On the misunderstanding of tracing the origin of network attribution (3)

Posted by barello at 2020-03-11

This is the third post in this series. Today's theme is "unknown defense, how to know how to attack".

If you are interested in the first two parts of this series, please click the link to read:

On the misunderstanding of tracing the origin of network attribution (1)

On the misunderstanding of tracing the origin of network attribution (2)

Misunderstanding three

Attribution traceability technology has no "trump card" effect and should not be the development priority of China's network security industry

In 2016, Comrade Xi Jinping pointed out clearly that we should strengthen investment in asymmetric technology and "assassin's mace" technology, strive for major breakthroughs, and achieve the shift from following to running alongside and leading. Asymmetric and "assassin's mace" technologies make it possible to achieve security and balance, even when the opponent has superior resources and leading technology, by building irresistible technical strength in a particular field and thereby creating a deterrent effect. Nuclear weapons technology is a typical "assassin's mace" technology: although, after mastering it, the number and technical level of the nuclear weapons we possess may still differ from those of the dominant hegemonic powers, opponents lack comprehensive and effective means of resisting a nuclear attack, so mutual assured destruction forms among countries. In this way, relatively backward countries obtain effective security.

Based on such thinking, many experts in the industry hold that developing "assassin's mace" technology means developing more aggressive technical means, building "nuclear weapons" for cyberspace, and deterring opponents through strike capability, so as to win security and balance in cyberspace at a time when China's cyberspace security technology is generally in a weak position and its technical level is generally backward. These experts believe that cyberspace itself has the asymmetric characteristic of being "easy to attack and hard to defend". Attribution traceability capability tends to be a defensive measure, lacks the "trump card" effect, and offers a low return on the investment in R&D and construction. Therefore, in their view, it should give way to building advanced technology in the offensive field first.

In my opinion, this judgment is at root a misreading of the current state of cyberspace security. From a technical point of view, cyberspace is indeed "easy to attack and hard to defend": a defender who expects absolute security must ensure that the code has no defects at all, whereas the attacker only needs to find a single flaw to attack the system. But as the core argument of this article points out, attack and defense in cyberspace is not only a confrontation at the technical level; it is also an all-round, systematic and sustained confrontation between people, between organizations, and between countries. In such a confrontation, the advantage gained by adopting offensive technology does not necessarily translate into victory in the overall game. On the contrary, using defensive means to do attribution traceability well brings the opponent's actions more fully under your own control. On the one hand, protective measures can be deployed in a targeted way; on the other hand, public opinion campaigns, judicial prosecution, physical counterattack and other means can be used to launch counterattacks and win the overall advantage in the overall confrontation.

On a more macro level, in the course of offensive and defensive confrontation, it is not only the development of offensive technology that can break the existing balance of deterrence; a breakthrough in defensive technology can tilt that balance as well. Anti-missile technology in the field of nuclear deterrence is just such a case. If a nuclear power could develop a defense system that guaranteed the interception of ballistic missiles, that technology would turn into an overwhelming advantage in nuclear deterrence: only that one country could use nuclear missiles to threaten its opponents at will, while the nuclear weapons of other countries could not threaten its own territory. The development and evolution of attribution traceability technology is likely to have the same subversive effect as an "anti-missile system". If only one superpower in the world has an overwhelming attribution traceability capability, the balance of cyberspace security will be broken: that country can use the concealment and anonymity of the network to carry out cyber attacks against any country without bearing any responsibility, while other countries will immediately have their cyber attacks traced back to them, and may even be publicly sanctioned by that country in any form, such as cyber attack, economic measures or force. How strong such hegemony would be!

Just like the slogan "unknown attack, how to know how to prevent" publicized by a domestic security vendor, the progress of foreign attribution tracing is in fact warning us: "unknown defense, how to know how to attack". If we do not know exactly what means the opponent uses to analyze attribution, would we not walk into the opponent's encirclement and trap when we take offensive action? Attack and defense are always a confrontation. When the opponent is constantly upgrading its resources and means, if we cannot recognize our own problems, grasp the opponent's blind spots, upgrade our self-protection measures, and adopt a systematic methodology to organize attack actions, we will fall into a passive position in the confrontation.