
Image: Courtesy of Jamie Napier



‘Things Are About to Get Worse:’ GIJC23 Keynote Speaker Ron Deibert On the Battle Against Hidden Cyber Threats

Editor’s Note: Ron Deibert, director of the Citizen Lab, will be the keynote speaker at the 2023 Global Investigative Journalism Conference (GIJC23) in Gothenburg, Sweden, this September. The deadline to register for the conference is this Sunday, Sept. 3.

Ron Deibert first sounded the alarm about a coming global information security crisis when founding his trail-blazing laboratory in 2000.

In a pitch to Ford Foundation funders, he warned that — contrary to widespread optimism about the internet’s potential to democratize societies and empower citizens — governments would likely exploit the internet to surveil dissidents, censor adversaries, block websites, and foster mass disinformation.

“The way I framed it was to work as a kind of counter-intelligence unit for global civil society,” Deibert recalls. “Because of my background studying intelligence and doing some security work for the Canadian government, I thought all this optimism was naive. I wanted to do evidence-based research and data gathering to see if governments were actually able to control the internet. I knew they’d been tapping telephone lines for decades — surely they would do this with the internet too?”

The project that emerged from his warning was the Citizen Lab — a humble university project that, remarkably, is now a key player in civil society’s battle against widespread surveillance of dissidents and journalists by private government contractors, targeted censorship and DDoS attacks, and digital assaults on truth and the free press by a rising tide of autocrats. Housed at the University of Toronto’s Munk School of Global Affairs & Public Policy, this interdisciplinary research unit not only produces regular research reports on hidden cases of information warfare and cyber espionage — from Mexico and China to the UAE and Ukraine — but also actively assists journalists in major investigative projects.


Image: Screenshot, the Citizen Lab

As director of the Citizen Lab, Deibert, 58, will be the keynote speaker at the 2023 Global Investigative Journalism Conference (GIJC23) in Gothenburg, Sweden, in September. And his warnings about the new cyber threats to independent journalism and democracy at that event promise to be even more ominous, and even more prescient.

While he wouldn’t reveal details of that speech — set for the conference’s opening day, September 20 — Deibert described some of the major cyber espionage firms he has already exposed as “like a privatized Mossad” — and warned that small “hacking-for-hire” outfits are multiplying at the fringes of this covert industry.

“There’s a general descent into authoritarianism — even fascism — sweeping across the world; the last thing we need, as we face existential crises for the planet,” Deibert notes. “Add to this these tools, and it creates a very disturbing perfect storm for democratic institutions. The spyware threat is very acute, because the market is very difficult to regulate, and it is very enticing for governments to have this capability.”

A Career Probing the Security of Cyberspace

Deibert, a professor of political science at the Munk School, was formerly a co-founder and principal investigator of the OpenNet Initiative and the Information Warfare Monitor. His books include “Black Code: Surveillance, Privacy and the Dark Side of the Internet,” and “RESET: Reclaiming the Internet for Civil Society.”

“I didn’t imagine doing the forensic work the way we have been doing recently,” he explains. “What we were doing early on was more like network scanning — identifying patterns of internet censorship worldwide, and figuring out what technologies were being used to do the filtering.”

The Citizen Lab is based at the Munk School of Global Affairs and Public Policy at the University of Toronto. Image: Wikipedia, Creative Commons

Deibert says the report that put the Citizen Lab “on the map” — and on a path to sharp-edged forensic work that has exposed bad actors — was its 2009 “Tracking GhostNet” project.

“This was really the first public cyber espionage report anywhere,” he says. “We collaborated with Tibetan organizations in northern India and the office of the Dalai Lama. They suspected that their computers were breached, and they turned out to be right. The China-based hackers who were eavesdropping on their computers had made an error, allowing us to see a portal on the internet that they didn’t password-protect, displaying all of their other victims. And these turned out to be a collection of very high profile government agencies, ministries of foreign affairs, and so on in 103 countries. It was a blockbuster report, and a first of its kind.”

Since then, the Citizen Lab’s targeted espionage team has released a series of blockbuster analyses, which journalists have then expanded upon with investigations into allied bad actors and human harms. In 2016, the group showed how Pegasus spyware had turned the phone of Middle East human rights defender Ahmed Mansoor into “a digital spy in his pocket.” This pioneering work led to one of the lab’s signature reports, in 2018, which revealed that this spyware by the Israeli NSO Group had likely been used by clients to infect target phones in 45 countries. In addition to assisting in the iconic “Pegasus Project” investigation — which revealed covert spying on thousands of human rights defenders, including at least 180 journalists — a 2022 report co-authored by the Citizen Lab formed the foundation for another collaborative scoop by the Forbidden Stories nonprofit which showed, stunningly, that Pegasus had infected the phones of 22 staff members of El Salvador’s independent El Faro newsroom.

In 2017, the Citizen Lab team discovered a blanket ban of the name of Nobel Peace Prize laureate Liu Xiaobo on China’s WeChat social network after his death. In 2020, lab researcher Bill Marczak discovered government purchases of a covert phone geolocation system that leaves no trace on phones — by using Internet of Things (IoT) search engines, like Shodan and Censys, to find telltale signs on digital firewalls.

“That was a great example of how investigative journalism can expose an urgent issue for deeper research, because CBC/Radio-Canada did an excellent report on SS7 (Signaling System No. 7) vulnerability in 2017,” Deibert explains. “They contracted experts to exploit SS7 to intercept the phone, and track the location, of a sitting member of parliament. The story was mind blowing, but it just kind of came and went. We were able to take advantage of a digital mistake by one company to see the actual spying that was happening. It was Bill’s discovery that they were using a firewall that had distinct fingerprints. We could then search the entire internet for telltale responses from the servers for that particular firewall, and then add contextual details.”

Countering Threats with Solutions

For Deibert, it’s important for the Citizen Lab to not only reveal hidden cyber threats and bad actors, but to spark solutions to those threats as well. For instance, prior to its public revelation of unpatched “zero day” vulnerabilities on Apple devices in its “Million Dollar Dissident” report, the lab disclosed its findings to Apple’s security team, which then issued security patches to all of its iOS, MacOS, and Safari products.

Having documented censorship technologies in authoritarian countries — as well as the vulnerabilities of existing alternative internet access strategies — Deibert’s team also incubated a pioneering, open source censorship circumvention tool that has since connected millions of users to unfiltered news. In an informal GIJN survey of exiled media editors in 2022, this easy-to-use app — called Psiphon — emerged as the one tool every editor recommended. Using a combination of encryption, multiple servers, and various “obfuscation technologies,” this free app — now operated by an independent company — allows users in repressive countries to download and safely connect to banned news sites.

“Psiphon has been operating independently since about 2009,” he explains. “It’s an information lifeline.”

Despite formidable competition for talent from private industry and government agencies, the Citizen Lab has assembled a globally diverse team with cutting-edge skills in computer science, law, and open source investigation. Deibert says the lab’s staff now totals 45 — including doctoral and postdoctoral fellows, part time researchers, and administrative and communications staff — following sharp growth during the Arab Spring in 2011, and the rise in authoritarianism and spyware in 2018.

“It’s not easy, because top people in this area could make a lot more money in the private sector,” he says. “But talented people in what we call the ‘infosec’ space have kind of gravitated to the Citizen Lab because of the mission. They see it as a place where you can do something good; you can use your skills to expose bad things and bad actors.”

He adds: “And they know we have integrity — we are not doing this for money, or on behalf of corporations or governments; in fact, quite the opposite.”

Targeted Spying Needs More Scrutiny

While many public-facing organizations have recently developed around censorship circumvention and information control research, Deibert warns that “the least covered area is targeted espionage.” The Citizen Lab remains one of a small handful doing this work, along with organizations like Access Now and Amnesty Tech lab.

“We’re very lucky to have people like Bill Marczak and John Scott-Railton on our team, who co-lead the targeted espionage unit,” he says. “They are extremely talented and devoted researchers. It’s rare to find people like that, and my role is kind of like a general manager on a sports team — I put together the team, and supply them with the tools they need.” (Deibert is also a contributing author on 120 research reports related to internet security.)

He adds: “I very much encouraged the development of Amnesty Tech, because there weren’t other groups doing this kind of work. Yes, there are those who work for governments, and you do have a big private marketplace of people who investigate this sort of stuff — but their work never sees the light of day.”

The Citizen Lab website. Image: Screenshot

Much like investigative journalism itself, Deibert says collaboration is now a key feature of information security monitoring.

“Many of our recent country reports could not have been done without collaboration with local civil society groups and organizations like Access Now and Amnesty International,” he says. “Civil society groups can help you triage the information, or identify who the victims are, so our work becomes more manageable, and allows us to focus on the forensics.”

Asked whether journalists themselves should use intrusive cyber tools to investigate bad actors, Deibert says the decision is a balance between ethics and pragmatism.

“This is a very important question that needs to be thought through carefully with the appropriate ethical considerations, and case-by-case,” he says. “Journalists don’t want to be using tools from vendors associated with horrible human rights abuses, because you’d be legitimizing those firms. But there are so many bad things going on in urgent issues that, from a pragmatic perspective, you can make the case to access this data because it will save lives, and you can do it with transparency.”

Deibert says that, by their nature, university programs must accept more constraints on their investigative methodologies than leading public interest intelligence groups, such as Bellingcat: “I greatly admire what Bellingcat does. But because we are based at a university, every method we employ that deals with human subjects, at least, has to go through peer review and a research ethics committee.”

The Citizen Lab has collaborated directly with outlets including The New York Times, The Washington Post, the Guardian, and Forbidden Stories.

“We do our work very much in tandem with reporters, depending on the subject or the area of the world,” he explains. “The flip side is that journalists can do things we can’t — for instance, they can profile the human side and document the harms in detail.”

Despite the whack-a-mole nature of cyber threats that Deibert encounters each month, he does retain some optimism for the future: “I bet that, in 10 years, there will be many organizations inspired by Bellingcat, by Citizen Lab, and by investigative journalists on this beat, and universities will build programs around this topic.”

Right now, however, he is worried. Asked for his chief concern, Deibert says this: “To me, an even bigger threat is the emergence of industrial scale disinformation services. Access to tools around AI and the production of sophisticated deepfakes and videos can be combined with hacking and social media trolling — at a time when social media companies themselves are rolling back trust and safety teams. It will be impossible to stem the flood of disinformation we’re about to face.”

He adds: “That will be a very difficult job for investigative journalists: deciphering fact from fiction, persuading audiences of what is false, finding who is behind it — and also journalists themselves becoming targets of those smears. I fear that things are about to get worse.”

Additional Resources

Reporter’s Guide to Investigating Digital Threats: Disinformation

Reporter’s Guide to Investigating Digital Threats: Digital Threat Landscape

Reporter’s Guide to Investigating Digital Threats: Trolling Campaigns

Rowan Philp, senior reporter, GIJN

Rowan Philp is a reporter for GIJN. He was formerly chief reporter for South Africa’s Sunday Times. As a foreign correspondent, he has reported on news, politics, corruption, and conflict from more than two dozen countries around the world.

Republish our articles for free, online or in print, under a Creative Commons license.
