other factors constant) but innovation appears to be key in East A s i a . 
1 6 1 Huey argues that it is not just a lack of resources and training, it is that police agencies often treat cyber enhance crime and the technologies involved as a kind of black-box primarily because of the territorial nature of policing itself. Huey argues that this "is because historically the nature of policing in society has been intricately tied to spatial arrangements. The public police meet their prescribed mandate through techniques involving the oversight of very carefully defined territories" (Huey 2002:244). Measured by basic capabilities alone, the Philippines, China, and Indonesia all appear to be lacking in one facet or another. In addition to basic capabilities, there are law enforcement tactics which can include monitoring and infiltrating clandestine cyber social networks like bulletin groups and IRC channels, developing computer programs to information and incident data, and making connections - both formal and informal - with security personnel working for private sector firms and state security agencies. Increasingly, these links are being made across borders in order to address the problem of jurisdictional arbitrage and the digital divides that exist between information rich police forces versus information poor agencies in East Asia . In this regional context, cyber security issues were in the past been linked to economics. This stands in stark contrast to state response patterns in the U S . In the U S case, a much more subtle, hegemonic strategic approach has evolved rather than the 'surveillance' focused approaches in East Asia . Both approaches often involve the private sector. But in the U S case, the cooperation is built on strategic footings. 1 6 1 As an example, one of the more basic measures is the Police innovation curve. There are few openly available studies on this subject. However, one particular research effort of police adaptation at the micro level stands out. 
The authors looked at municipal forces in North American and found that "[ajdoption and extent of utilization proved to be largely independent processes. Involvement in cosmopolitan networks, experience with using databases for law enforcement, and the human capital capacities of the organizations influenced the adoption decision, while organizational resources and experience in using the system drove the level of actual use" (Skogan and Hartnett, 2005). The finding is rather stark. 182 L i c h t b l a u and R i s e n , w r i t i n g i n the N e w Y o r k T i m e s found that one "outs ide expert on communicat ions pr i vacy w h o prev ious ly w o r k e d at the N . S . A . said that to exploit its technolog ica l capabi l i t ies , the A m e r i c a n government had i n the last few years been quiet ly encouraging the te lecommunicat ions industry to increase the amount o f international t raff ic that is routed through A m e r i c a n - b a s e d swi tches" (2005) . In effect, this extends the in format ion territory o f the U S , at the loss o f others - especia l ly i n East A s i a . These two approaches point to a key di f ference i n manag ing the growth o f the cyber infrastructure. W h a t is important is that states i n East A s i a are n o w m i r r o r i n g or responding to the U S approach in an attempt to 'secure ' and mainta in the integrity o f their infrastructures. S i m i l a r cooperat ion strategies are employed i n East A s i a . F o r example , the governments o f South K o r e a , Japan, S ingapore and H o n g K o n g , for example , require Internet service providers to keep in format ion on users and to help l a w enforcement agencies track their on l ine activ it ies. In Japan, the C o m m u n i c a t i o n s Interception L a w was passed i n Augus t 1999, a l l o w i n g l a w enforcement o f f i c ia l s access to pr ivate e -ma i l accounts i f they were invest igat ing certain types o f c r ime ( W i l l i a m s , 2000) . 
T h e C o m m u n i c a t i o n s Author i t y o f T h a i l a n d ( C A T ) b y l a w has m i n i m u m 32 per cent share i n a l l p r i va te ly -owned ISPs. In addi t ion the N a t i o n a l Informat ion T e c h n o l o g y C o m m i t t e e ( N I T C ) has ordered ISPs to retain connect ion data about their customers for at least three months. T h e goal is to enable prosecutors to take act ion against those w h o surf to 'undesi rable ' websites and to faci l i tate government authorities to b l o c k such sites. (Reporters Wi thout Borders , 2002) . M o v i n g to the case studies w i l l demonstrate not just the adaptive responses i n East A s i a to c r im ina l innovat ion as a security p r o b l e m but also situate this process w i t h i n a 183 strategic cyber awakening in the region. Three cases wi l l be presented: Singapore, Hong Kong S A R and China. The complex two-level game that states in the region must play within cyber space continues to evolve and change. The cases show that while the idea of security in the cyber infrastructure is changing in the region, there does not appear to be a threat to the infrastructure itself. But rather, the threats are effects of contending social and political forces. Singapore National information infrastructure strategies and policies in Singapore have been cornerstones to economic growth (Kraemer and Dedrick, 1996). Growth, jobs, and the ability to compete in region by attracting M N C s and reinforcing the city-state's role as a regional hub. Singapore's vision is of an intelligent island; one that can achieve balance between economic openness and a kind of communitarian ideology. Political and religious websites must register with the government's Media Development Authority ( R W B , 2003:100). There is good reason for the government in Singapore to worry. The country has made science and technological development the foundation of its economic plan. 
The fours pillars of growth: biomedicine, electronics, chemicals and engineering have seen massive investments from both public and private monies since 2000. The key to the four pillars is the idea of taking an initial idea through the research and development stage all the way to commercialization, all accomplished within the city state (Young 2004:48-51). Singapore's policy toward the cyber infrastructure began in the 1990s with a strong government controls which have gradually been reduced as a culture of self-regulation has embedded in society (Lee 2005:79). This is a unique model in East Asia . The practicability of self-regulation relies on the application of'auto-regulation', where 184 cryptic and arbitrary policies and legal codes as governmental technologies are employed by regulatory authorities to "shape, normalize and instrumentalize the conduct, thought, decisions and aspirations of others" (Mil ler and Rose, 1990:82). With the holistic application of'auto-regulation', the otherwise complex and arduous task of Internet policing in Singapore is made less onerous,.aided and empowered or 'coregulated' by laws, policy codes, statements and generalised techniques and technologies of surveillance designed to shape the conduct of individuals and groups within society. While the auto or self regulation model now dominates the more public dimensions of cyber security, very little is known regarding Singapore's response to the emerging nexus between systems intruders and law enforcement. 1 6 2 In November 1998, the local Straits Times reported that a section of the Singapore Police Force has been set up to "patrol the alleys of cyberspace" (Chong, 1998). While their official role is to keep hackers and cyber-crime at bay, the very existence of a 'cyber-police' branch in the late 1990s served to reinforce the widespread belief that Internet surveillance is conducted in Singapore (Lee and Birch, 2000:159). 
In Apr i l 1999 some anecdotal evidence surfaced that SingNet was conducting secret scanning of its subscribers' web accounts, supposedly for vulnerabilities to virus attacks (Chong, 1999b:l). N o further information on this 'cyber-police' has been available since. 1 6 3 It is probable that this branch has been subsumed under the Technology Crimes Division of the Criminal Investigations Department (CID) of the Singapore Police Force ( S P F ) . 1 6 4 It has also formed close ties with local universities for forensics, security research and support (Straights Times, 2001). Singapore's strategy is not limited to strictly law enforcement and intelligence 1 0" In many ways the Singapore model has been a''beacon' for other states in East Asia, especially China. 1 6 3 For a history of Internet regulation in Singapore see Rodriguez (2000). 1 6 4 I have not had a chance to do extensive field work in Singapore; much of what is openly known about the case is often rumor or anecdotal evidence and the few quasi-academic articles that have been written. 185 institutional capacity building. There has also been a concerted effort to engage the 'hacker' community. Government and industry have in the past organized a contests to find the city state's best computer hacker. Six teams competed in hacker challenges organized by the government-funded National Infocomm Competency Center. Singapore has not made cyber infrastructure security an entirely separate pillar but has that required law enforcement, legal, and intelligence personnel take courses on computer use and misuse. Singapore was one of the first countries in East As ia to routinely ja i l 'hackers'. System intruders, or anyone using the Internet for anything "untoward", were routinely jailed for up to three years or fined up to US$5,800 under the state's Computer Misuse Act . 
What is key in the minds of policy makers in Singapore is the how valuable information becomes as it goes from concept or idea through to potential commercialization, traveling all the while from hard drive to hard drive. This new information economy is being mapped-out' by both traditional and non-traditional T O C groups in East Asia ; targeted because of both the sheer volume and value that much o f the data produced in areas like biomedicine to nanotechnology (Confidential Interview, Hong Kong 2003). The Singapore economic development initiatives mean that the value of the data sitting on hard drives in labs and administrative offices cannot be understated. Despite Singapore's technological prowess and the relatively small number o f users and content it must regulate, the government has not pursued a China-type firewall strategy. Instead, the Singaporean government has openly recognized that absolute control is not possible (Rodriguez 2000:24). From what is known Singapore appears to possess a kind of cyber siege stance in its policy toward the infrastructure. This makes sense historically when looking at other dimensions of the city state's security. Singapore's foreign and 186 defence p o l i c y has been rooted i n a k i n d o f siege and insecuri ty , and has shown a remarkable abi l i ty to cope and mit igate innate vulnerabi l i t ies . In Singaporean security p o l i c y "no th ing is taken for granted and noth ing is guaranteed" (Le i fer , 2 0 0 0 : 1 6 2 ) . T w o laws in S ingapore shape l a w enforcement 's response to cyber threats: the Singapore C o m p u t e r M i s u s e A c t and the E lec t ron ic Transact ion A c t . B o t h laws are s imi la r to other pieces o f legis lat ion i n the region except on two p o i n t s . 1 6 5 F i rst , recent changes to the Computer M i s u s e A c t a l low security agencies to take whatever pre-empt ive measures necessary to counter or prevent threats against the infrastructure. 
Second , Singapore has m o d i f i e d both A c t s to require any user to hand over encrypt ion keys to l a w enforcement. A s o f 2 0 0 3 , on ly Singapore and M a l a y s i a have enacted laws that w o u l d require users to d isc lose their keys or face c r imina l penalties. In both o f those countries, po l i ce have the power to f ine and impr i son users w h o do not p rov ide the keys or p l a i n text vers ion o f any encrypted f i le . Th i s inc ludes an extra-terr i tor ial i ty d imens ion w h i c h requires users to render assistance to law enforcement even i f the f i les are located i n another j u r i s d i c t i o n . 1 6 6 M u c h o f the evolut ion in the legal environment and the growth i n cyber security awareness i n l a w enforcement and intel l igence agencies is guided b y S ingapore 's " I n f o c o m m Secur i ty Maste r P l a n . " T h e M a s t e r P l a n articulates what Singapore sees as the threats f rom cyber terrorists, cyber c r imina ls and " i r respons ib le" hackers (Choudhury , 2005) . L i t t le , however , is k n o w n about the effectiveness o f its cyber security 1 6 5 Singapore and India are the only two states in Asia where interception warrants are issued by executive authorities alone (Wong, 2005:65). Places where interception warrants are issued by courts: Canada, New Zealand, the Philippines. Other countries where interception warrants are issued by executive authorities or courts, for example, Thailand. For a good comparison of Hong Kong SAR, Australia, the U K and the US interception laws and regulations see Wong (2005). 1 6 6 I should point out that there are additional data retention and storage regulations forthcoming in Singapore. In general, data retention regulations make it 'easier' for law enforcement to monitor the infrastructure and gather traffic data. This, as opposed to content data, for which no retention laws or regulations exist. 
For example, in Canada, law enforcement face a much lower threshold for obtaining warrants for traffic data. The threshold to obtain warrants for content data are considerably higher. 187 infrastructure in closing the adaptation space with innovation in T O C groups outside Singapore's borders. The key is management of the cyber infrastructure and the coevolutionary adaptive processes within its territory but this has the paradoxical effect of 'pushing" the problem to other jurisdictions without the capacity to respond. This process highlights one imperative of jurisdictional arbitrage in a coevolutionary adaptive environment where there are extremes in cross-national institutional capacity. While the 'inside' of a states information territory may be 'secure', it wi l l only be as secure as the weakest state. The problem here is that, in the long run, this does not change the likelihood of infrastructure instability - it simply transfers it. This is the essence of the Red Queen effect. In the Singapore case - the paradox underscores a result of the Red Queen effect, even though adaptation has been in one sense more successful than other countries in the region, the probability or chance that there wi l l be serious infrastructural instabilities remains constant. Recall the underlying process of the Red Queen effect is that it takes all the running you can do just to remain in one spot. What is unique is that it is 'easier' for states to securitize an external threat to the cyber infrastructure. Hong Kong S A R Second only to Singapore in their response to criminal innovation, the Hong Kong Police have also begun aggressively adapt to criminal high-tech innovation. A Computer Crime Section was set up in 1993 to investigate complaints of serious computer crime. This was followed the provision of resources for preventing computer crime and increasing the capability of handling computer crime at the local detachment level. 
The capability was strengthened with the upgrade of the Computer Crime Section to the 188 Technology Crime Division in 2001 . 1 6 7 The Divis ion is designed to enhance police expertise in computer crime investigation, established a computer forensics laboratory to support investigations and conduct research and development. 1 6 8 The adaptation space in both the Singaporean and Hong Kong responses to criminal innovation is slowly closing. But the adaptation is uneven in addressing jurisdictional arbitrage especially southern China. Law enforcement heads from Hong Kong, Guangdong, Macau regularly meet for Tri-partite sessions for the promotion of intelligence sharing and co-operation on investigations. The tripartite meeting is a b i -annual event. While Singapore and Hong Kong national information infrastructure strategies and policies grew out of a purely economic dimension, such evolutionary trajectories are not entirely uniform across East As ia (Kraemer and Dedrick, 1996). In Japan, for example, the cyber infrastructure development was to support new economic growth and jobs, deal with US threat in high-tech business, then catch-up with U S lead in PCs, software and networking. Singapore's 'intelligence island' and Hong Kong 'information hub' all have a regional market competition influence that sees the integrity of their cyber spaces as key to maintaining an image. In other words, the perception and reality of a clean, safe cyber infrastructure is a paramount goal. But this is not consistent across the region. In Japan, for example, it is a vision and image of a 'multimedia information society' which l 0 / There is extensive capacity building in other law enforcement agencies in Hong Kong. For example, the Anti-Internet Piracy Team in the Customs and Excise Department is responsible for investigating copyright piracy on the Internet which set up its own computer forensic laboratory in 2000. 
It is responsible for providing computer forensic technical support for examining electronic evidence contained in seized computer systems. 1 6 8 Another example which sets Hong Kong SAR law enforcement apart from regional counterparts is the advanced computer forensics tools that they have devoted resources to — tools that in the past were the purview intelligence agencies. The Commercial Crime Bureau "Technology Crime Division" (TCD) has, in co-operation with the Hong Kong University of Science and Technology, developed a high-powered system to crack password-protected files. The system, known as a 'password cracking cluster', consists of 25 high-powered computers. An adaptation to the increasing use of strong encryption in the conduct of crime. 189 often informs cyber infrastructure policies. The Japanese government has, however, followed the lead of many other countries by aggressively and quietly taking back cyber space. For example, the Diet voted in March 2001 to spend slightly above US$1 mil l ion to create email monitoring software called "Kari-no-mail ." It was ready by the end of that year and is reportedly being installed on the country's ISPs ( R W B , 2003:70). If the reporting is correct, both the relative low cost and ease of implementation is notable. China State responses to criminal innovation in China are complex and as rooted in existing social and political contexts as other East Asian states discussed above. Inefficiencies and inconsistencies toward the infrastructure appear to originate within the central government where a number of different government agencies claim authority over ' IT ' and thus, the infrastructure itself. 
In 1998, the government planned to create a single body called the Ministry of Information Industry ( M i l ) for telecommunications, but because of bureaucratic competition between agencies and ministries ended up as a kind of 'home land security department' for cyber space - complete with the problems and complications that accompany the creation of extremely large, heterogeneous government bodies. The political super systems in China, called the xitongs, which organize the line ministries have created a large amount of dissonance. The clash of motivations between central and local level bureaucracies as well as the Chinese government's often unique internal logic (Mertha, 2005) are key to understanding cyber security in China. In other words, there is significant bureaucratic vulnerability to corruption and technical incapacity. This, not surprisingly, leads to problems in hiring and personnel retention in both law enforcement and intelligence agencies in China. Hong Kong S A R and China 190 often choose to hire cyber crime investigators only from within the police force and then provide them with training in computer technology. Others, such as the United States, have at times gone outside organizations to hire individuals who already have computer security expertise and then provide them with training in various aspects of law enforcement. P R C Police forces face broader capacity problems in a unique social political context. In China responses criminal innovation are also hampered by exogenous variables like the slow pace o f law enforcement reform and what one scholar calls the the crisis of legitimacy crisis. "Police law reform legislation, such as the Police Law, is making an impact in revolutionizing modernising, and institutionalising the police of the P R C " which has resulted in an uncertain result that has been impossible to measure (Kam, 2005:11-12). 
This, in addition, to poor funding and high levels of corruption have left many law enforcement efforts in mainland China blunted. The focus for the government in Beijing remains political control over cyber space, rather than law enforcement. The government is also pushing for an internationalization of cyberspace which is designed to buttress rather than supplant its controls "at the borders" (Neil l , 2005:18). The 'internationalization' here is more akin to the making of state centric enforcement and regulatory regimes. This tandem approach to cyber infrastructure security is perhaps the best example of the tensions between internationalization and the desire to stem the i l l -effects of globalization. C C P leadership and Chinese academics warned about the ways in which Internet technologies can challenge state sovereignty by magnifying so called sources of post-Cold War instability (Hughes, 2003:140). 1 6 9 The Internet enhances not only traditional 1 6 9 A recent by Villeneuve (2006) on W W W content filtering noted that states are "seeking to assert information sovereignty over their cyber-territory" (2006). China is the prototypical case. 191 state-based threats to security but also non- t radi t ional threats l i k e those f r o m d ig i t i z ing organized c r i m i n a l groups in the reg ion. M i l and C C P see these threats w i t h i n the context o f broader not ions o f g loba l power (2003:141) . W h a t has emerged then is a v i r tual rea l ism designed to consol idate and expand its in format ion territory and preserve the integrity o f its in fo rmat ion borders (2003:142) . Th is goal appears to h o l d across states but it is i n strategies where the dif ferences are to be found. S ingapore and H o n g K o n g S A R , w h i c h have taken an economic centr ic approach, are h o l d i n g the adaptation space constant, and i n a few d imensions reducing the gap w i t h c r imina l innovators . Th i s is not the case i n C h i n a . 
Here the gap is widening. The securitization of the cyber infrastructure by Beijing has put the focus on threats to the state itself and rotates on a kind of elliptical public policy orbit centred on cyber territorial integrity. Viewed from an outside perspective, this often gives it an appearance of contradiction and confusion.

East Asian region

While there are emerging, robust mechanisms to deal with cyber crime and transnational organized crime through increasingly elaborate policy frameworks, akin to the regional frameworks for combating terrorism, real progress to date has been slow. Consequently, cyber security cooperation across the Asia Pacific tends to take the form of a network of overlapping frameworks between member countries, dialogue partners and other nations from across the globe. This network relies on a tapestry of interlocking associations, agreements and arrangements that emphasize collaboration and cooperation in combating a transnational threat such as terrorism. In East Asia, many of the relevant organized crime initiatives have been subsumed under 'terrorism' in a post-9/11 world. Action has been taken in the region to enhance bilateral and multilateral cooperation to combat terrorism through the Association of South East Asian Nations (ASEAN), the ASEAN Regional Forum (ARF), and the Asia Pacific Economic Cooperation (APEC) forum. The frameworks provided by these organizations are based on the global instruments for terrorism and transnational crime together with region-specific instruments.[170] The effectiveness and progress thus far have been minimal.
East Asian states are being pushed to adopt the Council of Europe's Convention on Cybercrime, and it is possible that points from it will be adopted into national legislation, but progress has been slow (Urbas, 2001; APEC-TEL, 2002). Other examples of cyber security networking include a conference on strengthening international law enforcement cooperation to deal with cyber crime, held in July 2003 by the Asia-Pacific Economic Cooperation (APEC) e-Security Task Group. By 2004 ASEAN was to set up a framework to share information in order to respond to incidents like fast-spreading viruses or other forms of "cyber crime". Each member country was to set up a "Computer Emergency Response Team" (CERT) to coordinate the cooperation, through online exchange of information on cyber crime activities via the ASEAN Secretariat as well as the sharing and analysis of critical intelligence information. A related APEC initiative is the 'Cybersecurity tool kit', which is to be developed jointly with several business organisations including Microsoft. To date, few, if any, of these initiatives have borne fruit, suggesting that it will be bilateral modalities, rather than regional coordination, that matter in the fight against criminal innovation. The role of the US in the region should not be discounted. There are two reasons for this.

[170] A partial list of notable regional frameworks includes: 1) ASEAN Declaration on Transnational Crime, 1997; 2) ASEAN Ministerial Meeting on Transnational Crime (AMMTC); 3) ASEAN Chiefs of National Police (ASEANAPOL); 4) Senior Officers Meeting on Transnational Crime (SOMTC); 5) ASEAN Plan of Action to Combat Transnational Crime; 6) APEC Shanghai Summit; 7) ASEAN Regional Forum statement on Cooperative and Counter-Terrorist Action on Border Security, June 2003; 8) APEC forum meeting, Bangkok, 2003, agreement on measures for terrorism and transnational crime.
First, the US case is useful not necessarily as a benchmark of optimal adaptation but as a comparative tool, using the 'biggest' case of cyber security responses. Second, the adaptive process in the East Asian cases does not take place in a vacuum. The US itself is engaged in its own unique coevolutionary process against criminal innovation using the cyber infrastructure. The extra-regional influence on the strategies and tactics being adopted in many regional cases cannot be discounted. The US has exported much of its own security concerns to other states and, along with them, a set of norms as to the conduct of both law enforcement and intelligence toward the cyber infrastructure. One example was the early cooperation between the US Federal Bureau of Investigation (FBI) and the Indian Central Bureau of Investigation (CBI) in 2000 to fight cyber crime in India. After FBI experts trained Indian policemen to handle computer crimes, the Indian CBI went on to set up its own cyber crime unit (BBC News, 2000b). In February 2004, the CBI announced that it would soon begin networking with nine other Asian countries through a 'Cyber Crime Technology Information Network System' (CTINS) initiated by the National Police Agency of Japan (newindpress.com, 2004). The US has offered bilateral assistance arrangements to train law enforcement and policy makers in the Philippines, for example, but most were seen as free trips to California, and as such the Philippine government frequently uses the training programs offered by the US as a reward system, sidelining most of the individuals working in line agencies (Confidential Interview, Manila 2003). Most of the externally funded strategies in the Philippines have failed primarily because of graft and mismanagement. This is troubling because the Philippines is the weak link in East Asian cyber security. Here the role of low levels of state capacity becomes clear.
Most of the patterns of bilateral engagement by the US in East Asia on cyber infrastructure security matters originate in the Clinton administration. The 1994 Communications Assistance for Law Enforcement Act (CALEA) made mandatory the installation of remote access to digital switches so that cyber infrastructure traffic would be available to law enforcement. As opposed to the UK NHTCU, which has a confidentiality charter, the US opted for what is often perceived as heavy-handed legislation.[171] The California Database Breach Notification Security Act, or California Senate Bill 1386, requires organizations to notify California residents when they believe personal data has been compromised. These domestic policy initiatives were watched carefully by East Asian states, as possible models for domestic control of their own cyber territories but also because much of Asia's Internet traffic gets routed through the US, creating concerns about security.

East Asia in an international context

Two approaches have emerged for international legal frameworks and cyber crime. Pocar notes that:

On the one hand, they provide for the duty of contracting states to implement internationally agreed norms within their own borders, with a view to bringing the legal system of contracting states closer both as to the substance and the practice of criminal law. On the other hand, these rules establish procedures for relevant international relations, aimed at providing such forms of cooperation between national judicial authorities as may interact with each other both swiftly and efficiently (Pocar, 2004: 31).
There are three central problems that states must overcome in order to halt the growth of the gap between TOC innovation and responses by law enforcement: 1) procedural challenges; 2) assimilating different jurisprudential systems; and 3) ensuring offences in one country are actually offences in another. The central problem in East Asia that exacerbates or diminishes national policies and strategies is the growing digital divide between states in the region. Digitally rich states with high institutional capacity are now faced with low digital capacity neighbours. One successful international effort designed, in part, with this in mind is the Financial Action Task Force (FATF). The FATF is a good example of the state and legitimate non-state actors, for example banks and other financial institutions, marshalled together in a network to fight nimble money laundering networks that frequently use jurisdictional arbitrage as a cornerstone of both their tactics and strategies. A critical component of the response to cyber threats must be the development of effective intelligence analysis, responding to what is different about intelligence gathering and analysis in cyberspace and what sets it apart from more traditional intelligence pursuits (Williams, Shimeall and Dunlevy, 2002). The mixing of both intelligence-based and law enforcement-based strategies comes with its own set of liberal democratic dilemmas. As one scholar noted, "there exist examples in US history of a danger implicit in the pursuit of RMA-type information- and intelligence-gathering systems, namely the expansion of government power at the expense of civil liberties and libertarian values" (Morgan, 2003).

[171] It is important to point out, though, that there is currently a proposal in the UK to revive the idea of key escrow systems for encryption keys, an idea that was roundly rejected in the US.
As the nexus between organized crime and high-technology criminal innovators becomes more securitized, these dilemmas will be more salient within national contexts. Can the state in East Asia marshal its own networks of cooperation? Or will it rely on traditional state-based legal institutional frameworks to combat illicit networks?[172] East Asian governments have begun to report incidents and share information with other governments and are now part of international teams that are members of a global affiliation known as the Forum of Incident Response and Security Teams (FIRST). But other than Australia, Singapore, Hong Kong SAR and Japan, few states have managed to narrow the widening gap. Not surprisingly, East Asian states with pre-existing low levels of capacity are most susceptible to jurisdictional arbitrage and will likely remain compromised cyber spaces for the foreseeable future.

[172] As mentioned above, the issue of money laundering, security, and the cyber infrastructure falls beyond the scope of this study. It is, however, a critical case in understanding the full extent of the nexus between TOC and cyber infrastructure based actors, and their impact on security. As for the potential for states to marshal networks to fight networks, the picture and potential are unclear. The strategy may make sense for certain problems but there are so few cases (of either success or failure) that a full assessment is not possible.

Uneven adaptation spaces

The coevolutionary gap between criminal innovators and state response mechanisms in East Asia is profoundly uneven: in one dimension the growth of the gap is nominal, and in others it is widening. Ultimately, the threat posed by these processes to security depends on how security is defined. At the individual level there is empirical evidence to suggest that the threat emanates from both criminal elements and the state itself.
What is interesting is that there does not appear to be a threat to the cyber infrastructure itself. This is important because both TOC and NTOC groups require the infrastructure to thrive, as much as the state does. Recall DK Matai's theory linking socio-political instabilities in the international system to cyber infrastructure incidents. Part One of this dissertation found that there is some evidence in support of a connection, especially through the level of the rule of law in East Asia. The conclusions in Part Two regarding state capacity, the problem of jurisdictional arbitrage and the profoundly uneven adaptation space between criminal innovators and state responses bring the discussion full circle. The role of jurisdictional arbitrage and the idea of threats coming from 'inside' and 'outside' a state, from both traditional and non-traditional organized criminal groups, produce a paradox. That is, the act of closing the adaptive gap in one state pushes the problem to weaker states, creating an increasing threat from 'outside' a state's cyber territory. It is unlikely that, in the short run, the gap between criminal innovators and system intruders on one side and state responses on the other will fundamentally alter their capacity to threaten the security of states in the region. However, the adaptive competitive process is strongly influenced and, in part, driven and constrained by existing security pressures, capacity, and unique security cultures.

Conclusion: Bowing to Quirinus

Introduction

The relationship between technology and power changes rapidly. In many ways the cyber infrastructure has ushered in an age of electronic uncertainty as states in East Asia navigate their way through multiple security modes and modalities. This is not without historical precedent. For example, during the late 1800s, in the post-Crimean War period, the British Navy, and indeed all navies, faced rapid technological change.
Naval power leading up to this period had changed little, relying on wooden ships and cannon. The introduction of metal plating and steam power kicked off a coevolutionary competitive process between armour thickness and firepower among navies; a competitive process into which tactics and strategy were also drawn. Some states were able to initiate rapid adaptation processes, but this was a trajectory that left many naval powers with rag-tag collections of ships that reflected the fits and starts produced by the rapid change in technology. Like the major navies of the late 1800s, cyber warfare and infrastructure security is a patchwork of various tactics, strategies and technologies with seemingly little symmetry of purpose or trajectory. This age of uncertainty in the infrastructure has produced a patchwork collection of technical and cultural adaptations. In light of the results on cyber infrastructure security issues, it seems that the more complicated a perceived vulnerability or threat is, the more likely it is that there will be disconnects in the securitization process. Gaps begin to grow between threat perception and reality. The Internet has gone through, or is currently going through, a unique period of securitization, in different ways in different societies, but the process remains incomplete, and in some cases it is desecuritizing. It is true that threats from the Internet and to the Internet are no longer associated with the stateless geography of the "hacker" but with real, often geopolitical, geographies. The result is the territorialization of the Internet and of how state actors understand it. To state this in more blunt terms: a new virtual realism is emerging. Yet the linkages between the existential threats and the performative acts are becoming too difficult to understand and articulate outside of technically minded epistemic communities.
How this links to the finding that institutional capacity is positively related to the state's capacity to fully protect the cyber infrastructure from a growing number of compromised nodes is unclear. The Internet and its constituent components and applications have increased the importance of non-state actors in matters of national and international security. The assumption here is that these actors become both challengers and new providers of security, usually because they have adapted to the new network environment faster than state institutions and organizations. It is unclear, however, if scholars and observers of international politics are truly cognizant of the changes taking place. One of the first explicit treatments of the subject of information technologies and their impact on international politics observed that politics would pay little attention to IT unless it had the potential for weapons development or for "explicit means of extending one nation's power and influence over others" (Murphy 1986: ii). It is important to emphasize that perspectives on the impact of the Internet on security since the early 1980s have not necessarily predicted the whittling away of state autonomy. But they do suggest that change brought about by technologies like the Internet requires a rethinking of strict state-centric models of security.

Compromised Nodes, Stability and Security

The central question for Part One of this study was: across an upper stratum of countries, what factors best explain the variation in compromised nodes? The 'foil' for Part One was DK Matai's theory that cyber infrastructure instabilities could be associated with geopolitical instabilities.
Controlling only for the size of the economy and the level of Internet technology diffusion, the level of the rule of law mattered above and beyond the level of cyber infrastructure diffusion. In East Asia, the rule of law had a greater impact on the number of compromised nodes. This goes a long way to explaining why countries in that region such as South Korea and Singapore, which have similar levels of diffusion, have such dissimilar numbers of compromised Internet devices. There is no evidence, however, of a difference between democracies and non-democracies in their ability to control the number of compromised nodes. Cross-nationally, the level of democracy did not appear to be a factor. Nor did it help explain inter-regional variation between East Asia and the rest of the world. A key implication of this result is that non-democratic regimes do not necessarily have an "authoritarian advantage" in controlling the number of compromised nodes, nor are they any more susceptible to instabilities in the cyber infrastructure. Regime type does not matter. The role of political institutional factors in explaining country differences in regression slopes was of particular interest. At a fundamental level, states are responsible for creating and maintaining the laws, policies and practices toward the security and integrity of the Internet. Unlike the level of democracy, the rule of law does appear to be linked to the dependent variable. The measure of the rule of law used in this study is, from an institutional perspective, broad. Future research should explore what particular features of a state's legal norms and traditions influence the integrity of the Internet in national contexts. It appears, then, that DK Matai was half right.
The rule of law, as a broad proxy measure for stability and institutional capacity, can be linked to cyber infrastructure instabilities as measured by the number of compromised nodes, but only in East Asia. Ralf Bendrath's (2003) gap between cyber threat perception and reality is now a little narrower. Conflating traditional and non-traditional concepts about what constitutes security in an era of rapid diffusion of information technologies is part of the appeal of a node-based level of analysis. Whether the issue is cyber warfare between states, critical infrastructure protection or criminal innovation, at the root of each security dilemma that emerges from each dimension is the problem of the compromised node. Understanding this requires framing technologies such as the Internet not just as a mode of communications but also as an environment that provides the ability to act at a distance. The use of a node-based framework, as opposed to a network level of analysis, proved to be useful in one sense, but like frameworks based on the structural idea of networks, it has its limits. From a 'technical' point of view of cyber infrastructure security, it is the compromised node that is one of the central problems in a digitizing world, both in physical and theoretical terms. Other approaches used in International Relations to study security and the information revolution commonly employ more traditional frameworks built around the international system or the state and, more recently, the "network" level of analysis (Deibert 2002).
Using a node-based level of analysis allows for a contribution to the 'broadening of security' project that has occupied much of the International Relations literature recently and at the same time grounds the research in the technical realities that are often overlooked or misunderstood. Deibert's (2002) idea of a network security image also allows for this, as does his concept of "collective images" of cyber infrastructure security: state, national, private and network. The network image, as Deibert articulates it, is an intersubjective frame and is thus another referent open for empirical study (2002, 2003). Like the compromised node level, the network security image is not a theory but a way of structuring empirical research using data derived from the infrastructure itself.[173] This study's use of a large-N data set presents results that are suggestive but far from conclusive. The next step in the quantitative cross-national research is clear. The cross-sectional design used for this study is limited in its explanatory power. The use of longitudinal or time-series based statistical research would greatly increase confidence in the results presented here. This next step in the research would see the DShield data for the period 1999-2005 gathered and processed in order to confirm the findings presented in Part One. A time-series design based on all data from 1999-2004 would increase both the validity and reliability of these findings and at the same time allow for more precision in the noise reduction techniques, especially for the 'on-off' behavioral patterns found in both this study and the Yegneswaran et al. research.[174]

The nexus and coevolutionary adaptation

The choice to focus on East Asia for this study was timely. The region provides a diversity of actors.
There is no other region in the world where there are extremely deep Internet diffusion patterns and where there are both non-democratic and democratic regimes. Indeed, East Asia has now surpassed other regions in use of technology. Alongside state actors in the region, and often at odds with them, are a host of non-state actors that are taking advantage of rapid Internet diffusion. This relationship between the state and sophisticated organized crime gives the rest of the world a look into one possible future; a future where those that possess the technological upper hand, and are willing to use it, can circumvent state responses almost at will. From Part Two of the dissertation, a number of conceptual conclusions can be drawn. First, the co-evolutionary competitive processes spurred on by traditional and non-traditional organized criminal innovation have produced an uneven adaptation space in East Asia. There are points where the gap is narrowing, points where the gap has seen very little change, and points where it is widening. The key driver of this uneven adaptation space is the problem of jurisdictional arbitrage.

[173] There are few examples of this type of research design in International Relations and security studies. The OpenNet Initiative (http://opennet.net) is one of the exceptions.

[174] For more on noise reduction techniques in general and within the context of intrusion detection systems see Barford, Jha and Yegneswaran (2004). The reader should also be aware of Internet background radiation or cyber background noise. In Pang et al. (2004) researchers showed that monitoring any portion of the cyber infrastructure will reveal "incessant" activity. This background radiation is made up of "fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations)" (2004).
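The noise-reduction problem raised in footnote 174, and the 'on-off' source behaviour that the time-series plan earlier in this chapter singles out, are easier to see with a concrete filter. The Python below is an added illustration written for this edition; it is not code from the dissertation, from DShield, or from the Pang et al. (2004) or Yegneswaran et al. studies. The log records are constructed in a simplified DShield-like shape (hour bucket, source, destination, destination port), the addresses come from documentation ranges, and the classification thresholds are assumptions chosen to separate the three behaviours present in the sample (a source seen in at least three quarters of the hour buckets against three or more targets on at most two ports is treated as background radiation; a source with two or more separated bursts of activity is treated as 'on-off'), not parameters taken from any of those studies.

```python
"""Separate incessant scanning noise from 'on-off' sources in DShield-style logs.

Added illustration: not code from the dissertation, DShield, Pang et al. (2004)
or Yegneswaran et al. The thresholds in classify() are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample (not real DShield data) in a simplified record shape:
# "<hour bucket> <source IP> <destination IP> <destination port>".
# Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """
0 198.51.100.7 203.0.113.10 445
0 198.51.100.7 203.0.113.11 445
1 198.51.100.7 203.0.113.12 445
2 198.51.100.7 203.0.113.10 445
3 198.51.100.7 203.0.113.13 445
4 198.51.100.7 203.0.113.11 445
5 198.51.100.7 203.0.113.10 445
6 198.51.100.7 203.0.113.14 445
7 198.51.100.7 203.0.113.10 445
8 198.51.100.7 203.0.113.12 445
9 198.51.100.7 203.0.113.10 445
10 198.51.100.7 203.0.113.11 445
11 198.51.100.7 203.0.113.10 445
0 198.51.100.8 203.0.113.20 22
1 198.51.100.8 203.0.113.20 22
2 198.51.100.8 203.0.113.20 80
7 198.51.100.8 203.0.113.20 22
8 198.51.100.8 203.0.113.20 22
9 198.51.100.8 203.0.113.20 80
5 198.51.100.9 203.0.113.30 3389
"""

N_BUCKETS = 12  # the constructed sample covers hour buckets 0..11


@dataclass
class SourceProfile:
    """Per-source summary: when it was seen, whom it hit, on which ports."""
    active: Set[int] = field(default_factory=set)
    targets: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)


def parse_log(text: str) -> List[Tuple[int, str, str, int]]:
    """Parse the constructed record shape into (bucket, src, dst, port) tuples."""
    records = []
    for line in text.strip().splitlines():
        bucket, src, dst, port = line.split()
        records.append((int(bucket), src, dst, int(port)))
    return records


def profile_sources(records) -> Dict[str, SourceProfile]:
    """Aggregate records per source IP."""
    profiles: Dict[str, SourceProfile] = defaultdict(SourceProfile)
    for bucket, src, dst, port in records:
        profiles[src].active.add(bucket)
        profiles[src].targets.add(dst)
        profiles[src].ports.add(port)
    return dict(profiles)


def on_runs(active: Set[int], n_buckets: int) -> int:
    """Count maximal runs of consecutive active buckets (the 'on' phases)."""
    runs, prev_on = 0, False
    for b in range(n_buckets):
        now_on = b in active
        if now_on and not prev_on:
            runs += 1
        prev_on = now_on
    return runs


def classify(p: SourceProfile, n_buckets: int) -> str:
    """Assumed heuristic (not from the cited studies):
    - 'background': present in >= 75% of buckets, >= 3 targets, <= 2 ports
      (the worm-style scanning Pang et al. describe as incessant);
    - 'on-off': not background, but two or more separated bursts;
    - 'sporadic': anything else (a single burst or a one-off hit).
    """
    coverage = len(p.active) / n_buckets
    if coverage >= 0.75 and len(p.targets) >= 3 and len(p.ports) <= 2:
        return "background"
    if on_runs(p.active, n_buckets) >= 2:
        return "on-off"
    return "sporadic"


def classify_log(text: str, n_buckets: int = N_BUCKETS) -> Dict[str, str]:
    """Label every source in a log; returns {source IP: label}."""
    return {src: classify(p, n_buckets)
            for src, p in profile_sources(parse_log(text)).items()}


def denoised_sources(text: str, n_buckets: int = N_BUCKETS) -> List[str]:
    """Sources left after dropping background radiation, sorted for stable output."""
    return sorted(src for src, label in classify_log(text, n_buckets).items()
                  if label != "background")


if __name__ == "__main__":
    for src, label in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
    print("kept:", denoised_sources(SAMPLE_LOG))
```

On the constructed sample the incessant port 445 scanner is labelled background and dropped, the source that appears in two separated bursts is labelled on-off, and the single hit is labelled sporadic. The point for a compromised-node count is that the first class should be removed before per-country aggregation, while the on-off sources are the ones whose intermittent appearance inflates or deflates a cross-sectional snapshot depending on when the sample is taken; a longitudinal design can count such a source once per burst rather than once per sample.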
The key difference between TOC and NTOC groups is their ability or desire to use the cyber infrastructure to perform a jurisdictional "jump". TOC groups in East Asia that had some connection to systems intruders in the nexus are less likely to use the cyber infrastructure to escape unfavourable jurisdictions, primarily because "cyberspace" does not fundamentally change the very 'local' environment in which they operate. NTOC groups, by contrast, appear to make the most use of botnets and the services they provide, for example to obscure their communications from eavesdropping by the state. This coevolutionary competitive process is made somewhat more complicated by state actors that behave both as 'competitors' against criminal innovation using the cyber infrastructure and as passive supporters of the data mining enabled by the growth of bot networks. The loss-of-control thesis presented earlier, which paints a rather stark picture of the state as driven by purely territorial control interests, is now not so clear or uniform across countries. In the East Asian context, it may be less about recovering some sense of a lost autonomy in the cyber infrastructure and more about power gains and traditional notions of security. This result moves beyond Shields' (2005) analysis, which situated the state as a bounded international actor reacting to a perceived loss of control. Further complicating and frustrating state responses to the nexus between organized crime groups and network intruders is the emergence of relatively stable black markets for stolen data, especially in the cases presented here, which are driven by the growth of botnets. The relationship between botnets, black markets and both traditional and non-traditional organized crime is supported by an emerging pseudo cyber infrastructure that can provide an array of services and capabilities to various non-state actors.
Again, the key to this alternate or pseudo infrastructure is jurisdictional arbitrage. Even though the regional diffusion of the cyber infrastructure has enabled regional states, it has also exposed them to a new array of threats. These threats come from within and across national boundaries, making it difficult for governments to unilaterally securitize emergent threats from the cyber infrastructure. As a result, it is becoming increasingly necessary for East Asian governments to protect their interests by working together. To do so effectively will require taking the policies and processes used to encourage regional integration in other sectors of cooperation and transferring them into the realm of the cyber infrastructure. From both Part One and Part Two, a number o