An analysis of the United States' cyber threat attribution capability and its influence

Posted by santillano at 2020-02-28

Number of words in this paper: 1995

Reading time: 6 minutes

In recent years, the United States and like-minded countries have issued a large number of APT reports, including APT1, APT3 and APT10 (attributed to China), APT28 and APT29 (attributed to Russia), and APT37, APT38 and the Lazarus Group (attributed to North Korea), and have initiated judicial proceedings against individuals from China, Russia, North Korea and other countries. The attribution of APT groups has become an important element of the contest in cyberspace, with a significant impact on the global cyberspace security situation.

1. Characteristics of the United States' cyber threat attribution capability

The U.S. government attaches great importance to building its cyber threat attribution capability. The first national security strategy of the Trump administration stressed the need to "invest in capabilities to support and improve our ability to attribute cyberattacks, to allow for rapid response." Since 2018, major U.S. policy documents have repeatedly emphasized the importance of building traceability capability, which serves as the main basis on which the U.S. military implements countermeasures.

First, the United States has built a cyber threat attribution system in which government and industry cooperate. U.S. cyber security companies are the main force in tracking APT groups. Many of them, such as FireEye and Symantec, collect and analyze data and intelligence at a level comparable to government intelligence and law enforcement agencies. These companies also cooperate and respond to one another in technology and data, taking turns in tracking a given APT group, working as a system, and quickly producing an overwhelming effect. Judging from what has been disclosed, many U.S. cyber security companies have carried out wide-ranging tracking and correlation analysis around the characteristics of the relevant groups, and their findings show a high degree of consistency.

Second, the United States has outstanding advantages in technology and data. The reports issued by U.S. security companies carry such weight because they have strong technical support and can form a chain of evidence at the technical level. The published tracking processes for APT3 and APT10 show that the global data held by the United States plays a key role, something no other country can match. In its analysis, the anonymous group Intrusion Truth even drew on WHOIS records and social-application data, such as Uber account data, dating back to 2009. Without the support of the U.S. government, such early records and social-application data are difficult for ordinary organizations to obtain.

Third, there are obvious political factors guiding U.S. cyber security companies to actively develop cyber threat attribution capability. The current pattern of U.S. exposure of APT groups is clearly political: it highlights APT groups backed by national governments, focuses on U.S. competitors or specific "problem" countries, and does not cover intrusions carried out by the U.S. government and its allies. Private U.S. cyber security companies and the government cooperate very closely; through cyber defense contracts, the two have formed a tightly knit and very large cyber security industrial complex.

2. The global impact of U.S. cyber threat attribution

At present, the United States has a cyber attack attribution capability that is highly asymmetric relative to other countries. This not only strengthens its voice in cyberspace, but also has a potentially significant impact on the global cyberspace security system.

First, it reflects the strong network monitoring capability of the United States and poses a direct threat to the cyber security of other countries. The APT groups exposed globally so far are concentrated in China, Russia, North Korea, Iran and a few other countries, while very few are linked to the United States. This in turn shows that the United States has nearly achieved one-way transparency over other countries in cyberspace. Through government-industry cooperation and international mechanisms such as the Five Eyes alliance, the United States conducts in-depth information cooperation and data sharing among its agencies and allies, and carries out comprehensive monitoring and surveillance of cyberspace activity in other countries, which greatly threatens their security. According to the information disclosed by Snowden, U.S. intelligence agencies have fully adopted big data technology in network monitoring and reconnaissance: they automatically analyze and screen intercepted mass data for valuable information using keywords, voice and image features, and consolidate the high-value results.

Second, the combination of attribution with law enforcement constitutes a real deterrent to other countries' activities in cyberspace. In recent years, the U.S. government has repeatedly combined cyber attribution with law enforcement and economic sanctions to strike at its opponents. The APT groups disclosed by the United States have mostly been revealed shortly before or after the government issued foreign policies aimed at other countries, in order to demonstrate the legitimacy of those policies. U.S. cyber attribution capability has thus become an international deterrent and an important pillar of the U.S. cyber deterrence strategy, and other countries must be increasingly cautious under this deterrence. The Trump administration's national cyber strategy once again emphasizes deterrence combined with attribution. It can be predicted that U.S. cyber security companies and law enforcement agencies will further strengthen their attribution capability and their investigation of cyberspace security incidents. The United States has always regarded China, Russia, Iran and North Korea as the main threats in cyberspace, and tracing actions against China and Russia will become more frequent, leaving China and Russia in a more unfavorable international cyberspace environment.

Third, attribution identifies targets and thereby provides a basis for cyber attacks on other countries. The offensive intent of U.S. cyber strategy is increasingly obvious: many cyberspace strategies issued by the U.S. Department of Homeland Security, the Department of Defense and the White House emphasize attribution and countermeasures against cyber attacks. The 133 teams of U.S. Cyber Command's Cyber Mission Force have reached full operational capability. In addition, on August 15, 2018, Trump rescinded Presidential Policy Directive 20 (PPD-20), signed by Obama, removing the requirement that cyber operations which could have "significant consequences" pass through layers of approval, including the president's. Senator Mike Luntz praised the decision, saying the replacement "will allow the military to act more rapidly" and give Cyber Command more freedom. U.S. cyber attribution measures are likely to become the main basis for launching cyber warfare.

Fourth, the United States continuously publicizes the threat of Chinese and Russian APT groups and uses the opportunity to promote the application of the law of armed conflict to cyberspace. One of the core differences between China and Russia on one side and the United States and Western countries on the other over how international law applies to cyberspace is the militarization of cyberspace. The United States hopes that the law of armed conflict can be applied to cyberspace, so that its absolute advantage in cyber attribution technology can provide an international legal basis for "self-defense" by conventional military force. China and Russia, with their more limited traceability technology, should avoid being too passive, losing their voice entirely and remaining exposed to the risk of physical attack for a long time. The U.S. has long hyped the threat of APT groups from other countries, and this also serves its struggle for dominance over international law in cyberspace.

Cyberspace Security Civil Military Integration Innovation Center

As China's first platform for civil-military integration in cyberspace security, the center focuses on national cyberspace defense, explores an innovative civil-military integration model for the development of national cyberspace defense equipment, and is committed to building a private think tank for military equipment development in the field of cyberspace security.