There is no doubt that Denver, Colorado lies within the United States. This must be distinctly understood, or nothing wonderful can come of the story I am going to relate. If we were not perfectly convinced that this capital city existed entirely within the state of Colorado before this story began, there would be nothing remarkable about its internet traffic being routed through Virginia, New York, England, Iceland, Canada, back to Illinois, back to New York, Texas, Missouri, and finally across town to the intended recipient in Denver itself.
According to a report from Renesys published last month, this story actually took place on August 2, 2013.
The company believes that this was an example of a “man-in-the-middle” attack, where an unknown party inserted false path information, forcing internet activity through a choke point of their choosing. Their report notes that this behavior occurred on at least 60 distinct days, involving at least 150 major cities. Multiple instances between February and March were routed through Belarus. After a lapse, subsequent instances between May and August were routed through Iceland.
What does any of this have to do with research administration?
This sort of attack allows the perpetrator to intercept information without the sender or recipient being aware. In the example above, the perpetrator is unknown, and therefore so is the motive. The purpose of such an attack is to direct traffic to a location where it can be readily accessed, whether simply to take advantage of the information or to maliciously alter it in some way.
Research institutions are not considered the primary targets, but that does not mean that they are immune to the implications.
- What happens if technical data that is subject to export control passes through a foreign server?
- What happens if non-disclosed intellectual property is intercepted and made public?
- What happens if clinical trial data is exposed?
At this point, it is still a philosophical discussion, but institutions should be aware of this new risk when considering their policies concerning the transmission of data. Regulations differ with respect to encryption as a safeguard against a breach. Note the positions of the Bureau of Industry and Security (Department of Commerce) and the Directorate of Defense Trade Controls (Department of State) concerning export-controlled data. Note where unauthorized disclosure may count as prior art against intellectual property, and where an exemption can be made.
Fortunately, there has not yet been a test case involving research data exposed by this sort of attack.