Information Warfare Monitor

The Information Warfare Monitor (IWM) was an advanced research activity tracking the emergence of cyberspace as a strategic domain. Created in 2003, it closed in January 2012. It was a public-private venture between two Canadian institutions: The SecDev Group, an operational think tank based in Ottawa (Canada), and the Citizen Lab at the Munk School of Global Affairs, University of Toronto. The Principal Investigators and co-founders of the Information Warfare Monitor where Rafal Rohozinski (The Secdev Group) and Ronald Deibert (Citizen Lab). The Information Warfare Monitor as part of the Citizen Lab’s network of advanced research projects, which include the OpenNet Initiative, the Fusion Methodology Centre, and PsiLab.

It was an independent research effort and its stated mission was to build and broaden the evidence base available to scholars, policy makers, and others.

The research of the Information Warfare Monitor was supported by the Canada Centre for Global Security Studies (University of Toronto), a grant from the John D. and Catherine T. MacArthur Foundation, in-kind and staff contributions from the SecDev Group, and a donation of software from Palantir Technologies Inc.

History
The Information Warfare Monitor was founded in 2003 by Rafal Rohozinski (Advanced Network Research Group, Cambridge University) and Ronald Deibert (Citizen Lab, Munk School of Global Affairs, University of Toronto), as a sister project to the Open Net Initiative of which Deibert and Rohozinski are principal investigators along with John Palfrey (Berkman Center for Internet and Society, Harvard University) and Jonathan Zittrain (Oxford Internet Institute).

Between 2003 and 2008, IWM carried out a number of studies, including monitoring the status of the Iraqi Internet during the 2003 invasion, the 2006 Israel-Hezbollah war, the 2008 Russian Georgian war, and the January 2009 Israeli operations in Gaza.

The Information Warfare Monitor was also an organizing partner for two Russia-NATO workshops examining information warfare and cyber terrorism.

The Information Warfare Monitor (IWM) project closed in January 2012, having conducted advanced research activity tracking the emergence of cyberspace as a strategic domain.

Activities
The Information Warfare Monitor engaged in three primary activities:

Case studies - The Information Warfare Monitor designs and carries out active case study research. These are self-generated activities consistent with the IWM's mission. It employs a rigorous and multidisciplinary approach to all case studies blending qualitative, technical, and quantitative methods. As a general rule, its investigations consist of at least two components: Field-based investigations - The IWM engaged in qualitative research among affected target audiences and employ techniques that include interviews, long-term in situ interaction with partners, and extensive technical data collection involving system monitoring, network reconnaissance, and interrogation. Its field-based teams are supported by senior analysts and regional specialists, including social scientists, computer security professionals, policy experts, and linguists, who provide additional contextual support and substantive back-up.

Technical scouting and laboratory analysis - Data collected in the field is analyzed using a variety of advanced data fusion and visualization methods. Leads developed on the basis of infield activities are pursued through “technical scouting,” including computer network investigations, and the resulting data and analysis is shared with infield teams and partners for verification and for generating additional entry points for follow-on investigations.

Open source trend analysis - The IWM collected open source information from the press and other sources tracking global trends in cyberspace. These are published on its public website.

Analytical workshops and outreach - The IWM worked closely with academia, human rights organizations, and the defense and intelligence community. It publishes reports, and occasionally conducts joint workshops. Its work is independent, and not subject to government classification, Its goal is to encourage vigorous debate around critical policy issues. This includes engaging in ethical and legal considerations of information operations, computer network attacks, and computer network exploitation, including the targeted use of Trojans and malware, denial of service attacks, and content filtering.

Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform (2008)
In 2008, the Information Warfare Monitor discovered a surveillance network being operated by Skype and its Chinese Partner, TOM Online, which insecurely and routinely collected, logged, and captured millions of records (including personal information and contact details for any text chat and/or voice calls placed to TOM-Skype users, including those from the Skype platform).

Tracking GhostNet: Investigating a Cyber Espionage Network (2009)
In 2009, after a 10-month investigation, the Information Warfare Monitor discovered and named GhostNet, a suspected cyber-espionage operation, based mainly in the People's Republic of China, which has infiltrated at least 1,295 computers in 103 countries. 30% of these computers were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

Shadows in the Cloud: Investigating Cyber Espionage 2.0 (2010)
In their 2010 follow-up report, Shadows in the Cloud: Investigating Cyber Espionage 2.0, the Information Warfare Monitor documented a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The investigation recovered a large quantity of stolen documents – including sensitive and classified materials – belonging to government, business, academic, and other computer network systems and other politically sensitive targets.

Koobface: Inside a Crimeware Network (2010)
Having discovered archived copies of the Koobface botnet's infrastructure on a well-known Koobface command and control server, Information Warfare Monitor researchers documented the inner workings of Koobface in their 2010 report, Koobface: Inside a Crimeware Network. Researchers discovered that in just one year, Koobface generated over US$2million in profits.