Information Warfare Monitor


The Information Warfare Monitor was an advanced research activity tracking the emergence of cyberspace as a strategic domain. Created in 2003, it closed in January 2012. It was a public-private venture between two Canadian institutions: The SecDev Group, an operational think tank based in Ottawa, and the Citizen Lab at the Munk School of Global Affairs, University of Toronto. The Principal Investigators and co-founders of the Information Warfare Monitor are Rafal Rohozinski and Ronald Deibert. The Information Warfare Monitor is part of the Citizen Lab’s network of advanced research projects, which include the OpenNet Initiative, the Fusion Methodology Centre, and PsiLab.
It was an independent research effort and its stated mission was to build and broaden the evidence base available to scholars, policy makers, and others.
The research of the Information Warfare Monitor was supported by the Canada Centre for Global Security Studies, a grant from the John D. and Catherine T. MacArthur Foundation, in-kind and staff contributions from the SecDev Group, and a donation of software from Palantir Technologies Inc.

History

The Information Warfare Monitor was founded in 2003 by Rafal Rohozinski and Ronald Deibert, as a sister project to the Open Net Initiative of which Deibert and Rohozinski are principal investigators along with John Palfrey and Jonathan Zittrain.
Between 2003 and 2008, IWM carried out a number of studies, including monitoring the status of the Iraqi Internet during the 2003 invasion, the 2006 Israel-Hezbollah war, the 2008 Russian Georgian war, and the January 2009 Israeli operations in Gaza.
The Information Warfare Monitor was also an organizing partner for two Russia-NATO workshops examining information warfare and cyber terrorism.
The Information Warfare Monitor project closed in January 2012, having conducted advanced research activity tracking the emergence of cyberspace as a strategic domain.

Activities

The Information Warfare Monitor engages in three primary activities
Case studies - The Information Warfare Monitor designs and carries out active case study research. These are self-generated activities consistent with the IWM's mission. It employs a rigorous and multidisciplinary approach to all case studies blending qualitative, technical, and quantitative methods. As a general rule, its investigations consist of at least two components:

Field-based investigations - The IWM engages in qualitative research among affected target audiences and employ techniques that include interviews, long-term in situ interaction with partners, and extensive technical data collection involving system monitoring, network reconnaissance, and interrogation. Its field-based teams are supported by senior analysts and regional specialists, including social scientists, computer security professionals, policy experts, and linguists, who provide additional contextual support and substantive back-up.
Technical scouting and laboratory analysis - Data collected in the field is analyzed using a variety of advanced data fusion and visualization methods. Leads developed on the basis of infield activities are pursued through “technical scouting,” including computer network investigations, and the resulting data and analysis is shared with infield teams and partners for verification and for generating additional entry points for follow-on investigations.
Open source trend analysis - The IWM collects open source information from the press and other sources tracking global trends in cyberspace. These are published on its public website.
Analytical workshops and outreach - The IWM works closely with academia, human rights organizations, and the defense and intelligence community. It publishes reports, and occasionally conducts joint workshops. Its work is independent, and not subject to government classification, Its goal is to encourage vigorous debate around critical policy issues. This includes engaging in ethical and legal considerations of information operations, computer network attacks, and computer network exploitation, including the targeted use of Trojans and malware, denial of service attacks, and content filtering.

Publications

Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform (2008)

In 2008, the Information Warfare Monitor discovered a surveillance network being operated by Skype and its Chinese Partner, TOM Online, which insecurely and routinely collected, logged, and captured millions of records.

Tracking GhostNet: Investigating a Cyber Espionage Network (2009)

In 2009, after a 10-month investigation, the Information Warfare Monitor discovered and named GhostNet, a suspected cyber-espionage operation, based mainly in the People's Republic of China, which has infiltrated at least 1,295 computers in 103 countries. 30% of these computers were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

Shadows in the Cloud: Investigating Cyber Espionage 2.0 (2010)

In their 2010 follow-up report, Shadows in the Cloud: Investigating Cyber Espionage 2.0, the Information Warfare Monitor documented a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The investigation recovered a large quantity of stolen documents – including sensitive and classified materials – belonging to government, business, academic, and other computer network systems and other politically sensitive targets.

Koobface: Inside a Crimeware Network (2010)

Having discovered archived copies of the Koobface botnet's infrastructure on a well-known Koobface command and control server, Information Warfare Monitor researchers documented the inner workings of Koobface in their 2010 report, Koobface: Inside a Crimeware Network. Researchers discovered that in just one year, Koobface generated over US$2million in profits.